OWASP Minneapolis St Paul Local Chapter
Proactive Lifecycle Security Management
February 16th, 2009

Survey
• Which of the following is the responsibility of IT?
  - System owner
  - Data owner
  - System custodian
  - All of the above
• True or False – The CIO/IT Director is responsible for accepting information and system security risks on behalf of the organization?
• True or False – The individual in charge of information security is responsible for:
  - Defining security controls
  - Implementing security controls
  - Managing security controls
  - All of the above

Setting the Stage
"In the last four years, approximately 250 million records containing personally identifiable information of United States residents stored in government and corporate databases were either lost or stolen. Since little attention was given to database breaches prior to 2005, it is safe to assume that every man, woman and child has had their personal information exposed at least once, statistically."
– Quote from InsideIDTheft.info

"Data theft and breaches from cybercrime may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage last year, according to a survey of more than 800 chief information officers in the U.S., United Kingdom, Germany, Japan, China, India, Brazil, and Dubai. The respondents estimated that they lost data worth a total of $4.6 billion and spent about $600 million cleaning up after breaches."
– McAfee Report, "Unsecured Economies: Protecting Vital Information"

No Lack of Publicity or Victims
According to the Open Security Foundation's DATALOSSdb, this pie chart represents events involving the loss, theft, or exposure of personally identifiable information (PII) for 2008.
[Pie chart: 2008 data loss events by type, not reproduced here]

Customer Loss Following Data Breach
[Chart: PGP Corporation and the Ponemon Institute annual report – U.S. Cost of a Data Breach Study]

Cost of Data Breach
[Chart: PGP Corporation and the Ponemon Institute annual report – U.S. Cost of a Data Breach Study]

Cost of a Security Bug

Phase       | Non-Technical Cost                               | Technical Cost to Fix                                            | Total Cost
------------|--------------------------------------------------|------------------------------------------------------------------|-----------
Production  | $166,272 for 1000 records                        | $8,500                                                           | $174,772
Test        | $1,500/vulnerability (prevent approx. 20 bugs)   | $2,125 (man-power, computer, testing, configuration management)  | $3,625
Code        | $600                                             | $920 (dev, test)                                                 | $1,520
Design      | $150/vulnerability (prevent approx. 100 bugs)    | $142 (developer, architect time)                                 | $292

Courtesy of SecurityCompass – presented at 2008 Minnesota Government IT Symposium
Non-Technical Costs = breach reporting, regulatory violation (penalties), legal fees
What is the reputational cost: ??????

Security Authorization Process Summary
Security authorization (formerly called certification and accreditation) ensures that, on a near real-time basis, the organization's senior leaders understand the security state of the information system and explicitly accept the resulting risk to organizational operations and assets, individuals, and other organizations.
"An information system is authorized for operation at a specific point in time based on the risk associated with the current security state of the system."

Who is this process targeted at?
• Business owners
• Data owners
• Personnel responsible for:
  - Development, acquisition and integration
  - System security
  - Security implementation and operations
• Auditors/assessors

Security Authorization History
• Roots go back to 1983 – Federal Information Processing Standard (FIPS) 102
• Known by many different names:
  - Certification & Accreditation (C&A)
  - National Information Assurance Certification & Accreditation Process (NIACAP)
  - Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
  - DOD Information Assurance Certification and Accreditation Process (DIACAP)
  - Director of Central Intelligence Directive (DCID) 6/3

Key Definitions
• Information System – A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information
• Security Authorization – The testing and/or evaluation of management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting security requirements for the system
• Security Control Assessment – The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
• Security Authorization Boundary – All components of an information system to be authorized for operation by an authorizing official; excludes separately authorized systems to which the information system is connected
• Plan of Action and Milestones – A document that identifies tasks needing to be accomplished, resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones
• Security Plan – Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements
List not all inclusive – see NIST SP 800-37, Appendix B for a more detailed list

Key Process Players
• Authorizing Official – A senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations, assets, individuals, and other organizations
• Information (Data) Owner – Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal
• Information System Owner – Official responsible for the overall procurement, development, integration, modification, operation and maintenance of an information system
• Information System Security Officer – Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program
• Security Control Assessor – The individual, group or organization responsible for conducting a security control assessment
!!! Discussion Point: Conflicts of interest !!!

