stackArmor has developed a simple and effective methodology for cybersecurity, vulnerability management and penetration testing that adapts from ISO 27001, FISMA,FFIEC and NIST standards for and is called A.R.MTM (Assess.Remediate.Monitor). The methodology and security controls assessed are drawn from NIST Special Publication 800-53 Rev 4, and additionally map to international ISO/IEC 27001/27002 standards to address administrative, physical, and technical security controls. stackArmor has developed a holistic security architecture and cloud operations framework that is based on real-world implementation experience with US Federal Agencies, Department of Defense, and large Financial and Security-focused Commercial organizations. To help organizations transition to a formal compliance framework, stackArmor has developed an easy to understand overlay called stackArmor A.R.MTM (Assess.Remediate.Monitor).
The Assessment phase begins with the creation of a risk model. The risk model identifies the risk factors (threats, vulnerabilities, impact, likelihood, and predisposing conditions) to be assessed and defines the relationships among them. A threat is any circumstance or event with the potential for adverse impact to operations, assets, or personnel. The source of a threat can be human, environmental, or a structural failure and may be intentional or accidental in nature. A vulnerability is a weakness in an information system, security procedure, internal control, or implementation that may be exploited by a threat source. A predisposing condition is a condition that exists within the organization, its business processes, enterprise architecture, or operating environment that affects the likelihood that initiated threat events result in an adverse impact. The likelihood of occurrence is a weighted risk factor based on the probability that a given threat is capable of exploiting a given vulnerability. The impact of a successful exploitation of a vulnerability or predisposed condition is a measure of the magnitude of harm that could be expected to the firm, its assets, or personnel. The assessment approach combines the measurable aspects of a traditional quantitative assessment with the flexibility of a qualitative assessment. This provides meaningful risk results that allow for prioritization. In order to provide improved rigor and effectiveness of risk analysis, a vulnerability-oriented analysis with an impact-oriented analysis to provide a more complete risk picture that identifies vulnerabilities in policy, process, and technology as well as critical assets and the impact of successful attacks against those assets. The Assessment phase includes a comprehensive review of policies, procedures, practices and tools currently deployed within the enterprise. The environment is scanned for detecting vulnerabilities using penetration testing and scanning tools that are NIST compliant and includes web applications and operating systems software for identifying patching levels.
Based on the findings of the Assessment, a remediation activity is conducted that is commensurate with the organization’s desired security posture. Typically, the remediation phase includes providing a Basic Security Policy that provides an initial baseline. As part of the remediation activity, a Security Assessment Report (SAR) is created that summarizes the scope, approach, high level findings and recommendations. Typically, organization create a Plan of Actions and Milestones (POAM) to implement the recommendations. Findings are categorized as High, Medium or Low. The general practice is to remediate all High’s and a significant number of the Medium’s. Once all remediation activity is concluded, Automated scans with basic parameters are executed to ensure that vulnerabilities have actually been addressed.
Given the dynamic nature of the hosting and software environment, it is critical to ensure that continuous operational activities for vulnerability management, continuous monitoring and executive management reviews are conducted on a periodic basis, preferably monthly but at least quarterly. An annual penetration and vulnerability test should be conducted to ensure a stable baseline.
Coupled with the right framework and governance methodology, it is critical to have a full-stack security architecture that covers and protects the entire stack including the environment, application, data and infrastructure. Each element of the architecture requires its own set of tools to protect from the threat vectors for that specific layer. Finally, in addition to the tools, relevant policies and procedures must be incorporated to provide a holistic cybersecurity solution. The diagram provides a high-level overview of the full-stack framework.
Are you interested in a Free consultation with a stackArmor Security Architect on how you can secure your cloud systems from vulnerabilities, meet HIPPA, FFIEC, FedRAMP or FISMA compliant requirements? We can help review your workload requirements, and also assist with your security and compliance needs. Schedule a a free consultation with a stackArmor DevOps Solutions Architect by sending us an email at solutions at stackarmor.com or fill our contact us form or call us at 888-964-1644.