Uniform Compliance and Risk Management through Harmonized GRC
Mark Butler, CISO, Qualys
Challenges To Compliance and Risk Management Programs
Qualys, Inc. Corporate Presentation 2
4 Key Challenges
• Multiple Compliance Regulations and Standards
• Broken Link to Security Baseline
• Risk in Silos
• GRC’s own challenges
Challenge 1: Multiple Regulations and Standards
Industry Recommended and Mandate-Based Standards
• PCI
• NERC
• HIPAA
• SANS
• NIST
• ISO
• Vendor Recommendations
Numerous Existing Technologies…
• Operating Systems
• Applications
• Databases
• Infrastructure
New / Emerging Technologies…
• Docker, OpenStack, Pivotal Cloud Foundry, Hyper-V, VMware
• Elastic / Ephemeral Workloads
• Moving beyond classic Databases into Data Lakes with mixed Data Sensitivity
• Aggressive Cloud And Hybrid-Cloud Adoption outside of IT
Challenge 2: Broken Link to Security Baseline
• Guidance vs. Implementation
• Scoping and Tracking Assets
• Technical and Procedural Control Selection
• Lacking Third Party Control Assessment Data
• Application Complexity
Challenge 3: Risk in Silos
• Technology
• CRM / Support
• Legal / Finance / HR
• Operations
• Sales
Challenge 4: GRC’s own challenges
• What is GRC’s primary objective?
• Top down or Bottom up approach?
• Defining Scope
• Operational Aspects of Compliance/Risk
Approach To Harmonizing GRC
Objectives of GRC - Nirvana Simplified
Cycle: ASSESS, BASELINE, MITIGATE, REPORT
• Common Compliance Baseline: Mandates, Policies, Standards, Threats, Vulnerabilities, Risks, Controls, Checks
• Business Strategy: People, Information, Technology, Processes
• Baseline: Assets
Harmonized GRC Reporting
• Harmonization of Compliance Requirements: find the overlapping ‘Middle’ set, report against multiple mandates
• Mapping to Security and Risk Baseline: continuous mapping of security checks to ‘One’ set; map risk to the ‘Middle’ set
• Automation and Reporting: why audit and report quarterly, why not report on changes? Report security data and risk in terms of the ‘Middle’ set (security data = assessed data of Config, Vuln, FIM etc.)
• Continuous, Cloud Benchmarking, Intelligence: FedRAMP and CSA certified cloud providers; report in terms of industry averages; prioritization in terms of the most common baseline
Step 1: Harmonization of Requirements
Source control sets (define your own control statements):
• NIST Controls (800-53 Revision 4): IA-5 (1) a - Password Based Authentication - Password Complexity; IA-5 (1) d - Password Based Authentication - Password Life
• Custom: CO1.12 - Password Management - Complexity and Strength; CO1.13 - Password Management - Password Age Restrictions
• HITRUST Controls: 01.d - User Password Management; 01.f - Password Use
• CIS Top 20 Controls: CSC 16-3 - Account Monitoring and Controls
• UCF Controls
Middle Set: Security Objectives (continuous and automatic view)
Mapping: comply to
• PCI 8.2.3, 8.2.4
• HIPAA 164.308 (a)(5)(2)
• ISO 11.2.3
• NERC CIP-007-5 R5
Step 2: Map Security Baseline to Objectives
End point Technical Security – Password Checks
• Windows: Status of the 'Maximum Password Age' setting (expiration)
• Mobile: Status of the 'Minimum PIN length' setting
• AIX: Status of the 'Enforce password history' setting
• Ubuntu: Status of the 'Minimum Password Length' setting
• Red Hat: List all users with a password expiration date in the /etc/shadow file
• Cisco Firewall, Checkpoint Firewall: Status of the 'Enforce password complexity' setting
• Oracle: Password reuse maximum (password_reuse_max) - Profile level
• Amazon Web Services: IAM password policy - password strength
Vendor controls assessment – Password
• Vendor: Are passwords required to access the systems storing, processing or transmitting the customer data?
• Vendor: Has the service organization implemented a password policy which clearly states the password strength, password age and account lockout/duration information?
Based on: NIST (800-53 Revision 4)
• IA-5 (1) a - Password Based Authentication - Password Complexity
• IA-5 (1) d - Password Based Authentication - Password Life
Inputs mapped to Security Objectives: Security Configuration Baseline, Vulnerabilities, FIM Events, Risk Register and Risk Events
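Added example, not from the deck and not Qualys code: a small Python model of Steps 1 and 2 together with the "report on changes" idea from the Harmonized GRC Reporting slide. Technical checks roll up to a middle set of security objectives, each objective maps to controls in several frameworks at once, and a second run is compared against the first so that only regressions and fixes are reported. The control identifiers are the ones the slides cite; the objective names, check ids, the assignment of each control to an objective, and every result are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Step 1: the "middle set". Each security objective lists the framework controls
# it satisfies. Control ids are the ones the deck cites; objective names and the
# control-to-objective assignment are assumptions for this example. Controls the
# deck lists only under "password" are attached to both objectives, which is
# exactly the overlap the harmonized report has to surface.
_SHARED = {"HITRUST": ["01.d", "01.f"], "CIS Top 20": ["CSC 16-3"],
           "HIPAA": ["164.308(a)(5)(2)"], "ISO": ["11.2.3"], "NERC": ["CIP-007-5 R5"]}
MIDDLE_SET = {
    "PWD-COMPLEXITY": {"NIST 800-53r4": ["IA-5(1)(a)"], "Custom": ["CO1.12"],
                       "PCI DSS": ["8.2.3"], **_SHARED},
    "PWD-AGE": {"NIST 800-53r4": ["IA-5(1)(d)"], "Custom": ["CO1.13"],
                "PCI DSS": ["8.2.4"], **_SHARED},
}

# Step 2: platform-specific technical checks (from the deck's Step 2 slide),
# each tied to exactly one middle-set objective. The check ids are made up here.
CHECKS = {
    "win-max-pwd-age":      ("Windows", "PWD-AGE"),
    "ubuntu-min-pwd-len":   ("Ubuntu", "PWD-COMPLEXITY"),
    "rhel-shadow-expiry":   ("Red Hat", "PWD-AGE"),
    "cisco-pwd-complexity": ("Cisco Firewall", "PWD-COMPLEXITY"),
    "aws-iam-pwd-strength": ("Amazon Web Services", "PWD-COMPLEXITY"),
}


@dataclass(frozen=True)
class Result:
    """One check outcome on one asset, as a scanner or agent would report it."""
    asset: str
    check: str
    passed: bool


def evaluate_objectives(results):
    """Roll raw check results up to the middle set: an objective fails on an
    asset if any check mapped to it failed there. Returns {objective: {asset: ok}}."""
    status = defaultdict(dict)
    for r in results:
        _platform, objective = CHECKS[r.check]
        status[objective][r.asset] = status[objective].get(r.asset, True) and r.passed
    return dict(status)


def framework_report(objective_status):
    """Project middle-set status onto every framework at once. A failing objective
    marks each control it maps to, in every framework, with the failing assets;
    a control shared by several objectives collects the failures of all of them.
    Returns {framework: {control: sorted failing assets}} (empty list = pass)."""
    report = defaultdict(dict)
    for objective, per_asset in objective_status.items():
        failing = [a for a, ok in per_asset.items() if not ok]
        for framework, controls in MIDDLE_SET[objective].items():
            for control in controls:
                report[framework].setdefault(control, set()).update(failing)
    return {fw: {c: sorted(a) for c, a in ctl.items()} for fw, ctl in report.items()}


def changes_since(previous, current):
    """Report only what moved between two assessments instead of a full quarterly
    snapshot. Returns sorted (objective, asset, "fixed" | "regressed") tuples."""
    changes = []
    for objective, per_asset in current.items():
        for asset, ok in per_asset.items():
            before = previous.get(objective, {}).get(asset)
            if before is not None and before != ok:
                changes.append((objective, asset, "fixed" if ok else "regressed"))
    return sorted(changes)


# Constructed sample results for two assessment runs (not real scan data).
RUN_1 = [
    Result("dc01", "win-max-pwd-age", False),
    Result("web01", "ubuntu-min-pwd-len", True),
    Result("db01", "rhel-shadow-expiry", False),
    Result("fw01", "cisco-pwd-complexity", True),
    Result("aws-prod", "aws-iam-pwd-strength", False),
]
RUN_2 = [
    Result("dc01", "win-max-pwd-age", True),       # remediated since run 1
    Result("web01", "ubuntu-min-pwd-len", False),  # regressed since run 1
    Result("db01", "rhel-shadow-expiry", False),
    Result("fw01", "cisco-pwd-complexity", True),
    Result("aws-prod", "aws-iam-pwd-strength", False),
]

if __name__ == "__main__":
    status_1 = evaluate_objectives(RUN_1)
    for framework, controls in framework_report(status_1).items():
        for control, assets in controls.items():
            print(f"{framework} {control}: {'FAIL ' + ', '.join(assets) if assets else 'PASS'}")
    for change in changes_since(status_1, evaluate_objectives(RUN_2)):
        print("change:", *change)
```

Because HITRUST 01.d, CSC 16-3, HIPAA 164.308(a)(5)(2), ISO 11.2.3 and NERC CIP-007-5 R5 sit behind both objectives, a single failed Windows password-age check and a single failed AWS IAM strength check are reported once per framework under each of those controls, which is the "find overlapping middle set, report multiple" behaviour the deck describes; adding a new mandate means adding its control ids to the middle set, not writing new checks.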
Step 3: Automate Assessment and Reporting
Automate Security Control Assessment
• Technical and Procedural Control Automation
• Vulnerability Assessment
• Asset Discovery
• Change Detection
• Don’t Forget Application Assessments (Web/UI/API)
Standards and sources: MSB, TSR, CIS, Vendor Recommendations, SCM, PCI, SOX, HIPAA, COBIT, NIST 800-53, COSO
Step 4: Ongoing Monitoring
▪ Asset Discovery & Classification
▪ Automated Application of Standards
▪ Change Tracking & Notification
▪ Business Process Integration
▪ Continuous Baseline Monitoring
Step 5: Intelligence Driven Benchmarking
▪ Vertical and Industry Comparisons
▪ “Wall of Shame” Approaches
▪ Comparative Risk & Compliance
▪ Means of Prioritization
▪ Use Internally
Summary
▪ Step 1: Harmonization of Requirements
▪ Step 2: Map Security baseline to Objectives
▪ Step 3: Automate Assessment and Reporting
▪ Step 4: Ongoing Monitoring
▪ Step 5: Intelligence Driven Benchmarking
Qualys Policy Compliance: Cloud-Based Security Configuration Auditing
• Reduce Compliance Costs
• Automate Security Control Assessment
• Prioritize Remediation to Improve Security
• Raise Auditors’ Confidence & Trust
Qualys Cloud Platform / Enabling Audit Visibility
• Integrated Suite of Applications
• Qualys API
• Analytics and Reporting Engines: Reporting & Dashboards, Distributed Correlation, Solr Lucene Indexing, Remediation and Workflows, ElasticSearch Clusters, Oracle and BFFS Storage
• Distributed Sensors: Hardware, Virtual, Cloud, Agent, Passive, API
Scale: 3+ billion IP scans and audits per year; 100 billion detections per year; 1+ trillion security events per year
DX / Security / Auditing Visibility Challenges
CISO
• Are my cloud and on-premise environments secure?
• Show me data that proves I am meeting my security standards on my new cloud infrastructure?
• Why can’t I reduce the number of security tools deployed and associated support staff?
Threat Management
• Do my Business partners trust what I’m telling them?
• How do I accurately prioritize remediation to address real risks?
• How am I solving root cause issues and demonstrating improvements in both security and compliance over time?
DevSecOps
• Do my Business partners trust what I’m telling them?
• How do I accurately prioritize remediation to address real risks?
• How am I solving root cause issues and demonstrating improvements in both security and compliance over time?
Auditors
• How can we partner with Sales/Marketing since we are compliant?
• Can you generate the required reports in the standardized formats?
• Are the new environments meeting contractual, PCI and Regulatory requirements?
Digital Transformation Auditing Success Factors
▪ Enable Digital Transformation Initiatives (Speed / Efficiency / Visibility)
▪ Extend required security visibility to all of your cloud infrastructure and deployments (known, newly built and recently discovered)
▪ Discover assets beyond traditional hosts (anywhere in the workload)
▪ Integrate with new API services that are replacing web services
▪ Resolve vulnerabilities or insecure configurations in near real-time
▪ Remediate and secure all cloud infrastructure for compliance