1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security.

Slides:



Advertisements
Similar presentations
NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.
Advertisements

Protective Security Advisors Securing the Nations critical infrastructure one community at a time.
Idaho Critical Infrastructure and Key Resources Protection Program and Fusion Center Brief.
1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
Dr. Warren K. Vaneman Department of Systems Engineering Naval Postgraduate School Monterey, CA Dr. Kostas Triantis Grado Department of.
Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.
National Space-Based Positioning, Navigation, and Timing (PNT) Federal Advisory Board DHS Challenges & Opportunities Captain Curtis Dubay, P.E. Department.
US Army Corps of Engineers BUILDING STRONG ® Ty Brumfield (LNO to FEMA –RSF-IS National Coordinator Office of Homeland Security Directorate of Contingency.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works
Managing Risks from Information Systems Building Effective Information Security Programs Data Management Association-National Capital Region January.
Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.
Risk Assessment Frameworks
National Information Assurance Partnership NIAP 2000 Building More Secure Systems for the New Millenium sm.
Dr. Ron Ross Computer Security Division
Food Safety and Inspection Service U.S. Department of Agriculture Homeland Security: Protecting the U.S. Food Supply Office of Food Security & Emergency.
Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.
Complying With The Federal Information Security Act (FISMA)
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Systems Under Attack Managing Enterprise Risk in Today's World of Sophisticated Threats and.
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Building More Secure Information Systems A Strategy for Effectively Applying the Provisions of FISMA Ron Ross Project Manager FISMA Implementation Project.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.
1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14,
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.
Building More Secure Information Systems A Strategy for Effectively Applying the Provisions of FISMA Presented to the FISSEA Conference March 23, 2005.
Assurance Case Approach TECNALIA Inspiring Business Novara November, 2013 TRIAL WS.
Isdefe ISXXXX XX Your best ally Panel: Future scenarios for European critical infrastructures protection Carlos Martí Sempere. Essen.
NIST Special Publication Revision 1
Federal IT Security Professional - Auditor
CRITICAL INFRASTRUCTURE & CONTINUITY OF OPERATIONS IN A POST 9/11 WORLD Presented by: Dr. Pamela Collins, EKU/JSC.
The New FISMA Standards and Guidelines or Building More Secure Information Systems A Strategy for Effectively Applying the Provisions of FISMA Dr. Ron.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Critical Infrastructure Protection Overview Building a safer, more secure, more resilient America The National Infrastructure Protection Plan, released.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
The NIGF CONFERENCE © 2013 ADDRESSING THE VULNERABILITY OF CRITICAL ICT INFRASTRUCTURE by Ernest Ndukwe, OFR Chairman Openmedia Communications Ltd 18 th.
Catastrophe Readiness and Response Session 7b 1 Session 7b Critical Infrastructure Drew Bumbak.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.
Critical Infrastructure Protection Critical Infrastructure Protection Private Sector Programs April 7, 2005 Rod Nydam, JD, GMU Law School Private Sector.
National Institute of Standards and Technology 1 The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training.
VERSION 1.2 National Institute of Standards and Technology 1 Building More Secure Information Systems A Strategy for Effectively Applying the Provisions.
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Risk in New Computing Paradigms Applying FISMA Standards and Guidelines to Cloud Computing Workshop.
1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.
1 Session 7, Section 2 Critical Infrastructure Drew Bumbak.
Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.
Cyber Insecurity Under Attack Cyber Security Past, present and future Patricia Titus Chief Information Security Officer Unisys Corporation.
The Challenging Landscape of Critical Information Infrastructure: Are We Ready? Leonard Bailey Senior Counsel Computer Crime & Intellectual Property Section.
A Global Approach to Protecting the Global Critical Infrastructure Dr. Stephen D. Bryen.
1 Washington State Critical Infrastructure Program “No security, No infrastructure” Infrastructure Protection Office Emergency Management Division Washington.
Governor’s Office of Homeland Security & Emergency Preparedness LOUISIANA BANKERS ASSOCIATION 2010 Louisiana Emergency Preparedness Coalition Meetings.
National Cybersecurity Center of Excellence Increasing the deployment and use of standards-based security technologies Mid-Atlantic Federal Lab Consortium.
NIST Computer Security Framework and Grids Original Slides by Irwin Gaines (FNAL) 20-Apr-2006 Freely Adapted by Bob Cowles (SLAC/OSG) for JSPG 13-Mar-2007.
Lecture1.1(Chapter 1) Prepared by Dr. Lamiaa M. Elshenawy 1.
Homeland Security, First Edition © 2012 Pearson Education, Inc. All rights reserved. Overview of National Infrastructure Protection CHAPTER 3.
National Institute of Standards and Technology 1 Information Systems Under Attack Managing Enterprise Risk in Today's World of Sophisticated Threats and.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Environment, Safety, and Occupational Health Opportunities in DoD Business Transformation May 4, 2006.
Computer Security Division Information Technology Laboratory
WHAT is Project Matrix? An effort designed to:
French Port Cybersecurity Initiative
Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.
An Urgent National Imperative
The U.S. Department of Homeland Security
Group Meeting Ming Hong Tsai Date :
European Programme for Critical Infrastructure Protection (EPCIP)
Deborah Housen-Couriel, ADV.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Adding security to your ICS environment? Fine! But how?!
Civil Air Patrol Critical Infrastructure Austin Worcester 15 Jul 2019.
Presentation transcript:

