Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14,

Published bySamson Harris Modified over 9 years ago

Similar presentations

Presentation on theme: "1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14,"— Presentation transcript:

1 1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14, 2007 Dr. Ron Ross Computer Security Division Information Technology Laboratory

2 2 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Current State of Affairs  Continuing serious attacks on federal information systems; targeting key federal operations and assets.  Adversaries are nation states, terrorist groups, hackers, criminals, disgruntled employees.  Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.  Significant exfiltration of critical and sensitive information and implantation of malicious software.

3 3 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Threats to Security Connectivity Complexity

4 4 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Challenges for Agencies  Large, complex information technology infrastructures; many information systems to manage.  Dynamic operational environments with changing threats, vulnerabilities, and technologies.  Obtaining adequate staffing with requisite information security skills and expertise.

5 5 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Changing Models of Protection  Risk Avoidance  Risk Management  Information Protection  Information Protection Information Sharing  Confidentiality  Confidentiality, Integrity, Availability

6 6 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY The Desired End State Security Visibility Among Business/Mission Partners Organization One Information System Plan of Action and Milestones Security Assessment Report System Security Plan Determining the risk to the first organization’s operations and assets and the acceptability of such risk Business / Mission Information Flow The objective is to achieve visibility into prospective business/mission partners information security programs BEFORE critical/sensitive communications begin…establishing levels of security due diligence and trust. Determining the risk to the second organization’s operations and assets and the acceptability of such risk Organization Two Information System Plan of Action and Milestones Security Assessment Report System Security Plan Security Information

7 7 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Information Security Imperatives For an Information Sharing Partnership  The need to share depends on a need to trust.  Trust cannot be conferred ; it must be earned.  Trust is earned by understanding the security state of your partner’s information system.  Understanding the security state of an information system depends on the evidence produced by organizations demonstrating the effective employment of safeguards and countermeasures. Trust but verify…

8 8 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Information Security Paradigm Shift  From: Policy-based compliance  Policy dictates discrete, pre-defined information security requirements and associated safeguards/countermeasures;  Minimal flexibility in implementation; and  Little emphasis on explicit acceptance of mission risk.  To: Risk-based mission protection  Enterprise missions and business functions drive security requirements and associated safeguards/countermeasures;  Highly flexible in implementation; and  Focuses on acknowledgement and acceptance of mission risk.

9 9 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY FISMA Strategic Vision  Building a solid foundation of information security across one of the largest information technology infrastructures in the world based on comprehensive security standards and guidelines.  Institutionalizing a comprehensive Risk Management Framework that promotes flexible, cost-effective information security programs for federal agencies and contractors.  Establishing a fundamental level of “information security due diligence” for federal agencies based on a common process to determine adequate protection for enterprise missions and business functions.

10 10 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Risk Management Framework  The Risk Management Framework and the associated security standards and guidelines provide a process that is:  Disciplined  Structured  Flexible  Extensible  Repeatable “Building information security into the infrastructure of the organization… so that critical enterprise missions and business functions will be protected.”

11 11 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Managing Enterprise Risk  Key activities in managing enterprise-level risk—risk to the enterprise and to other organizations resulting from the operation of an information system: Categorize the information system (criticality/sensitivity) Select and tailor baseline (minimum) security controls Supplement the security controls based on risk assessment Document security controls in system security plan Implement the security controls in the information system Assess the security controls for effectiveness Authorize information system operation based on mission risk Monitor security controls on a continuous basis

12 12 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Risk Management Framework Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements) SP 800-53A ASSESS Security Controls Continuously track changes to the information system that may affect security controls and reassess control effectiveness SP 800-37 / SP 800-53A MONITOR Security Controls Document in the security plan, the security requirements for the information system and the security controls planned or in place SP 800-18 DOCUMENT Security Controls SP 800-37 AUTHORIZE Information System Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation SP 800-53 / SP 800-30 SUPPLEMENT Security Controls Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence FIPS 200 / SP 800-53 SELECT Security Controls Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate Implement security controls; apply security configuration settings IMPLEMENT Security Controls SP 800-70 Define criticality /sensitivity of information system according to potential impact of loss FIPS 199 / SP 800-60 CATEGORIZE Information System Starting Point

