
hi everyone and welcome to proving grounds so I'd like to I'd like to start by thanking our sponsors verse right / tippity tenable amazon and source of knowledge please go and visit them out in the chill-out area so our next talk is on how to get and maintain your compliance without ticking everyone off by Rob Carson director of security at share well he loves building and improving immature security programs and he looks really dapper in a purple suit oh so look building building improve that exact right all right before we get started I just want to say the tracks being recorded so at at the end when we do questions I'm going to be running the
mic let's give Rob a warm welcome thank you guys all right so how do we get maintain compliance up is everybody off so one realized today is never going to happen or a perfect compliance so let's just move on past that talk about some challenges the professional space basically being compliant a sort of fully secure right and then how crazy the hours you've job done new engagement how to engage in different business units and then still we have about yourself a true security professional and I just feel like it's a big Swiss cheese right here when you're me okay all right so my background director of security Sharable Software prior life is ISO 27001 twice a couple zero flying on it's
also the PCI HIPAA I want your fairy right now holding the adventure this narrows and you spew barrymore officer alright so initial implementation so this is a lot what it feels like your kitty hawk you know I so compliance program pci like that and one thing to recognize is that just as these young Marines here graduate bones your boot camp right you graduate from boot camp you're an infantry you're a provisional rifle on fishermen good a special on school fall upon schools things like that you're not necessarily a MARSOC operator since we're special forces ninja so understanding that hey just because you got a capacity first thought it does not mean you're going to be some
you know all-star ninja alright that's how it goes so how do you do one and i got my security architect in here and that's a lot sometimes to just try to blow holes you I think you'll see this for sure a lot of times you wind up you know I terrible oh [ __ ] i might have you know just doing north atlantic and I still is like I'm hearing but we'll get it there so what should you consider is your kicking off the program so this impacting factor so Pam sized organization you're having that thing so personnel change so people are going to come and go you have ten to twenty four seven support step you have company you
run explosive growth to be a big thing that's a that's definitely a huge challenges how do you as you're going down the road trying to do you also change tires we're going down the road resistance to change this change is hard you know he's going to get out for free but sometimes it feels like it's you know people people are used to doing things a certain way why can't I do it this way those kind of things like how do you get to overcome those challenges ability to execute that's another big piece tubes that you know one of the things is see nobody has a limited budget really has a limited time so you have to stay focused on what's the most
important part and understanding some things you're going to have to improve later on and then external so you have changing statutory regulations increasing customer requirements and let's face it I don't how you guys feel but I get these things from customers all time why aren't you knew requires you have sought to why don't you have this why don't you got back is beyond any help all year long is better we did was you know pick a nursing certification it was and then we also new vulnerabilities you know the IT guys have the easier sometimes because it Stacy they have a new web version windows in few years we have your vulnerability every day so who here has
ever felt that someone in their company might feel like this yeah so that's one of the things one of my favorite frameworks is ISO because advanced continuous improvement that's one of the best things that I say you're compliant but you still have continued to improve it so you don't get to just stick with well past it just say if we are so where we start right so the first thing is to start with people so who are the people not only on your core team but also who are the different different business units of stakeholders who are going to be working with implement this it's not just going to be you you're going to
have people from IT depending on your sofa might be professional services the people who hear MSSP will handle the customer data and things like that i'm going to be having to deal with different stakeholders so figure out who they are finding those people that can reach the security gospel and those that are going to be a big pain in your ass figure out who they are and start working around working with them and then process right so first one of the most important things is to figure out what your processes are so instead of writing these beautiful you know 50 page SOPs of a process of healing compulsive all right now you actually do you guys
start there you just make sure that everybody including what they say they actually do it's actually a great start and great directors at that point you can't start wrapping technology around it to either enforce that process or control it different links and then let's talk about one of the pieces of server processes to so 10 mistakes item is that I have done I'll start rolling on HR security SOP before I even have some of the core processes any have in place first so what are those four processes need have you know your committee procedures are you going to me how you hear about your document control records control rep until Adonis SOPs your audit is looking your training SOP
some of those core SOPs and corrective action preventive actions if you were a lot the other recipes how are you going to want it to make sure it's working how are you going to handle it if it breaks you need to have some of the core infrastructure set up first before you start going out the big network operations ice-o-pede things like that you don't have those things in place first and very difficult to deal with those mature and crew so scope known to find your scope and don't overcomplicate so what is your most pair of glasses what what are the things that drive revving that's probably in your scope or maybe it's icy operations that touches
