
Happy Halloween, Archer Community members! We are very pleased to announce the Information Security Forum 2013 Standard of Good Practice as the latest addition to the Archer content library.

 

RSA has been pleased to share a relationship with the ISF for several years, both as a member and as the only GRC vendor to offer the venerable Standard of Good Practice. As it has grown in popularity, each version of “the Standard” has expanded its security coverage, and this latest round raises the bar once again. Here at Archer we have responded in kind by completely reworking the content presentation to make the Standard more useful than ever before. This improved granularity resulted in nearly 8,900 discrete mappings to Archer Control Standards!

 

If you like ISO 27002 then you’ll love the ISF Standard of Good Practice. In addition to providing complete coverage across all ISO/IEC 27002 topics, the ISF SoGP’s expanded coverage includes:

  • Cloud computing and privacy
  • Supply Chain
  • Consumer devices and BYOD
  • Cybercrime attacks
  • Critical infrastructure

 

Plus the Standard also overlaps COBIT 5, SANS 20, DSD Top 35, UK Top 10, and PAS 555.

 

The structure of the Standard is organized under four basic categories which extend to 26 Areas and 188 Topics (see figure below). The Standard is further bolstered by the underlying ISF Security Model that provides a basis for addressing information security needs by defining a balanced set of tools and methods that intersect basic GRC concepts with the people, processes, and technology embedded in the organization.

 

[Figure: the structure of the ISF Standard of Good Practice, organized under four basic categories that extend to 26 Areas and 188 Topics]

The Information Security Forum is an international member-driven organization with several regional networks and more than a dozen local chapters in place. Over half its members are included on the Fortune 500 and Forbes 2000 listings. Other member organizations include public sector bodies, government departments, and some of the world’s largest international corporations. Local chapter events are held throughout the year, and every November the ISF hosts its “World Congress”, the ISF flagship global event. The Congress is held in a different city each year; 2013 marks the 24th annual Congress, which begins in just a few days, on November 2nd in Paris.

 

Like most other things, membership has its privileges. ISF membership offers a unique private forum for security professionals to collaborate and further the practice of information security. In addition to the local and international events, membership provides access to the ISF Standard of Good Practice and the ability to benchmark security performance against other member organizations in a confidential and useful way. Other resources, such as IRAM (the ISF’s risk assessment methodology) and the ISF Live social business website, are also available to members in good standing.

 

I highly encourage you to explore the ISF and consider having your organization join its member ranks. If you’re already a member and happen to be attending World Congress in Paris this year then please stop by the RSA booth and check out the latest version of the Standard of Good Practice in Archer.

 

Archer content import packs for the 2013 Standard of Good Practice for Information Security are available to ISF members through Customer Support.

One topic getting a lot of buzz lately is the Executive Order (EO) 13636 and the new NIST Cybersecurity Framework (CSF) that stems from it.

 

I blogged on this subject a few months ago and that post can be found here.

 

If you don’t want to read the previous post, the short version is that the EO is trying to improve the Cybersecurity posture of critical infrastructure organizations. The government hopes to achieve this by sharing threat data with the private sector, by developing a Cybersecurity framework for organizations that don’t have one of their own, and by seeking to “promote and incentivize the adoption of Cybersecurity practices”.

 

A few updates since that post:

Another NIST CSF workshop was held in Dallas. The inputs from that workshop were incorporated into a preliminary draft that was released earlier this month. That draft can be viewed here. The CSF is the piece of the EO that is getting the most attention. What will the framework look like? What will it do? Will it become a mandatory compliance burden? What will I have to do?

 

At its simplest, the framework provides a common language and mechanism for organizations to:

1) describe their current Cybersecurity posture;

2) describe their target state for Cybersecurity;

3) identify and prioritize opportunities for improvement within the context of risk management;

4) assess progress toward the target state;

5) foster communications among internal and external stakeholders.

 

It is considered voluntary, though the language about “promoting and incentivizing” the framework does make people nervous.

 

One last thing: if you are interested in this subject, interested enough to participate directly, there is another NIST CSF workshop coming up in NC in the middle of November: http://www.nist.gov/itl/csd/5th-cybersecurity-framework-workshop-november-14-15-2013.cfm

Thanks for reading! Stay tuned for more on this subject. As always, email me with any questions or comments.

