PRACTICE GUIDE | Financial Services NIST SP 1800-5a
IT Asset Management
Executive Summary
The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), developed an example solution that financial services companies can use for a more secure and efficient way of monitoring and managing their many IT hardware and software assets.
The security characteristics in our IT asset management platform are derived from the best practices of standards organizations, including the Payment Card Industry Data Security Standard (PCI DSS).
The NCCoE's approach uses open source and commercially available products that can be included alongside current products in your existing infrastructure. It provides a centralized, comprehensive view of networked hardware and software across an enterprise, reducing vulnerabilities and response time to security alerts, and increasing resilience.
The example solution is packaged as a How To guide that demonstrates implementation of standards-based cybersecurity technologies in the real world. The guide helps organizations gain efficiencies in asset management, while saving them research and proof of concept costs.
THE CHALLENGE
Large financial services organizations employ tens or hundreds of thousands of individuals. At this scale, the technology base required to ensure smooth business operations (including computers, mobile devices, operating systems, applications, data, and network resources) is massive. To effectively manage, use, and secure each of those assets, you need to know their locations and functions. While physical assets can be labeled with barcodes and tracked in a database, this approach does not answer questions such as "What operating systems are our laptops running?" and "Which devices are vulnerable to the latest threat?"
Computer security professionals in the financial services sector told us they are challenged by the vast diversity of hardware and software they attempt to track, and by a lack of centralized control: a large financial services organization can include subsidiaries, branches, third-party partners, contractors, as well as temporary workers and guests. This complexity makes it difficult to assess vulnerabilities or to respond quickly to threats, and to accurately assess risk in the first place (by pinpointing the most valuable assets).
THE SOLUTION
The NIST Cybersecurity IT Asset Management Practice Guide is a proof-of-concept solution demonstrating commercially available technologies that can be implemented to track the location and configuration of networked devices and software across an enterprise. Our example solution spans traditional physical asset tracking, IT asset information, physical security, and vulnerability and compliance information. Users can now query one system and gain insight into their entire IT asset portfolio.
DRAFT
The guide:
• maps security characteristics to guidance and best practices from NIST and other standards organizations including the PCI DSS
• provides
  – a detailed example solution with capabilities that address security controls
  – instructions for implementers and security engineers, including examples of all the necessary components for installation, configuration, and integration
• is modular and uses products that are readily available and interoperable with your existing IT infrastructure and investments
While we have used a suite of commercial products to address this challenge, this guide does not endorse these particular products, nor does it guarantee regulatory compliance. Your organization's information security experts should identify the standards-based products that will best integrate with your existing tools and IT infrastructure. Your company can adopt this solution or one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and implementing parts of a solution.
BENEFITS
Our example solution has the following benefits:
• enables faster responses to security alerts by revealing the location, configuration, and owner of a device
• increases cybersecurity resilience: you can focus attention on the most valuable assets
• provides detailed system information to auditors
• determines how many software licenses are actually used in relation to how many have been paid for
• reduces help desk response times: staff will know what is installed and the latest pertinent errors and alerts
• reduces the attack surface of each device by ensuring that software is correctly patched
SHARE YOUR FEEDBACK
You can get a copy of the guide at http://nccoe.nist.gov and help us improve it by submitting your feedback. As you review and adopt this solution for your own organization, we ask you and your colleagues to share your experience and advice with us.
• email financial_nccoe@nist.gov
• participate in our forums at https://nccoe.nist.gov/forums/financial-services
To learn more, you can contact us at financial_nccoe@nist.gov to arrange a demonstration of this reference solution.
TECHNOLOGY PARTNERS
The technology vendors who participated in this project submitted their capabilities in response to a call in the Federal Register. Companies with relevant products were invited to sign a Cooperative Research and Development Agreement with NIST, allowing them to participate in a consortium to build this example solution.
The National Cybersecurity Center of Excellence at the National Institute of Standards and Technology addresses businesses' most pressing cybersecurity problems with practical, standards-based example solutions using commercially available technologies. As the U.S. national lab for cybersecurity, the NCCoE seeks problems that are applicable to whole sectors, or across sectors. The center's work results in publicly available NIST Cybersecurity Practice Guides that provide modular, open, end-to-end reference designs.
LEARN MORE Visit http://nccoe.nist.gov
ARRANGE A DEMONSTRATION nccoe@nist.gov
240-314-6800
NIST CYBERSECURITY PRACTICE GUIDE FINANCIAL SERVICES
IT ASSET MANAGEMENT
Approach, Architecture, and Security Characteristics
For CIOs, CISOs, and Security Managers
Michael Stone, Chinedum Irrechukwu, Harry Perper, Devin Wynne
Leah Kauffman, Editor-in-Chief
NIST SPECIAL PUBLICATION 1800-5b
NIST Special Publication 1800-5b
IT ASSET MANAGEMENT
Financial Services
Michael Stone, National Cybersecurity Center of Excellence
Information Technology Laboratory
Chinedum Irrechukwu, Harry Perper, Devin Wynne
The MITRE Corporation, McLean, VA
Leah Kauffman, Editor-in-Chief, National Cybersecurity Center of Excellence
Information Technology Laboratory
October 2015
U.S. Department of Commerce Penny Pritzker, Secretary
National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director
DISCLAIMER
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
National Institute of Standards and Technology Special Publication 1800-5b
Natl. Inst. Stand. Technol. Spec. Publ. 1800-5b, 49 pages (October 2015)
CODEN: NSPUE2
Organizations are encouraged to review all draft publications during public comment periods and provide feedback. All publications from NIST's National Cybersecurity Center of Excellence are available at http://nccoe.nist.gov.
Comments on this publication may be submitted to: financial_nccoe@nist.gov
Public comment period: October 26, 2015 through January 8, 2016
National Cybersecurity Center of Excellence
National Institute of Standards and Technology
9600 Gudelsky Drive (Mail Stop 2002), Rockville, MD 20850
Email: financial_nccoe@nist.gov
NATIONAL CYBERSECURITY CENTER OF EXCELLENCE
The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) addresses businesses' most pressing cybersecurity problems with practical, standards-based solutions using commercially available technologies. The NCCoE collaborates with industry, academic, and government experts to build modular, open, end-to-end reference designs that are broadly applicable and repeatable. The center's work results in publicly available NIST Cybersecurity Practice Guides, Special Publication Series 1800, that provide users with the materials lists, configuration files, and other information they need to adopt a similar approach.
To learn more about the NCCoE, visit http://nccoe.nist.gov. To learn more about NIST, visit http://www.nist.gov.
NIST CYBERSECURITY PRACTICE GUIDES
NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices.
The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. The documents in this series do not describe regulations or mandatory practices, nor do they carry statutory authority.
ABSTRACT
While a physical asset management system can tell you the location of a computer, it cannot answer questions like, "What operating systems are our laptops running?" and "Which devices are vulnerable to the latest threat?" An effective IT asset management (ITAM) solution can tie together physical and virtual assets and provide management with a complete picture of what, where, and how assets are being used. ITAM enhances visibility for security analysts, which leads to better asset utilization and security.
This NIST Cybersecurity Practice Guide provides a reference build of an ITAM solution. The build contains descriptions of the architecture, all products used in the build and their individual configurations. Additionally, this guide provides a mapping of each product to multiple relevant security standards. While the reference soluti