Cybersecurity Summit 2004
Andrea Norris
Deputy Chief Information Officer / Director of Division of Information Systems
Federal Information Security Management Act (FISMA) Overview
“Each Federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…”
-- Federal Information Security Management Act of 2002
Legislation and Policy
Public Law (Title III)
– Federal Information Security Management Act of 2002 (FISMA) (December 2002)
Office of Management and Budget Circular A-130 (Appendix III)
– Security of Federal Automated Information Resources (February 1996)
National Institute of Standards and Technology (NIST) Special Publication Guidance
– Special Publications at
National Science Foundation Information Security Handbook
– Manual 7 (April 2004)
Information Security Program Elements (Reference: FISMA)
– Periodic assessments of risk
– Security policies and procedures
– Security planning for networks and information systems
– Security awareness training for employees and contractors
– Periodic testing and evaluation of security practices, annually
– Plans for continuity of operations and disaster recovery
– Procedures for detecting and reporting security incidents
– Process to document and address security weaknesses
– Report security status to Congress annually
Key Definitions (Reference: OMB A-130 Appendix III)
General Support System (GSS, e.g. a LAN)
– An interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
Major Application
– An application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
Application
– The use of information resources to satisfy a specific set of user requirements.
Key NIST Publications
– Introduction to Computer Security: The NIST Handbook
– Guide for Developing Security Plans
– Security Self-Assessment
– A Risk Management Guide
– Contingency Planning Guide
NSF Information Security Handbook
Management Control Procedures
– Risk Management, Security Control Review, Life Cycle, Security Planning
Operational Control Procedures
– Personnel, Physical, Contingency Planning, HW/SW, Training, Incident Response
Technical Control Procedures
– Identification and Authentication, Logical Access Controls, Audit Trails
Appendices with Report Templates
– Security & Contingency Plans, Risk Assessment
NSF Keys to Success
– Top-Down Commitment to Security as a Strategic Priority
– Comprehensive Security Program
– Sustained Levels of Investment
– Performance Goals and Measures
NSF IT Security Program: Risk Management Approach
Risks are assessed, understood and appropriately mitigated.
Security goals: Confidentiality, Integrity, Availability
Context: an Open Collaborative Environment for Research and Discovery
Security Management Structure (roles shown on the slide)
– NSF Director
– CIO
– Sr. Agency Information Security Officer
– DIS Security Officer
– Security Working Group
– Program Office Security Liaisons
– NSF Employees and Contractors
– NSF Customers and Stakeholders
NSF IT Security Program: Components
– Policies, Procedures & Plans
– Security Assessments, Audits & Controls
– Security Awareness Training
– Certification & Accreditation
– Intrusion Detection & CIRT
– Vulnerability Assessment & Penetration Tests
Layered Approach
Protecting Critical Assets Requires Layered Proactive Controls, Monitoring the Environment and Reactive Functions for Effective Response
Proactive Measures (Protect) | Event (Detect) | Reactive Functions (React)
Center: Critical Data, Information, & Systems
Defense in Depth (cited only as examples)
– Deter, e.g., Warning Banner
– Detect, e.g., Intrusion Detection
– Delay, e.g., Firewall
– Defend, e.g., Encryption
– Deny, Defeat
Escalation by Severity
– Monitoring
– CIRT
– Forensics
– BCP/COOP
Management Controls
– Management Structure, Roles and Responsibilities
– Policy and Procedures
– System Inventory
– Security Reviews, Assessments, and Plans
– Certification and Accreditation
– Agency-Level Plan of Action and Milestones
– Security Awareness and Training
Technical and Operational Controls
– Connectivity Standards
– External and Internal Networks
– Firewall Architecture
– Intrusion Detection
– Vulnerability Scans
– Penetration Tests
– Patch Management
– Laptop Scanning
– Anti-Virus Protection
– Continuity of Operations, Contingency, and Disaster Recovery
The Visible and Known Establishes Confidence
Lesson Learned – Security is a Continuous Process
Security is a continuous process of evaluation and monitoring.
Lifecycle phases (as shown on the slide): Plan, Design, Implement, Run, Assess
Activities shown around the cycle:
– Policy Standards
– Enterprise Architecture
– Configuration Standards
– Managed Security Services
– Intrusion Detection
– Firewall Management
– Incident Reporting
– Vulnerability Scan
– Assessments
– Risk – Threats
– Privacy
– Security Test & Eval.
– Compliance
– Product Selection
– Product Implementation
– Centralized Security Mgt. Strategy
– Business Continuity
– Solution Planning
– Resource Allocation
Challenges
– Changing Threat Environment
– Cultural Change – Awareness and Education
– Security Investment