1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security Division Information Technology Laboratory National Institute of Standards and Technology

2 The Information Age  Information systems are an integral part of government and business operations today  Information systems are changing the way we do business and interact as a society  Information systems are driving a reengineering of business processes in all sectors including defense, healthcare, manufacturing, financial services, etc.  Information systems are driving a transition from a paper-based society to a digital society

3 The Protection Gap  Information system protection measures have not kept pace with rapidly advancing technologies  Information security programs have not kept pace with the aggressive deployment of information technologies within enterprises  Two-tiered approach to security (i.e., national security community vs. everyone else) has left significant parts of the critical infrastructure vulnerable

4 The Global Threat  Information security is not just a paperwork drill…there are dangerous adversaries out there capable of launching serious attacks on our information systems that can result in severe or catastrophic damage to the nation’s critical information infrastructure and ultimately threaten our economic and national security…

5 U.S. Critical Infrastructures Definition  “...systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.” -- USA Patriot Act (P.L )

6 U.S. Critical Infrastructures Examples  Energy (electrical, nuclear, gas and oil, dams)  Transportation (air, road, rail, port, waterways)  Public Health Systems / Emergency Services  Information and Telecommunications  Defense Industry  Banking and Finance  Postal and Shipping  Agriculture / Food / Water  Chemical

7 Critical Infrastructure Protection  The U.S. critical infrastructures are over 90% owned and operated by the private sector  Critical infrastructure protection must be a partnership between the public and private sectors  Information security solutions must be broad- based, consensus-driven, and address the ongoing needs of government and industry

8 Scope  The proposed IEEE Information System Security Assurance Architecture (ISSAA) standard specifies the architecture of a systematic approach for managing the health/state of the security controls of an information system  The architecture includes activities for the cost- effective selection, documentation, implementation, and ongoing assessment of information system security controls and for making and maintaining system security accreditation decisions

9 Purpose  Activities critical to societal infrastructure are highly dependent on information systems for continuity and survival  The proposed ISSAA standard will improve an organization's confidence that information system security controls are adequate and effective in protecting information and that interconnecting systems can be trusted

10 Information System Security Assurance Architecture In system security plan, provides a an overview of the security requirements for the information system and documents the security controls planned or in place Security Control Documentation Defines security category of information system according to potential impact of loss Security Categorization Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system Security Control Selection Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements Security Control Assessment Security Control Refinement Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements System Authorization Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing Security Control Monitoring Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness Implements security controls in new or legacy information systems; implements security configuration checklists Security Control Implementation

11 Plug and Play Architecture  Organizations can employ their preferred security controls, risk assessment methods, and security certification and accreditation procedures within the standardized ISSAA framework  For example, the Department of Defense may instantiate security controls from DoD Instruction and use the DIACAP for its preferred C&A process

12 Another Example Using NIST’s Security Standards and Guidelines In system security plan, provides a an overview of the security requirements for the information system and documents the security controls planned or in place SP Security Control Documentation Defines category of information system according to potential impact of loss FIPS 199 / SP Security Categorization Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system SP / FIPS 200 Security Control Selection Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements SP A / SP Security Control Assessment SP / FIPS 200 / SP Security Control Refinement Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements SP System Authorization Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing SP Security Control Monitoring Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness Implements security controls in new or legacy information systems; implements security configuration checklists Security Control Implementation SP Starting Point

13 The Desired End State Security Visibility Among Business/Mission Partners Organization One Information System Plan of Action and Milestones Security Assessment Report System Security Plan Determining the risk to the first organization’s operations and assets and the acceptability of such risk Business / Mission Information Flow The objective is to achieve visibility into prospective business/mission partners information security programs BEFORE critical/sensitive communications begin…establishing levels of security due diligence. Determining the risk to the second organization’s operations and assets and the acceptability of such risk Organization Two Information System Plan of Action and Milestones Security Assessment Report System Security Plan Security Information

14 Information Assurance Project P1700 – IEEE Standard for Information System Security Assurance Architecture (ISSAA)  Working Group Web Page  Project Approved: August 2004  Working Group Chair: Jack Cole, Army Research Lab  Telephone:  Fax: 