Upload File

csa slovenija owasp · nist 800-53,hitrust csf, iso 27001/27002, ... compliance mapping control...

  • Home
  • Documents
  • CSA Slovenija OWASP · NIST 800-53,HITRUST CSF, ISO 27001/27002, ... Compliance Mapping Control Revisions v1.1 Control Area ... – ENISA Cloud Computing Risk Assessment
5
Predstavitev CCSK Področja delovanja Primeri CAI in CCM – Aplikacijska varnost Zaključek 6 5 4 4 3 3 2 2 1 1 GRC knjižnica

Upload: vunguyet

Post on 02-Apr-2018

228 views

Category:

Documents


1 download

Report

TRANSCRIPT

Page 1: CSA Slovenija OWASP · NIST 800-53,HITRUST CSF, ISO 27001/27002, ... Compliance Mapping Control Revisions v1.1 Control Area ... – ENISA Cloud Computing Risk Assessment

Predstavitev

CCSK

Področja delovanja

Primeri CAI in CCM – Aplikacijska varnost

Zaključek66

55

44

33

22

11

GRC knjižnica

Page 2: CSA Slovenija OWASP · NIST 800-53,HITRUST CSF, ISO 27001/27002, ... Compliance Mapping Control Revisions v1.1 Control Area ... – ENISA Cloud Computing Risk Assessment

• Globalna, neprofitna organizacija• 23,000+ članov, 100 korporativnih članov, 50 odsekov• Gradimo najboljše prakse in zaupanja vreden ekosistem• Agilna filozofija, hiter razvoj uporabnih raziskav

– GRC: Uravnoteževanje skladnosti z upravljanjem tveganji

– Referenčni modeli: z uporabo obstoječih standardov

– Identiteta: osnova za delovanje oblačnega trga

– Zagovarjanje združljivosti

– Omogočanje inovacij

– Zagovarjanje preudarne javne politike

“Promocija uporabe najboljših praks za zagotovljanje varnosti znotraj računalništva v oblaku in izobraževanje o uporabi računalništva v oblaku z

namenom zaščite vseh ostalih oblik računalništva.”

Arhitektura oblaka Upravljanje v oblaku Delovanje v oblakuArhitekturni okvir računalništva v

oblaku

Korporativno upravljanje in upravljanje

organizacijskih tveganj

Tradicionalna varnost, neprekinjeno poslovanje in okrevanje po katastrofi

Pravna in elektronska razkritja

Odziv na incidente, obveščanje in odprava

Skladnost in revizija Aplikacijska varnostUpravljanje življenjskega

cikla informacijEnkripcija in upravljanje

s ključiPrenosljivost in

združljivostUpravljanje z identitetami

in dostopiVirtualizacija

Varnost kot storitev (predlog)

Page 3: CSA Slovenija OWASP · NIST 800-53,HITRUST CSF, ISO 27001/27002, ... Compliance Mapping Control Revisions v1.1 Control Area ... – ENISA Cloud Computing Risk Assessment

Družina 4 raziskovalnih projektov

Cloud Controls Matrix

Consensus Assessments Initiative

Cloud Audit

Cloud Trust Protocol

Orodja za korp. upravljanje ter upravljanje tveganj in skladnosti

Omogoča avtomatizacijo in neprekinjen nadzor GRC

Government Specs Extensions Commercial

??? Continuous monitoring … with a purpose

• Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers

??? Claims, offers, and the basis for auditing service delivery

• Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments

• FedRAMP

• DIACAP

• Other C&A standards

Pre-audit checklists and questionnaires to inventory

controls

• Industry-accepted ways to document what security controls exist

NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …

The recommended foundations for controls

• Fundamental security principles in assessing the overall security risk of a cloud provider

Deliver “continuous monitoring” required by A&A methodologies

Page 4: CSA Slovenija OWASP · NIST 800-53,HITRUST CSF, ISO 27001/27002, ... Compliance Mapping Control Revisions v1.1 Control Area ... – ENISA Cloud Computing Risk Assessment

SaaS PaaS IaaSService Provider Tenant COBIT 4.1 HIPAA / HITECH Act

ISO/IEC 27001-2005 NIST SP800-53 FedRAMP PCI DSS v2.0

Security Architecture - Application Security

SA-04 Applications shall be designed in accordance with industry accepted security standards (i.e., OWASP for web applications) and complies with applicable regulatory and business requirements.

