compliance security - cyber security summit€¦ · cyber security summit | october 23-25, 2017 |...

Compliance ≠ Security

(But, we’re getting closer) Rich Banta, Co-Owner & CISO, Lifeline Data Centers, LLC

Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org

•  FedRAMP-Ready •  HITRUST CSF

Certified •  PCI DSS AoC/RoC •  SOC2 •  IRS-1075

Rich Banta •  CISSP•  CCSP•  CISA•  CRISC•  CFCP•  CDCDP•  CTIA•  CTDC

Compliance ≠ Security WhydoesCompliance≠Security?

Compliance ≠ Security WhydoesCompliance≠Security?•  ComplianceisChecklist-Based

Compliance ≠ Security WhydoesCompliance≠Security?•  ComplianceisChecklist-Based•  CompliancedependsonAudits

Compliance ≠ Security WhydoesCompliance≠Security?•  ComplianceisChecklist-Based•  CompliancedependsonAudits•  AuditsassessapointinAme

Compliance ≠ Security Whateffortsarebeingmadetoaddressthepoint-in-Ameshortcoming?

Compliance ≠ Security Whateffortsarebeingmadetoaddressthepoint-in-Ameshortcoming?•  CMP:ConAnuousMonitoringProgram

Compliance ≠ Security CMP:FedRAMP’sapproachtoConAnuousMonitoring

Compliance ≠ Security TheFedRAMPModerateBaselinecontains326controls*.*AndanaddiAonal~70controlenhancements

Compliance ≠ Security TheFedRAMPCMPcallsforconAnuousongoingmonitoringandreporAngon58ofthe326controls.

Compliance ≠ Security NIST800-53R4ControlRA-5:•  VulnerabilityScanning

Compliance ≠ Security NIST800-53R4ControlRA-5:•  VulnerabilityScanning– RA-5a:OS/infrastructure/webapplicaAon/databasescans– ScanresultsmustbesubmiYedinFedRAMP-specificdashboardformat

Compliance ≠ Security NIST800-53R4ControlRA-5:•  VulnerabilityScanning– RA-5d:ProvidearAfactstoISSOshowinghigh-riskvulnerabiliAeshavebeenmiAgatedin30daysandmoderaterisk-vulnerabiliAeswithin90days

– POA&M

Compliance ≠ Security NIST800-53R4ControlCM-7(1)a:•  LeastFuncAonality–  IdenAfyandeliminateunnecessaryfuncAons,ports,protocols,and/orservices

–  PPSM(Ports,Protocols,andServicesManagement)

Compliance ≠ Security NIST800-53R4ControlCM-8(3)a:•  InformaAonSystemComponentInventory–  AutomateddetecAonofnewassets–  ReportssubmiYedmonthly–  Vulnerabilityscanmust=Inventoryscan=PPSM=NAC,etc.

Compliance ≠ Security Lifelinehasnointernalwirelessnetworks.

(ThisincludestheDMZ)

Compliance ≠ Security ThisprecludeshavinganIoT,orInternetofThings

Compliance ≠ Security ThisprecludeshavinganIoT,orInternetofThingsIdiocy

Compliance ≠ Security ThisprecludeshavinganIoT,orInternetofThings

Compliance ≠ Security

(But, we’re getting closer)

Questions? Comments? Rich Banta, Co-Owner & CISO, Lifeline Data Centers, LLC

Thank you for your time and interest! Rich Banta, Co-Owner & CISO, Lifeline Data Centers, LLC

compliance security - cyber security summit€¦ · cyber security summit | october 23-25, 2017 |...

Documents

bsc (hons) cyber security bsc (hons) cyber security (with

european cyber security challenge - greel national cyber...

cyber security architecture methodology for the electric...

cyber security specialist information security • cyber...

focus groups - cyber security coalition | cyber security...

cyber security - cisco · cyber security kah-kin ho head of...

cyber security isn’t really cyber

vardhil cyber security cyber crime1st

clarity on cyber security - assets.kpmg€¦ · partner,...

cyber security research impacts · 2 | the australian...

understanding cyber threats & cyber security

cyber security strategy - portal gov.si · 2020-01-08 · 2...

innovating in cyber security...cyber intelligence threat...

cyber security risk rating the egan-jones cyber security

cyber security the cyber security · cyber security...

cyber security, cyber intelligence & cyber investigation

ppt -cyber crime, cyber security and cyber laws

cyber security seminar cyber security fingerprints security...

maritime cyber security cyber security and...

national cyber security division - joint cyber security...