is it safe how compliance and auditing fit with config
play

Is it safe? How compliance and auditing fit with Config Management - PowerPoint PPT Presentation

Oct 16, 2023 •187 likes •992 views

Is it safe? How compliance and auditing fit with Config Management Peter Souter Senior Professional Services Engineer | Puppet @petersouter Is it safe? @petersouter How compliance and auditing fit with Config Management Who petems

  1. Is it safe? How compliance and auditing fit with Config Management Peter Souter Senior Professional Services Engineer | Puppet @petersouter Is it safe? @petersouter How compliance and auditing fit with Config Management

  2. Who petems @petersouter IRC/Slack/GitHub am I? Help customers deploy Puppet Senior Professional Teach Puppet classes Services Engineer 5 years using Puppet Contribute to the community and 2 years @ Puppet Inc open-source 2 Is it safe? @petersouter How compliance and auditing fit with Config Management

  3. Warning: I speak quickly And I have a different accent... 3 Is it safe? @petersouter How compliance and auditing fit with Config Management

  4. Warning: I am not a lawyer or auditor Always go speak to one of them before implementing some of the stuff I’m talking about! 4 Is it safe? @petersouter How compliance and auditing fit with Config Management

  5. So, why are we here? (This room specifically, listening to this talk...) 5 Is it safe? @petersouter How compliance and auditing fit with Config Management

  6. Show of hands in the room Who has to deal with IT compliance or auditing in their current role? 6 Is it safe? @petersouter How compliance and auditing fit with Config Management

  7. So what is compliance? What does it mean? 7 Is it safe? @petersouter How compliance and auditing fit with Config Management

  8. “Many organisations in the public sector and the regulated industries, such as utilities and legal or financial services, have to demonstrate an information security policy that proves they have a range of steps and measures in place... If these policies are not adhered to, the regulators reserve the right to prosecute ” - http://www.computerweekly.com/feature/Inf ormation-security-The-route-to-compliance 8 Is it safe? @petersouter How compliance and auditing fit with Config Management

  9. Sidebar: Important distinction Compliance is not security! 9 Is it safe? @petersouter How compliance and auditing fit with Config Management

  10. “Compliance is the discipline of verification at scale” It’s the ops equivalent of planning permission, zoning laws, building guidelines etc. 10 Is it safe? @petersouter How compliance and auditing fit with Config Management

  11. Think about how many files, scripts, artifacts and services make up your estate How could you ever check every single one of them, and what should you be prioritising? 11 Is it safe? @petersouter How compliance and auditing fit with Config Management

  12. This means compliance straddles an awkward organisational line ● Who’s responsible? ● Who runs the scans? ● Who fixes things when they go wrong? 12 Is it safe? @petersouter How compliance and auditing fit with Config Management

  13. Regardless: Someone has told you you need to follow the rules Either for best practise or legal reasons... 13 Is it safe? @petersouter How compliance and auditing fit with Config Management

  14. Alphabet Soup Control Objectives for Information and related Technology (COBIT) Defense Information Systems Agency (DISA) STIGs Federal Information Security Management Act (FISMA) Federal Desktop Core Configuration (FDCC) Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) ISO 27002/17799 Security Standards Information Technology Information Library (ITIL) National Institute of Standards (NIST) configuration guidelines National Security Agency (NSA) configuration guidelines Payment Card Industry Data Security Standards (PCI DSS) Sarbanes-Oxley (SOX) Site Data Protection (SDP) United States Government Configuration Baseline (USGCB) California’s Security Breach Notification Act - SB 1386 14 Is it safe? @petersouter How compliance and auditing fit with Config Management

  15. You might have your own hardening policies Removing non-essential users etc. 15 Is it safe? @petersouter How compliance and auditing fit with Config Management

  16. Center for Internet Security (CIS) “Enhance the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration” ● Founded in October, 2000 ● It is composed of roughly 180 members from 17 different countries. ● Wide range of entities, including academia and the government ● Kind of a non-government fork of the STIG standards 16 Is it safe? @petersouter How compliance and auditing fit with Config Management

