Information System Continuous Monitoring (ISCM)

Slides:



Advertisements
Similar presentations
CIP Cyber Security – Security Management Controls
Advertisements

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.
Software Quality Assurance Plan
Agenda COBIT 5 Product Family Information Security COBIT 5 content
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
SACM Terminology Nancy Cam-Winget, David Waltermire, March.
SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:
Security Controls – What Works
Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
System Engineering Instructor: Dr. Jerry Gao. System Engineering Jerry Gao, Ph.D. Jan System Engineering Hierarchy - System Modeling - Information.
Stephen S. Yau CSE , Fall Security Strategies.
Risk Management Framework
Federal IT Security Professional - Manager FITSP-M Module 1.
Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.
1 Continuous Monitoring Proprietary Information of SecureInfo ® Corporation © 2011 All Rights Reserved.
Complying With The Federal Information Security Act (FISMA)
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Information Technology Audit
What is Business Analysis Planning & Monitoring?
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Information System Continuous Monitoring (ISCM) FITSP-A Module 7.
INFORMATION SECURITY GOVERNANCE (ISG) Relates to the security of information systems Is an element of corporate governance.
Information Security Framework & Standards
SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
INFORMATION SECURITY REGULATION COMPLIANCE By Insert name dd/mm/yyyy senior leadership training on the primary regulatory requirements,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.
Security Assessments FITSP-A Module 5
Applied Technology Services, Inc. Your Partner in Technology Applied Technology Services, Inc. Your Partner in Technology.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
NIST Special Publication Revision 1
Federal IT Security Professional - Auditor
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
Roles and Responsibilities
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Automating STIGs: The Transition to CCI and SRG
SCSC 311 Information Systems: hardware and software.
Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan May, 2009.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
What is a Business Analyst? A Business Analyst is someone who works as a liaison among stakeholders in order to elicit, analyze, communicate and validate.
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.
It is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk.
Engineering Essential Characteristics Security Engineering Process Overview.
Security Automation May 26th, Security Automation: the challenge “Tower of Babel” – Too much proprietary, incompatible information – Costly – Error.
Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.
Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.
Authorizing Information Systems FITSP-A Module 6.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Information Security: Model, Process and Outputs Presentation to PRIA WG November 10, 2006.
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
NIST Computer Security Framework and Grids Original Slides by Irwin Gaines (FNAL) 20-Apr-2006 Freely Adapted by Bob Cowles (SLAC/OSG) for JSPG 13-Mar-2007.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Risk Management Process Frame = context, strategies Assess = determine.
US Department of State Jay Coplon. My Commitment You will get a sense for how we do C&A You will find value in being here All of your questions will be.
Revision N° 11ICAO Safety Management Systems (SMS) Course01/01/08 Module N° 9 – SMS operation.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Introduction to the Federal Defense Acquisition Regulation
I have many checklists: how do I get started with cyber security?
Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities September 27, 2018.
EDUCAUSE Security Professionals Conference 2018 Jason Pufahl, CISO
Cybersecurity ATD technical
IT Management Services Infrastructure Services
Presentation transcript:

Information System Continuous Monitoring (ISCM) FITSP-M Module 7 Information System Continuous Monitoring (ISCM) FITSP-M Module 6 - Continuous Monitoring

Leadership “Continuous monitoring is the backbone of true security.” -Vivek Kundra Federal CIO FITSP-M Module 6 - Continuous Monitoring

FITSP-M Exam Module Objectives Audit and Accountability Manage controls in a system that facilitate the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, and investigation of the system Security Assessments and Authorization Supervise processes that facilitate the monitoring of information system security controls on an ongoing basis to ensure the continued effectiveness of the controls System and Communication Protection Oversee processes that monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems System and Information Integrity Direct mechanisms that monitor information system security alerts and advisories that take appropriate actions in response FITSP-M Module 6 - Continuous Monitoring

Continuous Monitoring Overview Section A: Continuous Monitoring Trends RMF Step 6 – Monitor Security Controls Redefining Risk Management DHS CM Reporting Metrics Cyberscope Section B: CM Guidelines, SP 800-137 ISCM Fundamentals Organization-wide Approach Elements of Organization-wide CM Program Continuous Monitoring Process Section C: Automation Automation Domains SCAP & OCIL Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CEASARS) Section D: CM Implementation FITSP-M Module 6 - Continuous Monitoring

Continuous Monitoring Trends Section A Continuous Monitoring Trends FITSP-M Module 6 - Continuous Monitoring

