InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Govern and manage Cyber Security risk with this unique comprehensive toolkit suite
Comprehensive Cyber Security Risk Management Toolkit Suite – Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular
There are a number of standalone, best practice approaches to managing cyber risk, none of which is on its own completely satisfactory. This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.
• PAS 555:2013 is the new standard for cyber security risk governance and management; it was created to work with a range of other standards;
• ISO/IEC 27032 is the international guidance standard for managing cyber security risk;
• The Cloud Controls Matrix was developed by the Cloud Security Alliance for cloud service providers;
• Ten Steps to Cyber Security is the methodology developed by the UK’s Business Department to help organizations of all sizes secure their cyber defenses;
• ISO/IEC 27001: 2013 is the internationally recognized standard against which an information security management system can achieve accredited certification.
Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular construction and control mapping matrix to add its additional controls to an existing ISO27001 management system.
This Cyber Security Governance & Risk Management Toolkit recognizes that mobile device management is a critical component of effective cyber risk control and therefore includes the ITGP BYOD Policy Toolkit as a value-added extra.
www.banksafeonline.org.uk – UK banking industry initiative to help online banking users stay safe online;
www.itsafe.gov.uk – A free UK government service which provide home users and small businesses with warnings and news about computer security problems.
Safeguard your computer
* Workstations should be set up in a secure, clean, calm, stable environment.
* Don’t have loose cables that might be a safety hazard; tripping over a cable and pulling it out of the computer
* Always log out of and shut down Windows, and switch your computer off when it’s not in use.
* The biggest risk associated with laptops (also known as notebooks) is, in fact, the loss or theft of the laptop.
Last year’s HITECH Act toughened the rules and enforcement penalties health information handlers must follow to protect patient privacy.
Under the new policy regime, providers will have to pay more attention to the confidentiality and safety of patient information as they move more of their operations toward electronic health record-keeping.
Without sound security policies and practices, privacy “will be just a principle,” said Sue McAndrew, deputy director for privacy in the Office of Civil Rights, the Health and Human Services Department office that was given responsibility for health privacy and security policy under the new law.
“We want it to be a reality for consumers,” she said at a recent privacy and security conference sponsored by OCR and the National Institute for Standards and Technology.
One of the most basic requirements is that providers must now perform a security assessment, a first step in understanding systems and electronic data over which they are temporary stewards.
OCR recently drafted guidance to help providers and payers figure out what is expected of them in doing a risk assessment. While it might sound onerous, a risk assessment might not be as difficult or costly as some providers might believe, even for small practices, privacy.
“When you say, ‘do a security risk assessment’, people’s eyes glaze over,” said Lisa Gallagher, security director of privacy and security for the Healthcare Information and Management Systems Society. “But really, it’s asking, ‘what are the risk areas?’, ‘how could someone get to it?’ and ‘what controls can you put in place to protect it.’”
In its guidance, OCR said organizations should identify and categorize their data collections, document threats to information that might lead to a disclosure of protected data and check to see if their current security measures are adequate.
“For a small organization, it sounds overwhelming and time-consuming, but in a lot of ways, it’s things that they already do,” said Pat Toth, a computer scientist in NIST’s computer security division.
“What small providers need to do is get an understanding of the framework and break down each step,” she said. “It is something that’s going to be living in their organization, so if they do their categorization and get that right, it will set the correct tone for the rest of the process.”
NIST has developed a quick-start guide, a “Cliff’s Notes” of its security publications detailing its risk management framework and risk assessment, in addition to frequently asked questions, to help providers, especially small practices.
For large organizations, risk management starts in the planning and architecture of systems across the enterprise and system life cycle, Toth said.
Besides a risk assessment, OCR is planning stricter reporting of disclosures of health information when electronic health records are used, even when the disclosure is for treatment and billing purposes. Providers will also have to give the reason for the disclosure. In May, OCR published a request for comments on its rulemaking.
The most effective method of accounting for disclosures is by using automated logging features in electronic health records and other computer systems, according to Mac McMillan, chief executive officer of Cynergistek Inc., an IT security consulting firm.
