
Page 1: InfoSec for Compliance Officers - for distribution [Read-Only]...Any rebroadcast, retransmission, or account of this presentation, without the express written consent of Major League

5/22/2014

1

A non-threatening, non-technical discussion

of information security frameworks, regulations, and

realities

Michael Carr, JD, CISSP, CIPP

Chief Information Security Officer, University of Kentucky

June 2014

InfoSec for Compliance Officers

Disclaimer

The content, discussion, or materials presented are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this information or material does not create an attorney-client relationship between Michael Carr and you, the conference attendee. The opinions expressed during this presentation are the opinions of the author and do not reflect the opinions or advice of the SCCE, the University of Kentucky, the Commonwealth of Kentucky or anyone else on planet Earth.

Any rebroadcast, retransmission, or account of this presentation, without the express written consent of Major League Baseball, er…, I mean, SCCE, is strictly prohibited. This presentation is meant for educational purposes only. Any resemblance to real persons, living or dead is purely coincidental. Void where prohibited. Do not use while operating a motor vehicle or heavy equipment. You must be present to win. Subject to change without notice.

Disclaimer includes misuse, accident, lightning, flood, tornado, tsunami, volcanic eruption, earthquake, hurricanes and other Acts of God, neglect, damage from improper reading, incorrect line voltage, improper or unauthorized reading, broken antenna or marred cabinet, missing or altered serial numbers, electromagnetic radiation from nuclear blasts, sonic boom vibrations, customer adjustments that are not covered in this list, and incidents owing to an airplane crash, ship sinking or taking on water, motor vehicle crashing, dropping the item, falling rocks, leaky roof, broken glass, mud slides, forest fire, or projectile (which can also include, but not be limited to, arrows, bullets, shot, BB's, shrapnel, lasers, napalm, torpedoes, or emissions of X-rays, Alpha, Beta and Gamma rays, knives, stones, head slaps, nasty tones, mean looks or thoughts, etc.)

Page 2

Leave no stone unturned…

Feel free to ask any question at any time

Com·pli·ant /kəmˈplīənt/

1. Yielding, inclined to obey rules, esp. to an excessive degree; acquiescent.
2. Produced or performed in accordance with a specified body of rules.

Page 3

Body of Rules?

ADA, Clery Act, Equal Pay Act, CALEA, HEOA, OSHA, Title VII, CAN-SPAM, Title IX, Export Control Act, GLBA, COPPA, Title VI, E-Verify, Campus SaVE Act, ECPA, FCRA, Copyright Act, Junk Fax Prevention, SOX, DMCA, ITAR, FOIA, Truth in Lending, TEACH Act, FERPA, HIPAA, Age Discrimination, FMLA, ERISA, HITECH Act

Great resource: www.HigherEdCompliance.org

Body of Rules? What's missing?

(Same list, with the InfoSec-related items highlighted.)

Page 4

Body of Rules? (same list as above)

Most specify the what, not necessarily the how or the to what extent.

Missing: InfoSec Framework (standards, guidelines and practices)

Agenda

1. Review several InfoSec Frameworks

2. Discuss the “How”s and the “To What Extent”s

3. Discuss "safeguards", practices, and InfoSec's dirty little secrets (really IT's secrets)

Page 5

1. Review several InfoSec Frameworks

The CIA Triad

Information Security's Objective: To ensure the confidentiality, integrity and availability of information

1. Review several InfoSec Frameworks

Page 6

1. Review several InfoSec Frameworks

Unfortunately, jargon tends to get in the way

1. Review several InfoSec Frameworks

Page 7

1. Review several InfoSec Frameworks

Aren't you just talking about regulations that have information security (and privacy) requirements? HIPAA, GLBA, PCI, etc. (PCI DSS is a contractual industry standard rather than a regulation, but it carries the same kind of requirements.)

What’s an information security framework?

1. Review several InfoSec Frameworks

An Information Security Framework

Loosely-defined term for the various & sundry documents/programs that have been produced from a variety of sources, most of which give advice and counsel regarding information security policies and practices; i.e., a roadmap.

Page 8

1. Review several InfoSec Frameworks

How about some examples?

a) ISO 27000 – Series of InfoSec standards developed by the International Organization for Standardization (ISO).

b) FISMA – Federal statute; the InfoSec standards & practices it requires of federal agencies are developed by the National Institute of Standards & Technology (NIST), which also published the Cybersecurity Framework in 2014.

c) COBIT – ISACA-developed IT governance objectives & best practices.

1. Review several InfoSec Frameworks

Framework | Focus | Governance | Risk | Asset Mgmt
ISO 27000 Family | Initiating, implementing, maintaining & improving InfoSec mgmt in an organization | §5 – InfoSec policy doc should be approved by mgmt, etc. | §4 – Risk assessments should be performed periodically | §7 – All assets should be clearly identified & an inventory of all important assets drawn up & maintained
FISMA / NIST Cybersecurity Framework ('14) | Identifying, assessing & managing cybersecurity risk | §ID.GV – Organizational information security policy is established | §ID.RA – Threats, vulnerabilities, likelihoods and impacts are used to determine risk | §ID.AM – Devices, systems, SW & apps w/in organization are inventoried
COBIT | Linking business goals to IT goals; ID IT process owner responsibilities | Define specific responsibilities for mgmt of security | §PO (Plan and Organise) – Discover, prioritize & either contain or accept relevant IT security risks | §DS (Deliver and Support) – Ensure inventory of HW & SW are complete & regularly updated

Page 9

1. Review several InfoSec Frameworks


HITRUST's Common Security Framework (CSF) is a healthcare-oriented set of security standards based on ISO, NIST, HIPAA & HITECH

1. Review several InfoSec Frameworks

And just like most roadmaps, each framework will get you there but you have to decide…

Do I take the highway?
Do I avoid tolls?
What encryption method is best?

Page 10

2. The “How”s and the “To What Extent”s

For example, ISO 27000 & Data Classification

"Information should be classified in terms of its value, legal requirements, sensitivity and criticality to the organization."

"In general, the classification given to information is a shorthand way of determining how this information is to be handled and protected."

Nowhere does it say "restricted", "sensitive", "confidential", etc.

2. The “How”s and the “To What Extent”s

For example, ISO 27000 & Password Mgmt

"Passwords are a very common way to provide identification & authentication based on a secret that only the user knows."

"Passwords are one of the principal means of validating a user's authority to access a computer service."

Nowhere does it say "87-character passphrase that must be changed every other hour", etc.

Page 11

2. The “How”s and the “To What Extent”s

Is there an "informing" document?

• Are there specific safeguards stated/required?
• Are all circumstances & contexts stated/required?

Take a look at SANS' "Top 20 Critical Security Controls"

• Explains why each control is critical
• Lists ways to implement the control
• Lists ways to test effectiveness of the control

2. The “How”s and the “To What Extent”s

For example, ISO 27000 states "A policy on the use of cryptographic controls for protection of information should be developed and implemented"

SANS' Critical Security Control 17: Data Protection

"The adoption of data encryption, both in transit and at rest, provides mitigation against data compromise"

"Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data"

Page 12

2. The “How”s and the “To What Extent”s

Why not adopt "Top 20 Critical Security Controls"?

- SANS Institute is a training & security certification company
- Privately held (Alan Paller)
- Not an "independent" international standard
- Not mandated by DoD, NIH, HHS, etc.

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Page 13

3. “Safeguards”, practices and InfoSec’s dirty little secrets

The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. 45 CFR 164.530(c)

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Technical Safeguards?

HHS: The Security Rule is based on the fundamental concepts of flexibility, scalability and technology neutrality. Therefore, no specific requirements for types of technology to implement are identified.

"Gee thanks for the details"

Page 14

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Technical Safeguards?

- HHS
  • Encryption
  • Access Controls
- PCI
  • Firewall
  • Intrusion Detection System (IDS)

Generally, technical safeguards involve information security-related hardware and software

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Sometimes, more guidance is given…

Technical Safeguards: "Implement a mechanism to encrypt and decrypt electronic protected health information." 45 CFR 164.312(a)(2)(iv)

"Is an Ovaltine Decoder Ring sufficient?"

Page 15

3. “Safeguards”, practices and InfoSec’s dirty little secrets

But isn't standardizing on an encryption algorithm just a Snipe Hunt?

"Researchers crack the world's toughest encryption by listening to the tiny sounds made by your computer's CPU" (www.extremetech.com, 12/18/2013)

Caveat: the attack behind that headline was an acoustic side channel against a software RSA implementation; it recovered keys by measuring the implementation, not by breaking the algorithm, so the algorithm choice itself was still sound.

3. “Safeguards”, practices and InfoSec’s dirty little secrets

But isn't standardizing on an encryption algorithm just a Snipe Hunt?

"Isn't that like shooting at a moving target?"
"or like playing Whack-a-Mole?"

Page 16

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Administrative Safeguards?

- Policies
  • high-level statements relating to information protection
- Standards
  • low-level mandatory controls that help enforce InfoSec policy
- Guidelines
  • Recommended, non-mandatory controls that help support standards or serve as a reference

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Administrative Safeguards?

- Policies
  • high-level statements relating to information protection

Why then are our password requirements called "The Password Policy"?

Page 17

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Physical Safeguards?

- Fences
- Locked Cabinets
- Media Destruction

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Practices (and dirty little secrets)

- Most InfoSec Professionals are ethical
  • CISSP requires commitment to (ISC)² Code of Ethics
- Most SysAdmins are not certified
  • (and, as such, do not necessarily commit to a Code of Ethics)
- Many treat Compliance like External Audit
  • (and only answer the questions that are asked)

Page 18

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Practices (and dirty little secrets)

- So, you have to learn how to ask the right questions…
  • "Does this system have any backdoors?"
  • "Give me a list of accounts with non-expiring passwords."
  • "Give me a list of accounts that do not require a password."
  • "What systems are exempt or have been given a waiver from our password policy?"

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Practices (and dirty little secrets)

- So, you have to learn how to ask the right questions…
  • "Does this system have any backdoors?"
  • "Give me a list of accounts with passwords that do not comply with our password policy."
  • "Give me a list of accounts on this system that have elevated privileges."
  • "Give me a list of accounts on this system that can have their privileges elevated by an account on any other system."
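The account questions on this slide and the previous one (non-expiring passwords, accounts that need no password, accounts with elevated privileges) can be answered from a Unix host's own files rather than from the SysAdmin's memory. The following is an added example written for this page, not code from the presentation: it parses /etc/passwd, /etc/shadow and /etc/sudoers in their standard formats. The records it contains are constructed samples that describe no real system, and the 90-day maximum password age is an assumed local policy value. Sudoers group specs (%name) are reported as-is because resolving their members needs /etc/group, which the example does not read.

```python
"""Answer the compliance officer's account questions from a Unix host's files.

Added example (not from the presentation). Sample records are constructed;
the 90-day maximum password age is an assumed policy value.
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc_backup:x:1002:1002:Backup service:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
"""

# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$saltsalt$hashofroot:19500:0:90:7:::
daemon:*:19500:0:99999:7:::
alice:$6$saltsalt$hashofalice:19500:0:90:7:::
bob:$6$saltsalt$hashofbob:19500:0:99999:7:::
svc_backup::19500:0::7:::
toor:!:19500:0:90:7:::
"""

SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) ALL
bob     ALL=(root) /usr/bin/systemctl restart nginx
"""

MAX_PASSWORD_AGE = 90   # assumed policy: rotate at least every 90 days
NEVER = 99999           # shadow(5) convention for "never expires"


def parse_passwd(text):
    """Map user name -> UID for each passwd record."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, *_rest = line.split(":")
            users[name] = int(uid)
    return users


def parse_shadow(text):
    """Map user name -> (hash, max_days or None) for each shadow record."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            entries[f[0]] = (f[1], int(f[4]) if f[4] else None)
    return entries


def accounts_without_password(shadow):
    """Empty hash field = login with no password at all.
    '!' or '*' is a locked account, the opposite case, so not reported here."""
    return sorted(n for n, (pw_hash, _) in shadow.items() if pw_hash == "")


def accounts_with_non_expiring_passwords(shadow, max_age=MAX_PASSWORD_AGE):
    """Password never expires (empty or 99999 max field) or max age exceeds
    policy. Locked accounts are skipped: they cannot log in by password."""
    hits = []
    for name, (pw_hash, max_days) in sorted(shadow.items()):
        if pw_hash.startswith(("!", "*")):
            continue
        if max_days is None or max_days >= NEVER or max_days > max_age:
            hits.append(name)
    return hits


def elevated_accounts(passwd, sudoers_text):
    """UID-0 accounts plus sudoers user specs that grant ALL commands."""
    reasons = {}
    for name, uid in passwd.items():
        if uid == 0:
            reasons.setdefault(name, []).append("uid 0")
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        who, spec = line.split(None, 1)
        rhs = spec.split("=", 1)[1].strip()        # e.g. "(ALL) NOPASSWD: ALL"
        if rhs.startswith("("):
            rhs = rhs.split(")", 1)[1].strip()     # drop the runas list
        commands = [c.strip() for c in rhs.rsplit(":", 1)[-1].split(",")]
        if "ALL" in commands:
            label = "sudo ALL"
            if who.startswith("%"):
                label += " (group; resolve members via /etc/group)"
            reasons.setdefault(who, []).append(label)
    return {k: reasons[k] for k in sorted(reasons)}


def audit(passwd_text=PASSWD, shadow_text=SHADOW, sudoers_text=SUDOERS):
    """Return the three answers the questions on the slide ask for."""
    passwd, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    return {
        "no_password": accounts_without_password(shadow),
        "non_expiring": accounts_with_non_expiring_passwords(shadow),
        "elevated": elevated_accounts(passwd, sudoers_text),
    }


if __name__ == "__main__":
    for question, answer in audit().items():
        print(f"{question}: {answer}")
```

Run as a script it prints the three answers; on a real host, pass the contents of the real files to audit() (reading /etc/shadow requires root). Locked accounts ('!' or '*' hashes) are deliberately left out of the non-expiring list, since they cannot log in with a password at all; a reviewer who forgets that gets a long list of false positives from system accounts such as daemon. The second UID-0 account (toor) is exactly the kind of "backdoor" the first question on the slide is after, and no password policy report would surface it.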

Page 19

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Practices (and dirty little secrets)

- So, you have to learn how to ask the right questions…
  • "Does this system comply with our email retention policy?"
  • "Do we allow any users to print email?"
  • "Is the PrintScreen function enabled on any systems?"
  • "Do we allow any users to use their personal webmail, Gmail, Yahoo Mail or any other non-University email system?"
  • "To where are email archives stored?"

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Practices (and dirty little secrets)

- So, you have to learn how to ask the right questions…
  • "Does this system comply with our patch policy?"
  • "Print out a system report or Error Log showing the currently installed patch level on every server."
  • "Print out a Change Management log documenting when every server's latest patches have been applied."
  • "Are there any systems exempt or that have been given a waiver from our patch policy?"
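One way to turn the patch-policy questions above into a repeatable check, as an added example that is not part of the presentation: it compares a server inventory, a change-management log and a waiver register against a patch window. All three inputs are constructed samples in an assumed CSV layout, the 30-day window is an assumed policy value, and the evaluation date is the presentation's own date. Two details a practitioner wants and an "answer only what is asked" report tends to omit: a server in the inventory with no change-log entry at all is reported as having no evidence rather than as compliant, and a waiver that has passed its expiry date no longer excuses an overdue host.

```python
"""Check a patch policy against a change-management log and a waiver register.

Added example (not from the presentation). Inventory, change log and waiver
register are constructed samples in an assumed CSV layout; the 30-day
patch window is an assumed policy value.
"""
import csv
import io
from datetime import date

INVENTORY = ["web01", "web02", "db01", "legacy01", "app01"]

CHANGE_LOG = """\
server,change_id,applied_on,description
web01,CHG-1041,2014-05-02,May security updates
web02,CHG-1042,2014-03-11,March security updates
db01,CHG-1030,2014-04-28,April security updates
db01,CHG-1044,2014-05-10,Kernel update
legacy01,CHG-0999,2013-11-20,Last vendor patch set
"""

WAIVERS = """\
server,reason,expires_on
legacy01,Vendor no longer supports the OS; host isolated,2014-12-31
web02,Pending load-balancer cutover,2014-04-30
"""

PATCH_WINDOW_DAYS = 30          # assumed policy: patched within 30 days
AS_OF = date(2014, 5, 22)       # evaluation date (the presentation's date)


def last_patch_dates(log_text):
    """Most recent applied_on date per server in the change log."""
    latest = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        applied = date.fromisoformat(row["applied_on"])
        if row["server"] not in latest or applied > latest[row["server"]]:
            latest[row["server"]] = applied
    return latest


def waiver_expiry(waiver_text):
    """Map server -> waiver expiry date."""
    return {row["server"]: date.fromisoformat(row["expires_on"])
            for row in csv.DictReader(io.StringIO(waiver_text))}


def expired_waivers(waiver_text, as_of=AS_OF):
    """Waivers still on the register but past their expiry date."""
    return sorted(s for s, exp in waiver_expiry(waiver_text).items() if exp < as_of)


def patch_compliance(inventory, log_text, waiver_text,
                     as_of=AS_OF, window=PATCH_WINDOW_DAYS):
    """Status per inventoried server: (status, days since last patch).

    No change-log entry -> 'no evidence', never 'compliant'.
    An expired waiver is treated as no waiver."""
    latest = last_patch_dates(log_text)
    waivers = waiver_expiry(waiver_text)
    result = {}
    for server in sorted(inventory):
        if server not in latest:
            result[server] = ("no evidence", None)
            continue
        age = (as_of - latest[server]).days
        if age <= window:
            result[server] = ("compliant", age)
        elif waivers.get(server, date.min) >= as_of:
            result[server] = ("waived", age)
        else:
            result[server] = ("overdue", age)
    return result


if __name__ == "__main__":
    for server, (status, age) in patch_compliance(INVENTORY, CHANGE_LOG, WAIVERS).items():
        detail = "" if age is None else f"{age} days since last patch"
        print(f"{server:10s} {status:12s} {detail}")
    print("expired waivers:", expired_waivers(WAIVERS))
```

With the sample data, web02 is overdue because its waiver lapsed three weeks before the evaluation date, legacy01 is covered by a live waiver but still shows 183 days since its last patch, and app01 appears in the inventory with no patch evidence at all. Asking for the waiver register's expiry dates, not just its existence, is what makes the difference between the first two.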

Page 20

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Practices (and dirty little secrets)

- So, you have to learn how to ask the right questions…
  • "Is access by SysAdmins to production data tracked?"
  • "What accounts have higher privileges on non-production systems than they have on production systems?"
  • "Are there any production data whatsoever stored on any non-production systems ("systems" includes servers, laptops, desktops, phones or any device on which data can be stored)?"

3. “Safeguards”, practices and InfoSec’s dirty little secrets

Practices (and dirty little secrets)

- Most SysAdmins have more than one account.
- Most test, development and QA systems are filled with production data.
- Many accounts have more access on test, development and QA systems than they do on production systems.
- Most SysAdmins hate coming into the office to work on incidents.
- Most SysAdmins have multiple computers at home that are used to address incidents.

Page 21

Wrap-up

1. Review several InfoSec Frameworks
2. Discuss the "How"s and the "To What Extent"s
3. Discuss "safeguards", practices, and IT's dirty little secrets

Wrap-up

- Having a Framework is more important than which Framework.
- The devil is in the details.
- Most SysAdmins are not business-oriented, want to be left alone to do their jobs and think that compliance and audit add little value.

Page 22

Wrap-up

- And most SysAdmins hate having to explain jargon or the details of how systems work.

... and they have jackets

Questions?

Michael Carr, JD, CISSP, CIPP
Chief Information Security Officer, University of Kentucky
June 2014

InfoSec for Compliance Officers

Page 23

Thank you

Michael Carr, JD, CISSP, CIPP

[email protected]

June 2014