NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.

Slides:



Advertisements
Similar presentations
NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.
Advertisements

A comparison of Systems Engineering and Security Engineering practices and professionals Or maybe a commercial for the INCOSE working group!
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication Protecting Controlled.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks.
DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.
Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works
Managing Risks from Information Systems Building Effective Information Security Programs Data Management Association-National Capital Region January.
Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.
Stephen S. Yau CSE , Fall Security Strategies.
Risk Management Framework
NIST SP , Revision 1 Applying Risk Management to Information Systems (Transforming the Certification and Accreditation Process) A Tutorial February.
1 Dan Steinberg, JD Portland, OR May 4, 2011 Speaking Notes Privacy and Security for Research Repositories Please do not reuse or republish without attribution.
Dr. Ron Ross Computer Security Division
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 FISMA Next Generation Managing Risk in an Environment of Advanced Persistent Cyber Threats NASA IT Summit.
Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.
Complying With The Federal Information Security Act (FISMA)
Ensuring Information Security
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Systems Under Attack Managing Enterprise Risk in Today's World of Sophisticated Threats and.
US Federal Industrial Control System (ICS) Security Standards and Guidelines Keith Stouffer National Institute of Standards and Technology (NIST) June.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Dr. Ron Ross Computer Security Division Information Technology Laboratory Defending the United States.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Panel: Moderator: Michele Iversen Guest Experts: Dr. Ron Ross, Rod Beckstrom, Bob Wandell.
NHTSA Cyber Security Best Practices Study Tim Weisenberger December 7, 2011.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Dr. Ron Ross Computer Security Division Information Technology Laboratory Evolving Cybersecurity Strategies.
SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Building More Secure Information Systems A Strategy for Effectively Applying the Provisions of FISMA Ron Ross Project Manager FISMA Implementation Project.
1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14,
Building More Secure Information Systems A Strategy for Effectively Applying the Provisions of FISMA Presented to the FISSEA Conference March 23, 2005.
N-Wave Shareholders Meeting May 23, 2012 N-Wave Security Update Lisa
TEL2813/IS2820 Security Management
1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security.
NIST Special Publication Revision 1
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.
National Institute of Standards and Technology 1 The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training.
VERSION 1.2 National Institute of Standards and Technology 1 Building More Secure Information Systems A Strategy for Effectively Applying the Provisions.
The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Risk in New Computing Paradigms Applying FISMA Standards and Guidelines to Cloud Computing Workshop.
1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.
Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Organization, Mission, and Information Systems View 2009 Workshop.
CyberDefenses Information Assurance In God we trust, in all else, CyberDefenses, Inc.
Cyber Insecurity Under Attack Cyber Security Past, present and future Patricia Titus Chief Information Security Officer Unisys Corporation.
CategorizeSelectImplementAssessAuthorizeMonitor.
NIST HIPAA Security Rule Toolkit Kevin Stine Computer Security Division Information Technology Laboratory National Institute of Standards and Technology.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Risk Management Process Frame = context, strategies Assess = determine.
Chapter 1: Security Governance Through Principles and Policies
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.
The NIST Special Publications for Security Management By: Waylon Coulter.
National Institute of Standards and Technology 1 Information Systems Under Attack Managing Enterprise Risk in Today's World of Sophisticated Threats and.
CSC4003: Computer and Information Security Professor Mark Early, M.B.A., CISSP, CISM, PMP, ITILFv3, ISO/IEC 27002, CNSS/NSA 4011.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
NIST SP800 53R4 WMISACA Conferance April 2016 By Dean E Brown CISSP, ISSMP, CSSLP, MCSD Owner – ITSecurityAxioms.com 262 Barrington Cir Lansing, MI
The Risk Management Framework (RMF)
Computer Security Division Information Technology Laboratory
Introduction to the Federal Defense Acquisition Regulation
Special Publication Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Dr. Ron Ross Computer Security.
Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.
An Urgent National Imperative
IT Management Services Infrastructure Services
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Presentation transcript:

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop April 17, 2009 Dr. Ron Ross Computer Security Division Information Technology Laboratory

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2 Information Security Programs Adversaries attack the weakest link…where is yours? Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical security Personnel security Security assessments Certification and accreditation Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards Links in the Security Chain: Management, Operational, and Technical Controls

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3 Risk Management Framework Security Life Cycle SP Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). SP A ASSESS Security Controls Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. FIPS 199 / SP CATEGORIZE Information System Starting Point Continuously track changes to the information system that may affect security controls and reassess control effectiveness. SP / SP A MONITOR Security State SP AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. IMPLEMENT Security Controls SP FIPS 200 / SP SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4 Applying the Risk Management Framework to Information Systems Risk Management Framework Authorization Package Artifacts and Evidence Near Real Time Security Status Information SECURITY PLAN including updated Risk Assessment SECURITY ASSESSMENT REPORT PLAN OF ACTION AND MILESTONES Output from Automated Support Tools INFORMATION SYSTEM CATEGORIZE Information System ASSESS Security Controls AUTHORIZE Information System IMPLEMENT Security Controls MONITOR Security State SELECT Security Controls

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5 RISK EXECUTIVE FUNCTION Enterprise-wide Oversight, Monitoring, and Risk Management INFORMATION SYSTEM INFORMATION SYSTEM Common Controls (Inherited by Information Systems) INFORMATION SYSTEM INFORMATION SYSTEM RMF RISK MANAGEMENT FRAMEWORK POAM SAR SP Authorization Decision POAM SAR SP POAM SAR SP Authorization Decision POAM SAR SP Authorization Decision POAM SAR SP Authorization Decision POAM SAR SP Authorization Decision Architecture Description Architecture Reference Models Segment and Solution Architectures Mission and Business Processes Information System Boundaries Organizational Inputs Laws, Directives, Policy Guidance Strategic Goals and Objectives Priorities and Resource Availability Supply Chain Considerations SP: Security Plan SAR: Security Assessment Report POAM: Plan of Action and Milestones

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6 Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA Project LeaderAdministrative Support Dr. Ron RossPeggy Himes (301) (301) Senior Information Security Researchers and Technical Support Marianne Swanson Dr. Stu Katzke (301) (301) Pat TothArnold Johnson (301) (301) Matt SchollInformation and Feedback (301) Web: csrc.nist.gov/sec-cert Comments:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.