RMF Step 6 – Monitor Security Controls Information System And Environment Changes Ongoing Security Control Assessments Ongoing Remediation Actions Key Updates Security Status Reporting Ongoing Risk Determination And Acceptance Information System Removal And Decommissioning FITSP-M Module 6 - Continuous Monitoring

Risk Management Redefined OODA Loop FITSP-M Module 6 - Continuous Monitoring

DHS Cyberscope Monthly Data Feeds to DHS Inventory Systems and Services Hardware Software External Connections Security Training Identity Management and Access Government-wide benchmarking on security posture Agency-specific interviews FITSP-M Module 6 - Continuous Monitoring

DHS FY12 Reporting Metrics 1. Continuous Monitoring FITSP-M Module 6 - Continuous Monitoring

Knowledge Check Name the components of the new risk management model. Name the reporting tool, which automates Agency FISMA reporting directly to the DHS. What 3 Continuous Monitoring metrics will DHS expect agencies to report for FY2012? FITSP-M Module 6 - Continuous Monitoring

The CM Guidelines SP 800-137 Section B FITSP-M Module 6 - Continuous Monitoring

NIST SP800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations Information security continuous monitoring (ISCM) is defined as: Maintaining Ongoing Awareness of Information Security, Vulnerabilities, and Threats Support Organizational Risk Management Decisions Begins With Leadership Defining A Comprehensive ISCM Strategy Encompassing technology processes procedures operating environments people FITSP-M Module 6 - Continuous Monitoring

ISCM Fundamentals Define the ISCM strategy Establish an ISCM program Implement the ISCM program Analyze and Report findings Respond to findings Review and Update ISCM strategy and program FITSP-M Module 6 - Continuous Monitoring

Mission/Business Processes ISCM Criteria Tier 1 Tier 2 Tier 3 Organization Mission/Business Processes Information Systems Automated/Manual Data Feeds (Security-related Information, POAMs, SARs) Data Tools Risk Management Strategy: How the organization plans to assess, respond to, and monitor risk Oversight required to ensure effectiveness of RM strategy Program Management Defined by how business processes are prioritized Types of information needed to successfully execute those business processes Monitoring System Level Controls and Security Status Reporting Security Alerts Security Incidents Identified Threat Activities FITSP-M Module 6 - Continuous Monitoring

The CM Process Define an ISCM Strategy Establish an ISCM Program Implement an ISCM Program Determining Appropriate Response Mitigating Risk Review and Update the Monitoring Program FITSP-M Module 6 - Continuous Monitoring

Interrelationships to the CM Process Risk Tolerance Enterprise Architecture Security Architecture Security Configurations Plans for Changes to Enterprise Architecture Available Threat Information FITSP-M Module 6 - Continuous Monitoring

Section C Automation FITSP-M Module 6 - Continuous Monitoring

Role of Automation in ISCM Consideration is given to ISCM tools that: Pull information from a variety of sources (Specifications, Mechanisms, Activities, Individuals) Use open specifications such as SCAP Offer interoperability with other products (help desk, inventory management, configuration management, and incident response solutions) Support compliance with applicable federal laws, regulations, standards, and guidelines Provide reporting with the ability to tailor output Allow for data consolidation into Security Information and Event Management (SIEM) tools and dashboard products. SP 800-137 FITSP-M Module 6 - Continuous Monitoring

Security Automation Domains Vulnerability & Patch Management Event & Incident Management Malware Detection Asset Management Configuration Management Network Management License Management Information Management Software Assurance SP 800-137 FITSP-M Module 6 - Continuous Monitoring

Tools and Technologies Automation Domain Tools and Technologies NIST Guidelines 1 - Vulnerability Management Vulnerability scanners NIST SP 800-40 Creating a Patch and Vulnerability Management Program 2 - Patch Management Patch management tools 3 - Event Management Intrusion detection/ prevention systems and logging mechanisms NIST SP 800-92, Computer Security Log Management 4 - Incident Management NIST SP 800-94, Guide IDPS 5 - Malware Detection Antivirus/ Malware detection mechanisms NIST SP 800-83, Malware Incident Prevention and Handling 6 - Configuration Management SCAP, SEIM, Dashboards NIST SP 800-126r2 The Technical Specification for SCAP Version 1.2 SP 800-137 FITSP-M Module 6 - Continuous Monitoring