13 13 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Information Security Program Adversaries attack the weakest link…where is yours? Risk assessment Security planning Security policies and procedures Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical security Personnel security Security assessments Certification and accreditation Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards Links in the Security Chain: Management, Operational, and Technical Controls

14 14 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY The Common Foundation For Managing Enterprise Risk The Generalized Model Common Information Security Requirements Unique Information Security Requirements The “Delta” Foundational Set of Information Security Standards and Guidance Standardized risk management framework Standardized security categorization (criticality/sensitivity) Standardized security controls and control enhancements Standardized security control assessment procedures Intelligence Community Department of Defense Federal Civil Agencies National security and non national security information systems

15 15 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Enterprise-wide Strategy  Facilitates enterprise-wide, mission-oriented decisions on risk mitigation activities based on organizational priorities;  Provides global view of systemic weaknesses and deficiencies occurring in information systems across the organization;  Promotes the development of enterprise-wide solutions to information security problems; and  Increases knowledge base for system owners regarding threats, vulnerabilities, and strategies for more cost-effective solutions to common problems.

16 16 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Defense-in-Breadth Strategy  Diversify information technology assets.  Reduce the information technology target size.  Consider vulnerabilities of new information technologies before deployment.  Apply a balanced set of management, operational, and technical security controls in a defense-in- depth approach.

17 17 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Key Standards and Guidelines  FIPS Publication 199 (Security Categorization)  FIPS Publication 200 (Minimum Security Requirements)  NIST Special Publication 800-18 (Security Planning)  NIST Special Publication 800-30 (Risk Management)  NIST Special Publication 800-37 (Certification & Accreditation)  NIST Special Publication 800-53 (Recommended Security Controls)  NIST Special Publication 800-53A (Security Control Assessment)  NIST Special Publication 800-59 (National Security Systems)  NIST Special Publication 800-60 (Security Category Mapping) Many other FIPS and NIST Special Publications provide security standards and guidance supporting the FISMA legislation…

18 18 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Project LeaderAdministrative Support Dr. Ron RossPeggy Himes (301) 975-5390(301) 975-2489 ron.ross@nist.gov peggy.himes@nist.gov Senior Information Security Researchers and Technical Support Marianne Swanson Dr. Stu Katzke (301) 975-3293 (301) 975-4768 marianne.swanson@nist.govskatzke@nist.gov Pat TothArnold Johnson (301) 975-5140(301) 975-3247 patricia.toth@nist.gov arnold.johnson@nist.gov Matt SchollInformation and Feedback (301) 975-2941Web: csrc.nist.gov/sec-cert matthew.scholl@nist.gov Comments: sec-cert@nist.gov

Download ppt "1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14,"

Similar presentations

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.

Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works

Security Controls – What Works
Managing Risks from Information Systems Building Effective Information Security Programs Data Management Association-National Capital Region January.

Managing Risks from Information Systems Building Effective Information Security Programs Data Management Association-National Capital Region January.
Information Security Policies and Standards

Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.

Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Risk Assessment Frameworks

Risk Assessment Frameworks
National Information Assurance Partnership NIAP 2000 Building More Secure Systems for the New Millenium sm.

National Information Assurance Partnership NIAP 2000 Building More Secure Systems for the New Millenium sm.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
NIST SP 800-37, Revision 1 Applying Risk Management to Information Systems (Transforming the Certification and Accreditation Process) A Tutorial February.

NIST SP , Revision 1 Applying Risk Management to Information Systems (Transforming the Certification and Accreditation Process) A Tutorial February.
Dr. Ron Ross Computer Security Division

Dr. Ron Ross Computer Security Division
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 FISMA Next Generation Managing Risk in an Environment of Advanced Persistent Cyber Threats NASA IT Summit.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 FISMA Next Generation Managing Risk in an Environment of Advanced Persistent Cyber Threats NASA IT Summit.
Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.

Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.

Similar presentations

Ads by Google