  17. CIS standard exist for a lot of applications and tools: Amazon Linux, Amazon Web Services Apache Tomcat, Apache HTTP Server Assessment Tool Apple iOS, Apple OSX, Apple Safari, Benchmark Mappings: Medical Device Security Standards CentOS Linux, CheckPoint Firewall, Cisco Device Debian Linux, Distribution Independent Linux, Docker, FreeBSD, FreeRadius, Google Android, Google Chrome, HP-UX, IBM AIX, IBM DB2, IBM DB2 Benchmark Archive ISC BIND, Juniper Device, Kerberos, LDAP, Microsoft Exchange Server, Microsoft IIS, Microsoft Internet Explorer, Microsoft MS SQL Server, Microsoft Office, Microsoft SharePoint Server, Microsoft Windows 10, Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows NT, Microsoft Windows Server 2000, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2012, Microsoft Windows XP, Mozilla Firefox, MySQL Novell Netware, Opera, Oracle Database Server, Oracle Database Server Assessment Tool Oracle Linux, Oracle Solaris, Red Hat Linux, Slackware Linux, SuSE Linux, Sybase ASE, Ubuntu VMware, Wireless Network Devices, Xen 17 Is it safe? @petersouter How compliance and auditing fit with Config Management

  18. A lot of the time, you have to dig through a lot of legalese to get to an engineerable problem And whether your engineering solution actually succeeds in it’s goal is entirely up to the discretion of your auditor 18 Is it safe? @petersouter How compliance and auditing fit with Config Management

  19. An example: HIPAA Health Insurance Portability and Accountability Act of 1996 19 Is it safe? @petersouter How compliance and auditing fit with Config Management

  20. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164. - https://www.hhs.gov/hipaa/for-professionals/security/index.html 20 Is it safe? @petersouter How compliance and auditing fit with Config Management

  21. Ok, let's go digging Let's look for 45 CFR Part 160 and Subparts A and C of 164 21 Is it safe? @petersouter How compliance and auditing fit with Config Management

  22. PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS Contents Subpart A—General Provisions §160.101 Statutory basis and purpose. §160.102 Applicability. 45 CFR Part 164, Subpart C - Security §160.103 Definitions. §160.104 Modifications. Standards for the Protection of Electronic §160.105 Compliance dates for implementation of new or modified standards and implementation specifications. Protected Health Information Subpart B—Preemption of State Law §160.201 Statutory basis. §160.202 Definitions. §160.203 General rule and exceptions. § 164.302 — Applicability. §160.204 Process for requesting exception determinations. §160.205 Duration of effectiveness of exception determinations. § 164.304 — Definitions. Subpart C—Compliance and Investigations § 164.306 — Security standards: General §160.300 Applicability. §160.302 [Reserved] rules. §160.304 Principles for achieving compliance. §160.306 Complaints to the Secretary. §160.308 Compliance reviews. § 164.308 — Administrative safeguards. §160.310 Responsibilities of covered entities and business associates. §160.312 Secretarial action regarding complaints and compliance reviews. § 164.310 — Physical safeguards. §160.314 Investigational subpoenas and inquiries. §160.316 Refraining from intimidation or retaliation. § 164.312 — Technical safeguards. Subpart D—Imposition of Civil Money Penalties § 164.314 — Organizational requirements. §160.400 Applicability. §160.401 Definitions. § 164.316 — Policies and procedures and §160.402 Basis for a civil money penalty. §160.404 Amount of a civil money penalty. documentation requirements. §160.406 Violations of an identical requirement or prohibition. §160.408 Factors considered in determining the amount of a civil money penalty. §160.410 Affirmative defenses. § 164.318 — Compliance dates for the initial §160.412 Waiver. §160.414 Limitations. implementation of the security standards. §160.416 Authority to settle. §160.418 Penalty not exclusive. §160.420 Notice of proposed determination. §160.422 Failure to request a hearing. §160.424 Collection of penalty. §160.426 Notification of the public and other agencies. Subpart E—Procedures for Hearings 22 Is it safe? @petersouter How compliance and auditing fit with Config Management

Recommend

PCI DSS Compliance Training Matthew Packard, CCEP | Internal Auditing and Compliance

PCI DSS Compliance Training Matthew Packard, CCEP | Internal Auditing and Compliance

