Ensuring Information Security
Session T-2: Ensuring Information Security
Bob Ingwalson and Tom Peters, U.S. Department of Education

Secure Your Information

Systems are Vulnerable!

We Implement Security Based on Cost vs. Risk

Agenda
- Protect Sensitive Information (recap): in the office; on the system
- Ensuring Security
- Incident Detection and Reporting

Office Security
- Physical security
- Personnel security
- Policy and procedures
- Handling and storage: phones, faxes, shipping and deliveries, CDs/DVDs, printers, USB/flash/thumb drives

System Security (Defense in Depth)
- Policy
- Personnel security
- Physical security
- Network security
- Host-based security
- Application security
Source: www.macroview.com/solutions/infosecurity/

Ensure Security
- Federal law (FISMA) requires Federal agencies to comply with NIST standards
- Federal Student Aid security is based on NIST standards and guides
- Federal Student Aid uses US-CERT's reporting guidance for security incidents

Ensuring Security Using the NIST System Security Lifecycle

Security Categorization
Security categorization begins by identifying the system:
- Boundaries
- Organizational importance/criticality
- Information sensitivities: confidentiality, integrity and availability (CIA), each rated high, moderate or low (HML)
References: FIPS 199, SP 800-60

Information Sensitivities

Security Control Selection
- Select controls based on data sensitivity and system criticality
- NIST SP 800-53, Recommended Security Controls for Federal Information Systems: "In addition to the agencies of the federal government, state, local, and tribal governments, and private sector organizations that compose the critical infrastructure of the United States, are encouraged to use these guidelines, as appropriate."
- 17 control families; 171 controls, organized into low, moderate and high baselines selected by the system's FIPS 199 impact level
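The two slides above describe the categorization step (FIPS 199 / SP 800-60) and how its result drives baseline selection (SP 800-53). The following is an added example, not code from the original presentation or from Federal Student Aid: it applies the FIPS 199 high-water mark across the information types a system processes, enforces the rule that "not applicable" is allowed only for the confidentiality of public information and never at the system level, and reports which SP 800-53 baseline applies. The information types and impact levels in SAMPLE_INFO_TYPES are constructed for illustration and are not values taken from SP 800-60.

```python
"""FIPS 199 security categorization feeding SP 800-53 baseline selection.

Added example, not from the original slides. The information types and the
impact levels attached to them below are constructed for illustration and
are not taken from SP 800-60.
"""
from typing import Dict, Tuple

# Impact levels in ascending order. FIPS 199 allows "n/a" only for the
# confidentiality of information that is intended to be public.
RANK = {"n/a": -1, "low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# One information type = its provisional impact per objective, i.e. the
# FIPS 199 triple SC = {(confidentiality, x), (integrity, y), (availability, z)}.
InfoType = Dict[str, str]

SAMPLE_INFO_TYPES: Dict[str, InfoType] = {  # constructed sample data
    "public program descriptions": {"confidentiality": "n/a", "integrity": "low", "availability": "low"},
    "student financial aid records": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "payment disbursement": {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}


def validate(name: str, info_type: InfoType) -> None:
    """Reject malformed or disallowed ratings before they reach the high-water mark."""
    for obj in OBJECTIVES:
        level = info_type.get(obj)
        if level not in RANK:
            raise ValueError(f"{name}: {obj} has no valid impact level ({level!r})")
        if level == "n/a" and obj != "confidentiality":
            raise ValueError(f"{name}: 'n/a' is only permitted for confidentiality")


def categorize_system(info_types: Dict[str, InfoType]) -> Dict[str, str]:
    """FIPS 199 high-water mark: for each objective, the highest provisional
    impact across every information type the system processes."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for name, it in info_types.items():
        validate(name, it)
    sc = {}
    for obj in OBJECTIVES:
        level = max((it[obj] for it in info_types.values()), key=RANK.__getitem__)
        # FIPS 199: 'n/a' cannot be assigned to a system objective; the floor is 'low'.
        sc[obj] = "low" if level == "n/a" else level
    return sc


def overall_impact(sc: Dict[str, str]) -> str:
    """System impact level = high-water mark across the three objectives.
    This single level selects the SP 800-53 low/moderate/high baseline."""
    return max(sc.values(), key=RANK.__getitem__)


def select_baseline(info_types: Dict[str, InfoType]) -> Tuple[Dict[str, str], str]:
    sc = categorize_system(info_types)
    return sc, overall_impact(sc)


if __name__ == "__main__":
    sc, level = select_baseline(SAMPLE_INFO_TYPES)
    print("SC =", sc)
    print(f"system impact = {level}; apply the SP 800-53 {level} baseline")
```

With the constructed data the integrity rating of the payment information type alone pulls the whole system to the high baseline, which is the practical consequence of the high-water mark: one sensitive information type sets the control set for everything sharing the system boundary.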

Security Control Selection

Security Control Selection: example control
PE-8 ACCESS RECORDS
Control: The organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) that includes:
(i) name and organization of the person visiting;
(ii) signature of the visitor;
(iii) form of identification;
(iv) date of access;
(v) time of entry and departure;
(vi) purpose of visit; and
(vii) name and organization of person visited.
Designated officials within the organization review the visitor access records [Assignment: organization-defined frequency].
Supplemental Guidance: None.
Control Enhancements:
(1) The organization employs automated mechanisms to facilitate the maintenance and review of access records.
(2) The organization maintains a record of all physical access, both visitor and authorized individuals.

Security Control Refinement (assess the risk – SP 800-30)

Security Control Refinement: risk ratings
- High: if an observation or finding is evaluated as high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
- Moderate: if an observation is rated as moderate risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
- Low: if an observation is described as low risk, the system's authorizing official must determine whether corrective actions are still required or decide to accept the risk.

Security Control Refinement

Security Control Documentation
- Plan of Action and Milestones (POA&M) (SP 800-37): security control weaknesses; plan of remediation
- System Security Plan (SP 800-18, SP 800-53): system description; rules of behavior; security controls (in place and planned)
- Contingency Plan (SP 800-34): Business Impact Analysis (BIA); notification/activation; recovery; deactivation

Security Control Implementation
- Implement the Plan of Action and Milestones (POA&M)
- Update system controls based on the security plan
- Use security configuration guides and checklists (SP 800-70)
- Update the System Security Plan

Security Control Assessment (SP 800-53A, SP 800-37)
- Independent reviewer (certification agent)
- Reviews the controls identified in the System Security Plan
- Determines control effectiveness
- Results are used to update the POA&M
- Provides input to the authorizing official

Security Authorization (SP 800-37)
- The authorizing official determines the risk to agency operations, agency assets, or individuals and decides whether to accept it

Security Control Monitoring (SP 800-37, SP 800-53A)
Continuously track changes to the system and new vulnerabilities:
- Vulnerability scans and penetration testing
- Audit and log monitoring
- Security configuration and compliance checks
- Assessments and reviews
- Intrusion detection and prevention systems (IDPSs) for effective incident response

Security Incident Response and Reporting
What's a security incident? An incident can be unintentional or malicious. SP 800-61 states: "A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of incidents are as follows:"
- Denial of Service
- Malicious Code
- Unauthorized Access
- Inappropriate Usage
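The monitoring slide lists audit and log monitoring as a continuous-monitoring activity, and the slide above gives the SP 800-61 example categories. The following is an added example, not code from the original presentation: it runs simple detection logic over constructed OpenSSH/syslog authentication lines, groups failed logins by source address, and raises an incident candidate in the "Unauthorized Access" category, prioritized higher when a successful login follows the failure burst from the same source. The hostnames, addresses, usernames and the FAILURE_THRESHOLD value are assumptions for the example.

```python
"""Audit-log monitoring that turns a burst of failed logins into an incident
candidate in the SP 800-61 example category 'Unauthorized Access'.

Added example, not from the original slides. The log lines are constructed in
OpenSSH/syslog format; the failure threshold is an assumption to be tuned.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_LOG = """\
Mar 12 10:15:01 fsa-web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Mar 12 10:15:03 fsa-web1 sshd[1235]: Failed password for root from 203.0.113.5 port 4423 ssh2
Mar 12 10:15:05 fsa-web1 sshd[1236]: Failed password for root from 203.0.113.5 port 4424 ssh2
Mar 12 10:15:07 fsa-web1 sshd[1237]: Failed password for root from 203.0.113.5 port 4425 ssh2
Mar 12 10:15:09 fsa-web1 sshd[1238]: Failed password for root from 203.0.113.5 port 4426 ssh2
Mar 12 10:15:30 fsa-web1 sshd[1240]: Accepted password for root from 203.0.113.5 port 4430 ssh2
Mar 12 10:16:00 fsa-web1 sshd[1250]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Mar 12 10:16:10 fsa-web1 sshd[1251]: Failed password for bob from 198.51.100.8 port 5001 ssh2
Mar 12 10:16:12 fsa-web1 sshd[1252]: Accepted password for bob from 198.51.100.8 port 5002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

FAILURE_THRESHOLD = 5  # assumption: failures from one source that warrant review


@dataclass
class SourceState:
    host: str
    first_seen: str
    last_seen: str
    users: List[str] = field(default_factory=list)
    failures: int = 0
    success_after_failures: bool = False


@dataclass
class Candidate:
    category: str   # SP 800-61 example category from the slide
    priority: str   # 'high' if the burst ended in a successful login
    source: str
    host: str
    users: List[str]
    failures: int
    succeeded: bool
    first_seen: str
    last_seen: str


def analyze(log_text: str, threshold: int = FAILURE_THRESHOLD) -> List[Candidate]:
    state: Dict[str, SourceState] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not sshd auth events are out of scope here
        ts, host, result, user, src = m.group("ts", "host", "result", "user", "src")
        s = state.setdefault(src, SourceState(host=host, first_seen=ts, last_seen=ts))
        s.last_seen = ts
        if user not in s.users:
            s.users.append(user)
        if result == "Failed":
            s.failures += 1
        elif s.failures >= threshold:
            # A success that follows a failure burst from the same source is the
            # strongest indicator here that an account is now compromised.
            s.success_after_failures = True

    candidates = []
    for src, s in state.items():
        if s.failures < threshold:
            continue
        candidates.append(Candidate(
            category="Unauthorized Access",
            priority="high" if s.success_after_failures else "moderate",
            source=src, host=s.host, users=list(s.users), failures=s.failures,
            succeeded=s.success_after_failures,
            first_seen=s.first_seen, last_seen=s.last_seen))
    return candidates


def report(candidates: List[Candidate]) -> str:
    """Plain-text summary suitable for an incident notification."""
    lines = []
    for c in candidates:
        lines.append(
            f"[{c.priority.upper()}] {c.category}: {c.failures} failed logins from {c.source} "
            f"on {c.host} ({c.first_seen} to {c.last_seen}); accounts tried: {', '.join(c.users)}"
            + ("; a later login from this source SUCCEEDED" if c.succeeded else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)) or "no candidates")
```

The single failed attempt from 198.51.100.8 followed by a success stays below the threshold and is not reported; this is the kind of tuning decision the Preparation slides leave to the incident response policy (prioritization and severity ratings).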

Security Incident Response and Reporting US-CERT’s Classification of Incidents

Security Incident Response and Reporting

Preparation
Creating an incident response policy:
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy (to whom and what it applies, and under what circumstances)
- Definition of computer security incidents and their consequences within the context of the organization
- Organizational structure and delineation of roles, responsibilities, and levels of authority
- Prioritization or severity ratings of incidents
- Performance measures
- Reporting and contact forms

Preparation (con’t) Developing procedures for performing incident handling and reporting, based on the incident response policy Setting guidelines for communicating with outside parties regarding incidents Selecting a team structure and staffing model Establishing relationships between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies) Determining what services the incident response team should provide Staffing and training the incident response team.

Detection and Analysis
- Incident categories
- Signs of an incident
- Sources of precursors and indications
- Incident analysis
- Incident documentation
- Incident prioritization
- Incident notification

Contain, Eradicate, Recover
- Enact your containment strategy: isolate affected systems
- Evidence gathering and evidence handling: maintain chain of custody
- Remove the risks to the systems
- Recover the systems: restore from clean backups; rebuild systems; replace compromised files and applications; install patches; change passwords
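The evidence-handling item above calls for chain of custody, which in practice means proving that collected evidence is unchanged at every hand-off. The following is an added example, not code from the original presentation: it hashes evidence in chunks (so disk images need not be read into memory), records the reference digest when the item is acquired, re-hashes on every transfer, and appends the outcome to a custody log that is never rewritten. The evidence bytes, item ID, handler names and timestamps are constructed for the example.

```python
"""Evidence integrity for chain of custody: hash on acquisition, re-hash on
every hand-off, record the result in an append-only custody log.

Added example, not from the original slides. The evidence bytes, item IDs,
handler names and timestamps are constructed for illustration.
"""
import hashlib
import io
import json
from typing import BinaryIO, Dict, Tuple

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so disk images are never read whole


def sha256_stream(stream: BinaryIO) -> str:
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(manifest: Dict, item_id: str, description: str,
            stream: BinaryIO, handler: str, when: str) -> str:
    """Record the reference hash at the moment evidence is collected."""
    if item_id in manifest:
        raise ValueError(f"{item_id} already acquired; the custody log is append-only")
    digest = sha256_stream(stream)
    manifest[item_id] = {
        "description": description,
        "sha256": digest,
        "custody": [{"action": "acquired", "by": handler, "at": when}],
    }
    return digest


def transfer(manifest: Dict, item_id: str, from_handler: str, to_handler: str,
             when: str, stream: BinaryIO) -> bool:
    """Re-hash at hand-off. A mismatch is logged and raised, never silently accepted."""
    entry = manifest[item_id]
    digest = sha256_stream(stream)
    ok = digest == entry["sha256"]
    entry["custody"].append({"action": "transferred", "from": from_handler,
                             "to": to_handler, "at": when, "verified": ok,
                             "observed_sha256": digest})
    if not ok:
        raise ValueError(f"{item_id}: integrity check failed on transfer to {to_handler}")
    return True


def verify(manifest: Dict, item_id: str, stream: BinaryIO) -> bool:
    return sha256_stream(stream) == manifest[item_id]["sha256"]


def export_manifest(manifest: Dict) -> str:
    """Serialize the custody record; store or sign it separately from the evidence."""
    return json.dumps(manifest, indent=2, sort_keys=True)


# Constructed evidence: a captured web-server log fragment and a tampered copy.
EVIDENCE = b'203.0.113.5 - - [12/Mar/2009:10:15:30] "POST /admin/login" 200\n'
TAMPERED = EVIDENCE.replace(b"200", b"403")


def demo() -> Tuple[Dict, Dict[str, bool]]:
    manifest: Dict = {}
    acquire(manifest, "EV-001", "web1 access.log excerpt", io.BytesIO(EVIDENCE),
            handler="analyst-a", when="2009-03-12T10:20:00Z")
    results = {
        "original_ok": verify(manifest, "EV-001", io.BytesIO(EVIDENCE)),
        "tampered_ok": verify(manifest, "EV-001", io.BytesIO(TAMPERED)),
        "clean_transfer": transfer(manifest, "EV-001", "analyst-a", "analyst-b",
                                   "2009-03-12T11:00:00Z", io.BytesIO(EVIDENCE)),
    }
    try:
        transfer(manifest, "EV-001", "analyst-b", "counsel",
                 "2009-03-12T12:00:00Z", io.BytesIO(TAMPERED))
        results["tampered_transfer_raised"] = False
    except ValueError:
        results["tampered_transfer_raised"] = True
    return manifest, results


if __name__ == "__main__":
    m, r = demo()
    print(export_manifest(m))
    print(r)
```

The failed transfer is still written to the custody log before the error is raised, so the record shows who held the item when its hash stopped matching; that is the information the evidence-retention and prosecution items on the post-incident slide depend on.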

Post-Incident Activities
- Lessons learned (hotwash): be critical; use collected data; review security settings (what allowed the incident to occur); review what went right and what needs improvement
- Evidence retention: prosecution; data retention; costs

Resources
Vulnerabilities:
- OWASP (http://www.owasp.org)
- SANS Top 20 (http://www.sans.org/top20)
- National Vulnerability Database (http://nvd.nist.gov)
- cgisecurity (http://www.cgisecurity.com)
Guidance:
- National Institute of Standards and Technology (NIST) Computer Security Resource Center (http://csrc.nist.gov/publications/nistpubs/)
- Center for Internet Security (CIS) (http://www.cisecurity.org/)
- Educause (http://connect.educause.edu/term_view/Cybersecurity)

Questions?

Contact Information
We appreciate your feedback and comments. We can be reached at:
Bob Ingwalson, Phone: 202.377.3563, Email: Robert.Ingwalson@ed.gov, Fax: 202.275.0907
Tom Peters, Phone: 202.377.3938, Email: Thomas.Peters@ed.gov