Managing a Compliance Engagement

Managing a Compliance Engagement2 H 18 M

Learn about NIST SP 800-171 and HIPAA compliance and how to manage a compliance engagement with this business for technologists show.

  • Managing a Compliance Engagement
    • NIST 800-171 Basics
    • HIPAA Basics
    • Compliance Project Scoping
    • Compliance Gap Analysis
    • Compliance Remediation and Negotiation
    • Compliance Audit/Assessment

NIST 800-171 Basics

20 M

itprotv course thumbnailitprotv course thumbnailitprotv course thumbnail
  • Episode Description
  • Transcript

NIST 800-171 Basics

[MUSIC] Hi and thanks for joining us here at Bizpro.TV. I'm Joshua Marpet. This is Scott Lyons and we're with Red Lion. We're here to talk to you today about Nist 800-171 and getting the basics of it down pat. So Scott, why don't you tell them about yourself. >> Sure thing. So hi everybody. I am the CEO of Red Lion. I am a graduate of the business of, geez, I can't even speak right now. The school of hard knocks when it comes to business, right? I am a peer review on SYNACK the Info Sec journal. I do hold certifications although I won't tell you which, right? And my real passion are people and business. Josh. >> So my name's Joshua Marpet, I'm the COO of Red Lion, Chief Operating Officer. I've been around the block more than once. You've probably heard me say this but I'm an ex-cop, I'm an ex-fireman, I'm an ex horse dentist, I'm an ex-blacksmith. N,o that's not a joke, that's actually me. I've been a jail guard, I've done just about everything except astronaut, and I'm working on that. >> Wow. >> Okay, so I run Security BSides Delaware along with Janice Paulson. And occasionally I get to sleep, it's an amazing thing, so. >> So today let's talk about what we're getting into, right? So, we're dealing with the 171, okay. We need to know who is NIST? We need to know what the heck 171 is. How does it translate to entities that deal with the government? How does it change process? How does it change the certification, right? What is the certification? What is the cost associated? And some other general Q and A about 171. So let's start of with NIST. NIST is the National Institute of Standards and Technology it is developed by the US Department of Commerce, founded in 1901. NIST is responsible for a lot of the major certification projects that you'll find with the US Government. From 5g wireless standards to Biopharms to ICS/SCADA which is industrial control systems, all right? >> All the way to bullet proof vests. >> Yeah. >> It's really cool, they get to shoot people. >> [LAUGH] Man. So NIST is actually responsible for a lot of what drives government standards. Now, with that being said, we need to take a look at what 171 is specific around. And that really is the protection of controlled information for unclassified systems. And that is around non-federal, it is around information systems. So basically, go ahead Josh. >> What we're talking about is you've got to pull the important terms out of that title. Okay, the full title of NIST 800-171 is Protecting Controlled Unclassified Information, CUI, by the way is the abbreviation, in Non-federal Information Systems and Organizations. Okay, so it's protecting information that's not in a classification scheme, for non-federal agencies. Why would NIST care about that? >> I don't know. Why would NIST care about that? Really what we're looking at the access, we're looking at security requirements based around access control, based around identity and authentication. Based around incident response and maintenance, based around personnel security. >> So Scott, this looks like a serious information security program, and a fairly complete one. >> Yeah. >> You've got all the identification, you got the accountability, you've got all the training, sort of every piece of a information security program is here. But this is specifically for non-federal agencies and organizations for unclassified information. I mean, who does this apply to? >> Well, it applies a lot to companies that wanna do business with the federal government, right? So the real question is, Josh, if I may, why do I care, right? Well, why I care is because either I have to be a part of DFARS, right? >> What's DFARS? >> DFARS, the DOD Federal Acquisition Resource? >> Regulations. >> Regulations, or FARS, the Federal Acquisition Regulations. Thank you. Am I a government contractor because, guess what, I care. Am I sub to a sub to a sub to a sub, I still have to deal with 171, right? But the question I say is, why not 27001? >> Well because 27001 is incredibly particular it's a detailed-oriented beyond belief. 