
Federal Enterprise Architecture Security and Privacy Profile Update Briefing – November 20, 2008




Federal Enterprise Architecture

Security and Privacy Profile

Update Briefing – November 20, 2008

Architecture and Infrastructure Committee

Federal CIO Council

Co-Leads:

  • Scott A. Bernard, Deputy CIO, FRA/DOT
  • Ron Ross, FISMA PMO, NIST
  • Ken Mortensen, Chief Privacy Officer, DOJ


Ongoing Activities:

  • 1. SPP Being Virtualized Into:
    • Federal Segment Architecture Methodology (FSAM) – Done
    • NIST SP800-37 Guide to Security C&A
    • NIST SP800-39 Managing Risk from Info Systems
    • NIST SP800-53 Security Controls for Info Systems
  • SPP White Paper in Development (Due Dec 31)
  • Working Group Meetings to resume in December.


Information Security and Data Privacy Framework (diagram; recoverable content)

  • Federal Enterprise Architecture: Requirement / Solution Identification and Implementation, supported by Enterprise Architecture Guidance and Supporting Documentation. Reference models: Performance Architecture (PRM), Business Architecture (BRM), Service Component Architecture (SRM), Data/Information Architecture (DRM), Technology Architecture (TRM).
  • NIST Risk Mgmt. Framework: Security / Privacy Control Development, supported by Information Security / Privacy Control Guidance and Supporting Documentation. Steps: Categorize, Select, Implement, Assess, Authorize, Monitor.
  • Control levels: Enterprise Level “Common Controls” for Security/Privacy; Segment Level Controls; Solution / System Level Controls.
  • Cross-cutting: Governance Process; Lifecycle Development & Maintenance Process.


Risk Management Framework (diagram; the six steps form the Security Life Cycle)

  • Starting Point: CATEGORIZE Information System. Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
  • SELECT Security Controls. Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
  • IMPLEMENT Security Controls. Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
  • ASSESS Security Controls. Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
  • AUTHORIZE Information System. Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
  • MONITOR Security Controls. Continuously track changes to the information system that may affect security controls and reassess control effectiveness.


RISK EXECUTIVE FUNCTION: Enterprise-wide Oversight, Monitoring, and Risk Management (diagram; recoverable content)

  • Organizational Inputs: Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations.
  • Architecture Description: Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries.
  • The Risk Management Framework (RMF) is applied to each Information System; each system has its own SP, SAR and POAM and its own Authorization Decision.
  • Common Controls (Inherited by Information Systems) are shared across the information systems.

Legend:

  • SP: Security Plan
  • SAR: Security Assessment Report
  • POAM: Plan of Action and Milestones

