Archive for the ‘Policy and Compliance’ Category

Whether defending against common malware or some determined Nation State, being able to proactively detect attacks and changes in the organization is required.  Over the past year I spent a large amount of time helping several organizations set up and put in place the right people, processes, and technology to help defend against increasing security threats.  Although many organizations spend millions of dollars on technology and hire staff to monitor security 24/7, the organizations were still lacking two fundamental items.

  1. The people, although good at monitoring, lacked the attack and threat mindset.  The staff was not able to figure out when an actual attack was happening.
  2. Second, the organizations lacked the basic security operations processes required to keep track of and make appropriate use of the vast amounts of data.

As a result, I spent the past few months developing a whitepaper that specifically addresses the primary components of a SOC, which can be used to help organizations set up a centralized core and embark on developing the correct operational processes.  Although I don’t address item number one above, this paper explains in detail the following.

  • Defining the SOC
  • Determining the Processes
  • Understanding the Environment that needs protected
  • Identifying the SOC Customers
  • Staffing the SOC
  • Managing the Events
  • Leveraging ITIL compliance

Creating and Maintaining a SOC – The details behind successful Security Operations Centers

If your organization is under attack and you have invested in more people and technology, be sure to implement the right processes and build a foundation for future defense.


There has been a large amount of security information and recent attacks posted in the media.  We have Mandiant’s report on China as well as several issues concerning Java.  The sheer volume of information over the past year has made it difficult to keep up without a combination of sources.  As a result, InfoSecAlways has made a few modifications to the site.  Please check out the new “Security Feeds” in the right column (4th Block Down).  This is a combination of about 20 different security RSS feeds piping into the blog now.  You can check the site daily to get the latest news and updates in the industry.

Also, check out the links page as there are several new Threat and Vulnerability links added.  These are great if you are looking for specific attacks, breaches, or threats.

Doing a project that requires knowledge of international crypto laws?  Here is a great resource that has captured information from several sources and put it on a Google map.

How about trying to figure out all those privacy laws for DLP?  Here is another map by Simon Hunt detailing the major international DLP related privacy laws.

Take a look at the DLP map below.

What do you think? Is this another useless assessment methodology, great idea, or a platform for vendors to sell products?

I recently went to the 2nd Annual BITs Shared Assessments in Chicago.

I found the event driven mostly by product vendors, a few assessment firms, and some footprint from the banking industry. During the time of the event and now, I was able to deliver an engagement, and as a result of the conference and this delivery I have the following comments.

  1. Many assessors are using older versions of the SIG and still have not adopted 4.2.
  2. Product vendors have incorporated many of the features and appear to be pushing the solution the most.
  3. The current AUP and SIG are fairly decent, but the overall solution still needs to mature greatly. I found that several of the AUPs were incorrect or missing. I have yet to consolidate all my comments; however, I emailed the main contact number on the site. Currently comments are submitted one by one. I don’t want to enter them one by one; thus, I haven’t submitted as I’m still waiting for a response after several weeks.
  4. The current scoping and process for delivery is underestimated. My experience shows that you will have to set strict guidelines on the number of follow-up conversations and have a cutoff for evidence. Otherwise the entity that is assessed will continue to try and justify that they have the appropriate controls in place.
  5. There are plans for mapping to other compliance regulations. There are many more comments I have about this solution, but mostly I’m seeing customers use only the SIG Light or SIG level 2.

I see this as holding a place in the 3rd party assessment realm for an organization. I’m wondering! Is anyone else using the Shared Assessments? What are your thoughts? Will this solution grow and be used like PCI even though it doesn’t have the formal backing like PCI?

I guess that title should say “Can anyone clarify PCI?” or “Can we get some PCI consistency please?”.  I find myself in discussions day after day on topics around PCI.


What is required for a web app test?  Is it authenticated? Is it just a scan?  Is it just my external environment?  Is it only my cardholder systems?


I know the council is trying to do their best with outlining the standards, but there still is a serious lack of consistency across QSAs and organizations.  I found this so frustrating that I developed the cartoon below to represent my opinion.



Basically, Mr. CEO here is not meeting PCI compliance and his QSAs are all telling him something different.  Even better are the new standards and enforcement that all the QSAs themselves are trying to understand.  Will any big enterprise be able to make compliance?

For anyone looking to find or understand the key compliance documents across the following industries, regulations, and regions of the world, the link below has a good list.

