PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA...

26

Transcript of PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA...

Page 1: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 2: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA

2020 – Looking backwards

Page 3: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 4: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA

2020 – Looking forwards

Ben Schumin

Page 5: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 6: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 7: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA

Mind the Tropes

There is no cloudIt’s just someone else’s computer

Page 8: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA

HIPAA /

HITECH ActFERPA

GxP

21 CFR Part 11

Singapore

MTCS

UK

G-Cloud

Australia

IRAP/CCSL

FISC Japan

New Zealand

GCIO

China

GB 18030

EU

Model Clauses

ENISA

IAF

Argentina

PDPA

Japan CS

Mark Gold

CDSAShared

Assessments

Japan My

Number Act

FACT UK GLBA

Spain

ENS

PCI DSS

Level 1MARS-E FFIEC

China

TRUCS

Canada

Privacy Laws

MPAA

Privacy

Shield

India

MeitY

Germany IT

Grundschutz

workbook

Spain

DPA

HITRUST IG Toolkit UK

China

DJCP

ITARSection 508

VPATSP 800-171 FIPS 140-2

High

JAB P-ATOCJIS

DoD DISA

SRG Level 2

DoD DISA

SRG Level 4 IRS 1075DoD DISA

SRG Level 5

Moderate

JAB P-ATO

GLO

BA

LU

S G

OV

IND

US

TR

YR

EG

ION

AL

ISO 27001

SOC 1

Type 2ISO 27018CSA STAR

Self-AssessmentISO 27017SOC 2

Type 2SOC 3ISO 22301

CSA STAR

Certification

CSA STAR

AttestationISO 9001

http://www.asd.gov.au/infosec/irap/index.htm
https://www.fisc.or.jp/
Page 9: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 10: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 11: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 12: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA

Machine learning applied to:• Reduce manual effort• Reduce wasted effort

on false positives• Speed up detection

Page 13: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA

Securing Privileged Access

Office 365 Security

Rapid Cyberattacks (Wannacrypt/Petya)

https://aka.ms/MCRA Video Recording Strategies

SQL Encryption &

Data Masking

Office 365

Dynamics 365

+Monitor

Data Loss Protection

Data Governance

eDiscovery

https://docs.microsoft.com/en-us/sccm/
https://blogs.office.com/2015/04/21/announcing-customer-lockbox-for-office-365/
https://support.office.com/en-us/article/Introducing-the-Office-365-Secure-Score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef
https://aka.ms/SPARoadmap
https://aka.ms/O365SecRoadmap
http://aka.ms/rapidattack
https://docs.microsoft.com/en-us/azure/active-directory/
https://aka.ms/cyberpaw
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/
https://azure.microsoft.com/en-us/services/security-center/
https://aka.ms/ESAE
http://aka.ms/cyberpaw
https://azure.microsoft.com/en-us/marketplace/
https://developer.microsoft.com/en-us/windows/iot
https://www.microsoft.com/en-us/iot-central/
https://aka.ms/MCRA
https://aka.ms/mcra-mva
https://aka.ms/cyberstrategies
https://www.microsoft.com/en-us/cloud-platform/cloud-app-security
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection
https://msdn.microsoft.com/en-us/library/dn948096.aspx
https://azure.microsoft.com/en-us/blog/introducing-sql-information-protection-for-azure-sql-database-and-on-premises-sql-server/
https://www.microsoft.com/en-us/cloud-platform/microsoft-intune
https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
https://docs.microsoft.com/en-us/azure/security-center/security-center-monitoring
http://download.microsoft.com/download/5/0/8/50856745-C5AE-451A-80DC-47A920B9D545/AFCEA_PADS_Datasheet.pdf
https://www.microsoft.com/en-us/microsoftservices/campaigns/cybersecurity-protection.aspx#stage-3
https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection
https://support.office.com/en-us/article/Office-365-ATP-for-SharePoint-OneDrive-and-Microsoft-Teams-26261670-db33-4c53-b125-af0662c34607
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/
https://www.microsoft.com/en-us/cloud-platform/cloud-app-security
https://aka.ms/graphsecuritydocs
https://www.microsoft.com/en-us/security/threat-protection
https://aka.ms/SIEMConnect
https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application
https://docs.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication
http://aka.ms/pam
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-configure
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection
http://aka.ms/pam
https://docs.microsoft.com/en-us/azure/active-directory-b2c/
https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-architecture
http://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf
https://azure.microsoft.com/en-us/blog/introducing-microsoft-azure-sphere-secure-and-power-the-intelligent-edge/
https://www.microsoft.com/en-us/cloud-platform/azure-information-protection
https://blogs.technet.microsoft.com/enterprisemobility/2016/08/10/azure-information-protection-with-hyok-hold-your-own-key/
https://docs.microsoft.com/en-us/information-protection/get-started/requirements-applications
https://blogs.technet.microsoft.com/enterprisemobility/2015/09/08/sealpath-brings-rms-protection-to-autocad/
https://docs.microsoft.com/en-us/azure/information-protection/deploy-use/deploy-aip-scanner
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-web-application-firewall-overview
https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption
https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview
https://azure.microsoft.com/en-us/services/site-recovery/
https://docs.microsoft.com/en-us/azure/azure-policy/azure-policy-introduction
https://azure.microsoft.com/en-us/blog/azure-confidential-computing/
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-10-security-guide
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-10-security-guide
https://www.microsoft.com/en-us/WindowsForBusiness/Windows-security
https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode
https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection
https://www.microsoft.com/en-us/cloud-platform/windows-server-security
https://azure.microsoft.com/en-us/services/expressroute/
http://www.microsoft.com/SDL
https://aka.ms/STP
https://www.microsoft.com/trustcenter
https://www.microsoft.com/security/intelligence
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
https://technet.microsoft.com/en-us/windows-server-docs/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms
https://azure.microsoft.com/en-us/blog/security-and-compliance-in-azure-stack/
https://blogs.office.com/2013/10/28/office-365-compliance-controls-data-loss-prevention/
https://blogs.office.com/2013/10/28/office-365-compliance-controls-data-loss-prevention/
https://support.office.com/en-us/article/Manage-data-governance-in-Office-365-48064107-fed2-4db0-9e5c-aa5ddd5ccb09
Simplifies%20the%20eDiscovery%20process%20and%20helps%20analyze%20unstructured%20data%20within%20Office%20365,%20efficiently%20review%20documents,%20and%20make%20scope%20reduction%20decisions%20for%20eDiscovery.
Page 14: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 15: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA

