In-House Risk Based Security Control Assessments (SCA) Process

This video is about implementing and managing technology security control assessments in large organizations primarily involved in federal and/or healthcare contracts, portions of which can be useful for organizations of any size that are faced with responsibility for their own risk or compliance regiments. Dr. Jerry Craig reviews a new process in which Security Controls Assessments (SCA) are managed and operated by in-house assessor teams—which allow the federal government to reduce engagement periods and costs; perform continuous monitoring and risk-based system vulnerabilities analysis; develop deeper knowledge into control families and individual controls; gain greater visibility into systems, perform and most importantly result in the ability to stand in a defensible position in the event of a data breach. The event occurred during the October 7th meeting of the Southwest CyberSec Forum at University of Advancing Technology in Tempe, AZ. Table of Contents: Introduction 0:11 Major Experience 1:28 Core Questions 3:00 What is an SCA? 4:23 What Do Restaurants & SCAs Have in Common? 5:42 What is Adaptive Capabilities Testing? 7:17 ACT Snapshot Analogy (Goal) 7:44 SCA/ACT Information Source Comparison 8:24 Failed Controls vs. Mapping Example 14:18 Alignment of Controls & Testing 17:49 Control Family Test Plans 18:32 Benefits of Aligned Test Plans 19:19 Funding Approaches 20:55 System of Record vs. Piecemeal 23:09 Conflict of Interest 24:50 Staffing for Success 25:42 Mowing the Lawn 31:05 DHS CDM Phases & Approach 32:46 Continuous Monitoring 33:51 Individual Control Family Deep Dives 36:38 Cost Savings 39:42 Bringing on Contractor Labor vs. In-House Labor (FTEs) 40:44 Lessons Learned 41:47 About Ventech Solutions 44:51 Our Core Strengths Key HIDS Program Achievements Full Security Suite