
Management Class

Security Control Families

ID   Class         Family                                    # of controls
CA   Management    Security Assessment and Authorization     6
PL   Management    Planning                                  5
PM   Management    Program Management                        11
RA   Management    Risk Assessment                           4
SA   Management    System and Services Acquisition           14   (Management total: 40)
AT   Operational   Awareness and Training                    5
CM   Operational   Configuration Management                  9
CP   Operational   Contingency Planning                      10
IR   Operational   Incident Response                         8
MA   Operational   Maintenance                               6
MP   Operational   Media Protection                          6
PE   Operational   Physical and Environmental Protection     19
PS   Operational   Personnel Security                        8
SI   Operational   System and Information Integrity          13   (Operational total: 84)
AC   Technical     Access Control                            19
AU   Technical     Audit and Accountability                  14
IA   Technical     Identification and Authentication         8
SC   Technical     System and Communications Protection      34   (Technical total: 75)

Security Controls Overview

• XX-1 Policy and Procedures

NIST Doc Review Strategy:

• Graphic Summaries
• Table Summaries
• Bulleted Summaries
• Executive Summaries, Overviews, Introductions

XX-1 Policy & Procedures

• AC-1 Access Control
• AT-1 Security Awareness and Training
• AU-1 Audit and Accountability
• CA-1 Security Assessment and Authorization
• CM-1 Configuration Management
• CP-1 Contingency Planning
• IA-1 Identification and Authentication
• IR-1 Incident Response
• MA-1 System Maintenance
• MP-1 Media Protection
• PE-1 Physical and Environmental Protection
• PL-1 Security Planning
• PM-1 Information Security Program Plan
• PS-1 Personnel Security
• RA-1 Risk Assessment
• SA-1 System and Services Acquisition
• SC-1 System and Communications Protection
• SI-1 System and Information Integrity

• SP 800-12 – The Handbook
• SP 800-100 – Manager’s Handbook

Security Assessment & Authorization

• CA-2 Security Assessments
• CA-3 Information System Connections
• CA-5 Plan of Action and Milestones
• CA-6 Security Authorization
• CA-7 Continuous Monitoring

• Core RMF Documents
• 800-47 (SLA)
• 800-137 (CM)

Planning Family & Family Plans

• PL-2 System Security Plan
• PL-4 Rules of Behavior
• PL-5 Privacy Impact Assessment
• PL-6 Security-Related Activity Planning

• CA-5 Plan of Action and Milestones (800-37)
• CP-2 Contingency Plan (800-34)
• CM-9 Configuration Management Plan (800-128)
• IR-8 Incident Response Plan (800-61)
• PM-1 Information Security Program Plan
• PM-8 Critical Infrastructure Plan
• RMF 4.1 Security Assessment Plan (800-53A)

• 800-18 (RMF)
• 800-100 (PM)
• OMB M-03-22 (Privacy)

Program Management

• PM-2 Senior Information Security Officer
• PM-3 Information Security Resources
• PM-4 Plan of Action and Milestones Process
• PM-5 Information System Inventory
• PM-6 Information Security Measures of Performance
• PM-7 Enterprise Architecture
• PM-8 Critical Infrastructure Plan
• PM-9 Risk Management Strategy
• PM-10 Security Authorization Process
• PM-11 Mission/Business Process Definition

• 800-30
• 800-37 (RMF)
• 800-39 (RMF)
• 800-100
• 800-55 – Performance
• 800-60
• 800-65 – CPIC
• FIPS 199
• HSPD 7 – Critical Infrastructure
• OMB 02-01 – SSP

Program Management Overview

• Information Security Program Plan (PM)
• Critical Infrastructure Plan (HSPD 7)
• Capital Planning and Investment Control (SP 800-65)
• Measures of Performance (SP 800-55)
• Enterprise Architecture and Mission/Business Process Definition

Information Security Program Plan

• Defines Security Program Requirements
• Documents Management and Common Controls
• Defines Roles, Responsibilities, Management Commitment and Coordination
• Approved by Senior Official (AO)
• Appoint Senior Information Security Officer

Critical Infrastructure Plan

• HSPD-7 Critical Infrastructure Identification, Prioritization, and Protection
• Essential Services That Underpin American Society
• Protection from Terrorist Attacks
  – Prevent Catastrophic Health Effects or Mass Casualties
  – Maintain Essential Federal Missions
  – Maintain Order
  – Ensure Orderly Functioning of Economy
  – Maintain Public's Morale and Confidence in Economic and Political Institutions
• Strategic Improvements in Security

Capital Planning & Investment Control

• Investment Life Cycle
• Integrating Information Security into the CPIC Process
• Roles and Responsibilities
  – Identify Baseline
  – Identify Prioritization Criteria
  – Conduct System- and Enterprise-Level Prioritization
  – Develop Supporting Materials
  – IRB and Portfolio Management
  – Exhibits 53 and 300 and Program Management

Investment Life Cycle

Integrating Information Security into the CPIC Process

Knowledge Check

• If the interconnecting systems have the same authorizing official, an Interconnection Security Agreement is not required. True or False?
• Which NIST SP provides a seven-step process for integrating information security into the capital planning process?
• This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.
• The corrective action and cost information contained in which document serve as inputs to the Exhibit 300s and are then rolled into the Exhibit 53?

