Cybersecurity Summit 2004. Andrea Norris, Deputy Chief Information Officer / Director of the Division of Information Systems, National Science Foundation.


2 Federal Information Security Management Act (FISMA) Overview
"Each Federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source..."
-- Federal Information Security Management Act of 2002

3 Legislation and Policy
- Public Law 107-347 (Title III), Federal Information Security Management Act of 2002 (FISMA) (December 2002)
  http://www.fedcirc.gov/library/legislation/FISMA.html
- Office of Management and Budget Circular A-130 (Appendix III), Security of Federal Automated Information Resources (February 1996)
  http://www.whitehouse.gov/omb/circulars/a130/appendix_iv.pdf
- National Institute of Standards and Technology (NIST) Special Publication guidance
  Special Publications at http://csrc.nist.gov/publications/nistpubs/
- National Science Foundation Information Security Handbook, Manual 7 (April 2004)
  http://www.inside.nsf.gpv/oirm/dis/itsecur/docs/securityhb.pdf

4 Information Security Program Elements (Reference: FISMA)
- Periodic assessments of risk
- Security policies and procedures
- Security planning for networks and information systems
- Security awareness training for employees and contractors
- Periodic testing and evaluation of security practices, at least annually
- Plans for continuity of operations and disaster recovery
- Procedures for detecting and reporting security incidents
- Process to document and address security weaknesses
- Annual report on security status to Congress

5 Key Definitions (Reference: OMB A-130 Appendix III)
- General Support System (GSS, e.g. a LAN): an interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
- Major Application: an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
- Application: the use of information resources to satisfy a specific set of user requirements.

6 Key NIST Publications
- SP 800-12 An Introduction to Computer Security: The NIST Handbook
- SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- SP 800-30 Risk Management Guide for Information Technology Systems
- SP 800-34 Contingency Planning Guide for Information Technology Systems

7 NSF Information Security Handbook
- Management Control Procedures: Risk Management, Security Control Review, Life Cycle, Security Planning
- Operational Control Procedures: Personnel, Physical, Contingency Planning, HW/SW, Training, Incident Response
- Technical Control Procedures: Identification and Authentication, Logical Access Controls, Audit Trails
- Appendices with Report Templates: Security and Contingency Plans, Risk Assessment

8 NSF Keys to Success
- Top-down commitment to security as a strategic priority
- Comprehensive security program
- Sustained levels of investment
- Performance goals and measures

9 NSF IT Security Program: Risk Management Approach
Risks are assessed, understood and appropriately mitigated. The program balances security (confidentiality, integrity, availability) against an open, collaborative environment for research and discovery.

10 Security Management Structure (organization chart; boxes as shown on the slide)
- NSF Director
- CIO
- Senior Agency Information Security Officer
- DIS Security Officer
- Security Working Group
- Program Office Security Liaisons
- NSF Employees and Contractors
- NSF Customers and Stakeholders

11 NSF IT Security Program (components)
- Policies, Procedures and Plans
- Security Assessments, Audits and Controls
- Security Awareness Training
- Certification and Accreditation
- Intrusion Detection and CIRT
- Vulnerability Assessment and Penetration Tests

12 Layered Approach
Protecting critical assets requires layered proactive controls, monitoring of the environment, and reactive functions for effective response. The slide diagram places critical data, information and systems at the center, with Proactive Measures (Protect) before an Event and Reactive Functions (Detect, React) after it; the controls below are cited only as examples.
- Defense in depth (proactive):
  - Deter, e.g. warning banner
  - Detect, e.g. intrusion detection
  - Delay, e.g. firewall
  - Defend, e.g. encryption
  - Deny, Defeat
- Escalation by severity (reactive): Monitoring, CIRT, Forensics, BCP/COOP

13 Management Controls
- Management structure, roles and responsibilities
- Policy and procedures
- System inventory
- Security reviews, assessments, and plans
- Certification and accreditation
- Agency-level Plan of Action and Milestones
- Security awareness and training

14 Technical and Operational Controls
- Connectivity standards
- External and internal networks
- Firewall architecture
- Intrusion detection
- Vulnerability scans
- Penetration tests
- Patch management
- Laptop scanning
- Anti-virus protection
- Continuity of operations, contingency, and disaster recovery
The visible and known establishes confidence.

15 Lesson Learned: Security is a Continuous Process
Security is a continuous process of evaluation and monitoring. The slide shows a lifecycle of Plan, Design, Implement, Run and Assess, with these activities placed around it:
- Policy standards, enterprise architecture, configuration standards
- Strategy, solution planning, resource allocation, business continuity
- Product selection, product implementation, centralized security management
- Managed security services, intrusion detection, firewall management, incident reporting
- Vulnerability scans, assessments, risk and threats, privacy, security test and evaluation, compliance

16 Challenges
- Changing threat environment
- Cultural change: awareness and education
- Security investment