 

Thanks

Chris

In every organization, there is a universe of Devices and a universe of Vulnerabilities. Security Teams use Vulnerability Scanners to identify where systems are vulnerable. These scanners produce pages and pages of reports that are given to IT itemizing every system and every vulnerability identified during the scan. IT then needs to address these vulnerabilities on these systems through some patch or a configuration change. Once the fix is applied, the system is secure, right?

 

This seems like a pretty straightforward process. Security teams have been tinkering with scanners since the early days (remember the controversy around the Security Administrator Tool for Analyzing Networks, affectionately known as SATAN? Yes, that was almost 18 years ago). Compliance requirements and industry standards for security all include some provision around vulnerability scanning and management. The chapters and verses related to vulnerability management are numerous: NIST 800-53R4 RA-05, ISO 27001 12.6, NERC CIP CIP-007-2 R8, PCI 2.0 11.2. The list includes international requirements too: the Monetary Authority of Singapore, the Reserve Bank of India, the Australian Government Information Security Manual… This could go on and on, but you get the picture: vulnerability management is a widely accepted concept for Security 101.

 

And it isn’t as if we just started doing vulnerability assessments. We have been doing this for a while. An entire segment of the security industry has been established around this process. Scanner vendors have dedicated, talented teams researching vulnerabilities, building checks, optimizing network loads, and extending capabilities, features and functions. Scanners have consistently improved the technical methods for identifying vulnerabilities, evolving from pure on-the-wire network scans to authenticated scanning to agent-based scanning. Gartner estimates that the Vulnerability Assessment (VA) market was around $415 Million in 2012 and expects stable, long-term demand for security VA capabilities.[1] This is a solid arrow in the security team’s quiver.


So if we have been doing this for a while and vulnerability assessment is a fundamental need, why are companies still struggling with it? Take a look at this video and see if you recognize anyone. I think you will. The battle with vulnerabilities is something IT and Security must be fighting together. Finding vulnerabilities isn’t just a security problem; fixing them isn’t just an IT problem.


Companies have to remember that while vulnerability scanning may have first been forced on the organization through some compliance requirement, the true objective of scanning is to reduce the exploit surface of systems. It isn’t about just checking the box (“Yes, the scan ran this quarter and we delivered the report”). It is about finding those cracks in the castle walls that system intrusions abuse. Sure, the company could be hacked with zero-day malware delivered to some poor employee in a phishing email. But the leapfrog attacks from system to system inside the infrastructure aren’t going to utilize zero-day malware. Those attacks prey on the misconfigured, unpatched systems that lie wide open. Many times those vulnerabilities are sitting on some scan report on someone’s desk.

 

My next series of blogs will delve into the topic of Vulnerability Risk Management. It sure feels like we should have had an answer to this age-old problem by now, but there are many layers to the issue. Vulnerability assessment is a complex problem and for large organizations can be a significant challenge. In addition, it is becoming more and more evident that even though this has been in our security arsenal for a while, it is as important as ever.

 

I am interested in hearing about your successes and struggles with vulnerability management as we explore this critical part of security management.   Feel free to drop a comment as the conversation unfolds and check out RSA’s latest advancement in the world of Vulnerability Risk Management at http://pulseblog.emc.com/2013/10/29/slowing-down-the-vulnerability-whack-a-mole-game-using-big-data-analytics-and-rsa-archer/

 

[1] Gartner, MarketScope for Vulnerability Assessment, Kelly M. Kavanaugh, Sept 9 2013.

RSA Admin

Inline Editing is HERE!

Posted by RSA Admin Employee Oct 22, 2013

I suspect this headline might get an outburst of excitement, a few high fives, maybe even a virtual ‘Wave’ across cyberspace.  Yes indeed, inline editing is now available with our latest release of the Platform 5.4 SP1.  And do we have a deal for you!

 

Today, when a user wishes to update GRC data, let’s say the status of a finding, they would run the search, review the report data, click to open the Finding record, edit the record, make the needed change and then click to save their changes. With Inline Editing, your users can edit fields in records directly on a report page or within search results. They can easily make status updates, close out incidents, change the status of findings or approve exceptions without having to open, change and save each individual record. There are endless examples of how users will greatly benefit from this feature improvement.

