
Security Assessments FITSP-M Module 5

"Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits; rather, security control assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives."
Joint Task Force Transformation Initiative, from NIST SP 800-53A
Leadership

FITSP-M Exam Module Objectives
 Risk Assessment
–Ensure periodic assessment of risk to the organization
 Security Assessments and Authorization
–Direct processes that facilitate the periodic assessment of the security controls in organizational information systems to determine if the controls are effective in their application

Security Assessment Module Overview
 Section A: Assessment Foundation
–RMF Tasks for Step 4
–Assessments Within the SDLC
–Security Content Automation Protocol
–Strategy for Conducting Security Control Assessments
–Building an Effective Assurance Case
–Assessment Procedures
 Section B: Planning for Assessments
–Preparing for Security Control Assessments
–Developing Security Assessment Plans
 Section C: Conducting and Reporting
–Conducting Security Control Assessments
–Analyzing Security Assessment Report Results

ASSESSMENT FOUNDATION Section A

RMF Step 4 – Assess Security Controls
 Assessment Preparation
 Security Control Assessment
 Security Assessment Report
 Remediation Actions

Assessments Within the SDLC
 Initiation
 Development/Acquisition
–Design and Code Reviews
–Application Scanning
–Regression Testing
 Implementation
 Operations and Maintenance
–Security assessments conducted by information system owners, common control providers, information system security officers, independent assessors, auditors, and Inspectors General
 Disposition (Disposal)

Security Content Automation Protocol
 SCAP complements (does not replace) security assessments
 Automates monitoring and reporting of
–Vulnerabilities
–Configurations
 Open Checklist Interactive Language (OCIL)
–Partially automated monitoring: captures the answers to questions a person must still supply
–Expresses determination statements in a format compatible with SCAP

Strategy for Conducting Security Control Assessments
 Maximize Use of Common Controls
 Share Assessment Results
 Develop Organization-wide Procedures
 Provide Organization-wide Tools, Templates, and Techniques

Building an Effective Assurance Case
 Compiling and Presenting Evidence
 Basis for Determining Effectiveness of Controls
 Product Assessments
 System Assessments
 Risk Determination

Trustworthiness

Assessment Procedures
 Assessment Objectives
 Determination Statements
 Assessment Methods
 Assessment Objects
 Assessment Findings

Objective Determination Statement

Control Statement

Subsequent Objectives

Assessment Methods
 Examine
 Interview
 Test
 Attributes
–Depth (Basic, Focused, Comprehensive)
–Coverage (Basic, Focused, Comprehensive)
–Determined by Assurance Requirements
–Defined by Organization

Assessment Objects
 Specifications (Artifacts)
 Mechanisms (Components of an Information System)
 Activities (Actions)
 Individuals

Benefits of Repeatable and Documented Methods
 Provide Consistency and Structure
 Minimize Testing Risks
 Expedite Transition of New Staff
 Address Resource Constraints
 Reuse Resources
 Decrease Time Required
 Cost Reduction

Knowledge Check
 What task must the assessor complete before conducting a security assessment?
–After?
 What type of software testing seeks to uncover new software bugs in existing functional and non-functional areas of a system after changes have been made to them?
 What term describes a body of evidence, organized into an argument, demonstrating that some claim about an information system is assured?
 An assessment procedure consists of a set of assessment ___________, each with an associated set of potential assessment ___________ and assessment ___________. An assessment objective includes a set of ___________ statements related to the security control under assessment.

PLANNING FOR ASSESSMENTS Section B

Preparing for the Process of Security Control Assessments
 Understanding the Organization's Operations
 Understanding the Information System Structure
 Understanding the Security Controls Being Assessed
 Identifying Organizational Entities Responsible for Development and Implementation of Common Controls
 Identifying Points of Contact
 Obtaining Artifacts
 Obtaining Previous Assessment Results
 Establishing Rules of Engagement
 Developing a Security Assessment Plan

Gathering Background Information
 Security Policies
 Implementing Procedures
 Responsible Entities
 Materials Associated with Implementation and Operation of Security Controls
 Objects to Be Assessed

Selecting Security Control Assessors
 Technical Expertise
–Specific Hardware
–Software
–Firmware
 Level of Independence
–Impartiality
–Determined by the Authorizing Official
–Based on Security Categorization
 Independent Security Control Assessment Services
–Contracted to an Outside Entity; or
–Obtained Within the Organization

Developing Security Assessment Plans
 Determine Which Security Controls/Control Enhancements to Assess
 Select Appropriate Assessment Procedures
 Tailor Assessment Procedures
 Address Controls That Are Not Sufficiently Covered
 Optimize Assessment Procedures
 Obtain Approvals to Execute the Plan

CONDUCTING & REPORTING Section C

Conducting Security Control Assessments
 Execution of the Security Assessment Plan
 Output: Security Assessment Report
 May Develop an Assessment Summary
 Assessment Findings
–Satisfied (S) = Fully Acceptable Result
–Other than Satisfied (O) = Potential Anomaly; the assessor documents what was found and the organization decides how to treat it
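The two slides on SCAP and on assessment findings meet in practice when a scanner's results have to be turned into S/O determinations. The following is an added example (not part of the course material, and not code from NIST or any SCAP tool): it parses a constructed XCCDF 1.2 TestResult fragment, maps each rule result onto Satisfied, Other than Satisfied, or "still needs a manual examine/interview/test step", and rolls the rule-level results up to the control they support. The rule identifiers and the rule-to-control mapping are assumed for illustration.

```python
"""Roll SCAP/XCCDF rule results up into SP 800-53A-style assessment findings.

Added example for the FITSP-M Module 5 notes. The XCCDF fragment below is
constructed for this example, not the output of a real scan.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: four rules, three automated results and one rule that
# the checklist left for a human (OCIL-style) follow-up. Rule ids are made up.
SAMPLE_RESULTS = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_1">
  <rule-result idref="xccdf_example_rule_password_min_len">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_account_review">
    <result>notchecked</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_ssh_ciphers">
    <result>error</result>
  </rule-result>
</TestResult>
"""

# Assumed mapping from checklist rules to the SP 800-53 control each supports.
RULE_TO_CONTROL = {
    "xccdf_example_rule_password_min_len": "IA-5",
    "xccdf_example_rule_audit_enabled": "AU-12",
    "xccdf_example_rule_account_review": "AC-2",
    "xccdf_example_rule_ssh_ciphers": "SC-8",
}

SATISFIED = "S"
OTHER_THAN_SATISFIED = "O"
MANUAL = "manual"   # automation produced no determination; assessor must follow up


def finding_for(result: str) -> str:
    """Map one XCCDF result value onto an assessment finding."""
    if result in ("pass", "fixed", "notapplicable"):
        return SATISFIED
    if result in ("fail", "error", "unknown"):
        # Anomaly: goes into the SAR as O for analysis, never silently accepted.
        return OTHER_THAN_SATISFIED
    # notchecked / notselected / informational: no determination was made, so the
    # objective still needs an examine, interview or test step.
    return MANUAL


def parse_rule_results(xml_text: str) -> dict:
    """Return {rule_id: result_value} from an XCCDF TestResult or Benchmark.

    Results files come from scanners you may not fully trust; for untrusted
    input prefer defusedxml over the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    test_result = root if root.tag.endswith("}TestResult") \
        else root.find(".//x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element found")
    results = {}
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        results[rr.get("idref")] = (res.text or "").strip() if res is not None else "unknown"
    return results


def rollup_by_control(rule_results: dict, rule_to_control: dict) -> dict:
    """A control is S only when every supporting rule is S; any O makes it O;
    anything else is still open for manual assessment."""
    per_control = {}
    for rule, result in rule_results.items():
        control = rule_to_control.get(rule, "UNMAPPED")
        per_control.setdefault(control, []).append(finding_for(result))
    rolled = {}
    for control, findings in per_control.items():
        if OTHER_THAN_SATISFIED in findings:
            rolled[control] = OTHER_THAN_SATISFIED
        elif all(f == SATISFIED for f in findings):
            rolled[control] = SATISFIED
        else:
            rolled[control] = MANUAL
    return rolled


def summarize(rolled: dict) -> Counter:
    """Count controls per finding, the numbers an assessment summary would carry."""
    return Counter(rolled.values())


if __name__ == "__main__":
    rolled = rollup_by_control(parse_rule_results(SAMPLE_RESULTS), RULE_TO_CONTROL)
    for control, finding in sorted(rolled.items()):
        print(f"{control}: {finding}")
    print(dict(summarize(rolled)))
```

The design point is the third bucket: a scanner that reports notchecked or notselected has not assessed anything, and treating that as a pass is exactly the checklist mentality the module's opening quote warns against. Only the S and O buckets belong in the Security Assessment Report; the manual bucket is a to-do list for the assessor.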

Analyzing Security Assessment Report Results
 Review Weaknesses and Deficiencies in Security Controls
 Prioritize Correcting the Deficiencies Based On
–Critical Information Systems
–High-Risk Deficiencies
 Key Document Updates
–System Security Plan with Updated Risk Assessment
–Security Assessment Report
–Plan of Action and Milestones

Security Assessments Key Concepts and Vocabulary
 Assessments Within the SDLC
 Strategy for Conducting Security Control Assessments
 Building an Effective Assurance Case
 Assessment Procedures
 Preparing for Security Control Assessments
 Developing Security Assessment Plans
 Conducting Security Control Assessments
 Analyzing Security Assessment Report Results

Lab Activity 4 – Building an Assessment Case
RMF steps (figure):
Step 1 – Categorize Information System
Step 2 – Select Controls
Step 3 – Implement Controls
Step 4 – Assess Controls
Step 5 – Authorize Information System
Step 6 – Monitor Controls

Questions? Next Module: Authorization