PCI DSS Compliance Training Matthew Packard, CCEP | Internal Auditing and Compliance mpackard@uwf.edu | 850.857.6070 Agenda PCI DSS overview The Basics Your responsibilities University Policies Best Practices So what is

420 views • 30 slides
1 State Single Audit Requirements In accordance with federal requirements, beginning in

1 State Single Audit Requirements In accordance with federal requirements, beginning in

Compliance Auditing Update Compliance Auditing Update NC Local Government Auditing, Reporting and Review NC Local Government Auditing, Reporting and Review June 14, 2016 June 14, 2016 Uniform Guidance Overview Course Objectives- Uniform

435 views • 25 slides
1 We want to automatically reject malformed, or not working patches 2 3 4 name: Proctree

1 We want to automatically reject malformed, or not working patches 2 3 4 name: Proctree

1 We want to automatically reject malformed, or not working patches 2 3 4 name: Proctree Syscall builds: - arch: x86_64 config: - config/proctree_syscall - config/virtio_net - config/gcov - config/overlayfs lava: True [...] - arch:

598 views • 33 slides
INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations & Projects Auditing Auditing

INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations & Projects Auditing Auditing

INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations & Projects Auditing Auditing and assurance plays a crucial part of ensuring the safety and integrity of any diving system as well as ensuring safe and efficient diving

185 views • 14 slides
Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst Frankenberger University of Applied Sciences Lbeck SG 4: Auditing - Lbeck 16.09.2002 1 Remarks on Auditing, Regulatory Auditing and Regulatory

305 views • 16 slides
Mgmt Config: Merging Config Management and Monitoring (in real-time) James Shubin, a.k.a. @

Mgmt Config: Merging Config Management and Monitoring (in real-time) James Shubin, a.k.a. @

Mgmt Config: Merging Config Management and Monitoring (in real-time) James Shubin, a.k.a. @ purpleidea Config Mgmt. Architect, m9rx (self-funded) FOSDEM, Brussels, Belgium, 03/Feb/2019 1 JAMES SHUBIN Why are these separate? 2 JAMES SHUBIN

367 views • 33 slides
The Role Facility Auditing Plays in Assuring Ongoing Waste Compliance Alan Potter, Director

The Role Facility Auditing Plays in Assuring Ongoing Waste Compliance Alan Potter, Director

WFAA Seminar 19 th October 2016 Manchester Chamber of Commerce The Role Facility Auditing Plays in Assuring Ongoing Waste Compliance Alan Potter, Director Beyond Waste CENv, FCIWM, UKELA, IEMA (qualified auditor) Beyond Waste Specialist

521 views • 34 slides
John Mathew Site Safe PDA Auditing and Benchmarking Estimating Ambush They couldnt hit us

John Mathew Site Safe PDA Auditing and Benchmarking Estimating Ambush They couldnt hit us

John Mathew Site Safe PDA Auditing and Benchmarking Estimating Ambush They couldnt hit us at this distance The final est imat e and last words of General John S edgwick before he was shot overlooking his parapet in 1864

1k views • 24 slides
Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1 Outline Overview What is auditing? What does an audit system look like? How do you design an auditing system? Auditing mechanisms

1.4k views • 88 slides
Auditing Communications Act, Accounting, & NFFS Requirements O ffice of I nspector G eneral

Auditing Communications Act, Accounting, & NFFS Requirements O ffice of I nspector G eneral

Auditing Communications Act, Accounting, & NFFS Requirements O ffice of I nspector G eneral PMBA Presentation May 2016 Background Station audits routinely identify non-compliance issues with Communications Act, accounting, & Non-Federal

318 views • 17 slides
How Using NNNetwork simplified i18n config Objectives - Configure iOS app for IT/ES (help urls,

How Using NNNetwork simplified i18n config Objectives - Configure iOS app for IT/ES (help urls,

How Using NNNetwork simplified i18n config Objectives - Configure iOS app for IT/ES (help urls, account creation form, country config, etc.) - Create a new format for service and web urls: `es.nextdoor.com` and `es-api.nextdoor.com` while