everybody but they don't necessarily have to feel okay as much but taking your scope and understand you know what is the most important to you so where I work is our customer data today I feel really bad compilatie it got leaked out but that's not gonna stop revenue all employees to apologize do so you know figure out what the real scope should be and then those boundaries all right this to keep it clean keep it enforceable turn wandering around right what are those boundaries what is the scope so so should you have a PCI CDE environment you know what are those actual boundaries of your perimeter for FedRAMP same kind of thing you have to
really understand what those boundaries are understand how that data flows in and out so mature all right so one of the things to think about is that when you start off this can take a I'm size your organization take a year to you expand how big you are right but once you get this manage state where you actually have you know at least they might be manual processes would you have those in place you're able to start really quickly accelerating getting that quantity managed fine that's where automation comes into play all these awesome tools they still out there that's great stuff but if you don't have to process what do you want me figure you need army first what does that
process how does this supposed to look what are you gonna control so maturing in this space how do we go from bunch of Regular Army soldiers to the Marine Corps drills here all right so I click pop right it's pretty sexy or you can be like that which is what you posture out when you get started right all right lessons learned anybody there were certain military decision lessons you learn a gash in a pretty quick all right so compliance fails so you know organizations stopping with policies drafting one of the things you have to recognize is that your procedures are going to change even if you wrote the most perfect procedure in the world if
your organization grows at ten percent a year it's probably going to have to change at least ten percent just to keep up all right so understanding that you have to do that so you know one thing I recommend is getting a good piece of s with the software I've used the policy type in the past something that they all sell it at that that's not a plug it just think works is it lets you make sure you can you can control your push I'd recipes make sure you can get people to read them when they change and one of the things I've seen the last place says that they were tracking SOP approvals via email try it firmly have to an
auditor like that's going to suck so think about those things so you want to get in place if you can just this period technologies implement its not protected it hits with a ninny ender golden this [ __ ] for you what no wine for configurations you know policies for the signal policies when I got to assure will they had an eight-page password policy I did horrible I got NE mari this is what we do right so cut down to two paragraphs good and acceptable use moved it hang on right keep it as simple as you can so one of the things when I started they had a 50-50 policies 3s apiece okay so then these policies that their works car
should be frank and eight days basketball is very impressive but at the end of day what good is it right you don't know how to follow it so those policies beyond make sure that you want to so PC puncture to know how they actually can follow the policy or the procedure you're actually trying to force that control now a lot of most people will try to follow the procedure if it's clear but if it doesn't say go here send a meeting on to this distro you know that's how you make sure you're actually able to make your procedures useful polycythemia talking about that policies don't make any sense you know one of the things I've struggled with is
a rules like no BYOD yet you can bring your phone but you can't bring a tab right think about it though right your tablets the same basic alas right so what's the point right so lets you know the challenges I have and having to talk afterwards about how you guys tackle those ones as well so compliance wins yeah it can actually not sup totally alright so baseline baseline interest of your security controls so at the end of the day we started off at least now you're actually looking at it from a holistic standpoint and not just looking at it from one spot now where you improve is going to be dependent on your budget you're going to
execute as well as what is what's really available to what's your data where you really want to think of effort you know is your physical security matter that much as long as they can't connector where Tory wants me to time you can't spend time everywhere it helps you start to figure out where you can slowly and incrementally increase get the parts of your controls and they dress a lot of people in process so you can do a lot of free security food people in process you know yeah you know for all the pen testers out there oh I still do this is that in this and I'm looking at a couple guys that hired a few times along the
way and they like still do whatever but that's fine but what's the people in process this Alyssa process makes your phone exact and put those central controls in place right so but and that covers a lot of it you still deal with insider threats again but it's a story you have to start somewhere if you can't get that environmental progress if you don't start somewhere and move from there alright mandate improvements that's what I saw and met me super budget so when I risk assessment works I do risk assessment I do offer the business process and the information assets of grades right I don't do it a risk assessment on server who gives a [ __ ] about server we really care about
the data on a server business processes are critical to that server and so when you're sitting out CFO it's a whole lot easier say I need this to protect this distance process this line revenue that drives this not in this X amount as opposed to I need to school now like why do you need this for this business cross-linking that resonates a lot better with an executive team then we'll with you know just getting the business advice employee in essence cannonball scanner and get all this stuff for what why what are the business processes will protect why are we doing this that's what we're campinas isn't a non-profit we're closed for 10 to maintain ready right to make sure we
protect that revenue protect that data set ourselves on there then a toolkit so one of the things I use Cloud Security Alliance questionnaire so you get those uh RFP questions from your customers and like somebody sends you want to sell sheet 70 questions next guy sends you want 20 questions the next I sent you want 300 this is the way to streamline that so this thing has 300 volunteer questions and it will literally answer everything that customers you need to know it's a very nice compliance piece and sometimes i'll fixate i'm supposed to answer their questions answering answering my head i recommend a nice part about it was it actually has a mapping where every single frame one out