 

[Screenshot: Enabling Inline Editing]

 

BUT WAIT, THERE’S MORE! This service pack also includes dynamic filtering, which allows administrators to configure a cross-reference that is automatically filtered based on attributes of the source record. This useful functionality might enable an administrator to tag an authoritative source with a common set of terms (such as access control, physical security or customer breach notification) and filter for control standards that are also tagged with those same terms for mapping purposes.

 

[Screenshot: Configuring Dynamic Filtering]

 

BUT THAT’S NOT ALL! This release also features enhanced Audit logging capabilities to capture all activity on the GRC Platform. This functionality requires a syslog listener (for example, RSA Security Analytics) and uses Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). Audit logging is not available for a SaaS environment hosted by RSA Archer. The communication protocol for audit logging is configured in the instance on the General tab.

 

The 5.4 SP1 release comes chock full of features that users can take advantage of every day. For those of you waiting for your free gift, unfortunately we’re all out of our Ginsu paring knives. However, you can get the latest information about this exciting treasure trove of new features on SCOL, as well as Platform technical documentation on the Community, for FREE.

 

Do you want more information on how to configure these new features? Listen in to the October 25th Friday Tech Huddle and learn more about how to take advantage of this new functionality. And yes, we do have a toll-free number you can dial. DON’T WAIT! HURRY NOW and download the latest installation package and information about this release, all in one place on the Community. You too can save your users’ time and simplify their GRC experience by implementing these new features.


Read Susan Read Miller's EMC Pulse Blog: Farthest Up in Ability to Execute, Farthest Right in Completeness of Vision - RSA Archer Customers Make a Difference in GRC Leadership


In June, RSA Archer celebrated its 10th annual Summit, bringing together GRC professionals from around the world. The cooperative spirit, collaboration and knowledge sharing of this event are truly wonderful things about the RSA Archer community. The fact that so many GRC practitioners come together to share ideas, explore new approaches and learn from each other is the reason RSA Archer has the most influential and celebrated GRC community. As part of the event, we held an Executive Forum bringing together leaders from multiple companies and industries to discuss top-of-mind issues, strategies and challenges. Last year, we issued a report on the key findings from the forum, and I am pleased to announce the release of this year’s report.

 

The findings in the report speak volumes on the challenges facing companies today. Last year’s report had a clear emphasis on overall risk management and building the business cases for investment in improving GRC processes. This year’s forum tightened the focus on a major risk affecting all organizations: the change in the regulatory environment. Regulatory Change is a significant discussion in many organizations and a fundamental piece of a GRC strategy. Companies are finding that regulatory-related processes require new strategies, evolving towards more fluid and dynamic approaches.

 

One takeaway that is interesting is the theme around ‘decentralization of GRC’. While we continually speak of the value GRC can bring an organization by breaking down silos, this does not imply that the silos must be brought together into some uber-GRC function. Risk and Compliance is a complex challenge, and engaging individual business units, especially in companies that are geographically diverse or diverse in their lines of business, is a critical point. As several participants noted, the rate of change of regulatory pressures affecting local business operations requires some decentralization of roles and responsibilities, but with the important connection to a broad, enterprise strategy.

 

Another key finding related GRC to performance measurement and making the value of GRC processes tangible and demonstrable. The “So What” factor outlined in the report is of particular interest for those companies that are getting a lukewarm reception from the business when risk and compliance processes need to be adjusted. Connecting GRC with improved performance is a common thread. In fact, we used “Business Optimization” as the end output of the GRC program in our own RSA Archer GRC Reference Architecture, which was produced in collaboration with our Customer Advisory Council. The Executive Forum Key Findings report further highlights the importance of the end goals of any company’s GRC strategy.

 

Thanks must go out to the many RSA Archer customers that participated in this year’s forum.  The leadership and vision articulated by the participants during this year’s discussion is invaluable in capturing this relevant and compelling snapshot of the GRC world.

 

To download the report visit the Resources page on RSA.com or click here.