(Link Updated Sept. 2012)

Industries, Regulations, Regions:

  • Sarbanes Oxley Guidance
  • Banking and Finance Guidance
  • NASD NYSE Guidance
  • Healthcare and Life Science Guidance
  • Energy Guidance
  • US Federal Security Guidance
  • US Internal Revenue Guidance
  • Records Management Guidance
  • NIST Guidance
  • ISO Guidance
  • ITIL Guidance
  • US Federal Privacy Guidance
  • US State Laws Guidance
  • EU Guidance
  • UK and Canadian Guidance
  • Other European and African Guidance
  • Asia and Pacific Rim Guidance
  • System Configuration Guidance

Also, some of these are already linked off this site.  If anyone is feeling like they have some free time, feel free to send me links to the listed documents and I will add them to the Links page.

This document is written with the assumption that the organization follows ISO and has implemented many of the controls (including Disaster Recovery), but may be lacking in the area of business continuity management. This document aims to consolidate and leverage the work already done for other ISO controls to jumpstart the BCP compliance efforts.


The first step in compliance is to develop and implement a BCP management process.  The process needs to identify the critical business processes within the organization and incorporate management requirements.



  1. Identify critical business processes and associated assets.  Create a template or leverage the disaster recovery (DR) documentation and send it to managers, requiring them to document their critical business processes by location.  (Note:  The DR information may not be complete enough, as it usually only includes recovery of technology functions and may exclude important business functions or processes that do not rely on technology.)
  2. Identify the consequences in the event of a disaster.  Again, most of this should be in a DR plan.
  3. Identify controls to reduce risk.
  4. Ensure information for business operations is available.
  5. Ensure BCP is integrated within business processes and includes security.
  6. Ensure that plans are updated and tested on a regular basis.


Below is a sample that can be used and quickly put together to help meet some of this compliance.  Use Excel and list the critical business processes in a matrix associated with each geographic location as shown below.




The next step is to identify the results of different events by doing a business impact analysis.  Continuity plans have to be developed for quick restoration of operations and should be integrated with information security and other key management processes.  Controls that can be put in place to reduce risk should be identified.


The Threat should define “Who”

The Event should define “What, Where, and When”




The table below is an expansion of the above.  (Threats are repeated for consistency)




After the assessment the following must be done:

  • Continuity plan(s) must be created.
  • Roles and responsibilities must be documented.  Most should have already been done for other ISO controls, but there may need to be a few short statements added to reflect business continuity compliance.
  • Procedures and processes must be documented.  Many of these should have already been documented as a part of incident response, disaster recovery, change control, and other standard operations.  A few additional procedures may need to be created like the process of documenting and updating plans.


Plans must have the same framework.  This means all departmental plans must be on a standard template.  A centralized escalation and evacuation plan should be developed.  Evacuation plans can simply state “follow building evacuation procedures.”  Escalation plans in most cases can follow standard disaster, emergency services, or incident response plans.


Plans need to address:

  • Roles and responsibilities of key staff (i.e. BCP coordinator, executive management, and users)
  • Summary pointing to the documents that have recovery procedures for operations.  In many cases these procedures are in the disaster recovery area or part of the standard operating function.
  • Testing of plans.  This needs to track and schedule each element and when it is tested.
  • Storage of plans at alternate locations
  • Ownership of plans
  • Fallback procedures
  • Resumption procedures
  • Awareness and Training
  • Review of plan(s)


Putting everything important together is the key to the business continuity plan.  Many of the items above exist within many organizations, but they have not been organized or consolidated in one area.  A document detailing each of these items and consolidating them all in one location is the key to passing the assessment.  If you are already working towards ISO compliance, then Business Continuity Management is just one more minor component that can be accomplished quickly by consolidating a large amount of information in one place and creating a document (plan) that organizes and explains everything that needs to be done with these documents if there is a disruption to business operations.  In some cases there may need to be department level plans that are a close mirror to the main plan but focus more on departmental operations.  Some assessments will look for both centralized and departmental plans.


For more information you can also review the actual ISO/IEC 17799/27001 documentation and the BS 25999-2 Specification.

PHIN 2.0 Requirements

Posted: September 27, 2007 in Policy and Compliance

There are updated guides for anyone who does security compliance assessments or works with the Public Health Information Network (PHIN).  These were updated in June of 2007.  There are many changes from the previous 1.0 version guides.  For the new requirements guide see below.

PHIN Requirements 2.0

The BS 31100 Code of practice for risk management is also out in draft form free to download and review.  This document has the same deadline as the BCM.

The BS 25999-2 Specification for business continuity management is out in draft form free to download and review.  My apologies for sitting on this so long and not getting it out earlier because the deadline is today for review.  Anyway, it’s still good to download while you can.