Tools and Technologies Automation Domain Tools and Technologies 7 - Asset Management System configuration, network management, and license management tools 8 - Network Management Host discovery, inventory, change control, performance monitoring, and other network device management capabilities 9 - License Management License management tools 10 - Information Management Data Loss Prevention (DLP) Tools: network analysis software, application firewalls, and intrusion detection and prevention systems SP 800-137 FITSP-M Module 6 - Continuous Monitoring

Software Assurance Technologies Security Automation Domain #11 Software Assurance Automation Protocol (SwAAP -measure and enumerate software weaknesses): CWE Common Weakness Enumeration Dictionary of weaknesses that can lead to exploitable vulnerabilities CWSS Common Weakness Scoring System Assigning risk scores to weaknesses CAPEC Common Attack Pattern Enumeration & Classification Catalog of attack patterns MAEC Malware Attribute Enumeration & Characterization Standardized language about malware, based on attributes such as behaviors and attack patterns SP 800-137 FITSP-M Module 6 - Continuous Monitoring

Knowledge Check What is the document that provides guidelines for developing a CM program? What is the first step in the CM Process? Name an automation specification, which is a dictionary of weaknesses that can lead to exploitable vulnerabilities? What is defined as an information security area that includes a grouping of tools, technologies, and data? Data within the domains is captured, correlated, analyzed, and reported to present the security status of the organization that is represented by the domains monitored. FITSP-M Module 6 - Continuous Monitoring

Automation and Reference Data Sources Security Content Automation Protocol (SCAP) What Can Be Automated With SCAP How to Implement SCAP Partially Automated Controls Reference Data Sources National Vulnerability Database (NVD) Security Configuration Checklists FITSP-M Module 6 - Continuous Monitoring

NVD SCAP Program NVD Primary Resources Scan Data Feed Vulnerability Search Engine National Checklist Program SCAP Compatible Tools SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL) Product Dictionary (CPE) Impact Metrics (CVSS) Common Weakness Enumeration (CWE) SCAP Program Scan NVD Data Feed FITSP-M Module 6 - Continuous Monitoring

SCAP: What Can Be Automated? Vulnerability and Patch Scanners Authenticated Unauthenticated Baseline Configuration Scanners Federal Desktop Core Configuration (FDCC) United States Government Configuration Baseline (USGCB) FITSP-M Module 6 - Continuous Monitoring

How to Implement SCAP with SCAP-validated Tools FITSP-M Module 6 - Continuous Monitoring

… and SCAP-expressed Checklists FITSP-M Module 6 - Continuous Monitoring

Partially Automated Controls Open Checklist Interactive Language (OCIL) Define Questions (Boolean, Choice, Numeric, Or String) Define Possible Answers to a Question from Which User Can Choose Define Actions to be Taken Resulting from a User's Answer Enumerate Result Set Used in Conjunction with eXtensible Configuration Checklist Description Format (XCCDF) FITSP-M Module 6 - Continuous Monitoring

Technologies for Aggregation and Analysis Management Dashboards Meaningful And Easily Understandable Format Provide Information Appropriate to Roles And Responsibilities Security Information and Event Management (SIEM), analysis of: Vulnerability Scanning Information, Performance Data, Network Monitoring, System Audit Record (Log) Information Audit Record Correlation And Analysis FITSP-M Module 6 - Continuous Monitoring

CAESARS Framework FITSP-M Module 6 - Continuous Monitoring

FITSP-M Module 6 - Continuous Monitoring

IR 7756 FITSP-M Module 6 - Continuous Monitoring

CM Documents FITSP-M Module 6 - Continuous Monitoring

Knowledge Check Name the set of specifications used to standardize the communication of software flaws and security configurations. What is the name of the U.S. government repository of standards-based vulnerability management data represented using the SCAP specifications? What is the name of the program designed to test the ability of products to use the features and functionality available through SCAP and its component standards? Name an ISCM reference model that provides a foundation for a continuous monitoring reference model that aims to enable organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. FITSP-M Module 6 - Continuous Monitoring

Section D CM Implementation FITSP-M Module 6 - Continuous Monitoring

FITSP-M Module 6 - Continuous Monitoring

FITSP-M Module 6 - Continuous Monitoring Component Abbre-viation What is Scored Source Vulnerability VUL Vulnerabilities detected on a host Foundstone Patch PAT Patches required by a host SMS Security Compliance SCM Failures of a host to use required security settings Policy Auditor Anti-Virus AVR Out of date anti-virus signature file Unapproved OS UOS Unapproved operating systems AD Cyber Security Awareness Training CSA Every user who has not passed the mandatory awareness training within the last 365 days DoS Training Database SOE Compliance SOE Incomplete/invalid installations of any product in the Standard Operating Environment (SOE) suite AD Computers ADC Computer account password ages exceeding threshold AD Users ADU User account password ages exceeding threshold (scores each user account, not each host) SMS Reporting Incorrect functioning of the SMS client agent Vulnerability Reporting VUR Missed vulnerability scans Security Compliance Reporting SCR Missed security compliance scans FITSP-M Module 6 - Continuous Monitoring

