Proposed Maturity Model for


Proposed Maturity Model for IG FISMA Reporting
Andy Patchan, Associate IG for Information Technology, Federal Reserve Board & Consumer Financial Protection Bureau; Chair, FAEC IT Committee
Louis King, Assistant Inspector General for Financial and IT Audits, Department of Transportation
Federal Audit Executive Council Conference, September 3-4, 2014

Discussion Points
- Background on FISMA
- CIO and OIG FISMA reporting (limitations and inconsistencies)
- Increasing cybersecurity attacks
- Uses and advantages of maturity models
- Proposed maturity model for IGs' assessment of agencies' information security continuous monitoring (ISCM) programs
- Progress to date and next steps
- References for the proposed maturity model

Federal Information Security Management Act of 2002 (FISMA)
- Requires agencies to develop, document, and implement an agency-wide information security program
- Requires IGs to conduct an annual independent evaluation of agencies' information security program and practices, covering:
  - The effectiveness of security controls and techniques for selected information systems
  - Compliance with FISMA and related policies and guidelines
- The Department of Homeland Security (DHS) also requires IGs to answer specific questions on the performance of agency information security programs in 11 areas

IG FISMA Metric Results (2011-2013), % of agencies with programs in place
Values are listed in the order given on the slide (2011, 2012, 2013); some rows are incomplete in the transcript.
- Continuous Monitoring: 37% 71% 74%
- Configuration Management: 25% 75% 63%
- Identity and Access Management: 83% 78%
- Incident Response & Reporting: 67% 96%
- Risk Management: 33%
- Security Training: 50% 92% 91%
- Plan of Action and Milestones: 79% 87%
- Remote Access Management: 54%
- Contingency Planning
- Contractor Systems: 42%
- Security Capital Planning

CIO FISMA Metric Results (2011-2013), % compliance
Values are listed in the order given on the slide (2011, 2012, 2013); some rows are incomplete in the transcript.
- Automated Asset Management: 80% 86% 83%
- Automated Configuration Management: 78% 70% 79%
- Automated Vulnerability Management: 77% 81%
- TIC Traffic Consolidation: 65%
- TIC Capabilities: 72% 84% 87%
- PIV Logical Access: 66% 57% 67%
- Portable Device Encryption: 90%
- Domain Name System Security Extensions: 74% 93%
- Remote Access Authentication: 52% 53%
- Remote Access Encryption: 82% 98%
- User Security Training: 99% 88% 94%

FISMA Compliance Scores (2011-2013), %
Columns on the slide are FY2013, FY2012, FY2011, in that order; some rows are incomplete in the transcript.
- DHS: 99 93.4
- GSA: 98 84.2
- DOJ: 94 91.2
- NRC: 94.8
- SSA: 96 96.9
- NASA: 91 92 92.9
- Education: 89 79 57.5
- NSF: 88 90 98.8
- Commerce: 87 61 81.4
- USAID: 83 66 53.8
- OPM: 77 78.6
- VA: 81 52.8
- Interior: 42.2
- EPA: 94.9
- Labor: 76 82 71.6
- Treasury: 79.4
- Energy: 75 72 84.3
- Transportation: 53 44.2
- SBA: 55 57 68.7
- State: 51 63.2
- HHS: 43 50 50.9
- USDA: 37 34 32.5
- HUD: 29 66.1
- DOD: NA

Information Security Incidents Reported to US-CERT by all Federal Agencies (chart not included in the transcript)

What is the Status of Information Security?

Maturity Models
- A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a certain discipline
- It can be used to identify the current status of information security against a set of requirements
- A cold reader can understand the status of an organization's information security against specified requirements and in relation to other organizations
- NIST has developed approaches for information security maturity models
- Maturity models are used in IT organizations and in the electric industry

OIG Approach for Development of a Maturity Model for Information Security Continuous Monitoring (ISCM)
- ISCM is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions
- ISCM is identified as an administration priority and a cross-agency priority
- OMB M-14-03, Enhancing the Security of Federal Information and Information Systems, provides guidance on ISCM and on managing information security risks on a "continuous" basis

