PRACTICE GUIDE | Financial Services
NIST SP 1800-5a
IT Asset Management

EXECUTIVE SUMMARY
The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), developed an example solution that financial services companies can use for a more secure and efficient way of monitoring and managing their many IT hardware and software assets.
The security characteristics in our IT asset management platform are derived from the best practices of standards organizations, including the Payment Card Industry Data Security Standard (PCI DSS).
The NCCoE's approach uses open source and commercially available products that can be included alongside current products in your existing infrastructure. It provides a centralized, comprehensive view of networked hardware and software across an enterprise, reducing vulnerabilities and response time to security alerts, and increasing resilience.
The example solution is packaged as a How To guide that demonstrates implementation of standards-based cybersecurity technologies in the real world. The guide helps organizations gain efficiencies in asset management, while saving them research and proof of concept costs.

THE CHALLENGE
Large financial services organizations employ tens or hundreds of thousands of individuals. At this scale, the technology base required to ensure smooth business operations (including computers, mobile devices, operating systems, applications, data, and network resources) is massive. To effectively manage, use, and secure each of those assets, you need to know their locations and functions. While physical assets can be labeled with barcodes and tracked in a database, this approach does not answer questions such as "What operating systems are our laptops running?" and "Which devices are vulnerable to the latest threat?"
Computer security professionals in the financial services sector told us they are challenged by the vast diversity of hardware and software they attempt to track, and by a lack of centralized control: a large financial services organization can include subsidiaries, branches, third-party partners, contractors, as well as temporary workers and guests. This complexity makes it difficult to assess vulnerabilities or to respond quickly to threats, and to accurately assess risk in the first place (by pinpointing the most valuable assets).

THE SOLUTION
The NIST Cybersecurity IT Asset Management Practice Guide is a proof-of-concept solution demonstrating commercially available technologies that can be implemented to track the location and configuration of networked devices and software across an enterprise. Our example solution spans traditional physical asset tracking, IT asset information, physical security, and vulnerability and compliance information. Users can now query one system and gain insight into their entire IT asset portfolio.
DRAFT
The guide:
- maps security characteristics to guidance and best practices from NIST and other standards organizations including the PCI DSS
- provides
  - a detailed example solution with capabilities that address security controls
  - instructions for implementers and security engineers, including examples of all the necessary components for installation, configuration, and integration
- is modular and uses products that are readily available and interoperable with your existing IT infrastructure and investments

While we have used a suite of commercial products to address this challenge, this guide does not endorse these particular products, nor does it guarantee regulatory compliance. Your organization's information security experts should identify the standards-based products that will best integrate with your existing tools and IT infrastructure. Your company can adopt this solution or one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and implementing parts of a solution.

BENEFITS
Our example solution has the following benefits:
- enables faster responses to security alerts by revealing the location, configuration, and owner of a device
- increases cybersecurity resilience: you can focus attention on the most valuable assets
- provides detailed system information to auditors
- determines how many software licenses are actually used in relation to how many have been paid for
- reduces help desk response times: staff will know what is installed and the latest pertinent errors and alerts
- reduces the attack surface of each device by ensuring that software is correctly patched

SHARE YOUR FEEDBACK
You can get a copy of the guide at http://nccoe.nist.gov and help us improve it by submitting your feedback. As you review and adopt this solution for your own organization, we ask you and your colleagues to share your experience and advice with us.
- participate in our forums at https://nccoe.nist.gov/forums/financial-services
To learn more, you can contact us at financial_nccoe@nist.gov to arrange a demonstration of this reference solution.
TECHNOLOGY PARTNERS
The technology vendors who participated in this project submitted their capabilities in response to a call in the Federal Register. Companies with relevant products were invited to sign a Cooperative Research and Development Agreement with NIST, allowing them to participate in a consortium to build this example solution.
The National Cybersecurity Center of Excellence at the National Institute of Standards and Technology addresses businesses' most pressing cybersecurity problems with practical, standards-based example solutions using commercially available technologies. As the U.S. national lab for cybersecurity, the NCCoE seeks problems that are applicable to whole sectors, or across sectors. The center's work results in publicly available NIST Cybersecurity Practice Guides that provide modular, open, end-to-end reference designs.

LEARN MORE
Visit http://nccoe.nist.gov

ARRANGE A DEMONSTRATION
[email protected]
240-314-6800
NIST CYBERSECURITY PRACTICE GUIDE FINANCIAL SERVICES
IT ASSET MANAGEMENT
Approach, Architecture, and Security Characteristics
For CIOs, CISOs, and Security Managers
Michael Stone, Chinedum Irrechukwu, Harry Perper, Devin Wynne
Leah Kauffman, Editor-in-Chief
NIST SPECIAL PUBLICATION 1800-5b
NIST Special Publication 1800-5b
IT ASSET MANAGEMENT
Financial Services
Michael Stone
National Cybersecurity Center of Excellence
Information Technology Laboratory

Chinedum Irrechukwu, Harry Perper, Devin Wynne
The MITRE Corporation, McLean, VA

Leah Kauffman, Editor-in-Chief
National Cybersecurity Center of Excellence
Information Technology Laboratory

October 2015
U.S. Department of Commerce Penny Pritzker, Secretary
National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director
DISCLAIMER
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 1800-5b
Natl. Inst. Stand. Technol. Spec. Publ. 1800-5b, 49 pages (October 2015)
CODEN: NSPUE2

Organizations are encouraged to review all draft publications during public comment periods and provide feedback. All publications from NIST's National Cybersecurity Center of Excellence are available at http://nccoe.nist.gov.
Comments on this publication may be submitted to: [email protected]
Public comment period: October 26, 2015 through January 8, 2016

National Cybersecurity Center of Excellence
National Institute of Standards and Technology
9600 Gudelsky Drive (Mail Stop 2002)
Rockville, MD 20850
Email: [email protected]
NATIONAL CYBERSECURITY CENTER OF EXCELLENCE
The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) addresses businesses' most pressing cybersecurity problems with practical, standards-based solutions using commercially available technologies. The NCCoE collaborates with industry, academic, and government experts to build modular, open, end-to-end reference designs that are broadly applicable and repeatable. The center's work results in publicly available NIST Cybersecurity Practice Guides, Special Publication Series 1800, that provide users with the materials lists, configuration files, and other information they need to adopt a similar approach.
To learn more about the NCCoE, visit http://nccoe.nist.gov. To learn more about NIST, visit http://www.nist.gov.

NIST CYBERSECURITY PRACTICE GUIDES
NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices.
The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. The documents in this series do not describe regulations or mandatory practices, nor do they carry statutory authority.

ABSTRACT
While a physical asset management system can tell you the location of a computer, it cannot answer questions like, "What operating systems are our laptops running?" and "Which devices are vulnerable to the latest threat?" An effective IT asset management (ITAM) solution can tie together physical and virtual assets and provide management with a complete picture of what, where, and how assets are being used. ITAM enhances visibility for security analysts, which leads to better asset utilization and security.
This NIST Cybersecurity Practice Guide provides a reference build of an ITAM solution. The build contains descriptions of the architecture, all products used in the build and their individual configurations. Additionally, this guide provides a mapping of each product to multiple relevant security standards. While the reference soluti