
November 30, 2017 By: Richard D. Condello NRECA Senior Director


1 Implementing the Center for Internet Security (CIS) Critical Security Controls (CSC)

2 How To Eat a Herd of Elephants Without Being Trampled to Death

3 Purpose
- To familiarize you with the 20 Critical Security Controls
- Give you the benefit of our experience to date
- Get a discussion going here this morning
- To help you decide your path forward

4 Everything needs context
- It matters where you are at the moment
- What controls you need
- What controls you have
- What is the effectiveness of your existing controls
- How much work can you take on
Speaker notes: A little bit about me. Aim for font size 28. Background and start the (successful) story: Simple, Unexpected, Concrete, Credible, Emotion (tap into a), Story. Context in which I work, etc. Who are you? Are there any lawyers present? Who has started or has implemented a framework/controls? If anyone can't respect the need for confidentiality, as I will be disclosing some elements of the NRECA Information Security Program.

5 A Little About Me

6 Why we are believers
Implementing the CSCs is working for us:
- We saw measurable results in about 15 months
- Penetration testers were not able to escalate privileges
- Forensics evaluation found no anomalous behaviors
- Survived an external program assessment
- Passed internal audit
- Passed external financial controls audit

7 Attack Lifecycle Model

8 Information Assurance Frameworks
- Many industry groups are trying to address the issues
- Numerous frameworks have been established: NIST, NIST Core Framework, ISO Series, COBIT, IT Assurance Framework (ITAF), IT Baseline Protection Manual, Consensus Audit Guidelines / Critical Security Controls, and many, many others

9 Select a starting point
- Your context matters
- Do you have existing frameworks?
- Do you at least have a Program Framework in mind?
- We picked ISO 27001/ / 2005 standards
- Pick something that is right sized
- Suggest one programmatic and one technical

10 Enter the CIS Critical Security Controls for Effective Cyber Defense
- A realistic solution
- Defines specific defenses against known cyber attacks
- Created and maintained by a volunteer army
- Provides actionable tasks in clear language

11 History and Document Contributors
US contributors include:
- Department of Homeland Security (DHS)
- National Security Agency (NSA)
- Department of Energy (DoE) Laboratories
- Department of State (DoS)
- US-CERT and other incident response teams
- DoD Cyber Crime Center (DC3)
- The Federal Reserve
- The SANS Institute
- Civilian penetration testers
- Numerous other Federal CIOs and CISOs
- Hundreds of other private sector researchers
International contributors include:
- UK Government Communications Headquarters (GCHQ)
- UK Centre for the Protection of National Infrastructure (CPNI)
- Australian Defence Signals Directorate (DSD)
- Japanese security researchers
- Scandinavian security researchers
- GCC security researchers
- Turkish security researchers
- Canadian security researchers
- Many other international researchers

12 Guiding principles of the controls
- Offense Informs Defense
- Prioritization
- Metrics
- Continuous Diagnostics & Mitigation
- Automation

13 By the Numbers
- 20 critical high-level controls
- 148 sub-controls: 125 Foundational, 23 Advanced
- 9 System, 5 Network and 6 Application controls
- 96 measures, metrics and thresholds
- 30 effectiveness tests
- 4 governance items and 15 governance topics
- 23 attack types

14 The Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

15 [Control wheel diagram: the 20 CSCs by short name]
1 Hardware Inventory and NAC; 2 Software Inventory and Whitelisting; 3 Host Secure Configurations; 4 Vulnerability Management; 5 Administrative Privileges; 6 Audit Logs; 7 Email and Web Browser; 8 Malware Defense; 9 Network Ports, Protocols, Services; 10 Data Recovery; 11 Network Secure Configurations; 12 Boundary Defense; 13 Data Protection; 14 Controlled Access; 15 Wireless; 16 Account Control; 17 Training; 18 Application Security; 19 Incident Management; 20 Penetration Tests and Exercises

16 Measures, Metrics and Thresholds
- Each measure has lower, moderate and higher risk thresholds
- Time based: an hour, a day and a week
- Percentage based: 1%, 4% and 10%
- Quantitative: how many; you set your own thresholds, except for CSC 20
- This is where automation hits the road

17 Example Measures
- How long does it take to deploy operating system patches? (CSC 4 Vulnerability Management)
- What percentage of elevated accounts do not require two-factor authentication? (CSC 5 Admin Access)
- How many attempts to gain access to password files have been detected recently? (CSC 16 Account Monitoring and Control)
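As an added example, not part of the NRECA deck, the Python below computes the first two of these measures from raw data and maps each onto the lower / moderate / higher risk tiers of slide 16 (an hour, a day, a week; 1%, 4%, 10%). The PatchEvent and Account records, the host and account names, and the small data set are constructed for illustration; the threshold values are the deck's.

```python
"""
Added example (not from the NRECA deck): compute two CSC measures from sample
data and score them against the deck's lower / moderate / higher risk tiers.
All input data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# A measure is rated at the first tier whose limit it stays within; beyond the
# "higher" limit it is out of tolerance altogether.
TIME_TIERS = [("lower", timedelta(hours=1)),
              ("moderate", timedelta(days=1)),
              ("higher", timedelta(weeks=1))]
PERCENT_TIERS = [("lower", 1.0), ("moderate", 4.0), ("higher", 10.0)]


def risk_tier(value, tiers):
    """Return 'lower', 'moderate', 'higher' or 'out_of_tolerance'."""
    for tier, limit in tiers:
        if value <= limit:
            return tier
    return "out_of_tolerance"


@dataclass(frozen=True)
class PatchEvent:
    host: str
    released: datetime   # vendor release time
    deployed: datetime   # time the host reported the patch installed


def patch_deployment_time(events):
    """CSC 4 measure: worst-case release-to-deploy delay across all hosts.
    The maximum is used rather than the mean so that one straggler cannot
    hide behind many fast hosts."""
    return max(e.deployed - e.released for e in events)


@dataclass(frozen=True)
class Account:
    name: str
    elevated: bool   # member of an administrative group
    mfa: bool        # two-factor enforced at logon


def pct_elevated_without_mfa(accounts):
    """CSC 5 measure: percentage of elevated accounts that do not require 2FA."""
    elevated = [a for a in accounts if a.elevated]
    if not elevated:
        return 0.0
    missing = sum(1 for a in elevated if not a.mfa)
    return 100.0 * missing / len(elevated)


def score_measures(patch_events, accounts):
    """Evaluate both measures and attach the risk tier each one lands in."""
    delay = patch_deployment_time(patch_events)
    pct = pct_elevated_without_mfa(accounts)
    return {
        "csc4_patch_delay": delay,
        "csc4_tier": risk_tier(delay, TIME_TIERS),
        "csc5_pct_elevated_no_mfa": pct,
        "csc5_tier": risk_tier(pct, PERCENT_TIERS),
    }


# --- constructed sample data (hypothetical hosts and accounts) ---------------
RELEASE = datetime(2017, 11, 1, 9, 0)
SAMPLE_PATCHES = [
    PatchEvent("ws-101", RELEASE, RELEASE + timedelta(hours=6)),
    PatchEvent("ws-102", RELEASE, RELEASE + timedelta(hours=20)),
    PatchEvent("srv-db-01", RELEASE, RELEASE + timedelta(days=3)),  # the straggler
]
# 25 elevated accounts, one of them without MFA, plus ordinary users.
SAMPLE_ACCOUNTS = (
    [Account(f"admin{i:02d}", elevated=True, mfa=True) for i in range(24)]
    + [Account("svc-backup", elevated=True, mfa=False)]
    + [Account(f"user{i:02d}", elevated=False, mfa=False) for i in range(10)]
)

if __name__ == "__main__":
    for key, value in score_measures(SAMPLE_PATCHES, SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
```

With this data the three-day database server pushes the CSC 4 measure into the "higher" tier even though two of three hosts patched within a day, and a single unprotected service account out of 25 puts CSC 5 exactly on the 4% "moderate" line; in practice the account list comes from the directory and the patch events from the patch-management system, and the script runs on a schedule so the tiers become a trend rather than a snapshot.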

18 Effectiveness Testing
- 30 tests to run; some are quite complex
- Adding items to your environment and seeing what your responses are
- Just think like the bad guys, times 10
- Periodic: need to decide what frequency to run the tests
- Need to design your systems so they can be tested

19 Example Testing
- Connect hardened systems to the network and verify that the system generates an alert (CSC 1 Hardware Inventory and NAC)
- Attempt to gain access to a cross section of devices using default administrator passwords (CSC 5 Admin Access)
- Perform authorized phishing attempts (CSC 7 Email and Browser Protections)
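The detection side of the first test, as an added Python example that is not from the deck: an unregistered but hardened machine is plugged in, and the check below must produce an alert for it by comparing what is on the wire against the authorized hardware inventory. The ARP-table lines, the inventory entries and the hostnames are constructed for illustration; the MAC normalization is there because inventories typed on Windows, Linux and switch CLIs each write the same address differently, and an unnormalized comparison would let the test pass for the wrong reason.

```python
"""
Added example (not from the NRECA deck): detection logic for the CSC 1
effectiveness test. A device whose MAC is not in the authorized inventory
must raise an alert. Sample ARP output and inventory are constructed.
"""
import re
from dataclasses import dataclass

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Accepts 00:11:22:33:44:55, 00-11-22-33-44-55 and Cisco-style 0011.2233.4455
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b",
    re.I,
)


def normalize_mac(mac):
    """Canonical lower-case colon-separated form, so the same adapter matches
    however the inventory happened to record it."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Observation:
    ip: str
    mac: str


def parse_arp_table(lines):
    """Pull (ip, mac) pairs out of `arp -n` / `arp -a` style output.
    Header lines and incomplete entries (no hardware address yet) are skipped."""
    seen = []
    for line in lines:
        parts = line.split()
        if not parts or not IPV4_RE.match(parts[0]):
            continue                      # header or interface line
        m = MAC_RE.search(line)
        if m is None:
            continue                      # e.g. an "(incomplete)" entry
        seen.append(Observation(parts[0], normalize_mac(m.group(0))))
    return seen


def load_inventory(entries):
    """Authorized inventory as {normalized_mac: hostname}."""
    return {normalize_mac(mac): host for mac, host in entries}


def unauthorized_devices(observations, inventory):
    """Every observed adapter the inventory does not know about."""
    return [o for o in observations if o.mac not in inventory]


def alerts(observations, inventory):
    """One alert line per unauthorized device. An empty list after plugging in
    the test system means the CSC 1 test failed: no alert was generated."""
    return [f"ALERT unauthorized device ip={o.ip} mac={o.mac}"
            for o in unauthorized_devices(observations, inventory)]


# --- constructed sample data (hypothetical hosts) ----------------------------
AUTHORIZED = load_inventory([
    ("00-11-22-33-44-55", "ws-101"),      # recorded in Windows dash form
    ("0011.2233.4466", "printer-2"),      # recorded from a switch CLI
])
ARP_LINES = [
    "Address        HWtype  HWaddress           Flags Mask  Iface",
    "10.0.1.10      ether   00:11:22:33:44:55   C           eth0",
    "10.0.1.11      ether   00:11:22:33:44:66   C           eth0",
    "10.0.1.12              (incomplete)                    eth0",
    "10.0.1.40      ether   AA:BB:CC:DD:EE:FF   C           eth0",  # the hardened test box
]

if __name__ == "__main__":
    found = alerts(parse_arp_table(ARP_LINES), AUTHORIZED)
    for line in found or ["no alert raised: CSC 1 effectiveness test FAILED"]:
        print(line)
```

Run as a scheduled job against real `arp -n` output (or DHCP lease and switch MAC-table exports, which parse the same way) and feed the alert lines to whatever the incident process already watches; the effectiveness test then reduces to plugging in the box and checking that the alert arrived within the CSC 1 time threshold.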

20 Attack Types
- 23 attack types
- Useful for risk assessments
- Can cross-reference to top-level controls (v5)
- Can be used to mitigate incident scenarios
- We identified 9 incident scenarios

21 Example Attack Types
- Attackers distribute hostile content on Internet-accessible websites that exploit unpatched and improperly secured client software running on
- Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness
- Attackers exploit weak application software, particularly web applications, through attack vectors such as SQL injection, cross-site scripting, and similar tools

22 Example Incident Scenarios
- Attackers exploit inbound email to introduce malware into the environment
- Attackers exploit our websites to either introduce malware or to extract data directly
- Insiders surfing the Internet, resulting in malware being introduced into the environment

23 Tying Things Together
Attack Type: Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness
Incident Scenario: Attackers exploit inbound email to introduce malware into the environment
Applicable Controls:
- 05 Controlled Use of Administrative Privileges
- 07 Email and Web Browser Protections
- 16 Account Monitoring and Control
- 17 Security Skills Assessment and Appropriate Training to Fill Gaps

24 Other Component Parts
- Governance Controls: defines 15 categories of governance controls
- Appendices: Evolving an Attack Model; NIST Framework; National Hygiene Campaign; Privacy Impact Assessment

25 Select an approach
- Essential that you are thoughtful and organized
- A huge task to undertake
- If you aren't careful you can actually make things worse
- You are going to need a lot of support and resources
- Have some idea of the time frame and length of time
- Project vs. operational focus

26 Start with an Assessment
- Broke the 149 sub-controls into device- and area-specific sub-controls (350 total)
- Surveyed by team
- Overall effectiveness vs. the actual words
- Aggregated results, worked out differences between teams
- Risk ranked based on the security value
- Validate against effectiveness measures

27 What We Discovered
Tangible benefits from the initial assessment:
- Identified any really serious gaps
- Low hanging fruit
- Anything close to completion
- Absolutely need high-level prioritization
- Absolutely need project management

28 [Control wheel diagram, CSC 1-20] Quick wins based upon risk assessment

29 Created a Formal Project
- Cross-functional teams
- Qualified project manager
- Let the teams self-identify the work within the work
- Made it a real priority
- Obtained the tools and training that the teams needed

30 Get training and awareness program going [Control wheel diagram, CSC 1-20]

31 [Control wheel diagram, CSC 1-20] Drive to Vulnerability Management

32 [Control wheel diagram, CSC 1-20] Drive to Vulnerability Management and include Network Secure Configurations

33 Tackle Incident Management, Audit Logs and Data Recovery [Control wheel diagram, CSC 1-20]

34 In many cases Incident Management may include Penetration Exercises [Control wheel diagram, CSC 1-20]

35 Complete controls over Accounts and Data [Control wheel diagram, CSC 1-20]

36 May want to attack App Sec, Email and Browsers at the same time [Control wheel diagram, CSC 1-20]

37 Consider all of the network-related controls together [Control wheel diagram, CSC 1-20]

38 Putting it all Together
Slides 39 to 45 step through the control wheel diagram (CSC 1-20) in the order the program was sequenced:
39 Quick wins based upon risk assessment
40 Start with training
41 Drive to Vulnerability Management
42 Add in Incident Response
43 Complete controls over Accounts and Data
44 Complete App Sec, Email and Browsers
45 Ensure Network Controls are completed

46 An "On Ramp" to Compliance
- Use the CSC compliance model if it's useful
- Mappings currently exist between the CSCs and: NIST rev4; NIST Cyber Security Framework; ISO Control Catalog; HIPAA / HITECH Act

47 Actionable Next Steps
- Get a charter from senior executives
- Create governance structures
- Document policies
- Implement the controls defined by policies
- Measure/audit the controls that are defined by the policies
- Communicate, communicate, communicate

48 In Summary
- Implementing these controls will mitigate risks
- But it's easy to get overwhelmed
- Do at least a high-level risk assessment
- Prioritize actions
- Get the quick wins
- Settle in for the long haul
- Know that there is a lot of help available

49 Q & A

50 Resources for further study:
- The Critical Security Controls courses, SANS SEC 440 / 566
- The Critical Security Controls Project
- AuditScripts.com resources
- Mandiant APT1 Report (with appendixes)
- The Security Content Automation Protocol (SCAP) by NIST
- NIST 800 Series Special Publications
- DHS Cyber Security Evaluation Tool (CSET)

51 [Control wheel diagram, CSC 1-20] Basic Structure – System
52 [Control wheel diagram, CSC 1-20] Basic Structure – Network
53 [Control wheel diagram, CSC 1-20] Basic Structure – Application
54 [Control wheel diagram, CSC 1-20] Basic Structure – System – Network – Application
55 [Control wheel diagram, CSC 1-20] Governance (what you should do) – Identify Info Assets
56 [Control wheel diagram, CSC 1-20] Governance (what you should do) – Know Your Vulnerabilities
57 [Control wheel diagram, CSC 1-20] Governance (what you should do) – Identify Key Threats
58 [Control wheel diagram, CSC 1-20] Governance (what you should do) – Identify Info Assets – Know Vulnerabilities – Identify Key Threats – Control Access
59 [Control wheel diagram, CSC 1-20] Governance (what you should do) – Identify Info Assets – Know Vulnerabilities – Identify Key Threats – Control Access (build complete)

60 All 20 controls are in progress, if not finished [Control wheel diagram, CSC 1-20]

