MSA 2022 - Compliance ✅

Again this year the MacSysAdmin conference is held as a virtual conference from October 4-7, 2022.

Here you will find the links to all the videos of the daily sessions: https://docs.macsysadmin.se/2022/

My talk at this year’s edition is about Compliance Checks. In the following, you will find some resources that I refer to during the session.

• Find the video here: https://docs.macsysadmin.se/2022/video/day4session2.mp4
• See the slides here: https://docs.macsysadmin.se/2022/pdf/MSA22_HenryStamerjohann.pdf

To narrow down a broad topic like compliance, the talk’s objective is here focusing to perform checks to prove a compliant state on macOS devices when managing specific settings in a business or enterprise context. Checks are, of course, only one part of the compliance activities that organizations need to perform.

In short, it is crucial for compliance that the organization’s risk management approach is consistent with the predefined security measures and controls on how the confidentiality, integrity, and availability of (data) information is ensured. Compliance is only a subset of security. You can’t rely on compliance to take care of everything, just as you can’t expect that applying industry-leading frameworks and security standards by the book will automatically make you secure to protect your data.

Even if the session is about compliance and controls, be open and think beyond compliance. Of course, it is crucial, but, e.g., gearing all your activities toward implementing compliance controls will likely not solve your security problems. The essential element of the action to work on is team communication, training, and an open mindset to help keep your organization, users, and customers safe.

But now, back to some resources that may be useful on the way to reviewing the topics outlined in the session:

• NIST Cyber Security Framework

• CIS Critical Security Controls v8 - CIS_Controls_v8_Guide

• CIS Critical Security Controls v8 - Mapping to NIST CSF

• CIS Critical Security Controls v8 - Enterprise Assets and Software

• NIST macOS Security Framework

• MDO:YVR Threat Models Are Like Opinions, talk by Allister Banks

• Zentral for ~Observability~ ~Governance~ Compliance at AFP345

• CI/CD Pipeline example

• Terraform

• Zentral Terraform Provider

Essential Terminology #

• Governance - is the process of how an organization is managed; typically this includes all aspects of how decisions are made for that organization, e.g., policies, roles and procedures to make those decisions.
• Risk - the identification, classification and addressing of any risk associated with organizational activities.
• Compliance - ensuring that an organization is meeting compliance with all legal and regulatory requirements