Security Control Families Management Class
Security Controls Overview XX-1 Policy and Procedures
NIST Doc Review Strategy: Bulleted Summaries Executive Summaries, Overviews, Introductions Table Summaries Graphic Summaries 8
XX-1 Policy & Procedures SP The Handbook SP Manager’s Handbook AC-1Access Control AT-1Security Awareness and Training AU-1Audit and Accountability CA-1Security Assessment and Authorization CM-1Configuration Management CP-1Contingency Planning IA-1Identification and Authentication IR-1Incident Response MA-1System Maintenance MP-1Media Protection PE-1Physical and Environmental Protection PL-1Security Planning PM-1Information Security Program Plan PS-1Personnel Security RA-1Risk Assessment SA-1System and Services Acquisition SC-1System and Communications Protection SI-1System and Information Integrity
Security Assessment & Authorization Core RMF Documents (SLA) (CM) CA-2Security Assessments CA-3Information System Connections CA-5Plan of Action and Milestones CA-6Security Authorization CA-7Continuous Monitoring
Planning Family & Family Plans PL-2System Security Plan PL-4Rules of Behavior PL-5Privacy Impact Assessment PL-6Security-Related Activity Planning (RMF) (PM) OMB M (Privacy) CA-5 Plan of Action and Milestones-37 CP-2Contingency Plan-34 CM-9 Configuration Management Plan-128 IR-8Incident Response Plan-61 PM-1Information Security Program Plan PM-8 Critical Infrastructure Plan RMF 4.1 Security Assessment Plan-53a
Program Management PM-2Senior Information Security Officer PM-3Information Security Resources PM-4Plan of Action and Milestones Process PM-5Information System Inventory PM-6 Information Security Measures of Performance PM-7Enterprise Architecture PM-8Critical Infrastructure Plan PM-9Risk Management Strategy PM-10Security Authorization Process PM-11Mission/Business Process Definition (RMF) (RMF) Performance CPIC FIPS 199 HSPD 7 – Critical Infrastructure OMB SSP
Program Management Overview Information Security Program Plan (PM) Critical Infrastructure Plan (HSPD 7) Capital Planning and Investment Control (SP ) Measures of Performance (SP ) Enterprise Architecture and Mission/Business Process Definition
Information Security Program Plan Defines Security Program Requirements Documents Management and Common Controls Defines Roles, Responsibilities, Management Commitment and Coordination Approved by Senior Official (AO) Appoint Senior Information Security Officer
Critical Infrastructure Plan HSPD-7 Critical Infrastructure Identification, Prioritization, and Protection Essential Services That Underpin American Society Protection from Terrorist Attacks –Prevent Catastrophic Health Effects or Mass Casualties –Maintain Essential Federal Missions –Maintain Order –Ensure Orderly Functioning of Economy –Maintain Public's Morale and Confidence in Economic and Political Institutions Strategic Improvements in Security
Capital Planning & Investment Control Investment Life Cycle Integrating Information Security into the CPIC Process Roles and Responsibilities –Identify Baseline –Identify Prioritization Criteria –Conduct System- and Enterprise-Level Prioritization –Develop Supporting Materials –IRB and Portfolio Management –Exhibits 53 and 300 and Program Management
Investment Life Cycle
Integrating Information Security into the CPIC Process
Knowledge Check If the interconnecting systems have the same authorizing official, an Interconnection Security Agreement is not required. True or False? Which NIST SP, provides a seven-step process for integrating information security into the capital planning process? This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks. The corrective action and cost information contained in which document, serve as inputs to the Exhibit 300s and are then rolled into the Exhibit 53?
Measures of Performance Metric Types Metrics Development and Implementation Approach Metrics Development Process Metrics Program Implementation –Prepare for Data Collection –Collect Data and Analyze Results –Identify Corrective Actions –Develop Business Case and Obtain Resources –Apply Corrective Actions
Metric Types “Am I implementing the tasks for which I am responsible?” “How efficiently or effectively am I accomplishing those tasks?” “What impact are those tasks having on the mission?”
Metrics Development Process
Metrics Program Implementation
Federal Enterprise Architecture Performance Data BusinessService Technical Information Type (SP )
Core Principles of the FEA Business-driven Proactive and collaborative across the Federal government Architecture improves the effectiveness and efficiency of government information resources
Defining Mission/Business Processes Defines mission/business processes with consideration for information security and the resulting risk to the organization; Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
Risk Assessment RA-2Security Categorization RA-3Risk Assessment RA-5Vulnerability Scanning r1 (draft) Patch Management Checklists Assessments
Patch and Vulnerability Management Program Create a System Inventory Monitor for Vulnerabilities, Remediations, and Threats Prioritize Vulnerability Remediation Create an Organization-Specific Remediation Database Conduct Generic Testing of Remediations Deploy Vulnerability Remediations Distribute Vulnerability and Remediation Information to Local Administrators Perform Automated Deployment of Patches Configure Automatic Update of Applications Whenever Possible and Appropriate. Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning Vulnerability Remediation Training
National Checklists Program
In which NIST special publication might you find guidance for the performance measurement of information systems? Which FEA reference model was used to create the guide for mapping information types to security categories, in support of the first step of the Risk Management Framework? What is the name of the security control, represented by the control ID RA-3, must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework? Where can information about vulnerabilities be found?
System & Services Acquisition SA-2Allocation of Resources SA-3Life Cycle Support SA-4Acquisitions SA-5Information System Documentation SA-6Software Usage Restrictions SA-7User-Installed Software SA-8Security Engineering Principles SA-9External Information System Services SA-10Developer Configuration Management SA-11Developer Security Testing SA-12Supply Chain Protection SA-13Trustworthiness – Acquisition Assurance – Security Services – Security Products a SDLC CPIC Checklists
Security Services Life Cycle
General Considerations for Security Services Strategic/Mission Budgetary/Funding Technical/ Architectural Organizational Personnel Policy/Process
Security Product Testing Identification and Authentication Access Control Intrusion Detection Firewall Public Key Infrastructure Malicious Code Protection Vulnerability Scanners Forensics Media Sanitizing Common Criteria Evaluation and Validation Scheme NIST Cryptographic Module Validation Program
Considerations for Selecting Information Security Products Organizational Product Vendor Security Checklists for IT Products Organizational Conflict of Interest
Management Security Controls Key Concepts & Vocabulary XX-1 Policy & Procedures CA - Security Assessment and Authorization PL – Planning Family & Family Plans –Information Security Program Plan (PM) –Critical Infrastructure Plan (HSPD 7) PM - Program Management –Capital Planning and Investment Control (SP ) –Measures of Performance (SP ) –Enterprise Architecture (FEA BRM) RA - Risk Assessment –Security Categorization –Risk & Vulnerability Assessments SA - System and Services Acquisition