800-171 is a significant amount easier than ISO 27001. It's a little more far reaching, but ISO 27001 is the OCD cousin of 800171 if you will. So it also is a nice stepping stone it helps you build to the next cyber security framework, the CSL. So effectively, if you care about this you're either a government contractor, you're a government sub to a contractor, or sub to a government contractor rather. You need to prove that you're following a risk management program of some sort, okay? For a sale, for a customer, for a supplier, for a regulatory regime of some sort. And you go, you know, 800 one something one doesn't sound so bad. It's understandable those families of controls that we just looked at are totally literally realistic, they're reasonable. >> They are and so 171 actually breaks down the four main steps and those are Review, Implement, Analyze, and Audit. >> Okay, so let's talk about each of them real quick. >> Yeah. >> So in Review, you're gonna go over what you have now. You're gonna see, hey I'm right here, and you're going to go, hum, they need me to be over here. So how do I get from A to B? And that's implement. This leads to each other very very nicely. >> It does. >> So you're going to review what you have. You're going to review what you are, your business process, and your CUI. In other words, what information do I have? That's data classification, that's managing your assets, asset inventory. That's knowing who has access to those assets. That's understanding your business processes around those assets, around that date, around those classifications. And then realizing that I have a gap, I have a risk, I have a problem I need to fix that. So, I'm gonna implement some controls, some segmentation, some new processes. Modify the existing ones or whatever, and then. >> We're gonna step right in to analyze. So let's make sure that we've done our review correctly, we've done our implementation correctly, which really leads us to a controls gap, right? So where are we, where are we headed and how do we get there right? And that's really your gap, that's where a good gap analysis comes into place. >> Well, right, and so then we've done our review. We've implemented to fix the gap, we've analyzed to make sure that we fixed the gap, this is basically the double check, and then we're gonna audit. And the audit is gonna be where we say, we are actually in compliance, we are validating, we are verifying, we are making sure we're doing it right. >> But the audit also comes into play when trying to deal with your road map. The roadmap basically says, how we're going to implement the entire solution. When you audit, it's not that you're auditing for a compliance. Sure, that might be something gained to help your business but, at the same time, you're really auditing, and a lot of companies miss this, you're auditing to make sure that you're matching your roadmap. >> Well agreed, agreed. So your road map, or your strategic road map really, says that I want to be, let's say, I wanna have 5000 new customers by the end of the year. Those customers are gonna be in the government space, those customers are gonna want me to be certified or at least secure in some form or fashion. We're gonna use 800-171 to show them that we have a risk management framework. To get 800-171, we're going to make sure that we've done our gap analysis, we're gonna make sure that we've analyzed, we've implemented, we've taken care of everything. We're gonna use this as a stepping stone in that road map to get all those new customers, to get all that new business, to get all those things going on. Okay, so the government has come down and said that all DOD contractors must be 171 compliant by what? December 31st? >> 2017. >> Of 2017, right. So my real question to you is how does this relate to our business? >> That easy. Are you a government contractor? Are you a sub to a government contractor? Are you a sub to a sub to a sub to a sub? Are you anywhere in the supplier value chain? Those terms by the way mean roughly the same thing, it's just different people use them differently, okay? If you are a supplier, if you are the person actually doing the work, if you are a customer, that is a value chain from supplier to processor to customer. If you're in that value chain anywhere, and by the way, there's are more, there's what, 6,000 subcontractors to the government? >> There's a lot. >> So if there's 6,000 subcontractors to the government, how many subcontractors do they have? Dear God, the number is huge. Now, there's also other reasons to use 800-171, or any good risk management framework. Do you wanna reduce your sales friction? If you go, hey, I'd like to sign up for ITPro.TV and I wanna give you my credit card. And they go, hey, we have managed to secure your credit card information because we are PCI compliant or using a PCI compliant payment processor, you go, hey, I feel better about this. I feel better about putting my credit card in those little boxes because I know that they're doing it in a secure fashion, okay? And that's how you get it, you reduce sales friction. If somebody said, hey, would you mind mailing me, snail mailing me, or faxing me, that's fine, just send me a copy of your credit card, would you feel secure? Cuz I know I wouldn't. >> Right, so how does this affect your DFARS and your FARS standing, right? As a federal resource we need to figure out the easiest way to move all of this forward and still be compliant, right? So understanding your contracting officer and what their technical requirements are according to the FARS and the DFARS will really help with 171. Because originally we used to have to deal with 853 which was [INAUDIBLE] as what, ISO 27000 >> 1 and 2. >> 1 and 2, right. So we've taken the medium listing for 853, sprinkled in some ISO 27000 1 and 2, and that's how we got to 171 >> Right so they're a little off topic, but there's a little bit more to that. >> Yeah. >> And the reason is that 853 is a pre scriptive standard. 