Measures of Performance

• Metric Types
• Metrics Development and Implementation Approach
• Metrics Development Process
• Metrics Program Implementation
  – Prepare for Data Collection
  – Collect Data and Analyze Results
  – Identify Corrective Actions
  – Develop Business Case and Obtain Resources
  – Apply Corrective Actions

Metric Types

• “Am I implementing the tasks for which I am responsible?”
• “How efficiently or effectively am I accomplishing those tasks?”
• “What impact are those tasks having on the mission?”

Metrics Development Process

Metrics Program Implementation

Federal Enterprise Architecture

• Business
• Performance
• Service
• Technical
• Data
• Information Type (SP 800-60)

Core Principles of the FEA

• Business-driven
• Proactive and collaborative across the Federal government
• Architecture improves the effectiveness and efficiency of government information resources

Defining Mission/Business Processes

• Defines mission/business processes with consideration for information security and the resulting risk to the organization;
• Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

Risk Assessment

• RA-2 Security Categorization
• RA-3 Risk Assessment
• RA-5 Vulnerability Scanning

• 800-30r1 (draft)
• 800-37
• 800-40 – Patch Management
• 800-70 – Checklists
• 800-115 – Assessments

Patch and Vulnerability Management Program

• Create a System Inventory
• Monitor for Vulnerabilities, Remediations, and Threats
• Prioritize Vulnerability Remediation
• Create an Organization-Specific Remediation Database
• Conduct Generic Testing of Remediations
• Deploy Vulnerability Remediations
• Distribute Vulnerability and Remediation Information to Local Administrators
• Perform Automated Deployment of Patches
• Configure Automatic Update of Applications Whenever Possible and Appropriate
• Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning
• Vulnerability Remediation Training

National Checklists Program

Knowledge Check

• In which NIST special publication might you find guidance for the performance measurement of information systems?
• Which FEA reference model was used to create the guide for mapping information types to security categories, in support of the first step of the Risk Management Framework?
• What is the name of the security control, represented by control ID RA-3, that must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework?
• Where can information about vulnerabilities be found?

System & Services Acquisition

• SA-2 Allocation of Resources
• SA-3 Life Cycle Support
• SA-4 Acquisitions
• SA-5 Information System Documentation
• SA-6 Software Usage Restrictions
• SA-7 User-Installed Software
• SA-8 Security Engineering Principles
• SA-9 External Information System Services
• SA-10 Developer Configuration Management
• SA-11 Developer Security Testing
• SA-12 Supply Chain Protection
• SA-13 Trustworthiness

• 800-23 – Acquisition Assurance
• 800-35 – Security Services
• 800-36 – Security Products
• 800-53a
• 800-64 – SDLC
• 800-65 – CPIC
• 800-70 – Checklists

Security Services Life Cycle

General Considerations for Security Services

• Strategic/Mission
• Budgetary/Funding
• Technical/Architectural
• Organizational
• Personnel
• Policy/Process

Security Product Testing

• Identification and Authentication
• Access Control
• Intrusion Detection
• Firewall
• Public Key Infrastructure
• Malicious Code Protection
• Vulnerability Scanners
• Forensics
• Media Sanitizing

• Common Criteria Evaluation and Validation Scheme
• NIST Cryptographic Module Validation Program

Considerations for Selecting Information Security Products

• Organizational
• Product
• Vendor
• Security Checklists for IT Products
• Organizational Conflict of Interest

Management Security Controls

Key Concepts & Vocabulary

• XX-1 Policy & Procedures
• CA – Security Assessment and Authorization
• PL – Planning Family & Family Plans
  – Information Security Program Plan (PM)
  – Critical Infrastructure Plan (HSPD 7)
• PM – Program Management
  – Capital Planning and Investment Control (SP 800-65)
  – Measures of Performance (SP 800-55)
  – Enterprise Architecture (FEA BRM)
• RA – Risk Assessment
  – Security Categorization
  – Risk & Vulnerability Assessments
• SA – System and Services Acquisition
