Information Security and Risk Management: A Plan for Success
Is Your Information Security Model a House of Cards or a Fortress?
Copyright 2007 Stevens Technologies, Inc.

House of Cards
- Information security implementation is “ad hoc”.
- The latest media buzz is the focus of information security implementation.
- Information system characterization is not complete.
- The full set of hardware, software, system interfaces, people, and data processed may not have been identified or may not be known.
- No prior risk assessment has been completed.

Fortress
- System boundaries are clearly documented.
- Data processed by the system has been characterized by criticality in terms of confidentiality, integrity, and availability.
- A list of potential vulnerabilities has been assembled from previous risk assessments.
- A list of current and planned controls has been identified and documented.
- A likelihood rating has been assigned to each threat source/vulnerability pair.
- A business impact assessment has been conducted.
- Risk and associated risk levels are the precursor of control implementation.
- Control effectiveness is monitored for continued applicability and organizational compliance.

Organizations Are Implementing Information Security Without a Plan
- Risk: do you really know your vulnerabilities?
  - Does it matter that you don’t have full disk encryption on a laptop used for field work?
  - Is a password protection mechanism needed for a wireless network where the password is posted on all the walls?

How Are You Doing Without a Plan?
- Many organizations say that they don’t want to waste money on C&A; they want to implement real security.
- “We don’t have money to develop a plan.”

Reasons for Information Security
- Everyone else is doing it.
- Industry best practices.
- Compliance.
- Justification of the cost of a new $100, technology toy may emerge from an information system risk assessment.

Building a Foundation
- Risk assessment is the cornerstone of a strong information security foundation.
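The deck pairs a likelihood rating for each threat source/vulnerability pair with a business impact rating and derives a risk level from them. This added example (not from the deck) shows that derivation using the scale from the Risk Determination step of NIST SP 800-30 (2002); the scale itself is an assumption of the example, and the sample pairs are constructed from the deck's own rhetorical questions.

```python
"""Risk level per threat-source/vulnerability pair.

Added example, not from the deck. The scale is the one in the Risk
Determination step of NIST SP 800-30 (2002): likelihood High/Medium/Low =
1.0/0.5/0.1, impact High/Medium/Low = 100/50/10, risk = likelihood x impact,
with >50 High, >10 to 50 Medium and 1 to 10 Low. Any other scale is an
organizational choice.
"""
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class RiskPair:
    threat_source: str
    vulnerability: str
    likelihood: str  # rating from the threat-source/vulnerability analysis
    impact: str      # rating from the business impact assessment


def risk_score(likelihood: str, impact: str) -> float:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(likelihood: str, impact: str) -> str:
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rank_pairs(pairs):
    """Highest-scoring pairs first, so control selection starts where the risk is."""
    return sorted(pairs, key=lambda p: risk_score(p.likelihood, p.impact), reverse=True)


# Constructed sample built from the deck's two rhetorical questions plus a filler row.
SAMPLE = [
    RiskPair("Untrained user", "Stale workstation build", "Low", "Low"),
    RiskPair("Lost or stolen laptop", "No full disk encryption on field laptop", "High", "High"),
    RiskPair("Walk-in visitor", "Wireless password posted on the walls", "High", "Medium"),
]

if __name__ == "__main__":
    for p in rank_pairs(SAMPLE):
        lvl, score = risk_level(p.likelihood, p.impact), risk_score(p.likelihood, p.impact)
        print(f"{lvl:6} {score:5.1f}  {p.vulnerability} ({p.threat_source})")
```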
Questions to Consider
- Who are valid users?
- What is the mission of the user organization?
- What is the purpose of the system in relation to the mission?
- How important is the system to the user organization’s mission?
- What is the system availability requirement?
- What information is required by the organization?
- What information is generated by, consumed by, processed on, stored in, and retrieved by the system?
- How important is the information to the user organization’s mission?
- What are the paths of information flow?
- What types of information are processed by and stored on the system?
- What is the sensitivity level of the information?
- What information handled by or about the system should not be disclosed, and to whom?
- Where specifically is the information processed and stored?
- What are the types of information storage?
- What is the potential impact on the organization if the information is disclosed to unauthorized personnel?
- What are the requirements for information integrity and availability?
- What is the effect on the organization’s mission if the system or information is not reliable?
- How much system downtime can the organization tolerate? How does this compare to mean repair/recovery time? What other processing or communication options can the user access?
- Could a system or security malfunction or unavailability result in injury or death?

A System Security Plan Template: The Overview
- Information System Name/Title
- Information System Type
  - Major Application – Mission Essential
  - Major Application – NOT Mission Essential
  - General Support System
- Information System Security Categorization
  - FIPS 199
- Operational Status
  - Operational, under development, undergoing a modification

FIPS 199 Categorization: LOW
- The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

FIPS 199 Categorization: MODERATE
- The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

FIPS 199 Categorization: HIGH
- The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Information Types
Information Type                             Confidentiality  Integrity     Availability
Type of information (reference to guidance)  LOW/MOD/HIGH     LOW/MOD/HIGH  LOW/MOD/HIGH
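The Information Types table rates each information type per security objective; the system-level FIPS 199 category is then the highest rating found for each objective across all types (the FIPS 199 "high water mark"), and the highest of those selects the control baseline. This added example (not from the deck) carries a constructed table through that roll-up; the sample rows and their ratings are invented.

```python
"""FIPS 199 security categorization from the Information Types table.

Added example, not from the deck. Each information type carries a LOW/MOD/HIGH
rating for confidentiality, integrity and availability; per FIPS 199 the
system's rating for each objective is the highest value found among its
information types (the "high water mark"). The sample rows are constructed.
"""
LEVELS = ("LOW", "MOD", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = (("confidentiality", "conf"), ("integrity", "integ"), ("availability", "avail"))


def categorize_system(info_types):
    """info_types: table rows with keys name, conf, integ, avail, guidance."""
    if not info_types:
        # An empty table means the system characterization is not complete.
        raise ValueError("no information types: characterization not complete")
    system = {obj: "LOW" for obj, _ in OBJECTIVES}
    for row in info_types:
        for obj, key in OBJECTIVES:
            lvl = row[key].upper()
            if lvl not in RANK:
                raise ValueError(f"{row['name']}: {obj} rating {lvl!r} not in {LEVELS}")
            if RANK[lvl] > RANK[system[obj]]:
                system[obj] = lvl  # high water mark per objective
    return system


def overall_impact(system):
    """Single level (high water mark across objectives) that selects the SP 800-53 baseline."""
    return max(system.values(), key=RANK.__getitem__)


def security_category(system):
    """FIPS 199 notation for the system-level security category."""
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % (
        system["confidentiality"], system["integrity"], system["availability"])


# Constructed sample table; the guidance column is free text here (SP 800-60 in practice).
INFO_TYPES = [
    {"name": "Patient scheduling", "conf": "MOD", "integ": "MOD", "avail": "LOW", "guidance": "HIPAA"},
    {"name": "Public web content", "conf": "LOW", "integ": "MOD", "avail": "LOW", "guidance": "org policy"},
    {"name": "Dispatch records", "conf": "LOW", "integ": "HIGH", "avail": "MOD", "guidance": "org policy"},
]

if __name__ == "__main__":
    sc = categorize_system(INFO_TYPES)
    print(security_category(sc), "->", overall_impact(sc))
```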
Key Stakeholders
Role                                   Name  Title  Organization  Address  Phone
Information System Owner
Authorizing Official
Other Designated Contact
Assignment of Security Responsibility

System Background
- General Description
- Purpose
- Function
- Capabilities

User Community
User Type  Purpose  Type of Data Accessed

Hardware
Hardware  Model Number  Network ID  Standard Configuration

Software
Software  OS/Application  Version  Standard Configuration

Interfaces
System Name  Organization  Type of Agreement (ISA/MOA)  Date  FIPS 199 Category  C&A Status  Authorizing Official

Laws/Regulations/Policies
- HIPAA
- Homeland Security Directive #
- Any other applicable laws/regulations/policies

Control Descriptions
- Control number
- Control name
- Control description
- Implementation detail
- Reason for not implementing control
- Entity-level controls versus system-level controls

AC-2 ACCOUNT MANAGEMENT
- Control: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency].
- Supplemental Guidance: Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The organization identifies authorized users of the information system and specifies access rights/privileges. The organization grants access to the information system based on: (i) a valid need-to-know that is determined by assigned official duties and satisfying all personnel security criteria; and (ii) intended system usage. The organization requires proper identification for requests to establish information system accounts and approves all such requests. The organization specifically authorizes and monitors the use of guest/anonymous accounts and removes, disables, or otherwise secures unnecessary accounts. The organization ensures that account managers are notified when information system users are terminated or transferred and associated accounts are removed, disabled, or otherwise secured. Account managers are also notified when users’ information system usage or need-to-know changes.
- Control Enhancements:
  - (1) The organization employs automated mechanisms to support the management of information system accounts.
  - (2) The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
  - (3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
  - (4) The organization employs automated mechanisms to ensure that account creation, modification, disabling, and termination actions are audited and, as required, appropriate individuals are notified.
- Baseline allocation:
  - LOW: AC-2
  - MOD: AC-2 (1) (2) (3)
  - HIGH: AC-2 (1) (2) (3) (4)
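The AC-2 slide gives both the control text and which enhancements the LOW, MOD and HIGH baselines pull in. This added example (not from the deck) turns that into a periodic account review: it applies the base requirement that guest/anonymous accounts be specifically authorized at every level, and the AC-2(2) and AC-2(3) time-period checks only where the baseline includes them. The review periods stand in for the organization-defined parameters and, like the sample accounts, are constructed.

```python
"""AC-2 account review: enhancements per impact level and the AC-2(2)/(3) checks.

Added example, not from the deck. The baseline table (LOW: AC-2; MOD: AC-2 (1)
(2) (3); HIGH: AC-2 (1) (2) (3) (4)) is the deck's. The time periods stand in
for the [Assignment: organization-defined ...] parameters; they and the sample
accounts are made up.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AC2_BASELINE = {"LOW": (), "MOD": (1, 2, 3), "HIGH": (1, 2, 3, 4)}


@dataclass
class Account:
    name: str
    kind: str  # individual, group, system, guest, anonymous, temporary, emergency
    created: date
    last_login: Optional[date]
    authorized: bool = True  # guest/anonymous accounts need specific authorization


def review_accounts(accounts, impact, today,
                    temp_ttl=timedelta(days=30), inactive_ttl=timedelta(days=90)):
    """Return (account name, finding) pairs for accounts that violate AC-2 or the
    enhancements the baseline for `impact` includes."""
    enh = AC2_BASELINE[impact.upper()]
    findings = []
    for a in accounts:
        if a.kind in ("guest", "anonymous") and not a.authorized:
            findings.append((a.name, "AC-2: guest/anonymous account not specifically authorized"))
        if 2 in enh and a.kind in ("temporary", "emergency") and today - a.created > temp_ttl:
            findings.append((a.name, "AC-2(2): temporary/emergency account past its time period"))
        if 3 in enh and today - (a.last_login or a.created) > inactive_ttl:
            findings.append((a.name, "AC-2(3): inactive account should be disabled"))
    return findings


TODAY = date(2007, 6, 30)
ACCOUNTS = [  # constructed sample accounts
    Account("jdoe", "individual", date(2006, 1, 10), date(2007, 6, 29)),
    Account("contractor7", "temporary", date(2007, 5, 1), date(2007, 6, 20)),
    Account("guest", "guest", date(2006, 1, 10), date(2007, 6, 1), authorized=False),
    Account("oldsvc", "system", date(2005, 3, 1), date(2007, 1, 15)),
    Account("asmith", "individual", date(2007, 6, 1), None),
]

if __name__ == "__main__":
    for level in ("LOW", "MOD", "HIGH"):
        print(level, review_accounts(ACCOUNTS, level, TODAY))
```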
A Complete Package
- Risk Assessment
- SSP
- COOP
- Security Assessment Report
- POA&M

Updates
- Controls change
- Application changes
- Assessment finding
- Annual review

Risk Management Cycle
Identify → Evaluate → Monitor → back to Identify

A Fortress

Questions?
Sarah Stevens
President, Stevens Technologies, Inc.
PO Box Mint Hill, NC (704)