Risk Management Framework steps: Categorize, Select, Implement, Assess, Authorize, Monitor.

“Certification and accreditation is the methodology used to ensure that security controls are established for an information system, that these controls are functioning appropriately, and that management has authorized the operation of the system in its current security posture.” - Official (ISC)2 Guide to the CAP CBK (1st ed.)

Information assurance: “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” - CNSS Instruction No. 4009

Security authorization: “The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.” - NIST SP 800-37 rev 1

Why are Agencies riddled with security holes?
http://gcn.com/articles/2011/07/06/cyber-attacks-take-2-energy-labs-offline.aspx

Management support
• Need consistent management support.
• Without management support, people will not fulfill their obligations to the project.
• Without management support, you will not have access to needed resources and funding.
• The Chief Information Security Officer (CISO) can keep the program visible by giving regular updates to C-level management.
Reference: http://www.tess-llc.com/Certification%20&%20Accreditation%20PolicyV4.pdf

Policy life cycle (the life cycle for developing the documentation for the RMF process):
• Development: creation, review, approval
• Implementation: communication, compliance, exceptions
• Maintenance: awareness, monitoring, enforcement, maintenance
• Disposal: retirement

Roles and responsibilities

Chief Information Officer: “The Chief Information Officer, with the support of the senior agency information security officer, works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities.” - NIST SP 800-37

Authorizing Official: “A senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.” - NIST SP 800-37

Information System Owner: “Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.” - NIST SP 800-37

System Administrator: “Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.” - CNSS Instruction No. 4009

Information System Security Officer: “The information system security officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.” - NIST SP 800-37

Certification Agent: The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. - NIST SP 800-37

Delegation of roles: “At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and authorizing official. The Chief Information Officer and authorizing official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles.” - NIST SP 800-37

Roles by organizational tier (diagram; columns: Mission/Business Unit, IT Security, Audit):
• Head of Agency (CEO)
• Program level: Risk Executive Function, Inspector General (IG), Senior Information Security Officer (SISO), Chief Information Officer (CIO), Business Unit Manager (BUM)
• System level: Information Assurance (IA), Security Control Assessor (SCA), Information System Security Manager (ISSM), Information System Security Officer (ISSO), Authorizing Official (AO), System Owner (SO), Information Owner (IO), System Administrator (SA), End User (EU)
• The diagram marks independence for the audit/assessment roles and separation of duties (SOD) at the middle tier.

Role mapping, DoDI 8510.01 & 8500.2 to SP 800-37 Rev 1:
• Head of DoD Components -> Head of Agency (CEO)
• Principal Accrediting Authority (PAA) -> Risk Executive Function and/or Approving Authority (AA)
• Senior Information Assurance Officer (SIAO) -> Senior Information Security Officer (SISO)
• Designated Accrediting Authority (DAA) -> Approving Authority (AA)
• Systems Manager -> Common Control Provider and/or Systems Owner
• Program Manager -> Common Control Provider and/or System Owner
• Information Assurance Manager (IAM) -> ISSO and/or SISO
• Information Assurance Officer (IAO) -> Information Systems Security Officer (ISSO)
• Certification Agent -> Security Control Assessor

Qualifying certifications by level:
• Management / Risk: CISM, CISSP-ISSMP, CAP, CISSP
• Audit: CISA, GSNA
• Network / Communications: SSCP, CASP, Security+, CISSP-ISSEP/ISSAP
• Software Development: CSSLP

Computer Network Defense (CND) qualifying certifications:
• CND Analyst: GCIA, CEH
• CND Infrastructure Support: SSCP, CEH
• CND Incident Responder: GCIH, GSIH, CEH
• CND Auditor: CISA, CEH, GSNA
• CND-SP Manager: CISM, CISSP-ISSEP

“The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.”

“You got to be careful if you don’t know where you’re going, because you might not get there.”
-- Yogi Berra

Threat terminology
• Attack: accomplished by a threat agent that damages or steals an organization’s information or physical asset.
• Exploit: technique or mechanism used to compromise a system.
• Vulnerability: identified weakness of a controlled system in which necessary controls are not present or are no longer effective.

Risk management
• Use some method of prioritizing the risk posed by each category of threat and its related methods of attack.
• To manage risk, you must identify and assess the value of your information assets.
• Risk assessment assigns a comparative risk rating or score to each specific information asset.
• Risk management identifies vulnerabilities in an organization’s information systems and takes carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in the organization’s information system.

Information Security and Risk Management
• “The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.” – Wiktionary
• Risk management comprises risk assessments and risk treatment.

The threat situation
• Continuing serious cyber attacks on federal information systems, large and small; targeting key federal operations and assets…
• The weapons of choice are— connectivity and complexity, resulting in low-cost, highly destructive attack potential.

Critical infrastructures (USA Patriot Act, P.L. 107-56): Energy (electrical, nuclear, gas and oil, dams); Transportation (air, road, rail, port, waterways); Public Health Systems / Emergency Services; Information and Telecommunications; Defense Industry; Banking and Finance; Postal and Shipping; Agriculture / Food / Water / Chemical.
• These infrastructures are highly dependent on information systems, which must be dependable and protected (90% / partnership).
• For economic and national security reasons, we need—

The Generalized Model
• Unique Information Security Requirements (the “Delta”) versus Common Information Security Requirements, across the Intelligence Community, the Department of Defense, and Federal Civil Agencies.
• A Foundational Set of Information Security Standards and Guidance for national security and non-national-security information systems:
  • Standardized risk management process
  • Standardized security categorization (criticality/sensitivity)
  • Standardized security controls (safeguards/countermeasures)
  • Standardized security assessment procedures
  • Standardized security authorization process

Links in the Security Chain: Management, Operational, and Technical Controls
• Management and operational: risk assessment; security planning, policies, procedures; configuration management and control; contingency planning; incident response planning; security awareness and training; security in acquisitions; physical security; personnel security; security assessments; certification and accreditation.
• Technical: access control mechanisms; identification & authentication mechanisms (biometrics, tokens, passwords); audit mechanisms; encryption mechanisms; boundary and network protection devices (firewalls, guards, routers, gateways); intrusion protection/detection systems; security configuration settings; anti-viral, anti-spyware, anti-spam software; smart cards.
Adversaries attack the weakest link…where is yours?

The Risk Management Framework security life cycle (SP 800-39), with CATEGORIZE as the starting point:
• CATEGORIZE Information System (FIPS 199 / SP 800-60): Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls (FIPS 200 / SP 800-53): Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls (SP 800-70): Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
• AUTHORIZE Information System (SP 800-37): Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security State (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

“Building information security into the infrastructure of the organization… so that critical enterprise missions and business cases will be protected.”

Example: An Enterprise Information System (diagram)

Mapping Information Types to FIPS 199 Security Categories (FIPS 199 / SP 800-60). For each security objective (confidentiality, integrity, availability), the loss of that objective could be expected to have:
• LOW: a limited adverse effect on organizational operations, organizational assets, or individuals.
• MODERATE: a serious adverse effect on organizational operations, organizational assets, or individuals.
• HIGH: a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Master Security Control Catalog (complete set of security controls and control enhancements) and the minimum security controls drawn from it:
• Low Impact Information Systems (Baseline #1, Low Baseline): selection of a subset of security controls from the master catalog, consisting of basic level controls.
• Moderate Impact Information Systems (Baseline #2, Moderate Baseline): builds on the low baseline; selection of a subset of controls from the master catalog, consisting of basic level controls, additional controls, and control enhancements.
• High Impact Information Systems (Baseline #3, High Baseline): builds on the moderate baseline; selection of a subset of controls from the master catalog, consisting of basic level controls, additional controls, and control enhancements.
• Each baseline is then tailored for the enterprise and its operational environment (Tailored Security Controls for Enterprise #1 / Operational Environment #1, Enterprise #2 / Operational Environment #2, Enterprise #3 / Operational Environment #3).
Cost effective, risk-based approach to achieving adequate information security…

Authorization boundary (diagram): an Organizational Information System made up of subsystem components, such as Local Area Network Alpha, Local Area Network Bravo, and a System Guard.
• The system security plan reflects the information system decomposition, with adequate security controls assigned to each subsystem component.
• Security assessment procedures are tailored for the security controls in each subsystem component and for the combined system-level controls.
• Security assessment is performed on each subsystem component and on system-level controls not covered by subsystem assessments.
• Security authorization is performed on the information system as a whole.
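A worked example of the CATEGORIZE and SELECT steps, added here as illustration and not part of the original slides: it aggregates the provisional impact of each information type into the system security category (the highest impact per objective, as SP 800-60 prescribes), takes the high-water mark across confidentiality, integrity and availability (FIPS 200) to pick the Low, Moderate or High baseline, and treats confidentiality as the only objective that may be "not applicable" (FIPS 199). The information types, their names and their impact values are constructed sample data, not entries from any NIST catalog.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# FIPS 199 potential impact values, lowest to highest. None stands for
# "not applicable", which FIPS 199 allows only for confidentiality.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")
BASELINES = {"LOW": "Low Baseline", "MODERATE": "Moderate Baseline", "HIGH": "High Baseline"}


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per security objective."""
    name: str
    confidentiality: Optional[str]  # None = N/A (e.g. information that is already public)
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        if self.confidentiality is not None and self.confidentiality not in LEVELS:
            raise ValueError(f"{self.name}: confidentiality must be N/A or one of {LEVELS}")
        for objective in ("integrity", "availability"):
            if getattr(self, objective) not in LEVELS:
                raise ValueError(f"{self.name}: {objective} must be one of {LEVELS}; N/A is not allowed")


def highest(values: Iterable[Optional[str]]) -> Optional[str]:
    """Highest impact level among the values, ignoring N/A; None if every value is N/A."""
    present = [v for v in values if v is not None]
    return max(present, key=LEVELS.index) if present else None


def system_security_category(info_types: Iterable[InfoType]) -> Dict[str, Optional[str]]:
    """SP 800-60 aggregation: for each objective, the highest impact across all
    information types the system processes, stores or transmits."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must carry at least one information type")
    return {obj: highest(getattr(t, obj) for t in types) for obj in OBJECTIVES}


def overall_impact(sc: Dict[str, Optional[str]]) -> str:
    """FIPS 200 high-water mark: the system impact level is the highest of C, I and A."""
    level = highest(sc[obj] for obj in OBJECTIVES)
    if level is None:  # unreachable in practice: integrity and availability are never N/A
        raise ValueError("security category has no applicable impact values")
    return level


def baseline_for(sc: Dict[str, Optional[str]]) -> str:
    """Which SP 800-53 baseline (Low / Moderate / High) the system starts from before tailoring."""
    return BASELINES[overall_impact(sc)]


def format_sc(system_name: str, sc: Dict[str, Optional[str]]) -> str:
    """Render the category in FIPS 199 notation, e.g.
    SC payroll = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}"""
    cells = ", ".join(f"({obj}, {sc[obj] or 'N/A'})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{cells}}}"


# Constructed sample data: hypothetical information types for a hypothetical system.
SAMPLE_INFO_TYPES: List[InfoType] = [
    InfoType("public web content", None, "MODERATE", "LOW"),
    InfoType("personnel records", "MODERATE", "MODERATE", "LOW"),
    InfoType("emergency dispatch data", "LOW", "HIGH", "HIGH"),
]

if __name__ == "__main__":
    sc = system_security_category(SAMPLE_INFO_TYPES)
    print(format_sc("agency portal", sc))
    print("overall impact:", overall_impact(sc), "->", baseline_for(sc))
```

The N/A handling matters in practice: a system that only publishes public information still needs an integrity and availability rating, so the high-water mark is taken over the applicable objectives only, and the resulting baseline is then the starting point for the tailoring step rather than the finished control set.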
Applying the Risk Management Framework to Information Systems (diagram): the RMF steps (CATEGORIZE Information System, SELECT Security Controls, IMPLEMENT Security Controls, ASSESS Security Controls, AUTHORIZE Information System, MONITOR Security State) produce the authorization package for the information system:
• SECURITY PLAN, including updated Risk Assessment
• SECURITY ASSESSMENT REPORT
• PLAN OF ACTION AND MILESTONES
These are supported by artifacts and evidence, output from automated support tools, and near-real-time security status information.

Extending the Risk Management Framework to Organizations (diagram): the RISK EXECUTIVE FUNCTION provides enterprise-wide oversight, monitoring, and risk management. It issues security requirements and policy guidance to the RMF of each information system, and each system returns its Security Plan (SP), Security Assessment Report (SAR), Plan of Action and Milestones (POAM), and Authorization Decision. Common Security Controls (infrastructure-based, system-inherited) carry their own SAR, POAM, and Authorization Decision.

Managing Risk at the Organizational Level: the RISK EXECUTIVE FUNCTION coordinates policy, risk, and security-related activities in support of organizational missions and business processes, down to information-system-specific considerations:
• Establish organizational information security priorities.
• Allocate information security resources across the organization.
• Provide oversight of information system security categorizations.
• Identify and assign responsibility for common security controls.
• Provide guidance on security control selection (tailoring and supplementation).
• Define common security control inheritance relationships for information systems.
• Establish and apply mandatory security configuration settings.
• Identify and correct systemic weaknesses and deficiencies in information systems.

Trust between organizations (diagram): Organization One and Organization Two exchange business/mission information flow between their information systems. Each shares its System Security Plan, Security Assessment Report, and Plan of Action and Milestones, and each determines the risk to the organization’s operations and assets, individuals, other organizations, and the Nation, and the acceptability of such risk. The objective is to achieve visibility into and understanding of the prospective partner’s information security programs…establishing a trust relationship based on the trustworthiness of their information systems.

Information security requirements must be considered first-order requirements and are critical to mission and business success. An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.

Federal Enterprise Architecture
• Provides a common language for discussing information security in the context of organizational missions, business processes, and performance goals.
• Defines a collection of interrelated reference models that are focused on lines of business, including Performance, Business, Service Component, Data, and Technical.
• Uses a security and privacy profile to describe how to integrate the Risk Management Framework into the reference models.

The Risk Management Framework should be integrated into all phases of the SDLC:
• Initiation: RMF Steps 1 and 2
• Development and Acquisition: RMF Step 2
• Implementation: RMF Steps 3 through 5
• Operations and Maintenance: RMF Step 6
• Disposition: RMF Step 6
Reuse system development artifacts and evidence (e.g., design specifications, system documentation, testing and evaluation results) for risk management activities.

Supporting publications, by topic: Security Categorization; Minimum Security Requirements; Security Planning; Risk Assessment; Risk Management; Certification & Accreditation; Recommended Security Controls; Security Control Assessment; National Security Systems; Security Category Mapping.

Trustworthiness (diagram): IT products, with their security functionality (features) and configuration settings evaluated in laboratory environments, are composed into information systems that apply security controls and configuration settings in operational environments. The trustworthiness of each information system rests on its functionality and assurance, and a trust relationship between information systems rests on their trustworthiness. Producing evidence that supports the grounds for confidence in the design, development, implementation, and operation of information systems.

RMF resources: Frequently Asked Questions; Publication Summary Guides (Quickstart Guides); Formal Curriculum and Training Courses.

And finally…