Panel: Moderator: Michele Iversen Guest Experts: Dr. Ron Ross, Rod Beckstrom, Bob Wandell.


Compliance means adhering to laws, regulations, standards, best practices, and contractual requirements (collectively referred to as "mandates").
- It includes the process of becoming and remaining compliant: an ongoing state of continuous improvement that requires discipline across the enterprise, over the business and product lifecycle.
- It contributes to achieving risk management objectives:
  - a mechanism for controlling and managing risk
  - protects nonpublic, sensitive information
  - establishes standards for information security
  - deters cybercriminals, including insiders
  - holds corporate boards and senior executives accountable
- Risk management has industry standards that cross industries and geographies; they can be quite complex!

Federal Government:
- Federal Information Security Management Act (FISMA)
- Federal Risk and Authorization Management Program (FedRAMP)
- FIPS standards
- Common Criteria
- Security Technical Implementation Guides (STIGs)
- U.S. Rehabilitation Act, Section 508
- Communications Assistance for Law Enforcement Act (CALEA)

Banking & Finance:
- Sarbanes-Oxley Act (SOX)
- National Automated Clearing House Association (NACHA), the Electronic Payments Association
- Electronic Data Interchange (EDI)
- Payment Card Industry Data Security Standard (PCI DSS)

Health Care:
- Health Insurance Portability and Accountability Act (HIPAA)
- HITECH Meaningful Use
- Health Level Seven International (HL7) standards development organization

Privacy:
- New York State privacy law
- California privacy and identity management law
- And other states!
- Europe and other countries

Federal Information Security Management Act (FISMA)
- Federal law enacted in 2002 as Title III of the E-Government Act; it recognizes the importance of information security to the economic and national security interests of the U.S.
- Provides a framework for ensuring the effectiveness of information security controls over information resources supporting federal operations.
- Requires that agencies identify and provide information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.
- States that the head of each agency is responsible for providing information security protections.

Multi-tiered risk management approach (National Institute of Standards and Technology):
- Tier 1: Organization (governance), strategic risk focus
- Tier 2: Mission / business process (information and information flows)
- Tier 3: Information system (environment of operation), tactical risk focus

Characteristics of the approach:
- Implemented by the risk executive function
- Enterprise architecture and SDLC focus
- Information security architecture
- Flexible and agile implementation
- Threat aware

Security life cycle (National Institute of Standards and Technology):
1. CATEGORIZE information system (starting point; guidance: FIPS 199 / SP): define the criticality/sensitivity of the information system according to the potential worst-case, adverse impact to mission/business.
2. SELECT security controls (guidance: FIPS 200 / SP): select baseline security controls; apply tailoring guidance and supplement controls as needed based on the risk assessment.
3. IMPLEMENT security controls (guidance: SP / SP): implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS security controls (guidance: SP A): determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting the security requirements for the information system).
5. AUTHORIZE information system (guidance: SP): determine the risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR security state (guidance: SP): continuously track changes to the information system that may affect security controls and reassess control effectiveness.

The length of the FISMA compliance process is highly variable, depending on several factors such as:
- The security category (FIPS 199 Low, Moderate, High)
- The availability of resources with the skills and spare time to manage the process
- The current level of security controls
- The total number of users in a project
- The complexity of the computing environment

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is mandatory for federal agency cloud deployments and service models at the low and moderate risk impact levels. To initiate the process, a cloud service provider (CSP) or federal agency submits a completed FedRAMP request form and a Federal Information Processing Standards (FIPS) 199 worksheet to FedRAMP. The FedRAMP Joint Authorization Board reviews the risk posture of cloud systems and grants "provisional authorizations" based on the submitted security package.

FedRAMP documentation requirements (authorization package), 1 of 2:
- System Security Plan: describes how the controls are implemented within the cloud information system and its environment of operation. The SSP is also used to describe the system boundaries.
- Information Security Policies: describes the CSP's information security policy that governs the system described in the SSP.
- User Guide: describes how leveraging agencies use the system.
- Rules of Behavior: defines the rules that describe the system users' responsibilities and expected behavior with regard to information and information system usage and access.
- IT Contingency Plan: defines and tests interim measures to recover information system services after a disruption. The ability to prove that system data can be routinely backed up and restored within agency-specified parameters is necessary to limit the effects of any disaster and the subsequent recovery efforts.
- Configuration Management Plan: describes how changes to the system are managed and tracked. The Configuration Management Plan should be consistent with NIST SP

FedRAMP documentation requirements (authorization package), 2 of 2:
- Incident Response Plan: documents how incidents are detected, reported, and escalated, and should include timeframes, points of contact, and how incidents are handled and remediated. The Incident Response Plan should be consistent with NIST Special Publication
- E-Authentication Workbook: indicates whether E-Authentication will be used in the cloud system and defines the required authentication level (1-4) in terms of the consequences of authentication errors and misuse of credentials. Authentication technology is selected based on the required assurance level.
- Privacy Threshold Analysis: a questionnaire used to help determine whether a Privacy Impact Assessment is required.
- Privacy Impact Assessment: assesses what Personally Identifiable Information (PII) is captured and whether it is being properly safeguarded. This deliverable is not always necessary.

- Understand the mandates: both how your product meets the applicable compliance framework requirements and/or how your product helps your customer meet them.
- Identify and document your baseline state of compliance; develop a requirements traceability matrix as appropriate.
- Validate compliance through third-party audits; have documentation that you are willing to share.
- Identify gaps and plan for remediation.