Monitoring Tool Data Sources Component ID What is Scored Source Vulnerability VUL Vulnerabilities detected on a host Foundstone (McAfee) Patch PAT Patches required by a host SMS (System Center) Security Compliance SCM Failures of a host to use required security settings McAfee Policy Auditor Anti-Virus AVR Out of date anti-virus signature file Unapproved OS UOS Unapproved operating systems AD Cyber Security Awareness Training CSA Every user who has not passed the mandatory awareness training within the last 365 days DoS Training Database SOE Compliance SOE Incomplete/invalid installations of any product in the Standard Operating Environment (SOE) suite AD Computers ADC Computer account password ages exceeding threshold AD Users ADU User account password ages exceeding threshold (scores each user account, not each host) SMS Reporting SMS Incorrect functioning of the SMS client agent Vulnerability Reporting VUR Missed vulnerability scans Security Compliance Reporting SCR Missed security compliance scans FITSP-M Module 6 - Continuous Monitoring

Risk Scoring FITSP-M Module 6 - Continuous Monitoring

Remediation FITSP-M Module 6 - Continuous Monitoring

CM Challenges The Organization of the SP 800-53 Emerging CM Technologies SCAP OCIL The Limitations of CAESARS Department of State’s iPost and Risk Scoring Program FITSP-M Module 6 - Continuous Monitoring

CM Discussion Section Optional FITSP-M Module 6 - Continuous Monitoring

Organization of Security Controls 18 Families 198 Controls 892 Control Items (Parts/Enhancements) FITSP-M Module 6 - Continuous Monitoring

Control Catalog Redundancies Evident in USGCB FITSP-M Module 6 - Continuous Monitoring

DoD Solution: Mapping STIG to 800-53 FITSP-M Module 6 - Continuous Monitoring

DoS Solution: Using Fishbone to Find Root Controls FITSP-M Module 6 - Continuous Monitoring

DoS Solution: Proposed Structure of Security Control Catalog FITSP-M Module 6 - Continuous Monitoring

The Limitations of CAESARS Lack of Interface Specifications Reliance on an Enterprise Service Bus Incomplete Communication Payload Specifications Lack of Specifications Describing Subsystem Capabilities Lack of a Multi-CM Instance Capability Lack of Multi-Subsystem Instance Capability CM Database Integration with Security Baseline Content Lack of Detail on the Required Asset Inventory Requirement for Risk Measurement FITSP-M Module 6 - Continuous Monitoring

GAO Report on Scope of iPost Risk Scoring Program Addresses windows hosts but not other IT assets on its major unclassified network Covers a set of 10 scoring components that includes some, but not all, information system controls that are intended to reduce risk State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment FITSP-M Module 6 - Continuous Monitoring

Minimum Security Controls (FIP 200) Controls Monitored by iPost Access Control Security Compliance (AD Group check) Awareness and Training Awareness Training Audit and Accountability Reporting Security Assessment and Authorization Configuration Management Patching, SOE, Reporting(Inventory) Contingency Planning Identification and Authentication AD Computers & Users Incident Response Maintenance Media Protection Physical and Environmental Protection Planning Personnel Security Risk Assessment Vulnerabilities System and Services Acquisition System and Communications Protection System and Information Integrity Patching, Antivirus FITSP-M Module 6 - Continuous Monitoring

Challenges with Implementation of iPost Overcoming limitations and technical issues with data collection tools Identifying and notifying individuals with responsibility for site-level security Implementing configuration management for iPost Adopting a strategy for continuous monitoring of controls Managing stakeholder expectations for continuous monitoring activities FITSP-M Module 6 - Continuous Monitoring

Continuous Monitoring Key Concepts & Vocabulary Role in the RMF Process RMF Step 6 – Monitor Security Controls Characteristics of Continuous Monitoring organization-wide approach Elements of Organization-wide CM Program Continuous Monitoring Process Role of Automation Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CEASARS) FITSP-M Module 6 - Continuous Monitoring

Questions? FITSP-M Module 6 - Continuous Monitoring

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.