Title of Presentation - Security Innovation Network

Panel:
Moderator: Michele Iversen
Guest Experts: Dr. Ron Ross, Rod Beckstrom, Bob Wandell
• Adhering to laws, regulations, standards, best practices, and contractual requirements (collectively referred to as “mandates”)
• Includes the PROCESS of becoming and remaining compliant
• Ongoing state of continuous improvement that requires discipline across the enterprise, over the business and product lifecycle
• It contributes to achieving Risk Management objectives:
  • Mechanism for controlling and managing risk
  • Protects nonpublic, sensitive information
  • Establishes standards for information security
  • Deters cybercriminals, including insiders
  • Holds corporate boards and senior executives accountable
Risk management has industry standards that cross industries and geographies; they can be quite complex!
Federal Government
• Federal Information Security Management Act (FISMA)
• Federal Risk and Authorization Management Program (FedRAMP)
• FIPS Standards
• Common Criteria
• Security Technical Implementation Guides (STIGs)
• U.S. Rehabilitation Act & Section 508
• Communications Assistance for Law Enforcement Act (CALEA)
Privacy
• New York State Privacy Law
• California Privacy and Identity Management Law
• And other States!
• Europe and other countries
Banking & Finance
• Sarbanes-Oxley Act (SOX)
• National Automated Clearing House Association (NACHA) Electronic Payments Association Electronic Data Interchange (EDI)
• Payment Card Industry Data Security Standard (PCI DSS)
Health Care
• Health Insurance Portability and Accountability Act (HIPAA)
• HITECH
• Meaningful Use
• Health Level Seven International (HL7) Standards Development Organization
Federal Information Security Management Act (FISMA)
• Federal law enacted in 2002 as Title III of the E-Government Act, which recognizes the importance of information security to the economic and national security interests of the U.S.
• Provides a framework for ensuring the effectiveness of information security controls over information resources supporting federal operations.
• Requires that agencies identify and provide information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.
• States that the head of each agency is responsible for providing information security protections.
Multi-tiered Risk Management Approach (National Institute of Standards and Technology)
• TIER 1: Organization (Governance) (strategic risk focus)
• TIER 2: Mission / Business Process (Information and Information Flows)
• TIER 3: Information System (Environment of Operation) (tactical risk focus)
Characteristics of the approach:
• Implemented by the Risk Executive Function
• Enterprise Architecture and SDLC Focus
• Information Security Architecture
• Flexible and Agile Implementation
• Threat Aware
Security Life Cycle (SP 800-39), National Institute of Standards and Technology
Starting Point:
• CATEGORIZE Information System (FIPS 199 / SP 800-60): Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls (FIPS 200 / SP 800-53): Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls (SP 800-70 / SP 800-160): Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
• AUTHORIZE Information System (SP 800-37): Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security State (SP 800-137): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
[Figure: Defense-in-Breadth, Risk Management Framework (RMF), National Institute of Standards and Technology. The Risk Executive Function provides organization-wide risk governance and oversight with a strategic risk management focus: the top level risk management strategy informs operational elements, core missions / business processes, security requirements, policy guidance, common controls (security controls inherited by organizational information systems) and an enterprise-wide plan of action and milestones. Each information system carries the tactical risk management focus: system-specific controls and hybrid controls, documented in a security plan, security assessment report and plan of action and milestones, feeding ongoing authorization decisions.]
The length of the FISMA compliance process is highly variable, depending on several factors such as:
• The Security Category (FIPS 199 Low, Moderate, High)
• The availability of resources with skills and spare time to manage the process
• The current level of security controls
• The total number of users in a project
• The complexity of the computing environment.
The Federal Risk and Authorization Management Program (FedRAMP) provides
a standardized approach to security assessment, authorization, and
continuous monitoring for cloud products and services.
FedRAMP is mandatory for federal agency cloud deployments and service
models at low- and moderate-risk impact levels.
To initiate the process, a cloud service provider (CSP) or federal agency submits a completed FedRAMP request form and Federal Information Processing Standards (FIPS) 199 worksheet to FedRAMP.
The FedRAMP Joint Authorization Board reviews the risk posture of cloud systems and provides “provisional authorizations” based on the submitted security package.
FEDRAMP Documentation Requirements (Authorization Package) 1 of 2
Deliverable: Description
• System Security Plan: This document describes how the controls are implemented within the cloud information system and its environment of operation. The SSP is also used to describe the system boundaries.
• Information Security Policies: This document describes the CSP’s Information Security Policy that governs the system described in the SSP.
• User Guide: This document describes how leveraging agencies use the system.
• Rules of Behavior: This document is used to define the rules that describe the system user's responsibilities and expected behavior with regard to information and information system usage and access.
• IT Contingency Plan: This document is used to define and test interim measures to recover information system services after a disruption. The ability to prove that system data can be routinely backed up and restored within agency specified parameters is necessary to limit the effects of any disaster and the subsequent recovery efforts.
• Configuration Management Plan: This plan describes how changes to the system are managed and tracked. The Configuration Management Plan should be consistent with NIST SP 800-128.
FEDRAMP Documentation Requirements (Authorization Package) 2 of 2
Deliverable: Description
• Incident Response Plan: This plan documents how incidents are detected, reported, and escalated and should include timeframes, points of contact, and how incidents are handled and remediated. The Incident Response Plan should be consistent with NIST Special Publication 800-61.
• E-Authentication Workbook: This template will be used to indicate if E-Authentication will be used in the cloud system and defines the required authentication level (1-4) in terms of the consequences of the authentication errors and misuse of credentials. Authentication technology is selected based on the required assurance level.
• Privacy Threshold Analysis: This questionnaire is used to help determine if a Privacy Impact Assessment is required.
• Privacy Impact Assessment: This document assesses what Personally Identifiable Information (PII) is captured and if it is being properly safeguarded. This deliverable is not always necessary.
• Understand the mandates: both how your product meets the applicable compliance framework requirements and/or how your product helps your customer meet them.
• Identify and document your baseline state of compliance; develop a requirements traceability matrix as appropriate.
• Validate compliance through third party audits; have documentation that you’re willing to share.
• Identify gaps and plan for remediation.