1. Security Control Families Management Class

7. Security Controls Overview  XX-1 Policy and Procedures

8. NIST Doc Review Strategy: Bulleted Summaries Executive Summaries, Overviews, Introductions Table Summaries Graphic Summaries 8

9. XX-1 Policy & Procedures  SP 800-12 The Handbook  SP 800-100 Manager’s Handbook AC-1Access Control AT-1Security Awareness and Training AU-1Audit and Accountability CA-1Security Assessment and Authorization CM-1Configuration Management CP-1Contingency Planning IA-1Identification and Authentication IR-1Incident Response MA-1System Maintenance MP-1Media Protection PE-1Physical and Environmental Protection PL-1Security Planning PM-1Information Security Program Plan PS-1Personnel Security RA-1Risk Assessment SA-1System and Services Acquisition SC-1System and Communications Protection SI-1System and Information Integrity

10. Security Assessment & Authorization  Core RMF Documents  800-47 (SLA)  800-137 (CM) CA-2Security Assessments CA-3Information System Connections CA-5Plan of Action and Milestones CA-6Security Authorization CA-7Continuous Monitoring

11. Planning Family & Family Plans PL-2System Security Plan PL-4Rules of Behavior PL-5Privacy Impact Assessment PL-6Security-Related Activity Planning  800-18 (RMF)  800-100 (PM)  OMB M-03-22 (Privacy) CA-5 Plan of Action and Milestones-37 CP-2Contingency Plan-34 CM-9 Configuration Management Plan-128 IR-8Incident Response Plan-61 PM-1Information Security Program Plan PM-8 Critical Infrastructure Plan RMF 4.1 Security Assessment Plan-53a

12. Program Management PM-2Senior Information Security Officer PM-3Information Security Resources PM-4Plan of Action and Milestones Process PM-5Information System Inventory PM-6 Information Security Measures of Performance PM-7Enterprise Architecture PM-8Critical Infrastructure Plan PM-9Risk Management Strategy PM-10Security Authorization Process PM-11Mission/Business Process Definition  800-30  800-37 (RMF)  800-39 (RMF)  800-100  800-55 - Performance  800-60  800-65 - CPIC  FIPS 199  HSPD 7 – Critical Infrastructure  OMB 02-01 - SSP

13. Program Management Overview  Information Security Program Plan (PM)  Critical Infrastructure Plan (HSPD 7)  Capital Planning and Investment Control (SP 800-65)  Measures of Performance (SP 800-55)  Enterprise Architecture and Mission/Business Process Definition

14. Information Security Program Plan  Defines Security Program Requirements  Documents Management and Common Controls  Defines Roles, Responsibilities, Management Commitment and Coordination  Approved by Senior Official (AO)  Appoint Senior Information Security Officer

15. Critical Infrastructure Plan  HSPD-7 Critical Infrastructure Identification, Prioritization, and Protection  Essential Services That Underpin American Society  Protection from Terrorist Attacks –Prevent Catastrophic Health Effects or Mass Casualties –Maintain Essential Federal Missions –Maintain Order –Ensure Orderly Functioning of Economy –Maintain Public's Morale and Confidence in Economic and Political Institutions  Strategic Improvements in Security

16. Capital Planning & Investment Control  Investment Life Cycle  Integrating Information Security into the CPIC Process  Roles and Responsibilities –Identify Baseline –Identify Prioritization Criteria –Conduct System- and Enterprise-Level Prioritization –Develop Supporting Materials –IRB and Portfolio Management –Exhibits 53 and 300 and Program Management

17. Investment Life Cycle

18. Integrating Information Security into the CPIC Process

19. Knowledge Check  If the interconnecting systems have the same authorizing official, an Interconnection Security Agreement is not required. True or False?  Which NIST SP, provides a seven-step process for integrating information security into the capital planning process?  This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.  The corrective action and cost information contained in which document, serve as inputs to the Exhibit 300s and are then rolled into the Exhibit 53?

20. Measures of Performance  Metric Types  Metrics Development and Implementation Approach  Metrics Development Process  Metrics Program Implementation –Prepare for Data Collection –Collect Data and Analyze Results –Identify Corrective Actions –Develop Business Case and Obtain Resources –Apply Corrective Actions

21. Metric Types  “Am I implementing the tasks for which I am responsible?”  “How efficiently or effectively am I accomplishing those tasks?”  “What impact are those tasks having on the mission?”

22. Metrics Development Process

23. Metrics Program Implementation

24. Federal Enterprise Architecture Performance Data BusinessService Technical Information Type (SP 800-60)

25. Core Principles of the FEA  Business-driven  Proactive and collaborative across the Federal government  Architecture improves the effectiveness and efficiency of government information resources

26. Defining Mission/Business Processes  Defines mission/business processes with consideration for information security and the resulting risk to the organization;  Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

27. Risk Assessment RA-2Security Categorization RA-3Risk Assessment RA-5Vulnerability Scanning  800-30r1 (draft)  800-37  800-40 - Patch Management  800-70 - Checklists  800-115 - Assessments

28. Patch and Vulnerability Management Program  Create a System Inventory  Monitor for Vulnerabilities, Remediations, and Threats  Prioritize Vulnerability Remediation  Create an Organization-Specific Remediation Database  Conduct Generic Testing of Remediations  Deploy Vulnerability Remediations  Distribute Vulnerability and Remediation Information to Local Administrators  Perform Automated Deployment of Patches  Configure Automatic Update of Applications Whenever Possible and Appropriate.  Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning  Vulnerability Remediation Training

29. National Checklists Program

30.  In which NIST special publication might you find guidance for the performance measurement of information systems?  Which FEA reference model was used to create the guide for mapping information types to security categories, in support of the first step of the Risk Management Framework?  What is the name of the security control, represented by the control ID RA-3, must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework?  Where can information about vulnerabilities be found?

31. System & Services Acquisition SA-2Allocation of Resources SA-3Life Cycle Support SA-4Acquisitions SA-5Information System Documentation SA-6Software Usage Restrictions SA-7User-Installed Software SA-8Security Engineering Principles SA-9External Information System Services SA-10Developer Configuration Management SA-11Developer Security Testing SA-12Supply Chain Protection SA-13Trustworthiness  800-23 – Acquisition Assurance  800-35 – Security Services  800-36 – Security Products  800-53a  800-64 - SDLC  800-65 - CPIC  800-70 - Checklists

32. Security Services Life Cycle

33. General Considerations for Security Services  Strategic/Mission  Budgetary/Funding  Technical/ Architectural  Organizational  Personnel  Policy/Process

34. Security Product Testing  Identification and Authentication  Access Control  Intrusion Detection  Firewall  Public Key Infrastructure  Malicious Code Protection  Vulnerability Scanners  Forensics  Media Sanitizing  Common Criteria Evaluation and Validation Scheme  NIST Cryptographic Module Validation Program

35. Considerations for Selecting Information Security Products  Organizational  Product  Vendor  Security Checklists for IT Products  Organizational Conflict of Interest

36. Management Security Controls Key Concepts & Vocabulary  XX-1 Policy & Procedures  CA - Security Assessment and Authorization  PL – Planning Family & Family Plans –Information Security Program Plan (PM) –Critical Infrastructure Plan (HSPD 7)  PM - Program Management –Capital Planning and Investment Control (SP 800-65) –Measures of Performance (SP 800-55) –Enterprise Architecture (FEA BRM)  RA - Risk Assessment –Security Categorization –Risk & Vulnerability Assessments  SA - System and Services Acquisition