METRICS AND CONTROLS FOR DEFENSE IN DEPTH
AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE
Purpose
• Provide an overview of the DLA Information Assurance initiative entitled Metrics and Controls for Defense in Depth (McDiD)
• Illustrate how McDiD applies the Federal Information Technology Security Assessment Framework within the DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
McDiD Impetus
• Department of Defense Mandate
  • DoD Instruction 5200.28, Security Requirements for Automated Information Security Systems (AIS), 21 March 1988, mandates the accreditation of all AIS, including stand-alone personal computers, connected systems and networks.
  • DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), 1 November 1999, established a four-phase process, required activities and general certification and accreditation criteria.
  • DoD Chief Information Officer Guidance and Policy Memorandum No. 6-8510, DoD Global Information Grid (GIG) Information Assurance (IA), June 16, 2000, directed that DoD develop an enterprise-wide IA architectural overlay to implement a strategy of layered defense (defense-in-depth).
  • Chairman of the Joint Chiefs of Staff Instruction 6510.04, Information Assurance Metrics, 15 March 2000, establishes reporting requirements for the Chairman's Joint Monthly Readiness Reports.
• Need for Improved Security
  • Internetworking is increasing the business/mission impact of disruption.
  • Vulnerability is increasing due to the ease of access to cyber weapons and capabilities.
  • The Agency security assessment program has revealed systemic security issues.
McDiD Objectives
• Leverage an existing mandatory program, DITSCAP, as the "container" and delivery mechanism for all information assurance requirements and initiatives
• Shift certification and accreditation focus and resources from documentation & reporting to active security management
• Improve quality and consistency of certification and accreditation efforts
• Create an integrated enterprise management view to:
  • Support information assurance oversight
  • Ensure protection across accreditation boundaries
  • Distinguish enterprise versus local roles and responsibilities
• Make policy and technical information easily accessible to DLA security professionals
• Facilitate and enable information/best practices exchange and collaboration within the DLA security community
• Structure information so as to:
  • Satisfy multiple information assurance reporting requirements
  • Maximize information reuse among related programs and disciplines, e.g., Architecture, Program and Budget, Asset Management, Configuration Management, Continuity Planning
  • Provide for continuous Information Assurance process improvement
Federal Information Technology Security Assessment Framework
Levels:
  Level 1 - Documented Policy
  Level 2 - Documented Procedures & Controls
  Level 3 - Implemented Procedures & Controls
  Level 4 - Tested and Reviewed Procedures & Controls
  Level 5 - Fully Integrated Procedures and Controls
DoD Information Technology Security Certification and Accreditation Process
Phase 0 [Implicit]
• Department and Agency policies are established
• C&A process is established
Phase 1: Definition
• SSAA is drafted
• Security requirements are identified
• SSAA is negotiated and approved
Phase 2: Verification
• Security Procedures and Controls are implemented
Phase 3: Validation
• Compliance with controls is independently tested
• Authority to Operate is granted
Phase 4: Post Accreditation
• SSAA is updated to reflect changes in IT baseline
• Security assessment is updated quarterly
• Compliance with controls is periodically independently tested
Certification & Accreditation Roles & Responsibilities

Phase 0, 1 - Action: Identify Security Requirements and Develop Corresponding Controls
  Enterprise Program Manager:
  • Assess Enterprise Threat
  • Assess IT Trends
  • Assess Existing Department and Agency Governances
  • Formulate/Update Agency Policy
  • Develop enterprise level controls
  Network or System Manager:
  • Assess local and network or system level security governances, IT configuration, and system/network specific threats
  • Supplement enterprise controls as required

Phase 2 - Action: Implement Controls
  Enterprise Program Manager:
  • Provide resources and technical guidance as required
  • Develop test procedures to validate implementation
  Network or System Manager:
  • Implement security controls

Phase 3 - Action: Validate Effectiveness of Controls
  Enterprise Program Manager:
  • Conduct enterprise or agency wide validation, e.g., vulnerability assessments, penetration testing
  Network or System Manager:
  • Conduct network or system level testing, e.g., review of plans and procedures

Phase 4 - Action: Continuously Improve Security Posture, Policy and Controls
  Enterprise Program Manager:
  • Assess enterprise security profile revealed by Phase 3
  • Assess process feedback collected during Phases 2-3
  • Repeat Phase 1 quarterly and as needed
  • Repeat Phase 3 annually
  Network or System Manager:
  • Repeat Phase 1 quarterly
  • Repeat Phase 3 annually
  • Provide feedback to HQ
Security Controls - Translate General Requirements into Actionable and Testable Objective Security Conditions

