Module 1: Risk Management Framework (RMF)
Introduction
RMF Introduction
• Primarily for Federal Government
• Recommended for state, local, and tribal governments
• Easily adapted for private sector or non-profit
• Background
• A Risk Based Approach
• What is Certification and Accreditation
• What is the NIST Risk Management Framework
• What is Authorization
• Systems Security Approach
• Benefits
• External Drivers
History
• There is an obligation for each agency (or organization) to properly secure information.
• Computer Security Act 1987
  • OMB A-130 appendix III, implemented the act
• National Computer Security Center (NCSC)
  • NCSC-TG-029 Introduction to Certification and Accreditation by NSA in 1994
  • DoD, DITSCAP
  • NSA, NIACAP in 2000
• FISMA made law for Public Agencies
  • Federal Information Security Management Act 2002 (FISMA)
  • NIST created standards and guidelines for implementation
• DoD, DIACAP
  • DoD Instruction 8510.01 in 2007
  • Coming soon: Department of Defense Information Assurance Risk Management Framework (DIARMF)
Standards and Guidelines
• Public Law
  • Compulsory and binding
• Federal Information Processing Standards (FIPS)
  • Compulsory and binding
  • High level objectives
• NIST Special Publications (SP)
  • OMB requires federal agencies to follow certain SPs
  • Lower-level, more specific objectives
  • Some flexibility in how agencies apply guidance
• NISTIR and ITL bulletins are mandatory only when specified by OMB
• OMB policies, directives and memoranda
• DoD and CNSS Instructions
What is FISMA?
• E-Government Act (Public Law 107-347) passed and signed into law in December 2002
• Title III of the E-Government Act, Federal Information Security Management Act (FISMA) (44 USC § 351)
• Required for all government agencies
  • To develop, document, and implement an agency-wide information security program
  • To provide information security for the information and systems that support the operations and assets of the agency
• Applies to contractors and other sources
A Risk Based Approach
• Emphasize a risk-based policy for cost-effective security
  • FISMA
  • The Paperwork Reduction Act of 1995
  • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)
• Supported by Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources
• OMB defines adequate security as security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
FISMA Goals
• Secure Federal Government systems
• Understand risk to the mission at the organization-wide level
  • Consistent
  • Comparable
  • Repeatable
  • Complete
  • Reliable
  • Trustworthy
RMF a Common Foundation
• Collaboration
  • National Institute of Standards and Technology (NIST)
  • Office of the Director of National Intelligence (ODNI)
  • Department of Defense (DoD)
  • Committee on National Security Systems (CNSS)
  • Public (review and vetting)
• Common Foundation
  • Uniform and consistent risk management
  • Strong basis for reciprocal acceptance
  • Defense, Intelligence and Civil sectors
  • State, local and tribal governments
  • As well as contractors and private organizations
NIST’s role
• To develop and publish the standards and guidelines
• Work with interest groups
• Update the standards and guidelines
• http://csrc.nist.gov/
Risk Management Framework (RMF)
The six steps of the RMF:
• Categorize
• Select
• Implement
• Assess
• Authorize
• Monitor
Certification and Accreditation
“Certification and accreditation is the methodology used to ensure that security controls are established for an information system, that these controls are functioning appropriately, and that management has authorized the operation of the system in its current security posture.” - Official (ISC)2 Guide to the CAP CBK (1st ed.)
Information Assurance
“Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” - CNSS Instruction No. 4009
Changes
• Recent changes transform the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF)
• Revised process emphasizes
  • Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
  • Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
  • Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems
Term Transition
• Certification becomes Assessment
• Accreditation becomes Authorization
Assessment (Certification)
• Detailed security review of an information system
• Comprehensive assessment of:
  • Management security controls
  • Operational security controls
  • Technical security controls
• To determine the extent to which the controls are
  • Implemented correctly
  • Operating as intended
  • Producing the desired outcome
• Provides the factual basis for an authorizing official to render a security accreditation decision
Authorization (Accreditation)
• Authorization is the official management decision to operate
• Given by a senior agency official (management)
• The official should have the authority to oversee the budget and business operations of the information system
• Explicitly accepts the risk to
  • Operations
  • Assets
  • Individuals
• Accepts responsibility for the security of the system
• Fully accountable for the security of the system
Authorization
“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.” - NIST SP 800-37 Rev 1
Multi-tiered Approach
[Figure: the multi-tiered approach, showing the program level above the system level]
System Security Approach
• Security is not defined at the application, device, data or user level
• Security encompasses a system made up of applications, devices, data and users
• Easier and more cost effective to define ‘systems’ with boundaries and perimeters
• Implement controls based upon the system and not the entire enterprise
Benefits
• Information security visibility
• Management involvement
• Management due diligence
• Integrate security
• Consistent implementation
• Common goal
• Ensure minimum security
• Ensure proper controls in place
• Ensure risk-based controls
• Efficient use of resources and funds
Discussion
Why are Agencies riddled with security holes?
Source: http://www.fcw.com/Articles/2009/07/17/Web-GAO-FISMA-info-security.aspx
External Drivers
• Security Incidents
• Financial scandals
• Terrorist attacks
• Natural disasters
• Sarbanes-Oxley
• Health Insurance Portability and Accountability Act
• Gramm-Leach-Bliley Act
• Clinger-Cohen
• FISMA
• PCI
Example of external drivers:
http://gcn.com/articles/2011/07/06/cyber-attacks-take-2-energy-labs-offline.aspx
Review
What is the official management decision to operate?
A. Certification
B. Authorization
C. Risk Assessment
D. Responsibility
Review
What is a comprehensive assessment of management, operational, and technical security controls?
A. Certification
B. Accreditation
C. Risk Assessment
D. Authorization
Module 2: Building a Successful RMF Program
The Business Case
• What is the benefit to the organization?
  • Due diligence
  • Accountability
  • Implementation of risk management
  • Visibility of risk
  • Cost-effectiveness
• A strong business case will help enlist support
• The RMF program will help them meet their organizational needs, reach their goals and accomplish their mission
• Security and RMF are business enablers
RMF Goal Setting
• Typical project management
• Goals must be:
  • Realistic
  • Comprehensive
  • Integrated
  • Achievable
  • Effective
  • Supported
  • Enduring
• The organization’s management, culture, personality and security posture all play a part.
Establishing program tasks and milestones
• Typical project management
• Project management is the discipline of planning, organizing and managing resources to bring about the successful completion of specific project goals and objectives.
• A project is made up of multiple stages, tasks and milestones.
  • A milestone is the end of a stage that marks the completion of a work phase
  • A task is an activity that needs to be accomplished within a defined period of time
Overseeing Program Execution
• Constant measurement, metrics
• Ensure program requirements are being met
• Tracking process
• Need to have some way to enforce project management and include escalation
• A security oversight committee can provide oversight to the C&A program
Maintaining Program Visibility
• Need consistent management support
• Without management support people will not fulfill their obligations to the project
• Without management support you will not have access to needed resources and funding
• The Chief Information Security Officer (CISO) can keep the program visible by giving regular updates to C-level management
Resources
• What types of resources might the project need?
  • Funds, money, budget
  • People, man-hours
  • Processes
  • Technology
  • Outside expertise
  • Training
  • Automated tools
• Use realistic requirements
Developing Guidance
• Document what the program is
• Document how you plan to implement it
• Sample documents
  • Policies
  • Standards
  • Guidelines
  • Procedures
• Should meet organizational business needs
• Describe the process
• Precise, clear and brief
Sample RMF (C & A) Policy
Reference: http://www.tess-llc.com/Certification%20&%20Accreditation%20PolicyV4.pdf
RMF Guidance Development Life Cycle
Life-cycle for the development of the documentation for the RMF process:
• Development
  • Creation
  • Review
  • Approval
• Implementation
  • Communication
  • Compliance
  • Exceptions
• Maintenance
  • Awareness
  • Monitoring
  • Enforcement
  • Maintenance
• Disposal
  • Retirement
Guidance Caution
• Too many rules limit the latitude and innovation that may be needed at lower levels
• Long, cumbersome guidance documents will be ignored
• Limits agility
• Should be easy to access
  • Intranet site
  • System administrators need to use it regularly
Program Integration
• Security needs to be baked into the organization
• C & A program should integrate with other organizational programs, processes and activities
• For example
  • Integrate with human resources for background checks
  • Guard service for physical security
  • Accounting for procurement and budget
Establishing RMF Points of Contact
• Chief Information Security Officer (CISO) is directly responsible.
• Other key players
  • System Owners
  • C & A Workgroup
  • Security Steering Committee
  • IT administrators
• Key areas of knowledge for organizations
  • Operations
  • Hierarchy
  • Management
  • Strategies
  • Initiatives
Measuring Progress
• Need to have a method for measuring progress and effectiveness.
• Dashboard for an overall status and where additional resources are needed.
• Scope
  • Tasks
  • Type and number of systems
  • Risk
  • Sensitivity & Criticality
• Time
  • Effort
  • Improvements
• Budget
  • Cost
Tracking Program Activities
• Keep your eyes on the road
• Know where you are
• Determine potential hazards (Problem forecasting)
• Determine outside influences (Track external projects)
• Keep people informed (Reporting)
• Know what you have (Resource monitoring)
Tracking and Monitoring Compliance
• How do you hit a moving target?
• Maintenance Phase (keep your guard up)
  • Updates and maintenance (systems and documentation)
• Plan of Action and Milestones (POA&M)
  • Open items that need to be addressed (mitigation)
• Recertification Triggers or Reassessment Risk
  • New Vulnerabilities
  • New Risks
  • Environment changes
  • Control failure
  • Audit findings
Providing Advice & Assistance
• Need to strive for a consistent approach within the program
• Multiple systems and system owners (Enterprise wide)
• Maintain flexibility for individual systems
• Seek advice of professionals
• Take suggestions
• Document understandings
Responding to Change
• Need a process to know when a change has been made that will affect the risk of a system
• Is the change a material change?
  • Significant changes modify the risk to the system
• Recertification Triggers or Reassessment Risk
  • New Vulnerabilities (major ones, possibly; minor ones are handled by patch management)
  • New Risks (brought about by changes)
  • Environment changes (Application or OS change)
  • Control failure (Controls not working as intended)
  • Audit findings (Missing controls)
Program Awareness, Training and Education
• In order to maintain the RMF program
  • Constant reminders – awareness
  • Training – program training – depending on role
  • Education – security and RMF related continuing education
• Possible to integrate with other training and awareness programs within the organization
• Track training
Use of Expert Systems
• Automated tools
• Tracking systems
• RMF document management systems
• Audit log management
• Dashboards
• Intrusion Prevention Systems
• Etc.
Waivers and Exceptions to Policy
• There needs to be a process to handle exceptions
  • How will you consider waivers?
  • Who makes the decision?
  • Can the decision be made in a timely fashion?
  • How will the decision be documented?
  • Does the system owner accept the risk?
• RMF is not supposed to be a paper exercise.
• RMF is based on risk!
• RMF helps the organization meet its goals.
• Waivers should be based on business need.
Summary
• Business Case
• Setting up the program
• Establishing tasks, milestones and goals
• Resources
• Program Integration
• Program Phases
• Points of contact
• Measuring results
• Tracking progress
• Education, training and awareness
• Exceptions and waivers
Class Discussion
• What are some of the tools you use or would use to help your organization have an effective RMF program?
• Should all agencies use the same processes and tools to implement an RMF program?
• What would you say to a manager who thinks RMF is a waste of time and money?
• You are responsible for the RMF program for your organization. What things would you do to ensure the program was successful?
Module 3: Risk Management Framework
Roles & Responsibilities
RMF Roles and Responsibilities
Roles and Responsibilities
• Head of Agency or CEO
• Risk Executive (function)
• Chief Information Officer (CIO)
• Chief Information Security Officer (CISO)
• Information Owner/Custodian
• Information System Owner (System Owner)
• Information Systems Security Officer (ISSO)
• Security Control Assessor (Certifying Agent)
• Authorizing Official (AO)
• Approving Authority (AA)
• Common Control Provider
• Approving Authority Designated Representative
Roles and Responsibilities (cont.)
• Auditor
• System Administrator/Manager
• Business Unit Manager
• Project Manager
• Risk Analyst
• Facility Manager
• Executive Management
• Authorization Advocate
• User Representative
• Information Security Architect
• Information Systems Security Engineer
Head of Agency
• Head of Agency or Chief Executive Officer (CEO)
• Highest level senior official or executive
• Overall responsibility to provide information security
• Ensure security is commensurate with risk to the organization
• Responsible for security of 3rd party use or operation of systems
• Responsible to ensure security is integrated into strategic and operational planning
• Responsible to ensure personnel are trained sufficiently
• Establish appropriate accountability and commitment to create a climate that promotes due diligence
Risk Executive Function
• Looks at risk from the program level
• Organization-wide perspective
• Overall strategic goals and objectives
• Risk to the organization’s mission
• Creates a consistent risk management approach (organization-wide)
• Addresses the organization’s risk tolerance (risk appetite)
• Provides oversight
• Provides sharing of risk related information
Chief Information Officer (CIO)
• Overall responsibility for organization’s security
• Delegates authority to SISO
• Provision resources
• Provide oversight
• Maintain visibility
• Develop and maintain policies
• Assists executive level officials concerning security responsibilities
• CIO and AO allocate appropriate resources to the system
• Government employee only
“The Chief Information Officer, with the support of the senior agency information security officer, works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities.” - NIST SP 800-37
Senior Information Security Officer (SISO)
• AKA:
  • Senior Agency Information Security Officer (SAISO)
  • Chief Information Security Officer (CISO)
• Senior manager in charge of Information Security
• Accountable for most aspects of security within an organization
• Liaison between CIO and other roles
• Security is primary duty
• Head of the RMF program within the organization
  • Establish the program
  • Enforce the program
• Responsible for the success of an RMF program
• Government employee only
• May serve as AO Designated Representative or security control assessor
Information Owner / Steward
• Agency official with statutory management or operational authority for specific information
• Establish rules of behavior for that information
• Establish policies and procedures for
  • Generation
  • Collection
  • Processing
  • Dissemination
  • Disposal
  • Retention
• Provide input to information system owners on protection requirements
Authorizing Official (AO)
• Also Known As: Designated Approving Authority (DAA or DAO)
• Senior management
• Formally accepts responsibility for operating an information system and accepts residual risk to the system
• Must be a Government Employee
• May have a designated representative that can do everything but sign or decide Accreditation
• Typically have budgetary oversight
• Responsible for the mission and/or business operations supported by the system
• Accountable for security of system
• A system may have multiple AOs
“A senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.” - NIST SP 800-37
Authorizing Official Designated Representative
• Acts on behalf of an Authorizing Official
• Handles day to day activities
• Can be empowered for certain decisions
  • Approve system security plans
  • Approve monitoring
  • Implement Plan of Action and Milestones (POA&M)
  • Complete authorization package
• The only thing the designated representative cannot do is make the authorization decision and sign the authorization document
Information System Owner
• Also Known As: System Owner or IT Manager
• Coordinate with information owner on user access
• Primary responsibility for the system
• Full lifecycle of the system
• Often it is the IT department
• Ensuring compliance with policies
“Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.” - NIST SP 800-37
System Administrator (SA)
• In charge of the day-to-day operation and administration
• Implements technical and operational controls
• IT administrators
• Separation of duties from ISSO
• Implement hardware changes
• Implement software changes
• Backups
• Monitoring
• Maintenance
“Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.” - CNSS Instruction No. 4009
Information Systems Security Officer (ISSO)
• Principal advisor to the AO
• Serves as an agent to the information system owner
• Monitors day to day security on the system
• Coordinates with physical security, personnel security, incident handling and security awareness.
• May not actually touch the system
• Close collaboration with information system owner
• Assess security impact of changes to the system
“The information system security officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.” - NIST SP 800-37
Auditor
• Provides an independent (unbiased) assessment
• Assess controls
• Assess program
• Ensures documentation is adequate
• Weaknesses identified
• Corrective actions specified
• Examples:
  • Security Control Assessor
  • Inspector General
Inspector General (IG)
• Program level audit
• Ensure compliance with FISMA and other government policies
• Provides independent (unbiased) assessment of the RMF program
• Looks at individual program components
• Ensures documentation is adequate
• Weaknesses identified
• Corrective actions specified
• IG findings may get press
Security Control Assessor
• AKA: Certification Agent or Certifying Agent
• Independent authority
• Impartial and unbiased (separation of duties)
• Measures effectiveness and completeness of controls at the system level
• Level of independence based upon risk to system
The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. - NIST SP 800-37
Other Roles
• Common Control Provider
  • Individual or group responsible for the development, implementation, monitoring and assessment of common controls
  • Agency-wide, center-wide, campus-wide, building-wide
• Information Security Architect
  • Ensures security has been adequately addressed in all aspects of the enterprise architecture
• Information Systems Security Engineer
  • Ensures security requirements are effectively integrated into information technology
IT Security Program Steering Committee
• Provides high-level oversight
• Provides direction
• Indirect supervision
• Advisory group to the program
• Does not exercise authority
Business Unit Manager
• Responsible for the mission and/or business operations
• Often functions as information owner or AO
• Might be a higher level manager or director
• Disseminate security information to subordinates
• Report security incidents to higher management
• Respond to security incidents
• Determine resources
• Set priorities
Project Manager
• May work for the system owner for complex system security plans
• May aid the CIO or CISO in the overall program implementation
Facility Manager
• Responsible for physical security
• Responsible for environmental controls
Executive Management
• Crucial role
• Establish policy
• Enforce policy
• Allocate resources
• Maintain visibility of program
User Representative
• Represents a user group or community
• Looks out for the interests of users
• “The person that defines the system’s operational and functional requirements, and who is responsible for ensuring that user operational interests are met throughout the systems authorization process.”
DoD Specific Roles
• Information Assurance Manager
  • Individual responsible for the information assurance of a program, organization, system, or enclave.
  • AKA: Information Systems Security Manager (ISSM)
• Information Assurance Officer
  • Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program.
  • AKA: Information Systems Security Officer (ISSO)
CIRT
• Computer Incident Response Team
• Group of individuals usually consisting of Security Analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents.
• AKA
  • Cyber Incident Response Team (CIRT)
  • Computer Security Incident Response Team (CSIRT)
  • Computer Incident Response Center (CIRC)
  • Computer Incident Response Capability (CIRC)
Delegation of Roles
“At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and authorizing official. The Chief Information Officer and authorizing official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles.” - NIST SP 800-37
Support Hierarchy
[Figure: organizational support hierarchy. The Head of Agency (CEO), the Risk Executive Function and the AO sit at the top; the Audit, Security, IT and Business Unit columns run from the Program Level, through a Middle Tier, down to the System Level, all in support of the Mission. Roles shown: IG, IA, SCA, SISO, ISSM, ISSO, CIO, SO, SA, BUM, IO and EU. The figure also carries an "Independence" label.]
DoD and NIST
Role mapping between DoDI 8510.01 & 8500.2 and SP 800-37 Rev 1:

DoDI 8510.01 & 8500.2 | SP 800-37 Rev 1
Head of DoD Components | Head of Agency (CEO)
Principal Accrediting Authority (PAA) | Risk Executive Function and/or Approving Authority (AA)
Senior Information Assurance Officer (SIAO) | Senior Information Security Officer (SISO)
Designated Accrediting Authority (DAA) | Approving Authority (AA)
Systems Manager | Common Control Provider and/or Systems Owner
Program Manager | Common Control Provider and/or System Owner
Information Assurance Manager (IAM) | ISSO and/or SISO
Information Assurance Officer (IAO) | Information Systems Security Officer (ISSO)
Certification Agent | Security Control Assessor
Discussion
Who is best suited for the role of Authorization Official?
Documenting roles and responsibilities
• Document contact information for each role
• In other documents, refer to the roles, not the person
• Letters of appointment
• May create contact database
Sample System Security Plan from Centers for Disease Control and Prevention
Job descriptions
• Describe responsibilities
• Don’t forget the C & A responsibilities
• Outline expectations of performance
• Used for accountability
Position sensitivity designations
• Some key roles should be designated highly sensitive
  • People who know security of the system
  • People who know the controls
  • People with knowledge of the security posture
• Need trustworthy people
• Avoid frequent turnover
Personnel transitions
• Make sure individuals have adequate replacements before they leave, if possible
• Overlapping, smooth transition
• Acclimatize the individual with the C & A process and organizational specifics
• Make sure they understand their new roles and responsibilities
Time requirements
• RMF duties do not require full time, unless you dedicate the tasks
• Collateral duties to normal ones
• Dedicated employees help with consistency
• Size of the organization
• Number of systems
Expertise requirements
• Skills and abilities
  • Project management
  • System development life-cycle
  • Technical controls
  • Operational controls
  • IT terminology
  • Security terminology
• Clear background
• Administrative skills – technical writing skills
• Certifications like CAP, CISSP, CISA, CISM
Using contractors
• Want to have stability in the following positions, thus employees are preferred
  • CIO, CISO
  • System Owner
  • AO
  • ISSO
• Need for independence; often contractors are used for certifying agent
• Contractors can make for effective partners
• Need to have background checks, statements of work, contracts and timetables
Routine duties
• Scheduling
• Reporting
• Providing advice
• Meetings
• Quality control
• Monitor compliance
• Intermediary
• Offer solutions
• Educate and train
• Systems development
• Explain technical issues to non-technical management
Organizational skills
• Well organized
• Proficient in RMF and C & A
• Project management skills
  • Scheduling
  • Task lists
  • Meeting notes
  • Manage email
Certifications
[Figure: certifications (CISSP, CISM, CISSP-ISSMP, CAP, CISA, GSNA, SSCP, CASP, Security+, CISSP-ISSEP/ISSAP, CSSLP) arranged by domain: Management / Risk, Audit, Software Dev, Network / Communications]
(ISC)2 Certifications
• (ISC)2 International Information Systems Security Certification Consortium, Inc.
• Website: www.isc2.org
• Certifications
  • Associate of (ISC)²
  • SSCP: Systems Security Certified Practitioner
  • CAP: Certified Authorization Professional
  • CSSLP: Certified Secure Software Lifecycle Professional
  • CISSP: Certified Information Systems Security Professional
  • CISSP Concentrations: ISSEP, ISSAP, ISSMP
• Professional Certification: (ISC)2 certifications require ongoing continuing education to maintain certification.
ISACA Certifications
• Information Systems and Control Association (ISACA)
• Certifications
  • CISA: Certified Information Systems Auditor
  • CISM: Certified Information Systems Manager
  • CGEIT: Certified in the Governance of Enterprise IT
  • CRISC: Certified in Risk and Information Systems Control
• Website: www.isaca.org
• Professional Certification: ISACA certifications require ongoing continuing education to maintain certification.
CompTIA Certifications
• Website: www.comptia.org
• Certifications
  • A+ - Computer Support Technician
  • Network+ - Network Support Technician
  • Security+ - Entry level security certification
  • CASP - CompTIA Advanced Security Practitioner
  • RFID+ - RFID professionals
  • CTT+ - Certified Technical Trainer
  • Project+ - IT Project Management
  • Others: Server+, Linux+, CTP+, CDIA+, PDI+
SANS Institute Certifications
• Website: www.giac.org
• Certifications: GIAC (Global Information Assurance Certification)
  • GSNA (GIAC Systems and Network Auditor)
  • G7799 (GIAC Certified ISO-17799 Specialist)
  • GCFE (GIAC Certified Forensics Examiner)
  • GCFA (GIAC Certified Forensic Analyst)
  • GREM (GIAC Reverse Engineering Malware)
  • GLEG (GIAC Legal Issues)
  • GISP (GIAC Information Security Professional)
  • GCPM (GIAC Certified Project Manager Certification)
  • GISF (GIAC Information Security Fundamentals)
SANS Institute Certifications (cont.)
• Website: www.giac.org
• Certifications: GIAC (Global Information Assurance Certification)
  • GSEC (GIAC Security Essentials Certification)
  • GWAPT (GIAC Web Application Penetration Tester)
  • GCED (Certified Enterprise Defender)
  • GCFW (GIAC Certified Firewall Analyst)
  • GCIA (GIAC Certified Intrusion Analyst)
  • GCIH (GIAC Certified Incident Handler)
  • GCWN (GIAC Certified Windows Security Administrator)
  • GCUX (GIAC Certified UNIX Security Administrator)
  • GPEN (GIAC Certified Penetration Tester)
  • GAWN (GIAC Assessing Wireless Networks)
SCP Certifications
• Security Certified Program (SCP)
• Website: www.securitycertified.net
• Certifications:
  • SCNS - Security Certified Network Specialist
  • SCNP - Security Certified Network Professional
  • SCNA - Security Certified Network Architect
Inspector General Institute
• Association of Inspectors General
• Website: http://inspectorsgeneral.org
• Certifications:
  • Certified Inspector General (CIG)
  • Certified Inspector General Auditor (CIGA)
  • Certified Inspector General Investigator (CIGI)
• Recognized by the National Association of State Boards of Accountancy (NASBA)
DoDD 8570
All IA (Information Assurance) jobs will require certification.

Level | Qualifying Certifications
CND Analyst | GCIA, CEH
CND Infrastructure Support | SSCP, CEH
CND Incident Responder | GCIH, GSIH, CEH
CND Auditor | CISA, CEH, GSNA
CND-SP Manager | CISM, CISSP-ISSEP
Organizational placement of the RMF function
• Where will it be able to be the most effective?
• Reach the highest and lowest parts of the organizational chart
• As wide as the enterprise
• CISO may work for the CIO, or for the COO to preserve whistle-blower independence
Key Agencies & Organizations
• Office of Management and Budget (OMB)
• Department of Homeland Security (DHS)
• National Institute of Standards and Technology (NIST)
• Office of the Director of National Intelligence (ODNI)
• Department of Defense (DoD)
• Defense Information Systems Agency (DISA)
• Committee on National Security Systems (CNSS)
• National Security Council (NSC)
• National Security Telecommunication and Information Systems Security Committee (NSTISSC)
• U.S. Government Accountability Office (GAO)
• Office of the Inspector General (OIG)
• CIO.gov
Department of Homeland Security (DHS)
Oversees critical infrastructure protection
Operates the United States Computer Emergency Readiness Team (US-CERT)
Oversees implementation of the Trusted Internet Connection initiative
Has primary responsibility within the executive branch for the operational aspects of Federal agency cybersecurity (FISMA)
Subject to general OMB oversight
DHS FISMA Activities Overseeing:
the government-wide and agency-specific implementation of and reporting on cybersecurity policies and guidance
government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity
the agencies’ compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report
the agencies’ cybersecurity operations and incident response and providing appropriate assistance
annually reviewing the agencies’ cybersecurity programs
Office of Management and Budget (OMB)
Leads the interagency process for cybersecurity strategy and policy development (Cybersecurity Coordinator)
Responsible for the submission of the annual FISMA report to Congress
Responsible for the development and approval of the cybersecurity portions of the President’s Budget
Provides oversight
Cyber Command Mission
USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks; and prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.
CNSS
The Committee on National Security Systems
In existence since 1953
Formerly named the National Security Telecommunications and Information Systems Security Committee (NSTISSC)
Establishes requirements pertaining to National Security Systems
“The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.”
Summary People are the most important part of the process
The right people make the program
Class Discussion: Roles & Responsibility
What are some of the biggest challenges within your current role?
How would you respond to a BUM, information owner or AO who says RMF is an IT issue and that he/she does not need to be involved?
If staffing is an issue, what roles would you combine? Which roles would you not combine?
In order to have a successful RMF program, you have been tasked to make an education system for your organization. What are some key features you would include?
Why are certifications important for staff with roles and responsibilities in the RMF?
Module 4: Planning for Security
“You got to be careful if you don’t know where you’re going, because you might not get there.” -- Yogi Berra
Learning Objectives
Upon completion of this module, you should be able to:
Recognize the importance of planning and describe the principal components of organizational planning
Know and understand the principal components of information security system implementation planning as it functions within the organizational planning scheme
Introduction
Successful organizations utilize planning
Planning involves:
Employees
Management
Stockholders
Other outside stakeholders
Physical environment
Political and legal environment
Competitive environment
Technological environment
Introduction (Continued)
Strategic planning includes:
Vision statement
Mission statement
Strategy
Coordinated plans for sub-units
Knowing how the general organizational planning process works helps in the information security planning process
Introduction (Continued)
Planning:
Is creating action steps toward goals, and then controlling them
Provides direction for the organization’s future
Top-down method: Organization’s leaders choose the direction
Planning begins with the general and ends with the specific
Figure 1: Information Security Planning
Components of Organizational Planning: The Mission Statement
Mission statement: Declares the business of the organization and its intended areas of operations
Explains what the organization does and for whom
Example: Random Widget Works, Inc. designs and manufactures quality widgets, associated equipment and supplies for use in modern business environments
Components of Organizational Planning: Vision Statement
Vision statement: Expresses what the organization wants to become
Should be ambitious
Example: Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use
Components Of Organizational Planning: Values
By establishing organizational principles in a values statement, an organization makes its conduct standards clear
Example: RWW values commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments.
The mission, vision, and values statements together provide the foundation for planning
Components Of Organizational Planning: Strategy
Strategy is the basis for long-term direction
Strategic planning:
Guides organizational efforts
Focuses resources on clearly defined goals
“… strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organization is, what it does, and why it does it, with a focus on the future.”
Planning for the Organization
Organization:
Develops a general strategy
Creates specific strategic plans for major divisions
Each level of division translates those objectives into more specific objectives for the level below
In order to execute this broad strategy, executives must define individual managerial responsibilities
Strategic Planning
Strategic goals are then translated into tasks with specific, measurable, achievable, reasonably high and time-bound objectives (SMART)
Strategic planning then begins a transformation from general to specific objectives
Planning Levels
Tactical Planning
Shorter focus than strategic planning
Usually one to three years
Breaks applicable strategic goals into a series of incremental objectives
Planning Levels (Continued)
Operational Planning
Used by managers and employees to organize the ongoing, day-to-day performance of tasks
Includes clearly identified coordination activities across department boundaries such as:
Communications requirements
Weekly meetings
Summaries
Progress reports
Typical Strategic Plan Elements
Introduction by senior executive
Executive Summary
Mission Statement and Vision Statement
Organizational Profile and History
Strategic Issues and Core Values
Program Goals and Objectives
Management/Operations Goals and Objectives
Appendices (optional): Strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets, etc.
Tips For Planning
Create a compelling vision statement that frames the evolving plan, and acts as a magnet for people who want to make a difference
Embrace the use of a balanced scorecard approach
Deploy a draft high-level plan early, and ask for input from stakeholders in the organization
Make the evolving plan visible
Tips For Planning (Continued)
Make the process invigorating for everyone
Be persistent
Make the process continuous
Provide meaning
Be yourself
Lighten up and have some fun
Planning For Information Security Implementation
The CIO and CISO play important roles in translating overall strategic planning into tactical and operational information security plans
The CISO plays a more active role in the development of the planning details than does the CIO
The Systems Development Life Cycle (SDLC)
SDLC: methodology for the design and implementation of an information system
SDLC-based projects may be initiated by events or planned
At the end of each phase, a review occurs when reviewers determine if the project should be continued, discontinued, outsourced, or postponed
Figure 2-8: Feasibility
Figure 2-9: Phases of an SDLC
Investigation
Identifies the problem to be solved
Begins with the objectives, constraints, and scope of the project
A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate costs for those benefits
Analysis
Begins with information from the Investigation phase
Assesses the organization’s readiness, its current systems status, and its capability to implement and then support the proposed system(s)
Analysts determine what the new system is expected to do, and how it will interact with existing systems
Logical Design
Information obtained from analysis phase is used to create a proposed solution for the problem
A system and/or application is selected based on the business need
The logical design is the implementation independent blueprint for the desired solution
Physical Design
During the physical design phase, the team selects specific technologies
The selected components are evaluated further as a make-or-buy decision
A final design is chosen that optimally integrates required components
Implementation
Develop any software that is not purchased, and create integration capability
Customized elements are tested and documented
Users are trained and supporting documentation is created
Once all components have been tested individually, they are installed and tested as a whole
Maintenance
Tasks necessary to support and modify the system for the remainder of its useful life
System is tested periodically for compliance with specifications
Feasibility of continuance versus discontinuance is evaluated
Upgrades, updates, and patches are managed
When the current system can no longer support the mission of the organization, it is terminated and a new systems development project is undertaken
The Security Systems Development Life Cycle (SecSDLC)
May differ in several specifics, but overall methodology is similar to the SDLC
SecSDLC process involves:
Identification of specific threats and the risks that they represent
Subsequent design and implementation of specific controls to counter those threats and assist in the management of the risk those threats pose to the organization
Investigation in the SecSDLC
Often begins as a directive from management specifying the process, outcomes, and goals of the project and its budget
Frequently begins with the affirmation or creation of security policies
Teams are assembled to analyze problems, define scope, specify goals and identify constraints
Feasibility analysis determines whether the organization has the resources and commitment to conduct a successful security analysis and design
Analysis in the SecSDLC
A preliminary analysis of existing security policies or programs is prepared along with known threats and current controls
Includes an analysis of relevant legal issues that could affect the design of the security solution
Risk management begins in this stage
Risk Management
Risk Management: process of identifying, assessing, and evaluating the levels of risk facing the organization
Specifically the threats to the information stored and processed by the organization
To better understand the analysis phase of the SecSDLC, you should know something about the kinds of threats facing organizations
In this context, a threat is an object, person, or other entity that represents a constant danger to an asset
Key Terms
Attack: deliberate act that exploits a vulnerability to achieve the compromise of a controlled system
Accomplished by a threat agent that damages or steals an organization’s information or physical asset
Exploit: technique or mechanism used to compromise a system
Vulnerability: identified weakness of a controlled system in which necessary controls are not present or are no longer effective
Threats to Information Security
Some Common Attacks
• Malicious code
• Hoaxes
• Back doors
• Password crack
• Brute force
• Dictionary
• Denial-of-service (DoS) and distributed denial-of-service (DDoS)
• Spoofing
• Man-in-the-middle
• Spam
• Mail bombing
• Sniffer
• Social engineering
• Buffer overflow
• Timing
Risk Management
Use some method of prioritizing the risk posed by each category of threat and its related methods of attack
To manage risk, you must identify and assess the value of your information assets
Risk assessment assigns a comparative risk rating or score to each specific information asset
Risk management identifies vulnerabilities in an organization’s information systems and takes carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in the organization’s information system
Design in the SecSDLC
Design phase actually consists of two distinct phases:
Logical design phase: team members create and develop a blueprint for security, and examine and implement key policies
Physical design phase: team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final design
Security Models
Security managers often use established security models to guide the design process
Security models provide frameworks for ensuring that all areas of security are addressed
Organizations can adapt or adopt a framework to meet their own information security needs
Policy
A critical design element of the information security program is the information security policy
Management must define three types of security policy:
General or security program policy
Issue-specific security policies
Systems-specific security policies
SETA
Another integral part of the InfoSec program is the security education and training program
SETA program consists of three elements: security education, security training, and security awareness
Purpose of SETA is to enhance security by:
Improving awareness
Developing skills and knowledge
Building in-depth knowledge
Design
Attention turns to the design of the controls and safeguards used to protect information from attacks by threats
Three categories of controls:
Managerial
Operational
Technical
Managerial Controls
Address the design and implementation of the security planning process and security program management
Management controls also address:
Risk management
Security control reviews
Operational Controls
Cover management functions and lower-level planning including:
Disaster recovery
Incident response planning
Operational controls also address:
Personnel security
Physical security
Protection of production inputs and outputs
Technical Controls
Address those tactical and technical issues related to designing and implementing security in the organization
Technologies necessary to protect information are examined and selected
Contingency Planning
Essential preparedness documents provide contingency planning (CP) to prepare for, react to and recover from circumstances that threaten the organization:
Incident response planning (IRP)
Disaster recovery planning (DRP)
Business continuity planning (BCP)
Physical Security
Physical Security: addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization
Physical resources include:
People
Hardware
Supporting information system elements
Implementation in the SecSDLC
Security solutions are acquired, tested, implemented, and tested again
Personnel issues are evaluated and specific training and education programs conducted
Perhaps the most important element of the implementation phase is management of the project plan:
Planning the project
Supervising tasks and action steps within the project
Wrapping up the project
InfoSec Project Team
Should consist of individuals experienced in one or multiple technical and non-technical areas including:
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users
Staffing the InfoSec Function
Each organization should examine the options for staffing of the information security function
1. Decide how to position and name the security function
2. Plan for proper staffing of the information security function
3. Understand the impact of information security across every role in IT
4. Integrate solid information security concepts into the personnel management practices of the organization
InfoSec Professionals
It takes a wide range of professionals to support a diverse information security program:
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Security Managers
Security Technicians
Data Owners
Data Custodians
Data Users
Certifications
Many organizations seek professional certification so that they can more easily identify the proficiency of job applicants:
CISSP
SSCP
GIAC
SCP
ICSA
Security+
CISM
Maintenance and Change in the SecSDLC
Once information security program is implemented, it must be operated, properly managed, and kept up to date by means of established procedures
If the program is not adjusting adequately to the changes in the internal or external environment, it may be necessary to begin the cycle again
Maintenance Model
While a systems management model is designed to manage and operate systems, a maintenance model is intended to focus organizational effort on system maintenance:
External monitoring
Internal monitoring
Planning and risk assessment
Vulnerability assessment and remediation
Readiness and review
ISO Management Model
One issue planned in the SecSDLC is the systems management model
ISO management model contains five areas:
Fault management
Configuration and name management
Accounting management
Performance management
Security management
Security Management Model
Fault Management involves identifying and addressing faults
Configuration and Change Management involves administration of components involved in the security program and administration of changes
Accounting and Auditing Management involves chargeback accounting and systems monitoring
Performance Management determines if security systems are effectively doing the job for which they were implemented
Security Program Management
Once an information security program is functional, it must be operated and managed
In order to assist in the actual management of information security programs, a formal management standard can provide some insight into the processes and procedures needed
This could be based on the BS7799/ISO17799 model or the NIST models described earlier
Summary
Introduction
Components of Organizational Planning
Planning for Information Security Implementation
Module 5: Information Security and Risk Management
Objectives
How security supports organizational mission, goals and objectives
Risk management
Security management
Personnel security
Mission
Statement of its ongoing purpose and reason for existence.
Usually published, so that employees, customers, suppliers, and partners are aware of the organization’s stated purpose.
Should influence how we will approach the need to protect the organization’s assets.
Example Mission Statements
“Promote professionalism among information system security practitioners through the provisioning of professional certification and training.” - (ISC)²
“Help civilize the electronic frontier; to make it truly useful and beneficial not just to a technical elite, but to everyone; and to do this in a way which is in keeping with our society's highest traditions of the free and open flow of information and communication.” – Electronic Frontier Foundation
Example Mission Statements (cont.)
“Empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally.” – Wikimedia Foundation
Objectives
Statements of activities or end-states that the organization wishes to achieve.
Support the organization’s mission and describe how the organization will fulfill its mission.
Observable and measurable. Do not necessarily specify how they will be completed, when, or by whom.
Example Objectives
“Improve security audit results.”
“Develop a security awareness strategy.”
“Consolidate computer account provisioning processes.”
Goals
Specify the particular accomplishments that will enable the organization to meet its objectives.
Measurable, observable, objective; support the mission and objectives
Example Goals
“Obtain ISO 27001 certification by the end of third quarter.”
“Reduce development costs by twenty percent in the next fiscal year.”
“Complete the integration of CRM and ERP systems by the end of November.”
Security Support of Mission, Objectives, and Goals
Influence development of mission, objectives, goals
Become involved in key activities
Risk management provides feedback
Risk Management
“The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.” – Wiktionary
Risk assessments
Risk treatment
Qualitative Risk Assessment
For a given scope of assets, identify:
Vulnerabilities
Threats
Threat probability (Low / medium / high)
Impact (Low / medium / high)
Countermeasures
Quantitative Risk Assessment
Extension of a qualitative risk assessment. Metrics for each risk are:
Asset value
Exposure Factor (EF): portion of the asset damaged
Single Loss Expectancy (SLE) = Asset value ($) x EF (%)
Annualized Rate of Occurrence (ARO): probability of loss in a year, %
Annual Loss Expectancy (ALE) = SLE x ARO
Quantifying Countermeasures
Goal: reduction of ALE (or the qualitative losses)
Impact of countermeasures:
Cost of countermeasure
Changes in Exposure Factor (EF)
Changes in Single Loss Expectancy (SLE)
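A worked computation of the SLE/ALE formulas from the previous slide and of the countermeasure comparison on this one, written here as an added example (it is not part of the course material); the database asset, its values and both countermeasures are constructed.

```python
"""Quantitative risk assessment and countermeasure evaluation.

Added worked example; it is not part of the original course slides. It applies
the formulas the slides give (SLE = asset value x EF, ALE = SLE x ARO) and
compares ALE before and after a countermeasure, net of the countermeasure's
annual cost. Every asset value, factor and cost below is constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # replacement/repair cost in dollars
    exposure_factor: float  # EF: fraction of the asset lost in one incident (0.0-1.0)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost in one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: expected dollars lost per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # lowers damage per incident
    new_aro: Optional[float] = None              # lowers how often incidents occur

    def apply(self, risk: Risk) -> Risk:
        """The same risk with EF and/or ARO replaced by the countermeasure's values."""
        ef = risk.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = risk.aro if self.new_aro is None else self.new_aro
        return replace(risk, exposure_factor=ef, aro=aro)


def net_annual_benefit(risk: Risk, cm: Countermeasure) -> float:
    """ALE reduction minus the countermeasure's yearly cost.

    Positive: the control saves more than it costs. Negative: the reduced loss
    does not pay for the control, so another treatment (accept, transfer,
    avoid) may be the better choice.
    """
    return risk.ale() - cm.apply(risk).ale() - cm.annual_cost


def rank_countermeasures(risk: Risk, options: List[Countermeasure]) -> List[Countermeasure]:
    """Countermeasures ordered from best to worst net annual benefit."""
    return sorted(options, key=lambda cm: net_annual_benefit(risk, cm), reverse=True)


# Constructed scenario: a customer database (asset value $500,000) where an
# incident destroys a quarter of it (EF 0.25) about once every two years (ARO 0.5).
DB_RISK = Risk("customer database", 500_000, 0.25, 0.5)

# Constructed countermeasures: backups limit damage per incident (EF),
# monitoring reduces how often incidents succeed (ARO).
BACKUPS = Countermeasure("offline backups", annual_cost=10_000, new_exposure_factor=0.05)
MONITORING = Countermeasure("24x7 monitoring", annual_cost=70_000, new_aro=0.1)


def main() -> None:
    print(f"{DB_RISK.asset}: SLE = ${DB_RISK.sle():,.0f}, ALE = ${DB_RISK.ale():,.0f}")
    for cm in rank_countermeasures(DB_RISK, [BACKUPS, MONITORING]):
        after = cm.apply(DB_RISK)
        print(f"  {cm.name:<16} ALE after = ${after.ale():,.0f}  "
              f"net annual benefit = ${net_annual_benefit(DB_RISK, cm):,.0f}")


if __name__ == "__main__":
    main()
```

With these constructed numbers the backups pay for themselves (net benefit $40,000 a year) while the monitoring option costs more than the loss it prevents (net −$20,000), which is the comparison the slide asks for before choosing a treatment.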
Geographic Considerations
Replacement and repair costs of assets may vary by location
Exposure Factor may vary by location
Impact may vary by location
Risk Assessment Methodologies
NIST 800-30, Risk Management Guide for Information Technology Systems
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
FRAP (Facilitated Risk Analysis Process) – qualitative pre-screening
Spanning Tree Analysis – visual, similar to mind map
Risk Treatment
One or more outcomes from a risk assessment:
Risk acceptance: “yeah, we can live with that”
Risk avoidance: discontinue the risk-related activity
Risk reduction: mitigate
Risk transfer: buy insurance
Risk treatment is often a blended approach
After risk treatment, any leftover risk is known as “residual risk”
Security Management Concepts
Security controls
CIA Triad
Defense in depth
Single points of failure
Fail open, fail closed
Privacy
Security Controls
Detective
Preventive
Deterrent
Administrative
Compensating
CIA: Confidentiality, Integrity, Availability
The three pillars of security: the CIA Triad
Confidentiality: information and functions can be accessed only by properly authorized parties
Integrity: information and functions can be added, altered, or removed only by authorized persons and means
Availability: systems, functions, and data must be available on-demand according to any agreed-upon parameters regarding levels of service
Defense in Depth
A layered defense in which two or more layers or controls are used to protect an asset
Heterogeneity: the different controls should be of different types, so as to better resist attack
Entire protection: each control completely protects the asset from most or all threats
Defense in depth reduces or eliminates the risks associated with single points of failure, fail open, malfunctions, and successful attacks on individual components
Single Points of Failure
A single point of failure (SPOF) is a weakness in a system where the failure of a single component results in the failure of the entire system
Fail Open, Fail Closed
When a security mechanism fails, there are usually two possible outcomes:
Fail open – the mechanism permits all activity
Fail closed – the mechanism blocks all activity
Principles
Different types of failures will have different results
Both fail open and fail closed are undesirable, but sometimes one or the other is catastrophic!
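To make the fail-open / fail-closed choice concrete, the following added example (not from the original slides) puts one authorization check through a simulated policy-store outage three ways, and records every decision made without a working lookup so that monitoring can see the control degrade; the policy store, users, resources and the "public" sensitivity label are constructed.

```python
"""Fail open versus fail closed in an authorization check.

Added illustration; it is not from the original slides. A request is authorized
by looking up which users a policy store permits on a resource. The store is a
stand-in for a directory or policy database and can be switched "offline" to
simulate an outage. The three checkers do the same lookup and differ only in
what they decide when that lookup fails. Users, resources and policy entries
are constructed.
"""
from typing import Dict, List, Set


class PolicyStoreError(RuntimeError):
    """Raised when the simulated policy backend cannot be reached."""


class PolicyStore:
    def __init__(self, policy: Dict[str, Set[str]]) -> None:
        self._policy = policy   # resource -> set of permitted user ids
        self.available = True   # set False to simulate an outage

    def permitted_users(self, resource: str) -> Set[str]:
        if not self.available:
            raise PolicyStoreError("policy store unreachable")
        return self._policy.get(resource, set())


# Decisions taken without a working policy lookup, kept so that monitoring can
# alert on them: a run of fallback decisions is the signal that a control has
# degraded, whichever way it failed.
FALLBACK_LOG: List[str] = []


def authorize_fail_open(store: PolicyStore, user: str, resource: str) -> bool:
    """Fail open: a lookup error is treated as 'allow'.

    The service keeps running during the outage, but so does every request,
    authorized or not.
    """
    try:
        return user in store.permitted_users(resource)
    except PolicyStoreError:
        FALLBACK_LOG.append(f"fail-open allow: {user} -> {resource}")
        return True


def authorize_fail_closed(store: PolicyStore, user: str, resource: str) -> bool:
    """Fail closed: a lookup error is treated as 'deny'.

    Nothing unauthorized gets through, at the price of also blocking
    legitimate users until the store is back.
    """
    try:
        return user in store.permitted_users(resource)
    except PolicyStoreError:
        FALLBACK_LOG.append(f"fail-closed deny: {user} -> {resource}")
        return False


PUBLIC = "public"  # constructed sensitivity label


def authorize_by_sensitivity(store: PolicyStore, user: str, resource: str, sensitivity: str) -> bool:
    """The slides' point that different failures should have different results:
    fail open only for public resources, fail closed for everything else."""
    try:
        return user in store.permitted_users(resource)
    except PolicyStoreError:
        allowed = sensitivity == PUBLIC
        FALLBACK_LOG.append(f"degraded {'allow' if allowed else 'deny'}: {user} -> {resource}")
        return allowed


# Constructed policy: only alice may read payroll; anyone listed may open the lobby door.
POLICY = {"payroll": {"alice"}, "lobby-door": {"alice", "bob", "guest"}}


def run_demo() -> Dict[str, bool]:
    """Same requests during normal operation and during an outage."""
    store = PolicyStore(POLICY)
    results = {
        "normal/bob/payroll": authorize_fail_closed(store, "bob", "payroll"),
        "normal/alice/payroll": authorize_fail_closed(store, "alice", "payroll"),
    }
    store.available = False  # simulate the backend going down
    results.update({
        "outage/fail-open/bob/payroll": authorize_fail_open(store, "bob", "payroll"),
        "outage/fail-closed/alice/payroll": authorize_fail_closed(store, "alice", "payroll"),
        "outage/by-sensitivity/bob/payroll": authorize_by_sensitivity(store, "bob", "payroll", "confidential"),
        "outage/by-sensitivity/guest/lobby-door": authorize_by_sensitivity(store, "guest", "lobby-door", PUBLIC),
    })
    return results


if __name__ == "__main__":
    for request, decision in run_demo().items():
        print(f"{request:<42} {'ALLOW' if decision else 'DENY'}")
    print(f"{len(FALLBACK_LOG)} decision(s) made without a policy lookup")
```

During the outage the fail-open checker lets bob into payroll and the fail-closed checker locks alice out of it; the sensitivity-aware variant keeps the lobby door usable while still denying payroll, which is the trade-off the slide's "one or the other is catastrophic" warning is about.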
Privacy
Defined: the protection and proper handling of sensitive personal information
Requires proper technology for protection
Requires appropriate business processes and controls for appropriate handling
Issues:
Inappropriate uses of sensitive data
Unintended disclosures of sensitive data to others
Security Management
Executive oversight
Governance
Policy, guidelines, standards, and procedures
Roles and responsibilities
Service level agreements
Secure outsourcing
Data classification and protection
Certification and accreditation
Internal audit
Security Executive Oversight
Support and enforcement of policies
Allocation of resources
Prioritization of activities
Risk treatment
Security Governance
Defined: “Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.” – IT Governance Institute
Security Governance (cont.)
Steering committee oversight
Resource allocation and prioritization
Status reporting
Strategic decisions
The process and action that supports executive oversight
Security Policies, Requirements, Guidelines, Standards, and Procedures
Policies: constraints on the behavior of systems and people. Define what, but not how.
Requirements: required characteristics of a system or process
Guidelines: define how to support a policy
Standards: what products, technical standards, and methods will be used to support policy
Procedures: step-by-step instructions
Security Roles and Responsibilities
Formally defined in security policy and job descriptions
These need to be defined:
Ownership of assets
Access to assets
Use of assets
Managers responsible for employee behavior
Service Level Agreements
SLAs define a formal level of service
SLAs for security activities:
Security incident response
Security alert / advisory delivery
Security investigation
Policy and procedure review
Secure Outsourcing
Outsourcing risks:
Control of confidential information
Loss of control of business activities
Accountability – the organization that outsources activities is still accountable for their activities and outcomes
An organization’s security program for assessing and treating risk associated with outsourced entities will depend on a number of factors, including the level of sensitivity and volume of sensitive data accessible by each outsourced party
Data Classification and Protection
Components of a classification and protection program:
Sensitivity levels: “confidential”, “restricted”, “secret”, etc.
Marking procedures: how to indicate sensitivity on various forms of information
Access procedures
Handling procedures: e-mailing, faxing, mailing, printing, transmitting, destruction
Certification and Accreditation
Two-step process for the formal evaluation and approval for use of a system
Certification is the process of evaluating a system against a set of formal standards, policies, or specifications.
Accreditation is the formal approval for the use of a certified system, for a defined period of time (and possibly other conditions).
Internal Audit
Evaluation of security controls and policies to measure their effectiveness
Performed by internal staff
Objectivity is of vital importance
Formal methodology
Required by some regulations, e.g. Sarbanes-Oxley
Methodologies:
Standards and practices of internal auditing from The Institute of Internal Auditors
IT Audit and Assurance Standards, Tools, and Techniques from ISACA
Security Strategies
Management is responsible for developing the ongoing strategy for security management
Past events can help shape the future:
Incidents
SLA performance
Certification and accreditation
Internal audit
Personnel Security
Hiring practices and procedures
Periodic performance evaluation
Disciplinary action policy and procedures
Termination procedures
Hiring Practices and Procedures
Effective assessment of qualifications
Background verification (prior employment, education, criminal history, financial history)
Non-disclosure agreement
Intellectual property agreement
Employment agreement
Agreement to abide by all organizational policies
Formal job descriptions
Termination
Immediate termination of all logical and physical access
Change passwords known to the employee
Recovery of all assets
Notification of the termination to affected staff, customers, other third parties
And possibly: code reviews, review of recent activities prior to the termination
Work Practices
Separation of duties: designing sensitive processes so that two or more persons are required to complete them
Job rotation: good for cross-training, and also reduces the likelihood that employees will collude for personal gain
Mandatory vacations: detect / prevent irregularities that violate policy and practices
Security Education, Training, and Awareness
Training on security policy, guidelines, standards
Upon hire and periodically thereafter
Various types of messaging: e-mail, intranet, posters, flyers, trinkets, training classes
Testing – to measure employee knowledge of policy and practices
Summary
An organization’s security program should support its mission, objectives, and goals.
The core principles of information security are confidentiality, integrity, and availability.
Privacy is related to the protection and proper handling of personal information.
Security governance is the set of responsibilities and practices related to the development of strategic direction and risk management.
Security policies specify the required characteristics of information systems and the required conduct of employees.
Summary (cont.)
Security roles and responsibilities define the ownership, access, and use of assets, and the general responsibilities of managers and employees.
Data classification and protection defines levels of sensitivity for business information, as well as handling procedures for each level of sensitivity.
Internal audit is the activity of evaluating security controls and policies to measure their effectiveness.
An organization’s hiring process should include the use of non-disclosure, employment, non-compete, intellectual property, and acceptable use agreements, as well as background checks.
Summary (cont.)
Upon termination of employment, the organization should retrieve all assets issued to the terminated employee and immediately rescind the employee’s access to all information systems.
Sound work practices include separation of duties, job rotation, and mandatory vacations.
A security education, training, and awareness program should keep employees regularly informed of their expectations.
Module 6: Federal Information Security Management Act
Applying NIST Information Security Standards and Guidelines
The Current Landscape
Public and private sector enterprises today are highly dependent on information systems to carry out their missions and business functions.
To achieve mission and business success, enterprise information systems must be dependable in the face of serious cyber threats.
To achieve information system dependability, the systems must be appropriately protected.
The Threat Situation
Continuing serious cyber attacks on federal information systems, large and small, targeting key federal operations and assets. Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated. Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising federal information systems.
Significant exfiltration of critical and sensitive information and implantation of malicious software.
Unconventional Threats to Security
Connectivity
Complexity
Asymmetry of Cyber Warfare
The weapons of choice are:
• Laptop computers, hand-held devices, cell phones.
• Sophisticated attack tools and techniques downloadable from the Internet.
• World-wide telecommunication networks including telephone networks, radio, and microwave.
Resulting in low-cost, highly destructive attack potential.
What is at Risk?
Federal information systems supporting Defense, Civil, and Intelligence agencies within the federal government.
Private sector information systems supporting U.S. industry and businesses (intellectual capital).
Information systems supporting critical infrastructures within the United States (public and private sector) including:
• Energy (electrical, nuclear, gas and oil, dams)
• Transportation (air, road, rail, port, waterways)
• Public Health Systems / Emergency Services
• Information and Telecommunications
• Defense Industry
• Banking and Finance
• Postal and Shipping
• Agriculture / Food / Water / Chemical
U.S. Critical Infrastructures
“...systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.” -- USA Patriot Act (P.L. 107-56)
Critical Infrastructure Protection
The U.S. critical infrastructures are over 90% owned and operated by the private sector.
Critical infrastructure protection must be a partnership between the public and private sectors.
Information security solutions must be broad-based, consensus-driven, and address the ongoing needs of government and industry.
A National Imperative
For economic and national security reasons, we need:
• State-of-the-art cyber defenses for public and private sector enterprises.
• Adequate security for organizational operations (mission, functions, image, and reputation), organizational assets, individuals, other organizations (in partnership with the organization), and the Nation.
• A process for managing cyber risks in a dynamic environment where threats, vulnerabilities, missions, information systems, and operational environments are constantly changing.
A Unified Framework for Information Security
The Generalized Model
Diagram: the Intelligence Community, the Department of Defense, and the Federal Civil Agencies (national security and non-national security information systems) share a set of common information security requirements; each community also has its own unique information security requirements, the "delta" above the common set.
Foundational Set of Information Security Standards and Guidance:
• Standardized risk management process
• Standardized security categorization (criticality/sensitivity)
• Standardized security controls (safeguards/countermeasures)
• Standardized security assessment procedures
• Standardized security authorization process
Risk-Based Protection Strategy
Enterprise missions and business processes drive security requirements and associated safeguards and countermeasures for organizational information systems.
Highly flexible implementation; recognizing diversity in mission/ business processes and operational environments.
Senior leaders take ownership of their security plans including the safeguards/countermeasures for the information systems.
Senior leaders are both responsible and accountable for their information security decisions; understanding, acknowledging, and explicitly accepting resulting mission/business risk.
Information Security Programs
Adversaries attack the weakest link…where is yours?
Links in the Security Chain: Management, Operational, and Technical Controls
Management and operational controls:
• Risk assessment
• Security planning, policies, procedures
• Configuration management and control
• Contingency planning
• Incident response planning
• Security awareness and training
• Security in acquisitions
• Physical security
• Personnel security
• Security assessments
• Certification and accreditation
Technical controls:
• Access control mechanisms
• Identification & authentication mechanisms (biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Boundary and network protection devices (firewalls, guards, routers, gateways)
• Intrusion protection/detection systems
• Security configuration settings
• Anti-viral, anti-spyware, anti-spam software
• Smart cards
Strategic Planning Considerations
Consider vulnerabilities of new information technologies and system integration before deployment.
Diversify information technology assets.
Reduce information system complexity.
Apply a balanced set of management, operational, and technical security controls in a defense-in-depth approach.
Detect and respond to breaches of information system boundaries.
Reengineer mission/business processes, if necessary.
Risk Management Framework
Security Life Cycle (SP 800-39)
The six RMF steps, each with its governing publication and activity; CATEGORIZE is the starting point and the cycle continues through MONITOR:
1. CATEGORIZE Information System (FIPS 199 / SP 800-60): define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
2. SELECT Security Controls (FIPS 200 / SP 800-53): select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
3. IMPLEMENT Security Controls (SP 800-70): implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS Security Controls (SP 800-53A): determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
5. AUTHORIZE Information System (SP 800-37): determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR Security State (SP 800-37 / SP 800-53A): continuously track changes to the information system that may affect security controls and reassess control effectiveness.
RMF Characteristics
The NIST Risk Management Framework and the associated security standards and guidance documents provide a process that is disciplined, flexible, extensible, repeatable, organized, and structured.
“Building information security into the infrastructure of the organization…so that critical enterprise missions and business cases will be protected.”
Security Categorization
FIPS 199 potential impact levels. The same three definitions apply to each of the security objectives (confidentiality, integrity, availability); a system's security category records one level per objective. The loss of the objective could be expected to have:
LOW: a limited adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: a serious adverse effect on organizational operations, organizational assets, or individuals.
HIGH: a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Example: An Enterprise Information System
Mapping Information Types to FIPS 199 Security Categories
SP 800-60
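The mapping the slide refers to can be carried out mechanically. The following Python is an added example, not code from the original slides or from NIST. It applies the FIPS 199 per-objective impact levels, aggregates several information types into one system category by taking the highest level per objective (the SP 800-60 aggregation rule), and derives the overall impact level that selects the control baseline as the high-water mark across the three objectives (the FIPS 200 rule). It also handles the one special case FIPS 199 allows: a confidentiality impact of "not applicable" for public information, which is permitted for an information type but not for a system, so the system level floors at LOW. The `InfoType` class, the sample information types and their provisional impact levels are constructed for illustration and are not values taken from SP 800-60.

```python
"""FIPS 199 security categorization with SP 800-60 style aggregation.

Added example (not from the original slides or from NIST). Rules applied:
  * each information type carries a provisional impact level, LOW / MODERATE /
    HIGH, for confidentiality, integrity and availability (FIPS 199);
  * an information type may mark confidentiality "N/A" (public information),
    but a system may not: the system-level floor is LOW (FIPS 199);
  * a system processing several information types takes, per objective, the
    highest level among its types (SP 800-60 aggregation);
  * the overall system impact level that selects the low/moderate/high control
    baseline is the high-water mark across the three objectives (FIPS 200).
The InfoType class and the sample data below are constructed assumptions.
"""
from dataclasses import dataclass

# Ordinal ranking of impact levels; "N/A" ranks below LOW.
IMPACT_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective).upper()
        if value not in IMPACT_RANK:
            raise ValueError(f"{self.name}: bad {objective} level {value!r}")
        if value == "N/A" and objective != "confidentiality":
            # FIPS 199 only allows "not applicable" for confidentiality.
            raise ValueError(f"{self.name}: N/A is not allowed for {objective}")
        return value


def categorize_system(info_types) -> dict:
    """Return {objective: level}: the highest level per objective across all
    information types, floored at LOW because a system cannot be N/A."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        worst = max((t.level(objective) for t in info_types),
                    key=IMPACT_RANK.__getitem__)
        category[objective] = "LOW" if worst == "N/A" else worst
    return category


def overall_impact(category: dict) -> str:
    """High-water mark: the worst objective drives the baseline selection."""
    return max(category.values(), key=IMPACT_RANK.__getitem__)


def security_category_string(system_name: str, category: dict) -> str:
    """Render in FIPS 199 notation: SC system = {(confidentiality, X), ...}."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: three information types on one enterprise system.
SAMPLE_TYPES = [
    InfoType("public web content", "N/A", "MODERATE", "LOW"),
    InfoType("payroll records", "MODERATE", "MODERATE", "LOW"),
    InfoType("incident response data", "HIGH", "MODERATE", "MODERATE"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_TYPES)
    print(security_category_string("enterprise system", cat))
    level = overall_impact(cat)
    print(f"overall impact level: {level} -> select the {level.lower()} baseline")
```

With the constructed sample the system categorizes as SC = {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}, so a single HIGH-confidentiality information type pulls the whole system to the high baseline. That is the practical consequence of the high-water mark: adding one sensitive information type to an otherwise moderate system changes its baseline, which is why SP 800-60 aggregation should be redone whenever the information types a system processes change.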
Security Control Baselines
Master Security Control Catalog: the complete set of security controls and control enhancements. Each baseline is the set of minimum security controls for one impact level:
• Baseline #1, Low Baseline (minimum security controls for low-impact information systems): a selection of a subset of security controls from the master catalog, consisting of basic level controls.
• Baseline #2, Moderate Baseline (minimum security controls for moderate-impact information systems): builds on the low baseline; a selection of a subset of controls from the master catalog consisting of basic level controls, additional controls, and control enhancements.
• Baseline #3, High Baseline (minimum security controls for high-impact information systems): builds on the moderate baseline; a selection of a subset of controls from the master catalog consisting of basic level controls, additional controls, and control enhancements.
Tailoring Guidance
FIPS 200 and SP 800-53 provide significant flexibility in the security control selection and specification process:
• Scoping guidance;
• Compensating security controls; and
• Organization-defined security control parameters.
Tailoring Security Controls: Scoping, Parameterization, and Compensating Controls
Diagram: the minimum security controls for low-, moderate-, and high-impact information systems (the Low, Moderate, and High Baselines) are each tailored to the enterprise and its operational environment (Enterprise #1 / Operational Environment #1, Enterprise #2 / Operational Environment #2, Enterprise #3 / Operational Environment #3), producing a set of tailored security controls for each system.
Cost effective, risk-based approach to achieving adequate information security…
Large and Complex Systems
• System security plan reflects information system decomposition with adequate security controls assigned to each subsystem component.
• Security assessment procedures tailored for the security controls in each subsystem component and for the combined system-level controls.
• Security assessment performed on each subsystem component and on system-level controls not covered by subsystem assessments.
• Security authorization performed on the information system as a whole.
Diagram: an organizational information system whose authorization boundary encloses three subsystem components: Local Area Network Alpha, a System Guard, and Local Area Network Bravo.
Applying the Risk Management Framework to Information Systems
Diagram: the six RMF steps (CATEGORIZE Information System, SELECT Security Controls, IMPLEMENT Security Controls, ASSESS Security Controls, AUTHORIZE Information System, MONITOR Security State) applied to an information system produce the authorization package of artifacts and evidence:
• Security Plan (SP), including updated risk assessment
• Security Assessment Report (SAR)
• Plan of Action and Milestones (POAM)
together with near real-time security status information (output from automated support tools). The package supports the authorization decision.
Extending the Risk Management Framework to Organizations
Diagram: the Risk Executive Function provides enterprise-wide oversight, monitoring, and risk management. It issues policy guidance and security requirements to the Risk Management Framework, which is applied to each of the organization's information systems; common security controls (infrastructure-based, system-inherited) are shared by those systems. Each information system produces its own security plan (SP), security assessment report (SAR), plan of action and milestones (POAM), and authorization decision.
Risk Executive Function
• Establish organizational information security priorities.
• Allocate information security resources across the organization.
• Provide oversight of information system security categorizations.
• Identify and assign responsibility for common security controls.
• Provide guidance on security control selection (tailoring and supplementation).
• Define common security control inheritance relationships for information systems.
• Establish and apply mandatory security configuration settings.
• Identify and correct systemic weaknesses and deficiencies in information systems.
Managing Risk at the Organizational Level
Diagram: the Risk Executive Function coordinates policy, risk, and security-related activities across three levels: the organization (supporting organizational missions and business processes), the mission/business processes, and the individual information systems (information system-specific considerations).
Trust Relationships
Determining risk to the organization's operations and assets, individuals, other organizations, and the Nation; and the acceptability of such risk.
The objective is to achieve visibility into and understanding of a prospective partner's information security programs…establishing a trust relationship based on the trustworthiness of their information systems.
Diagram: Organization One and Organization Two each operate an information system documented by a System Security Plan, Security Assessment Report, and Plan of Action and Milestones. Business/mission information flows between the two systems, and the organizations exchange security information so that each can determine the risk of the relationship and whether that risk is acceptable.
Mainstreaming Information Security
Information security requirements must be considered first order requirements and are critical to mission and business success.
An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.
Enterprise Architecture
Provides a common language for discussing information security in the context of organizational missions, business processes, and performance goals.
Defines a collection of interrelated reference models that are focused on lines of business including Performance, Business, Service Component, Data, and Technical.
Uses a security and privacy profile to describe how to integrate the Risk Management Framework into the reference models.
System Development Life Cycle
The Risk Management Framework should be integrated into all phases of the SDLC:
• Initiation (RMF Steps 1 and 2)
• Development and Acquisition (RMF Step 2)
• Implementation (RMF Steps 3 through 5)
• Operations and Maintenance (RMF Step 6)
• Disposition (RMF Step 6)
Reuse system development artifacts and evidence (e.g., design specifications, system documentation, testing and evaluation results) for risk management activities.
FISMA Phase I Publications
• FIPS Publication 199 (Security Categorization)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-18 (Security Planning)
• NIST Special Publication 800-30 (Risk Assessment)
• NIST Special Publication 800-39 (Risk Management)
• NIST Special Publication 800-37 (Certification & Accreditation)
• NIST Special Publication 800-53 (Recommended Security Controls)
• NIST Special Publication 800-53A (Security Control Assessment)
• NIST Special Publication 800-59 (National Security Systems)
• NIST Special Publication 800-60 (Security Category Mapping)
FISMA Phase II
Demonstrating competence to provide information security services including:
• Assessments of information systems (operational environments): security controls; configuration settings
• Assessments of information technology products (laboratory environments): security functionality (features); configuration settings
FISMA Phase II
Producing evidence that supports the grounds for confidence in the design, development, implementation, and operation of information systems.
Diagram: each information system is assembled from IT products and runs in its operational environment; the functionality and assurance of those products and of the system establish its trustworthiness, and a trust relationship between two such systems rests on that trustworthiness.
Training Initiative
Information security training initiative underway to provide increased support to organizations using FISMA-related security standards and guidelines.
Training initiative includes three components:
• Frequently Asked Questions
• Publication Summary Guides (Quickstart Guides)
• Formal Curriculum and Training Courses
NIST will provide initial training in order to fine-tune the curriculum; then transition to other providers.
The Golden RulesBuilding an Effective Enterprise Information Security Program
Develop an enterprise-wide information security strategy and game plan.
Get corporate "buy in" for the enterprise information security program; effective programs start at the top.
Build information security into the infrastructure of the enterprise.
Establish level of "due diligence" for information security.
Focus initially on mission/business process impacts; bring in threat information only when specific and credible.
Create a balanced information security program with management, operational, and technical security controls.
Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk.
Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data.
Harden the target; place multiple barriers between the adversary and enterprise information systems.
Be a good consumer—beware of vendors trying to sell single point solutions for enterprise security problems.
Don’t be overwhelmed with the enormity or complexity of the information security problem—take one step at a time and build on small successes.
Don’t tolerate indifference to enterprise information security problems.
And finally… Manage enterprise risk—don’t try to avoid it!
Recommended