853 says you will do this, and this, and this. 800-171 is a descriptive standard, it says it will protect against these attacks. How you do it is up to you, because these things change on, well, let's be honest, a daily basis. >> They do. >> But if you are protected against these types of attacks, you are following the standard. >> Okay, okay, so seeing that we're protected against these types of attacks, right The real question is do I have to change the business process? >> No. >> Because a lot of what we do, a lot of what we do and a lot of what we say is that no matter what you do as far as complain goes you have to tailor to the business, right? So do do we change business process, maybe, right. >> It might be. But the thing is, here's the thing, it depends on your security maturity. It depends on your existing processes, it depends on your risk management framework. If you're not using risk management, if you don't have existing business processes. If you don't have a high enough security maturity, or any information security maturity, physical security maturity all these different types. Then yeah, you're gonna probably have to change some of your business processes. If you've already built up a very, very secure, very mature system of information physical security, and you've got risk management, you're doing risk-based thinking. You're saying, I've got an asset worth $1,000, I'm spending $500 for protection, I'm protected up to this level, you're risk thinking, okay? You're thinking about your risk. >> Right. >> You're probably won't have to change your processes at all or not very much, maybe a little tiny bit. >> So if we go onto the next, we're asking just a simple question here. Do we really need to get certified? Is there a certifying body for 171 that's been set up or, is it sort of like HIPAA in that you say you're HIPAA certified but there's really no paper for it? >> So the contractors, remember we're talking government contractors primarily, they're sort of the main receiving body or audience for this standard. The government contractors have no auditing body for this officially set up, but, of course, they can be audited by the agency that are their customers at any time, or the prime contractors that are the customers at any time. So, while it's more like HIPAA, in that, there are audit protocols, and audit standards, that have been set up so that they can be audited, there's no real way to get that stamp of approval that says, funk, you're good. So it's a problem, that's a real problem, you don't know. You go we're compliant according to our compliance officer, according to our paperwork, according to everything we've done. But just like anybody can say, I see a problem, well, we didn't see a problem there. Well, I do in my interpretation of the standards, and that's where the problem arises. >> So right now, to help you out a little bit, you're saying it's more of a self-certification process than anything else, right? >> It is. >> Okay. >> It absolutely is and that's fantastic because it means that you can do it at your own pace. >> Yeah. >> It means you can do it with your own resources. It means you can really get very far down the path without bringing in a huge monstrous consulting company. You might bring in a trusted advisor who says, hey, let's start with this plan, let's have these as goals, let's do one piece at a time. You can do it slow and steady, very stable, very comfortable and not totally upsetting the apple cart if you will. On the other hand, it does cause problems sometimes. >> So, that really runs us into the question of cost. >> Yeah. >> A lot of companies try to budget for things that they know. They try to budget for what they don't know but more often then not, that budgeting gets blown out of the water. Would something like this, given what needs to happen, blow our budget under the water if you are not careful. >> It depends, so, let's go over budgeting. Okay, this, I should be very honest and tell you that this is very specific to Red Lion's way of doing business. There is no one god given way to do this, but there are quite a few ways to do it. We like to do a gap analysis because we believe that we don't know how much it's gonna cost until we know where you stand right now. We already know what the regulations say you have to do and be and where you have to end up. But we don't know where you are now. So unless we know that how can we tell you the cost? So we tend to do a gap analysis that takes anywhere from two to four weeks, and costs somewhere between 10 and $50,000. All right, that's on site, offsite, interviews, investigation, VOM scans, all kinds of scans, and look-ats, okay? Then we can tell you, here's your remediation plan, you can do these parts yourself and these parts we can help you with. This is what it's gonna cost, etc. >> That's where the roadmap comes into play. >> Right. >> So from the remediation plan and understanding where you are and where you need to go, then how you get there, that's how you build out your roadmap. Once you've gone through your roadmap and you've done your Audit on the backend of the roadmap, then we come in and do a reassessment, right? >> So this goes back to what we were saying. It's a gap analysis, then it's a remediation, then it's reassess and it goes through a full step and you iterate. Think of this almost as like agile compliance, okay? You do a Gap analysis, you figure out what your backlog is. You do your remediation, which is when you're