www.acr2.org Click to edit Master subtitle style www.acr2solutions.com Company Overview, Products and Sample Reports January 2007
Dec 16, 2015
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Company Overview,Productsand SampleReports
January 2007
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Corporate Background
• Founded in Nov. 2006
- Headquartered in Lilburn, GA
- Sales and Marketing office in Buford, GA
• Unique compliance solution
- Addresses GLBA, HIPAA, FISMA and PCI markets
- Traceable and Compliant with NIST protocols
- Risk scores automatically updated using network data, new safeguards, Intrusion and Anti-virus data
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Introducing ….
ACR2Basic - Risk Assessment
Available in 2 versions January 2007:• ACR2Basic - Business Edition
reports encrypted and auditable• ACR2Basic - MSP Edition
reports headers can be modified
And in Q1 2007..• ACR2Basic - Enterprise Edition
For managing multiple locationsShips with 10 site licenses
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Automated Compliance Reporting
• Information Security involves reducing the risk of loss
or theft of protected information
• Perfect Information Security would require infinite resources
• Compliance involves providing enough security to meet the “standard of care”
• Compliance is perfectly possible – and required!
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Automated Compliance Reporting
• How does an organization determine a “reasonably foreseeable” risk?
• Or a “material change”?
• “reasonably foreseeable risks” under Federal law are defined by the
National Institutes of Standards and Technology (NIST)
• The NIST standards are freely available…
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
They are also complex and extensive
FIPS 140-2 SP 800-53 SP 800-37 SP 800-53A SP 800-73 SP 800-95FIPS 180-2 SP 800-20 SP 800-38A SP 800-54 SP 800-76-1 SP 800-96FIPS 186-2 SP 800-21-1 SP 800-38B SP 800-55 SP 800-77 SP 800-97FIPS 188 SP 800-22 SP 800-38C SP 800-56A SP 800-78 SP 800-98FIPS 190 SP 800-23 SP 800-38D SP 800-57 SP 800-79 SP 800-100FIPS 197 SP 800-24 SP 800-40 SP 800-58 SP 800-81 SP 800-101FIPS 198 SP 800-25 SP 800-41 SP 800-59 SP 800-82FIPS 199 SP 800-26 SP 800-42 SP 800-60 SP 800-83FIPS 200 SP 800-27 SP 800-43 SP 800-61 SP 800-84FIPS 201-1 SP 800-28 SP 800-44 SP 800-63 SP 800-85A
SP 800-12 SP 800-29 SP 800-45A SP 800-64 SP 800-85BSP 800-13 SP 800-30 SP 800-46 SP 800-65 SP 800-86SP 800-14 SP 800-31 SP 800-47 SP 800-66 SP 800-87SP 800-15 SP 800-32 SP 800-48 SP 800-67 SP 800-88SP 800-16 SP 800-33 SP 800-49 SP 800-68 SP 800-89SP 800-17 SP 800-34 SP 800-50 SP 800-69 SP 800-90SP 800-18 SP 800-35 SP 800-51 SP 800-70 SP 800-92SP 800-19 SP 800-36 SP 800-52 SP 800-72 SP 800-94
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Automated Compliance Reporting
• There is a better way.
• 79% of Americans use Turbo-Tax™ to deal with IRS regulations, which are long and complex
• ACR2 is a Turbo-Tax™ style simplification of the NIST protocols to deal with information security regulations, which are also long and complex
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Automated Compliance Reporting
• Risk Score - is determined by multiplying the probability of event by the impact of the event
• Risk Scores range from 1 to 100, with 50-100 High, 10-50 Medium and scores <10 considered Low.
• For risks labeled High, corrective action must be taken "as soon as possible" (NIST 800-30).
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Automated Compliance Reporting
• For Medium Risks, correction must be within a "reasonable amount of time", while Low risks may be merely observed.
• How do organizations achieve acceptably Low Risk?
• NIST definition of “Low Risk” means that “controls are in place to prevent…the vulnerability from being exercised”
•What controls are needed to achieve acceptably “Low Risk?”