Getting Specific on AI

Data Math Codifying APIs Packages … Application Function Business

Data• Context of collection• Unrecognized Bias• Synthetic data• Temporal characteristics• Streaming / static

Automation• Human in the loop• Human over the loop• Human out of the loop

Security/privacy• Model Theft• Model Corruption• Faulty training (synthetic data)• Adversarial perturbation

Algorithms• Locked• Trained• Evolving

Training• Supervised• Unsupervised

Page 16: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA

about the future of AI systems

empowering and augmenting individuals’ and

organizations’ abilities to address broad societal

issues such as povert

Page 17: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 18: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 19: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 20: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 21: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 22: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 23: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 24: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 25: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA
Page 26: PowerPoint Presentation...JAB P-ATO CJIS DoD DISA SRG Level 2 DoD DISA SRG Level 4 IRS 1075 DoD DISA SRG Level 5 Moderate JAB P-ATO L GOV RY L ISO 27001 SOC 1 ISO 27018 Type 2 CSA

John Weigelt

[email protected]

@Thumbtackhead


Lawsuit: CREW v. DOD: Regarding DISA: 11/06/07 - CREW's Complaint

Lawsuit: CREW v. DOD: Regarding DISA: 11/06/07 - CREW's Complaint

Container Image Creation and Deployment Guide...2020/11/02  · UNCLASSIFIED Container Image and Deployment Guide, V2 R0.6 DISA 02 November 2020 Developed by DISA for the DoD 2 UNCLASSIFIED

Container Image Creation and Deployment Guide...2020/11/02  · UNCLASSIFIED Container Image and Deployment Guide, V2 R0.6 DISA 02 November 2020 Developed by DISA for the DoD 2 UNCLASSIFIED

Emerging Privacy Issues - International Association of ... · DoD DISA Cloud infrastructure •Rapid Access Computing Environment – Agile and responsive computing – Authorized

Emerging Privacy Issues - International Association of ... · DoD DISA Cloud infrastructure •Rapid Access Computing Environment – Agile and responsive computing – Authorized

DoD UCR 2008 Change 3 - DISA

DoD UCR 2008 Change 3 - DISA

DoD Cloud Computing Security Requirements Guide (SRG) …cloudcomputingcaucus.org/pdfs/KeynotePresentation_DoD_SRG.pdf•APIs of a cloud can create risk of unauthorized access to NIPRnet

DoD Cloud Computing Security Requirements Guide (SRG) …cloudcomputingcaucus.org/pdfs/KeynotePresentation_DoD_SRG.pdf•APIs of a cloud can create risk of unauthorized access to NIPRnet

Cybersecurity Challenges · Internal Cloud. NIST SP 800-171. DoD Information . System. CSP. DoD Cloud Computing SRG. Risk Management Framework and ‘Authority to Operate’ shall

Cybersecurity Challenges · Internal Cloud. NIST SP 800-171. DoD Information . System. CSP. DoD Cloud Computing SRG. Risk Management Framework and ‘Authority to Operate’ shall

UNCLASSIFIED DoD Metadata Registry Dr Glenda Hayes ghayes@mitre.org MITRE/DISA PEO-GES 9 Oct 2008 Presentation to Federal Data Architecture Subcommittee.

UNCLASSIFIED DoD Metadata Registry Dr Glenda Hayes [email protected] MITRE/DISA PEO-GES 9 Oct 2008 Presentation to Federal Data Architecture Subcommittee.