actually doing the work, you're doing sprints, and with 800-171 you can do a sprint at a time. You can do multiple sprints, it all depends. And then you do a reassess, which is where you do the stand up meeting and go, how did we do, okay? So it's almost like agile compliance. And we prefer to do it that way rather than a waterfall compliance method. I'm bastardizing a little bit, bear with me. Because at waterfall compliance, we're gonna charge you a quarter of a million dollars, we get it all done. Well, I don't know that. It might cost $70000 and be able to do everything. It might cost a half a million dollars and those other guys are gonna short change you. We prefer to do in a step by step basis because it also helps to make the budget a bit more understandable and palatable For everybody including the CFO, who'll likely be upset with you if you throw it at them in one lump. >> So, if I have cyber insurance, will this actually make a difference for my insurance company? >> It can. >> We have talked with a lot of cyber insurers that are out there. And we've seen the questionnaires that cyber insurance companies have asked. And they range a full gambit. >> God. >> From, we'll give you a million dollars if you tell us that you have bought a firewall. You don't have to install it. You don't have to have it running. It can be sitting on a shelf in a box, but you've bought one, right. Two yes we have a fully built out program. We ask our people to re-up their certifications every so often. And that's what the basis of our insurance is. So does 171 actually make a difference? >> 171 can absolutely make a difference if you're a federal contractor a sub do federal contractor or sub do a sub do a sub do federal contractor and you're and you have a contract and you do not have 800-171 compliance by the end of 2017 you stand a very good chance of losing that contract all right. I've talked to prime contractors who have had their government lease on say hey. You see this clause in the contract where it says you have to be compliant for information security? This time, we're holding you to that. As of December 31 2017, if you are not compliant with 800171, you can pretty much kiss that contract goodbye. Now- >> So you're saying that if I own cyber insurance >> Right? >> Right, if I own cyber insurance or I do any type of government contracting, that it's gonna care that like it really I should really care about this. >> So you should care. And you should care even if you are not a government contractor. Look cyber insurance, okay so this three things that matter. Are you a government contractor? If not, okay ignore that one. Do you have customers, because if you have customers and you go hey, by the way, customer, we have a risk management program and we are having a security maturity issue that we've fixed and we are mature in the information security realm. They go wow, I'm much happier dealing with you now, because I know you're actually secure. And you go hey cyber insurance vendor, because these days if you don't have cyber insurance, you're in trouble anyway I have an information security program. I have an information security system. We're up to date on everything. I have a risk management framework. We're doing really good. How do you like it? And your cyber insurance company's gonna go, hey, wow you're awesome. Your premium could go down. They could very much be happy with you in terms of if you put in a claim, they're gonna go no, no, no, these guys actually did good stuff. If they put in a claim, something really bad happened, pay the claim faster; you're gonna have proof that any claims that you put in are legitimate faster because you're going to be logging things. So, my god, you care! Okay, even if you're not a government contractor if you have customers or cyber insurance or both, you care. >> All right, so we have outlined a whole bunch of things about 171 even though this is brief and short, right. Yeah so where do we go from here? That's the question. >> That's a great question. So the answer is simple. If you have questions please give us a call ask us, email us, our emails are in the presentation. I am Joshua Marpet >> And I am Scott Lyons And you can reach me on twitter @csp3r Casper. >> Casper. >> Old nickname of his. >> Yep. >> Effectively, what we wanna do is show you that it's not that hard to do a compliance framework, to be compliant, to do risk management, to increase your security maturity. It takes time, it takes effort, it takes some money. But, what it really takes is a determination that I'm gonna reduce my sales friction, I'm gonna increase my likelihood that I can actually get a successful claim in cyber insurance, and I'm gonna make myself a better way, a better company to be a government contractor or sub do government contractor to get some of those beautiful large government contracts. And if you do these things, your business is probably gonna succeed a lot better then if you didn't. >> Yeah and foremost, it also is a great reduction in risk. >> Not a bad thing. So that's NIST 800-171 the basics and thank you very much for joining us here at BIZPRO.TV

Just you? Training a whole team? There's an ITProTV plan that fits.

With more than 5,800 hours of engaging video training for IT professionals, you'll find the courses you and your team need to stay current and get the latest certifications.