DOE S&S Audit and Tune IT Up Campaign Mark Leininger August 26, 2009.


Audits and Compliance
- Safeguards and Security Audit of Computer Security Program resulted in 6 findings in May 2009
- Findings have serious consequences for lab
- Auditors will keep coming back; we need to work together lab wide to improve
- We want to fix the underlying causes that led to audit findings, not just address isolated consequences

Computer Security Requirements are in Fermilab’s Contract
- There is a contract between FRA and DOE to manage Fermilab. One of the items specified in that contract is the list of regulations that Fermilab must comply with, and a process for updating that list managed through our DOE site office.
- Consequences of failing to meet terms of contract can be both tangible (financial, resources, rebid our contract) and intangible (credibility of lab to conduct scientific program)

Small Sample of Federal Requirements

Applicable Standards and Guidance

Legislation
- Office of Management and Budget (OMB) Memorandum Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26,
- Office of Management and Budget (OMB) Memorandum Instructions For Complying With The President's Memorandum Of May 14, 1998, "Privacy and Personal Information in Federal Records", January 7,
- Public Law (44 U.S.C. Ch 36) E-Government Act of 2002, Title III— Information Security, also known as the Federal Information Security Management Act (FISMA) of
- Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, February 8,
- Public Law, Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)

NIST Guidance

Federal Information Processing Standards (FIPS)
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, July
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February

Special Publications
- SP , The NIST Security Configuration Checklists Program, May 2005
- SP , Integrating Security into the Capital Planning and Investment Control Process, January
- SP , Security Considerations in the Information System Development Life Cycle, October 2003 (publication original release date) (revision 1 released June 2004)
- SP , Guide for Mapping Types of Information and Information Systems to Security Categories, June
- SP , Recommended Security Controls for Federal Information Systems, February
- SP , Wireless Network Security: , Bluetooth, and Handheld Devices, November
- SP , Guide for the Security Certification and Accreditation of Federal Information Systems, May
- SP , Contingency Planning Guide for Information Technology Systems, June
- SP , Risk Management Guide for Information Technology Systems, July
- SP , Rev. 1 (NIST DRAFT Special Publication , Revision 1): Guide for Information Security Program Assessments and System Reporting Form
- SP , Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February

DOE Policy and Guidance
- Revitalization of the Department of Energy Cyber Security Program (1/2006)
- Department of Energy Cyber Security Management Program Order 205.1 (Draft)
- Department of Energy Cyber Security Management Program (3/21/2003)
- Notice Incident Prevention Warning and Response Manual
- Notice Foreign National Access to DOE Cyber Systems (extended to 9/30/06)
- Notice Password Generation, Protection and Use (extended to 9/30/06)
- Notice Handling Cyber Alerts and Advisories, and Reporting Cyber Security Incidents (extended to 07/06/05)
- Notice Cyber Security Requirements for Wireless Devices and Information Systems (3/18/06)
- Notice Certification and Accreditation Process for Information Systems, including National Security Systems (3/18/06)
- Notice Cyber Security Requirements for Risk Management (3/18/06)
- Notice Security Requirements for Remote Access to DOE and Applicable Contractor Information Technology Systems (3/1/8/06)
- Notice Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware (2/19/2004)
- Notice Extension of DOE Directive on Cyber Security (7/6/2004)

Examples of what we have to do
- All passwords on IMAP server reset to 10 characters
- Reset all local admin passwords to comply with domain policy
- Increase complexity of Domain passwords
- Automated actions taken on anti-virus alerts
- Update desktop operating system baselines
  - Process to maintain them that ensures workability (e.g. Windows Policy Committee)
  - Make changes known to community
- Automate monitoring of all machine configurations
  - Alert sysadmins and possibly block misconfigured machines
- Strengthen our program to protect Personally Identifiable Information (PII)

This is what happened

They’ve got us in their sights

Need an Organized Lab Wide Response: Tune IT Up Campaign
- Lab Director instructed CIO to lead a lab wide response
- CIO placed Mark Kaletka in charge of leading the lab wide response
- Progress is being monitored by DOE Site office

Duration of the campaign
The campaign is expected to last approximately six months, with an intense period of activity from mid July to mid October 2009, followed by an ongoing program of work for the remainder of 2009 to ensure that the goals of the campaign are met and that the IT management practices put into place are sustainable. At that time attention will turn to beginning execution of Information Systems projects that are not part of this campaign but are part of the corrective action plan for the audit findings.

Campaign Goals
- Ensure all sensitive data and PII are in systems protected with moderate level controls detailed in “major application” security plans; that those people who have access to such data are approved; and that all lab contracts related to such data are reviewed.
- Tune up and increase training and education on cyber secure behaviors and how to recognize and protect sensitive data and PII.
- Tune up and make more rigorous our internal assessments and testing of our cyber security program.

Campaign Goals
- Review and update all security baselines and policies (including password and authentication policies).
- Improve efficiency and consistency of management of desktops and laptops and move towards standards and central management of all Fermilab systems.
- Implement request and approval process for local admin privileges to be sure they are used properly and only by people who need them to do their job.
- Ensure all systems deviating from baselines are assessed and approved (or have risk mitigation plans).
- Ensure that all Fermilab computers conform to security baselines and security plans and that all applications are patched.
- Implement network environments that add required protections where necessary (topic of today’s discussion)

Discussion
- Dave Coder will talk about real things that are happening in Networking (Guest Network, VPN, etc.)
- Irwin Gaines will lead discussion: How to implement separate network environments for
  - Machines whose configuration can be confirmed remotely
  - Machines whose configuration cannot be confirmed remotely
- Goals
  - Minimize chances of a vulnerable machine being infected
  - Minimize chances of an infected machine spreading that infection to the rest of the site
  - Still have an environment where people can do their work
- Nothing has been decided yet; nothing has been purchased yet; we’re still in the thinking stage
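The automated configuration monitoring from the "Examples of what we have to do" slide and the two network environments proposed in the Discussion slide, as an added Python example that is not part of the original presentation: it checks constructed host records against a baseline built from the slide's requirements (10-character passwords, local admin passwords at domain policy, anti-virus present, current OS baseline) and sorts hosts into "confirmed", "quarantine" and "unconfirmed" environments, with findings collected for sysadmin alerts. The record fields, zone names, OS baseline tag and inventory are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
# Baseline from the slides' "what we have to do" list; the OS baseline tag is constructed.
BASELINE = {"min_password_length": 10, "os_baseline": "2009-08"}
@dataclass
class Host:  # one inventory record; hypothetical fields, None = value not reported
    name: str
    remotely_confirmable: bool          # can its configuration be verified over the network?
    min_password_length: Optional[int] = None
    antivirus: Optional[bool] = None
    os_baseline: Optional[str] = None
    local_admin_policy_ok: Optional[bool] = None
    approved_deviation: bool = False    # assessed and approved, or has a risk mitigation plan
def findings(host: Host) -> List[str]:
    """Return the baseline violations for one host; an empty list means compliant."""
    issues = []
    if host.min_password_length is None or host.min_password_length < BASELINE["min_password_length"]:
        issues.append("password length below 10")
    if not host.antivirus:
        issues.append("anti-virus missing")
    if host.os_baseline != BASELINE["os_baseline"]:
        issues.append("OS baseline out of date")
    if not host.local_admin_policy_ok:
        issues.append("local admin password not at domain policy")
    return issues
def assign_zone(host: Host) -> str:
    """'unconfirmed' if the configuration cannot be checked remotely; 'quarantine' if it
    can but fails the baseline without an approved deviation; otherwise 'confirmed'."""
    if not host.remotely_confirmable:
        return "unconfirmed"
    if findings(host) and not host.approved_deviation:
        return "quarantine"
    return "confirmed"
def zone_report(hosts):
    """Return (zone -> host names, quarantined host -> findings) for sysadmin alerts."""
    zones = {"confirmed": [], "quarantine": [], "unconfirmed": []}
    alerts = {}
    for h in hosts:
        zone = assign_zone(h)
        zones[zone].append(h.name)
        if zone == "quarantine":
            alerts[h.name] = findings(h)
    return zones, alerts
# Constructed sample inventory, not real Fermilab hosts.
SAMPLE_HOSTS = [
    Host("desk-01", True, 12, True, "2009-08", True),
    Host("desk-02", True, 8, True, "2009-08", True),
    Host("lab-dev", True, 12, False, "2009-06", True, approved_deviation=True),
    Host("visitor-laptop", False),
]
```

A quarantined host is one a sysadmin should be alerted about and that could be blocked; an approved deviation keeps a non-conforming but assessed machine in the confirmed environment.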