there so it's got a nerve for everything out this you can actually say okay here a soft to be honest a 16 jobless you care about here's how i said after this as opposed to well you don't have this you don't have that is how you can get through those this issues you're going compliance people on the other side Excel honking start yourself it's fine it's a good compliance management software out there if you want to best achieve and software compliance fighters finding people out there that have been through this how did you get through this how were you able to tackle this decision how you handle that control finding those guys out there KRIs
and KPIs that's one of the big things that we use we use key risk indicators and have to do my hungry vulnerabilities of age past a certain date you know whatever but the key performance indicators would be more like a background checks versus employees hired not way I can be sure that my process my SOP is actually performing as this design so I can check the performance of it as well as the words you know those are things you want to think about and then impor- directly you know so this is talk about getting fairless external thanks so this is a screenshot of what I use so this is a TweetDeck it's free but nice part about is I blokes up in
that makes interesting I have location so i have spots you know different offices it's going on there sure well Saul sit there figure out how and she was tweeting something panaceas rampage got some crazy here now I mean this happened to Alex to dismiss area then you don't get Brian Krebs stuff like that right Lee never calls me alright how to work with others so people a professional mess alright so sales it is all about them so your engagement sales in any of your security journey hey if you don't you miss Carrie training how much will see how call the customer tell where she here you like selling let's make sure your spirit raining marketing their arts
and crafts masters right so if you deploy something like Titus you know there's a document classification thing let them pick the font let them kick where it says who cares let them pick that stuff their act as long as you know classification on right you know one of these we did with controller our cruise control docks is supposed to write it on this big thing and we're going to use Courier New or Times New Roman 12 is a rainfall whatever marketing is using that way Marquis happens to help enforce what they're doing and at the same time I'm not getting a battle over Trillium 11 or whatever font they want to use is just about over happen right so make
your compliance easy you know finance helps official spending so use them you know they can help you so when they're buying the software hey make sure we check beforehand they're happy to lend that they can so it's an opportunity right audit be ready this is what I wear my on it why this is fun all right and I'm sure you did as seriously as I can right so you know you show up in t-shirt and shorts you know it might look sloppy right you want to show like your get your a-game on take the fight to the enemy so what I do is I literally a month before and about the weekend before i go through every single control
and walk through how I'm going to prove all those and where that is so when I'm sit before the auditor I'm taking them to it so this way at a minimum I might wind up with a pig a minor making information as opposed bang cooks bands play little bad ads now is if you may not be perfect but at least you can show them that you are trying to follow the process but thinking about how you can prove it is the outer smell blood that are sharps so if you sit there and you're like it's all quiet I'm gonna ask you a question doesn't look so well so take the fight to them right now they're only there for
so long you know I'm fine and GRC process and suck it's totally you know it's important think about that if your handles those corrective actions as preventive actions things like that so one of the challenges I think we all have time to time it is trying to understand what the control actually means you know security standpoint well I gotta have this definitely sit anybody hit bud you really have to have you know data-at-rest encryption reach have to make sure that is detected yeah so there's things to think about all right risk assessment hey you know all the processes and refinance and engels to ask yourself what is the financial implications legal implications of these
processes failing and assess the value data so look at it from an information assets standpoint more so than from a server or a USB stick right and that's it any questions
how you don't good what experience do you have with the risk management framework for federal information systems so you're talking about this yet the NIST end of gist so it's basically planting jeff backus if you sorry yeah so that's a very question I could definitely follow further off offline but the federal risk risk management framework is not that much different than the old ISO risk management framework or 31000 series is plan do check act this it's a little bit different but it's all basically the same you know it's a cesta you make your sorry what is your oyster on mitigated risk and once you're good at risk being able to quantitatively prove that one of the big
pieces too so maybe sure you ask yourself with people questions as opposed to following you myself three points for because I've got proof point right or whatever what doesn't count it's great but that's not assist you wanna make sure you have good questions on the side as well oh I guess what I'm asking is because I looked at that compared to the certain set of the ISO controlled burns there aren't much controls and it looks like there's like a [ __ ] ton more of controls I'm like why is there so many oh you're talking about the actual NIST the 300 controls there yeah i mean that's that's a lot a lot absolutely it's more grain and it's a
little more specific and it's definitely less you know ISO says you need to meet the control but it doesn't necessarily how we're gives you guidance whereas especially FedRAMP which is basically this on steroids it's going to be much more prescriptive on how you're in deep a control that helps nah not really but thank you all right any more questions what's grounds around the box