Measuring Compliance - Information Security

Measuring Compliance with
Tenable Security Center
Joe Zurba | HUIT IT Summit
May 23, 2013
Agenda:
• Introduction
• What is compliance and why is it important?
• What do we need to comply with?
• What can we measure?
• How is measurement accomplished?
• What are the first steps?
• What are the next steps?
• Questions
Introduction
What is Compliance?
• com·pli·ance
/kəmˈplīəns/
Noun
1. The action or fact of complying with a wish or command.
2. The state or fact of according with or meeting rules or standards.
Synonyms
agreement - consent - accord - accordance - conformity
• Compliance means conforming to a rule, such as a specification,
policy, standard or law.
Why is Compliance Important?
• Compliance provides a baseline posture from which we can build
more mature processes and controls
• Compliance provides standards
• Compliance helps to lower risk
• Compliance helps to improve the quality of work
• Compliance helps to mitigate potential penalties
What Do We Need To Comply With?
• Depending on where you are within Harvard, you may need to
comply with one or several of the following policies/standards:
– HIPAA
– FERPA
– PCI
– Massachusetts 201 CMR 17
– Harvard Information Security Policy
– Harvard Research Data Security Policy
– Contractual Obligations
What Can We Measure?
• Government Compliance
– FISMA, NIST, DISA STIG, CERT
• Regulatory Compliance
– HIPAA, Sarbanes-Oxley (SOX), FERPA
• Corporate (Institutional) Governance, Risk, and Compliance
(GRC)
– Institutional Policy, PCI, ISO 27001
And…
• Harvard Security Policy
How Is Measurement Accomplished?
• Tenable Security Center Vulnerability Scanning
– Used to measure systems for vulnerabilities in Operating Systems and
common applications
– Uses credentialed scans to unobtrusively log into systems to analyze patch
status
• Tenable Security Center Compliance Scanning
– Uses industry standard or custom audit files to measure system
configurations
– Uses credentialed scans to unobtrusively log into systems
Audit Files (demo screenshots, 3 slides)
Scan Policy (demo screenshots, 4 slides)
Add a Compliance Scan (demo screenshots, 4 slides)
Analyze The Results (demo screenshots, 7 slides)
What Are The First Steps?
• Measuring systems that store or process HRCI (PII) against 10 points of
the HEISP:
– Private IP addressing
– Host-based firewall
– Vulnerability Scanning and Patching program
– External logging (Splunk)
– Active, up-to-date Anti-Virus software
– Unique credentials, default passwords changed, shared accounts disabled
– Password length and complexity
– Brute force credential lock-outs
– Logging of successful and unsuccessful login attempts
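As an added illustration (not part of the slides or of Tenable's product), the Python below models how the credentialed, audit-file style checks described earlier measure a host against several of the HEISP points above: each check names a file, a regex that selects the relevant line, and an expected pattern that line must satisfy. The sample file contents, the file paths used as check targets and the thresholds are assumptions.

```python
"""Minimal model of a configuration compliance check: each check names a
file, a regex that selects the relevant line, and an 'expect' pattern the
selected line must satisfy. Hypothetical model, not Tenable's engine."""
import ipaddress
import re

# Constructed sample files standing in for a scanned host (not real data).
SAMPLE_FILES = {
    "/etc/login.defs": "PASS_MAX_DAYS 90\nPASS_MIN_LEN 8\nPASS_WARN_AGE 7\n",
    "/etc/security/faillock.conf": "deny = 5\nunlock_time = 900\n",
    "/etc/ssh/sshd_config": "PermitRootLogin no\nLogLevel INFO\n",
}

# Checks modelled on HEISP points from the slides; thresholds are assumptions.
CHECKS = [
    {"desc": "Password length >= 12", "file": "/etc/login.defs",
     "regex": r"^PASS_MIN_LEN\s+\d+",
     "expect": r"^PASS_MIN_LEN\s+(1[2-9]|[2-9]\d)$"},
    {"desc": "Brute-force lockout configured", "file": "/etc/security/faillock.conf",
     "regex": r"^deny\s*=", "expect": r"^deny\s*=\s*([1-9]|10)$"},
    {"desc": "SSH logins logged", "file": "/etc/ssh/sshd_config",
     "regex": r"^LogLevel\s", "expect": r"^LogLevel\s+(INFO|VERBOSE)$"},
]


def run_check(check, files):
    """Return (status, evidence). A missing file or absent setting is FAIL, so
    nothing is counted compliant by default."""
    content = files.get(check["file"])
    if content is None:
        return "FAIL", "file not found"
    for line in content.splitlines():
        if re.search(check["regex"], line):
            ok = re.search(check["expect"], line.strip()) is not None
            return ("PASS" if ok else "FAIL"), line.strip()
    return "FAIL", "setting not present"


def private_addressing(addresses):
    """HEISP 'private IP addressing': flag any non-private interface address."""
    routable = [a for a in addresses if not ipaddress.ip_address(a).is_private]
    return ("PASS" if not routable else "FAIL"), routable


def audit_host(files, addresses):
    """Run every check and return {description: (status, evidence)}."""
    results = {c["desc"]: run_check(c, files) for c in CHECKS}
    results["Private IP addressing"] = private_addressing(addresses)
    return results
```

The evidence string returned with each verdict is what a reviewer needs when a finding is disputed, so keep it alongside the PASS/FAIL in any report.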
What Are The Next Steps?
• Establish a process for ongoing compliance scanning, reporting
and remediation
• Expand the service offering to comply with other regulatory
standards
– HIPAA
– PCI
• Define standard build audit files to scan for deviation
Where To Find More Information
• For this presentation – Harvard iSite HUIT IT Security http://hvrd.me/13CFp4Z
• ithelp@harvard.edu
• 617-495-7777
Questions
Thank you.
Joe Zurba | HUIT IT Summit
June 6, 2013