Presentation is loading. Please wait.

Presentation is loading. Please wait.

Compliance Toolbox.

Published byIsmo Salonen Modified over 5 years ago

Similar presentations

Presentation on theme: "Compliance Toolbox."— Presentation transcript:

1 Compliance Toolbox

2 AGENDA Compliance Toolbox Bridging the Gap Documentation STIGs
Compliant versus non compliant views

3 toolbox COMPLIANCE TOOLS: RISK MANAGEMENT FRAMEWORK (RMF)
SECURITY TECHNICAL IMPLIMENTATION GUIDES (STIGs) ASSURED COMPLIANCE ASSESSMENT SOLUTION (ACAS) SECURITY CONTENT AUTOMATION PROTOCOL (SCAP) ENTERPRISE MISSION ASSURANCE SUPPORT SERVICES (eMASS)

4 Stigs https://iase.disa.mil/stigs/pages/a-z.aspx
436 possible STIGs Varying amount of Vulnerability IDs. STIG VIEWER

5 I-ASSURE http://www.i-assure.com
RMF STIG 1. Categorize 1. Discover 2. Select Assess 3. Implement Analyze 4. Assess 4. Remediate 5. Authorize 5. Mitigate 6. Monitor

6 5 STEPS OF STIG COMPLIANCE
BRIDGING THE GAP DISA STIG 1. Discover: We will review hardware and software lists, diagrams and perform interviews to determine the baseline STIGs applicable to the environment Assess: We will use DISA-provided automated tools, i.e. ACAS and SCAP, locally developed tools and manual reviews to determine and document the current compliance state. 3. Analyze: We will perform a gap analysis with our customer to identify quick fixes, potential problems and provide a go-forward strategy for achieving compliance. 5 STEPS OF STIG COMPLIANCE

7 5 STEPS OF STIG COMPLIANCE
BRIDGING THE GAP DISA STIG 5 STEPS OF STIG COMPLIANCE 4. Remediate: We will utilize the strategy defined in the Analyze Phase to execute fixes. Regression and functional testing will occur to ensure that security changes do not negatively impact operations. diagrams and perform interviews to determine the baseline STIGs applicable to the environment. All results will be documented. 5. Mitigate: For items that could not be remediated due to operational constraints, a Plan of Actions and Milestones (POA&M) will be created to identify the vulnerability and the mitigations associated with lowering the raw risk.

8 CRACKING THE CODE DOCUMENTATION Not Applicable Automatically Compliant

9 Cracking the Code CCI: Control Correlation Identifier
The purpose of CCIs is to allow a high level statement made in a policy document (i.e., a security control) to be “decomposed” and explicitly associated with the low-level security settings that must be assessed to determine compliance with the objectives of that specific statement.

10 Decoding the STIGs Compliant
CAT I CAT II CAT III

11 Decoding the stigs non compliant
Note: There are no results when searching all 5 STIGs for CCI

12 Bringing it together the bottom line
Expectations: Every 1-3 years minimum It’s going to cost money Cost effective and sustainable low cost Non Layered Approach: >20% Initial Cost of Accreditation >45% to Sustain accreditation over time >70% higher to reaccredit Layered Approach: <50% of the initial cost to reaccredit Cost effective and sustainable lower cost Long term effective for cost and compliance

13 COMPLIANCE TOOLBOX Questions?

Download ppt "Compliance Toolbox."

Similar presentations

PhoenixPro Procurement. technology. contracts. projects.

PhoenixPro Procurement. technology. contracts. projects.
DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.

DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.
Cybersecurity and the Risk Management Framework

Cybersecurity and the Risk Management Framework
ProCognis SOX 404 & COSO Implementation Presentation

ProCognis SOX 404 & COSO Implementation Presentation
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Risk Management Framework

Risk Management Framework
NCHRP 8-60 Risk Analysis Tools and Management Practices to Control Transportation Project Costs Keith R. Molenaar, PhD Stuart D. Anderson, PhD, PE Transportation.

NCHRP 8-60 Risk Analysis Tools and Management Practices to Control Transportation Project Costs Keith R. Molenaar, PhD Stuart D. Anderson, PhD, PE Transportation.
Software Verification and Validation (V&V) By Roger U. Fujii Presented by Donovan Faustino.

Software Verification and Validation (V&V) By Roger U. Fujii Presented by Donovan Faustino.
Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.

Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.
Application Threat Modeling Workshop

Application Threat Modeling Workshop
Enterprise Architecture

Enterprise Architecture
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
Information Technology Audit

Information Technology Audit
PMSS Final SOW May 22 nd, 2013. Statement of Work 2 GLENN RESEARCH CENTER PROJECT MANAGEMENT SUPPORT SERVICES (PMSS) The Contractor shall provide expert.

PMSS Final SOW May 22 nd, Statement of Work 2 GLENN RESEARCH CENTER PROJECT MANAGEMENT SUPPORT SERVICES (PMSS) The Contractor shall provide expert.
S/W Project Management

S/W Project Management
PRM 702 Project Risk Management Lecture #28

PRM 702 Project Risk Management Lecture #28
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.
Security Assessments FITSP-A Module 5

Security Assessments FITSP-A Module 5

Similar presentations

Ads by Google