The May release of the Traps management service is now available and introduces the following key features and capabilities:
Traps for Android — You can now protect your Android endpoints from malware using the new Traps app for Android. To get your end users started with Traps for Android, you create a custom installation URL from the Traps management service and send it to your users. Your custom URL contains a distribution ID for your Traps management service tenant which ties the Android endpoint to your tenant. After you install Traps for Android, you can use the Traps management service to manage your Android endpoints and view details about the threats and events reported by your Android endpoints. Traps for Android is supported on Android 4.4 and later releases.
File Analytics — The Traps management service now provides detailed file analytics for the files that attempt to run on Windows and Mac endpoints in your organization.
Child Process Execution Criteria — You can now allow specific parent processes to launch child processes and optionally configure execution criteria based on command line parameters.
Windows Security Center Registration — You can now customize the registration behavior for Traps and the Windows Security Center.
Delete an Endpoint — This feature enables you to manually remove an endpoint from the Traps management service (Endpoints view) and returns its license to the license pool.
For more details on the new features, please refer to the following resources:
by Tamer Gamali, CISSP, CISO Mashreq Bank, and member of the (ISC)² EMEA Advisory Council
Is the CISO well positioned to mitigate operational risk? (ISC)² will be asking this probing question of Security leaders at the kick-off session for Infosecurity Europe’s Leaders Programme in London next month. A round table discussion conducted under the Chatham House Rule, the session creates an opportunity to offer up frank comment and illuminate the challenges currently hampering companies from appreciating and truly gaining control of cyber risks. Infosecurity Europe’s Leaders Programme is open to CISOs and Heads of Information Security, who are the final decision-makers and budget holders for information security in end-user organisations, making this a bespoke session for those charged with managing the risks. It’s also a continuation of a discussion we started in Abu Dhabi at Infosecurity Middle East in March which proved to be very enlightening.
We had 10 participants sitting around the table in Abu Dhabi, all with CISO-level responsibilities representing government, at city and national levels, small companies and larger corporations. Overall, the group confirmed a persistent governance challenge when it comes to mitigating cyber security risk, despite the acknowledgement of a National Framework and/or documented company policy and procedures. Understanding what should be done, it seems, is proving not enough: organisations must also build in the motivation and influence across their management structure to get it done.
The group confirmed, for example, that the status of a project or its business owner, is more likely to determine whether it goes forward without sign off from the security experts, than the understood risks. In all cases, participants felt they couldn’t always put their hand up and highlight concerns, even when there was a security governance committee in place: if a project was considered critical or high -profile the chief motivation is to deliver making it likely to move ahead into production with the risks logged in a risk register. The group also revealed that increasing levels of risks logged in this way were being realized within months.
Clear lines of accountability proved to be another concern. Participants noted the existence of many consultants and recommenders, but very few approvers in the security and risk governance process. In the best-case scenario, particularly within government, a governance committee will have authority to veto acceptance of risk by a business owner, yet the veto occurring will still be determined by the criticality of the project, not necessarily the level of risk. Further, all described an unhealthy relationship with auditing grounded in the belief that auditors are biased to find something wrong rather than contribute to development, while traditional auditors lack the skill needed for cyber.
Overall the group concluded that there is no single model for security governance, including the auditing stages, but there are some intangible yet clear shortcomings that must be recognised and accepted. Ensuring the right level of influence and a healthier balance of considerations is needed. Regulators are recognising this and some, including within the UAE, are requiring the appointment of a CISO accountable for regularly updated plans within particular sectors. Clearly, greater visibility and co-ordination of the overall risk will be required if CISOs, and the organisations that appoint them are going to live up to the expectation. Frameworks, best practice and policies must be backed up by a process to document that they have been followed and best efforts made.
As a Chief Information Security Officer (CISO) based in Dubai with over 12 years working in this capacity within financial services, and a volunteer member of (ISC)²’s EMEA Advisory Council, I am
keen to help companies develop a deeper understanding of how operational risks are evolving with cyberthreats. As every company marches toward their own digital agenda, I believe that the CISO will increasingly play a strategic, not just supporting role. A well-positioned, business-aligned CISO can help align corporate priorities so that security issues can be properly addressed as companies increase their dependency on technology and, therefore, the capacity to address the risks properly.
I look forward to continuing and sharing more insights from the discussion in London, June 5 at 10:30am. To join us, qualifying Infosecurity Europe delegates must register for a Leaders Pass, which also gives them access to a Leaders Lounge and networking opportunities, in addition to the round tables. Learn more, and register to join us.
Seattle, WA– May 14, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announces that it has partnered with the Federal Risk and Authorization Management Program (FedRAMP), at the U.S. General Services Administration (GSA). The two programs will work together to develop FedSTAR that offers mutual recognition between the two security programs based on a common framework for deployment, use and maintenance.
“FedRAMP and CSA’s STAR are among the most used cloud certifications world-wide, however, because they are deployed separately and incompatible, cloud service providers (CSP) spend valuable resources in duplicating efforts to comply with both systems,” said Kate Lewin, Federal Director, Cloud Security Alliance.
“Complying with multiple systems is not only confusing, costly and ineffective, but acts as a barrier to market entry for smaller companies. That’s about to change with the development of FedSTAR. Now, CSPs will be able to earn two certifications with one audit, saving both time and money,” she added.
Cloud service providers are in desperate need of tools they can use to analyze and assess their security posture, as well as use to conduct continuous monitoring. FedSTAR will provide processes and methodologies that allow CSPs to stop replicating steps that are common between FedRAMP and STAR. This collaboration will demonstrate the effectiveness and efficiency of joint efforts with the U.S. Government and industry to reduce compliance burdens on private-sector companies.
CSA and the GSA have agreed to establish a working group to begin work on bridging the gaps. The group will engage independent, third-party assessor companies to conduct a gap analysis between STAR and FedRAMP controls.
Further, the working group will seek input from all stakeholders, including cloud service providers, the security community (CISOs, risk managers) and Federal government as it sets out to determine which processes and procedures from each system can be recognized and accepted by both, including the Independent Third-Party Assessors certification processes, documentation format, and standards for mutual acceptance. Individuals and organizations interested in participating in the working group are invited to contact Katie Lewin, Federal Director, CSA.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.
