PPS DC 11 PPT Aldrich.ppt


Information Security

Rick Aldrich, JD, CISSP

Booz | Allen | Hamilton

Aldrich_Richard@bah.com

Overview (Fed Info Sys)

From NIST SP 800-60, Vol 1, Guide for Mapping Types of Information Systems to Security Categories

Overview (NSS)

From CNSSP-22, Information Assurance Risk Management Policy for NSS. CATSS is not an NSS, so the remaining presentation addresses only federal information systems.

Step 1: Categorization

• Is vendor operated/maintained CATSS a “federal information system”?

• Yes, per 40 USC 11331:

–An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency

Step 1: Categorization

• Per FIPS 199

–SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

– Impact can be Low, Moderate or High

–Must consider all information types on the information system

System Categorization

• Impact values

–Low

• Loss of C-I-A could be expected to have a limited adverse effect on operations, assets, or individuals.

–Moderate

• … serious adverse effect …

–High

• … severe or catastrophic effect …

Amplification

• Low / Moderate / High

–Mission capability: Degraded, effectiveness noticeably reduced / Degraded, effectiveness significantly reduced / Not able to perform one or more of primary functions

–Org. assets: Minor damage / Significant damage / Major damage

–Financial loss: Minor loss / Significant loss / Major loss

–Harm to individuals: Minor / Significant / Loss of life or serious life-threatening injuries

Categories are logically “or”ed

Identify Information Types

• Based on the hypothetical, info types would include, for example:

–Personal Identity/Authentication Info type

–Payments Information type

Assign Provisional Values for Info Types

• Based on NIST 800-60, vol. 2

–Personal Identity/Authentication Info type

• Security Category = {(confidentiality, Moderate), (integrity, Moderate), (availability, Moderate)}

–Payments Information type

• Security Category = {(confidentiality, Low/Moderate), (integrity, Moderate), (availability, Low)}

–Other types

Assign System Security Category

• Based on NIST 800-60, vol. 1

–Select high water mark of aggregated information types on system

–In this case, each of C-I-A aggregates to Moderate, so the system is Moderate

                             Confidentiality   Integrity   Availability

Personal ID/Authentication   Moderate          Moderate    Moderate

Payment                      Low (Moderate)    Moderate    Low

System                       Moderate          Moderate    Moderate
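The high water mark selection above, carried out in code as an added example (not from the slides): the provisional values are the ones the slide lists for CATSS, and resolving a range such as Low/Moderate to its higher level is this example's own conservative assumption, not a rule stated on the slide.

```python
# Added example (not from the slides): FIPS 199 / SP 800-60 "high water mark"
# categorization, run over the two CATSS information types the slide lists.
from typing import Dict

IMPACT_ORDER = {"Low": 0, "Moderate": 1, "High": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

def parse_impact(value: str) -> str:
    """Accept "Moderate", "Low/Moderate" or "Low (Moderate)" as on the slide.
    Assumption of this example: a provisional range resolves to its higher
    level (the conservative choice); SP 800-60 leaves adjustment to the agency."""
    levels = [p.strip(" ()") for p in value.replace("(", "/").split("/")]
    levels = [p for p in levels if p]
    unknown = [p for p in levels if p not in IMPACT_ORDER]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(levels, key=IMPACT_ORDER.__getitem__)

def high_water_mark(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """System SC: for each of C, I, A take the highest impact carried by any
    information type on the system."""
    return {
        obj: max((parse_impact(sc[obj]) for sc in info_types.values()),
                 key=IMPACT_ORDER.__getitem__)
        for obj in OBJECTIVES
    }

def overall_impact(system_sc: Dict[str, str]) -> str:
    """Single level used to pick the FIPS 200 / SP 800-53 baseline."""
    return max(system_sc.values(), key=IMPACT_ORDER.__getitem__)

def format_sc(name: str, sc: Dict[str, str]) -> str:
    """Render in the FIPS 199 notation the slides use."""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"

# Provisional values as given on the slide (NIST SP 800-60 Vol 2).
CATSS_INFO_TYPES = {
    "Personal Identity/Authentication":
        {"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Moderate"},
    "Payments":
        {"confidentiality": "Low/Moderate", "integrity": "Moderate", "availability": "Low"},
}

if __name__ == "__main__":
    sc = high_water_mark(CATSS_INFO_TYPES)
    print(format_sc("CATSS", sc))          # all three objectives Moderate
    print("Baseline impact level:", overall_impact(sc))
```

Adding a third information type with a High confidentiality value raises the system confidentiality, and so the baseline, to High, which is the aggregation effect the slide's "high water mark" wording describes.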

System Architecture

• Architecture description is also key to Step 1

–Key to understanding perimeter of the information system

–Plays a key role in selecting security controls in Step 2

• Increasing use of cloud computing introduces dynamic sub-systems and external sub-systems

Steps 2, 3, 4: Security Controls

• What is the effect of determining the security category of the IS?

–Drives the security controls to be

• Selected (FIPS 200 and SP 800-53) under Step 2

• Implemented (SP 800-70) under Step 3

• Assessed (SP 800-53) under Step 4

Select Controls per Impact Level

• Use 800-53 to

–Select initial Baseline Security Controls

– Tailor the Baseline Security Controls

• Scoping

• Compensating controls

• Organization-defined control parameters

–Coordinate with Authorizing official

–Obtain approval from Authorizing official

Security Controls

• “Moderate” controls require, e.g.

– Info flow enforcement

–Separation of duties

– Least privilege

–Audit reduction and report generation

–Configuration change control

–Configuration management plan

–Access restrictions for change

–Alternate storage site

–Alternate processing site

System Security Plan

• Per OMB A-11 and NIST 800-18, the plan has many inputs and outputs

System Security Plan Template

1. Information System Name/Title

– Unique Identifier (OMB A-11)

2. Information System Categorization

3. Information System Owner

4. Authorizing Official

5. Other Designated Contacts

6. Assignment of Security Responsibility

7. Info System Operational Status

8. Info System Type

System Security Plan Template (cont.)

9. General System Description/Purpose

10. System Environment

11. System Interconnections/Info Sharing

12. Related Laws/Regulations/Policies

13. Minimum Security Controls

14. IS Security Plan Completion Date

15. IS Security Plan Approval Date

System Security Plan Review

• Who reviews the security plan?

– Senior Agency Information Security Officer

• Review at least annually for changes in

– information system owner

– information security representative

– system architecture

– system status

– system interconnections

– system scope

– authorizing official

– system authorization status

E-Authentication

• Authentication is a Step 2 control

• Per NIST 800-63 and OMB 04-04

–Applies to remote authentication of users of Agency IT to conduct gov’t business

–Not applicable to NSS

–Two types of authentication

• Identity – confirming a unique person

• Attribute – confirming membership in a particular group (e.g., military veterans, US citizens)

Assurance Levels

• Level 1 (no ID proofing req’t)

– Little or no confidence in the asserted identity’s validity

• Level 2 (single factor, PW or pin)

– Some confidence …

• Level 3 (multi-factor, soft, hard or 1-time PW tokens)

– High confidence …

• Level 4 (multi-factor, hard tokens)

– Very high confidence …

Determining Assurance Level

• Determining max impacts for each assurance level

From OMB 04-04

Choosing Assurance Level

• Factors

–Access over Internet

–Access from PCs outside of Agency’s control

– Includes access to sensitive PII on 1M applicants

–Need to attribute as US citizen

• Chosen assurance level must be made public (website, Fed Reg, etc.)

Encryption

• Encryption required for levels 3, 4

• Level 4 must use FIPS 140-2 validated encryption modules

–All sensitive data transfers must be encrypted

• CATSS website should use TLS (via https) and require multi-factor authentication

Web Services Security

• Security actions to consider (NIST 800-95):

–Replicate Data and Services to Improve Availability

•May require regular back-ups and alternate COOP locations to address DOS, faults, disruptions

–Use Logging of Transactions to Improve Non-repudiation and Accountability

• Hypothetical identifies logging of visits and pages

Web Services Security

• Security actions to consider (cont.):

– Use Threat Modeling and Secure Software Design Techniques to Protect from Attacks

– Use Performance Analysis and Simulation Techniques for End to End QoS and QoP

– Digitally Sign UDDI Entries to Verify the Author of Registered Entries

– Enhance Existing Security Mechanisms and Infrastructure

• Consider employing a database security, risk and compliance tool to enhance the security of this CATSS

Step 5: Security Authorization

• What is the security authorization process?

– New name for C&A, Step 5, set out in 800-37

• Security authorization package:

– Security plan

– Security assessment report

– Plan of action and milestones (POAM)

• Authorizing official makes risk-based decision, based on above, regarding information system’s authority to operate

Step 5: Security Authorization

• Who are the authorizing officials?

– Senior official or executive with the authority to formally assume responsibility for operating an IS at an acceptable level of risk to an organization’s operations, assets, individuals, other organizations, and the Nation.

– Same as DAA (CNSSI 4009)

Step 6: Continuous Monitoring

• Per OMB Memo 11-33

–For Agencies with a continuous monitoring program

• Security reauthorizations not required every three years or after “significant change”

• Rather, risk-based decisions should rely on results of continuous monitoring

– Effectiveness of deployed security controls

– Changes to info systems

– Compliance with laws, directives, policies, etc.

Questions?

Rick Aldrich, JD, CISSP

Booz | Allen | Hamilton

Aldrich_Richard@bah.com
