SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,

Slides:

Advertisements

Similar presentations

Symantec 2004 Pulse of IT Security in Canada Volume II Survey shows Increases in Concern and Spending for IT Security Andrew Bisson Director, Planning.

Advertisements

1. International Module – 503 Noise: Measurement & Its Effects Day 5.

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.

Jump to first page NIST Risk Management Guide for Information Technology Systems Reference:

Presentation Title on MasterPage 1 Single Audit Changes – Recovery Act Compliance Supplement Appendix VII devoted to ARRA CFDA numbers Clarification of.

National Association of State Auditors

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

The Managing Authority –Keystone of the Control System

1 Managing Authority Conducting a self assessment 10 June 2008 A. Badrichani – DG Regional Policy – Audit Unit J3.

Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated.

Privacy Impact Assessment Future Directions TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

EMS Checklist (ISO model)

10/04/20081 TWG of ESF Committee 10 April 2008 Franck Sébert Head of unit DG EMPL/I/1 Relations with Control Authorities Action plan to strengthen the.

Internews Network Ukraine Media Project (U-Media) Evidence-based Local Capacity Development in Ukraine October 2012.

Department of Information Technology Trusted Network Initiation Certification Request Dave Dikitolia, Andrew Griego

Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

Overview of SB 191 Ensuring Quality Instruction through Educator Effectiveness Colorado Department of Education Updated: July 2011.

Preventing Deaths in Custody: Recommendations, Impacts and Change 13 th Biennial CCJA Congress Hyatt Regency Hotel Vancouver, BC October 5, –

Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.

Internal Control–Integrated Framework

Latest developments in the MYP © International Baccalaureate Organization 2007 Page 2 Background to the presentation This PowerPoint presentation.

1 Phase III: Planning Action Developing Improvement Plans.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.

Presented to: NDIA PMSC By: Keith Kratzert Date: January 29, 2009 Federal Aviation Administration Improving Program Performance at FAA.

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.

Environmental Management System (EMS)

Proposed Maturity Model for

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.

Sarbanes-Oxley Compliance Process Automation

Security Controls – What Works

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Office of Inspector General (OIG) Internal Audit

Computer Security: Principles and Practice

Risk Management Framework

1 IT Security Awareness, Training and Education Trends Dan Costello Policy Analyst OMB.

Complying With The Federal Information Security Act (FISMA)

NIST Special Publication Revision 1

Federal Cyber Policy and Assurance Issues Dwayne Ramsey Computer Protection Program Manager Berkeley Lab Cyber Security Summit September 27, 2004.

A DEPARTMENTAL PERSPECTIVE Drive Value through Compliance with the Green Book – Stop Checking the Box.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

NMS Certification and Accreditation (C&A) Removal of Material Weakness for NMS Security and Access Controls Jim Craft USAID ISSO.

VULNERABILITY ASSESSMENT FOR THE POLICE DEPARTMENT’S NETWORK.

Award Monitoring Update National Science Foundation Advisory Committee for Business and Operations October 22, 2003 Mary Santonastasso, Director, Division.

Security is not just… 1 A Compliance Exercise Certification and Accreditation FISMA.

Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.

1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.

Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.

University of Maryland University College (UMUC) 3/11/2004 POA&M and FISMA What does it really mean? FISSEA Annual Conference.

OMB Memorandum M Implementation of the Government Charge Card Abuse Prevention Act of 2012 (Charge Card Act) September 2013.

1 American Recovery and Reinvestment Act of 2009: Challenges Facing the Department of Transportation and the Office of Inspector General’s Strategy for.

US Department of State Jay Coplon. My Commitment You will get a sense for how we do C&A You will find value in being here All of your questions will be.

Information Security tools for records managers Frank Rankin.

OMB Status 03/31/05 Monday, June 6, 2005 OMB Progress 03/31/05 Vicki Novak Tom Luedtke Gwen SykesPat DunningtonGwen Sykes Best in Government! Steps to.

Internal Audit Section. Authorized in Section , Florida Statutes Section , Florida Statutes (F.S.), authorizes the Inspector General to review.

Collaboration Process 1. IC Objectives and Risk Tolerances Define, document, and implement top-down internal control objectives and risk tolerances: 

US Department of State Jay Coplon. My Commitment You will get a sense for how we do C&A You will find value in being here All of your questions will be.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Seventeen (17) Principles of Internal Cont New Gov’t Internal Control Standards.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Auditors’ Dilemma – reporting requirements on Internal Financial Controls under the Companies Act 2013 and Clause 49 of the Listing agreement V. Venkataramanan.

