RMF steps (cover diagram): Categorize, Select, Implement, Assess, Authorize, Monitor


Module 1: Risk Management Framework (RMF)

Introduction

RMF Introduction
• Primarily for Federal Government
• Recommended for state, local, and tribal governments
• Easily adapted for private sector or non-profit
• Background
• A Risk Based Approach
• What is Certification and Accreditation
• What is the NIST Risk Management Framework
• What is Authorization
• Systems Security Approach
• Benefits
• External Drivers

History
• There is an obligation for each agency (or organization) to properly secure information.
• Computer Security Act 1987
  • OMB A-130 Appendix III implemented the act
• National Computer Security Center (NCSC)
  • NCSC-TG-029 Introduction to Certification and Accreditation by NSA in 1994
• DoD, DITSCAP
• NSA, NIACAP in 2000
• FISMA made law for Public Agencies
  • Federal Information Security Management Act 2002 (FISMA)
  • NIST created standards and guidelines for implementation
• DoD, DIACAP
  • DoD Instruction 8510.01 in 2007
• Coming soon: Department of Defense Information Assurance Risk Management Framework (DIARMF)

Standards and Guidelines
• Public Law
  • Compulsory and binding
• Federal Information Processing Standards (FIPS)
  • Compulsory and binding
  • High level objectives
• NIST Special Publications (SP)
  • OMB requires federal agencies to follow certain SPs
  • Lower level, more specific objectives
  • Some flexibility in how agencies apply guidance
• NISTIR and ITL are mandatory only when specified by OMB
• OMB policies, directives and memoranda
• DoD and CNSS Instructions

What is FISMA?
• E-Government Act (Public Law 107-347) passed and signed into law in December 2002
• Title III of the E-Government Act, Federal Information Security Management Act (FISMA) (44 USC § 351)
• Required for all government agencies
  • To develop, document, and implement an agency-wide information security program
  • To provide information security for the information and systems that support the operations and assets of the agency
• Applies to contractors and other sources

A Risk Based Approach
• Emphasize a risk-based policy for cost-effective security
  • FISMA
  • The Paperwork Reduction Act of 1995
  • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)
• Supported by Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources
• OMB defines adequate security as security commensurate with risk, taking into account the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.

FISMA Goals
• Secure Federal Government Systems
• Understand Risk to the Mission at the organization-wide level
• Consistent
• Comparable
• Repeatable
• Complete
• Reliable
• Trustworthy

RMF a Common Foundation
• Collaboration
  • National Institute of Standards and Technology (NIST)
  • Office of the Director of National Intelligence (ODNI)
  • Department of Defense (DoD)
  • Committee on National Security Systems (CNSS)
  • Public (review and vetting)
• Common Foundation
  • Uniform and consistent risk management
  • Strong basis for reciprocal acceptance
  • Defense, Intelligence and Civil sectors
  • State, local and tribal governments
  • As well as contractors and private organizations

NIST's role
• To develop and publish the standards and guidelines
• Work with interest groups
• Update the standards and guidelines
• http://csrc.nist.gov/

Risk Management Framework (RMF)

Categorize

Select

Implement

Assess

Authorize

Monitor

Certification and Accreditation

“Certification and accreditation is the methodology used to ensure that security controls are established for an information system, that these controls are functioning appropriately, and that management has authorized the operation of the system in its current security posture.” - Official (ISC)2 Guide to the CAP CBK (1st ed.)

Information Assurance

Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. - CNSS Instruction No. 4009

Changes
• Recent changes transform the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF)
• Revised process emphasizes
  • Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
  • Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
  • Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems

Term Transition
• Certification → Assessment
• Accreditation → Authorization

Assessment (Certification)
• Detailed security review of an information system
• Comprehensive assessment of:
  • Management security controls
  • Operational security controls
  • Technical security controls
• To determine the extent to which the controls are
  • Implemented correctly
  • Operating as intended
  • Producing the desired outcome
• Providing the factual basis for an authorizing official to render a security accreditation decision

Authorization (Accreditation)
• Authorization is the official management decision to operate
• Given by a senior agency official (management)
• The official should have the authority to oversee the budget and business operations of the information system
• Explicitly accepts the risk to
  • Operations
  • Assets
  • Individuals
• Accepts responsibility for the security of the system
• Fully accountable for the security of the system

Authorization

“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”- NIST SP 800-37 rev 1

Multi-tiered Approach (figure): Program Level and System Level

System Security Approach
• Security not at the application, device, data or user level
• Security that encompasses a system made up of applications, devices, data and users
• Easier and more cost effective to define ‘systems’ with boundaries and perimeters
• Implement controls based upon the system and not the entire enterprise

Benefits
• Information security visibility
• Management involvement
• Management due diligence
• Integrate security
• Consistent implementation
• Common goal
• Ensure minimum security
• Ensure proper controls in place
• Ensure risk-based controls
• Efficient use of resources and funds

Discussion
Why are Agencies riddled with security holes?

Source: <http://www.fcw.com/Articles/2009/07/17/Web-GAO-FISMA-info-security.aspx>

External Drivers
• Security Incidents
• Financial scandals
• Terrorist attacks
• Natural disasters
• Sarbanes-Oxley
• Health Insurance Portability and Accountability Act
• Gramm-Leach-Bliley Act
• Clinger-Cohen
• FISMA
• PCI

Example of external drivers

http://gcn.com/articles/2011/07/06/cyber-attacks-take-2-energy-labs-offline.aspx

Review

What is the official management decision to operate?

A. Certification
B. Authorization
C. Risk Assessment
D. Responsibility

Review

What is a comprehensive assessment of management, operational, and technical security controls?

A. Certification
B. Accreditation
C. Risk Assessment
D. Authorization


Module 2: Building a Successful RMF Program

The Business Case
• What is the benefit to the organization?
  • Due diligence
  • Accountability
  • Implementation of risk management
  • Visibility of risk
  • Cost-effectiveness
• A strong business case will help enlist support
• The RMF program will help them meet their organizational needs, reach their goals and accomplish their mission
• Security and RMF are business enablers

RMF Goal Setting
• Typical project management
• Goals must be:
  • Realistic
  • Comprehensive
  • Integrated
  • Achievable
  • Effective
  • Supported
  • Enduring
• The organization's management, culture, personality and security posture all play a part.

Establishing program tasks and milestones
• Typical project management
• Project management is the discipline of planning, organizing and managing resources to bring about the successful completion of specific project goals and objectives.
• A project is made up of multiple stages, tasks and milestones.
• A milestone is the end of a stage that marks the completion of a work phase
• A task is an activity that needs to be accomplished within a defined period of time

Overseeing Program Execution
• Constant measurement, metrics
• Ensure program requirements are being met
• Tracking process
• Need to have some way to enforce project management and include escalation
• A security oversight committee can provide oversight to the C&A program

Maintaining Program Visibility
• Need consistent management support
• Without management support people will not fulfill their obligations to the project
• Without management support you will not have access to needed resources and funding
• The Chief Information Security Officer (CISO) can keep the program visible by giving regular updates to C-level management

Resources
• What types of resources might the project need?
  • Funds, money, budget
  • People, man-hours
  • Processes
  • Technology
  • Outside expertise
  • Training
  • Automated tools
• Use realistic requirements

Developing Guidance
• Document what the program is
• Document how you plan to implement
• Sample Documents
  • Policies
  • Standards
  • Guidelines
  • Procedures
• Should meet organizational business needs
• Describe the process
• Precise, clear and brief

Sample RMF (C & A) Policy

Reference: http://www.tess-llc.com/Certification%20&%20Accreditation%20PolicyV4.pdf

RMF Guidance Development Life Cycle

Life-cycle for the development of the documentation for the RMF process (figure; four phases with their activities):
• Development
  • Creation
  • Review
  • Approval
• Implementation
  • Communication
  • Compliance
  • Exceptions
• Maintenance
  • Awareness
  • Monitoring
  • Enforcement
  • Maintenance
• Disposal
  • Retirement

Guidance Caution
• Too many rules limit the latitude and innovation that may be needed at lower levels
• Long, cumbersome guidance documents will be ignored
• Limits agility
• Should be easy to access
  • Intranet site
  • System administrators need to use it regularly

Program Integration
• Security needs to be baked into the organization
• C & A program should integrate with other organizational programs, processes and activities
• For example
  • Integrate with human resources for background checks
  • Guard service for physical security
  • Accounting for procurement and budget

Establishing RMF Points of Contact
• Chief Information Security Officer (CISO) is directly responsible.
• Other key players
  • System Owners
  • C & A Workgroup
  • Security Steering Committee
  • IT administrators
• Key areas of knowledge for Organizations
  • Operations
  • Hierarchy
  • Management
  • Strategies
  • Initiative

Measuring Progress
• Need to have a method for measuring progress and effectiveness.
• Dashboard for an overall status and where additional resources are needed.
• Scope
  • Tasks
  • Type and number of systems
  • Risk
  • Sensitivity & Criticality
• Time
  • Effort
  • Improvements
• Budget
  • Cost

Tracking Program Activities
• Keep your eyes on the road
• Know where you are
• Determine potential hazards (Problem forecasting)
• Determine outside influences (Track external projects)
• Keep people informed (Reporting)
• Know what you have (Resource monitoring)

Tracking and Monitoring Compliance
• How do you hit a moving target?
• Maintenance Phase (keep your guard up)
  • Updates and maintenance (systems and documentation)
• Plan of Actions and Milestones (POA&M)
  • Open items that need to be addressed (mitigation)
• Recertification Triggers or Reassessment Risk
  • New Vulnerabilities
  • New Risks
  • Environment changes
  • Control failure
  • Audit findings

Providing Advice & Assistance
• Need to strive for a consistent approach within the program
• Multiple systems and system owners (Enterprise wide)
• Maintain flexibility for individual systems
• Seek advice of professionals
• Take suggestions
• Document understandings

Responding to Change
• Need a process to know when a change has been made that will affect the risk of a system
• Is the change a material change?
  • Significant changes modify the risk to the system
• Recertification Triggers or Reassessment Risk
  • New Vulnerabilities (major ones, possibly; minor ones are handled by patch management)
  • New Risks (brought about by changes)
  • Environment changes (Application or OS change)
  • Control failure (Controls not working as intended)
  • Audit findings (Missing controls)

Program Awareness, Training and Education
• In order to maintain the RMF program
  • Constant reminders – awareness
  • Training – program training – depending on role
  • Education – security and RMF related continuing education
• Possible to integrate with other training and awareness programs within the organization
• Track training

Use of Expert Systems
• Automated tools
• Tracking systems
• RMF document management systems
• Audit log management
• Dashboards
• Intrusion Prevention Systems
• Etc.

Waivers and Exceptions to Policy
• There needs to be a process to handle exceptions
  • How will you consider waivers?
  • Who makes the decision?
  • Can the decision be made in a timely fashion?
  • How will the decision be documented?
  • Does the system owner accept the risk?
• RMF is not supposed to be a paper exercise.
• RMF is based on risk!
• RMF helps the organization meet its goals.
• Waivers should be based on business need.

Summary
• Business Case
• Setting up the program
• Establishing tasks, milestones and goals
• Resources
• Program Integration
• Program Phases
• Points of contact
• Measuring results
• Tracking progress
• Education, training and awareness
• Exceptions and waivers

Class Discussion
• What are some of the tools you use or would use to help your organization have an effective RMF program?
• Should all agencies use the same processes and tools to implement a RMF program?
• What would you say to a manager who thinks RMF is a waste of time and money?
• You are responsible for the RMF program for your organization. What things would you do to ensure the program was successful?

Module 3: Risk Management Framework

Roles & Responsibilities

RMF Roles and Responsibilities

Roles and Responsibilities
• Head of Agency or CEO
• Risk Executive (function)
• Chief Information Officer (CIO)
• Chief Information Security Officer (CISO)
• Information Owner/Custodian
• Information System Owner (System Owner)
• Information Systems Security Officer (ISSO)
• Security Control Assessor (Certifying Agent)
• Authorizing Official (AO) / Approving Authority (AA)
• Common Control Provider
• Approving Authority Designated Representative

Roles and Responsibilities (cont.)
• Auditor
• System Administrator/Manager
• Business Unit Manager
• Project Manager
• Risk Analyst
• Facility Manager
• Executive Management
• Authorization Advocate
• User Representative
• Information Security Architect
• Information Systems Security Engineer

Head of Agency
• Head of Agency or Chief Executive Officer (CEO)
• Highest level senior official or executive
• Overall responsibility to provide information security
• Ensure security is commensurate with risk to organization
• Responsible for security of 3rd party use or operation of systems
• Responsible to ensure security is integrated into strategic and operational planning
• Responsible to ensure personnel are trained sufficiently
• Establish appropriate accountability and commitment to create a climate that promotes due diligence

Risk Executive Function
• Looks at risk from the program level
• Organization-wide perspective
• Overall strategic goals and objectives
• Risk to the organization's mission
• Creates a consistent risk management approach (organization-wide)
• Addresses the organization's risk tolerance (risk appetite)
• Provides oversight
• Provides sharing of risk related information

Chief Information Officer (CIO)
• Overall responsibility for organization's security
• Delegates authority to SISO
• Provision resources
• Provide oversight
• Maintain visibility
• Develop and maintain policies
• Assists executive level officials concerning security responsibilities
• CIO and AO allocate appropriate resources to the system
• Government employee only

“The Chief Information Officer, with the support of the senior agency information security officer, works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities.” - NIST SP 800-37

Senior Information Security Officer (SISO)
• AKA: Senior Agency Information Security Officer (SAISO), Chief Information Security Officer (CISO)
• Senior manager in charge of Information Security
• Accountable for most aspects of security within an organization
• Liaison between CIO and other roles
• Security is primary duty
• Head of the RMF program within the organization
  • Establish the program
  • Enforce the program
• Responsible for the success of a RMF program
• Government employee only
• May serve as AO Designated Representative or security control assessor

Information Owner / Steward
• Agency official with statutory management or operational authority for specific information
• Establish rules of behavior for that information
• Establish policies and procedures for
  • Generation
  • Collection
  • Processing
  • Dissemination
  • Disposal
  • Retention
• Provide input to information system owners on protection requirements

Authorizing Official (AO)
• Also Known As: Designated Approving Authority (DAA or DAO)
• Senior management
• Formally accepts responsibility for operating an information system and accepts residual risk to the system
• Must be a Government Employee
• May have a designated representative that can do everything but sign or decide Accreditation
• Typically have budgetary oversight
• Responsible for the mission and/or business operations supported by the system
• Accountable for security of system
• A system may have multiple AOs

“A senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.” - NIST SP 800-37

Authorizing Official Designated Representative
• Acts on behalf of an Authorizing Official
• Handles day to day activities
• Can be empowered for certain decisions
  • Approve system security plans
  • Approve monitoring
  • Implement Plan of Action and Milestones (POA&M)
  • Complete authorization package
• The only thing the designated representative cannot do is make the authorization decision and sign the authorization document

Information System Owner
• Also Known As: System Owner or IT Manager
• Coordinate with information owner on user access
• Primary responsibility for the system
• Full lifecycle of the system
• Often it is the IT department
• Ensuring compliance with policies

“Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.” - (NIST SP 800-37)

System Administrator (SA)
• In charge of the day-to-day operation and administration
• Implements technical and operational controls
• IT administrators
• Separation of duties from ISSO
• Implement hardware changes
• Implement software changes
• Backups
• Monitoring
• Maintenance

“Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.” - CNSS Instruction No. 4009

Information Systems Security Officer (ISSO)
• Principal advisor to the AO
• Serves as an agent to the information system owner
• Monitors day to day security on the system
• Coordinates with physical security, personnel security, incident handling and security awareness
• May not actually touch the system
• Close collaboration with Information system owner
• Assess security impact of changes to the system

“The information system security officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.” - NIST SP 800-37

Auditor
• Provides independent (unbiased) assessment
• Assess controls
• Assess program
• Ensures documentation is adequate
• Weaknesses identified
• Corrective actions specified
• Example:
  • Security Control Assessor
  • Inspector General

Inspector General (IG)
• Program level audit
• Ensure compliance with FISMA and other government policies
• Provides independent (unbiased) assessment of the RMF program
• Looks at individual program components
• Ensures documentation is adequate
• Weaknesses identified
• Corrective actions specified
• IG findings may get press

Security Control Assessor
• AKA: Certification Agent or Certifying Agent
• Independent authority
• Impartial and unbiased (separation of duties)
• Measures effectiveness and completeness of controls at the system level
• Level of independence based upon risk to system

“The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.” - NIST SP 800-37

Other Roles
• Common Control Provider
  • Individual or group responsible for the development, implementation, monitoring and assessment of common controls
  • Agency-wide, center-wide, campus-wide, building-wide
• Information Security Architect
  • Ensures security has been adequately addressed in all aspects of enterprise architecture
• Information Systems Security Engineer
  • Ensures security requirements are effectively integrated into information technology

IT Security Program Steering Committee
• Provides high-level oversight
• Provides direction
• Indirect supervision
• Advisory group to the program
• Does not exercise authority

Business Unit Manager
• Responsible for the mission and/or business operations
• Often function as information owner or AO
• Might be a higher level manager or director
• Disseminate security information to subordinates
• Report security incidents to higher management
• Respond to security incidents
• Determine resources
• Set priorities

Project Manager
• May work for the system owner for complex system security plans
• May aid the CIO or CISO in the overall program implementation

Facility Manager
• Responsible for physical security
• Responsible for environmental controls

Executive Management
• Crucial Role
• Establish Policy
• Enforce Policy
• Allocate Resources
• Maintain visibility of program

User Representative
• Represents a user group or community
• Looks out for the interests of users

“The person that defines the system's operational and functional requirements, and who is responsible for ensuring that user operational interests are met throughout the systems authorization process.”

DoD Specific Roles
• Information Assurance Manager
  • Individual responsible for the information assurance of a program, organization, system, or enclave.
  • AKA: Information Systems Security Manager (ISSM)
• Information Assurance Officer
  • Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program.
  • AKA: Information Systems Security Officer (ISSO)

CIRT
• Computer Incident Response Team
• Group of individuals usually consisting of Security Analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents.
• AKA
  • Cyber Incident Response Team (CIRT)
  • Computer Security Incident Response Team (CSIRT)
  • Computer Incident Response Center (CIRC)
  • Computer Incident Response Capability (CIRC)

Delegation of Roles

“At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and authorizing official. The Chief Information Officer and authorizing official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles.” - NIST SP 800-37

Support Hierarchy (organization chart; figure not reproduced)

Labels on the chart: Mission; Head of Agency (CEO); Risk Executive Function; AO; tiers Program Level, Middle Tier and System Level; columns Business Unit, IT, Security and Audit; Independence; roles IG, IA, SCA, SISO, ISSM, ISSO, CIO, SO, SA, BUM, IO, EU, SO, D.

DoD and NIST role mapping (DoDI 8510.01 & 8500.2 vs. SP 800-37 Rev 1)

DoDI 8510.01 & 8500.2 → SP 800-37 Rev 1
• Head of DoD Components → Head of Agency (CEO)
• Principal Accrediting Authority (PAA) → Risk Executive Function and/or Approving Authority (AA)
• Senior Information Assurance Officer (SIAO) → Senior Information Security Officer (SISO)
• Designated Accrediting Authority (DAA) → Approving Authority (AA)
• Systems Manager → Common Control Provider and/or Systems Owner
• Program Manager → Common Control Provider and/or System Owner
• Information Assurance Manager (IAM) → ISSO and/or SISO
• Information Assurance Officer (IAO) → Information Systems Security Officer (ISSO)
• Certification Agent → Security Control Assessor

Discussion: Who is best suited for the role of Authorizing Official?

Documenting roles and responsibilities
• Document contact information for each role
• In other documents, refer to the roles, not the person
• Letters of appointment
• May create contact database

Sample System Security Plan from Centers for Disease Control and Prevention

Job descriptions
• Describe responsibilities
• Don't forget the C & A responsibilities
• Outline expectations of performance
• Used for accountability

Position sensitivity designations
• Some key roles should be designated highly sensitive
  • People who know security of the system
  • People who know the controls
  • People with knowledge of the security posture
• Need trustworthy people
• Avoid frequent turnover

Personnel transitions
• Make sure individuals have adequate replacements before they leave, if possible
• Overlapping, smooth transition
• Acclimatize the individual with the C & A process and organizational specifics
• Make sure they understand their new roles and responsibilities

Time requirements
• RMF duties do not require full time, unless you dedicate the tasks
• Collateral duties to normal ones
• Dedicated employee helps with consistency
• Size of the organization
• Number of systems

Expertise requirements
• Skills and abilities
• Project management
• System development life-cycle
• Technical controls
• Operational controls
• IT terminology
• Security terminology
• Clear background
• Administrative skills – technical writing skills
• Certifications like CAP, CISSP, CISA, CISM

Using contractors
• Want to have stability in the following positions, thus employees are preferred
  • CIO, CISO
  • System Owner
  • AO
  • ISSO
• Need for independence, so contractors are often used for the certifying agent
• Contractors can make for effective partners
• Need to have background checks, statements of work, contracts and timetables

Routine duties
• Scheduling
• Reporting
• Providing advice
• Meetings
• Quality control
• Monitor compliance
• Intermediary
• Offer solutions
• Educate and train
• Systems development
• Explain technical issues to non-technical management

Organizational skills
• Well organized
• Proficient in RMF and C & A
• Project management skills
  • Scheduling
  • Task lists
  • Meeting notes
  • Manage email

Certifications (figure not reproduced)

Certifications named on the chart: CISSP, CISM, CISSP-ISSMP, CAP, CISA, GSNA, SSCP, CASP, Security+, CISSP-ISSEP/ISSAP, CSSLP. Chart categories: Management / Risk; Audit; Software Dev; Network / Communications.

(ISC)2 Certifications
• (ISC)2: International Information Systems Security Certification Consortium, Inc.
• Website: www.isc2.org
• Certifications
  • Associate of (ISC)²
  • SSCP: Systems Security Certified Practitioner
  • CAP: Certified Authorization Professional
  • CSSLP: Certified Secure Software Lifecycle Professional
  • CISSP: Certified Information Systems Security Professional
  • CISSP Concentrations: ISSEP, ISSAP, ISSMP
• Professional Certification: (ISC)2 certifications require ongoing continuing education to maintain certification.

ISACA Certifications
• Information Systems and Control Association (ISACA)
• Certifications
  • CISA: Certified Information Systems Auditor
  • CISM: Certified Information Systems Manager
  • CGEIT: Certified in the Governance of Enterprise IT
  • CRISC: Certified in Risk and Information Systems Control
• Website: www.isaca.org
• Professional Certification: ISACA certifications require ongoing continuing education to maintain certification.

CompTIA Certifications
• Website: www.comptia.org
• Certifications
  • A+ - Computer Support Technician
  • Network+ - Network Support Technician
  • Security+ - Entry level security certification
  • CASP - CompTIA Advanced Security Practitioner
  • RFID+ - RFID professionals
  • CTT+ - Certified Technical Trainer
  • Project+ - IT Project Management
  • Others: Server+, Linux+, CTP+, CDIA+, PDI+

SANS Institute Certifications
• Website: www.giac.org
• GIAC (Global Information Assurance Certification) certifications
  • GSNA (GIAC Systems and Network Auditor)
  • G7799 (GIAC Certified ISO-17799 Specialist)
  • GCFE (GIAC Certified Forensics Examiner)
  • GCFA (GIAC Certified Forensic Analyst)
  • GREM (GIAC Reverse Engineering Malware)
  • GLEG (GIAC Legal Issues)
  • GISP (GIAC Information Security Professional)
  • GCPM (GIAC Certified Project Manager Certification)
  • GISF (GIAC Information Security Fundamentals)

SANS Institute Certifications (cont.)
• Website: www.giac.org
• GIAC (Global Information Assurance Certification) certifications
  • GSEC (GIAC Security Essentials Certification)
  • GWAPT (GIAC Web Application Penetration Tester)
  • GCED (Certified Enterprise Defender)
  • GCFW (GIAC Certified Firewall Analyst)
  • GCIA (GIAC Certified Intrusion Analyst)
  • GCIH (GIAC Certified Incident Handler)
  • GCWN (GIAC Certified Windows Security Administrator)
  • GCUX (GIAC Certified UNIX Security Administrator)
  • GPEN (GIAC Certified Penetration Tester)
  • GAWN (GIAC Assessing Wireless Networks)

SCP Certifications
• Security Certified Program (SCP)
• Website: www.securitycertified.net
• Certifications:
  • SCNS - Security Certified Network Specialist
  • SCNP - Security Certified Network Professional
  • SCNA - Security Certified Network Architect

Inspector General Institute
• Association of Inspectors General
• Website: http://inspectorsgeneral.org
• Certifications:
  • Certified Inspector General (CIG)
  • Certified Inspector General Auditor (CIGA)
  • Certified Inspector General Investigator (CIGI)
• Is recognized by the National Association of State Boards of Accountancy (NASBA)

DoDD 8570
• All IA (Information Assurance) jobs will require certification.

DoDD 8570 (cont.)

Level → Qualifying Certifications
• CND Analyst → GCIA, CEH
• CND Infrastructure Support → SSCP, CEH
• CND Incident Responder → GCIH, GSIH, CEH
• CND Auditor → CISA, CEH, GSNA
• CN-SP Manager → CISM, CISSP-ISSEP

Organizational placement of the RMF function
• Where will it be most effective?
• It should reach the highest and lowest parts of the organizational chart
• As wide as the enterprise
• The CISO may work for the CIO or the COO (whistle-blower consideration)

Key Agencies & Organizations
• Office of Management and Budget (OMB)
• Department of Homeland Security (DHS)
• National Institute of Standards and Technology (NIST)
• Office of the Director of National Intelligence (ODNI)
• Department of Defense (DoD)
• Defense Information Systems Agency (DISA)
• Committee on National Security Systems (CNSS)
• National Security Council (NSC)
• National Security Telecommunication and Information Systems Security Committee (NSTISSC)
• U.S. Government Accountability Office (GAO)
• Office of the Inspector General (OIG)
• CIO.gov

Department of Homeland Security (DHS)
• Oversees critical infrastructure protection
• Operates the United States Computer Emergency Readiness Team (US-CERT)
• Oversees implementation of the Trusted Internet Connection initiative
• Has primary responsibility within the executive branch for the operational aspects of Federal agency cybersecurity (FISMA)
• Subject to general OMB oversight

DHS FISMA Activities
Overseeing:
• the government-wide and agency-specific implementation of and reporting on cybersecurity policies and guidance
• government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity
• the agencies’ compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report
• the agencies’ cybersecurity operations and incident response and providing appropriate assistance
• annually reviewing the agencies’ cybersecurity programs

Office of Management and Budget (OMB)
• Leads the interagency process for cybersecurity strategy and policy development (Cybersecurity Coordinator)
• Responsible for the submission of the annual FISMA report to Congress
• Responsible for the development and approval of the cybersecurity portions of the President’s Budget
• Provides oversight

Cyber Command Mission
USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks; and prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.

CNSS
• The Committee on National Security Systems
• Been in existence since 1953
• Formerly named the National Security Telecommunications and Information Systems Security Committee (NSTISSC)
• Establishes requirements pertaining to National Security Systems
“The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.”

Summary People are the most important part of the process

The right people make the program

Class Discussion: Roles & Responsibility
• What are some of the biggest challenges within your current role?
• How would you respond to a BUM, information owner or AO who says RMF is an IT issue and that he/she does not need to be involved?
• If staffing is an issue, what roles would you combine? Which roles would you not combine?
• In order to have a successful RMF program you have been tasked to make an education system for your organization. What are some key features you would include?
• Why are certifications important for staff with roles and responsibilities in the RMF?

Module 4: Planning for Security

“You got to be careful if you don’t know where you’re going, because you might not get there.” -- Yogi Berra

Learning Objectives
Upon completion of this module, you should be able to:
• Recognize the importance of planning and describe the principal components of organizational planning
• Know and understand the principal components of information security system implementation planning as it functions within the organizational planning scheme

Introduction
• Successful organizations utilize planning
• Planning involves:
  • Employees
  • Management
  • Stockholders
  • Other outside stakeholders
  • Physical environment
  • Political and legal environment
  • Competitive environment
  • Technological environment

Introduction (Continued)
• Strategic planning includes:
  • Vision statement
  • Mission statement
  • Strategy
  • Coordinated plans for sub units
• Knowing how the general organizational planning process works helps in the information security planning process

Introduction (Continued)
• Planning:
  • Is creating action steps toward goals, and then controlling them
  • Provides direction for the organization’s future
• Top-down method: the organization’s leaders choose the direction
• Planning begins with the general and ends with the specific

Figure 1: Information Security Planning

Components Of Organizational Planning: The Mission Statement
• Mission statement:
  • Declares the business of the organization and its intended areas of operations
  • Explains what the organization does and for whom
• Example: Random Widget Works, Inc. designs and manufactures quality widgets, associated equipment and supplies for use in modern business environments

Components Of Organizational Planning: Vision Statement
• Vision statement:
  • Expresses what the organization wants to become
  • Should be ambitious
• Example: Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use

Components Of Organizational Planning: Values
• By establishing organizational principles in a values statement, an organization makes its conduct standards clear
• Example: RWW values commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments.
• The mission, vision, and values statements together provide the foundation for planning

Components Of Organizational Planning: Strategy
• Strategy is the basis for long-term direction
• Strategic planning:
  • Guides organizational efforts
  • Focuses resources on clearly defined goals
• “… strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organization is, what it does, and why it does it, with a focus on the future.”

Planning for the Organization
• The organization:
  • Develops a general strategy
  • Creates specific strategic plans for major divisions
• Each level of division translates those objectives into more specific objectives for the level below
• In order to execute this broad strategy, executives must define individual managerial responsibilities

Strategic Planning
• Strategic goals are then translated into tasks with specific, measurable, achievable, reasonably high and time-bound objectives (SMART)
• Strategic planning then begins a transformation from general to specific objectives

Planning Levels
• Tactical Planning
  • Shorter focus than strategic planning
  • Usually one to three years
  • Breaks applicable strategic goals into a series of incremental objectives

Planning Levels (Continued)
• Operational Planning
  • Used by managers and employees to organize the ongoing, day-to-day performance of tasks
  • Includes clearly identified coordination activities across department boundaries such as:
    • Communications requirements
    • Weekly meetings
    • Summaries
    • Progress reports

Typical Strategic Plan Elements
• Introduction by senior executive
• Executive Summary
• Mission Statement and Vision Statement
• Organizational Profile and History
• Strategic Issues and Core Values
• Program Goals and Objectives
• Management/Operations Goals and Objectives
• Appendices (optional): strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets, etc.

Tips For Planning
• Create a compelling vision statement that frames the evolving plan, and acts as a magnet for people who want to make a difference
• Embrace the use of a balanced scorecard approach
• Deploy a draft high-level plan early, and ask for input from stakeholders in the organization
• Make the evolving plan visible

Tips For Planning (Continued)
• Make the process invigorating for everyone
• Be persistent
• Make the process continuous
• Provide meaning
• Be yourself
• Lighten up and have some fun

Planning For Information Security Implementation
• The CIO and CISO play important roles in translating overall strategic planning into tactical and operational information security plans
• The CISO plays a more active role in the development of the planning details than does the CIO

The Systems Development Life Cycle (SDLC)
• SDLC: methodology for the design and implementation of an information system
• SDLC-based projects may be initiated by events or planned
• At the end of each phase, a review occurs in which reviewers determine if the project should be continued, discontinued, outsourced, or postponed

Figure 2-8: Feasibility

Figure 2-9: Phases of an SDLC

Investigation
• Identifies the problem to be solved
• Begins with the objectives, constraints, and scope of the project
• A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate costs for those benefits

Analysis
• Begins with information from the Investigation phase
• Assesses the organization’s readiness, its current systems status, and its capability to implement and then support the proposed system(s)
• Analysts determine what the new system is expected to do, and how it will interact with existing systems

Logical Design
• Information obtained from the analysis phase is used to create a proposed solution for the problem
• A system and/or application is selected based on the business need
• The logical design is the implementation-independent blueprint for the desired solution

Physical Design
• During the physical design phase, the team selects specific technologies
• The selected components are evaluated further as a make-or-buy decision
• A final design is chosen that optimally integrates required components

Implementation
• Develop any software that is not purchased, and create integration capability
• Customized elements are tested and documented
• Users are trained and supporting documentation is created
• Once all components have been tested individually, they are installed and tested as a whole

Maintenance
• Tasks necessary to support and modify the system for the remainder of its useful life
• The system is tested periodically for compliance with specifications
• Feasibility of continuance versus discontinuance is evaluated
• Upgrades, updates, and patches are managed
• When the current system can no longer support the mission of the organization, it is terminated and a new systems development project is undertaken

The Security Systems Development Life Cycle (SecSDLC)
• May differ in several specifics, but the overall methodology is similar to the SDLC
• The SecSDLC process involves:
  • Identification of specific threats and the risks that they represent
  • Subsequent design and implementation of specific controls to counter those threats and assist in the management of the risk those threats pose to the organization

Investigation in the SecSDLC
• Often begins as a directive from management specifying the process, outcomes, and goals of the project and its budget
• Frequently begins with the affirmation or creation of security policies
• Teams are assembled to analyze problems, define scope, specify goals and identify constraints
• Feasibility analysis determines whether the organization has the resources and commitment to conduct a successful security analysis and design

Analysis in the SecSDLC
• A preliminary analysis of existing security policies or programs is prepared along with known threats and current controls
• Includes an analysis of relevant legal issues that could affect the design of the security solution
• Risk management begins in this stage

Risk Management
• Risk Management: process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the information stored and processed by the organization
• To better understand the analysis phase of the SecSDLC, you should know something about the kinds of threats facing organizations
• In this context, a threat is an object, person, or other entity that represents a constant danger to an asset

Key Terms
• Attack: deliberate act that exploits a vulnerability to achieve the compromise of a controlled system; accomplished by a threat agent that damages or steals an organization’s information or physical asset
• Exploit: technique or mechanism used to compromise a system
• Vulnerability: identified weakness of a controlled system in which necessary controls are not present or are no longer effective

Threats to Information Security

Some Common Attacks
• Malicious code
• Hoaxes
• Back doors
• Password crack
• Brute force
• Dictionary
• Denial-of-service (DoS) and distributed denial-of-service (DDoS)
• Spoofing
• Man-in-the-middle
• Spam
• Mail bombing
• Sniffer
• Social engineering
• Buffer overflow
• Timing

Risk Management
• Use some method of prioritizing the risk posed by each category of threat and its related methods of attack
• To manage risk, you must identify and assess the value of your information assets
• Risk assessment assigns a comparative risk rating or score to each specific information asset
• Risk management identifies vulnerabilities in an organization’s information systems and takes carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in the organization’s information system

Design in the SecSDLC
• The design phase actually consists of two distinct phases:
  • Logical design phase: team members create and develop a blueprint for security, and examine and implement key policies
  • Physical design phase: team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final design

Security Models
• Security managers often use established security models to guide the design process
• Security models provide frameworks for ensuring that all areas of security are addressed
• Organizations can adapt or adopt a framework to meet their own information security needs

Policy
• A critical design element of the information security program is the information security policy
• Management must define three types of security policy:
  • General or security program policy
  • Issue-specific security policies
  • Systems-specific security policies

SETA
• Another integral part of the InfoSec program is the security education and training program
• A SETA program consists of three elements: security education, security training, and security awareness
• The purpose of SETA is to enhance security by:
  • Improving awareness
  • Developing skills and knowledge
  • Building in-depth knowledge

Design
• Attention turns to the design of the controls and safeguards used to protect information from attacks by threats
• Three categories of controls:
  • Managerial
  • Operational
  • Technical

Managerial Controls
• Address the design and implementation of the security planning process and security program management
• Management controls also address:
  • Risk management
  • Security control reviews

Operational Controls
• Cover management functions and lower-level planning including:
  • Disaster recovery
  • Incident response planning
• Operational controls also address:
  • Personnel security
  • Physical security
  • Protection of production inputs and outputs

Technical Controls
• Address those tactical and technical issues related to designing and implementing security in the organization
• Technologies necessary to protect information are examined and selected

Contingency Planning
• Essential preparedness documents provide contingency planning (CP) to prepare for, react to and recover from circumstances that threaten the organization:
  • Incident response planning (IRP)
  • Disaster recovery planning (DRP)
  • Business continuity planning (BCP)

Physical Security
• Physical Security: addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization
• Physical resources include:
  • People
  • Hardware
  • Supporting information system elements

Implementation in the SecSDLC
• Security solutions are acquired, tested, implemented, and tested again
• Personnel issues are evaluated and specific training and education programs conducted
• Perhaps the most important element of the implementation phase is management of the project plan:
  • Planning the project
  • Supervising tasks and action steps within the project
  • Wrapping up the project

InfoSec Project Team
Should consist of individuals experienced in one or multiple technical and non-technical areas including:
• Champion
• Team leader
• Security policy developers
• Risk assessment specialists
• Security professionals
• Systems administrators
• End users

Staffing the InfoSec Function
Each organization should examine the options for staffing of the information security function:
1. Decide how to position and name the security function
2. Plan for proper staffing of the information security function
3. Understand the impact of information security across every role in IT
4. Integrate solid information security concepts into the personnel management practices of the organization

InfoSec Professionals
It takes a wide range of professionals to support a diverse information security program:
• Chief Information Officer (CIO)
• Chief Information Security Officer (CISO)
• Security Managers
• Security Technicians
• Data Owners
• Data Custodians
• Data Users

Certifications
Many organizations seek professional certification so that they can more easily identify the proficiency of job applicants:
• CISSP
• SSCP
• GIAC
• SCP
• ICSA
• Security+
• CISM

Maintenance and Change in the SecSDLC
• Once the information security program is implemented, it must be operated, properly managed, and kept up to date by means of established procedures
• If the program is not adjusting adequately to the changes in the internal or external environment, it may be necessary to begin the cycle again

Maintenance Model
While a systems management model is designed to manage and operate systems, a maintenance model is intended to focus organizational effort on system maintenance:
• External monitoring
• Internal monitoring
• Planning and risk assessment
• Vulnerability assessment and remediation
• Readiness and review

ISO Management Model
• One issue planned in the SecSDLC is the systems management model
• The ISO management model contains five areas:
  • Fault management
  • Configuration and name management
  • Accounting management
  • Performance management
  • Security management

Security Management Model
• Fault Management involves identifying and addressing faults
• Configuration and Change Management involve administration of components involved in the security program and administration of changes
• Accounting and Auditing Management involves chargeback accounting and systems monitoring
• Performance Management determines if security systems are effectively doing the job for which they were implemented

Security Program Management
• Once an information security program is functional, it must be operated and managed
• In order to assist in the actual management of information security programs, a formal management standard can provide some insight into the processes and procedures needed
• This could be based on the BS7799/ISO17799 model or the NIST models described earlier

Summary

Introduction

Components of Organizational Planning

Planning for Information Security Implementation

Module 5: Information Security and Risk Management

Objectives
• How security supports organizational mission, goals and objectives
• Risk management
• Security management
• Personnel security

Mission
• Statement of the organization’s ongoing purpose and reason for existence.
• Usually published, so that employees, customers, suppliers, and partners are aware of the organization’s stated purpose.
• Should influence how we will approach the need to protect the organization’s assets.

Example Mission Statements
• “Promote professionalism among information system security practitioners through the provisioning of professional certification and training.” - (ISC)²
• “Help civilize the electronic frontier; to make it truly useful and beneficial not just to a technical elite, but to everyone; and to do this in a way which is in keeping with our society's highest traditions of the free and open flow of information and communication.” – Electronic Frontier Foundation

Example Mission Statements (cont.)
• “Empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally.” – Wikimedia Foundation

Objectives
• Statements of activities or end-states that the organization wishes to achieve.
• Support the organization’s mission and describe how the organization will fulfill its mission.
• Observable and measurable. Do not necessarily specify how they will be completed, when, or by whom.

Example Objectives
• “Improve security audit results.”
• “Develop a security awareness strategy.”
• “Consolidate computer account provisioning processes.”

Goals
• Specify the particular accomplishments that will enable the organization to meet its objectives.
• Measurable, observable, objective; support the mission and objectives

Example Goals
• “Obtain ISO 27001 certification by the end of third quarter.”
• “Reduce development costs by twenty percent in the next fiscal year.”
• “Complete the integration of CRM and ERP systems by the end of November.”

Security Support of Mission, Objectives, and Goals
• Influence development of mission, objectives, goals
• Become involved in key activities
• Risk management provides feedback

Risk Management
“The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.” – Wiktionary
• Risk assessments
• Risk treatment

Qualitative Risk Assessment
For a given scope of assets, identify:
• Vulnerabilities
• Threats
• Threat probability (low / medium / high)
• Impact (low / medium / high)
• Countermeasures

Quantitative Risk Assessment
• Extension of a qualitative risk assessment. Metrics for each risk are:
  • Asset value
  • Exposure Factor (EF): portion of the asset damaged
  • Single Loss Expectancy (SLE) = Asset ($) x EF (%)
  • Annualized Rate of Occurrence (ARO): probability of loss in a year, %
  • Annual Loss Expectancy (ALE) = SLE x ARO

Quantifying Countermeasures
• Goal: reduction of ALE (or of the qualitative losses)
• Impact of countermeasures:
  • Cost of the countermeasure
  • Changes in Exposure Factor (EF)
  • Changes in Single Loss Expectancy (SLE)
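The two slides above give the SLE and ALE formulas and say that a countermeasure is judged by its cost against the ALE it removes. The following Python is an added worked example (not course material) that carries those formulas through for one asset and ranks candidate controls by net annual benefit; the asset value, exposure factors, occurrence rates and control costs are constructed sample figures, and the Risk and Countermeasure classes are assumed names for this illustration.

```python
"""Quantitative risk assessment: SLE, ALE and countermeasure cost/benefit.

Added example using the slide formulas (SLE = AV x EF, ALE = SLE x ARO).
All dollar figures and rates below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float       # replacement/repair cost of the asset, in dollars
    exposure_factor: float   # EF: fraction of the asset value lost per incident (0..1)
    aro: float               # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = asset value x exposure factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # EF after the control, if it changes
    new_aro: Optional[float] = None              # ARO after the control, if it changes

    def apply(self, risk: Risk) -> Risk:
        """Return the residual risk once this control is in place."""
        ef = self.new_exposure_factor if self.new_exposure_factor is not None else risk.exposure_factor
        aro = self.new_aro if self.new_aro is not None else risk.aro
        return Risk(risk.asset, risk.asset_value, ef, aro)


def annual_benefit(risk: Risk, control: Countermeasure) -> float:
    """Net yearly value of a control: ALE reduction minus the control's annual cost.
    A negative value means the control costs more than the loss it prevents."""
    return risk.ale() - control.apply(risk).ale() - control.annual_cost


def rank_countermeasures(risk: Risk, controls: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Order candidate controls by net annual benefit, best first."""
    scored = [(c.name, round(annual_benefit(risk, c), 2)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: a $200,000 customer database; a destructive incident
# wipes out 40% of its value and is expected once every two years.
SAMPLE_RISK = Risk("customer database", 200_000, 0.40, 0.5)
SAMPLE_CONTROLS = [
    Countermeasure("offline backups", 8_000, new_exposure_factor=0.05),
    Countermeasure("endpoint protection", 15_000, new_aro=0.2),
    Countermeasure("gold-plated appliance", 50_000, new_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE ${SAMPLE_RISK.sle():,.0f}  ALE ${SAMPLE_RISK.ale():,.0f}")
    for name, benefit in rank_countermeasures(SAMPLE_RISK, SAMPLE_CONTROLS):
        print(f"{name:22s} net annual benefit ${benefit:,.0f}")
```

With the sample figures the database has an SLE of $80,000 and an ALE of $40,000; the backups cut ALE to $5,000 for $8,000 a year (net $27,000), endpoint protection cuts it to $16,000 for $15,000 (net $9,000), and the expensive appliance costs more than it saves (net -$18,000), which is the comparison the slide asks for.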

Geographic Considerations
• Replacement and repair costs of assets may vary by location
• Exposure Factor may vary by location
• Impact may vary by location

Risk Assessment Methodologies
• NIST 800-30, Risk Management Guide for Information Technology Systems
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
• FRAP (Facilitated Risk Analysis Process) – qualitative pre-screening
• Spanning Tree Analysis – visual, similar to a mind map

Risk Treatment
• One or more outcomes from a risk assessment:
  • Risk acceptance: “yeah, we can live with that”
  • Risk avoidance: discontinue the risk-related activity
  • Risk reduction: mitigate
  • Risk transfer: buy insurance
• Risk treatment is often a blended approach
• After risk treatment, any leftover risk is known as “residual risk”

Security Management Concepts
• Security controls
• CIA Triad
• Defense in depth
• Single points of failure
• Fail open, fail closed
• Privacy

Security Controls
• Detective
• Preventive
• Deterrent
• Administrative
• Compensating

CIA: Confidentiality, Integrity, Availability
• The three pillars of security: the CIA Triad
• Confidentiality: information and functions can be accessed only by properly authorized parties
• Integrity: information and functions can be added, altered, or removed only by authorized persons and means
• Availability: systems, functions, and data must be available on demand according to any agreed-upon parameters regarding levels of service

Defense in Depth
• A layered defense in which two or more layers or controls are used to protect an asset
  • Heterogeneity: the different controls should be of different types, so as to better resist attack
  • Entire protection: each control completely protects the asset from most or all threats
• Defense in depth reduces or eliminates the risks associated with single points of failure, fail open, malfunctions, and successful attacks on individual components

Single Points of Failure
• A single point of failure (SPOF) is a weakness in a system where the failure of a single component results in the failure of the entire system

Fail Open, Fail Closed
• When a security mechanism fails, there are usually two possible outcomes:
  • Fail open – the mechanism permits all activity
  • Fail closed – the mechanism blocks all activity
• Principles
  • Different types of failures will have different results
  • Both fail open and fail closed are undesirable, but sometimes one or the other is catastrophic!
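To make the fail-open / fail-closed choice concrete, here is an added Python example (not from the course) of an authorization gate whose behaviour when its policy backend breaks is selected explicitly. The PermissionStore class, the FailMode enum and the sample grants are constructed for this illustration; a healthy backend gives the same answer in both modes, and only the error branch differs.

```python
"""Fail open vs. fail closed in an authorization check.

Added example, not course material. The in-memory permission store and the
simulated backend outage are constructed for the demonstration.
"""
import logging
from enum import Enum
from typing import Dict, Set

log = logging.getLogger("gate")


class FailMode(Enum):
    OPEN = "open"      # on error, permit all activity (availability wins)
    CLOSED = "closed"  # on error, block all activity (confidentiality wins)


class PermissionStore:
    """Stand-in for a directory or policy service that may become unavailable."""

    def __init__(self, grants: Dict[str, Set[str]], healthy: bool = True):
        self._grants = grants
        self._healthy = healthy

    def allowed(self, user: str, resource: str) -> bool:
        if not self._healthy:
            # simulates a timed-out or crashed policy backend
            raise ConnectionError("policy service unavailable")
        return resource in self._grants.get(user, set())


def authorize(store: PermissionStore, user: str, resource: str,
              fail_mode: FailMode = FailMode.CLOSED) -> bool:
    """Return True if the request may proceed.

    The default is fail closed: an authorization check that cannot get an
    answer denies, because granting access on an error is a security failure
    while denying on an error is an availability failure.
    """
    try:
        return store.allowed(user, resource)
    except Exception as exc:  # any backend failure, not only ConnectionError
        log.error("authorization backend failed for %s on %s: %s", user, resource, exc)
        return fail_mode is FailMode.OPEN


def decisions(user: str, resource: str) -> Dict[str, bool]:
    """Same request against a healthy and a failed backend, in both modes."""
    grants = {"alice": {"payroll"}, "bob": set()}   # constructed sample grants
    healthy = PermissionStore(grants)
    broken = PermissionStore(grants, healthy=False)
    return {
        "healthy": authorize(healthy, user, resource),
        "broken_fail_closed": authorize(broken, user, resource, FailMode.CLOSED),
        "broken_fail_open": authorize(broken, user, resource, FailMode.OPEN),
    }


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, decisions(who, "payroll"))
```

Run against the constructed grants, alice is allowed by a healthy store, denied under fail closed during the outage, and allowed under fail open; bob, who has no grant at all, is still let through under fail open, which is exactly the catastrophic case the slide warns about for an access-control mechanism. The opposite default is right for safety mechanisms such as emergency exits, which must fail open.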

Privacy
• Defined: the protection and proper handling of sensitive personal information
• Requires proper technology for protection
• Requires appropriate business processes and controls for appropriate handling
• Issues
  • Inappropriate uses of sensitive data
  • Unintended disclosures of sensitive data to others

Security Management
• Executive oversight
• Governance
• Policy, guidelines, standards, and procedures
• Roles and responsibilities
• Service level agreements
• Secure outsourcing
• Data classification and protection
• Certification and accreditation
• Internal audit

Security Executive Oversight
• Support and enforcement of policies
• Allocation of resources
• Prioritization of activities
• Risk treatment

Security Governance
Defined: “Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.” – IT Governance Institute

Security Governance (cont.)
• Steering committee oversight
• Resource allocation and prioritization
• Status reporting
• Strategic decisions
• The process and action that supports executive oversight

Security Policies, Requirements, Guidelines, Standards, and Procedures
• Policies: constraints of behavior on systems and people. Define what, but not how.
• Requirements: required characteristics of a system or process
• Guidelines: define how to support a policy.
• Standards: what products, technical standards, and methods will be used to support policy
• Procedures: step-by-step instructions

Security Roles and Responsibilities
• Formally defined in security policy and job descriptions
• These need to be defined:
  • Ownership of assets
  • Access to assets
  • Use of assets
  • Managers responsible for employee behavior

Service Level Agreements
• SLAs define a formal level of service
• SLAs for security activities:
  • Security incident response
  • Security alert / advisory delivery
  • Security investigation
  • Policy and procedure review

Secure Outsourcing
• Outsourcing risks
  • Control of confidential information
  • Loss of control of business activities
  • Accountability – the organization that outsources activities is still accountable for their activities and outcomes
• An organization’s security program for assessing and treating risk associated with outsourced entities will depend on a number of factors, including the level of sensitivity and volume of sensitive data accessible by each outsourced party

Data Classification and Protection
Components of a classification and protection program:
• Sensitivity levels: “confidential”, “restricted”, “secret”, etc.
• Marking procedures: how to indicate sensitivity on various forms of information
• Access procedures
• Handling procedures: e-mailing, faxing, mailing, printing, transmitting, destruction
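The slide lists the parts of a classification program (levels, marking, handling) without showing how they fit together. The Python below is an added example, not course material: it marks a document with its level, reads the marking back, and checks a handling request against a per-channel ceiling. The level names are the ones on the slide plus a "public" floor; the channel ceilings, destruction rules, bracketed marking format and sample document are constructed, and treating an unmarked document as the highest level is a design assumption of this example.

```python
"""Data classification: marking and handling-procedure checks.

Added example, not course material. The channel ceilings, destruction
rules, marking format and sample document are constructed.
"""
import re
from enum import IntEnum
from typing import Dict


class Sensitivity(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    RESTRICTED = 2
    SECRET = 3


# Constructed handling matrix: the highest level each channel may carry.
CHANNEL_CEILING: Dict[str, Sensitivity] = {
    "email_external": Sensitivity.PUBLIC,
    "email_internal": Sensitivity.CONFIDENTIAL,
    "fax": Sensitivity.CONFIDENTIAL,
    "print": Sensitivity.RESTRICTED,
    "encrypted_transfer": Sensitivity.SECRET,
}

# Constructed destruction procedure per level.
DESTRUCTION: Dict[Sensitivity, str] = {
    Sensitivity.PUBLIC: "recycle",
    Sensitivity.CONFIDENTIAL: "shred",
    Sensitivity.RESTRICTED: "cross-cut shred",
    Sensitivity.SECRET: "cross-cut shred with a witnessed destruction record",
}

# Marking format assumed here: "[LEVEL] title"
_MARK = re.compile(r"^\[(?P<level>[A-Z]+)\]\s+(?P<title>.+)$")


def mark(title: str, level: Sensitivity) -> str:
    """Marking procedure: prefix the title with its level in brackets."""
    return f"[{level.name}] {title}"


def classify(marked: str) -> Sensitivity:
    """Read the marking back.

    Unmarked or unrecognised markings are treated as SECRET so that a missing
    or mangled label can never downgrade handling (design assumption).
    """
    m = _MARK.match(marked.strip())
    if m is None:
        return Sensitivity.SECRET
    try:
        return Sensitivity[m.group("level")]
    except KeyError:
        return Sensitivity.SECRET


def may_send(marked: str, channel: str) -> bool:
    """Handling procedure: allow a channel only if its ceiling is at or above
    the document's level. Channels not in the matrix are refused."""
    ceiling = CHANNEL_CEILING.get(channel)
    if ceiling is None:
        return False
    return classify(marked) <= ceiling


def destruction_method(marked: str) -> str:
    """Handling procedure for destruction, looked up from the marking."""
    return DESTRUCTION[classify(marked)]


if __name__ == "__main__":
    doc = mark("Q3 salary review", Sensitivity.RESTRICTED)   # constructed sample
    for channel in CHANNEL_CEILING:
        verdict = "allowed" if may_send(doc, channel) else "refused"
        print(f"{doc!r} via {channel:19s}: {verdict}")
    print("unmarked memo is handled as", classify("Board minutes").name)
    print("destroy by:", destruction_method(doc))
```

The ordering on the enum is what makes the ceiling check a single comparison, and the conservative default in classify() is the piece most often missing in real programs: documents that never got a marking tend to flow through the least restrictive channel unless the check refuses to guess.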

Certification and Accreditation
• Two-step process for the formal evaluation and approval for use of a system
  • Certification is the process of evaluating a system against a set of formal standards, policies, or specifications.
  • Accreditation is the formal approval for the use of a certified system, for a defined period of time (and possibly other conditions).

Internal Audit
• Evaluation of security controls and policies to measure their effectiveness
  • Performed by internal staff
  • Objectivity is of vital importance
  • Formal methodology
  • Required by some regulations, e.g. Sarbanes-Oxley
• Methodologies
  • Standards and practices of internal auditing from The Institute of Internal Auditors
  • IT Audit and Assurance Standards, Tools, and Techniques from ISACA

Security Strategies
• Management is responsible for developing the ongoing strategy for security management
• Past events can help shape the future:
  • Incidents
  • SLA performance
  • Certification and accreditation
  • Internal audit

Personnel Security
• Hiring practices and procedures
• Periodic performance evaluation
• Disciplinary action policy and procedures
• Termination procedures

Hiring Practices and Procedures
• Effective assessment of qualifications
• Background verification (prior employment, education, criminal history, financial history)
• Non-disclosure agreement
• Intellectual property agreement
• Employment agreement
• Agreement to abide by all organizational policies
• Formal job descriptions

Termination
• Immediate termination of all logical and physical access
• Change passwords known to the employee
• Recovery of all assets
• Notification of the termination to affected staff, customers, and other third parties
• And possibly: code reviews, review of recent activities prior to the termination

Work Practices
• Separation of duties: designing sensitive processes so that two or more persons are required to complete them
• Job rotation: good for cross-training, and also reduces the likelihood that employees will collude for personal gain
• Mandatory vacations: detect / prevent irregularities that violate policy and practices

Security Education, Training, and Awareness
• Training on security policy, guidelines, standards
  • Upon hire and periodically thereafter
• Various types of messaging
  • E-mail, intranet, posters, flyers, trinkets, training classes
• Testing – to measure employee knowledge of policy and practices

Summary
• An organization’s security program should support its mission, objectives, and goals.
• The core principles of information security are confidentiality, integrity, and availability.
• Privacy is related to the protection and proper handling of personal information.
• Security governance is the set of responsibilities and practices related to the development of strategic direction and risk management.
• Security policies specify the required characteristics of information systems and the required conduct of employees.

Summary (cont.)

• Security roles and responsibilities define the ownership, access, and use of assets, and the general responsibilities of managers and employees.
• Data classification and protection defines levels of sensitivity for business information, as well as handling procedures for each level of sensitivity.
• Internal audit is the activity of evaluating security controls and policies to measure their effectiveness.
• An organization’s hiring process should include the use of non-disclosure, employment, non-compete, intellectual property, and acceptable use agreements, as well as background checks.


Summary (cont.)

• Upon termination of employment, the organization should retrieve all assets issued to the terminated employee and immediately rescind the employee’s access to all information systems.
• Sound work practices include separation of duties, job rotation, and mandatory vacations.
• A security education, training, and awareness program should keep employees regularly informed of their expectations.

Module 6: Federal Information Security Management Act

Applying NIST Information Security Standards and Guidelines

The Current Landscape

Public and private sector enterprises today are highly dependent on information systems to carry out their missions and business functions.

To achieve mission and business success, enterprise information systems must be dependable in the face of serious cyber threats.

To achieve information system dependability, the systems must be appropriately protected.

The Threat Situation

• Continuing serious cyber attacks on federal information systems, large and small; targeting key federal operations and assets…
• Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
• Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising federal information systems.
• Significant exfiltration of critical and sensitive information and implantation of malicious software.

Unconventional Threats to Security

• Connectivity
• Complexity
• Asymmetry of Cyber Warfare

The weapons of choice are:
• Laptop computers, hand-held devices, cell phones.
• Sophisticated attack tools and techniques downloadable from the Internet.
• World-wide telecommunication networks including telephone networks, radio, and microwave.

Resulting in low-cost, highly destructive attack potential.

What is at Risk?

Federal information systems supporting Defense, Civil, and Intelligence agencies within the federal government.

Private sector information systems supporting U.S. industry and businesses (intellectual capital).

Information systems supporting critical infrastructures within the United States (public and private sector) including:
• Energy (electrical, nuclear, gas and oil, dams)
• Transportation (air, road, rail, port, waterways)
• Public Health Systems / Emergency Services
• Information and Telecommunications
• Defense Industry
• Banking and Finance
• Postal and Shipping
• Agriculture / Food / Water / Chemical

U.S. Critical Infrastructures

“...systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.” -- USA Patriot Act (P.L. 107-56)

Critical Infrastructure Protection

The U.S. critical infrastructures are over 90% owned and operated by the private sector.

Critical infrastructure protection must be a partnership between the public and private sectors.

Information security solutions must be broad-based, consensus-driven, and address the ongoing needs of government and industry.

A National Imperative

For economic and national security reasons, we need:
• State-of-the-art cyber defenses for public and private sector enterprises.
• Adequate security for organizational operations (mission, functions, image, and reputation), organizational assets, individuals, other organizations (in partnership with the organization), and the Nation.
• A process for managing cyber risks in a dynamic environment where threats, vulnerabilities, missions, information systems, and operational environments are constantly changing.

A Unified Framework for Information Security

The Generalized Model

[Diagram: the Intelligence Community, the Department of Defense, and Federal Civil Agencies each carry Unique Information Security Requirements on top of Common Information Security Requirements; the “Delta” is the Foundational Set of Information Security Standards and Guidance, applied to national security and non national security information systems.]

The foundational set provides:
• Standardized risk management process
• Standardized security categorization (criticality/sensitivity)
• Standardized security controls (safeguards/countermeasures)
• Standardized security assessment procedures
• Standardized security authorization process

Risk-Based Protection Strategy

Enterprise missions and business processes drive security requirements and associated safeguards and countermeasures for organizational information systems.

Highly flexible implementation; recognizing diversity in mission/ business processes and operational environments.

Senior leaders take ownership of their security plans including the safeguards/countermeasures for the information systems.

Senior leaders are both responsible and accountable for their information security decisions; understanding, acknowledging, and explicitly accepting resulting mission/business risk.

Information Security Programs

Adversaries attack the weakest link…where is yours?

Links in the Security Chain: Management, Operational, and Technical Controls

Management and operational controls:
• Risk assessment
• Security planning, policies, procedures
• Configuration management and control
• Contingency planning
• Incident response planning
• Security awareness and training
• Security in acquisitions
• Physical security
• Personnel security
• Security assessments
• Certification and accreditation

Technical controls:
• Access control mechanisms
• Identification & authentication mechanisms (biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Boundary and network protection devices (firewalls, guards, routers, gateways)
• Intrusion protection/detection systems
• Security configuration settings
• Anti-viral, anti-spyware, anti-spam software
• Smart cards

Strategic Planning Considerations

• Consider vulnerabilities of new information technologies and system integration before deployment.
• Diversify information technology assets.
• Reduce information system complexity.
• Apply a balanced set of management, operational, and technical security controls in a defense-in-depth approach.
• Detect and respond to breaches of information system boundaries.
• Reengineer mission/business processes, if necessary.

Risk Management Framework

Security Life Cycle (SP 800-39)

• Step 1, CATEGORIZE Information System (FIPS 199 / SP 800-60), the starting point: define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
• Step 2, SELECT Security Controls (FIPS 200 / SP 800-53): select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• Step 3, IMPLEMENT Security Controls (SP 800-70): implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
• Step 4, ASSESS Security Controls (SP 800-53A): determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
• Step 5, AUTHORIZE Information System (SP 800-37): determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• Step 6, MONITOR Security State (SP 800-37 / SP 800-53A): continuously track changes to the information system that may affect security controls and reassess control effectiveness.

RMF Characteristics

The NIST Risk Management Framework and the associated security standards and guidance documents provide a process that is:
• Disciplined
• Flexible
• Extensible
• Repeatable
• Organized
• Structured

“Building information security into the infrastructure of the organization…so that critical enterprise missions and business cases will be protected.”

Security Categorization

FIPS 199 potential impact definitions, by security objective and impact level (LOW / MODERATE / HIGH):

Confidentiality
• LOW: The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• MODERATE: The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• HIGH: The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity
• LOW: The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• MODERATE: The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• HIGH: The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability
• LOW: The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• MODERATE: The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• HIGH: The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Example: An Enterprise Information System

[Diagram: mapping the information types handled by an enterprise information system to FIPS 199 security categories, following SP 800-60.]

Security Control Baselines

Master Security Control Catalog: the complete set of security controls and control enhancements, from which three baselines of minimum security controls are drawn:
• Baseline #1 (minimum security controls for Low Impact Information Systems): selection of a subset of security controls from the master catalog, consisting of basic level controls.
• Baseline #2 (minimum security controls for Moderate Impact Information Systems): builds on the low baseline; selection of a subset of controls from the master catalog, consisting of basic level controls, additional controls, and control enhancements.
• Baseline #3 (minimum security controls for High Impact Information Systems): builds on the moderate baseline; selection of a subset of controls from the master catalog, consisting of basic level controls, additional controls, and control enhancements.

Tailoring Guidance

FIPS 200 and SP 800-53 provide significant flexibility in the security control selection and specification process:
• Scoping guidance;
• Compensating security controls; and
• Organization-defined security control parameters.
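As an added worked example (not part of the course slides and not NIST code), the FIPS 199 categorization above, the SP 800-60 information-type mapping, the nested low/moderate/high baselines, and the three tailoring tools just listed, in Python. The control names are constructed placeholders rather than SP 800-53 identifiers, and the system-level impact is aggregated with the FIPS 200 high-water mark rule.

```python
from dataclasses import dataclass
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the worst case."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)} per FIPS 199."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

def categorize_system(info_types):
    """SP 800-60 mapping: the system's impact for each objective is the worst-case
    impact among the information types it processes (one SecurityCategory each)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return SecurityCategory(
        confidentiality=max(t.confidentiality for t in info_types),
        integrity=max(t.integrity for t in info_types),
        availability=max(t.availability for t in info_types),
    )

def baseline_level(sc):
    """FIPS 200 high-water mark: the highest of the three objectives picks the baseline."""
    return max(sc.confidentiality, sc.integrity, sc.availability)

# Constructed placeholder control names (not SP 800-53 identifiers) that mirror the
# slides' nesting: moderate builds on low, high builds on moderate.
LOW_BASELINE = frozenset({"basic-1", "basic-2", "basic-3"})
MODERATE_BASELINE = LOW_BASELINE | {"added-M-1", "basic-2(enh-1)"}
HIGH_BASELINE = MODERATE_BASELINE | {"added-H-1", "basic-2(enh-2)"}
BASELINES = {Impact.LOW: LOW_BASELINE, Impact.MODERATE: MODERATE_BASELINE,
             Impact.HIGH: HIGH_BASELINE}

def tailor(baseline, scoped_out=None, compensating=None, parameters=None):
    """Apply the three tailoring tools the slides name; every scoping or compensating
    decision must carry a rationale that the security plan can record.
      scoped_out   {control: rationale}                control removed as not applicable
      compensating {control: (replacement, rationale)} control replaced by an equivalent
      parameters   {control: value}                    organization-defined parameter
    Returns (tailored control set, list of decision records)."""
    controls, decisions = set(baseline), []
    for ctrl, why in (scoped_out or {}).items():
        if ctrl not in controls or not why:
            raise ValueError(f"scoping {ctrl} needs a baseline control and a rationale")
        controls.remove(ctrl)
        decisions.append(("scoped", ctrl, why))
    for ctrl, (replacement, why) in (compensating or {}).items():
        if ctrl not in controls or not why:
            raise ValueError(f"compensating {ctrl} needs a baseline control and a rationale")
        controls.remove(ctrl)
        controls.add(replacement)
        decisions.append(("compensated", f"{ctrl} -> {replacement}", why))
    for ctrl, value in (parameters or {}).items():
        if ctrl not in controls:
            raise KeyError(f"{ctrl} is not a selected control; cannot set its parameter")
        decisions.append(("parameter", ctrl, value))
    return frozenset(controls), decisions
```

The decision records are what the security plan carries forward into assessment and authorization: each scoped or compensated control is traceable to a stated rationale rather than silently dropped.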

Tailoring Security Controls: Scoping, Parameterization, and Compensating Controls

[Diagram: the minimum security controls for Low, Moderate, and High Impact Information Systems (the Low, Moderate, and High Baselines) are each tailored into Tailored Security Controls for a specific enterprise and operational environment: Enterprise #1 / Operational Environment #1, Enterprise #2 / Operational Environment #2, Enterprise #3 / Operational Environment #3.]

Cost effective, risk-based approach to achieving adequate information security…

Large and Complex Systems

• System security plan reflects information system decomposition with adequate security controls assigned to each subsystem component.
• Security assessment procedures tailored for the security controls in each subsystem component and for the combined system-level controls.
• Security assessment performed on each subsystem component and on system-level controls not covered by subsystem assessments.
• Security authorization performed on the information system as a whole.

[Diagram: an Organizational Information System whose Authorization Boundary encloses three Subsystem Components: Local Area Network Alpha, a System Guard, and Local Area Network Bravo.]

Applying the Risk Management Framework to Information Systems

[Diagram: the Risk Management Framework (CATEGORIZE Information System, SELECT Security Controls, IMPLEMENT Security Controls, ASSESS Security Controls, AUTHORIZE Information System, MONITOR Security State) applied to an Information System produces the Authorization Package of artifacts and evidence: the Security Plan (SP) including updated Risk Assessment, the Security Assessment Report (SAR), and the Plan of Action and Milestones (POAM), supplemented by near real time security status information and output from automated support tools, leading to the Authorization Decision.]

Extending the Risk Management Framework to Organizations

[Diagram: the Risk Executive Function provides enterprise-wide oversight, monitoring, and risk management, issuing Policy Guidance and Security Requirements to each Information System; each Information System runs the Risk Management Framework and produces its own SP, SAR, POAM, and Authorization Decision, while Common Security Controls (infrastructure-based, system-inherited) are shared across systems.]

Risk Executive Function

• Establish organizational information security priorities.
• Allocate information security resources across the organization.
• Provide oversight of information system security categorizations.
• Identify and assign responsibility for common security controls.
• Provide guidance on security control selection (tailoring and supplementation).
• Define common security control inheritance relationships for information systems.
• Establish and apply mandatory security configuration settings.
• Identify and correct systemic weaknesses and deficiencies in information systems.

Managing Risk at the Organizational Level

[Diagram: the Risk Executive Function coordinates policy, risk, and security-related activities across the organization, supporting organizational missions and business processes; each Mission / Business Process is supported by Information Systems, each with its own information system-specific considerations.]

Trust Relationships

The objective is to achieve visibility into and understanding of prospective partner’s information security programs…establishing a trust relationship based on the trustworthiness of their information systems.

[Diagram: Organization One and Organization Two each operate an Information System with its System Security Plan, Security Assessment Report, and Plan of Action and Milestones; Business / Mission Information Flow and Security Information pass between the two organizations. Each organization is determining risk to its operations and assets, individuals, other organizations, and the Nation, and the acceptability of such risk.]

Mainstreaming Information Security

Information security requirements must be considered first order requirements and are critical to mission and business success.

An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.

Enterprise Architecture

Provides a common language for discussing information security in the context of organizational missions, business processes, and performance goals.

Defines a collection of interrelated reference models that are focused on lines of business including Performance, Business, Service Component, Data, and Technical.

Uses a security and privacy profile to describe how to integrate the Risk Management Framework into the reference models.

System Development Life Cycle

The Risk Management Framework should be integrated into all phases of the SDLC:
• Initiation (RMF Steps 1 and 2)
• Development and Acquisition (RMF Step 2)
• Implementation (RMF Steps 3 through 5)
• Operations and Maintenance (RMF Step 6)
• Disposition (RMF Step 6)

Reuse system development artifacts and evidence (e.g., design specifications, system documentation, testing and evaluation results) for risk management activities.

FISMA Phase I Publications

• FIPS Publication 199 (Security Categorization)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-18 (Security Planning)
• NIST Special Publication 800-30 (Risk Assessment)
• NIST Special Publication 800-39 (Risk Management)
• NIST Special Publication 800-37 (Certification & Accreditation)
• NIST Special Publication 800-53 (Recommended Security Controls)
• NIST Special Publication 800-53A (Security Control Assessment)
• NIST Special Publication 800-59 (National Security Systems)
• NIST Special Publication 800-60 (Security Category Mapping)

FISMA Phase II

Demonstrating competence to provide information security services including:
• Assessments of Information Systems (operational environments): security controls; configuration settings
• Assessments of Information Technology Products (laboratory environments): security functionality (features); configuration settings

FISMA Phase II

Producing evidence that supports the grounds for confidence in the design, development, implementation, and operation of information systems.

[Diagram: in each Operational Environment, IT Products are combined into an Information System; the functionality and assurance of the products determine the trustworthiness of the information system, and the trustworthiness of the two information systems underpins the trust relationship between them.]

Training Initiative

Information security training initiative underway to provide increased support to organizations using FISMA-related security standards and guidelines.

Training initiative includes three components:
• Frequently Asked Questions
• Publication Summary Guides (Quickstart Guides)
• Formal Curriculum and Training Courses

NIST will provide initial training in order to fine-tune the curriculum; then transition to other providers.

The Golden Rules: Building an Effective Enterprise Information Security Program

• Develop an enterprise-wide information security strategy and game plan.
• Get corporate “buy in” for the enterprise information security program; effective programs start at the top.
• Build information security into the infrastructure of the enterprise.
• Establish level of “due diligence” for information security.
• Focus initially on mission/business process impacts; bring in threat information only when specific and credible.

The Golden Rules: Building an Effective Enterprise Information Security Program (cont.)

Create a balanced information security program with management, operational, and technical security controls.

Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk.

Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data.

Harden the target; place multiple barriers between the adversary and enterprise information systems.

The Golden Rules: Building an Effective Enterprise Information Security Program (cont.)

Be a good consumer—beware of vendors trying to sell single point solutions for enterprise security problems.

Don’t be overwhelmed with the enormity or complexity of the information security problem—take one step at a time and build on small successes.

Don’t tolerate indifference to enterprise information security problems.

And finally… Manage enterprise risk—don’t try to avoid it!