© Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. For External Use.
Bill Weber, HP
May 12 2011
Creating End-to-End Traceability North Texas ISACA Chapter Meeting
Bill Weber
InfoSec Architect, HP Enterprise Services
22 years experience in Information Technology
Specialize in Healthcare and Defense Industries
Executive MBA, Masters in IT Security, Bachelors in CIS
CISM, CRISC, CISSP, MCITP, CTT+
billrweber.pro
Challenge
Two lines of business with similar goals and a healthcare focus
Two large legacy systems using different architectures
Emerging investments in new technologies
No centralized InfoSec Architecture
InfoSec Architecture Components
GRC Architecture: Defines approach to GRC and details architectural elements.
InfoSec Policy: Contains policies and standards based on industry compliance and internal best practices.
AppSec Policy: Contains application construction and technology specific standards.
SDL Pattern and Practice: Defines approach to the SDL and details design components.
Requirements Traceability Matrix: Maps compliance requirements to InfoSec Policy elements.
Evidence Traceability Matrix: Maps implementation of patterns and practices to design, construction, testing and audit documents as evidence.
Requirements
Enterprise InfoSec Standards
NIST Special Publications
SP800-13 Telecommunications Security Guidelines
SP800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
SP800-15 MISPC Minimum Interoperability Spec for PKI
SP800-16 IT Security Training Requirements
SP800-17 MOVS Requirements and Procedures
SP800-18 Guide for Developing Security Plans for Federal Information Systems
SP800-19 Mobile Agent Security
SP800-20 TMOVS Requirements and Procedures
SP800-21 Implementing Cryptography
SP800-22 Statistical Test Suite for PNG for Cryptographic Applications
SP800-23 Security Assurance and Acquisition
SP800-24 PBX Vulnerability Analysis
SP800-25 PKI Technology for Digital Signatures and Authentication
SP800-27 Engineering Principles for IT Security
SP800-28 Active Content and Mobile Code
SP800-29 Security Requirements for FIPS 140-1 and FIPS 140-2
SP800-30 Risk Management Guide for IT Systems
SP800-32 Public Key Technology and the Federal PKI Infrastructure
SP800-33 Technical Models for IT Security
SP800-34 Contingency Planning Guide for Federal Information Systems
SP800-35 Guide to IT Security Services
SP800-36 Guide to Selecting IT Security Products
SP800-37 Guide for Applying the Risk Management Framework to Federal Information Systems
SP800-38 Block Cipher Modes of Operation
SP800-39 Managing Information Security Risk
SP800-40 Creating a Patch and Vulnerability Management Program
SP800-41 Guidelines for Firewalls and Firewall Policy
SP800-43 Systems Administration Guidance for Windows 2000
SP800-44 Guidelines on Securing Public Web Servers
SP800-45 Guidelines on Electronic Mail Security
SP800-46 Guide to Enterprise Telework and Remote Access Security
SP800-47 Security Guide for Interconnecting IT Systems
SP800-48 Guide to Securing Legacy IEEE 802.11 Wireless Networks
SP800-49 Federal S/MIME V3 Client Profile
SP800-50 Building IT Security Awareness and Training Program
SP800-51 Guide to Using Vulnerability Naming Schemes
Requirements Traceability Matrix
[Diagram: Requirements Traceability. InfoSec Policy standards SCS 001, SCS 002, SCS 003, SCS 004 … SCS 5000, with traceability to compliance requirements: HIPAA § 164.312(a) and § 164.312(a.2); FIPS 140-2 Level 1 and Level 2; FFIEC Encrypt; NIST 800-111 Encrypt.]
Security Development Lifecycle
[Diagram: SDL phases Training, Requirements, Design, Implement, Verification, Release, Response. Layered across the phases: Fortify Secure Software Assurance, Authentication and Authorization Pattern & Practice, Auditing Pattern & Practice. Labelled elements: RTM; ETM; InfoSec Policy / AppSec Policy; Audit Cases / Test Cases; Audit Guidance / Release Reports.]
Patterns & Practices
[Diagram: the same SDL phase diagram (Training, Requirements, Design, Implement, Verification, Release, Response with the Fortify, Authentication and Authorization, and Auditing overlays, RTM, ETM, InfoSec Policy / AppSec Policy, Audit Cases / Test Cases, Audit Guidance / Release Reports), with the Patterns & Practices flow added: InfoSec Patterns & Practices → Use Cases, Tech Specs, Tech Design → Software Development Life Cycle (SDLC) Work Product.]
Evidence Traceability Matrix
[Diagram: Evidence Traceability. Patterns and practices P&P 001, P&P 002, P&P 003 traced to work products Doc ID 1, Doc ID 2, Doc ID 3, Release Report and Audit Guidance.]
Patterns and Practices detailing implementation and Traceable Evidence to Artifacts throughout the product lifecycle
Audit Guidance
[Diagram: Business and Compliance Requirements → Requirements Traceability Matrix → Security Development Lifecycle (Policies, Patterns & Practices; SDLC Work Product) → Evidence Traceability Matrix → Audit Guidance → Audit Findings]
End-to-End Traceability
• Requirements Traceability Matrix - Requirements: InfoSec Architecture detailing Policies, Standards and Traceability to Compliance Requirements
• Security Development Lifecycle - Actions: Design, Development, Testing and Release Documentation that details all aspects of InfoSec Capability and provides a basis for auditability.
• Evidence Traceability Matrix - Results: Policies and Practices detailing implementation and Traceable Evidence to Artifacts throughout the development lifecycle
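The three layers above join into one chain, and the practical payoff is finding where that chain breaks before an auditor does. The following is an added example, not code from the presentation or from HP: the RTM and ETM expressed as lookup tables, a forward trace from a compliance requirement to its evidence, a gap report, and a reverse lookup from a work product back to the requirements it supports. The IDs follow the deck's notation (SCS nnn, P&P nnn, Doc ID n); the specific pairings are constructed sample data.

```python
# Added example, not from the presentation: the deck's RTM and ETM as lookup
# tables, joined to follow one compliance requirement to its audit evidence and
# to report where a chain breaks. IDs use the deck's notation (SCS nnn, P&P nnn,
# Doc ID n); the pairings are constructed sample data, not HP's matrices.
RTM = {  # compliance requirement -> InfoSec Policy standards that satisfy it
    "HIPAA 164.312(a)": ["SCS 001", "SCS 002"],
    "HIPAA 164.312(a.2)": ["SCS 003"],
    "FIPS 140-2 Level 1": ["SCS 004"],
    "NIST 800-111 Encrypt": ["SCS 004"],
}
POLICY_TO_PRACTICE = {  # standard -> SDL patterns & practices implementing it
    "SCS 001": ["P&P 001"],
    "SCS 002": ["P&P 002"],
    "SCS 003": ["P&P 003"],
    "SCS 004": [],  # standard written, no practice yet (a gap)
}
ETM = {  # pattern & practice -> SDLC work products kept as evidence
    "P&P 001": ["Doc ID 1", "Release Report"],
    "P&P 002": ["Doc ID 2"],
    "P&P 003": [],  # practice defined, nothing produced yet (a gap)
}

def trace(requirement, rtm=RTM, p2p=POLICY_TO_PRACTICE, etm=ETM):
    """Return (chains, breaks): chains are (standard, practice, evidence)
    triples an auditor can follow; breaks name the link that stops a chain."""
    chains, breaks = [], []
    standards = rtm.get(requirement, [])
    if not standards:
        breaks.append(f"{requirement}: not in RTM")
    for std in standards:
        practices = p2p.get(std, [])
        if not practices:
            breaks.append(f"{std}: no pattern & practice")
        for pp in practices:
            evidence = etm.get(pp, [])
            if not evidence:
                breaks.append(f"{pp}: no evidence")
            chains.extend((std, pp, doc) for doc in evidence)
    return chains, breaks

def coverage_gaps(rtm=RTM, p2p=POLICY_TO_PRACTICE, etm=ETM):
    """Every requirement whose trace is broken, with the broken links."""
    gaps = {req: trace(req, rtm, p2p, etm)[1] for req in rtm}
    return {req: b for req, b in gaps.items() if b}

def requirements_evidenced_by(doc, rtm=RTM, p2p=POLICY_TO_PRACTICE, etm=ETM):
    """Reverse trace: the compliance requirements one work product supports."""
    return sorted({req for req in rtm
                   for _, _, d in trace(req, rtm, p2p, etm)[0] if d == doc})
```

Running `coverage_gaps()` on the sample data reports the two kinds of break the matrices are meant to expose: a standard with no implementing practice, and a practice with no work product behind it.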
Outcome
Provides Governance and Compliance Models
• Measurable Evidence on Specific Controls
• Specific Policies, Standards, Patterns and Practices
• Creates Reusable Intellectual Property
• Demonstrates Value to Market