System logs are used to document and maintain a permanent record of all authorized and unauthorized access to and disclosure of confidential information so providers can recover evidence of that access.
“A lot of the difficulty to get accounting of disclosures in place is because of a lack of industry auditing capabilities,” he said at the OCR and NIST conference. “Most systems don’t have the functionality.” Moreover, IT security folks he works with have logging activated, “but they are still manually digesting them,” McMillan said, adding that manual audits are a time-consuming and imprecise process.
Even so, such practices must now be the order of the day under the new privacy and security framework. “The security rule says wherever you have electronic health information, you need to protect it,” said HIMSS’s Gallagher. “You may not even apply for meaningful use incentives. But if you’re keeping data in electronic form, you have to comply with the security rule.”
The Health & Human Services Department published draft guidance to help healthcare providers and payers figure out what is expected of them in doing a risk analysis of their protected patient health information.
The security rule of the Health Insurance Portability and Accountability Act (HIPAA) requires that providers, payment plans and their business associates perform a risk assessment, but does not prescribe a method for doing so, according to draft guidance from HHS’ Office of Civil Rights (OCR). The HITECH Act directed that OCR oversee health information privacy.
Risk analysis is a technique used to identify and assess threats and vulnerabilities that may hamper the success of achieving bsuiness goals. In risk analysis determines if the security controls are appropriate compare to the risk presented by the impact of threats and vulnerabilities.
The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.
Some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST), OCR said
OCR guidance document explains several elements a risk analysis must incorporate, regardless of the method employed. So basically the auditor will be looking for all the elements required by the guidelines during an audit.
Definition – A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.
A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. It has three important components: a shared vocabulary, consistent assessment methods and a reporting system.
The common view an RAF provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing potential threats pro-actively, planning budgets and creating a culture in which the value of data is understood and appreciated.
There are several risk assessment frameworks that are accepted as industry standards including:
Risk Management Guide for Information Technology Systems (NIST guide) from the National Institute of Standards.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team.
Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association.
To create a risk management framework, an organization can use or modify the NIST guide, OCTAVE or COBIT or create a framework inhouse that fits the organization’s business requirements. However the framework is built, it should:
1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.
2. Identify threats.
Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.
3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and/or vendor issues should also be considered.
4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.
5. Document risks and determine action.
This is an on-going process, with a pre-determined schedule for issuing reports. The report should document the risk level for all IT assests, define what level of risk an organization is willing to tolerate and accept and identify procedures at each risk level for implementing and maintaining security controls.
“By slipping a simple, three-sentence provision into the gargantuan spending bill passed by the House of Representatives last week, a congressman from Silicon Valley is trying to nudge Congress into the 21st Century. Rep. Mike Honda (D-Calif.) placed a measure in the bill directing Congress and its affiliated organs — including the Library of Congress and the Government Printing Office — to make its data available to the public in raw form. This will enable members of the public and watchdog groups to craft websites and databases showcasing government data that are more user-friendly than the government’s own.”
Would be great if this passes BUT, Government would have to have security provisions so hackers could not manipulate databases in this case raw data. Without proper controls, databases can be easily modified and stolen, so before making the raw data available to public, Congress might need a comprehensive legislation to protect the confidentiality, integrity and availability of the data.
Security principles and controls which should be considered in database legislation?
• Principles of least privilege
• Separation of duties
• Defense in depth at every level
• Strong auditing and monitoring controls
• Security risk assessment to assess risks based on ISO 27002 and NIST 800-53
• Comprehensive risk management program to manage risks
In April 20007, California state IT council adopted the information security program guide which help organizations to comply with SB 1386. The council advised the use of information security standard ISO 27002 framework to comply and meet the needs of SB 1386.