No Change X X X X COBIT 4.1 AI2.4 45 CFR 164.312(e)(2)(i) A.11.5.6A.11.6.1A.12.2.1A.12.2.2A.12.2.3A.12.2.4A.12.5.2A.12.5.4A.12.5.5A.12.6.1A.15.2.1

NIST SP800-53 R3 SC-2NIST SP800-53 R3 SC-3NIST SP800-53 R3 SC-4NIST SP800-53 R3 SC-5NIST SP800-53 R3 SC-6NIST SP800-53 R3 SC-7NIST SP800-53 R3 SC-8NIST SP800-53 R3 SC-9NIST SP800-53 R3 SC-10NIST SP800-53 R3 SC-11NIST SP800-53 R3 SC-12NIST SP800-53 R3 SC-13NIST SP800-53 R3 SC-14NIST SP800-53 R3 SC-17NIST SP800-53 R3 SC-18NIST SP800-53 R3 SC-20

NIST SP800-53 R3 SC-2�NIST SP800-53 R3 SC-3�NIST SP800-53 R3 SC-4�NIST SP800-53 R3 SC-5�NIST SP800-53 R3 SC-6�NIST SP800-53 R3 SC-7�NIST SP800-53 R3 SC-7 (1)�NIST SP800-53 R3 SC-7 (2)�NIST SP800-53 R3 SC-7 (3)�NIST SP800-53 R3 SC-7 (4)�NIST SP800-53 R3 SC-7 (5)�NIST SP800-53 R3 SC-7 (7)�NIST SP800-53 R3 SC-7 (8)�NIST SP800-53 R3 SC-7 (12)�NIST SP800-53 R3 SC-7 (13)�NIST SP800-53 R3 SC-7 (18)�

PCI DSS v2.0 6.5

Compliance MappingControl

Revisions v1.1

Control Area Control ID

Control Specification

Cloud Service Delivery Model Applicability

Scope Applicability

Security Architecture - Application Security

SA-04 SA-04a - Do you utilize industry standards (Build Security in Maturity Model [BSIMM] Benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc) to "build-in" security for your Systems/Software Development Lifecycle (SDLC)?SA-04b - Do you utilize an automated source-code analysis tool to detect code security defects prior to production?SA-04c - Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?

Consensus Assessment Questions(Cloud-Specific Control Assessment)Control Area Control

ID

• Prvi certifikat na področju varnosti v oblaku

• Temelji na osnovi dveh gradiv:– CSA vodilo– ENISA Cloud Computing Risk Assessment

• Dve vrsti delavnic:– CCSK Osnovni (1 dan)– CCSK Napredni (2 dni)

Page 5: CSA Slovenija OWASP · NIST 800-53,HITRUST CSF, ISO 27001/27002, ... Compliance Mapping Control Revisions v1.1 Control Area ... – ENISA Cloud Computing Risk Assessment

• CSA Application Security Whitepaper:– https://cloudsecurityalliance.org/wp-

content/uploads/2011/07/csaguide-dom10-v2.10.pdf

• Članstvo v slovenskem odseku– Brezplačno– Včlanitev preko LinkedIn skupine Cloud Security Alliance,

Slovenia Chapter (http://goo.gl/t7G25)

• Za vsa morebitna vprašanja in sodelovanje pišite:– [email protected]


Monthly Cyber Threat Briefing - HITRUST Alliance · 1 855.HITRUST (855.448.7878) © 2015 HITRUST Alliance. All Rights Reserved. Monthly Cyber Threat Briefing October 2015

