PERFORMING ONE AUDIT USING ZERO TRUST PRINCIPLES
YOUR IT COMPLIANCE PARTNER – GO BEYOND THE CHECKLIST

AGENDA
1. Introductions: ControlCase, TAG Cyber, Evolve MGA
2. Current Research
3. Implementing Zero Trust Principles in Remote Working Environments
4. How Can Cyber Insurance Help If There Are Issues?
5. ControlCase Remote Assessment Methodology
© 2020 ControlCase. All Rights Reserved.
1 INTRODUCTIONS
ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically cut the time, cost and burden of becoming certified and maintaining IT compliance.
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Improve efficiencies: do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner
1,000+ clients | 10,000+ IT security certifications | 275+ security experts
Certification Services
One Audit™: Assess Once. Comply to Many.
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
— Sr. Director, Information Risk & Compliance, Large Merchant
Standards and frameworks: PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, CSA STAR, HIPAA, PCI P2PE, GDPR, NIST 800-53, PCI PIN, PCI PA-DSS, SCA, PCI 3DS
TAG CYBER
Dr. Edward Amoroso, CEO, TAG Cyber LLC
Analysis | Services | Media | Cyber Corps
EVOLVE
Michael Costello, Principal, Co-Founder, Evolve
• Evolve MGA is the largest “cyber insurance specialist” company in the United States.
• What is cyber insurance? It is hacker insurance for businesses of every size in all industries.
• Evolve MGA underwrites & distributes the broadest cyber insurance policies in the marketplace.
• Offering the largest cyber insurance specialist claims team in the world, made up of best-in-class forensic experts.
• Service includes “free” exclusive access to top-tier cyber risk management services.
2 CURRENT RESEARCH
Three Key Continuous Security Compliance Requirements
BASED ON RECENT RESEARCH FINDINGS
CONTINUOUS: An effective compliance program for cyber security must provide a stream of continuous, accurate information about posture.
AUTOMATED: Continuous compliance requires an automated platform that collects and processes data in as close to real time as can be achieved.
INTEGRATED: The best compliance programs are integrated into the systems being measured, rather than built as after-the-fact overlays.
What are Zero Trust Principles?
Assume you’re at risk from all angles:
• Attackers are both internal and external to your network
• No machine, user or organization is automatically trusted
• Strict access controls and least privilege on processes
3 IMPLEMENTING ZERO TRUST PRINCIPLES IN REMOTE WORKING ENVIRONMENTS
Domains
• Policy Management
• Vulnerability Management
• Data Management
• Antivirus & Antimalware
• Configuration Management
• Log Management
• Physical Security
• Access Management
Policies & Procedures
• Provide information security awareness training to WFH users on how to secure their wireless network (if any).
Configuration Management
• System configuration standards approved by the organization must be enforced on WFH users’ workstations.
• Maintain an inventory of WFH workstations.
Vulnerability Management
• Internal vulnerability assessment and penetration testing must be conducted for WFH workstations.
• Penetration tests emulating a work-from-home user scenario must be performed.
Log Management
• Ensure all user activities performed on WFH workstations are logged.
• Ensure all WFH workstations synchronize time with the designated NTP server (events from different systems can only be correlated if their clocks agree).
Data Management
1. Increase the frequency of PII data discovery scanning.
2. Establish a process to run automated secure data disposal on the disks of WFH users’ workstations.
3. Reduce the exposure of PII.
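The PII data discovery scanning called for above comes down to pattern matching plus validation, so that a run of digits is only reported when it can actually be a card number. The Python below is an added example written for this page, not ControlCase’s CDD tool or any code from the deck; the file paths, the file contents, the 13-to-19-digit PAN pattern and the US SSN pattern are constructed or assumed. It validates PAN candidates with the Luhn check and reports only masked values, so the scan’s own output does not become a new store of exposed PII (point 3 above).

```python
"""Discover PAN and SSN patterns in files, reporting only masked values.

Added example of the kind of data-discovery scan the slide calls for; it is
not ControlCase's CDD tool. The file contents below are constructed.
"""
import re
from typing import Dict, List

# Constructed sample content, as if read from a WFH workstation. Not real data.
SAMPLE_FILES: Dict[str, str] = {
    "C:/Users/wfh01/Documents/orders.csv":
        "order_id,card\n1001,4111 1111 1111 1111\n1002,4111-1111-1111-1112\n",
    "C:/Users/wfh01/Downloads/notes.txt":
        "Customer SSN on file: 123-45-6789. Call back Tuesday.\n",
    "C:/Users/wfh01/Desktop/readme.txt":
        "Build 20200601, ticket 4820, nothing sensitive here.\n",
}

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep the last `keep` digits, replace every other digit with '*'."""
    total_digits = sum(c.isdigit() for c in value)
    seen = 0
    out = []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total_digits - keep else "*")
        else:
            out.append(c)
    return "".join(out)


def scan_text(text: str) -> List[dict]:
    """Findings for one piece of text: Luhn-valid PANs and well-formed SSNs."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append({"kind": "PAN", "masked": mask(m.group())})
    for m in SSN_RE.finditer(text):
        findings.append({"kind": "SSN", "masked": mask(m.group())})
    return findings


def scan_files(files: Dict[str, str] = SAMPLE_FILES) -> List[dict]:
    """Return one finding per match, with the file path and a masked value."""
    results = []
    for path, text in files.items():
        for finding in scan_text(text):
            results.append({"path": path, **finding})
    return results


if __name__ == "__main__":
    for f in scan_files():
        print(f"{f['kind']}  {f['masked']}  {f['path']}")
```

The second card-like value in orders.csv fails the Luhn check and is dropped, which is the difference between a scan an analyst will act on and one that buries real findings in noise. On a real fleet the file contents would come from the workstation’s disk rather than an in-memory dict, and the report itself should be stored in the sensitive/PII environment, not on the endpoint.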
Physical Security
• There is no realistic way to control physical access to personnel working from home.
• Ensure controls (such as a Citrix remote desktop) are in place so that full sensitive/PII data cannot be viewed or downloaded when working from home.
• Data center reviews may have to be done using mobile cameras and/or CCTV images/photographs (with time stamps) as evidence.
Antivirus & Antimalware
• All systems should have an anti-virus solution installed and regularly updated.
• Users should not be able to disable the anti-virus solution.
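The configuration-management, log-management and anti-malware requirements above all reduce to the same check: compare what each WFH workstation reports against the approved standard, and treat anything not reported as a finding rather than as a pass. The Python below is an added example for this page, not ControlCase’s ACE or any code from the deck; the baseline settings, the designated NTP server name time.corp.example, the hostnames and the reported values are constructed or assumed.

```python
"""Check WFH workstation configuration reports against an approved baseline.

Added example. The baseline values, the hostnames and the reported settings
below are constructed for illustration; in practice the reports would come
from an endpoint-management or compliance-collection agent.
"""
from typing import Any, Dict, List, Tuple

# Assumed approved configuration standard. Each entry is (operator, expected):
#   "eq"  -> reported value must equal the expected value
#   "max" -> reported value must be a number <= expected
BASELINE: Dict[str, Tuple[str, Any]] = {
    "disk_encryption":       ("eq", True),
    "host_firewall":         ("eq", True),
    "av_installed":          ("eq", True),
    "av_tamper_protection":  ("eq", True),   # users must not be able to disable AV
    "av_signature_age_days": ("max", 3),     # "regularly updated"
    "ntp_server":            ("eq", "time.corp.example"),  # assumed designated NTP server
    "ntp_synced":            ("eq", True),
    "audit_logging":         ("eq", True),   # all user activity logged
    "screen_lock_minutes":   ("max", 15),
    "local_admin":           ("eq", False),  # least privilege on the endpoint
}

# Constructed reports: hostname -> settings as collected. Not real data.
REPORTS: Dict[str, Dict[str, Any]] = {
    "WFH-WS-017": {
        "disk_encryption": True, "host_firewall": True, "av_installed": True,
        "av_tamper_protection": True, "av_signature_age_days": 1,
        "ntp_server": "time.corp.example", "ntp_synced": True,
        "audit_logging": True, "screen_lock_minutes": 10, "local_admin": False,
    },
    "WFH-WS-042": {
        "disk_encryption": True, "host_firewall": True, "av_installed": True,
        "av_tamper_protection": False,       # the user could switch AV off
        "av_signature_age_days": 9,          # stale signatures
        "ntp_server": "time.windows.com",    # not the designated server
        "ntp_synced": True, "audit_logging": True,
        "screen_lock_minutes": 15, "local_admin": True,
    },
    "WFH-WS-088": {
        # the collector failed part-way: several settings are simply absent
        "disk_encryption": False, "host_firewall": True, "av_installed": True,
        "av_tamper_protection": True, "av_signature_age_days": 0,
    },
}


def _satisfies(op: str, expected: Any, actual: Any) -> bool:
    if op == "eq":
        return actual == expected
    if op == "max":
        return isinstance(actual, (int, float)) and actual <= expected
    raise ValueError(f"unknown operator {op!r}")


def evaluate_host(report: Dict[str, Any], baseline=BASELINE) -> List[str]:
    """Return the baseline settings this host fails (empty list = compliant).

    A setting the report does not contain at all is a failure too: an
    assessor cannot treat "no evidence" as "compliant".
    """
    failures = []
    for setting, (op, expected) in baseline.items():
        if setting not in report:
            failures.append(f"{setting}: not reported")
        elif not _satisfies(op, expected, report[setting]):
            failures.append(
                f"{setting}: expected {op} {expected!r}, got {report[setting]!r}")
    return failures


def evaluate_fleet(reports=REPORTS, baseline=BASELINE) -> Dict[str, List[str]]:
    """Map every hostname to its list of failures."""
    return {host: evaluate_host(rep, baseline)
            for host, rep in sorted(reports.items())}


if __name__ == "__main__":
    for host, failures in evaluate_fleet().items():
        status = "PASS" if not failures else f"FAIL ({len(failures)})"
        print(f"{host}: {status}")
        for failure in failures:
            print(f"    {failure}")
```

WFH-WS-042 fails on exactly the points the slides raise (AV that the user can disable, stale signatures, the wrong time source, a local administrator account), while WFH-WS-088 shows why an incomplete report must not be scored as compliant: half its settings are simply missing. Run against the inventory of WFH workstations, the output is the evidence an assessor asks for under configuration management.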
Access Management
• No regular user (except power users) should be able to access any system within the CDE (cardholder data environment) that stores, processes or transmits sensitive/PII data.
• All WFH users must use two-factor authentication to connect to the sensitive/PII environment.
• Need-to-know access along with least privilege must be implemented to restrict WFH users’ access to sensitive/PII data.
4 HOW CAN CYBER INSURANCE HELP IF THERE ARE ISSUES?
In the news today!
Consumers are using the newly enforceable California Consumer Privacy Act (CCPA) to sue companies they say have mishandled their data.
Under the CCPA, companies face statutory damages of up to $750 “per consumer per incident” for data breaches.
Successful Cyberattacks = Human-Based Error
Ransomware | Fund Transfer Fraud
Secure Your Home Office
Secure Your Business
The Value of Cyber Insurance
5 CONTROLCASE REMOTE ASSESSMENT METHODOLOGY
3 Key Areas Of Focus
1. Automation (remote scanning, evidence collection & testing)
2. Mechanisms to enable remote assessment (CCTV, phone cameras etc.)
3. Continuous compliance controls (such as more frequent user access reviews, scans and firewall ruleset reviews)
1. Automation-driven Remote Work-From-Home Testing
• ACE (Automated Compliance Engine): can collect evidence such as configurations remotely
• CDD (Data Discovery Solution): can scan end-user workstations for sensitive/PII data
• VAPT (Vulnerability Assessment & Penetration Testing): can perform remote vulnerability scans and penetration tests
• LOGS (Log Analysis and Alerting): can review log settings and identify missing logs remotely
2. Mechanisms to Enable Remote Assessments
• Assessors should keep the structure of an onsite audit but use video calling and screen sharing to review evidence and conduct interviews.
• Data center reviews may have to be done using mobile cameras and/or CCTV images/photographs (with time stamps) as evidence.
• Prepare for additional interview time compared with traditional face-to-face interviews.
• Use technology to upload and manage evidence shared between assessor and organization.
3. Continuous Compliance Enablement
“The continuous compliance monitoring is a big value add to their audit and certification services, which is good for organizations that don’t have the team in-house. It’s a big differentiator for them.”
— VP of IT, Call Center / BPO Company
70% of a company’s assets are non-compliant at some point in the year.
Go beyond monitoring and alerting to predict, prioritize and remediate compliance risks before they become security threats. Address common non-compliant situations that leave you vulnerable all year long, including:
• In-scope assets not reporting logs
• In-scope assets missed from vulnerability scans
• Critical vulnerabilities overlooked due to volume
• Risky firewall rule sets going undetected
• Non-compliant user access scenarios not flagged
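Three of the situations listed above (in-scope assets not reporting logs, in-scope assets missed from vulnerability scans, risky firewall rule sets) can be caught by reconciling the asset inventory against what the SIEM and the scanner have actually seen, and by screening the ruleset for over-broad permits. The Python below is an added example, not ControlCase’s platform or any code from the deck; the inventory, the timestamps, the firewall rules, the 24-hour log-silence window and the 90-day scan window are constructed or assumed. Hosts absent from a data source altogether are flagged rather than skipped: an in-scope asset the SIEM has never heard of is the most common form of “not reporting logs”.

```python
"""Reconcile an in-scope asset inventory against log and scan coverage, and
flag permissive firewall rules.

Added example, not ControlCase's tooling. The inventory, the SIEM and scanner
timestamps, the firewall rules and the thresholds are constructed or assumed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

NOW = datetime(2020, 6, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock: reproducible run
MAX_LOG_SILENCE = timedelta(hours=24)   # assumed: an in-scope asset must log at least daily
MAX_SCAN_AGE = timedelta(days=90)       # assumed: quarterly internal vulnerability scans


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed asset inventory: hostname -> in-scope flag. Not real data.
INVENTORY: Dict[str, bool] = {
    "pos-db-01": True,
    "wfh-ws-017": True,
    "wfh-ws-042": True,
    "wfh-ws-088": True,
    "hr-print-01": False,   # out of scope: silence here is not a finding
}
# Constructed "last event received" per host, as a SIEM would report it.
LAST_LOG: Dict[str, datetime] = {
    "pos-db-01": _ts("2020-06-15T11:40:00"),
    "wfh-ws-017": _ts("2020-06-12T08:15:00"),   # silent for three days
    "wfh-ws-088": _ts("2020-06-15T09:00:00"),
    # wfh-ws-042 has never sent a log
}
# Constructed "last authenticated scan" per host, as a scanner would report it.
LAST_SCAN: Dict[str, datetime] = {
    "pos-db-01": _ts("2020-05-20T02:00:00"),
    "wfh-ws-017": _ts("2020-02-01T02:00:00"),   # older than one quarter
    "wfh-ws-042": _ts("2020-06-05T02:00:00"),
    # wfh-ws-088 was added to the inventory after the last scan window
}
# Constructed firewall ruleset, in evaluation order.
FIREWALL_RULES: List[dict] = [
    {"id": 10, "src": "10.10.0.0/16", "dst": "10.20.5.10", "port": "443", "action": "allow"},
    {"id": 20, "src": "any", "dst": "any", "port": "any", "action": "allow"},  # left from troubleshooting
    {"id": 30, "src": "192.168.50.0/24", "dst": "any", "port": "any", "action": "allow"},
    {"id": 40, "src": "any", "dst": "any", "port": "any", "action": "deny"},
]


def in_scope(inventory: Dict[str, bool] = INVENTORY) -> List[str]:
    return sorted(h for h, scoped in inventory.items() if scoped)


def assets_not_logging(inventory=INVENTORY, last_log=LAST_LOG, now=NOW,
                       max_silence=MAX_LOG_SILENCE) -> List[str]:
    """In-scope hosts with no log event inside the window, or no log ever."""
    return [h for h in in_scope(inventory)
            if h not in last_log or now - last_log[h] > max_silence]


def assets_missed_by_scan(inventory=INVENTORY, last_scan=LAST_SCAN, now=NOW,
                          max_age=MAX_SCAN_AGE) -> List[str]:
    """In-scope hosts whose last scan is too old, or that were never scanned."""
    return [h for h in in_scope(inventory)
            if h not in last_scan or now - last_scan[h] > max_age]


def risky_firewall_rules(rules: List[dict] = FIREWALL_RULES) -> List[int]:
    """Allow rules to 'any' destination on 'any' port: too broad to tie to a business need."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and r["dst"] == "any" and r["port"] == "any"]


def compliance_gaps() -> Dict[str, list]:
    """One report covering the three conditions, ready to raise as findings."""
    return {
        "not_logging": assets_not_logging(),
        "missed_by_scan": assets_missed_by_scan(),
        "risky_fw_rules": risky_firewall_rules(),
    }


if __name__ == "__main__":
    for name, items in compliance_gaps().items():
        print(f"{name}: {items}")
```

The same reconciliation run daily is what turns an annual control into a continuous one; the thresholds are the only parameters that should change between environments, and they should match the cadence the organization has committed to in its policy.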
Summary – Why ControlCase
“They provide excellent service, expertise and technology. And the visibility into my compliance throughout the year and during the audit process provides a lot of value to us.”
— Dir. of Compliance, SaaS company
6 Q & A

Editor's Notes

  • #5 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.