Container Hardening Process Guide Version 1, Release 1 15 ......enterprise. UNCLASSIFIED Container Hardening Process Guide, V 1R1 DISA 15 October 2020 Developed by DISA for the DoD

Container Hardening Process Guide Version 1, Release 1 15 ......enterprise. UNCLASSIFIED Container Hardening Process Guide, V 1R1 DISA 15 October 2020 Developed by DISA for the DoD

Container Hardening Process Guide · 2020. 10. 15. · UNCLASSIFIED Container Hardening Process Guide, V 1R1 DISA 15 October 2020 Developed by DISA for the DoD ii UNCLASSIFIED Trademark

Container Hardening Process Guide · 2020. 10. 15. · UNCLASSIFIED Container Hardening Process Guide, V 1R1 DISA 15 October 2020 Developed by DISA for the DoD ii UNCLASSIFIED Trademark

DEPARTMENT OF DEFENSE (DOD) 3 CLOUD CYBERSPACE … · 53 the cloud, as specified in the DOD Cloud Computing Security Requirements Guide (SRG) section on 54 cyberspace protection and

DEPARTMENT OF DEFENSE (DOD) 3 CLOUD CYBERSPACE … · 53 the cloud, as specified in the DOD Cloud Computing Security Requirements Guide (SRG) section on 54 cyberspace protection and

CREW v. DOD: Regarding DISA: 11/6/09 - Document 25 (Merged)

CREW v. DOD: Regarding DISA: 11/6/09 - Document 25 (Merged)

1. OVERVIEW - MARITECH · SRG-1150DN / SRG-1250DN / SN-100 1. OVERVIEW The peculiarity of GMDSS is highly reliable communication by automation and digitalization. SRG-1150DN/SRG-1250DN

1. OVERVIEW - MARITECH · SRG-1150DN / SRG-1250DN / SN-100 1. OVERVIEW The peculiarity of GMDSS is highly reliable communication by automation and digitalization. SRG-1150DN/SRG-1250DN

A Combat Support Agency Defense Information Systems Agency Enterprise Voice Services Component of DoD Unified Capabilities DISA/NSE.

A Combat Support Agency Defense Information Systems Agency Enterprise Voice Services Component of DoD Unified Capabilities DISA/NSE.

Defense Information Systems Agency/media/Files/DISA/Fact-Sheets/DMCC...DEFENSE INFORMATION SYSTEMS AGENCY DOD Mobility Program Management Office For more assistance please contact

Defense Information Systems Agency/media/Files/DISA/Fact-Sheets/DMCC...DEFENSE INFORMATION SYSTEMS AGENCY DOD Mobility Program Management Office For more assistance please contact

Combat Vehicle R&D- Networks · - Joint Technical Architecture (JTA) - DoD Information Technology Standard (DISR) published by Defense Information Systems Agency (DISA) Defense Information

Combat Vehicle R&D- Networks · - Joint Technical Architecture (JTA) - DoD Information Technology Standard (DISR) published by Defense Information Systems Agency (DISA) Defense Information

DoD Cloud Computing Security Requirements Guide (SRG) Overview · •Released 12 January 2015 – ... General - SRG Overview •SRG release details mission data risk associated with

DoD Cloud Computing Security Requirements Guide (SRG) Overview · •Released 12 January 2015 – ... General - SRG Overview •SRG release details mission data risk associated with

Application Security Checklist v2r15 - MIL-STD-188everyspec.com/DoD/...spec=DISA_Application_Security... · DISA Field Security Operations (FSO) conducts Application SRRs to provide

Application Security Checklist v2r15 - MIL-STD-188everyspec.com/DoD/...spec=DISA_Application_Security... · DISA Field Security Operations (FSO) conducts Application SRRs to provide

SRG Corporate Presentation - June 2018srggraphite.com/pdf/SRG_Corporate_Presentation_2018-06-18.pdf | TSX.V SRG 0 3 SRG AT A GLANCE SRG –(TSXV: SRG) • Canadian-based mining company.

SRG Corporate Presentation - June 2018srggraphite.com/pdf/SRG_Corporate_Presentation_2018-06-18.pdf | TSX.V SRG 0 3 SRG AT A GLANCE SRG –(TSXV: SRG) • Canadian-based mining company.

Maryann Dennehy DISA/GO434, (703) 882-1716 DennehyM@ncr.disa.mil March 2004 DoD IA Education, Training, Awareness Products.

Maryann Dennehy DISA/GO434, (703) 882-1716 [email protected] March 2004 DoD IA Education, Training, Awareness Products.

Presentation - Security Content Automation Protocol · ISO 17799/ 27001??? DoD DoD IA Controls DISA STIGS & Checklists COMSEC ‘97 NSA Req NSA Guides Vendor Guide FISMA SP 800-53

Presentation - Security Content Automation Protocol · ISO 17799/ 27001??? DoD DoD IA Controls DISA STIGS & Checklists COMSEC ‘97 NSA Req NSA Guides Vendor Guide FISMA SP 800-53