Other Process Roles
• Common Control Provider
• Information System Security Engineer
• Chief/Corporate Security Officer
• Risk Executive Function

Regulatory & Industry Requirements
• Payment Card Industry (PCI)
  - Requirement # 6 – Develop and maintain secure systems and applications
  - Requirement # 6.6 – Application security assessment
• Health Insurance Portability and Accountability Act (HIPAA)
  - §164.308 Administrative Safeguards, (a)(1)(ii)(A) Risk Analysis
• Gramm-Leach-Bliley Act (GLBA)
  - Manage & Control Risk requirement
• Federal Financial Institutions Examination Council (FFIEC) Information Security Booklet
  - Information Security Risk Assessment
  - Systems Development, Acquisition, and Maintenance
• Sarbanes-Oxley (SOX)
  - Section 404, Management Requirements
  - PCAOB Auditing Standard No. 2
• Federal Information Security Management Act (FISMA)
  - § 3544. Federal agency responsibilities
• IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies & Entities
  - CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures
• Federal Energy Regulatory Commission (FERC) – 18 CFR Part 40, Mandatory Reliability Standards for Critical Infrastructure Protection
  - CIP-007-1 – Cyber Security – Systems Security Management
• Government Accounting Office (GAO) Federal Information System Controls Audit Manual (FISCAM)
  - Chapter 4 – Evaluating and Testing Business Process Application Controls

Standards
• ISO 27001 – Information Technology – Security Techniques – Information Security Management Systems – Requirements
  - Control Objectives and Controls – Internal Organization
  - A.6.1.4 – Authorization process for information processing facilities
  - A.10.4 – System Acceptance
• Information Security Forum (ISF) – The Standard of Good Practice for Information Security
  - SD – Systems Development
• Control Objectives for Information and related Technology (COBIT)
  - AI2 – Acquire and Maintain Application Software
  - AI4 – Enable Operation and Use
  - AI6 – Manage Changes
  - AI7 – Install and Accredit Solutions and Changes

Additional Benefits
• "Direct" business participation
• Pre-production security authorization = $avings
• Risk acceptance at the appropriate level of management
  - Risks are documented and mitigated
  - Business explicitly accepts residual risk and recommended security controls
• Standardization
  - Assessment, documentation and acceptance of security risks
  - Architecture and configuration documentation
  - Documentation (i.e. BCP/DR, policies, asset inventory, etc.)
• Unbiased security controls assessment

Relationship to System Lifecycle
[Diagram: Dark gray = Acquisition Lifecycle Phases; Light gray = Development Lifecycle Phases]

Risk Management Framework
Security Authorization is part of a dynamic risk management process

Security Authorization Process
RMF = Risk Management Function

Preparation Phase – Categorize Information System
• Task 1: Describe the information system
  - Define system boundary
  - Document system in security plan
• Task 2: Register system in organization asset inventory
• Task 3: Determine security category and document in security plan
  - Organizational/business criticality
  - Relationship/impact to other systems
  - Classification of data processed by system

Preparation Phase – Security Control Selection
• Task: Select security controls and document in security plan
  - System specific (implemented), common (inherited) and/or hybrid controls
  - Controls used to manage system risk (i.e. management controls)
  - Automated system safeguards and countermeasures (i.e. technical controls)
  - Policy, standards, and procedural measures (i.e. operational controls)

Preparation Phase – Security Plan Approval
• Task: Review and approve the security plan

Authorization Boundary
• Purpose = Reduce cost and complexity, and facilitate more targeted application of security controls
• Must be done before system categorization and security plan development
• Separate large and complex systems into multiple components or subsystems
• Sub-systems…
  - include data, technology and personnel
  - should generally be under the same direct management control
  - have the same function or mission/business objective
  - have the same operating characteristics and information security needs
  - reside in the same general operating environment
  - reside in different locations with similar operating systems
• Software applications do not require a separate security authorization; rather, include them in the authorization boundary of the host system
• Use common sense

System Security Plan
• Prepared and maintained by the information system owner
• Living document
• Provides overview of security requirements and description of security controls
• Should contain supporting appendices or reference appropriate sources:
  - Risk assessments
  - System interconnection diagrams
  - Service level agreements
  - Data flow diagrams
  - Disaster recovery and contingency plans
  - Security configurations
  - Configuration management plan
  - Incident response plan
  - Applicable policies and procedures
  - Hardware and software inventories
  - Vulnerability scan
• Should be updated whenever events impact agreed upon security controls:
  - New threat to system
  - Redefinition of business priorities/objectives
  - Addition of new hardware, software or firmware
  - Change to operating environment
  - Addition of new connections
  - Weaknesses or deficiencies discovered (before or after a breach)
• Classify accordingly

Preparation Phase – Implement Security Controls
• Task 1: Implement security controls specified in security plan
• Task 2: Document "implemented" security controls in security plan
  - Functional description
  - Planned inputs
  - Expected behavior and outputs

Security Controls Assessment (examination, interview and test)
• Task 1: Select an assessor
• Task 2: Develop a plan to assess "all" security controls
• Task 3: Review and approve assessment plan
• Task 4: Obtain appropriate documentation needed to assess security controls
• Task 5: Perform assessment
• Task 6: Prepare preliminary assessment report
• Task 7: Review preliminary assessment report with system owner
• Task 8: Perform remediation actions
• Task 9: Assess remediated security controls
• Task 10: Update security assessment report and prepare executive summary
• Task 11: Update security plan
• Task 12: Prepare Plan of Action & Milestones

