Information Security Rick Aldrich, JD, CISSP Booz | Allen | Hamilton [email protected]

PPS DC 11 PPT Aldrich.ppt


Page 1

Information Security

Rick Aldrich, JD, CISSP

Booz | Allen | Hamilton

[email protected]

Page 2

Overview (Fed Info Sys)

From NIST SP 800-60, Vol 1, Guide for Mapping Types of Information Systems to Security Categories

Page 3

Overview (NSS)

From CNSSP-22, Information Assurance Risk Management Policy for NSS

CATSS is not an NSS, so the remainder of the presentation addresses only federal information systems

Page 4

Step 1: Categorization

• Is vendor operated/maintained CATSS a “federal information system”?

• Yes, per 40 USC 11331:

–An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency

Page 5

Step 1: Categorization

• Per FIPS 199

–SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

– Impact can be Low, Moderate or High

–Must consider all information types on the information system

Page 6

System Categorization

• Impact values

–Low

• Loss of C-I-A could be expected to have a limited adverse effect on operations, assets, or individuals.

–Moderate

• … serious adverse effect …

–High

• … severe or catastrophic effect …

Page 7

Amplification

Low / Moderate / High

• Mission capability
 – Low: degraded, effectiveness noticeably reduced
 – Moderate: degraded, effectiveness significantly reduced
 – High: not able to perform one or more primary functions

• Organizational assets
 – Low: minor damage
 – Moderate: significant damage
 – High: major damage

• Financial loss
 – Low: minor loss
 – Moderate: significant loss
 – High: major loss

• Harm to individuals
 – Low: minor
 – Moderate: significant
 – High: loss of life or serious life-threatening injuries

Categories are logically “or”ed: meeting any one row’s description at a level is sufficient for that impact level

Page 8

Identify Information Types

• Based on the hypothetical (hypo), info types would include, for example:

–Personal Identity/Authentication Info type

–Payments Information type

Page 9

Assign Provisional Values for Info Types

• Based on NIST 800-60, vol. 2

–Personal Identity/Authentication Info type

• Security Category = {(confidentiality, Moderate), (integrity, Moderate), (availability, Moderate)}

–Payments Information type

• Security Category = {(confidentiality, Low/Moderate), (integrity, Moderate), (availability, Low)}

–Other types

Page 10

Assign System Security Category

• Based on NIST 800-60, vol. 1

–Select high water mark of aggregated information types on system

– In this case

–System is highest among C-I-A, so Moderate

• Personal ID/Authentication: Confidentiality Moderate, Integrity Moderate, Availability Moderate

• Payment: Confidentiality Low (Moderate), Integrity Moderate, Availability Low

• System: Confidentiality Moderate, Integrity Moderate, Availability Moderate
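The high-water-mark procedure above, as an added example that is not part of the presentation: FIPS 199 impact levels are ordered, each security objective takes the most severe level found across the information types on the system, and the system’s overall level is the highest among C-I-A. The CATSS dictionary is constructed from the slides’ provisional values; Payments confidentiality is taken as the adjusted Moderate shown in parentheses on the slide.

```python
# Added example (not from the presentation): FIPS 199 / SP 800-60 high-water-mark
# categorization of an information system from the information types it carries.
from typing import Dict

# FIPS 199 impact levels in increasing order of severity.
LEVELS = ("Low", "Moderate", "High")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water(*levels: str) -> str:
    """Return the most severe of the given impact levels (the 'logical OR' of the slides)."""
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level: {lvl!r}")
    return max(levels, key=LEVELS.index)


def system_category(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Per-objective high-water mark across all information types (SP 800-60 vol. 1)."""
    if not info_types:
        raise ValueError("an information system must carry at least one information type")
    return {obj: high_water(*(sc[obj] for sc in info_types.values())) for obj in OBJECTIVES}


def overall_impact(category: Dict[str, str]) -> str:
    """Collapse a system security category to one level: the highest among C-I-A."""
    return high_water(*(category[obj] for obj in OBJECTIVES))


def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


# Constructed from the CATSS hypothetical on the slides (SP 800-60 vol. 2 provisional values).
# Payments confidentiality appears there as "Low (Moderate)"; the adjusted value is used here.
CATSS_INFO_TYPES = {
    "Personal Identity/Authentication": {
        "confidentiality": "Moderate", "integrity": "Moderate", "availability": "Moderate"},
    "Payments": {
        "confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"},
}

if __name__ == "__main__":
    cat = system_category(CATSS_INFO_TYPES)
    print(format_category(cat))                      # every objective resolves to Moderate
    print("System impact level:", overall_impact(cat))  # Moderate
```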

Page 11

System Architecture

• Architecture description is also key to Step 1

–Key to understanding perimeter of the information system

–Plays a key role in selecting security controls in Step 2

• Increasing use of cloud computing introduces dynamic sub-systems and external sub-systems

Page 12

Steps 2, 3, 4: Security Controls

• What is the effect of determining the security category of the IS?

–Drives the security controls to be

• Selected (FIPS 200 and SP 800-53) under Step 2

• Implemented (SP 800-70) under Step 3

• Assessed (SP 800-53) under Step 4

Page 13

Select Controls per Impact Level

• Use 800-53 to

–Select initial Baseline Security Controls

– Tailor the Baseline Security Controls

• Scoping

• Compensating controls

• Organization-defined control parameters

–Coordinate with Authorizing official

–Obtain approval from Authorizing official

Page 14

Security Controls

• “Moderate” controls require, e.g.

– Info flow enforcement

–Separation of duties

– Least privilege

–Audit reduction and report generation

–Configuration change control

–Configuration management plan

–Access restrictions for change

–Alternate storage site

–Alternate processing site

Page 15

System Security Plan

• Per OMB A-11 and NIST 800-18, the plan has many inputs and outputs

Page 16

System Security Plan Template

1. Information System Name/Title

– Unique Identifier (OMB A-11)

2. Information System Categorization

3. Information System Owner

4. Authorizing Official

5. Other Designated Contacts

6. Assignment of Security Responsibility

7. Info System Operational Status

8. Info System Type

Page 17

System Security Plan Template (cont.)

9. General System Description/Purpose

10. System Environment

11. System Interconnections/Info Sharing

12. Related Laws/Regulations/Policies

13. Minimum Security Controls

14. IS Security Plan Completion Date

15. IS Security Plan Approval Date

Page 18

System Security Plan Review

• Who reviews the security plan?

– Senior Agency Information Security Officer

• Review at least annually for changes in

– information system owner

– information security representative

– system architecture

– system status

– system interconnections

– system scope

– authorizing official

– system authorization status

Page 19

E-Authentication

• Authentication is a Step 2 control

• Per NIST 800-63 and OMB 04-04

–Applies to remote authentication of users of Agency IT to conduct gov’t business

–Not applicable to NSS

–Two types of authentication

• Identity – confirming a unique person

• Attribute – confirming membership in a particular group (e.g., military veterans, US citizens)

Page 20

Assurance Levels

• Level 1 (no ID proofing req’t)

– Little or no confidence in the asserted identity’s validity

• Level 2 (single factor, PW or PIN)

– Some confidence …

• Level 3 (multi-factor, soft, hard or 1-time PW tokens)

– High confidence …

• Level 4 (multi-factor, hard tokens)

– Very high confidence …

Page 21

Determining Assurance Level

• Determining max impacts for each assurance level

From OMB 04-04

Page 22

Choosing Assurance Level

• Factors

–Access over Internet

–Access from PCs outside of Agency’s control

– Includes access to sensitive PII on 1M applicants

–Need to attribute as US citizen

• Chosen assurance level must be made public (website, Fed Reg, etc.)

Page 23

Encryption

• Encryption required for levels 3, 4

• Level 4 must use FIPS 140-2 validated encryption modules

–All sensitive data transfers must be encrypted

• CATSS website should use TLS (via https) and require multi-factor authentication

Page 24

Web Services Security

• Security actions to consider (NIST 800-95):

–Replicate Data and Services to Improve Availability

• May require regular back-ups and alternate COOP locations to address DoS, faults, disruptions

–Use Logging of Transactions to Improve Non-repudiation and Accountability

• The hypothetical identifies logging of visits and pages

Page 25

Web Services Security

• Security actions to consider (cont.):

– Use Threat Modeling and Secure Software Design Techniques to Protect from Attacks

– Use Performance Analysis and Simulation Techniques for End to End QoS and QoP

– Digitally Sign UDDI Entries to Verify the Author of Registered Entries

– Enhance Existing Security Mechanisms and Infrastructure

• Consider employing a database security, risk and compliance tool to enhance the security of this CATSS

Page 26

Step 5: Security Authorization

• What is the security authorization process?

– New name for C&A, Step 5, set out in 800-37

• Security authorization package:

– Security plan

– Security assessment report

– Plan of action and milestones (POAM)

• Authorizing official makes risk-based decision, based on above, regarding information system’s authority to operate

Page 27

Step 5: Security Authorization

• Who are the authorizing officials?

– Senior official or executive with the authority to formally assume responsibility for operating an IS at an acceptable level of risk to an organization’s operations, assets, individuals, other organizations, and the Nation.

– Same as DAA (CNSSI 4009)

Page 28

Step 6: Continuous Monitoring

• Per OMB Memo 11-33

–For Agencies with a continuous monitoring program

• Security reauthorizations not required every three years or after “significant change”

• Rather, risk-based decisions should rely on results of continuous monitoring

– Effectiveness of deployed security controls

– Changes to info systems

– Compliance with laws, directives, policies, etc.

Page 29

Questions?

Rick Aldrich, JD, CISSP

Booz | Allen | Hamilton

[email protected]