492 views • 10 slides
XYPRO Technology Corporation Compliance, Auditing and Alerts Sean Bicknell XYPRO XYGATE and

XYPRO Technology Corporation Compliance, Auditing and Alerts Sean Bicknell XYPRO XYGATE and

XYPRO Technology Corporation Compliance, Auditing and Alerts Sean Bicknell XYPRO XYGATE and XYPRO are registered trademarks of XYPRO Technology Corporation. All other brand or product names, trademarks, or registered trademarks are

314 views • 19 slides
THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with

THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with

16/11/2012 THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with certification) OF SOCIAL ACCOUNTS A DEBATE (CONSIDERING IN THIS CASE ONLY ITALY): A) ONLY VOLUNTARY B) COMPULSORY BY LAW 1

322 views • 7 slides
CONFIG Convergent Core Architecture for Next Generation Networks Riccardo Trivisonno Brus usse

CONFIG Convergent Core Architecture for Next Generation Networks Riccardo Trivisonno Brus usse

CONFIG Convergent Core Architecture for Next Generation Networks Riccardo Trivisonno Brus usse sels, ls, April l 6 th th , 2016 16 Presentation Outline Project Intro, Motivation, Consortium CONFIG Objectives and Plan Architecture

1.09k views • 25 slides
Auditing in the Public Interest Auditing in the Public Interest Victorian Government

Auditing in the Public Interest Auditing in the Public Interest Victorian Government

Victorian Auditor-Generals Office Auditing in the Public Interest Auditing in the Public Interest Victorian Government Solicitors Office Seminar 30 May 2007 Des Pearson - Auditor-General 1 Auditing in the Public Interest Personal

352 views • 20 slides
Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives

Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives

Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives Define data auditing Explain the importance of data auditing Data Auditing What does data mean to you? What is data auditing? When

648 views • 33 slides
Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of

Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of

Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of gratitude to DeWitt Beeler, who in an article published in the 1999 May Issue of Quality Progress provided me with a fresh look at auditing and

557 views • 41 slides
How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4

How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4

How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4 54818800 CHAN Shu Wah 54791726 IP Sunny 54814013 WAN Chun Fai 54808805 YIU Ho Fung How would the emerging technology affect the future of

672 views • 54 slides
School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana

School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana

School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana 5522791896 Objective To make auditing system more efficient we develop the new auditing system version. Motivation Old style of search or tracking

852 views • 8 slides
Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept.

Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept.

Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept. of Medical Informatics Academic Medical Center University of Amsterdam Outline Background Types of Auditing Logic-based Auditing

245 views • 21 slides
Auditing SDGs SUSTAINABLE DEVELOPMENT GOALS What value do SAIs add to the implementation of

Auditing SDGs SUSTAINABLE DEVELOPMENT GOALS What value do SAIs add to the implementation of

SAIs making a difference by AUDITING Auditing SDGs SUSTAINABLE DEVELOPMENT GOALS What value do SAIs add to the implementation of Agenda 2030 ? Urge national governments into action if there isnt any. Independent oversight on the

203 views • 17 slides
Anti-Kickback Statute Compliance in Healthcare Transactions Navigating Safe Harbors, Identifying

Anti-Kickback Statute Compliance in Healthcare Transactions Navigating Safe Harbors, Identifying

Presenting a live 90-minute webinar with interactive Q&A Anti-Kickback Statute Compliance in Healthcare Transactions Navigating Safe Harbors, Identifying Transactions That Implicate AKS, Limiting Civil Monetary Penalty Exposure THURSDAY,

527 views • 51 slides
Earned Recognition Pilot Helping you stay safe on Britains roads 0 Compliance Vision To

Earned Recognition Pilot Helping you stay safe on Britains roads 0 Compliance Vision To

Earned Recognition Pilot Helping you stay safe on Britains roads 0 Compliance Vision To introduce more efficient & effective interventions without compromising standards or outcomes Mostly Non- Serially non- Exemplar Earned

417 views • 40 slides
Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby,

Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby,

Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby, Keith Winstein, Philip Levis, Dan Boneh Stanford University Auditing Standard Devices MITM Used for: security audit automated exfiltration

971 views • 64 slides

More recommend