Authorization – Execution Phase – Authorize Information System
• Task 1: Assemble authorization package to submit to authorizing official for approval
• Task 2: Determine the risk to the organization
• Task 3: Formally accept risk (authorization decision)
  - Compensating controls
  - Risk mitigation strategy
  - Residual risk
• Task 4: Prepare the security authorization decision and document
  - Authorization decision
  - Terms and conditions for the authorization
  - Authorization termination date

Authorization Package
[Diagram: Security Plan + Security Assessment Report + Plan of Action & Milestones = Authorization Package, submitted to the AUTHORIZATION PROCESS]

Continuous Monitoring – Maintenance Phase
Strategy: Maintain the security authorization for the system over time in a highly dynamic operational environment with changing threats, vulnerabilities, technologies and business processes
Objectives:
• Track the security "state" of a system on a continuous basis
• Ensure security controls are checked for effectiveness on an ongoing basis
• Address the security impact to systems when changes occur to hardware, software, firmware and operational environment
• Provide an effective process for updating security plans, security assessment reports and plans of action and milestones
• Security status reporting to authorizing official

Continuous Monitoring Program includes:
• Configuration management
• Security impact analysis on actual or proposed changes
• Assessment of selected controls
• Ongoing status reporting to appropriate levels of management
• Active involvement of Information System Owner, Security Control Assessor and Authorizing Official

Continuous Monitoring Continues Until…
• Changes to the system have affected security controls in the system or introduced new vulnerabilities into the system; and
• Organizational level risk to the business operations, assets or individuals has been affected; or
• The authorization deadline has passed, then…
"Reauthorization begins!"

Reauthorization
Reauthorization occurs at the discretion of the authorizing official in accordance with federal or organizational policy
• Time Driven
  - Authorization termination date has been reached
• Event Driven
  - Authorizing official changes
  - Routine environment/system changes
  - Significant environment/system changes (per NIST 800-37):
    Installation of a new or upgraded operating system, middleware component or application
    Modifications to system ports, protocols or services
    Installation of a new or upgraded hardware platform or firmware component
    Modifications to cryptographic modules or services
    Changes in laws, directives, policies or regulations
NOTE: Event driven reauthorization should be avoided in situations where the continuous monitoring process provides the necessary and sufficient information to the authorizing official to manage the potential risk arising from significant environment or system changes.

Process Implementation
"Crawl before you walk, walk before you run"
• If you have to comply with FISMA, you must have a security authorization process in place
  - Based on NIST SP 800-37
• Flexibility
• Even if you don't implement this process, consider the value of this process:
  - Pre-production assessment
  - Security plan
  - 3rd party assessment
  - Business involvement

Where to get more information
• I-Assure Forum – www.i-assure.com/forums/Default.aspx
• NIST SP 800-37 – http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf
• Books
  - FISMA Certification & Accreditation Handbook by Laura Taylor (ISBN-10: 1597491160)
  - Building and Implementing a Security Certification and Accreditation Program by Patrick D. Howard (ISBN-10: 0849320623)

2009 Prediction
"More and more private sector companies and universities will have to comply with FISMA. Why? Many companies that are government contractors are being required to comply with FISMA already as a stipulation in their contracts with the government. Organizations that accept grants from the government are increasingly being required to comply with FISMA."
"FISMA 2008 will pass and government CISOs will become more empowered."
– Laura Taylor, Founder of Relevant Technologies and author of the "FISMA Certification & Accreditation Handbook"

Status of FISMA Related NIST Publications
• SP 800-30, Revision 1: Guide for Conducting Risk Assessments – FEBRUARY 2010
• SP 800-37, Revision 1: Guide for the Security Authorization of Federal Information Systems: A Security Life Cycle Approach – JUNE 2009
• SP 800-39: Managing Risk from Information Systems: An Organizational Perspective – JULY 2009
• SP 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems – DECEMBER 2009
• SP 800-CM: Guide for Security Configuration Management and Control (Publication number TBD) – NOVEMBER 2009

Points to Remember
• Assess a defined environment (authorization boundary), not the world
• Security authorization is an ongoing process
• Security control assessors make recommendations; they do not accept risk or approve mitigating controls on behalf of the organization
• Risk acceptance is the sole responsibility of the authorizing official
• Reuse and share security control development, implementation, and assessment-related information to reduce cost and time
• An active continuous monitoring program reduces time and effort

Let's try again!
• Which of the following is the responsibility of IT?
  - System owner
  - Data owner
  - System custodian
  - All of the above
• True or False – The CIO/IT Director is responsible for accepting information and system security risks on behalf of the organization?
• True or False – The individual in charge of information security is responsible for:
  - Defining security controls
  - Implementing security controls
  - Managing security controls
  - All of the above

Questions

Thank You!
Rick Ensenbach CISSP-ISSMP, CISA, CISM
Rick.Ensenbach@state.mn.us
651-201-2790