- Latest Thoughts: When Cryptography is irrelevant, bypassing key card security http://t.co/x3Sbe5Gc 2012-01-17
- RT @Urvaksh: Lunch: 2 energy bars & 8 cups of coffee. Yeah, Friday's going to be that good. #AtlBizChron <- the best things come from focus 2012-01-17
- When vendors attack, inspired by India espionage reports of USCC and Symantec: The attacker victim scenarios we … http://t.co/921Rudjc 2012-01-18
- Latest Thoughts: When vendors attack, inspired by India espionage reports of USCC and Symantec http://t.co/ujBSYF5j 2012-01-18
- RT @heidishey: New self assessment tool for Forrester infosec metrics maturity model! http://t.co/5XBUvjuC <– HTTP ERROR, new link? 2012-01-18
- Update and final GSA Rule provides value related to Vendor 3rd party audits: The GSA Final Rule got a lot of att… http://t.co/F6ajUYzq 2012-01-18
- Would you be PCI Compliant if there were not fines, fees, damages? Possible result of court case: An interestin… http://t.co/nnetn9zu 2012-01-19
- Latest Thoughts: Would you be PCI Compliant if there were not fines, fees, damages? Possible result of court case http://t.co/F2f9UFab 2012-01-19
- " #PCI compliance is fiercely expensive, but all it does is protect against accidents" http://t.co/TgHRNTkD <- interesting observ #infosec 2012-01-19
- Oh a new year and so many new opportunities. Gotta love the passion in our industry! #infosec 2012-01-19
- RT @TomSellers: Symantec, did your DLP product catch the exfiltration of source code? <– their #RSAC talks shld be updated to provide intel 2012-01-19
- The Great CON is out! http://t.co/bWCVdIp6 ▸ Top stories today via @rcs_pos @siliconshecky @bfpennington @heartlandhpy @bulwarkz 2012-01-19
- Vendor Proof of Security, GSA Final Rule and how it can help everybody else: The GSA Final Rule got a lot of att… http://t.co/sNMkLc4Q 2012-01-20
- Latest Thoughts: Vendor Proof of Security, GSA Final Rule and how it can help everybody else http://t.co/rNO19DIE 2012-01-20
- So this is what the Flu feels like. Awesome. 2012-01-20
Weekly recap of Tweets, Links, and Ideas
January 23rd, 2012
Tags: Technology Strategy Orchestration
Update and final GSA Rule provides value related to Vendor 3rd party audits
January 18th, 2012
The GSA Final Rule got a lot of attention in the government services sector because it solidified the requirements related to security and third parties. The Final Rule makes clear that, upon winning a contract and in order to continue it, ongoing performance and attestation of the security program are required. Specifically, the language states the following:
“…the rule requires contractors, within 30 days after contract award to submit an IT Security Plan to the contracting officer and contracting officer’s representative that describes the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under the contract. The rule will also require that contractors submit written proof of IT security authorization six months after award, and verify that the IT Security Plan remains valid annually. Where this information is not already available, this may mean small businesses will need to become familiar with the requirements, research the requirements, develop the documents, submit the information, and create the infrastructure to track, monitor and report compliance with the requirements.”
While third-party audits and attestations are common practice in the private sector, there are a few interesting considerations here that businesses should consider adopting, as appropriate to the type of vendor.
“…ensure appropriate security of IT resources that are developed, processed, or used under the contract…”
Businesses setting up agreements with third parties should engage at the relationship discovery stage and again at contract signing. Specifically, they should architect the appropriate security safeguards for the type of vendor and define the scope of the processes the vendor will perform. This practice is becoming more common across the spectrum of industries, but the maturity of this process is only just emerging, even in mature organizations.
“…verify that the IT Security Plan remains valid annually…”
Business relationships must be managed. Operational and performance metrics exist for each vendor, and if a vendor misses a contractual agreement, fines and contract adjustments usually result. Management of the vendor's operational information security against the agreed-upon plan should be executed in the same way. This is a great opportunity to establish a routine, efficient, and appropriate validation / attestation process.
The takeaway here is that the practices securing businesses must evolve to address the risks introduced by third parties. Requests to vendors need to be balanced, so a progressive security plan that reflects the relationship is appropriate.
InfosecIsland has a nice write-up of the full GSA Final Rule here, and the actual rule is available here too.
Other thoughts / Considerations?
James DeLuccia
//cc at PCI DSS & IT Controls
Tags: Uncategorized
Does competition breed better Security? Enterprise Architecture leading IT Transformation
January 17th, 2012
An article published on the Open Group's site has a nice Q&A with Jeanne Ross, a scientist at the MIT Center for Information Systems Research and author of 3 books. She speaks on how adoption of enterprise architecture (EA) leads to greater efficiencies and better business agility. Reading the interview, I took away a few challenges for business leaders and information security professionals.
