Continuous Monitoring

Continuous Monitoring: RMF Step 6 Under NISP RMF
FISWG, 1-16-2019

Objectives
- Recap the six steps in the RMF process
- DSS-provided RMF guidance and resources
- Overview of an RMF Continuous Monitoring (CONMON) strategy
- Example of a CONMON tracking document
- Overview of the 18 security control families
- Review and discuss selected security controls

The Six RMF Steps (from DAAPM v1.3)

DSS Assessment and Authorization Process Manual (DAAPM) v1.3
- Outlines DSS RMF processes and procedures
- Defines RMF roles and responsibilities
- Identifies minimum training requirements for the ISSM/ISSO
- Provides configuration management guidance
- Establishes the significance of Continuous Monitoring (CONMON) in DAAPM RMF Step 2/Task 4, where it states, in part: “Ongoing monitoring of the security controls is a critical part of risk management. Effective monitoring includes, but is not limited to, configuration management and control, security impact analyses on proposed changes, assessment of selected security controls, and security status reporting.”

The DSS SSP Overlay: System Security Plan (SSP) Excel Version 1.2, based on Moderate/Low/Low (MLL)
- Provides a simple six-tab MS Excel workbook format for completing an SSP
- The overlay provides pre-selected security controls for SUSA/MUSA/Isolated Networks based on the DSS Moderate/Low/Low control selection
- Certain controls not selected for a system type are “tailored out” by default and will have a “–” under the applicable system type
- Tab 5 of the Excel version of the SSP overlay is used to define a CONMON strategy for each assigned control

DAAPM Appendix A: Security Controls v1.2
- Provides the DSS DAAPM selected security controls in a columnar format for easy reference
- Shows the DSS recommended continuous monitoring frequency in the left column
- Includes supplemental DSS-specific guidance for controls in the left column (for selected controls)

DAAPM Appendix A – Sample Control
- NIST guidance is the primary source for these columns
- DSS guidance: a good resource for the DSS recommended CONMON frequency
- Additional DSS supplemental guidance is not included for some of the controls

Building a CONMON Strategy in the DSS SSP Overlay
- SSP Overlay, Tab 4 “SecCtrls”: column “Q” is used to define the CONMON frequency
- SSP Overlay, Tab 5 “ConMon Strategies”: column “E” is populated based on the SecCtrls tab input
- Must describe how your facility completes the required monitoring. Documentation will likely be needed.

CONMON Tracking: No Defined Form/Format
- Controls are assigned an annual, semi-annual, quarterly, monthly, or weekly CONMON frequency
- Tracking mechanism and documentation are largely left to the facility/ISSM
- Best practice is to coordinate with the assigned ISSP for buy-in when possible

CONMON Tracking Record – Example
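Because the tracking mechanism is left to the facility, here is an added example (not from the presentation, DSS or the DAAPM) of a small Python tracker: given a constructed record of controls with their assigned CONMON frequency, last completion date and evidence pointer, it computes the next due date and lists what the ISSM needs to act on. The day count per frequency, the field names and the sample entries are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The five frequencies named on the slide; the day counts are an assumption.
FREQUENCY_DAYS = {"weekly": 7, "monthly": 30, "quarterly": 91,
                  "semi-annual": 182, "annual": 365}

@dataclass
class ConmonEntry:
    control: str                    # control identifier, e.g. "AC-2"
    frequency: str                  # one of the FREQUENCY_DAYS keys
    last_completed: Optional[date]  # None if the check has never been done
    evidence: str = ""              # pointer to the documentation kept as proof

def next_due(entry: ConmonEntry) -> Optional[date]:
    """Date the next check falls due, or None if never performed."""
    if entry.frequency not in FREQUENCY_DAYS:
        raise ValueError(f"unknown CONMON frequency: {entry.frequency}")
    if entry.last_completed is None:
        return None
    return entry.last_completed + timedelta(days=FREQUENCY_DAYS[entry.frequency])

def status(entry: ConmonEntry, today: date, warn_days: int = 14) -> str:
    """Classify a control as never performed, overdue, due soon or current."""
    due = next_due(entry)
    if due is None:
        return "never performed"
    if due < today:
        return "overdue"
    if (due - today).days <= warn_days:
        return "due soon"
    return "current"

def needs_attention(entries, today: date):
    """Controls an ISSM should act on: overdue, never performed, or no
    evidence recorded for the last check (the documentation the slides expect)."""
    return sorted(e.control for e in entries
                  if status(e, today) in ("overdue", "never performed")
                  or not e.evidence)

# Constructed sample tracking record; TODAY is the briefing date, assumed.
TODAY = date(2019, 1, 16)
SAMPLE = [
    ConmonEntry("AC-2", "monthly", date(2018, 12, 1), "AC-2_review_2018-12.pdf"),
    ConmonEntry("AU-6", "weekly", date(2019, 1, 14), "auditlog_review_wk02.txt"),
    ConmonEntry("CP-4", "annual", date(2018, 6, 15), "CP_test_2018.docx"),
    ConmonEntry("AT-2", "annual", None),
    ConmonEntry("PE-3", "quarterly", date(2018, 10, 20)),
]
```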

Security Control Families
- 380+ RMF controls are divided into 18 groups or families
- Many control families relate to policy, training, physical security, etc.
(AC) Access Control
(AT) Awareness and Training
(AU) Audit and Accountability
(CA) Security Assessment and Authorization
(CM) Configuration Management
(CP) Contingency Planning
(IA) Identification and Authentication
(IR) Incident Response
(MA) Maintenance
(MP) Media Protection
(PE) Physical and Environmental Protection
(PL) Planning
(PM) Program Management
(PS) Personnel Security
(RA) Risk Assessment
(SA) System and Services Acquisition
(SC) System and Communications Protection
(SI) System and Information Integrity

Security Control Families (cont.): (AT) Awareness and Training
NOTE: This is only a small sampling of controls!!!

Security Control Families (cont.): (AT) Awareness and Training

Security Control Families (cont.): (CP) Contingency Planning
NISPOM 8-302c states: “Contingency Planning. When contractually required, contractors will establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery operations for ISs to ensure the availability of critical information and continuity of operations.”

Security Control Families (cont.): (CP) Contingency Planning

Security Control Families (cont.): (PE) Physical and Environmental Protection

Security Control Families (cont.): (PE) Physical and Environmental Protection
Best practice dictates that a KVM switch used across classifications or security boundaries should conform to the NIAP-approved Protection Profile (PP) for peripheral sharing switches…

Security Control Families (cont.): (PE) Physical and Environmental Protection

Security Control Families (cont.): (PS) Personnel Security

Security Control Families (cont.): (PS) Personnel Security

Security Control Families (cont.): (PS) Personnel Security

Security Control Families (cont.): (SA) System and Services Acquisition

Security Control Families (cont.): (SA) System and Services Acquisition

Security Control Families (cont.): (SA) System and Services Acquisition

Security Control Families (cont.): (SA) System and Services Acquisition