
DOE S&S Audit and Tune IT Up Campaign Mark Leininger August 26, 2009.



Presentation transcript:

1 DOE S&S Audit and Tune IT Up Campaign Mark Leininger August 26, 2009

2 Audits and Compliance
- The Safeguards and Security audit of the Computer Security Program resulted in 6 findings in May 2009
- The findings have serious consequences for the lab
- Auditors will keep coming back; we need to work together lab-wide to improve
- We want to fix the underlying causes that led to the audit findings, not just address isolated consequences

3 Computer Security Requirements are in Fermilab's Contract
- There is a contract between FRA and DOE to manage Fermilab.
- One of the items specified in that contract is the list of regulations that Fermilab must comply with, and a process for updating that list managed through our DOE site office.
- Consequences of failing to meet the terms of the contract can be both tangible (financial, resources, rebid of our contract) and intangible (credibility of the lab to conduct its scientific program).

4 Small Sample of Federal Requirements
Applicable Standards and Guidance

Legislation
- Office of Management and Budget (OMB) Memorandum 03-33, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003.
- Office of Management and Budget (OMB) Memorandum 99-05, Instructions For Complying With The President's Memorandum Of May 14, 1998, "Privacy and Personal Information in Federal Records", January 7, 1999.
- Public Law 107-347 (44 U.S.C. Ch 36), E-Government Act of 2002, Title III, Information Security, also known as the Federal Information Security Management Act (FISMA) of 2002.
- Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, February 8, 1996.
- Public Law, Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)

NIST Guidance

Federal Information Processing Standards (FIPS)
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, July 2005.
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.

Special Publications
- SP 800-70, The NIST Security Configuration Checklists Program, May 2005.
- SP 800-65, Integrating Security into the Capital Planning and Investment Control Process, January 2005.
- SP 800-64, Security Considerations in the Information System Development Life Cycle, October 2003 (original release date); revision 1 released June 2004.
- SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004.
- SP 800-53, Recommended Security Controls for Federal Information Systems, February 2005.
- SP 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, November 2002.
- SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.
- SP 800-34, Contingency Planning Guide for Information Technology Systems, June 2002.
- SP 800-30, Risk Management Guide for Information Technology Systems, July 2002.
- SP 800-26 Rev. 1 (NIST DRAFT), Guide for Information Security Program Assessments and System Reporting Form.
- SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.

DOE Policy and Guidance
- Revitalization of the Department of Energy Cyber Security Program (1/2006)
- Order 205.1 (Draft), Department of Energy Cyber Security Management Program (3/21/2003)
- Notice 205.1-1, Incident Prevention Warning and Response Manual
- Notice 205.2, Foreign National Access to DOE Cyber Systems (extended to 9/30/06)
- Notice 205.3, Password Generation, Protection and Use (extended to 9/30/06)
- Notice 205.4, Handling Cyber Alerts and Advisories, and Reporting Cyber Security Incidents (extended to 07/06/05)
- Notice 205.8, Cyber Security Requirements for Wireless Devices and Information Systems (3/18/06)
- Notice 205.9, Certification and Accreditation Process for Information Systems, including National Security Systems (3/18/06)
- Notice 205.10, Cyber Security Requirements for Risk Management (3/18/06)
- Notice 205.11, Security Requirements for Remote Access to DOE and Applicable Contractor Information Technology Systems (3/18/06)
- Notice 205.12, Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware (2/19/2004)
- Notice 205.13, Extension of DOE Directive on Cyber Security (7/6/2004)

5 Examples of what we have to do
- All passwords on the IMAP server reset to 10 characters
- Reset all local admin passwords to comply with domain policy
- Increase complexity of domain passwords
- Automated actions taken on anti-virus alerts
- Update desktop operating system baselines
  - A process to maintain them that ensures workability (e.g. Windows Policy Committee)
  - Make changes known to the community
- Automate monitoring of all machine configurations
  - Alert sysadmins and possibly block misconfigured machines
- Strengthen our program to protect Personally Identifiable Information (PII)

6 This is what happened

7 They’ve got us in their sights

8 Need an Organized Lab-Wide Response
- Tune IT Up Campaign: http://www.fnal.gov/pub/tuneitup/
- The Lab Director instructed the CIO to lead a lab-wide response
- The CIO placed Mark Kaletka in charge of leading the lab-wide response
- Progress is being monitored by the DOE Site Office

9 Duration of the campaign The campaign is expected to last approximately six months with an intense period of activity in the period mid July to mid October, 2009 followed by an ongoing program of work for the remainder of 2009 to ensure that the goals of the campaign are met and that the IT management practices put into place are sustainable. At that time attention will turn to beginning execution of Information Systems projects that are not part of this campaign but are part of the corrective action plan for the audit findings.

10 Campaign Goals
- Ensure all sensitive data and PII are in systems protected with the moderate-level controls detailed in "major application" security plans; that the people who have access to such data are approved; and that all lab contracts related to such data are reviewed.
- Tune up and increase training and education on cyber-secure behaviors and on how to recognize and protect sensitive data and PII.
- Tune up and make more rigorous our internal assessments and testing of our cyber security program.

11 Campaign Goals
- Review and update all security baselines and policies (including password and authentication policies).
- Improve efficiency and consistency of management of desktops and laptops, and move towards standards and central management of all Fermilab systems.
- Implement a request and approval process for local admin privileges, to be sure they are used properly and only by people who need them to do their job.
- Ensure all systems deviating from baselines are assessed and approved (or have risk mitigation plans).
- Ensure that all Fermilab computers conform to security baselines and security plans, and that all applications are patched.
- Implement network environments that add required protections where necessary (topic of today's discussion).

12 Discussion
- Dave Coder will talk about real things that are happening in Networking (Guest Network, VPN, etc.)
- Irwin Gaines will lead a discussion on how to implement separate network environments for:
  - Machines whose configuration can be confirmed remotely
  - Machines whose configuration cannot be confirmed remotely
- Goals:
  - Minimize the chances of a vulnerable machine being infected
  - Minimize the chances of an infected machine spreading that infection to the rest of the site
  - Still have an environment where people can do their work
- Nothing has been decided yet; nothing has been purchased yet; we are still in the thinking stage
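The configuration-monitoring item on slide 5 (alert sysadmins, possibly block misconfigured machines) and the two-environment question on slide 12 come down to the same decision: compare what a host reports against the security baseline, treat a host that reports nothing as one whose configuration cannot be confirmed remotely, and place each host in a network environment accordingly, honouring deviations that were assessed and approved (slide 11). The following is an added example written for this page; it is not Fermilab's tooling and not something the campaign decided. The baseline values, control names, the patch-age limit, the approved admin group name and the hostnames are all assumptions.

```python
"""Posture check and network-zone assignment against a security baseline.

Added illustration only: the baseline values, field names and host reports are
constructed for this example and are not Fermilab's actual baselines or tooling.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Baseline controls drawn from the slides (10-character passwords, anti-virus
# alerting, approved local admins). The patch-age limit and the approved admin
# group name are assumptions for the example.
BASELINE = {
    "min_password_length": 10,
    "antivirus_required": True,
    "max_patch_age_days": 30,
    "approved_local_admins": {"desktop-support"},
}

# Findings that warrant blocking rather than just alerting (assumed policy).
BLOCKING_FINDINGS = {"ANTIVIRUS"}


@dataclass
class HostReport:
    """Configuration as reported by a management agent or a remote scan."""
    hostname: str
    min_password_length: int
    antivirus_running: bool
    patch_age_days: int
    local_admins: set[str] = field(default_factory=set)


def check_host(report: HostReport, baseline: dict = BASELINE,
               exemptions: Optional[set[str]] = None) -> list[str]:
    """Return the baseline controls this host violates, in a fixed order,
    minus any deviation that has been assessed and approved (exemptions)."""
    exemptions = exemptions or set()
    findings = []
    if report.min_password_length < baseline["min_password_length"]:
        findings.append("PASSWORD_LENGTH")
    if baseline["antivirus_required"] and not report.antivirus_running:
        findings.append("ANTIVIRUS")
    if report.patch_age_days > baseline["max_patch_age_days"]:
        findings.append("PATCH_AGE")
    if report.local_admins - baseline["approved_local_admins"]:
        findings.append("LOCAL_ADMIN")
    return [f for f in findings if f not in exemptions]


def assign_zone(report: Optional[HostReport],
                exemptions: Optional[set[str]] = None) -> dict:
    """Decide which network environment a host belongs in.

    - no report at all: configuration cannot be confirmed remotely -> 'unverified'
    - report with unresolved findings -> 'restricted', with an alert or a block
    - report that meets the baseline -> 'verified'
    """
    if report is None:
        return {"zone": "unverified", "findings": [], "action": "isolate"}
    findings = check_host(report, exemptions=exemptions)
    if not findings:
        return {"zone": "verified", "findings": [], "action": "allow"}
    action = "block" if BLOCKING_FINDINGS & set(findings) else "alert"
    return {"zone": "restricted", "findings": findings, "action": action}


def evaluate_fleet(inventory: list[str], reports: dict[str, HostReport],
                   exemptions: dict[str, set[str]]) -> dict[str, dict]:
    """Run the zone decision over every inventoried host; hosts with no
    report are the ones whose configuration could not be confirmed."""
    return {host: assign_zone(reports.get(host), exemptions.get(host))
            for host in inventory}


# Constructed sample data (not real hosts).
INVENTORY = ["pc-ok", "pc-weak", "pc-noav", "pc-exempt", "visitor-laptop"]
SAMPLE_REPORTS = {
    "pc-ok": HostReport("pc-ok", 12, True, 7, {"desktop-support"}),
    "pc-weak": HostReport("pc-weak", 8, True, 5, {"desktop-support", "jdoe"}),
    "pc-noav": HostReport("pc-noav", 12, False, 3),
    "pc-exempt": HostReport("pc-exempt", 12, True, 45),
    # visitor-laptop has no report: no agent, cannot be confirmed remotely
}
# pc-exempt's patch lag was assessed and approved with a mitigation plan.
EXEMPTIONS = {"pc-exempt": {"PATCH_AGE"}}


if __name__ == "__main__":
    for host, result in evaluate_fleet(INVENTORY, SAMPLE_REPORTS, EXEMPTIONS).items():
        print(f"{host:15} {result['zone']:11} {result['action']:8} {result['findings']}")
```

The point of the split is that "unverified" is a separate answer from "restricted": a visitor laptop with no agent is not known to be bad, it is simply unknown, and it gets the network environment that assumes the worst without generating a misconfiguration alert for a sysadmin who cannot fix it. Approved deviations are held per host and per control, so an exemption for patch lag on one machine does not silence a missing anti-virus finding on the same machine.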




