Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

ITSG-33: Audit Details

by Cesar Navas
December 16, 2016

Organizations that must comply with Canadian regulatory controls need a consistent and structured way to meet compliance requirements. The Communications Security Establishment Canada (CSEC) developed a series of guidelines for security practitioners in managing information technology (IT) security risks for Government of Canada (GC) information systems. The ITSG-33, IT Security Risk Management: A Lifecycle Approach provides a comprehensive set of security controls that will be used to support a wide variety of business requirements. To support interoperability needs, the ITSG-33 guide is consistent with controls published in the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-53. The standard does not explicitly state how to validate these settings in a cohesive and straightforward interface. Analysts within an organization must ensure that the compliance standard is followed, but also ensure the organization is continually compliant.

This dashboard covers all the ITSG-33 families currently supported by Tenable audit files, which provide the results of an audit check as one of three severity levels. Analysts are able to see on a continual basis the status of the organization and the posture of being compliant with ITSG-33 controls. The ITSG-33 families and controls are not a checklist-type compliance standard like HIPAA, PCI, or CSF; rather, they are a catalog of controls that are used in achieving compliance with the aforementioned standards. Analysts are presented with concise information of the status of the checks such as an informational severity level is considered a pass. The pass is achieved when the configuration setting matches the expected result of the audit check. The match can be a defined value or a range of values. The “Nessus Compliance Checks” document, available in the Support Portal, contains details on how to edit the audit files. When an audit check fails, the severity is set to high, indicating that the collected result and the expected result do not match. A mismatch may not mean a failure. Each failure should be reviewed and verified to ensure the expected result is correct. If the expected result is not correct, then the audit file should be modified and the scan should be run again. Results assigned a medium severity must be evaluated by an analyst to determine whether the results are applicable or not.

The components in this dashboard use audit files (released after 1 July 2013), which incorporate the reference tag that maps many audit checks to a respective standard. In the case of this dashboard, the audit files must contain a string similar to 'ITSG-33|IA-5' on the reference line of the applicable audit check. Where multiple components are required, a number in parentheses will be displayed. Analysts can use this method to search with cross references in the “Analysis” feature in Tenable.sc to further research specific compliance plugins and see their results.

This dashboard is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, ARC, and assets. The dashboard can be easily located in the Tenable.sc Feed by selecting category Compliance & Configuration Assessment. The dashboard requirements are:

  • Tenable.sc 5.4.2
  • Nessus 8.5.1
  • NNM 5.9.0
  • LCE 6.0.0
  • Audit Files containing ITSG-33 references

Tenable's Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring solution, and assists in securing an organization’s internal network. Tenable.sc CV is continuously updated with information about advanced threats, zero-day vulnerabilities, and regulatory compliance framework such as ITSG-33. Active scanning periodically examines systems to detect vulnerabilities within operating systems, software applications, and hardware. Agent scanning enables scanning and detection of vulnerabilities on transient and isolated devices. Passive listening provides real-time discovery of vulnerabilities on operating systems, protocols, network services, wireless devices, web applications, and critical infrastructure. Host data and data from other security products is analyzed to monitor activity from patch management solutions and services. Tenable.sc CV provides an organization with the most comprehensive view of the network and the intelligence needed to fully understand the impact of vulnerabilities on the network.

The ITSG-33 controls within the components in this dashboard include:

  • Access Control (1): This component monitors the following ITSG-33 audit controls: AC-1, AC-2, AC-3, AC-4, AC-5, AC-6, AC-7, and AC-8
  • Access Control (2): This component monitors the following ITSG-33 audit controls: AC-9, AC-10, AC-11, AC-12, C-13, C-16, AC-17, and AC-18
  • Access Control (3): This component monitors the following ITSG-33 audit controls: AC-19, AC-20, AC-21, and AC-22
  • Audit and Accountability (1): This component monitors the following ITSG-33 audit controls: AU-1, AU-2, AU-3, AU-4, AU-5, AU-6, and AU-7
  • Audit and Accountability (2): This component monitors the following ITSG-33 audit controls: AU-8, AU-9, AU-11, AU-12, AU-13, and AU-14
  • Awareness and Training: This component monitors the following ITSG-33 audit control: AT-1
  • Configuration Management: This component monitors the following ITSG-33 audit controls: CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-8, CM-9, and CM-11
  • Contingency Planning: This component monitors the following ITSG-33 audit controls: CP-1, CP-2, CP-9, and CP-10
  • Identification and Authentication: This component monitors the following ITSG-33 audit controls: IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8 and IA-11
  • Incident Response: This component monitors the following ITSG-33 audit controls: IR-1, IR-5, and IR-6
  • Maintenance: This component monitors the following ITSG-33 audit controls: MA-1, MA-5, and MA-6
  • Media Protection: This component monitors the following ITSG-33 audit controls: MP-1, MP-2, MP-3, MP-4, MP-6, MP-7, and MP-8
  • Personnel Security: This component monitors the following ITSG-33 audit controls: PS-1, PS-4, PS-5, PS-6, and PS-7
  • Physical and Environmental Protection: This component monitors the following ITSG-33 audit controls: PE-1, PE-3, PE-5, PE-16 and PE-19
  • Planning: This component monitors the following ITSG-33 audit controls: PL-1, PL-2, PL-5, and PL-8
  • Program Management (1): This component monitors the following ITSG-33 audit controls: PM-1, PM-2, PM-4, PM-5, PM-6, and PM-7
  • Program Management (2): This component monitors the following ITSG-33 audit controls: PM-8, PM-9, PM-10, PM-11, and PM-14
  • Risk Assessment: This component monitors the following ITSG-33 audit controls: RA-1, RA-2, RA-3, and RA-5
  • Security Assessment and Authorization: This component monitors the following ITSG-33 audit controls: CA-1, CA-2, CA-3, CA-5, CA-6, and CA-7
  • System and Communications Protection Family (1): This component monitors the following ITSG-33 audit controls: SC-1, SC-2, SC-3, SC-4, SC-5, SC-7, SC-8, and SC-9
  • System and Communications Protection Family (2): This component monitors the following ITSG-33 audit controls: SC-10, SC-12, SC-13, SC-15, SC-16, SC-17, SC-18, and SC-20
  • System and Communications Protection Family (3): This component monitors the following ITSG-33 audit controls: SC-22, SC-23, SC-26, SC-28, and SC-39
  • System and Information Integrity (1): This component monitors the following ITSG-33 audit controls: SI-1, SI-2, SI-3, SI-4, SI-5, SI-6, and SI-7
  • System and Information Integrity (2): This component monitors the following ITSG-33 audit controls: SI-8, SI-9, SI-10, SI-11, and SI-12.
  • System and Services Acquisition: This component monitors the following ITSG-33 audit controls: SA-1, SA-4, SA-6, SA-7, SA-8, SA-10, SA-12, and SA-13
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.