The first is that when a target is established and projects are executed to achieve that target, the business performs better. This is demonstrated by a few of the author's examples, and highlighted in the article:
“…we can ascribe to architecture is that when companies have competition, then they can establish any kind of performance target they want, whether it’s faster revenue growth or better profitability, and then architect themselves so they can achieve their goals. Then, we can monitor that.”
It seems ANY target will improve the business. Grasping onto the Getting Things Done mindset, this leads teams, all the way up to the CIO/CISO leaders, to set stretch goals. These targets could be lower incidents; better response time; lower downtime; fewer end-user complaints; faster turnaround of projects; lower fail rates; etc. The key, of course, is to be ethical in how these metrics are achieved (obviously, or not): reaching better customer complaint ratios should be done where quality and speed are also measured, to ensure that neither is lost as a result of the new target.
“We also have statistical support in some of the work we’ve done that shows that high performers in our sample of 102 companies, in fact, had greater architecture maturity. They had deployed a number of practices associated with good architecture.”
Architecture breeds discipline and matures an organization beyond its reliance on “heroes”. This is an interesting advantage for those growing their businesses rapidly who need to achieve a broader security posture, but it is also true in most other businesses. It is hard to think of a business where defining a discipline (one that still enables brilliance and innovation) around architecture, and in this case information security practices, is not an advantage:
- Businesses grown by acquisition benefit from having a superior on-boarding process of new companies allowing for single measurable and manageable structures
- Historic / existing establishments benefit where processes gain efficiency and effectiveness against newly defined targets
“We really just need architecture to pull out unnecessary cost and to enable desirable reusability”
This is a key point: technology is evolving and is incredibly capable, but its utilization is not efficient. There is tremendous opportunity to remove duplication and leverage existing information security processes and technology. This is a natural effect of systems and technology growing in capability, but also of shifting needs directed by the business and the risk landscape. The joke of “shelf-ware” applies here; just be sure it is not a reflection of your own organization.
The article / interview brought forward, for me, ideas on where we can be different within information security and leverage the approach and toolsets to enhance businesses. I would encourage a read of the article, here, and a deeper consideration of what goals the business (or even a team within a larger entity) could set and adjust accordingly. 'Tis the New Year, after all.
Best,
James DeLuccia IV
Tags: Uncategorized
Weekly recap of Tweets, Links, and Ideas
January 16th, 2012
- RT @joshcorman: we have indefensible infrastructure & too much of it. 2 ways to be rich, get more or want less. <– agree w/ less is best 2012-01-10
- Failure of Industry presumes ineffective toolset .. not Execution? @SpireSec @Wh1t3Rabbit @mortman @joshcorman @rmogull @RobHale77 2012-01-10
- Security posture shifts .. tools exist to support endeavor .. competent teams & biz execution define success .. not one alone, or industry 2012-01-10
- RT @rmogull: I no longer buy anything electronic that I can't update the SW on. Including my car. <– updating = hack = enhance; good idea! 2012-01-10
- To those New Years athletes, PLEASE focus on form and not speed / effort. Swim, weights, running .. you'll get better, promise + no injury 2012-01-10
- RT @planetrussell: Indian Intelligence Infiltrated US Govt. Networks http://t.co/XW3Q13NT @cyberwar #infosec #infragard <- we must be better 2012-01-11
- RT @BrianHonan: when will biz realize a pen-test will not show how secure they are? <- only shows effectiveness of the deployed controls 2012-01-11
- Interesting … GOOG won BBVA as largest Cloud Bank deal; plan to limit to internal systems. Line will bc grey quickly http://t.co/eKOUGHtw 2012-01-11
- RT @quentynblog: Like many #infosec people I implicitly trust 1 person <– I don't trust him either! Human Error represents to high a risk 2012-01-11