[Table = 13] Which businesses are affected by SB 1386 law?
o If you have a business in California
o Outsourcing company who does business with a company in California or have customers in California
o Data centers outside of California which store information of California residents
Toolkits are designed to help organizations who need to comply with a law like SB 1386. SB 1386 and ISO 27002 implementation toolkit assist ISO 27002 compliance. Also help organizations who are interested in certification to lay in the ground work for (ISO 27001) certification that would demonstrate the conformance with world class information security management systems.
The Comprehensive SB1386 Implementation toolkit comprises of:
1. The SB 1386 Documentation Toolkit: a download with nearly 400 of densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (Soft Cover) This is the US version of the long established world leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best practice guidance of ISO27001/ISO17799.
3. vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool which in summary:
o automates and delivers an ISO/IEC 27001-compliant risk assessment
o Uniquely, can assess confidentiality, integrity & availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001
o Comprehensive best-practice alignment
o Supports ISO 27001
o Supports ISO 27002 (ISO/IEC 17799)
o Conforms to ISO/IEC 27005
o Conforms to NIST SP 800-30
o The wizard-based approach simplifies and accelerates the risk assessment process;
o Integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases.
4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002: (formerly ISO 17799).
ISO assessment is a great first step towards ISO 27002 compliance and toward the final goal of ISO 27001 certification audit or for that matter any compliance audit.
ISO 27002 Framework for Today’s Security Challenges
httpv://www.youtube.com/watch?v=yRFMfiLbNj8
Traditional security schemes are incapable of meeting new security challenges of today’s business requirements. Most security architectures are perimeter centric and lack comprehensive internal controls. Organizations which are dependent on firewall security might be overtaxing (asking security mechanism to do more than it can handle). Some of the old firewalls rule set stay intact for years, which might be a liability when the firewall rule set neither represent current business requirements and nor are protecting critical assets appropriately.
“Firewalls are typically managed by a succession of administrators who create their own rules, which then accumulate over a period of years. This creates rule duplication, which can impinge on performance, but also brings risks such as the use default or open passwords.”
The first step in defense in depth is designing a corporate network segmentation policy which describes which departments, application, services and assets should reside on a separate network. Network segmentation will assure that threats are localized with minimal impact on the organization. NIST, ISO27002, and PCI emphasis the importance of network segmentation but does not mandate the requirement. At the same time PCI Standard committee emphasize in new standards that the compliance scope can be significantly minimized by placing all the related assets in the same segment. Network segmentation is not only a common sense in today’s market but also one of the most effective and economical control to implement, simply a great return on investment.
Network segmentation benefits: o Improve network performance and reduce network congestion o Contain attacks (viruses, worms, trojans, spam, adware) from overflowing into other networks. o Improve security by ensuring that nodes are not visible to unauthorized networks. Reduce the size of broadcast domain
Basic idea behind defense in depth is to protect your crown jewel in multiple layers of defense, should one fail, another will provide crucial protection. Another important thing to remember is that we cannot defend everything, so our defense in depth approach should be asset centric rather than perimeter or technology centric. Perform a thorough risk assessment to find out your most important assets and apply the defense in depth approach to protect the confidentiality, integrity and availability of those critical assets. Examples of network segmentation include wireless network, where you place the wireless network users in their own segment behind a firewall with their own rule set. This rule set will help to contain the users on wireless network as well as any potential attacks on the organization. To get to the content of another segment in the network, the wireless users has to pass through all the layers of protection.
Defense in depth diagram Different attacks will be handled by different layers. In the outer layer 1 will handle most of the network related attacks while the layer 2 will handle most of the script based attacks which target the operating system. Layer 3 will handle most of the application attacks which are complex and only utilized by skilled attackers. Layer 4 is your final frontier where you protect your crown jewel by moving many of the tools and techniques used at the perimeter closer to critical assets.
![Reblog this post [with Zemanta]](https://img.zemanta.com/reblog_e.png?x-id=388a1882-ddc8-487a-bc63-9310f0c69ecc)
![Reblog this post [with Zemanta]](https://img.zemanta.com/reblog_e.png?x-id=7df2ef1d-242f-4110-8903-59f134349e57)
