Information Assurance Awareness, Training and Education
University of Phoenix Presented to 4/21/2017 By: Francine C. Hammond Introduction
Agenda and Background
Background
Why IA?
IA Mission and Strategies
IA Capabilities
IA Strategies
Summary
Discuss the agenda
Background In response to the terrorist attack against the Pentagon on September 11, 2001, the Department of Defense established the Pentagon Force Protection Agency (PFPA). The new agency absorbed the Pentagon's police force, formerly known as the Defense Protective Service (DPS), and its role of providing basic law enforcement and security for the Pentagon and DOD interests in the National Capital Region (NCR). PFPA expanded that mission to provide force protection against the full spectrum of potential threats through robust prevention, preparedness, detection, and response measures. The PFPA became an agency because of 9/11…
Mr. Bush Supports Information Security
Why Information Assurance? Publicity of attacks on information systems is increasing, and identity thieves prosper in the information age. Identity thieves assume the identities of other individuals and use those identities to obtain credit cards, loans and other things of value. The old methods of obtaining information still apply: stealing credit card statements, bank checks, and other personal information from mailboxes. However, the openness of the Internet has given identity thieves access to a wealth of personal information stored in the databases of online data brokers, who collect and sell personal information. A secure information system provides three properties:
Information Assurance: Confidentiality, Integrity, Availability
CIA Confidentiality ensures that people who do not have the appropriate clearance, access level and "need to know" cannot access the information. Integrity ensures that information cannot be modified or destroyed in an unauthorized manner, whether by an attacker or by accident, so that what you read is what was written. Availability means that information services are there when you need them.
What would happen if someone changed your data?
Waht wuold hppaen if someone chagned your adat?
Wtah wuold henapp if sooneme chagend yrou adat?
Is Your Organization Secure?
Implement IA Program…
IA Mission and Strategies
Mission
IAD's mission is to strengthen risk mitigation policies by successfully implementing sound Information Assurance and Information Technology practices to protect the integrity, confidentiality, and availability of IT systems, ensuring that all personnel who use the IT systems are trained to understand their responsibilities, both individual position requirements and those concerning the security of systems. We will accomplish the mission by accomplishing the following goals…
Risk Management Strategies Knowing that we encounter threats and vulnerabilities, we are prepared to manage and mitigate the risks and adverse effects by implementing the following controls…
Risk Management Strategies Manage and mitigate the risks of threats and vulnerabilities by implementing the following controls:
Policies and Regulations
Certification and Accreditation (C&A)
Computer Incident Response Team (CIRT)
IA Awareness Program
To ensure we mitigate the risks of threats and vulnerabilities, we have four solutions in place.
Policies and Regulations
Implement policies, standards and procedures which are consistent with statutory, Federal, and DOD policies and procedures for securing information systems and networks, and that include the following controls:
Assign responsibility for security
Maintain a security plan for all systems and major applications
Provide for the review of security controls
Require authorization before processing
Certification and Accreditation
Implement the DOD-established standard process to identify, implement, and validate IA controls for:
Authorizing the operation of DOD information systems; and
Managing IA posture across DOD information systems consistent with the Federal Information Security Management Act (FISMA).
Computer Incident Response Team
CIRT security analysts provide support in: day-to-day intrusion detection operations; remote vulnerability detection; on-line system surveys; information protection support; tool design and integration; and technical support.

For example, Check Point's firewall SmartCenter provides a dashboard to centrally define Virtual Private Network (VPN), firewall, and Quality of Service (QoS) policies; a management server to store these policies; and the ability to push out automatic policy updates. All IDS information will be centrally collected. At DTRA, we are using the Common Intrusion Detection Director (CIDD) to aggregate all the IDS events. We have also deployed the Analysis Console for Intrusion Databases (ACID), a web front end for the alert database written by Snort sensors. For monitoring of network services (SMTP, POP3, HTTP, NNTP, PING, TELNET, etc.), host resources, and their environment, we would deploy a tool such as Nagios, hosted on a hardened Linux platform and providing real-time network status, host status, and event notification.
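The central collection described above is what CIDD and ACID do for Snort alerts: pull the events from every sensor into one place, then count and correlate them. The script below is an added example (not code from the slides, and not from DTRA, PFPA, or the Snort or ACID projects) of that first step. It parses Snort's fast alert format, which is a real output format, but the sensor names, signature IDs, alert lines and the "three or more distinct targets" scan threshold are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Snort "alert_fast" output: one alert per line. The regex follows the fast-format
# layout (timestamp, [gid:sid:rev], message, optional classification, priority,
# protocol, source -> destination). Ports are optional because ICMP alerts have none.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts from two hypothetical sensors (not captured from any
# real network): a port probe, an SSH brute-force signature seen by both sensors,
# an ICMP alert without ports, and one truncated line to exercise the error path.
SAMPLE_ALERTS: Dict[str, List[str]] = {
    "dmz-ids": [
        "04/21-09:15:02.113401  [**] [1:1000001:1] EXAMPLE SCAN SYN probe [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:22",
        "04/21-09:15:02.201877  [**] [1:1000001:1] EXAMPLE SCAN SYN probe [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51235 -> 192.168.1.10:80",
        "04/21-09:15:02.390012  [**] [1:1000001:1] EXAMPLE SCAN SYN probe [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51236 -> 192.168.1.10:443",
        "04/21-09:16:40.004711  [**] [1:1000002:2] EXAMPLE SSH brute force attempt [**] "
        "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.16.4.20:40110 -> 192.168.1.10:22",
        "04/21-09:16:41.000000  [**] [1:1000002:2] EXAMPLE SSH brute force attempt [**]",  # truncated
    ],
    "core-ids": [
        "04/21-09:17:05.220003  [**] [1:1000003:1] EXAMPLE ICMP echo sweep [**] "
        "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.2.7",
        "04/21-09:17:06.220003  [**] [1:1000002:2] EXAMPLE SSH brute force attempt [**] "
        "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.16.4.20:40111 -> 192.168.2.30:22",
    ],
}


def parse_alert(line: str) -> Optional[dict]:
    """Parse one fast-format line into a dict, or return None if it is malformed."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["prio"] = int(ev["prio"])
    for key in ("gid", "sid", "rev", "sport", "dport"):
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev


def aggregate(alerts_by_sensor: Dict[str, List[str]]) -> dict:
    """Merge alerts from all sensors; count by signature and by source address.

    Malformed lines are counted rather than silently dropped, since a sudden rise
    in unparseable output is itself worth an analyst's attention.
    """
    events, rejected = [], 0
    for sensor, lines in alerts_by_sensor.items():
        for line in lines:
            ev = parse_alert(line)
            if ev is None:
                rejected += 1
                continue
            ev["sensor"] = sensor
            events.append(ev)
    return {
        "events": events,
        "rejected": rejected,
        "by_signature": Counter((ev["gid"], ev["sid"], ev["msg"]) for ev in events),
        "by_source": Counter(ev["src"] for ev in events),
    }


def flag_scanners(events: List[dict], min_targets: int = 3) -> set:
    """Return sources that hit at least min_targets distinct host:port pairs (assumed threshold)."""
    targets = defaultdict(set)
    for ev in events:
        if ev["dport"] is not None:
            targets[ev["src"]].add((ev["dst"], ev["dport"]))
    return {src for src, t in targets.items() if len(t) >= min_targets}


def report(summary: dict, min_targets: int = 3) -> None:
    print(f"parsed {len(summary['events'])} alerts, rejected {summary['rejected']} malformed line(s)")
    for (gid, sid, msg), n in summary["by_signature"].most_common():
        print(f"  {n:3d}  [{gid}:{sid}] {msg}")
    for src in sorted(flag_scanners(summary["events"], min_targets)):
        print(f"  possible scan: {src} touched {min_targets}+ distinct host:port targets")


if __name__ == "__main__":
    report(aggregate(SAMPLE_ALERTS))
```

In a real deployment the `SAMPLE_ALERTS` dict would be replaced by the alert files (or database rows) shipped from each sensor; everything after parsing is sensor-independent, which is the property that makes a central console useful.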
IA Awareness Program
National Information Assurance Training and Education Center: "Literacy, Awareness, Training and Education. Because there is no patch for ignorance."
Implement the IA Awareness Program by focusing on the following learning components:
Awareness: Focus attention on security
Training: Produce relevant and needed security skills and competency
Education: Integrate all security skills and competencies into a common body of knowledge, adding a multidisciplinary study of concepts, issues, and principles
Professional Development: Imply a guarantee of meeting a standard by applying evaluation or measurement criteria
IA Awareness Program Objectives
Enhance understanding of IA issues among all system users;
Encourage meaningful behavioral change;
Provide coherent, accessible technical training;
Deliver flexible content for different audience groups; and
Keep training current and relevant.
We will implement the plan by…
IA Awareness Program Deliverables
Training Programs
General Awareness Training: briefings, distributed security tips, newsletters
Technical Training: system administrators, Help Desk personnel, directors
Training Materials: handbooks, reference guides, presentations
IA Intraweb/Intranet: "one-stop shop" portal for awareness training
IA Strategy

Program Category and Life Cycle Status
Identify the Acquisition Category (ACAT) of the program. Identify the current acquisition life cycle phase and next milestone decision. Identify whether the system has been designated "Mission Critical" or "Mission Essential" in accordance with DoD Instruction 5000.2. Include a graphic representation of the program's schedule.

Mission Assurance Category (MAC) and Confidentiality Level
Provide a high-level overview of the specific system being acquired. Provide a graphic (block diagram) that shows the major elements/subsystems that make up the system or service being acquired, and how they fit together. Describe the system's function, and summarize significant information exchange requirements (IER) and interfaces with other IT or systems, as well as primary databases supported. Describe, at a high level, the IA technical approach that will secure the system, including any protection to be provided by external systems or infrastructure. PMs should engage the National Security Agency (NSA) early in the acquisition process for assistance in developing an IA approach and obtaining information systems security engineering (ISSE) services, to include describing information protection needs, defining and designing system security to meet those needs, and assessing the effectiveness of system security.

Threat Assessment
Describe the methodology used to determine threats to the system (such as the System Threat Assessment), and whether the IT was included in the overall weapon system assessment. In the case of an AIS application, describe whether there were specific threats unique to this system's IT resources due to mission or area of proposed operation. For MAIS programs, utilization of the "Information Operations Capstone Threat Capabilities Assessment" (DIA Doc # DI-1577-12-03) [1st Edition Aug 03] is required by DoD Instruction 5000.2.

Risk Assessment
Describe the program's planned regimen of risk assessments, including a summary of how any completed risk assessments were conducted. For systems where software development abroad is a possible sourcing option, describe how that risk was assessed.

Information Assurance Requirements
Describe the program's methodology for addressing IA requirements early in the acquisition lifecycle. Specify whether any specific IA requirements are identified in the approved governing requirements documents (e.g. Capstone Requirements Document, Initial Capabilities Document, Capability Development Document, or Capability Production Document). Describe how IA requirements implementation costs (including costs associated with certification and accreditation activities) are included and visible in the overall program budget.

DoD Information Technology Security Certification and Accreditation Process
Provide the name, title, and organization of the Designated Approving Authority (DAA), Certification Authority (CA), and User Representative. If the program is pursuing an evolutionary acquisition approach (spiral or incremental development), describe how each increment will be subjected to the certification and accreditation process. Provide a timeline describing the target completion dates for each phase of certification and accreditation in accordance with DoD Instruction 5200.40. Normally, it is expected that DITSCAP Phase 1 will be completed prior to or soon after Milestone B; Phases 2 and 3 will be completed prior to Milestone C; and the Authority to Operate (ATO) will be issued prior to operational test and evaluation. If the DITSCAP process has started, identify the latest phase completed, and whether an Authority to Operate (ATO) or Interim Authority to Operate (IATO) was issued.

If the system being acquired will process, store or distribute Sensitive Compartmented Information (SCI), compliance with Director of Central Intelligence Directive (DCID) 6/3, "Protecting Sensitive Compartmented Information Within Information Systems", is required, and the approach to compliance should be addressed.

Policy/Directives
List the primary policy guidance employed by the program in preparing and executing the Acquisition IA Strategy, including the DoD 8500 series, and DoD Component, Major Command/Systems Command, or program-specific guidance, as applicable. The Information Assurance Support Environment web site provides an actively maintained list of relevant statutory, Federal/DoD regulatory, and DoD guidance that may be applicable.
Summary
IA Mission
Strengthen the risk mitigation policies and the PFPA defense-in-depth by successfully implementing sound Information Assurance (IA) and Information Technology (IT) practices.
Risk Management Strategies
Policies and Regulations
Certification and Accreditation
CIRT
IA Awareness Program
Our mission is to strengthen the risk mitigation policies, thereby managing the risk through policies and regulations, supporting an Incident Response Team, developing and deploying an IA Awareness program, and through certification and accreditation of the system.
Q & A
THANK YOU! Obrigado Gracias Danke Merci Domo Arrigato Kat Ouen Diloch Salamat Takk Cheers Nani Toda Mahalo Do Jeh M’goy Thoinks Moite