- RT @krypt3ia: For those of you into the #OSINT I suggest first reading that file dump to be the NATO OSINT manual. <- the 2001 handbook? 2012-01-11
- So under HITECH Act Breach of PHI must be listed here http://t.co/TUf4q42Q but list doesn't seem updated .. did law change? #infosec 2012-01-11
- Argh … I need to toss a packet analyzer & figure out what my firm is doing to my computer .. VPN on = creeping perf; VPN off = brilliant 2012-01-12
- I am officially presenting at the #IIA #GAM conf in March! Topic: Pragmatic risk mgmt & prac on social media. http://http://bit.ly/y9y7vZ 2012-01-12
- RT @jeremiahg: A small merchant filed suit against US Bank for seizing funds to pay PCI fines http://t.co/hrhixcEX <- Class Action possible? 2012-01-12
- The Great CON is out! http://t.co/bWCVdIp6 ▸ Top stories today via @moduloitgrc @idt911 @thelogicgroup @xyprotechnology @epaymentamerica 2012-01-12
Tags: Technology Strategy Orchestration
Weekly recap of Tweets, Links, and Ideas
January 9th, 2012
- Weekly recap of Tweets, Links, and Ideas: Please find below my mostly focused mentions on #infosec and relevant … http://t.co/emyCaAb9 2012-01-02
- 2012 Plan: Full Ironman; Run 1,300 miles; Learn new skills, & new adventures, & follow my passion w/in complex InfoSec scenarios… you? 2012-01-04
- The Great CON is out! http://t.co/bWCVdIp6 ▸ Top stories today via @tcmbc @tarunu @bfpennington @spva @mdmolzen 2012-01-05
- The adaption of malware & worms is always impressive .. requires equal responses .. Ramnit http://t.co/cJSlalzw <- summary #infosec 2012-01-06
- Management of risk and #infosec safeguards should be as responsive as the threat landscape .. what is stopping us? 2012-01-06
- Nice short write up on Ramnit … infections and clean links to online reports http://t.co/PzS4z7np #infosec 2012-01-06
- "over 75% of crimeware attacks go undetected by the best anti-malware software", the 25% needs addressing but alt safeguards req'd #infosec 2012-01-06
- Crime ware effectiveness stat referenced URL: http://t.co/f7LOvOKJ #infosec 2012-01-06
- Interesting guidance on #SocialMedia use, programs, monitoring, governance, & their effectiveness from SEC http://t.co/zzJSHhPq PDF #infosec 2012-01-06
- Hackers accessed the code for Symantec & reinforces that risk assessments are prudent, as factors change #infosec http://t.co/6n07zmRk 2012-01-06
- Short article on Fujitsu project dev a counter-neutralization tool against Virii http://t.co/2NjLGTXN <- so many problems here #infosec 2012-01-06
- Stuxnet variants "tilded" http://t.co/sahphmXa allow for modular reuse #infosec 2012-01-06
- RT @nselby: 'I can't give you the pink tag before boarding. It's a security breach.' -Delta gate attendant, ATL. <- training fail 2012-01-07
- Loving Hendriks and tonic these days. A must try if u like or have not liked gin before. 2012-01-07
- RT @Quachen: Def Sec. Panetta: Cyber Attack Could Paralyze US: http://t.co/TbHUetmf <- nice write up; will private sec. play same role? 2012-01-08
- RT @integrisec: RT @KimZetter Why the Symantec source code leak is no big deal – http://t.co/SQrKxyPE <- & no one reuses code or practices 2012-01-08
- RT @retheauditors: "The auditor is decidedly not supposed to be trusted advisor to company." Chmn PCAOB in speech. http://t.co/491igB85 <-hm 2012-01-08
Tags: Technology Strategy Orchestration
Weekly recap of Tweets, Links, and Ideas
January 2nd, 2012
- Any benefit in hitting Interop / Symantec VISION in Vegas? Tracks don't look impressive .. Symantec looks like a product con #infosec true? 2011-12-26
- Loving the "end of year bests" on BBC RADIO1 … awesome tunes of the year jammed together. Perfect for banging through work 2011-12-26
- RT @mrkoot: http://t.co/VaVESXf6 claims that 80 @STRATFOR clients have same pw <- & surprising # of "test" & such accounts w/ same pw @mikko 2011-12-26
- Weekly recap of Tweets, Links, and Ideas: Please find below my mostly focused mentions on #infosec and relevant … http://t.co/nUaPrJdq 2011-12-26
- "Reveal their secrets – Protect our own" … nice one liner for mission statement of 3 letter agency.. 2011-12-27
- RT @Urvaksh: Christmas came two days late. Untethethered jailbreak released. huzzah! <– woot! 2011-12-27
- Sesame street should stick w/ old formula. This new programming is for the birds. #brainwashing 2011-12-29
- RT @Urvaksh: You want to know why you should jailbreak? Here's why. http://t.co/4c02WmQM #iOS <- amazing 2011-12-29