Current FY 2014 IG FISMA Metrics for ISCM
Has the organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems and that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?
- Documented policies and procedures for continuous monitoring
- Documented strategy for information security continuous monitoring
- Implemented ISCM for information technology assets
- Evaluation of the risk assessments used to develop the ISCM strategy
- Conduct of, and reporting on, ISCM results in accordance with the ISCM strategy
- Ongoing assessments of security controls (system-specific, hybrid, and common) performed based on the approved continuous monitoring plans
- Security status reports provided to authorizing officials and other key system officials, covering updates to security plans and security assessment reports, as well as a common and consistent POA&M program that is updated with the frequency defined in the strategy and/or plans

Proposed IG Maturity Model for ISCM (diagram not included in the transcript)

Example Dashboard for IG ISCM Maturity Model
Maturity levels: Initial, Consistently Performed, Managed and Measurable, Optimized
Attribute: Maturity Level
- ISCM Policies & Procedures: 2
- ISCM Strategy: 1
- Implementation for IT Assets
- Security Controls Assessment: 3
- Security Status Reporting

Progress to Date
- Discussed the maturity model approach with members of the FAEC IT Committee, which includes representatives from 38 OIGs
- Formed a maturity model workgroup consisting of representatives from 7 OIGs: Treasury, FDIC, Transportation, TIGTA, Interior, CNCS, and FRB
- Initial focus is on developing an IG FISMA reporting maturity model for ISCM (1 of the 11 areas IGs are required to review as part of their annual FISMA evaluations)
- The workgroup held its first brainstorming session on March 13
- Working sessions were held April 3, 17, and 24 to refine the maturity level criteria and the attributes for the different maturity levels for continuous monitoring
- Met with OMB and DHS on April 25 and subsequently with GAO, NIST, a Senate staffer, and the CIO Council
- Received positive feedback and overall support

Next Steps
- Continue technical development of the maturity model for continuous monitoring: one subgroup on ISCM attributes, another subgroup on integrating the model with the NIST framework for critical infrastructure cybersecurity
- Test drive/pilot with participating IGs by end of 2014/early 2015
- Make any needed tweaks for inclusion in the 2015 OIG FISMA metrics
- Goal: work with DHS to develop a FISMA maturity model reporting framework for all 11 information security areas


References
- NIST Special Publication (SP) 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
- OMB Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems
- United States Government Concept of Operations for Information Security Continuous Monitoring

2014 NIST Framework for Improving Cybersecurity
Function: Categories; Subcategories
- Identify: Risk Assessment; system inventory, categorization
- Protect: Identification & Authentication, Security Awareness and Training; PIV card, awareness and role-based training
- Detect: Continuous Monitoring; strategy, scanning
- Respond: Incident Response; detection and reporting
- Recover: Contingency Planning; BIA, backups
Implementation Tiers: Tier 1 Partial; Tier 2 Risk Informed; Tier 3 Repeatable; Tier 4 Adaptive

Additional NIST Guidance on Maturity Models
- NIST Program Review for Information Security Management Assistance outlines five maturity levels: policies, procedures, implementation, test, and integration
- NIST maturity model for information security performance measurement

Electricity Subsector Cybersecurity Capability Maturity Model (ES-CM2)
- Domain-specific objectives (focus on control objectives): Level 1 Initiated, Level 2 Performed, Level 3 Managed
- Domain-independent (management) objectives (focus on process institutionalization): Level 1 Initiated, Level 2 Performed, Level 3 Managed
- Domains: Continuous Monitoring, Risk Assessment, Configuration Management, ...

Mapping of Maturity Models (Proposed IG Model / COBIT / ISO / NIST Framework / ES-CM2)
- Initial: COBIT Level 1 Initial/Ad-hoc; ISO Level 1 Performed Informally; NIST Level 1 Partial; ES-CM2 MIL 1 Initial
- Listed on the slide between the Initial and Consistently Performed rows: ISO Level 2 Planned and Committed; ES-CM2 MIL 2 Performed
- Consistently Performed: COBIT Level 2 Repeatable and Level 3 Defined; ISO Level 3 Defined; NIST Level 2 Risk Informed; ES-CM2 MIL 3 Managed
- Managed & Measurable: COBIT Level 4 Managed & Measurable; ISO Level 4 Quantitatively Measured; NIST Level 3 Repeatable
- Optimized: COBIT Level 5 Optimized; ISO Level 5 Continuously Improving; NIST Level 4 Adaptive; ES-CM2 MIL X Reserved