1
For Security Professionals
INFORMATION SYSTEM SECURITY For Security Professionals
This presentation, highlighting the changes to Chapter 8 that went into effect on 1 May 2001, was developed by the North East Region Information System Security Managers Association (NERISSMA). It has been modified only slightly to cover any unique information.
2
Objectives
- Discuss the principles of Computer Security
- Identify required IS security documentation
- Identify the purpose of a System Security Plan (SSP)
A. Tie In: This section provides an overview of what needs to be included in the System Security Plan.
B. Objectives: Using NISPOM, Chapter 8 Section 6, paragraph 610:
- Define the security documentation that is needed for accredited ISs
- Define the purpose of the SSP
- Identify what information must be included in an SSP.
3
Foundations of Computer Security
Confidentiality, Integrity, Availability (C-I-A). Paragraph NISPOM
4
CONFIDENTIALITY: Protection of data in or processed by the computer system from disclosure.
5
INTEGRITY: Protection of data and software used or processed on classified systems from manipulation and deletion.
6
AVAILABILITY: Protecting the computer from malicious logic or natural disasters.
7
Protection Levels NISPOM 8-402
- PL-1 Dedicated
- PL-2 System High
- PL-3 Compartmented
8
Protection Level (PL) 1 Dedicated Security Mode
Clearance, N-T-K and, if applicable, all formal access approvals for all information.
Notes: It equates to having the combination to a container. Before you are given that combination, it is verified that you have the appropriate clearance and need-to-know for all information in that container. Most systems accredited out there are in this mode. No technical IS security is required; access is determined by physical and administrative controls. Just keep unauthorized persons out of the area.
9
Protection Level (PL) 2 System High Security Mode
Clearance and access approvals for all information, but with different N-T-K.
Notes: There are systems out there accredited at this level, but many fewer than in dedicated mode. It is more complicated; there are more stringent protection requirements: need-to-know protection or discretionary access controls, where the owner of a file has control over who gains access to it, through logical partitions, including user IDs and passwords. Object reuse issues are addressed here. It also includes physical partitions, i.e., printers and monitors segregated to protect NTK.
10
Protection Level (PL) 3 Compartmented Security Mode
Clearance for the most restrictive information, but different formal access approvals. Pertains to SCI, SAP, NATO, CNWDI and CRYPTO type information. It is the sensitivity level of the information that is the concern.
(Diagram labels: NATO, CRYPTO, TS-NATO, TOP SECRET, CNWDI, SAP)
11
Confidentiality Matrix
TABLE 5 - Protection Profile Table for Confidentiality
12
Levels of Concern 8-403 Confidentiality
Level of Concern: Qualifiers
- High: TOP SECRET and SECRET Restricted Data (SIGMAs 1, 2, 14, 15)
- Medium: SECRET, SECRET Restricted Data
- Basic: CONFIDENTIAL
13
Integrity Matrix Must be contractually imposed.
14
Levels of Concern 8-403 Integrity
Must be contractually imposed.
15
Availability Matrix Must be contractually imposed.
16
Levels of Concern 8-403 Availability
Must be contractually imposed.
17
Cognizant Security Agency
Agencies of the Executive Branch authorized to establish an Industrial Security program. The agencies are: DoD, DoE, CIA, and NRC.
Notes: Provide oversight for information systems that process classified information. This includes the review of your security program to get to a point where DSS can certify and accredit information systems to process classified information. Establish a line of authority for training. We'll talk later about some recommended methods and resources you can use. Segue: Remember from this morning, who administers the program for DoD, the CSA? DSS, who is the CSO. 8-101a, NISPOM
18
Cognizant Security Office
The entity designated by the Head of a CSA to administer industrial security on behalf of the CSA. Performs oversight, program review, training, and certification and accreditation of ISs used by its contractors. 8-101a, NISPOM
19
Contractor Role
- Publish and promulgate an IS Security Policy
- Appoint and train an Information Systems Security Manager (ISSM)
Notes: Contractor management will publish and promulgate an IS Security Policy addressing the classified processing environment. Appoint ISSM (old ISSR): an IS Security Manager will be appointed with oversight responsibility for the development, implementation and evaluation of the facility's IS security program. Train ISSM: contractor management will assure that the ISSM is trained to a level commensurate with the complexity of the facility's IS. This course meets that requirement. You can also take any nationally known or government agency information system security training which includes testing or certification. 8-101b, NISPOM
20
IS Security Manager (ISSM)
- Not necessarily the Facility Security Officer (FSO)
- Designated by Management
- The CSA's point of contact for IS security
- Generally a very nice guy
Notes: The ISSM can be the FSO or it can be delegated to someone else. In any case, the ISSM should have a background in computers. The ISSM is appointed by management. If the FSO and ISSM are different people, the ISSM reports security issues and problems to the FSO. The FSO has overall security responsibility, however, relies on the ISSM for technical issues just as the ISRep relies on their ISSP for technical issues. The ISSM will be the point of contact for the CSA regarding information systems that process classified information.
21
IS Security Officer (ISSO)
- Appointed by ISSM in facilities with multiple accredited IS
- Assists in day-to-day IS security operations
- Has PCL, NTK, and formal access approvals for all information processed on accredited IS
- Not so nice
Notes: The ISSO is appointed by the ISSM in facilities with multiple accredited ISs, assists in day-to-day IS security operations, and has PCL, NTK and formal access approvals. Have students turn to paragraph 8-104. Examples of responsibilities the ISSM can assign: prepare, maintain and implement the SSP for the assigned IS; implement security measures in accordance with facility procedures (CM program, unauthorized personnel not granted access to the IS, proper marking, handling and controlling of the accredited IS, proper media and equipment destruction); notify the ISSM when an IS no longer processes classified information or when changes occur that might affect accreditation.
22
Security Documentation 8-610 NISPOM
- System Security Plan
- Profile
- Configuration Plan
- Risk Acceptance Letter
- Memorandum of Understanding
- Protected Distribution System
Lesson Title: Certification and Accreditation
Date Prepared: March 2001
Time Required for Lesson: min (.5 hr)
Method(s) of Instruction: Lecture
Instructor(s): One
Classroom(s) Requirements: One
Instructional Aids: Powerpoint slides
Equipment: Computer/projector/screen
Handout Materials: Copy of slides
23
Basis for Accreditation
- Safeguards
- Documentation (SSP)
- Policy
- Evaluation of security risks
24
System Security Plan
- Defines Security Policy
- Includes Configuration Management Plan
- Covers the life-cycle of the system
- Target audience includes users, system administrators, government, and security staff
- Best single security tool
Notes: The NISPOM identifies specific security documentation for ISs processing classified information. Before any processing of classified information on an IS, these documents must be written: management's information systems security policy; a Configuration Management Plan which includes a list of the hardware and software; the System Security Plan (SSP); and the Certification and Accreditation documentation. These documents can be rolled up into the SSP. 8-610
25
Self-Certification Master/Profile Concept
System Security Plan (diagram labels: MSSP, PP, SSP, PP)
Notes: What is the purpose of the SSP? The SSP is the basic system protection document and evidence that the proposed system, or update to an existing system, meets the protection profile requirements. It provides the users with their instructions on how to process classified information; it is their guide. The SSP also serves as the basis for inspections of the system. Additionally, if you use the DSS provided template, it allows for uniformity and consistency. DSS has over 11,500 facilities; it would be very difficult to review this required documentation if there wasn't some uniformity. A practical exercise will be required: writing an SSP.
26
Self-Certification Concept: Profile Requirements
- Same classification
- Same PL level
- Same Level of Concern
- Same Environment
- Approved O/S
- Same system type
- Approved TD
- Approved Periods Processing
- Approved Mobile Systems
- Approved Test Equipment
27
Self-Certification Concept: Not Authorized
- SIPRNET
- WAN self-certs
- Systems requiring variances
- Audit variances
- Alternate TD procedures
- Legacy O/S
28
System Identification
SSP INCLUDES: System Identification; Purpose; Security personnel; System description; Mission or purpose; Architecture; Classification Level; Formal Access Approvals; System requirements; Personnel Clearance Level of Users; Need to Know of Users; Protection Level; Physical controls; Marking requirements.
Notes: SSP Must Include (slide changed):
- System Identification
- Security Personnel: name, location and phone number of the responsible system owner, the ISSM and ISSO (if applicable)
- System Description: a brief narrative of the mission or purpose of the system (such as: will be used for creation of classified drawings of the Stealth Bomber). The system description also includes the architecture of the IS, including subnetworks, communications devices and protocols. A block diagram of the components that shows the interconnections between the components as well as to other systems, and an information flow diagram, should be included. Also include a brief description of the security support structure, including all controlled interfaces, interconnection criteria and security requirements. Addressed in more detail in the Interconnected Systems Mgmt block; SSS addressed briefly in ISL question 44. 8-610a.(1)(a)
29
SSP - Protection Measures
- Audit Capabilities
- Access Controls
- Resource Controls
- System Recovery
- Security Testing
- Data Transmission
- I & A
- Session Controls
- System Assurance
- Physical Security
Notes: Protection Measures: see Chap 8, Section 4, Table 5 (8-4-3), the list of protection measures that must be addressed in the SSP. The identified Protection Level of the IS determines what protection measures must be in place and documented in the SSP. Table 5 lists the items that need to be addressed; the items are detailed in Section 6 of Chapter 8. Go to the exercise in the book (page 26). Let's look at how this works: go to Table 5. What is the Audit requirement at PL 1? Answer: Audit 1. What does Audit 1 say? (Students need to go to 8-602.) Have them read "(1) Automated Audit Trail Creation: The system shall automatically create and maintain an audit trail or log." What is the Access Control requirement for PL 2? Answer: Access 2. Students read "Discretionary Access controls shall be provided." Resource Controls; System Recovery: is a UPS required; Testing: are the security features appropriate and functional; Data Transmission: is the classified data being protected when it moves through areas where unauthorized persons could have access; I&A: are the users' unique logon procedures working; Session Controls: are the appropriate warning banners being used; System Assurance: are only those authorized access to the O/S getting access? The next several blocks will address each of these items in more detail.
30
SSP - Protection Measures (continued)
- Trusted Downloading
- Software controls
- Media controls
- Maintenance
- Clearing and sanitization
- Self Inspections
Notes: SSP - Additional. Trusted Downloading: if you intend to download unclassified or lower classified information to media, you need to include procedures on how this is going to be done. These procedures must be tested and certified. The SSP must also identify how the software and media used for classified processing are going to be protected; this includes examining and reviewing the hardware and media output. Maintenance procedures must be included in the SSP: how maintenance will be performed and by whom, and whether they will be cleared or uncleared personnel. Clearing and sanitization for the type of media and memory involved must also be addressed. More on all of these topics in the blocks to come.
31
SSP - Variances and RAL letters
- Description of approved variances from protection measures; attach documentation
- Documentation of any unique threats or vulnerabilities to the system; document if none exist
Notes: SSP - Variances & Vulnerabilities. The SSP will also include any variances from the protection measures identified. Examples: 1. Manual logs vs. automated audit trails: approval documentation must be attached to the SSP. 2. Write-protected media vs. test and review of media after install: write-protect procedures must be documented and approved. A description of the risk assessment of any threats or vulnerabilities unique to the system must be documented, e.g., accreditation of a system located in a room where on the other side of the wall is a foreign owned and run firm. That may or may not be an issue, but it needs to be explored. If any vulnerabilities are identified, countermeasures must be implemented to mitigate them and described in the SSP. If unable to mitigate, an alternative solution must be documented, approved and included in the SSP. If there are no threats or vulnerabilities, a statement to that effect is included in the SSP.
32
SSP - May Also Include
- MOU for connections to separately accredited networks & systems
- Special purpose type systems, embedded systems
- Other contractual issues
Notes: SSP - Might Also Include. MOU: if connections to other systems exist, an MOU is necessary if the systems are approved by a person other than the CSA responsible for this system. A copy of the MOU with other agencies must be attached to the SSP. Special categories, such as pure servers and embedded systems, must not be overlooked; descriptions and protection measures need to be defined. Other contractual issues, such as Integrity and Availability requirements, need to be addressed. TEMPEST: if the contract requires TEMPEST, that is extra measures to protect against emanations, particularly on transmission lines. These issues may also need to be addressed in the SSP. Your IS Rep will take a look at the DD 254s involved to see if there are any special requirements that need to be addressed.
33
Audit Records: Who fills out what? What logs are required? - Manual
ISSOs & Users. Manual logs required:
- Maintenance
- Hardware & Software Upgrade/Downgrade
- Sanitization
- Weekly Audit Log
- Seal Log (If Applicable)
- Receipt/Dispatch (If Applicable)
Notes: Depending on the size of the system, the ISSO may fill out all the logs or delegate it to the users. On the larger systems with a lot of people on the access list (which may work more than 1st shift also), usually the users annotate the logs. The ISSO will see this when they check the logs weekly and annotate the "weekly" audit log.
34
Audit Records - cont'd: What logs are required - Automated (if technically capable)
- Successful and unsuccessful logons and logoffs
- Unsuccessful accesses to security-relevant objects and directories, including creation, open, modification and deletion
Notes: Point out that the increased audit log requirement will take up a lot of space on your systems. Think about saving archives to tape or alternative disk.
35
Audit Records - cont'd
- Changes in user authenticators, i.e., passwords
- Denial of system access resulting from an excessive number of unsuccessful logon attempts
- If not technically capable, the Authorized Users list will be retained as an audit record
Notes: Point out that the increased audit log requirement will take up a lot of space on your systems. Think about saving archives to tape or alternative disk.
36
Re-Accreditation & Protection Measures
- Every Three Years
- Major Changes
- If no changes, an updated SSP may not be required.
Notes: Reaccreditation is required every three years or when there are major changes to the IS. Define what constitutes a major change: operating system (i.e., Windows NT to Windows 2000, Unix to Windows), hardware that is not "like" equipment, security-relevant software (i.e., biometrics, firewall software, etc.). Protection Measures: every user must have a unique identifier and be capable of some sort of authentication: passwords, biometrics, smart cards. The User ID shall be associated with all auditable actions taken by the individual.
37
Passwords
- Minimum 8* characters
- Classified to the highest level of the system
- Changed at least every 365* days
- Changed when compromised
- Automated generation when possible
Notes: Reemphasize the password requirements. Need to specify in the profile: 1. Password generation method. 2. Whether the system is technically capable of enforcing password length. 3. Password composition enforcement capabilities. 4. Technical or procedural controls for ensuring passwords are changed when required. 5. Boeing CSRM (Computing Security Requirements Manual) requires passwords to be changed at least every 180 days.
38
DoD Warning Banner
- Required
- Positive User Action
- Prominently displayed
Notes: The DoD Warning Banner is required. There must be some positive user action to get past the banner. If it is technically impossible to display on the system, it needs to be prominently displayed: tape it to the monitor screen so the user has to lift the banner prior to working on the system.
39
Login Attempts
- Maximum of 5* attempts
- Lockout for 15* minutes
Notes: At a minimum, and if technically possible, the system should be set to allow a maximum of 5 login attempts. The login attempts should be limited to 5 minutes. If there is a failed login, the account should be disabled for a minimum of 5 minutes, or until an authorized administrator resets the account.
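As an added example (not from the deck or from any DSS/NISPOM tool), the automated audit-record and login-attempt requirements above applied to constructed logon events in Python: every logon, logoff and password change is recorded, and a denial-of-access record is written when a user exceeds 5 failed attempts. The 5-attempt and 15-minute values are the slide's; the 5-minute counting window, the event names and the log format are assumptions.

```python
"""Lockout and audit-record check over constructed logon events.

Parameters follow the slide (5 attempts, 15-minute lockout); the
5-minute counting window and the log format are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                       # slide: "Maximum of 5* attempts"
ATTEMPT_WINDOW = timedelta(minutes=5)  # assumption: failures counted within 5 min
LOCKOUT = timedelta(minutes=15)        # slide: "Lockout for 15* minutes"

# Constructed sample log (not from any real system):
# "<ISO timestamp> <user> <event>", event in
# LOGON_OK, LOGON_FAIL, LOGOFF, PASSWORD_CHANGE
SAMPLE_LOG = """\
2001-05-01T08:00:00 alice LOGON_OK
2001-05-01T08:01:00 bob LOGON_FAIL
2001-05-01T08:01:20 bob LOGON_FAIL
2001-05-01T08:01:40 bob LOGON_FAIL
2001-05-01T08:02:00 bob LOGON_FAIL
2001-05-01T08:02:20 bob LOGON_FAIL
2001-05-01T08:03:00 bob LOGON_OK
2001-05-01T08:20:00 bob LOGON_OK
2001-05-01T09:00:00 alice PASSWORD_CHANGE
2001-05-01T17:00:00 alice LOGOFF
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def audit_records(events):
    """Return the audit trail: every logon/logoff and password change is
    kept, a DENIAL_EXCESSIVE_ATTEMPTS record is written when a user has
    MAX_ATTEMPTS failures inside ATTEMPT_WINDOW, and while the account is
    locked any further attempt is recorded as DENIED_LOCKED_OUT."""
    records = []
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    locked_until = {}              # user -> time the lockout expires
    for ts, user, event in events:
        lock = locked_until.get(user)
        if lock is not None and ts < lock:
            # Lockout in force: refuse access regardless of credentials.
            records.append((ts, user, "DENIED_LOCKED_OUT"))
            continue
        if event == "LOGON_FAIL":
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > ATTEMPT_WINDOW:
                window.popleft()   # drop failures older than the window
            records.append((ts, user, "LOGON_FAIL"))
            if len(window) >= MAX_ATTEMPTS:
                locked_until[user] = ts + LOCKOUT
                window.clear()
                records.append((ts, user, "DENIAL_EXCESSIVE_ATTEMPTS"))
        else:
            if event == "LOGON_OK":
                failures[user].clear()  # successful logon resets the count
            records.append((ts, user, event))
    return records


def locked_accounts(records):
    """Users for whom a denial-of-access record was written."""
    return {user for _, user, event in records
            if event == "DENIAL_EXCESSIVE_ATTEMPTS"}


if __name__ == "__main__":
    for rec in audit_records(parse_events(SAMPLE_LOG)):
        print(*rec)
```

In the sample, bob's correct logon at 08:03 is still refused because the 15-minute lockout from 08:02:20 has not expired, while the logon at 08:20 succeeds.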
40
Special Categories: Section 5, Chapter 8
May not meet all NISPOM requirements:
- Single-user stand-alones: only one user accesses the system
- Pure servers: no user code on the system
- Tactical, embedded, special-purpose systems: configured as directed by the customer
The customer can require additional requirements above NISPOM.
41
Clearing and Sanitization
Notes: You probably won't sanitize the floppies, but in some cases (SAPs) they require you to do so prior to shredding. Sanitizing the printer requires printing one unclassified page, such as the font test. After review, you can treat the page as unclassified. The printer must then be powered down.
42
Clearing: Removal of data from an IS, its storage devices and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using normal system capabilities (i.e., keyboard strokes). DCID 6/3
Notes: The definition is from the Director of Central Intelligence Directive (DCID) 6/3.
43
Sanitization: The process of removing information from media or equipment such that data recovery using any known technique or analysis is prevented, as well as the removal of all classified labels and markings. DCID 6/3
Notes: The sanitizing definition is taken from the DCID 6/3. Sanitization is the process of removing the data from media before reusing the media or equipment in an environment that does not provide an acceptable level of protection for the data that was on the media before sanitization. Sanitized media can be released outside the protected environment.
44
Clearing and Sanitization Matrix (www.dss.mil)
- Hard drives: may be degaussed or destroyed at end of life cycle
- CPUs: remove power for one minute
- Printers: print one page (font test), then power down
45
Configuration Management Plan
- Formal change control procedures for security-relevant hardware and software
- Management of all documentation
- Implement, test and verify the CM plan
Notes: 12. CM Plan. The facility CM program shall be documented in a CM plan and shall include: a. Formal change control procedures to ensure the review and approval of security-relevant hardware and software: O/S, media, any hardware where there is a sanitization issue. b. Procedures for management of all documentation, such as the SSP and security test plans. c. Workable processes to implement, periodically test and verify the CM plan. d. A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not allowed.
46
CM Plan Documents:
- Procedures to identify and document the type, model and brand of IS hardware
- Procedures to identify and document product names, version or release numbers and location of security-relevant software
- System connectivity
Notes: CM Documentation. CM procedures must be a part of the security documentation. They are the documented procedures for controlling, changing, maintaining, and accepting the system hardware and software. The CM document must contain: type, model and brand of system or network components (e.g., a workstation, printer, router, keyboards and monitors); security-relevant software product names and version or release numbers and physical location (in other words, a hardware/software listing for the systems); system connectivity, including any software used for wireless communication and any communications media. 8-311
47
Periods Processing
- Separate sessions
- Different classification levels
- Different need-to-know
- Removable media for each processing session
Notes: Periods processing is using the same equipment for different classification levels and need-to-knows, running in separate sessions. Removable media is required; each program will have its own removable media.
48
Summary
- Principles of Computing Security
- System Security Plan: Purpose, Contents
- NISPOM = What, SSP = How
Notes: We have reviewed the purpose and contents of the SSP. The NISPOM tells you what you need to include, and the SSP tells the users and the government how you are implementing those NISPOM requirements for your specific system. So, what is the purpose of the SSP? It is the basic system protection document. It is evidence that the accredited IS meets the protection profile requirements. It provides the users with instructions on how to use the IS to process classified information, and serves as an inspection guide. Contents: CONOPS (System ID & Specification Requirements); classification level; PCL, NTK, hardware/software baselines, physical security, hardware/software controls, maintenance, auditing, clearing/sanitization, etc. NISPOM = What: the NISPOM identifies what the security requirements are for the various levels of ISs processing classified information. SSP = How: the SSP identifies how these requirements will be carried out.