Where to begin
• Identifying requirements
• How to proceed
• Documenting requirements
Frameworks and methodology
Examples
McAfee Confidential
Context. Perspectives. Why?
Where to begin.
Look beyond your current technical controls
[Diagram: the current technical control landscape, grouped by where each control sits]
Servers: server auditing; malicious code controls (vulnerability scanning, VirusScan, virtual patching, HIPS, whitelisting, virtualization optimization)
Network: web application vulnerability scanning; database protection; firewall; network IPS; reputation intelligence for files, mail, IP addresses and domains; geo-location; DLP monitoring (discover, prevent); mail gateway; web gateway; mail/web SaaS; network data protection; tokenization
Mobile devices: mobile protection
Workstations: malicious code controls (VirusScan, HIPS, firewall, VDI optimization, endpoint auditing); risk posture; advanced malware analysis
Data protection: encryption, device control (USB devices), DLP
SOC: security management, SIEM
Recognize that Security is a Process, and Start
[Diagram: the security process cycle]
Governance: strengths, weaknesses, opportunities, threats (SWOT); risk assessment; compliance
Discovery: reports, metrics, remediation
Capacity management; solution architecture
Policy; incident management; enforcement; event management
Technical and operational controls; processes
Think Holistically
Plan for an iterative approach
Start with the requirements you already know. Then expand.
For many organizations this begins with Internal Administrative Control requirements. These are the constants, and sometimes they are aligned with external standards.
Allow Information Technology and Information Security to partner and enable the organization, not unnecessarily restrict and confine it. This holds true for the State.
Stakeholder requirements
• Risk mitigation
• Incident reviews
• New business requirements and organization initiatives
Common Control Frameworks
ISO 27002:2013 and SAM Chapter 5300
• 14 security control clauses
• 35 main security categories
• 114 controls
Data classification controls, ISO 27002:2013 control mapped to the SAM section:
  8.1.2 Ownership of assets           -> 5305.5
  8.2.1 Classification of information -> 5305.5
Think Holistically
Plan for an iterative approach
State Administrative Manual, Information Security Integration, Chapter 5315
Implementation guidance is further outlined in 5315.1 through 5315.9.
How can this be accomplished? Establish a framework, apply it to each scenario and endeavor to continuously improve.
SAM 5315: "Each state entity is responsible for the integration of information security and privacy within the organization. This includes, but is not limited to, the designing of appropriate security controls in new systems, or systems that are undergoing substantial redesign, including both in-house and outsourced solutions."
Requirements Gathering
How do I proceed?
Take a data-centric approach to requirements gathering. Align your design with requirements to maximize project success. Bottom up or top down, either approach can work.
Sources of requirements:
  Legislative          FISMA, HIPAA, NIST
  Regulatory           PCI DSS
  Standards            ITIL, COBIT, ISO
  Contracts            Vendor/partner agreements
  Internal Controls    SIM / SAM
  Service Management   SLA / SLO
Documenting Requirements
Project Management
Project Charter
• Purpose, justification
• In scope
• Out of scope
• Measurable project objectives
• Success criteria
  • What constitutes project success?
  • Who decides the project is successful?
• Requirements traceability matrix
California Project Management Methodology (CA-PMM)
• Reference Manual
• Related Toolkits
• Already identifies common members of the project team, including technical leads responsible for security
Plan
Bring the team together
• Project meetings
• Discuss project and business objectives
• Identify business applications, administrators and application owners
Common high level discussions begin
• Discuss migration from the previous service
• Discuss the implementation process
• Identify users for the initial pilot testing
• Discuss change control processes
• Discuss back out and recovery plans
• Discuss end user communications
• Discuss application validation testing
• Discuss business application testing procedures
How will the solution be operated long term? What about availability? What about security?
• Discuss current security management practices
• Review corporate security policies and supporting documentation
• Discuss policy requirements
• Incorporate security requirements into the plan to meet availability objectives
Best Practice: Identify resources that can bring the different stakeholder perspectives together.
Design
Frameworks and methodologies
FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
Establishes security categories for information and information systems
• Based on the potential impact to the organization should a loss of confidentiality, integrity or availability occur
• Used together with vulnerability and threat information when assessing risk
• Information type examples:
  • Public information
  • Investigative information
  • Administrative information
Applicability: Best Practice: Classify your data
SAM 5305.5: Each state entity must understand the value of its information assets and the level of protection those assets require.
Think Holistically
Many organizations think about the technology alone and not the business problem the solution is attempting to resolve
• Or the business processes required to enable it
• This approach does not take into account feedback or changes in the requirements or in the solution
Federal Enterprise Architecture Framework
Think Holistically
Enterprise Architecture
Holistic System View
[Diagram: one system viewed through the enterprise architecture reference models]
DRM (Data Reference Model): How will it be stored? Where is it stored?
SRM (Security Reference Model): What are the threat actors?
TRM (Technical Reference Model)
Operational stakeholders: Server Operations, Security Operations, Network Operations, Internal Audit, Service Desk, ePO Admin, Server Admin
Enterprise Architecture
Holistic System View
[Diagram: stakeholders, service management processes and the security baseline for one system]
Business stakeholders: Business Data Owner, Content Author, Business Relationship Management
Operations: Security Management, Server Operations, Security Operations, Remedy (ticketing)
Service management (ITIL): Service Level Management, Availability Management, Capacity Management, Continuity Planning, Business Impact Analysis
SRM: security baseline based on the FIPS 199 categorization of the information and the information system
Sequence priority codes: P1 controls are implemented first; P2 controls after implementation of P1
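The FIPS 199 categorization described on the earlier slide, and the security baseline this slide derives from it, rest on one rule that is easy to get wrong in a spreadsheet: the system's category is the high-water mark of its information types, objective by objective, and the baseline level is then the high-water mark across the three objectives. The Python below is an added worked example for this deck, not McAfee or State of California code; the three information types and their impact levels are constructed to match the slide's examples and are assumptions, not values taken from FIPS 199 or NIST SP 800-60.

```python
"""FIPS 199 security categorization by the high-water mark rule.

Added worked example for this deck; not McAfee's or the State's code.
The information types and impact levels in SAMPLE_SYSTEM are constructed
to match the slide's examples (public, investigative, administrative) and
are assumptions, not values from FIPS 199 or NIST SP 800-60.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# FIPS 199 impact levels, ordered so that max() picks the high-water mark.
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type.

    FIPS 199 allows the confidentiality impact of public information to be
    N/A (modelled as None); integrity and availability are never N/A.
    """
    name: str
    confidentiality: Optional[str]
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for obj in OBJECTIVES:
            val = getattr(self, obj)
            if val is None and obj == "confidentiality":
                continue  # the one place N/A is permitted
            if val not in RANK:
                raise ValueError(f"{self.name}: {obj} must be one of {LEVELS}, got {val!r}")


def high_water_mark(levels: Iterable[Optional[str]]) -> str:
    """Return the highest impact level present, ignoring N/A (None).

    An information *system* always carries a confidentiality level, so if
    every information type is N/A for confidentiality the floor is LOW.
    """
    present = [lvl for lvl in levels if lvl is not None]
    if not present:
        return "LOW"
    return max(present, key=RANK.__getitem__)


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """SC(system) = {(C, max C_i), (I, max I_i), (A, max A_i)} per FIPS 199."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    return {obj: high_water_mark(getattr(t, obj) for t in types) for obj in OBJECTIVES}


def overall_impact(category: Dict[str, str]) -> str:
    """Collapse the three-objective category into the single LOW/MODERATE/HIGH
    level used to select a control baseline (the FIPS 200 high-water mark)."""
    return high_water_mark(category.values())


def format_category(category: Dict[str, str]) -> str:
    """Render the category in the FIPS 199 notation used on the slide."""
    return "SC = {" + ", ".join(f"({obj}, {lvl})" for obj, lvl in category.items()) + "}"


# Constructed sample (assumption, for illustration only): an agency system that
# publishes public notices but also holds case-investigation records.
SAMPLE_SYSTEM = [
    InfoType("public information", None, "MODERATE", "LOW"),
    InfoType("investigative information", "HIGH", "MODERATE", "MODERATE"),
    InfoType("administrative information", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_SYSTEM)
    print(format_category(sc))          # SC = {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}
    print("baseline:", overall_impact(sc))  # baseline: HIGH
```

The N/A in the sample (confidentiality of public information) is the edge case worth testing: it is ignored when other information types set a level, floored to LOW when nothing else does, and rejected outright on integrity or availability. Notice also that a single HIGH on one objective of one information type drives the whole system to a HIGH baseline, which is exactly why the slide ties the baseline to data classification rather than to the technology chosen.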
Framework Resources
Summary
Project Managers
• Expand the project team, include data owners and security architects
that are familiar with internal requirements
Application Developers & Technical Engineers
• Limit the data you collect: it has value and it represents risk
• Think holistically
• Develop your design methodology based on the CEAF
Security Leaders
• Approach controls from security categorization
• Based on risk assessments
Everyone
• Use the currently available policies, templates and toolkits
Examples
Examples
State of California Agency
Vertical: State Government
Region: North America
Applicable State of CA Requirements:
• 5305.5 Information Asset Management
• 5315 Information Security Integration
• 5315.4 System Developer Security Testing
Business Drivers
• The agency knew personal/sensitive information was being collected but was unsure how the data was being transferred or used
Project Details
• Contractor staff augmentation to provide lab environment configuration
• Design and test data protection controls
• High availability configuration required
Outcomes
• Data classification controls developed based on agency labels for sensitive information, e.g. confidential, restricted
• Cluster configuration provided, failover testing performed
• Capacity planning guidance and modeling provided for use with the production deployment
Examples
Other State Agency, Outside of California
Vertical: State Government
Region: North America
Applicable State of CA Requirements:
• 5325.6 Information System Backup
Business Drivers
• Agency objectives were not clearly defined and not fully developed
• Not based on data classification or risk
Project Details
• A project team was not formed and the focus was simply on the latest technology
Outcomes
• The group implemented controls narrowly, not based on risk
• Additional best practices for backups were ignored, and the following year the solution was corrupted and had to be rebuilt from scratch