SUNY Maritime Internal Control Program. New York State Internal Control Act of 1987 Establish and maintain guidelines for a system of internal controls.

Computer Security Division Information Technology Laboratory

Introduction to the Federal Defense Acquisition Regulation

Matthew Christian Dave Maddox Tim Toennies

Nicholas Martyn DG Regional Policy

MANAGEMENT of INFORMATION SECURITY, Fifth Edition

Presentation transcript:

SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA, CFM, CGFM ASSISTANT IG FOR FINANCIAL & IT AUDITS, DOT 1

CERTIFICATION & ACCREDITATION OMB A-130, Appendix III The authorization/accreditation of a system to process information provides an important quality control. By authorizing processing in a system, a manager assesses and accepts the risk associated with it. Re-authorization should occur prior to a significant change in processing, but at least every three years. 2

C&A PROCESS 3

C&A PACKAGE A typical package will contain: System Security Plan System Test and Evaluation (STE) Report Risk Assessment Contingency Plan Plans of Action and Milestones (POA&Ms) 4

C&A CHANGING PERSPECTIVE 2003 “Going through the formal process of a C&A may seem cumbersome, but the results are well worth it.” – SANS Institute % of systems accredited at a estimated cost of $300 million (about $78,000 per system) 2010 “At first, the mandate of FISMA was met by requiring C&A…While this approach provided foundational work…it did not recognize or respond to the real-time nature of the threats to Federal information systems. Large aspects of FISMA implementation became an additional compliance exercise.” --OMB 5

C&A ISSUES COST In FY 2009, the first year OMB requested cost data, an estimated $300 million was spent on C&As (about $78,000 per system) QUALITY In FY 2009, although 95% had C&As, IGs reported that only two-thirds of agencies had compliant processes. EFFECTIVENESS C&As are static; security states are not. Ultimately, even though the vast majority of systems have been accredited, this has not prevented significant information security compromises. 6

C&A TRANSITION In February 2010, NIST issues Revision 1 to , Guide for Applying the Risk Management Framework to Federal Information Systems Rev 1 transforms the C&A process into a six-step Risk Management Framework. 1. Categorize Information System 2. Select Security Controls 3. Implement Security Controls 4. Assess Security Controls 5. Authorize Information System 6. MONITOR SECURITY CONTROLS 7

CONTINUOUS MONITORING  NIST “Information Security Continuous Monitoring for Federal Information Systems and Organizations (September 2011)  To monitor system risks and security controls defined in NIST Special Publication “Recommended Security Controls for Federal Information Systems and Organizations” 8

CONTINUOUS MONITORING (CONT.)  Control CA-7 under NIST :  Reduces the level of effort required for the reauthorization of systems  Maintains security authorization over time in a highly dynamic operational environment with changing threats, vulnerabilities, technologies, and business processes  Promotes situational awareness of the security state of the system 9

CONTINUOUS MONITORING (CONT.)  Control CA-7 under NIST (cont.):  Implementation of continuous monitoring should result in updates to the security plan, security assessment report, and plan of action and milestones (the three key documents in a security reauthorization package) 10

CONTINUOUS MONITORING (CONT.)  Manual Processes, e.g. assessments of adequacy of security controls/documentation, and testing And  Automated Processes, e.g. vulnerability scanning tools, and network scanning devices 11

CONTINUOUS MONITORING (CONT.)  Challenges in Implementing Continuous Monitoring:  Developing strategies, policies, and procedures for ISCM across organization components  Involvement/buy-in of system owners  Updating information on risk assessments, security plan, security assessments, and plan of action and milestones 12

CONTINUOUS MONITORING (CONT.)  Challenges in Implementing Continuous Monitoring (cont.)  Establishing frequencies for monitoring and assessing security information  Sampling of controls  Analysis and reporting of findings and determining appropriate response Output information needs to be specific, measurable, actionable, relevant, and timely  Plan of action and milestones to ensure remediation  Developing metrics to evaluate and control ongoing risk 13

CONTINUOUS MONITORING (CONT.)  Status of Implementation of Continuous Monitoring:  According to March 2013 OMB report on 2012 FISMA, OIGs in the 24 CFO Act agencies found that: 30% of agencies did not have documented strategies and plans for continuous monitoring 50% had not established and adhered to milestone dates for remediating vulnerabilities or ensuring remediation plans were effective 67% did not have a fully developed patch management process and were not timely remediating findings from vulnerability scans 14