NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Risk in New Computing Paradigms Applying FISMA Standards and Guidelines to Cloud Computing Workshop.

Slides:

Advertisements

Similar presentations

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication Protecting Controlled.

Advertisements

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

Security Controls – What Works

Managing Risks from Information Systems Building Effective Information Security Programs Data Management Association-National Capital Region January.

Information Security Policies and Standards

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.

Stephen S. Yau CSE , Fall Security Strategies.

Risk Assessment Frameworks

National Information Assurance Partnership NIAP 2000 Building More Secure Systems for the New Millenium sm.

NIST SP , Revision 1 Applying Risk Management to Information Systems (Transforming the Certification and Accreditation Process) A Tutorial February.

Dr. Ron Ross Computer Security Division

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 FISMA Next Generation Managing Risk in an Environment of Advanced Persistent Cyber Threats NASA IT Summit.

Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.

Complying With The Federal Information Security Act (FISMA)

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Systems Under Attack Managing Enterprise Risk in Today's World of Sophisticated Threats and.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Dr. Ron Ross Computer Security Division Information Technology Laboratory Defending the United States.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Panel: Moderator: Michele Iversen Guest Experts: Dr. Ron Ross, Rod Beckstrom, Bob Wandell.

NHTSA Cyber Security Best Practices Study Tim Weisenberger December 7, 2011.

Information Security Framework & Standards

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Dr. Ron Ross Computer Security Division Information Technology Laboratory Evolving Cybersecurity Strategies.

Information Security Technological Security Implementation and Privacy Protection.

SEC835 Database and Web application security Information Security Architecture.

The Key Process Areas for Level 2: Repeatable Ralph Covington David Wang.

Building More Secure Information Systems A Strategy for Effectively Applying the Provisions of FISMA Ron Ross Project Manager FISMA Implementation Project.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.

1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14,

Building More Secure Information Systems A Strategy for Effectively Applying the Provisions of FISMA Presented to the FISSEA Conference March 23, 2005.

University of Nevada, Reno Data-Driven Organization Governance 1 Governing a data-driven organization (4/24/2014)  Define governance within organizations.

TEL2813/IS2820 Security Management

1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security.

NIST Special Publication Revision 1

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.

Roadmap to Maturity FISMA and ISO 2700x. Technical Controls Data IntegritySDLC & Change Management Operations Management Authentication, Authorization.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.

National Institute of Standards and Technology 1 The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training.

VERSION 1.2 National Institute of Standards and Technology 1 Building More Secure Information Systems A Strategy for Effectively Applying the Provisions.

The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;

Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.

1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.

Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Organization, Mission, and Information Systems View 2009 Workshop.

CyberDefenses Information Assurance In God we trust, in all else, CyberDefenses, Inc.

Cyber Insecurity Under Attack Cyber Security Past, present and future Patricia Titus Chief Information Security Officer Unisys Corporation.

Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.

Information Security IBK3IBV01 College 3 Paul J. Cornelisse.

CategorizeSelectImplementAssessAuthorizeMonitor.

NIST Computer Security Framework and Grids Original Slides by Irwin Gaines (FNAL) 20-Apr-2006 Freely Adapted by Bob Cowles (SLAC/OSG) for JSPG 13-Mar-2007.

July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Risk Management Process Frame = context, strategies Assess = determine.

Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.

The NIST Special Publications for Security Management By: Waylon Coulter.

National Institute of Standards and Technology 1 Information Systems Under Attack Managing Enterprise Risk in Today's World of Sophisticated Threats and.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Lecture 5 Control and AIS Copyright © 2012 Pearson Education 7-1.

Computer Security Division Information Technology Laboratory

Risk management.

Introduction to the Federal Defense Acquisition Regulation

Special Publication Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Dr. Ron Ross Computer Security.

Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.

IT Management Services Infrastructure Services

MANAGEMENT of INFORMATION SECURITY, Fifth Edition

Presentation transcript:

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Risk in New Computing Paradigms Applying FISMA Standards and Guidelines to Cloud Computing Workshop on Cloud Computing Security and Compliance Challenges June 11, 2009 Dr. Ron Ross Computer Security Division Information Technology Laboratory

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2 Risk-Based Protection Strategy  Enterprise missions and business processes drive security requirements and associated safeguards and countermeasures for organizational information systems.  Highly flexible implementation; recognizing diversity in mission/ business processes and operational environments.  Senior leaders take ownership of their security plans including the safeguards/countermeasures for the information systems.  Senior leaders are both responsible and accountable for their information security decisions; understanding, acknowledging, and explicitly accepting resulting mission/business risk.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3 External Service Providers  Organizations are becoming increasingly reliant on information system services provided by external service providers to carry out important missions and functions.  Organizations have varying degrees of control over external service providers.  Organizations must establish trust relationships with external service providers to ensure the necessary security controls are in place and are effective in their application.  Where control of external service providers is limited or infeasible, the organization factors that situation into its risk assessment.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4 The Need for Trust Relationships Changing ways we are doing business…  Outsourcing  Service Oriented Architectures  Software as a Service / Cloud Computing  Business Partnerships  Information Sharing

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5 Trust Relationships Determining risk to the organization’s operations and assets, individuals, other organizations, and the Nation; and the acceptability of such risk. The objective is to achieve visibility into and understanding of prospective partner’s information security programs…establishing a trust relationship based on the trustworthiness of their information systems. Organization One INFORMATION SYSTEM Plan of Action and Milestones Security Assessment Report System Security Plan Business / Mission Information Flow Security Information Plan of Action and Milestones Security Assessment Report System Security Plan Organization Two INFORMATION SYSTEM Determining risk to the organization’s operations and assets, individuals, other organizations, and the Nation; and the acceptability of such risk.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6 Elements of Trust Trust among partners can be established by:  Identifying the goals and objectives for the provision of services/information or information sharing;  Agreeing upon the risk from the operation and use of information systems associated with the provision of services/information or information sharing;  Agreeing upon the degree of trustworthiness (i.e., the security functionality and assurance) needed for the information systems processing, storing, or transmitting shared information or providing services/information in order to adequately mitigate the identified risk;  Determining if the information systems providing services/information or involved in information sharing activities are worthy of being trusted; and  Providing ongoing monitoring and management oversight to ensure that the trust relationship is maintained.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7 The Trust Continuum  Trust relationships among partners can be viewed as a continuum—ranging from a high degree of trust to little or no trust…  The degree of trust in the information systems supporting the partnership should be factored into risk decisions. Trust Continuum Untrusted Highly Trusted

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8 Information Security Programs Adversaries attack the weakest link…where is yours? Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical security Personnel security Security assessments Certification and accreditation Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards Links in the Security Chain: Management, Operational, and Technical Controls

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9 Risk Management Framework Security Life Cycle SP Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). SP A ASSESS Security Controls Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. FIPS 199 / SP CATEGORIZE Information System Starting Point Continuously track changes to the information system that may affect security controls and reassess control effectiveness. SP / SP A MONITOR Security State SP AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. IMPLEMENT Security Controls SP FIPS 200 / SP SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10 Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA Project LeaderAdministrative Support Dr. Ron RossPeggy Himes (301) (301) Senior Information Security Researchers and Technical Support Marianne Swanson Dr. Stu Katzke (301) (301) Pat TothArnold Johnson (301) (301) Matt SchollInformation and Feedback (301) Web: csrc.nist.gov/sec-cert Comments: