Published by Christiana Stevens. Modified over 9 years ago.
Categorize, Select, Implement, Assess, Authorize, Monitor
“Certification and accreditation is the methodology used to ensure that security controls are established for an information system, that these controls are functioning appropriately, and that management has authorized the operation of the system in its current security posture.” - Official (ISC)² Guide to the CAP CBK (1st ed.)
“Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” - CNSS Instruction No. 4009
“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.” - NIST SP 800-37 rev 1
Why are Agencies riddled with security holes?
http://gcn.com/articles/2011/07/06/cyber-attacks-take-2-energy-labs-offline.aspx
Need consistent management support.
Without management support, people will not fulfill their obligations to the project.
Without management support, you will not have access to needed resources and funding.
The Chief Information Security Officer (CISO) can keep the program visible by giving regular updates to C-level management.
Reference: http://www.tess-llc.com/Certification%20&%20Accreditation%20PolicyV4.pdf
Life cycle for the development of the documentation for the RMF process (diagram labels only): Awareness, Monitoring, Enforcement, Maintenance, Retirement, Communication, Compliance, Exceptions, Creation, Review, Approval; phases: Development, Implementation, Maintenance, Disposal.
“The Chief Information Officer, with the support of the senior agency information security officer, works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities.” - NIST SP 800-37
“A senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.” - NIST SP 800-37
“Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.” - NIST SP 800-37
“Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.” - CNSS Instruction No. 4009
“The information system security officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.” - NIST SP 800-37
The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. - NIST SP 800-37
“At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and authorizing official. The Chief Information Officer and authorizing official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles.” - NIST SP 800-37
Diagram labels only: Mission, Business Unit, IT, Security, Audit
Role chart (diagram labels only): Head of Agency (CEO); Risk Executive Function; AO; Program Level and System Level; columns Audit, Security, IT, Business Unit, Mission; Middle-Tier Independence; SOD; role acronyms IG, IA, SCA, SISO, ISSM, ISSO, CIO, SO, SA, BU, MIO, EU.
Role mapping, DoDI 8510.01 & 8500.2 -> SP 800-37 Rev 1:
Head of DoD Components -> Head of Agency (CEO)
Principal Accrediting Authority (PAA) -> Risk Executive Function and/or Approving Authority (AA)
Senior Information Assurance Officer (SIAO) -> Senior Information Security Officer (SISO)
Designated Accrediting Authority (DAA) -> Approving Authority (AA)
Systems Manager -> Common Control Provider and/or System Owner
Program Manager -> Common Control Provider and/or System Owner
Information Assurance Manager (IAM) -> ISSO and/or SISO
Information Assurance Officer (IAO) -> Information Systems Security Officer (ISSO)
Certification Agent -> Security Control Assessor
Certification map (diagram labels only): domains Management / Risk, Audit, Software Dev, Network / Communications; certifications CISSP, CISM, CISSP-ISSMP, CAP, CISA, GSNA, SSCP, CASP, Security+, CISSP-ISSEP / ISSAP, CSSLP.
Level -> Qualifying Certifications
CND Analyst -> GCIA, CEH
CND Infrastructure Support -> SSCP, CEH
CND Incident Responder -> GCIH, GSIH, CEH
CND Auditor -> CISA, CEH, GSNA
CND-SP Manager -> CISM, CISSP-ISSEP
“The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.”
You got to be careful if you don’t know where you’re going, because you might not get there. -- Yogi Berra
Use some method of prioritizing the risk posed by each category of threat and its related methods of attack.
To manage risk, you must identify and assess the value of your information assets.
Risk assessment assigns a comparative risk rating or score to each specific information asset.
Risk management identifies vulnerabilities in an organization’s information systems and takes carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in the organization’s information system.
“The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.” – Wiktionary
Components: risk assessments; risk treatment.
Chart (axis labels only): Connectivity, Complexity
The Generalized Model: Common Information Security Requirements plus Unique Information Security Requirements (the “Delta”).
Foundational Set of Information Security Standards and Guidance: standardized risk management process; standardized security categorization (criticality/sensitivity); standardized security controls (safeguards/countermeasures); standardized security assessment procedures; standardized security authorization process.
Applies across the Intelligence Community, Department of Defense, and Federal Civil Agencies, for national security and non-national security information systems.
Adversaries attack the weakest link…where is yours?
Links in the Security Chain: Management, Operational, and Technical Controls
Risk assessment
Security planning, policies, procedures
Configuration management and control
Contingency planning
Incident response planning
Security awareness and training
Security in acquisitions
Physical security
Personnel security
Security assessments
Certification and accreditation
Access control mechanisms
Identification & authentication mechanisms (biometrics, tokens, passwords)
Audit mechanisms
Encryption mechanisms
Boundary and network protection devices (firewalls, guards, routers, gateways)
Intrusion protection/detection systems
Security configuration settings
Anti-viral, anti-spyware, anti-spam software
Smart cards
Security Life Cycle (SP 800-39)
Starting point: CATEGORIZE Information System (FIPS 199 / SP 800-60). Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
SELECT Security Controls (FIPS 200 / SP 800-53). Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
IMPLEMENT Security Controls (SP 800-70). Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
ASSESS Security Controls (SP 800-53A). Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
AUTHORIZE Information System (SP 800-37). Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
MONITOR Security State (SP 800-37 / SP 800-53A). Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
“Building information security into the infrastructure of the organization… so that critical enterprise missions and business cases will be protected.”
FIPS 199 potential impact levels (LOW / MODERATE / HIGH):
Confidentiality: the loss of confidentiality could be expected to have a limited (LOW), serious (MODERATE), or severe or catastrophic (HIGH) adverse effect on organizational operations, organizational assets, or individuals.
Integrity: the loss of integrity could be expected to have a limited (LOW), serious (MODERATE), or severe or catastrophic (HIGH) adverse effect on organizational operations, organizational assets, or individuals.
Availability: the loss of availability could be expected to have a limited (LOW), serious (MODERATE), or severe or catastrophic (HIGH) adverse effect on organizational operations, organizational assets, or individuals.
Example: An Enterprise Information System. Mapping Information Types to FIPS 199 Security Categories (SP 800-60).
Master Security Control Catalog: complete set of security controls and control enhancements.
Baseline #1 (Minimum Security Controls, Low Impact Information Systems): selection of a subset of security controls from the master catalog, consisting of basic level controls.
Baseline #2 (Minimum Security Controls, Moderate Impact Information Systems): builds on the low baseline; selection of a subset of controls from the master catalog: basic level controls, additional controls, and control enhancements.
Baseline #3 (Minimum Security Controls, High Impact Information Systems): builds on the moderate baseline; selection of a subset of controls from the master catalog: basic level controls, additional controls, and control enhancements.
Tailored Security Controls: the Low, Moderate, and High Baselines (minimum security controls for low-, moderate-, and high-impact information systems) are each tailored to an enterprise and its operational environment (Enterprise #1 / Operational Environment #1, Enterprise #2 / Operational Environment #2, Enterprise #3 / Operational Environment #3).
Cost effective, risk-based approach to achieving adequate information security…
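As an added worked example (not code from the slide deck or from any NIST publication), the Python below applies the categorization rule behind the FIPS 199 table and the baseline choice of the two slides above: each information type carries a LOW/MODERATE/HIGH impact per security objective, the system's security category is the per-objective high-water mark across the information types it handles (FIPS 199), and the highest of the three objectives selects the Low, Moderate or High baseline (the FIPS 200 high-water-mark rule). The information types, impact values and function names are constructed for illustration; the handling of "not applicable" confidentiality for public information and the floor of LOW for a system's objectives follow FIPS 199.

```python
"""FIPS 199 security categorization and control baseline selection.

Added example, not code from the slide deck. Each information type gets
a LOW/MODERATE/HIGH impact per security objective; the system category is
the high-water mark per objective across its information types; the
overall impact level (highest of the three) picks the control baseline.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

LEVELS = ("LOW", "MODERATE", "HIGH")            # ordered, lowest first
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Baseline names follow the deck's slides; mapping the overall impact
# level to a baseline is the FIPS 200 high-water-mark rule.
BASELINES = {
    "LOW": "Baseline #1: minimum security controls for low impact systems",
    "MODERATE": "Baseline #2: builds on the low baseline (moderate impact)",
    "HIGH": "Baseline #3: builds on the moderate baseline (high impact)",
}


@dataclass(frozen=True)
class InformationType:
    """One information type (SP 800-60 style) with its FIPS 199 impacts.

    confidentiality may be None, modelling FIPS 199's "not applicable",
    which is permitted only for confidentiality (public information).
    """
    name: str
    confidentiality: Optional[str]
    integrity: str
    availability: str


def _rank(level: Optional[str]) -> int:
    """Numeric order of an impact level; None (not applicable) ranks below LOW."""
    return -1 if level is None else LEVELS.index(level)


def validate(info: InformationType) -> None:
    """Reject impact values that FIPS 199 does not allow."""
    if info.confidentiality is not None and info.confidentiality not in LEVELS:
        raise ValueError(f"{info.name}: bad confidentiality {info.confidentiality!r}")
    for objective in ("integrity", "availability"):
        if getattr(info, objective) not in LEVELS:
            raise ValueError(f"{info.name}: {objective} must be one of {LEVELS}")


def categorize_system(info_types: Iterable[InformationType]) -> Dict[str, str]:
    """Security category of an information system (FIPS 199 high-water mark).

    Per objective, take the highest impact among the information types the
    system handles. A system's objectives are never "not applicable": a
    system holding only public information still gets LOW confidentiality.
    """
    types: List[InformationType] = list(info_types)
    if not types:
        raise ValueError("a system must handle at least one information type")
    for info in types:
        validate(info)
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max(_rank(getattr(info, objective)) for info in types)
        category[objective] = LEVELS[max(highest, 0)]   # floor at LOW
    return category


def system_impact_level(category: Dict[str, str]) -> str:
    """Overall impact level: the highest of the three objectives (FIPS 200)."""
    return LEVELS[max(LEVELS.index(level) for level in category.values())]


def select_baseline(category: Dict[str, str]) -> str:
    """Pick the control baseline that the overall impact level calls for."""
    return BASELINES[system_impact_level(category)]


def format_sc(system_name: str, category: Dict[str, str]) -> str:
    """Render the category in FIPS 199's SC notation."""
    pairs = ", ".join(f"({objective}, {category[objective]})" for objective in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed sample (not from the deck): an enterprise system hosting
# public web content, personnel records, and a financial ledger.
SAMPLE_SYSTEM = [
    InformationType("public web content", None, "MODERATE", "LOW"),
    InformationType("personnel records", "MODERATE", "MODERATE", "LOW"),
    InformationType("financial ledger", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_SYSTEM)
    print(format_sc("enterprise system", sc))
    print("overall impact:", system_impact_level(sc))
    print(select_baseline(sc))
```

For the constructed sample the system categorizes as confidentiality MODERATE, integrity HIGH, availability MODERATE, so the overall impact is HIGH and Baseline #3 applies; a single HIGH-integrity information type is enough to pull the whole system into the high baseline, which is exactly why the categorization step precedes control selection in the RMF sequence.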
Authorization Boundary: an Organizational Information System composed of subsystem components (Local Area Network Alpha, System Guard, Local Area Network Bravo).
The system security plan reflects the information system decomposition, with adequate security controls assigned to each subsystem component.
Security assessment procedures are tailored for the security controls in each subsystem component and for the combined system-level controls.
Security assessment is performed on each subsystem component and on system-level controls not covered by subsystem assessments.
Security authorization is performed on the information system as a whole.
Applying the Risk Management Framework to Information Systems. The RMF steps applied to the information system: CATEGORIZE Information System, SELECT Security Controls, IMPLEMENT Security Controls, ASSESS Security Controls, AUTHORIZE Information System, MONITOR Security State.
Authorization Package (artifacts and evidence): Security Plan including updated Risk Assessment; Security Assessment Report; Plan of Action and Milestones.
Near real time security status information: output from automated support tools.
Extending the Risk Management Framework to Organizations. Risk Executive Function: enterprise-wide oversight, monitoring, and risk management policy guidance. Security requirements feed the RMF (Risk Management Framework); Common Security Controls (infrastructure-based, system-inherited) are shared by the organization's information systems. Each information system produces its own authorization package (SP, SAR, POAM) and Authorization Decision.
Managing Risk at the Organizational Level. Risk Executive Function: coordinated policy, risk, and security-related activities supporting organizational missions and business processes, with information system-specific considerations (Mission / Business Processes; Information System).
Establish organizational information security priorities.
Allocate information security resources across the organization.
Provide oversight of information system security categorizations.
Identify and assign responsibility for common security controls.
Provide guidance on security control selection (tailoring and supplementation).
Define common security control inheritance relationships for information systems.
Establish and apply mandatory security configuration settings.
Identify and correct systemic weaknesses and deficiencies in information systems.
Organization One and Organization Two each operate an information system with its System Security Plan, Security Assessment Report, and Plan of Action and Milestones, and exchange business/mission information flow and security information. Each determines risk to the organization’s operations and assets, individuals, other organizations, and the Nation, and the acceptability of such risk.
The objective is to achieve visibility into and understanding of a prospective partner’s information security programs…establishing a trust relationship based on the trustworthiness of their information systems.
Information security requirements must be considered first order requirements and are critical to mission and business success. An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.
Provides a common language for discussing information security in the context of organizational missions, business processes, and performance goals. Defines a collection of interrelated reference models that are focused on lines of business including Performance, Business, Service Component, Data, and Technical. Uses a security and privacy profile to describe how to integrate the Risk Management Framework into the reference models.
The Risk Management Framework should be integrated into all phases of the SDLC:
Initiation (RMF Steps 1 and 2)
Development and Acquisition (RMF Step 2)
Implementation (RMF Steps 3 through 5)
Operations and Maintenance (RMF Step 6)
Disposition (RMF Step 6)
Reuse system development artifacts and evidence (e.g., design specifications, system documentation, testing and evaluation results) for risk management activities.
Trustworthiness: producing evidence that supports the grounds for confidence in the design, development, implementation, and operation of information systems. Diagram labels: Information System (built from IT Products) with Functionality and Assurance; Trust Relationship between information systems; Operational Environment.