Security Management in a
Compliance-driven Culture
Security and Regulatory Compliance aren't the same thing, but they're often confused
Shahid N. Shah, CEO
NETSPECTIVE
Who is Shahid?
20+ years of architecture, design, software
engineering, and information assurance
(security) in embedded, desktop, and
enterprise environments such as
FISMA-regulated government systems
HIPAA-regulated health IT systems
FDA-regulated medical devices and systems
Security
www.netspective.com
Human Resources
Law: Compliance
Order: Security
Knowledge
Compliance knowledge bases: FISMA, HIPAA, FDA, PCI DSS, ONC, SOX
Security knowledge bases: Firewalls, Encryption, Access Control, Pen Testing, Continuous Monitoring, Packet Analysis
States
Compliance:
Usually Binary
Security:
Continuous Risk Management
Reality
You can be compliant and not secure, secure but not compliant, or both
(Venn diagram: Compliant, Secure, Both)
Compliance Requirement
SSL encryption
Disk-independent key management
TLS encryption
Regulations
Meetings & discussions
Documentation
Artifact completion checklists
Instead of
Risk management
Probability of attacks
Impact of successful attacks
Threat models
Attack surfaces
Attack vectors
Recommendations
Forget compliance
Get your security operations in proper order before concentrating on compliance.
Start sounding like a broken record: ask "is this about security or compliance?" often.
Objective: Confidentiality
Purpose: Protecting personal privacy and proprietary information
Low Impact: Limited adverse effect from disclosure
Moderate Impact: Serious adverse effect from disclosure
High Impact: Catastrophic effect from disclosure

Objective: Integrity
Purpose: Guarding against improper information modification or destruction, and nonrepudiation
Low Impact: Limited adverse effect from unauthorized modification
Moderate Impact: Serious adverse effect from unauthorized modification
High Impact: Catastrophic effect from unauthorized modification

Objective: Availability
Purpose: Ensuring timely and reliable access to and use of information
Low Impact: Limited adverse effect from service disruption
Moderate Impact: Serious adverse effect from service disruption
High Impact: Catastrophic effect from service disruption
Define threats
Experienced hacker
Script kiddie
Insiders
LDAP Injection
Man-in-the-Middle
Network Eavesdropping
One-Click/Session Riding/CSRF
Repudiation Attack
Response Splitting
Server-Side Code Injection
Session Hijacking
SQL Injection
XML Injection
Source: Microsoft
SQL Injection
Use of dynamic SQL -> Use parameterized SQL; use stored procedures with no dynamic SQL
Ineffective or missing input validation -> Validate input
Source: Microsoft
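The slide pairs each SQL injection weakness with its countermeasure. The following added example (written for this page, not taken from the deck or from Microsoft's guidance) shows all three side by side against a constructed in-memory SQLite table: a deliberately vulnerable lookup built with dynamic SQL, the same lookup using a parameterized statement, and an allowlist input check applied before the database is touched. The table, rows and the username pattern are assumptions made for the example; SQLite has no stored procedures, so that countermeasure is described only in the comments.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_dynamic(conn: sqlite3.Connection, username: str) -> list:
    """Weakness: use of dynamic SQL.

    The query text is assembled from the caller's input, so a value that
    contains a quote becomes part of the SQL grammar instead of staying a
    value. Deliberately vulnerable; kept here only for comparison.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Countermeasure: use parameterized SQL.

    The statement and the value travel separately; the driver binds the
    value, so it can never change the statement's structure. A stored
    procedure that takes the same parameter and contains no dynamic SQL
    gives the same guarantee in databases that support one.
    """
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Assumed allowlist for this example: lowercase letters, digits and
# underscores, up to 32 characters. Real systems derive this from their
# own username rules.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Countermeasure: validate input, then still use parameterized SQL.

    Validation rejects anything outside the allowlist before a query is
    built; parameterization remains the control that actually prevents
    injection, so both are applied.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed input that is not a valid username
    print("dynamic SQL returned", len(lookup_dynamic(db, probe)), "rows")
    print("parameterized SQL returned", len(lookup_parameterized(db, probe)), "rows")
    try:
        lookup_validated(db, probe)
    except ValueError as err:
        print("validation:", err)
```

Run against the constructed table, the dynamic version returns every row for the malformed input, the parameterized version returns nothing because the whole string is compared as a literal username, and the validated version never reaches the database at all.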
Auditors
Key Takeaway
If you have good security operations in place
then meeting compliance requirements is
easier and more straightforward.
Even if you have a great compliance track record, it doesn't mean that you have real security.
Visit
http://www.netspective.com
http://www.healthcareguy.com
E-mail shahid.shah@netspective.com
Follow @ShahidNShah
Call 202-713-5409
Thank You