NYS Forum Joint Initiative: Security, Project Management & Business Continuity Workgroups
Manage Risk by Building Information Security into Your Projects
Addendum to the NYS Project Management Guidebook
May 26, 2010

Deborah Snyder, CISSP, GIAC GSLC, PMP
NYS Office of Temporary & Disability Assistance
(518) 473-3195
Deborah.Snyder@otda.state.ny.us

Mark Spreitzer, CBCP
CGI Group Inc.
(917) 304-1966
mark.spreitzer@cgi.com

Agenda
• Welcome and Announcements (Chuck Weiss)
• Project Management, Information Security & Business Continuity Work Groups
  – Introductions
  – PM life cycle & the Secure SDLC
  – Risk Management: relationship to PM processes
  – 5-Phase Secure SDLC process
  – Framework for applying Security & BC considerations to each phase
  – Benefits
  – Resources
• Q&A

Introduction: Project Management Work Group
• Co-Chairs: Brenda Breslin (NYS Department of Health), Vivian Conboy (Dept. of Tax & Finance), Chris Foster (CGI Technologies and Solutions Inc.), Jon Haverly (Keane Inc.)
• Overview
  – Support government entities and their PMs as they adopt PM standards and practices, establish PMOs, and implement program and portfolio management within their organizations
  – PM Community of Practice provides interactive exchange of ideas, practices, and lessons learned
  – PMO Roundtable to support PM implementation methods

Introduction: Security Work Group
• Co-Chairs: Deb Snyder (NYS OTDA), Bob Spina (CISCO), Joe Lynch (ORACLE) & Ted Phelps (SUNY)
• Overview
  – Work in collaboration with state & local agencies to develop education/training opportunities & tools that address information security issues
  – Support the Information Security Community of Practice
  – Strong working relationships with NYS OFT/CIO & the Office of Cyber Security & Critical Infrastructure Coordination (CSCIC)
  – International MS-ISAC Security Webcasts
  – Educational workshops, seminars & events

Introduction: Business Continuity (BC) Work Group
• Co-Chairs: David DeMatteo (SEMO), Ken Mason (SED), Mark Spreitzer, CBCP (CGI)
• Overview
  – Primary focus is on the "how to" of business continuity planning
  – Intended to help facilitate "best practice" development among state and local resources & representatives of the IT Corporate Roundtable
  – Provide education & training opportunities
  – Collaborate on tools that address BC planning needs
  – Work to emphasize the importance of BC planning in NYS Government, in lieu of an explicit requirement

From an Operational Perspective…
Project Management Life Cycle
• Focus on implementation
• Management roles & responsibilities
• Framework for planning & managing work
• Develop & manage project plan (scope, schedule)
• Distinguish PM effort from SD effort
• Phases: Origination, Initiation, Planning, Execution, Closeout
System Development Life Cycle
• Focus on operations
• Technical roles & responsibilities
• Framework for solving business needs with technology
• Design & construct system components (modules, databases)
• Distinguish SD effort from PM effort
• Phases: Initiation, Acquisition/Development, Implementation/Assessment, Operations & Maintenance (Production), Disposal
(Slide graphic: Phase Relationships between the two life cycles.)

Secure SDLC (High Level)
The SSDLC adds an information security & business continuity focus to each SDLC phase, alongside the PM life cycle:
PM Life Cycle          | SDLC                        | SSDLC
Origination            | –                           | Preparation
Initiation, Planning   | Initiation                  | Risk Level & Security Planning
Execution              | Acquisition/Development     | Security Requirements & Controls
Execution              | Implementation/Assessment   | Security Testing, Documentation, C&A
Closeout               | Operations & Maintenance    | Acceptance & Change Management; Maintenance
Closeout               | Disposal                    | Disposition / Transition

Secure System Development Life Cycle (SSDLC) Principles
• To be effective, information security must be integrated from inception of the project and ensured adequate consideration throughout the SDLC.
• Information security controls applied to a particular information system must be commensurate with its criticality and sensitivity.
• SSDLC: a conceptual framework to ensure this occurs…
  – Structured process and core set of analysis steps and planning considerations to integrate information security into the SDLC
  – Helps identify, evaluate & minimize information security risk
  – Defines information security requirements, the appropriate security level & the measures/controls needed to adequately protect the asset
  – Produces a clear, well-documented information security plan
  – Based on industry standards, well-established practices, and fundamental security principles and concepts

Secure SDLC: SSDLC "Roadmap" example
(Slide graphic: information security considerations, checkpoints & deliverables across the SDLC. Source: NYS OTDA ISO, Secure SDLC Roadmap.)

NIST Special Publications
NIST = National Institute of Standards & Technology
• Chartered to promote & protect the economy & public welfare; collaborates with industry, government & academic organizations; used by FEMA for framework development
• Defines Security to include Business Continuity and Contingency Planning (CP)
• Integrates security activities into the system development life cycle (SDLC)
• Outlines key security roles and responsibilities
• Defines Security/BC components as control objectives (Control Gates: permission to proceed)

NIST Special Publication 800 series guidance: http://csrc.nist.gov/publications/PubsSPs.html
• SP 800-12, The Introduction to Computer Security: NIST Handbook
• SP 800-18, Guide for Developing Security Plans for Information Technology Systems
• SP 800-27, Engineering Principles for Information Technology Security
• SP 800-30, Risk Management Guide for IT Systems
• SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• SP 800-39, Managing Risk from Information Systems: An Organizational Perspective
• SP 800-34, Contingency Planning
• SP 800-53, Recommended Security Controls & Annexes 1, 2, 3
• SP 800-60, Mapping Types of Information & Information Systems to Security Categorization Levels
• SP 800-64, Security Considerations in the System Development Life Cycle
• SP 800-84, Testing, Training and Exercising
• NIST SDLC Brochure, August 2004, Information Security in the SDLC: http://csrc.nist.gov/SDLCinfosec
Federal Information Processing Standards (FIPS): http://csrc.nist.gov/publications/PubsFIPS.html
• FIPS 199, Standards for Security Categorization
• FIPS 140-2, Security Requirements for Cryptographic Modules
FEMA Continuity Guidance Circular 1 (CGC1): www.fema.gov/pdf/about/org/ncp/cont_guidance1.pdf

NIST's Security in the SDLC
(Slide graphic. Source: NIST SDLC Brochure, Aug. 2004, Information Security in the SDLC.)

Risk Management: Relationship to All Other PM Functions
(Slide diagram: Project Risk Management at the center, linked to Integration (life cycle & environment variables), Scope (expectations, feasibility), Time (objectives, restraints), Cost (objectives, restraints), Quality (requirements, standards), Human Resources (availability, productivity), Communications (ideas, directives, data exchange accuracy) and Procurement (services, plant, materials: performance). Source: Project & Program Risk Management, A Guide to Managing Project Risks & Opportunities, p. II-2.)

Integrated Risk Management
• RM can be viewed as a holistic activity that is fully integrated into every aspect of the organization
• RM is driven by organization (mission) risk
Source: NIST SP 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission and Information System View.
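The "Categorize" step of the NIST RMF (and the Security Categorization artifact of the SSDLC's Initiation phase) applies the FIPS 199 high-water mark referenced above. As an added worked example, not part of the original deck, the following Python computes that categorization over a constructed set of information types for a hypothetical benefits system and names the SP 800-53 baseline it selects; the sample impact values are assumptions, not SP 800-60 provisional values.

```python
from typing import Dict

# FIPS 199 impact levels, ordered so max() yields the high-water mark.
# "N/A" is permitted only for the confidentiality of information that is
# public by design; an information system itself never scores below LOW.
LEVELS = ("N/A", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _rank(level: str) -> int:
    return LEVELS.index(level)


def validate_info_type(name: str, impacts: Dict[str, str]) -> None:
    """Reject malformed categorizations before they feed the high-water mark."""
    for obj in OBJECTIVES:
        level = impacts.get(obj)
        if level not in LEVELS:
            raise ValueError(f"{name}: {obj} impact {level!r} is not a FIPS 199 level")
        if level == "N/A" and obj != "confidentiality":
            raise ValueError(f"{name}: N/A is only allowed for confidentiality")


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """FIPS 199 categorization: per objective, take the highest impact across
    every information type the system handles, floor it at LOW, then take the
    overall category as the highest of the three objectives."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    for name, impacts in info_types.items():
        validate_info_type(name, impacts)
    category = {}
    for obj in OBJECTIVES:
        top = max((impacts[obj] for impacts in info_types.values()), key=_rank)
        category[obj] = "LOW" if top == "N/A" else top
    category["overall"] = max((category[o] for o in OBJECTIVES), key=_rank)
    return category


def baseline_for(category: Dict[str, str]) -> str:
    """Name the SP 800-53 control baseline selected by the overall category."""
    return f"SP 800-53 {category['overall'].lower()} baseline"


# Constructed sample for a hypothetical benefits-eligibility system (assumed values).
SAMPLE_INFO_TYPES = {
    "client eligibility records": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "benefit payment instructions": {"confidentiality": "LOW", "integrity": "HIGH", "availability": "MODERATE"},
    "public program brochures": {"confidentiality": "N/A", "integrity": "LOW", "availability": "LOW"},
}

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_INFO_TYPES)
    print(cat, baseline_for(cat))
```

The availability level this produces is the one the Initial RTO/RPO artifact has to be consistent with, which is why categorization precedes the Business Impact Analysis in Phase 1.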
Risk Management Framework
(Slide graphic: NIST Risk Management Framework. Source: http://csrc.nist.gov/groups/SMA/fisma/framework.html & http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/index.html)

Some Key Terms… (see handout)
• After Action Review
• Artifact
• Business Continuity (Contingency Planning)
• Business Impact Analysis (BIA)
• Controls, Safeguards & Countermeasures
• Control Gates
• Information Resources
• Information Security (Confidentiality, Integrity, Availability)
• Information System
• Plan of Action and Milestones (POA&M)
• Recovery Time Objective (RTO)
• Recovery Point Objective (RPO)
• Risk & Residual Risk
• Risk Management

Phase 1: Initiation - Resources, Expectations, LOE & Schedule
(PM: Origination, Initiation, Planning; SDLC: Initiation; SSDLC: Preparation, Risk Level & Security Planning)
Key Processes
• Initial Security Planning
• Categorize System
• Privacy Impact Analysis
• Ensure Secure SDLC
• Preliminary Risk Assessment
• Business Impact Assessment
• Availability requirements analysis
• Vital Records Analysis
• Data and documentation
Artifacts
• Awareness Training
• Security Categorization
• High Level Security Requirements
• Development/Coding Standards
• QA Plans
• Draft Privacy Impact Assessment
• Linkages to Business Drivers
• Core System Components
• Draft Business Impact Analysis
• Initial RTO/RPO

Phase 1: Initiation - Level of Risk: relating security considerations
(Slide graphic.)

Phase 2: Acquisition / Development - Requirements & Control Selection
(PM: Execution; SDLC: Acquisition/Development; SSDLC: Security Requirements & Controls)
Key Processes
• Update Preliminary Risk Assessment
• Select & Document Security Controls
• Design Security Architecture
• Engineer Security In – Develop Controls
• BC & DR Concept of Operations
• Contingency Plan (drafts): notification/activation, incident response; recovery & reconstitution
• COOP, BC, DR
• Vital records analysis
• Test, Train & Exercise (TT&E)
Artifacts
• Updated Risk Assessment
• Security Plan & list of Variations
• List of Shared Services & Risks
• Security Integration Schematic
• Recovery Strategy
• Draft Contingency Plan
• Common Controls
• TT&E Results
• Policy & Control Adjustments
• Scenarios & Additional Documentation
• Test Results (incl. variations)

Phase 2: Acquisition / Development - Control Selection: relating security considerations
(Slide graphic.)

Phase 3: Implementation / Assessment - Documenting Results (Baseline)
(PM: Execution; SDLC: Implementation/Assessment; SSDLC: Security Testing, Documentation, C&A)
Key Processes
• Finalize Detailed Security Plan
• Create detailed C&A Plan
• Control Integration
• System Security Assessment
• Product / Component Inspection
• Finalize BC, COOP & DR
• Control Integration (BC)
• Implement Vital Records program
• Certification/Acceptance
• TT&E
Artifacts
• Verified Operational Security Controls
• C&A Work Plan
• Completed System Documentation
• Security Assessment Report
• Security Authorization Decision
• BC, COOP & DR Plans
• Updated backup processes
• After Action Review
• TT&E Plan
• Statement of residual risk

Phase 3: Implementation / Assessment - Documenting Results: Baseline
(Slide graphic.)

Phase 4: Operations / Maintenance
(PM: Closeout; SDLC: Operations & Maintenance; SSDLC: Acceptance & Change Management, Maintenance)
Key Processes
• Awareness Campaign
• Configuration Management
• Continuous Monitoring
• TT&E
• Change Control
• Incident Management
• Recertification/Acceptance
Artifacts
• Evaluation/Impact of Changes
• Change Control Approvals
• Updated Security Documentation
• Continuous Monitoring Results
• Updated Authorization Package
• Authority to Operate (Decision)
• Security Evaluations / Audits
• POA&M Review
• Exercise Schedule
• After Action Reviews
• Recoverability Statement
• BCP Evaluations / Audits

Phase 4: Operations / Maintenance - Acceptance & Change Management
(Slide graphic.)

Phase 5: Disposal (Sunset)
(PM: Closeout; SDLC: Disposal; SSDLC: Disposition / Transition)
Key Processes
• Disposal / Transition Planning (migration to new system)
• Ensure Information Preservation
• Media Sanitization
• Hardware/Software Disposal
• Control Catalog review
• Close System
• Business Link Analysis
• Interdependencies
• Enterprise BCP Impact Analysis
• Review service agreements
• Continuous Monitoring
Artifacts
• Disposal/Transition Plan
• Hardware/Software Disposition
• Reallocation/Sanitization Records
• System Closure Documentation
• Information Archiving
• Updated SLAs & MOUs
• Updated Security Controls
• Enterprise plan updates
  – Value Chains
  – BC, COOP & DR plans
• Updated BCP Controls

Phase 5: Disposal (Sunset) - Data & Partners
(Slide graphic.)

Mapping Risk Management to the SDLC
(Slide diagram. Elements: Enterprise Risk Management (review risk, assess controls); IT Alignment and Planning; Information Systems Management / IS Architecture (identify, document, implement, monitor); Enterprise Architecture & SDLC Compliance; Capital Planning and Investment / Financial Management; Risk-Based Funding Requests; Information Security across the SDLC phases (Initiation, Acquisition/Development, Implementation/Assessment, Operations & Maintenance, Disposal) and PM phases (Initiation, Planning, Execution, Closeout); Certification & Accreditation; Continuous Monitoring.)

Further Observations
• All processes and artifacts are scalable
  – Preliminary Risk Assessment defines impact & requirements
  – "Right size" for your project
  – Use common sense
• Business Continuity & Information Security interrelate
  – Common purpose, artifacts & goals: Confidentiality, Integrity, Availability

Reflections on SEI | Carnegie Mellon
"The surest way to leave risks undocumented is to make the program risks accessible to all members."
• An undocumented risk can get lost to everyone -- far better to have risks documented privately than not documented at all.
• Engage a Security team early
  – Encourages work team agreements on risks and an end-point against which to identify and analyze
  – Provides a standard way of capturing (documenting) risks
  – Positions facilitators practiced and comfortable with writing risks in front of a group
• Support good risk identification
  – Encourage documentation of risks privately at the working team level
  – Integrate risk identification and management into normal project management
  – Accept any risk identified; don't "vet them out"
  – Acknowledge that the program's decision-makers are the real "risk managers," and have the decision-makers step up to the job

CMMI: Capability Maturity Model
(Slide graphic.)
More information on CMMI: www.sei.cmu.edu/searchresults.cfm & www.sei.cmu.edu/cmmi/tools/dev/index.cfm

Benefits
• Advances the organization along the CMM
• Informed, risk management-based decisions
• Improved organization and customer confidence
• Lower total effort & cost
  – Awareness campaigns
  – Education, ownership/adoption and usage
  – Improved interoperability and integration
  – Early identification of controls
  – Proven methods and techniques
  – Reuse of strategies and tools
  – Shared security services
• Improved Security & Compliance Posture

Questions
Deborah Snyder, CISSP, GSLC, PMP
NYS Office of Temporary & Disability Assistance
(518) 473-3195
Deborah.Snyder@otda.state.ny.us

Mark Spreitzer, CBCP
CGI Group Inc.
(917) 304-1966
Mark.Spreitzer@cgi.com