
PREPARED BY

Warrant of Fitness for Security: The “C” of the “C and A”

As presented at

ISACA Wellington Security Education Day 2013

• What is a Security Certificate?

• Why have them?

• How does the security framework work?

• A helicopter view of the evolution of a process

• Communication and Fleet Management

BIO: Howard Page

Howard Page has served on the ISACA Wellington Committee, led CISM study groups, organised CSED days, established and run security governance groups and held roles in IT Audit, Information Assurance, and IT Security Management.

In his post-ISACA life Howard returns to us to talk about a warrant of fitness for security and “fleet management” from an information security perspective.

Who

Information assurance for the protection of assets

What is it

• An assertion made at a point in time that a site, system, or application can be expected to comply with the minimum relevant standards for a period of time to protect an identified set of information, for a particular environment.

What is it to be applied to

• Ministry of Health systems only, and designed to be invoked at the start of projects

• One or more security baselines have already been set, e.g. standards, guidelines, manuals etc. for the protection of information

• Information systems carrying high risk / high value information

• Renewals

What is a System Security Certificate?

Why have them / Problems to solve

Stating the standards applicable for Service Delivery

• Standard: Something that some people agree on – that’s all.

• Standards don’t relate to unique service line risks, and don’t set priorities

• Risk: something that happens (or doesn’t happen that could) that results in a “Change” (hopefully for the better) to the operational environment.

Acceptance of residual risk

• Risk approaches are generally tailored for corporate risks (ISO)

• Who advises on “residual risks” and for whom? (Governance)

• What does “Transfer” of risk mean? Where does the money go?

Fleet Management perspective

• Is the fleet of information systems generally getting better?

Why have them?

Comparisons to a Warrant of Fitness

Like a warrant of fitness

• Centric on what is being carried and stored

• Compliance plus risk assessment

• Lasts for a finite period of time

• The vehicle is best designed at the outset with knowledge of the compliance regime / warrant of fitness compliance requirements

• Is issued independently: being free from the encumbrance of harm for an adverse opinion

Unlike a warrant of fitness

• Waivers are possible, at different levels for different things

What is a System Security Certificate?

Strategy, Policy, Controls catalogue – drive down

Overarching

ICT security framework

• Strategy

• Policy

• Controls

Agency artifacts

• Strategies

• Policies

• Business Rules and Guidelines

• Procedures, etc

• Contracts and Memorandum of Understanding

How does the Security Framework work?

Process evolution

Evolution of the process in other jurisdictions

• USA: NIST Security Certification process SP800-57, and its rebranding to “Risk Management Framework” (3 examples)

• Australia: DSD Information Security Manual (3 examples)

… next 6 slides can be printed off in A3

What is really important

• A “results driven” process. Not effort or time driven.

o Stating the standards applicable (security baselines)

o Governance (Roles and Responsibilities)

o Knowing what you’re going to do (Statement of Work)

o Communicating - telling people what’s been done and preparing them for the next steps


A helicopter view of the evolution of a process

• USA 1st publication: Define the process and 10 tasks

• USA 2nd publication: Assign the roles, simplify the tasks

• USA 3rd publication: Id the asset and verify the controls

• Australia 1st publication: Consider operational env.

• Australia 2nd publication: Reduce the risk (diagram label: Control valve)

• Australia 3rd publication: Accept the residual risk

• A Plan for Communication

Security baselines and the risks that sit on top of them (example only)

Security Baseline: Core Mitigations (First 4 Mitigations)

• USA priority area #5 IDS / IPS

• USA priority area #8 Education & training

• USA priority area #12 File format checks

• USA priority area #21 Antivirus

Risk-based Assessment (diagram label)

Step 1: Communicate the applicable standards

Transparency and multiple role management

Storekeeper, Fire Chief, Postmaster, Consumers of a service

Newspaper Editor and Publisher ….

… and protection from the encumbrance of harm for an adverse opinion (Independence)

Step 2: Communicate roles and responsibilities

Image copyright © 1965 Filmways TV Productions, Orion Television, MGM, CBS

Tell the story from the start to the finish and back to the start

Step 3: Communicate the evaluation method

Linkage and Traceability !!!!

1. Statement of Standards Applicable

• Statement of Applicability – ISO 27001:2013

2. Security Governance and Management Framework

• minimum roles and responsibilities from the standards

3. Statement of Work for security assurance services

• TOR for the report (show value for money)

4. Certification Communication

• Preparing the “Next steps”

Use the Security Certificate report / appendix as a mechanism to inform the next steps

Step 4: Communicate the action and what it means

System Security Certificate format: traditional approach

• Page 1: Authority to issue a System Security Certificate, Scope, System Security Classification, Next Steps, Sign-offs (responsible, accountable, informs / is informed).

• Appendix: Physical Security, Compliance, Change Management, Security Policy and System Security Plan, Risk Assessment (including Procurement Rule 13.3m), Operating Procedures Manual, Decommissioning and environmental sustainability, Residual risks and waivers.

System Security Certificate – an alternative appendix format

• Appendix: Data transfer: Governance and oversight, prepare the data, prepare the file, transfer the file, receive the file, receive the data.

Final comment: The overall security of …. has improved with the move from …. to …. and the minimum security requirements are met.

I am therefore obliged to certify this system

Fleet Management of Services …… (Warrants of Fitness for security) … to be Delivered

Fleet Management

Forward Schedule of Warrant of Fitness for security work

Structure (diagram label)

PREPARED BY

Warrant of Fitness for Security: The “C” of the “C and A”

Questions

‘If you don’t know where you are going, any path is as good as another … but you won’t realise you’re lost, you won’t know what time you’ll get there, you might unknowingly be going in circles, and others won’t understand how they can help. And, since you could pass right by without knowing it, you won’t even get the satisfaction of having arrived!’

Lewis Carroll: Alice in Wonderland

References

As requested by members of the audience during question time at the end of the ISACA Wellington SED2013 day, I have added this extra slide at the end for the security-related references. As always, the documents listed here should be your authoritative sources to be quoted, and not this presentation itself.

New Zealand and Australian Sources

• New Zealand's Cyber Security Strategy http://www.dpmc.govt.nz/dpmc/publications/nzcss

• Security in the Government Sector http://www.nzsis.govt.nz/publications/security-in-the-government-sector/

• New Zealand Information Security Manual http://www.gcsb.govt.nz/newsroom.html

• Australian Signals Directorate Information Security Manual http://www.asd.gov.au/infosec/ism/

• Australian Signals Directorate Strategies to Mitigate Targeted Cyber Intrusions http://www.asd.gov.au/infosec/

Other Sources

• U.S. National Institute of Standards and Technology, security and risk guidance: SP800-37 for a risk management framework ("security certification" in older withdrawn versions), SP800-39 for information security risk management, and probably a few others that I have subconsciously absorbed http://csrc.nist.gov/publications/PubsSPs.html

• SANS 20 Critical Security Controls http://www.sans.org/critical-security-controls/ and http://www.sans.org/critical-security-controls/winter-2012-poster.pdf

• ISO/IEC 27000 family of standards for information security http://www.standards.co.nz/

• US Department of Energy, Cybersecurity Risk Management Process (RMP) Guideline - Final (May 2012) http://energy.gov/oe/services/cybersecurity/cybersecurity-risk-management-process-rmp, as an example of an approach (i.e. not for the content) in how to take generic guidance (similar to what is listed above) and document something with context that is meaningful for a particular organisation.