
NCI Enterprise Security Program


Presentation on theme: "NCI Enterprise Security Program"— Presentation transcript:

1 NCI Enterprise Security Program
Pre-proposal Briefing
Presenter: Braulio J. Cabral, CBIIT Enterprise Security Coordinator

2 Content
- Purpose
- Background
- Program Related Activities
- Program Management Model/Framework
- Qualifications
- RFP Information
- Q&A

3 Purpose
The purpose of this RFP is to solicit competitive proposals to establish a contract for the support of the NCI-CBIIT Enterprise Security Program, including the following areas:
- Security Policy
- Security Engineering and Operations
- Outreach and Awareness

4 Background
The National Cancer Institute (NCI) has established the Center for Biomedical Informatics and Information Technology (CBIIT) to provide bioinformatics support and integration of its diverse research initiatives to the cancer research community. NCI CBIIT does this, in part, by providing consistent models and comprehensive data in an accessible format to leverage the breadth of information gathered by the basic and clinical research communities. A very important aspect of the NCI CBIIT program is the assurance of a trust-business model in which stakeholders can participate in scientific research and use the technology we provide to advance their work, with confidence that the proper safeguards are in place to ensure the confidentiality, availability and integrity of the information and data processed, stored, and exchanged. To accomplish this trust-business model, NCI CBIIT established an enterprise-wide Security Program (ESP). It is the responsibility of this program to provide the necessary means to protect NCI CBIIT stakeholders' assets while facilitating ease of access to data and services for authorized individuals. The NCI CBIIT ESP implements federal policies, procedures and guidelines for NCI CBIIT and its hosted systems, and provides guidance concerning security requirements to developers of caBIG® applications and services. See the ESP ConOps for more information at:

5 Program Vision

6 Scope
The scope of the security program is to advise, assist, and coordinate the execution of security-related activities across the NCI-CBIIT enterprise, with the goal of protecting the confidentiality, integrity and availability of NCI-hosted systems and data, as well as protecting NCI's intellectual property and reputation in matters of security. Activities within the scope of the program include, but are not limited to, the interpretation and implementation of security policies, guidelines, and standards; assisting in making operational the processes and procedures necessary to implement those policies; and promoting security awareness among stakeholders. The enterprise includes systems hosted by NCI and its contractors, such as the caGrid core infrastructure and services, and NCI's physical information infrastructure (LAN, servers, data storage, etc.).

7 Program Related Activities
Security Policy
- Third Party Credential Integration
- NCI Security Policy book review and updates
- CBIIT/caBIG Security Policy book review and updates
- OMB Security Performance Metrics activities (FISMA)
- Current environment security performance metrics analysis
- Strategic planning
- Integration of security within the SDLC
- Security advising to the NCI Enterprise Systems (Architecture) team
- Security advising to the NCI Enterprise core infrastructure team

8 Program Related Activities
Security Monitoring and Audit Control
- Monitoring and audit planning and execution
- Assist in executing the vulnerability plan of action
C&A Program Management, Continuous Monitoring and Compliance Support
- Systems inventory, categorization, C&A package preparation and submission
Security Engineering and Operations Activities
- Identity Management, Access Management, NCI PIV integration
- Business Continuity Planning
Security Outreach and Awareness

9 NCI Enterprise Security Program Management Model
- Contextual Security Architecture: the contextual architecture defines the security business strategic goals, the business vision, and the security needs required to accomplish the business strategy.
- Conceptual Security Architecture: the conceptual architecture defines the business attributes and the business needs for security.
- Logical Security Architecture: the logical architecture defines the security policy, security requirements, data-sharing security needs, security services, and privilege profiles.
- Physical Security Architecture: the physical security architecture is concerned with security rules, practices, procedures, and security mechanisms.
- Component Security Architecture: the component architecture includes security products and security tools, processes, and protocols.
- Operational Security Architecture: the operational architecture is concerned with assurance of operational continuity, risk management, security service management, and security metrics and performance.
The SABSA® Model

10 Program Management Framework

11 Vendor Qualifications

12 Qualifications
- Demonstrated experience with similar Information Security Management projects in a mixed-domain environment including government, academia and the private sector.
- Use of Information Security management methodologies/frameworks/standards (e.g. COBIT, SABSA, ISO, NIST), etc.
- Availability/experience of project management resources.
- Demonstrated experience with FISMA C&A processes.
- Experience integrating security into the software development life cycle.

13 Qualifications
- Technical writing skills, including the ability to document security policies, system security plans, contingency planning, COOP, etc.
- Excellent communication resources, capable of representing the security program in the community (both internal and external communities) and presenting technical solutions.
- Knowledge of security standards related to FISMA, including but not limited to FIPS 200, FIPS 199, and the NIST SP 800 family.
- Technical expertise in the areas of penetration testing, information assurance and privacy, code review for security, and security standards such as WS-* and SAML 2.0.
- Technical expertise in the area of SOA security, and distributed systems security/grid services security.
- Understanding of iterative and incremental development methods such as RUP.

14 Qualifications
- Knowledge of HL7 and the HL7 security profile.
- Knowledge of the HL7 Service-aware Interoperability Framework (SAIF).

15 RFP Information

16 RFP Purpose (scope)
The scope of the services to be provided includes the following areas:
Security Policy
- Procedures and standards for implementation of the security plan
- Assisting in the interpretation of business- and technical-level security policies related to CBIIT and caGrid services
- Administration of contract/trust agreements for caGrid users
Security Engineering and Operations
- Integration of security policies and control processes into the SDLC
- Help in the implementation of security guidance, standards, and procedures to implement and validate the security policy
- Assist the security program in defining new security-related technologies (e.g. security as a service (SaS), access control policies)
- Assist in the FISMA certification and accreditation process

17 RFP Purpose (scope)
Security Outreach and Awareness
- Maintain the web security presence (e.g., update web documentation, security training materials, and general security-related information)
- Assist in the distribution of security awareness material and outreach for the caGrid community
- Assist with strategic communication to and from the program office, CIO/ISSO, and the community at large

18 RFP Response Requirements
- Executive Summary
- Scope and Methodology
- Service Deliverables
- Project Management Approach
- Vendor Qualifications and Experience
- Project Staffing
- Price/Cost

19 Security Clearance Requirements
Level 1 (Non-sensitive)
The majority of NIH employees and contractors are in non-sensitive "Level 1" positions and will undergo a 'National Agency Check with Inquiries' (NACI). This is the minimum investigation required for new Federal employees and contractors. All NIH personnel security investigations are processed through the Office of Personnel Management (OPM). For the purpose of this RFP, a Level 1 (NACI) is required, processed by NIH prior to issuing NIH contractor IDs, unless the individual participates in sensitive activities such as C&A, systems administration, network maintenance, etc. Non-sensitive positions are those which include mostly low-risk, non-sensitive, and non-national-security program responsibilities.

20 Security Clearance Requirements
Public Trust
For resources conducting FISMA Certification and Accreditation activities, a Level 5 is required, procured by the contractor. Public Trust positions are those positions which require a high degree of integrity and public confidence in the individual occupying the position.
- Level 5 (Moderate Risk level)
- Level 6 (High Risk level)
Reference:

21 Questions? Q&A