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Recommended Security Controls for Federal Information Systems
Ron Ross, Stu Katzke, Arnold Johnson
Marianne Swanson, Gary Stoneburner, George Rogers, Annabelle Lee
Special Publication 800-53
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
NIST 800-53 includes citations of these additional protocols
FIPS 140-2 SP 800-53 SP 800-37 SP 800-53A SP 800-73 SP 800-95FIPS 180-2 SP 800-20 SP 800-38A SP 800-54 SP 800-76-1 SP 800-96FIPS 186-2 SP 800-21-1 SP 800-38B SP 800-55 SP 800-77 SP 800-97FIPS 188 SP 800-22 SP 800-38C SP 800-56A SP 800-78 SP 800-98FIPS 190 SP 800-23 SP 800-38D SP 800-57 SP 800-79 SP 800-100FIPS 197 SP 800-24 SP 800-40 SP 800-58 SP 800-81 SP 800-101FIPS 198 SP 800-25 SP 800-41 SP 800-59 SP 800-82FIPS 199 SP 800-26 SP 800-42 SP 800-60 SP 800-83FIPS 200 SP 800-27 SP 800-43 SP 800-61 SP 800-84FIPS 201-1 SP 800-28 SP 800-44 SP 800-63 SP 800-85A
SP 800-12 SP 800-29 SP 800-45A SP 800-64 SP 800-85BSP 800-13 SP 800-30 SP 800-46 SP 800-65 SP 800-86SP 800-14 SP 800-31 SP 800-47 SP 800-66 SP 800-87SP 800-15 SP 800-32 SP 800-48 SP 800-67 SP 800-88SP 800-16 SP 800-33 SP 800-49 SP 800-68 SP 800-89SP 800-17 SP 800-34 SP 800-50 SP 800-69 SP 800-90SP 800-18 SP 800-35 SP 800-51 SP 800-70 SP 800-92SP 800-19 SP 800-36 SP 800-52 SP 800-72 SP 800-94
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Automated Compliance Reporting
is Much Easier
• To Initiate the “Turbo-Tax™” approach to compliance, just browse to:
www.acr2solutions.com
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Using the ACR2 Basic Reports
The first three ACR2 reports are1. The Safeguards Status Report – a summary of
the current system status vs NIST standards2. The Automated Baseline Report – 30 threat
source/vulnerability pairs scored from 1-1003. The Risk Assessment Chart – same data as the
Baseline, scored as red/yellow/green
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Using the ACR2 Basic Reports - cont.
Detailed information on each safeguard is available from the NIST
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
Using the ACR2 Basic Reports - cont.
• the Deficiency Report lists the missing or underperforming safeguards relative to each risk.
• This allows creation of a remediation plan that addresses the high risk elements first, as required by the NIST protocols
• Each of the 30 risks is assessed separately
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
ACR 2 reduces over 90 NIST protocols to a simple “Turbo-Tax™” style question and
answer format. The ACR 2 reports can be updated on demand whenever new data
becomes available
www.acr2.orgClick to edit Master subtitle style
www.acr2solutions.com
One Compliance Option is to Read, Understand and Apply the NIST Protocols
FIPS 140-2 SP 800-18 SP 800-33 SP 800-47 SP 800-64 SP 800-84FIPS 180-2 SP 800-19 SP 800-34 SP 800-48 SP 800-65 SP 800-85AFIPS 186-2 SP 800-53 SP 800-35 SP 800-49 SP 800-66 SP 800-85BFIPS 188 SP 800-20 SP 800-36 SP 800-50 SP 800-67 SP 800-86FIPS 190 SP 800-21-1 SP 800-37 SP 800-51 SP 800-68 SP 800-87FIPS 197 SP 800-22 SP 800-38A SP 800-52 SP 800-69 SP 800-88FIPS 198 SP 800-23 SP 800-38B SP 800-53A SP 800-70 SP 800-89FIPS 199 SP 800-24 SP 800-38C SP 800-54 SP 800-72 SP 800-90FIPS 200 SP 800-25 SP 800-38D SP 800-55 SP 800-73 SP 800-92FIPS 201-1 SP 800-26 SP 800-40 SP 800-56A SP 800-76-1 SP 800-94
SP 800-12 SP 800-27 SP 800-41 SP 800-57 SP 800-77 SP 800-95SP 800-13 SP 800-28 SP 800-42 SP 800-58 SP 800-78 SP 800-96SP 800-14 SP 800-29 SP 800-43 SP 800-59 SP 800-79 SP 800-97SP 800-15 SP 800-30 SP 800-44 SP 800-60 SP 800-81 SP 800-98SP 800-16 SP 800-31 SP 800-45A SP 800-61 SP 800-82 SP 800-100SP 800-17 SP 800-32 SP 800-46 SP 800-63 SP 800-83 SP 800-101