- Any my friends here have a #TRI bike? Seeking recommendations #Ironman #2012 2011-12-29
- "personal computers [are] the new LSD" -SJ Bio. My / Our LSD. #InfoSec 2011-12-29
- The Great CON is out! http://t.co/bWCVdIp6 ▸ Top stories today via @thatdwayne @hfuhs @jgamblin @marcmassar @cyberainc 2011-12-29
- RT @doctorow: Why don't we have #AV 4 embedded systems? #28C3 <- if we don't know we have a problem, do we?! #InfoSec @Beaker 2011-12-29
Tags: Technology Strategy Orchestration
Weekly recap of Tweets, Links, and Ideas
December 26th, 2011
- Dept of Human Health Services recovered $4 Billion in fraud… collected Jan/2011… curious Jan/2012 will be #metricsmatter 2011-12-19
- End of year ritual: Backup up everything; burning backup discs, and shipping to offsite .. Disaster recovery for the home enterprise. U? 2011-12-19
- "Security Incidents = a virus on your computer" … woah… interesting statement on his healthcare training #infosec 2011-12-19
- The Great CON is out! http://t.co/bWCVdIp6 ▸ Top stories today via @gotprivacy @moduloitgrc @kazzyfizzy @iryanb @nightwolf42 2011-12-22
- Hey #infosec peeps .. what are your thoughts of #InterOp or #Symantec Vision CONs in May? Never been to either .. worth it? 2011-12-25
Tags: Technology Strategy Orchestration
Weekly recap of Tweets, Links, and Ideas
December 19th, 2011
- Weekly recap of Tweets, Links, and Ideas: Please find below my mostly focused mentions on #infosec and relevant … http://t.co/AZVusZNs 2011-12-12
- What are everyone's thoughts regarding the #HyTrust paper on #Cloud architectures re #PCI ? http://t.co/LzLWUEEl 2011-12-13
- RT @BrandenWilliams: Found this on the table of the office I am squatting in. (cc @jdeluccia) http://t.co/VlSGPVEB <- good book 2011-12-14
- The Great CON is out! http://t.co/bWCVdIp6 ▸ Top stories today via @gtbtechnologies @dtmratings @egestalt @aumasson @stange205 2011-12-15
- RT @wimremes: @security4all 11" 4GB RAM 128GB SSD <- I have 13' MBA & it is amazing. 2011-12-17
Tags: Technology Strategy Orchestration
Weekly recap of Tweets, Links, and Ideas
December 12th, 2011
- Weekly recap of Tweets, Links, and Ideas: Please find below my mostly focused mentions on #infosec and relevant … http://t.co/IEVIa6Af 2011-12-05
- The Great CON is out! http://t.co/bWCVdIp6 ▸ Top stories today via @inetu @drsethdb @andrewrjamieson @hostway @harrington_jo 2011-12-08
- RT @leune: Epic meltdown of 2yo <- raging. My new favorite word for that 2011-12-08
- Ok campers, it's cold outside … lets get this done. Coffee, check. wifi check, coffee check check … 2011-12-09
- I like simplenote app for iphone … like notepad (stupid simple) and accessible on web … @armorguy: @csoandy 2011-12-09
- Coffee pot full downstairs; Me stuck upstairs on another hour call … = bad planning for me … 2011-12-09
Tags: Technology Strategy Orchestration
Weekly recap of Tweets, Links, and Ideas
December 5th, 2011
- Weekly recap of Tweets, Links, and Ideas: Please find below my mostly focused mentions on #infosec and relevant … http://t.co/liYr8Ugh 2011-11-28
- There is a shocking difference between knowing security and having security … Oy #infosec 2011-11-29
- RT @atdc: The hackathon takes place in #ATL at ATDC this weekend. http://t.co/aJbAMw1N <– smack in middle of SEC Championship! 2011-11-29
- What must come first security controls and then the process to manage or the reverse? Been in a debate for days #infosec 2011-11-30
- not that I am trying to … but… hypothetically, has anyone gotten a skype voice call to work on Delta GoGo wifi? #mildlycurious 2011-11-30
- RT @securityninja: BUSTED! Secret app on millions of phones logs key taps (+prior to SSL) http://t.co/7RAJxhak <- 17 min demo, yeesh 2011-11-30
- I have worked 34 hours on Mon/Tues alone. Some may be inclined to take week off, but my view – Why?!? Too much fun when u love what u do 2011-11-30
- The Great CON is out! http://t.co/bWCVdIp6 ▸ Top stories today via @tier3 @tarunu @todayshospital @thalesesecurity @wolfinpdx 2011-12-01
- I thought it was this conf-call getting out of control, but in fact there are painters outside my window banging & yelling #TGIF 2011-12-02
- Any favorite risk assessment working templates any recommends? 800-38 or more robust? #infosec #lazyweb 2011-12-02
- Impact of FDE on forensics research (full article) http://t.co/RN16cxIC Beware the F.U.D. hype related to this one.. worth knowing #infosec 2011-12-02
