Chief Information Security Officer as a Service
Whether you are a company seeking to augment your current Information Security function, or you are looking to build an Information Security organization from scratch, the Contract Chief Information Security Officer (CISO) is an option that provides the necessary expertise and structure. Designed to supplement current information security activities, provide security leadership, and implement architectural structure, the CISO arrives with a full set of tools to perform the task, without the commitment of creating a full-time position. In fact, the position of CISO can be satisfied by a part-time contract subject matter expert, backed by a team of specialists, to provide a comprehensive security program.
Compliance
One of the immediate needs of any organization is to validate its compliance with the identified rules, regulations and practices mandated by its specific industry or regulatory organization. The contract CISO can provide policy and standards services that are customized to the requirements of the organization. Ranging from acceptable use to information classification, every organization needs to have its information security policy in place.
Business Continuity
Years in business teach us that the unexpected is going to happen. The contract CISO can initiate, coordinate, document and test the whole scope of Business Continuity, from Continuity of Operations to Disaster Recovery. These essential processes are often overlooked, but left unconsidered, they can have a devastating impact on your organization. The service provides subject matter experts at every phase of the Business Continuity process to enable a smooth, documented, and practiced transition in difficult situations.
Security Education
Most people will do the right thing, once they know what the right thing is. The Contract CISO can provide information security education services, by live or online instruction. Both general security training and industry-specific education are available through the CISO team. Annual security training, event-specific training, and specialized information handling training are available.
Security Analysis
In information technology, what you don’t know can hurt you! The contract CISO can design, implement and analyze vulnerability testing, as well as regular scanning and monitoring. This can be carried forward into risk analysis, penetration testing, phishing scans, and other tests, both internal and external. The CISO can then make use of this information to recommend infrastructure, process, training, or policy changes.
Audit Response
Depending on the industry and regulatory environment, audit findings are an inevitable part of doing business. The CISO can craft responses to auditors, establish plans of action and milestones (POAM), and develop mitigation plans to satisfy findings. Audit pre-work is used to prevent “finding surprises” and minimize the impact of findings on the organization.
Business Processes and Architecture
Information that is well managed is easier to secure. The extensive experience of the contract CISO and the team of experts can provide assistance in Change and Problem Management, Design Review, and Software Standards. Other business functions can be included, subject to the availability of appropriate expertise. Processes for equipment issuance and inventory, software control, and privilege management are within the scope of service. These can be applied in both the tactical and the strategic planning phases.
Executive Training
In time, many organizations will benefit from their own CISO and local Information Security Officers. The contract CISO team will train permanent staff to satisfy the requirements of the organization for Information Security.
General “Traditional” Information Security
The team approach to the contract CISO provides opportunities for the evaluation, implementation and operation of traditional security controls, including:
· Firewalls
· Host security software
· Identity Management
· Network segmentation
· Anti-virus
· Defense in Depth implementations
· IDS/IPS
This is just a brief list of the tools that can be brought to bear by the CISO.
Process of Acquisition
Every organization has unique needs, but common practices include the establishment of a policy base, training and analysis. The presence of an experienced and certified CISO helps to speed and improve the implementation of a security program. To this end, the CISO service can be purchased by the hour (minimum 40 hours) or for up to 5 years. Work can be performed on-site or remotely, depending on the organization's needs and culture.
This purchasing model enables a business to purchase as much or as little CISO time as it needs, from as little as 4 hours a week to full time.