Example control record:
Control Number: 2.1
Control Name: CONFIGURATION CONTROL BOARD
Control Description: All information systems are under the control of a chartered Configuration Control Board (CCB) that meets regularly and reports to the appropriate Commander. The CCB membership includes an Information Assurance representative. A record of CCB activities is maintained.
Metrics:
  C4: No CCB capability exists.
  C3: A CCB is being planned.
  C2: A CCB exists, but does not have a charter signed by the Commander. (Does not include IA membership.)
  C1: A chartered CCB (including IA representation) meets regularly and reports to the Commander. A record of CCB activities is maintained.
Rating: [C1-C4] - Explain or Justify Your Rating for this Control
Controls are Derived from Many Sources
The Master list of IA Controls (Number, Name, Desc) is drawn from:
DLA Wide sources:
• National & DoD Policy
• DLA Policy
• Commercial Best Practices
• DLA Program Review Findings
• Vulnerability Assessments
• IG/GAO/Other Audit Findings
• Agency System / Network Connection Agreements
System Specific sources:
• Local Security Policy
• Local Configuration Mgmt Practices
• Information Category (Sensitivity and Classification)
• Local System / Network Connection Agreements
• DAA Specified Requirements
A COTS Requirements Management System Maintains Controls Traceability
• Provides "provenance" or traceability to the authority for, or origin of, each control
• Ensures all policy mandates are addressed
• Supports Agency level policy assessment and formulation
• Enables continuous improvement of controls
A COTS Free Form Database Provides a Repository for IA Reference Material
• Enables research and analysis with LexisNexis-like functionality
• Makes IA reference material widely available via web
Standard Tools and Methods Improve the Quality and Consistency of Certification and Accreditation Process
1. Centralized authorship and promulgation of the enterprise portions
2. Narrative translated into "fill in the blank"
3. Centralized development and promulgation of standard templates for Authors, Testers, & Reviewers
4. Centralized administration of a web-based COTS Configuration Management system for SSAA document management and workflow

Example "fill in the blank" template, shown alongside the Threat Assessment, Security Requirements (Controls), Security CONOPS, Test & Evaluation Procedures and Risk Assessment sections:
DATA TYPE AND FLOW (Date Last Updated: 2/19/01)
Columns:
• Functional Data Type [e.g., e-mail, network management traffic, IDS data, financial, contract, requirements, requisitions, etc.]
• Data Category [Unclassified, Privacy Act, Financially Sensitive, Admin/Other, Sensitive, Confidential, Secret, Top Secret, Compartmented / Special Access]
• User Clearance Level [Uncleared, Non-Sensitive, Non-Critical Sensitive, Critical Sensitive, Confidential, Secret, Top Secret, Compartmented/SA]
• Data Source (Originating System, Subsystem or Module)
• Receiving System or Module
• Transmission Mode [Intranet, Internet, Web, FTP, Telnet, Stand Alone, Manual Procedure, VAN, Other]
• Protection Mechanism [VPN, SSL, SecureShell, Other]
• C&A Status of Interfacing System
Better, Cheaper, Faster
Controls Provide an "Index" for the IA Knowledge-Base
McDiD is Administered Through a Comprehensive IA Knowledge-Base (CIAK)
• Master list of IA Controls (Number, Name, Desc)
• Each Control is Supported by Metrics
• Navigation Aid to "Trace Back" to Policy & Requirements
• Navigation Aid for "Drill Down" to Supporting Engineering Guides and Contract Clauses
• CIAK Feeds Defense Operational Readiness Reporting System
• McDiD Implementation Schedules Drive C&A and Budget

Figure: sample policy document reached by "trace back" from a control - Department of Defense DIRECTIVE, NUMBER xxxx.xx, April 1, 2000, ASD(C3I), Subject: Computer Network Defense (CND). References: (a) DoD 5025.1-M, (b) DoD Directive S-3600-1, (c) DoD Directive 5160. 1. PURPOSE: 1.1. Establishes computer network defense (CND) policy, definition, and responsibilities within the Department of Defense. 1.2. Authorizes the publication of DoD xxxx.xx R/M/I, consistent with DoD 5025.1-M (reference (a)). 2. APPLICABILITY: This Directive applies to the Office of the Secretary of Defense (OSD); the Military Departments; the Chairman of the Joint Chiefs of Staff; the Combatant Commands; the Inspector General of the Department of Defense (IG, DoD); the Defense Agencies and DoD field activities (hereafter referred to collectively as "the DoD Components").

Figure: sample engineering guide reached by "drill down" from a control - diagram labels: Attacks, Countermeasure, Threat, Value Level of Information, Security Service Class, Technical Countermeasures, Nontechnical Countermeasures, Robustness, Service, Technology, Technology Gaps, Mechanisms, Element.
Conclusion
The McDiD Information Assurance initiative, while still early in its implementation, has:
– Reduced SSAA preparation costs & time by an order of magnitude
– Improved quality
  • Standard controls & metrics
  • Standard scope & level of effort
  • Infused learning & common understanding
– Identified additional opportunities for collaboration and process improvement