
Measuring Compliance with Tenable Security Center

Joe Zurba | HUIT IT Security Presentation to FAS Security Liaisons

May 23, 2013

2

Agenda:

• What is compliance and why is it important?

• What do we need to comply with?

• What can we measure?

• How is measurement accomplished?

• What are the first steps?

• What are the next steps?

• Questions

3

What is Compliance?

• com·pli·ance

/kəmˈplīəns/

Noun

1. The action or fact of complying with a wish or command.

2. The state or fact of according with or meeting rules or standards.

Synonyms

agreement - consent - accord - accordance - conformity

• Compliance means conforming to a rule, such as a specification, policy, standard or law.

4

Why is Compliance Important?

• Compliance provides a baseline posture from which we can build more mature processes and controls

• Compliance provides standards

• Compliance helps to lower risk

• Compliance helps to improve the quality of work

• Compliance helps to mitigate potential penalties

5

What Do We Need To Comply With?

• Depending on where you are within Harvard, you may need to comply with one or several of the following policies/standards:

– HIPAA

– FERPA

– PCI

– Massachusetts 201 CMR 17

– Harvard Information Security Policy

– Harvard Research Data Security Policy

– Contractual Obligations

6

What Can We Measure?

• Government Compliance

– FISMA, NIST, DISA STIG, CERT

• Regulatory Compliance

– HIPAA, Sarbanes-Oxley (SOX), FERPA

• Corporate (Institutional) Governance, Risk, and Compliance (GRC)

– Institutional Policy, PCI, ISO 27001

And…

• Harvard Security Policy

7

How Is Measurement Accomplished?

• Tenable Security Center Vulnerability Scanning

– Used to measure systems for vulnerabilities in Operating Systems and common applications

– Uses credentialed scans to unobtrusively log into systems to analyze patch status

• Tenable Security Center Compliance Scanning

– Uses industry standard or custom audit files to measure system configurations

– Uses credentialed scans to unobtrusively log into systems

8-10

Audit Files (screenshot slides; images not included in this transcript)

11-13

Scan Policy (screenshot slides; images not included in this transcript)

14-15

Add a Compliance Scan (screenshot slides; images not included in this transcript)

16-19

Analyze The Results (screenshot slides; images not included in this transcript)

What Are The First Steps?

• Measuring systems that store or process HRCI (PII) against 10 points of the HEISP:

– Private IP addressing

– Host-based firewall

– Vulnerability Scanning and Patching program

– External logging (Splunk)

– Active, up-to-date Anti-Virus software

– Unique credentials, default passwords changed, shared accounts disabled

– Password length and complexity

– Brute force credential lock-outs

– Logging of successful and unsuccessful login attempts
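An added example, not from the presentation or from Tenable: a small Python emulation of how an audit-file check measures configuration (the mechanism behind the "How Is Measurement Accomplished?" slide), with checks modelled on three of the HEISP points above. The check semantics are simplified, and the file paths, regexes and host data are constructed assumptions, not real scan output.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    """A check in the spirit of a Nessus .audit FILE_CONTENT_CHECK: lines of `file`
    matching `regex` must each satisfy `expect`. Simplified semantics, not Tenable's engine."""
    description: str
    file: str
    regex: str
    expect: str

# Checks modelled on three HEISP points from the "First Steps" slide (constructed here).
CHECKS = [
    Check("Password length: PASS_MIN_LEN at least 10", "/etc/login.defs",
          r"^\s*PASS_MIN_LEN\b", r"^\s*PASS_MIN_LEN\s+[1-9][0-9]+\s*$"),
    Check("Brute-force lockout: pam_faillock deny of 5 or fewer", "/etc/pam.d/system-auth",
          r"pam_faillock\.so.*\bdeny=", r"\bdeny=[1-5]\b"),
    Check("Host-based firewall: ufw enabled", "/etc/ufw/ufw.conf",
          r"^\s*ENABLED=", r"^\s*ENABLED=yes\s*$"),
]

def evaluate(check, files):
    """Return PASSED, FAILED or ERROR for one check against one host's file contents."""
    content = files.get(check.file)
    if content is None:
        return "ERROR"  # unreadable/missing file is reported apart from FAILED, never as a pass
    hits = [ln for ln in content.splitlines() if re.search(check.regex, ln)]
    if not hits:
        return "FAILED"  # setting absent entirely counts as non-compliant
    return "PASSED" if all(re.search(check.expect, ln) for ln in hits) else "FAILED"

def compliance_summary(hosts, checks=CHECKS):
    """Per-host check results plus a percent score: the roll-up a liaison would report."""
    summary = {}
    for host, files in hosts.items():
        results = {c.description: evaluate(c, files) for c in checks}
        passed = sum(r == "PASSED" for r in results.values())
        summary[host] = {"results": results, "score": round(100 * passed / len(checks))}
    return summary

# Constructed stand-in for what a credentialed scan would read from two hosts.
SAMPLE_HOSTS = {
    "web01": {"/etc/login.defs": "# PASS_MIN_LEN 5\nPASS_MIN_LEN 12\n",
              "/etc/pam.d/system-auth": "auth required pam_faillock.so preauth deny=5 unlock_time=900\n",
              "/etc/ufw/ufw.conf": "ENABLED=yes\nLOGLEVEL=low\n"},
    "db02": {"/etc/login.defs": "PASS_MIN_LEN 8\n",
             "/etc/pam.d/system-auth": "auth required pam_faillock.so preauth deny=10\n"},
}   # db02 has no readable ufw.conf, so that check is an ERROR, not a pass
```

Keeping ERROR distinct from FAILED matters when reporting: a host whose files the scan credentials could not read has an unknown posture, not a compliant one.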

21

What Are The Next Steps?

• Establish a process for ongoing compliance scanning, reporting and remediation

• Expand the service offering to comply with other regulatory standards

– HIPAA

– PCI

• Define standard build audit files to scan for deviation

22

Questions

Joe Zurba | HUIT IT Security Presentation to Security Liaisons

May 23, 2013

Thank you.