Creating End-to-End Traceability
North Texas ISACA Chapter Meeting
Bill Weber, HP
May 12 2011

© Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. For External Use.




Bill Weber

InfoSec Architect, HP Enterprise Services

22 years of experience in Information Technology

Specialize in Healthcare and Defense Industries

Executive MBA, Masters in IT Security, Bachelors in CIS

CISM, CRISC, CISSP, MCITP, CTT+

billrweber.pro



Challenge


Two lines of business with similar goals and a healthcare focus

Two large legacy systems using different architectures

Emerging investments in new technologies

No centralized InfoSec Architecture


InfoSec Architecture Components


GRC Architecture
Defines the approach to GRC and details the architectural elements.

InfoSec Policy
Contains policies and standards based on industry compliance requirements and internal best practices.

AppSec Policy
Contains application-construction and technology-specific standards.

SDL Pattern and Practice
Defines the approach to the SDL and details the design components.

Requirements Traceability Matrix
Maps compliance requirements to InfoSec Policy elements.

Evidence Traceability Matrix
Maps the implementation of patterns and practices to design, construction, testing and audit documents as evidence.


Requirements


Enterprise InfoSec Standards

NIST Special Publications:
SP800-13 Telecommunications Security Guidelines
SP800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
SP800-15 MISPC Minimum Interoperability Specification for PKI Components
SP800-16 IT Security Training Requirements
SP800-17 MOVS Requirements and Procedures
SP800-18 Guide for Developing Security Plans for Federal Information Systems
SP800-19 Mobile Agent Security
SP800-20 TMOVS Requirements and Procedures
SP800-21 Implementing Cryptography
SP800-22 Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
SP800-23 Security Assurance and Acquisition
SP800-24 PBX Vulnerability Analysis
SP800-25 PKI Technology for Digital Signatures and Authentication
SP800-27 Engineering Principles for IT Security
SP800-28 Active Content and Mobile Code
SP800-29 Security Requirements for FIPS 140-1 and FIPS 140-2
SP800-30 Risk Management Guide for IT Systems
SP800-32 Public Key Technology and the Federal PKI Infrastructure
SP800-33 Technical Models for IT Security
SP800-34 Contingency Planning Guide for Federal Information Systems
SP800-35 Guide to IT Security Services
SP800-36 Guide to Selecting IT Security Products
SP800-37 Guide for Applying the Risk Management Framework to Federal Information Systems
SP800-38 Block Cipher Modes of Operation
SP800-39 Managing Information Security Risk
SP800-40 Creating a Patch and Vulnerability Management Program
SP800-41 Guidelines for Firewalls and Firewall Policy
SP800-43 Systems Administration Guidance for Windows 2000
SP800-44 Guidelines on Securing Public Web Servers
SP800-45 Guidelines on Electronic Mail Security
SP800-46 Guide to Enterprise Telework and Remote Access Security
SP800-47 Security Guide for Interconnecting IT Systems
SP800-48 Guide to Securing Legacy IEEE 802.11 Wireless Networks
SP800-49 Federal S/MIME V3 Client Profile
SP800-50 Building an IT Security Awareness and Training Program
SP800-51 Guide to Using Vulnerability Naming Schemes



Requirements Traceability Matrix (diagram)

Requirements Traceability: InfoSec Policy traceability to compliance requirements.

InfoSec Policy elements on one axis: SCS 001, SCS 002, SCS 003, SCS 004, SCS 5000.

Compliance requirements on the other axis: HIPAA § 164.312(a) and § 164.312(a)(2); FIPS 140-2 Level 1 and Level 2; FFIEC (Encrypt); NIST SP 800-111 (Encrypt). The individual cell mappings are not recoverable from the transcript.


Security Development Lifecycle (diagram)

SDL phases: Training, Requirements, Design, Implement, Verification, Release, Response.

Elements placed along the phases: Fortify Secure Software Assurance; Authentication and Authorization Pattern & Practice; Auditing Pattern & Practice; RTM; ETM; InfoSec Policy / AppSec Policy; Audit Cases / Test Cases; Audit Guidance / Release Reports.


Patterns & Practices (diagram)

The same SDL diagram (phases Training, Requirements, Design, Implement, Verification, Release, Response, with Fortify Secure Software Assurance, the Authentication and Authorization and Auditing Patterns & Practices, RTM, ETM, InfoSec Policy / AppSec Policy, Audit Cases / Test Cases and Audit Guidance / Release Reports), now showing the InfoSec Patterns & Practices feeding the Software Development Life Cycle (SDLC) work products: Use Cases, Tech Specs, Tech Design.


Evidence Traceability Matrix (diagram)

Evidence Traceability: Patterns and Practices detailing implementation, and traceable evidence to artifacts throughout the product lifecycle.

Patterns & Practices (P&P 001, P&P 002, P&P 003) are mapped to evidence artifacts (Doc ID 1, Doc ID 2, Doc ID 3); the diagram also shows the Release Report and Audit Guidance.


Audit Guidance (diagram)

Business and Compliance Requirements -> Requirements Traceability Matrix -> Security Development Lifecycle (Policies, Patterns & Practices) -> SDLC Work Product -> Evidence Traceability Matrix -> Audit Guidance -> Audit Findings


End-to-End Traceability


• Requirements Traceability Matrix - Requirements: InfoSec Architecture detailing Policies, Standards and Traceability to Compliance Requirements.

• Security Development Lifecycle - Actions: Design, Development, Testing and Release Documentation that details all aspects of InfoSec Capability and provides a basis for auditability.

• Evidence Traceability Matrix - Results: Policies and Practices detailing implementation and Traceable Evidence to Artifacts throughout the development lifecycle.
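The three matrices only deliver end-to-end traceability if they can be joined: an auditor starts from a compliance requirement, follows it through the RTM to policy elements, through the SDL to the patterns and practices that implement them, and through the ETM to the evidence documents. The script below is an added example, not code from the HP deck, that models that join and reports every break in the chain. The identifiers (SCS 001..SCS 5000, P&P 001..003, Doc ID 1..3) come from the slides, but which requirement maps to which element is not given there, so every mapping in the script is constructed for illustration, as is the policy-to-P&P link that the deck only draws as the SDL arrow from policy to patterns.

```python
"""Added example (not from the HP deck): joining a Requirements Traceability
Matrix (RTM) and an Evidence Traceability Matrix (ETM) so that the audit
question "show me the evidence for requirement X" is answered by a lookup,
and every break in the chain surfaces as a named gap.

All mappings below are constructed for illustration; the slides name the
identifiers but do not state which requirement maps to which element."""
from collections import defaultdict

# RTM: compliance requirement -> InfoSec Policy elements (constructed).
RTM = {
    "HIPAA 164.312(a)(2)": {"SCS 001", "SCS 002"},
    "FIPS 140-2 Level 1": {"SCS 003"},
    "FFIEC Encrypt": {"SCS 003"},
    "NIST SP 800-111 Encrypt": {"SCS 004"},
    "FIPS 140-2 Level 2": set(),   # requirement with no policy element: a gap
}

# Policy element -> Patterns & Practices that implement it. This link is an
# assumption; the deck shows it only as the SDL flow from policy to P&P.
POLICY_TO_PP = {
    "SCS 001": {"P&P 001"},
    "SCS 002": {"P&P 001", "P&P 002"},
    "SCS 003": {"P&P 003"},
    "SCS 004": set(),               # policy with no implementing practice
    "SCS 5000": {"P&P 003"},        # policy not traced back to a requirement
}

# ETM: P&P -> evidence artifacts (document IDs) produced in the SDLC.
ETM = {
    "P&P 001": {"Doc ID 1", "Doc ID 2"},
    "P&P 002": {"Doc ID 3"},
    "P&P 003": set(),               # practice with no recorded evidence
}


def trace(requirement):
    """Walk requirement -> policy -> P&P -> evidence and return each chain
    as (policy, practice, sorted list of documents)."""
    chain = []
    for policy in sorted(RTM.get(requirement, ())):
        for pp in sorted(POLICY_TO_PP.get(policy, ())):
            chain.append((policy, pp, sorted(ETM.get(pp, ()))))
    return chain


def evidence_for(requirement):
    """The set of artifacts an auditor can be handed for one requirement."""
    return {doc for _, _, docs in trace(requirement) for doc in docs}


def gaps():
    """Breaks in the chain, grouped by where the auditor would hit them."""
    out = defaultdict(list)
    for req, policies in RTM.items():
        if not policies:
            out["requirement_without_policy"].append(req)
        elif not evidence_for(req):
            out["requirement_without_evidence"].append(req)
    for policy, practices in POLICY_TO_PP.items():
        if not practices:
            out["policy_without_practice"].append(policy)
        if not any(policy in p for p in RTM.values()):
            out["policy_without_requirement"].append(policy)
    for pp, docs in ETM.items():
        if not docs:
            out["practice_without_evidence"].append(pp)
    return {kind: sorted(items) for kind, items in out.items()}


if __name__ == "__main__":
    for req in RTM:
        print(req, "->", sorted(evidence_for(req)) or "NO EVIDENCE")
    for kind, items in gaps().items():
        print(kind, items)
```

The gap report is the useful output: a requirement with evidence is an audit answer, but a requirement whose chain dies at an empty policy, an unimplemented policy, or an un-evidenced practice is an audit finding waiting to happen, and a policy that no requirement points at (SCS 5000 here) is a candidate for retirement or for a missing row in the RTM.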


Outcome


Provides Governance and Compliance Models

• Measurable Evidence on Specific Controls

• Specific Policies, Standards, Patterns and Practices

• Creates Reusable Intellectual Property

• Demonstrates Value to Market


Thank you