S.ICZ Frantisek Vosejpka The enforcement of NATO INFOSEC requirements into the policy and architecture of CISs CATE 2003 Brno,

Presentation transcript:

S.ICZ Frantisek Vosejpka The enforcement of NATO INFOSEC requirements into the policy and architecture of CISs CATE 2003 Brno, April 2003

2 1. The objectives
To sum up the shortcomings that have caused some Czech government CISs to fall short of the required functionality and fail their certification process.
General INFOSEC requirements of:
- Czech Act No 148/1998, and
- the revised NATO Security Policy.
A possible „Target CIS INFOSEC architecture“ and the migration steps towards it.

3 2. The limitations of this presentation
The content of this article is unclassified and is limited by the rather restricted access that a civilian company (even one holding an industrial security clearance) has to the full suite of NATO Security Policy documents.

4 3. NATO INFOSEC Policy within the national conditions
Sets out the policy and minimum standards for the protection of NATO classified information, supporting system services, and resources.
Addresses:
- the activities in the system life cycle,
- security principles,
- INFOSEC responsibilities, and
- system interconnection requirements.

5 (continued)
NATO INFOSEC policy is:
- mandatory whenever a NATO CIS or one of its nodes is deployed within national conditions,
- recommended and very useful in many other cases within national CISs.
NATO INFOSEC policy and the documents on INFOSEC Architecture contribute to compatibility and interoperability.

6 (continued)
NATO INFOSEC policy is applicable to the MoD, the MFA and other organizations whose CISs are to be connected to a CIS of the European Union.
The Security Arrangements:
- All NATO classified information that is released to the WEU is for official use only. It will be disseminated to individuals in the WEU on a Need-To-Know basis;
- WEU security regulations are based on NATO regulations;
- NATO Unclassified information is for official use only and should be appropriately protected.

7 4. Current state of CISs within the CZ government organizations
Some government organizations currently have a large deployed base of problem-oriented CISs that are:
- designed to different standards and not interoperable,
- each protecting information at its own specific classification level,
- using different confidentiality algorithms.
The need to develop an integrated CIS for the entire organization has arisen.

8 5. Problems of integration
Diversity of CISs leads to difficulty in systems integration:
- broad diversity of technology;
- multiplicity of databases, mail and other common services;
- high project investment needs and their low efficiency;
- high operation and maintenance requirements, lack of IT specialists;
- high requirements on the communication infrastructure;

9 (continued) … difficulty in systems integration:
- failure to meet user requirements on operability and information availability from a single workstation;
- failure to meet the security requirements necessary for the issue of the “Approval to Operate” classified information (the certificate);
- inability to fulfil the security requirements simultaneously at all sites leads to operation limited to unclassified information;
- an “Approval to Operate” limited to one or several sites also causes failure to meet operational requirements.

10 User access fails from a single computer

11 6. The way to integrate …
The analysis and design of the INFOSEC Architecture of the Target CIS:
- Core Services;
- Functional Applications.
Projection of a Migration Plan:
- definition of the Community Security Requirement Statement (CSRS);
- migration of CISs into the common network of the future “Target CIS”;
- smooth migration of IT to common standards.

12 The CISs integrated within the frame of CSRS

13 The IT integrated within the common standards

14 7. Policy, classification level, and security mode of operation
Requirements:
- operational requirements;
- classified information of different levels.
Limitations:
- Commercial Off-The-Shelf (COTS) IT;
- security environment (physical, personnel);
- security mode of operation;
- need-to-know and other security principles.

15 The CISs integrated within the frame of CSRS

16 9. Conclusions
CZ CISs that handle classified information:
- have to meet the minimum security requirements of Czech Act No 148/1998;
- should follow the NATO Security Policy Directives and the NATO INFOSEC Architecture to implement the detailed:
  - security principles and minimum standards,
  - life cycle requirements,
  - risk evaluation and vulnerability reports,
  - risk management procedures,
  - security operational procedures, etc.