1. HITRUST Background - AICPA · 1. HITRUST Background ... *Meaningful Use ... implement these controls to qualify for HITRUST CSF Certification. High -risk Exposure Areas for Health

Full Report | ENISA

ENISA Annual Activity Report 2014 | ENISA

Enisa Osmancevic - Pramciok

CERT.be / ENISA ENISA Incident Handling Training Workshop

HITRUST - ecfirst.com · HITRUST Self-Assessment HITRUST Self-Assessment ♦Validation Certification HITRUST Validation & Certification HITRUST Exec Brief

ENISA & Cybersecurity

ENISA Annual Activity Report 2015 | ENISA

ENISA Threat Landscape - Prisa Digitalboletines.prisadigital.com/ENISA Threat Landscape Published.pdf · 4 ENISA Threat Landscape Responding to the Evolving Threat Environment 2 Introduction

HITRUST CSF Assurance Program Requirements

Folleto ENISA

Presentation of ENISA

Introduction to the HITRUST CSF · • State security requirements (e.g., Nevada, Massachusetts, and Texas) • Experiences and best practices of HITRUST participants The HITRUST

Enisa Secure USB

UoF - HITRUST & Risk Analysis v1

HITRUST Third Party Assurance (TPA) Risk Triage Methodology · Copyright 2019 © HITRUST Alliance. This information contained in this document is the property of HITRUST Alliance

SOC 2 + HITRUST: Understanding the Benefits · PDF fileSOC 2® + HITRUST: Understanding the Benefits 888.702.5446 | | [email protected] © 2017 HITRUST Alliance. ... © 2017 HITRUST

HITRUST NIST CSF RFI Response

HITRUST CSF Bridge Assessment · 3. Please verify what the charge will be for the HITRUST CSF Bridge Assessment. The HITRUST CSF Bridge Assessment object and subsequent certificate

Pedro Granado - Enisa

Forensic analysis - ENISA

SU ENISA · 2020-02-25 · SU ENISA L’Agenzia europea per la sicurezza delle reti e dell'informazione (ENISA), sin dal 2004, si occupa di rendere l’Europa cyber-sicura. ENISA

ISO/IEC 27002:2005 Farsi - Hashemitabarmahdi.hashemitabar.com/cms/images/Download/ISO/iso-iec-27002-2005...Islamic Republic of Iran ISIRI-ISO/IEC 27002 ˝˛˚ ˜ $% &˘ 27002 1st

201506_Presentación ENISA (base)

HITRUST CyberAid Security Program - HITRUST Alliance · © 2017 HITRUST Alliance. HITRUST CyberAid Security Program ... © 2017 HITRUST Alliance. REFERENCE SLIDES © 2017 HITRUST

HITRUST risk management frameworks

ENISA STRATEGY - Europa

Enisa 1..docx

Monthly Cyber Threat Briefing - HITRUST€¦ · 3 855.HITRUST (855.448.7878) © 2015 HITRUST Alliance. All Rights Reserved. NCCIC/US-CERT REPORT

Hitrust: Navigating to 2017, Your Map to HITRUST Certification

ENISA [s efforts related to the NIS Directive · ENISA [s role in supporting MS with OESs ENISA | NIS Directive ENISA WP2017 activities CG WP2017 activities O.1.1.1 - Baseline Security

UNIVERSIDAD CATÓLICA SANTO TORIBIO DE MOGROVEJO … · En base a las metodologías COBIT 4.1, NTP – ISO – IEC 27001, NTP – ISO – IEC 27002, Osstmm Wireless 2.9, ENISA, RED-M,

ENISA – Cloud Computing Security Strategy - TERENA · ENISA – Cloud Computing ... What is cloud computing –ENISA’ s understanding. . ... benefits of cloud computing

ENISA and CERTs · ENISA and CERTs Results from 2006 A wrap-up and outlook Marco Thorbruegge, ENISA Senior Expert Computer Security and Incident Response 2nd ENISA Workshop CERTs