1 / 34

NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems An Introductory Tutoria

Part I Introduction. Security Controls. The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.-- [FIPS Publication 199]. Key Questi

yazid
Download Presentation

NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems An Introductory Tutoria

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems An Introductory Tutorial Dr. Ron Ross Computer Security Division Information Technology Laboratory

    2. Part I Introduction

    3. Security Controls The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. -- [FIPS Publication 199]

    4. Key Questions What security controls are needed to adequately protect an information system that supports the operations and assets of the organization? Have the selected security controls been implemented or is there a realistic plan for their implementation? To what extent are the security controls implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements?

    5. Purpose The purpose of Special Publication 800-53 is to provide— Guidance on how to use a FIPS Publication 199 security categorization to identify minimum security controls for an information system Minimum (baseline) security controls for low, moderate, and high impact information systems A catalog of security controls for information systems requiring additional threat coverage

    6. Applicability Applicable to all Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542 Broadly developed from a technical perspective so as to be complementary to similar guidelines for national security systems Provides guidance to Federal agencies until the publication of FIPS Publication 200, Minimum Security Controls for Federal Information Systems

    7. Document Structure Introduction The importance of security controls—relating to key legislative and policy drivers The Fundamentals The structure and types of security controls, organization of the security control catalog, methods to instantiate control variables The Process The process of selecting minimum security controls using FIPS 199 and how the process relates to the organization’s risk management process Appendices Minimum security controls, minimum assurance requirements, security control catalog, and other supporting information

    8. Security Control Structure Simplified structure consisting of three sections: Token-level security control statement Supplemental guidance Control enhancements

    9. Security Control Example CP-8 TELECOMMUNICATIONS SERVICES Control: The organization identifies primary and alternate telecommunications services to support the information system and initiates necessary agreements to permit the resumption of system operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable. Supplemental Guidance: In the event that the primary and/or alternate telecommunications services are provided by a wireline carrier, the organization should ensure that it requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security emergency preparedness (see http://tsp.ncs.gov for a full explanation of the TSP program). Control Enhancements: (1) Primary and alternate telecommunications service agreements contain priority-of-service provisions in accordance with the organization’s availability requirements. (2) Alternate telecommunications services do not share a single point of failure with primary telecommunications services. (3) Alternate telecommunications service providers are sufficiently separated from primary service providers so as not to be susceptible to the same hazards. (4) Primary and alternate telecommunications service providers have adequate contingency plans. LOW Not Selected MOD CP-8 (1) (2) HIGH CP-8 (1) (2) (3) (4)

    10. Security Controls Families Access Control Awareness and Training Audit and Accountability Certification, Accreditation, and Security Assessments Configuration Management Contingency Planning

    11. Security Controls Families Identification and Authentication Incident Response Maintenance Media Protection Physical and Environmental Protection Planning

    12. Security Controls Families Personnel Security Risk Assessment System and Information Integrity System Acquisition System and Communications Protection

    13. Part II Organizational Use

    14. Security Categorization This chart shows examples Security Categorizations. There is guidance for mapping types of information and information systems to FIPS Publication 199 Security Categories. The chart has headers along each axis was designed to be navigable to explain the effects that would occur to organizational operations, assets or individuals. The vertical access has the title “Security Objectives” and the horizontal title on top is “Potential Impact”This chart shows examples Security Categorizations. There is guidance for mapping types of information and information systems to FIPS Publication 199 Security Categories. The chart has headers along each axis was designed to be navigable to explain the effects that would occur to organizational operations, assets or individuals. The vertical access has the title “Security Objectives” and the horizontal title on top is “Potential Impact”

    15. Security Categorization This chart shows examples Security Categorizations. There is guidance for mapping types of information and information systems to FIPS Publication 199 Security Categories. The chart has headers along each axis was designed to be navigable to explain the effects that would occur to organizational operations, assets or individuals. On left side of the chart is an arrow pointing to it with the text “SP 800-60” and the words Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security CategoriesThis chart shows examples Security Categorizations. There is guidance for mapping types of information and information systems to FIPS Publication 199 Security Categories. The chart has headers along each axis was designed to be navigable to explain the effects that would occur to organizational operations, assets or individuals. On left side of the chart is an arrow pointing to it with the text “SP 800-60” and the words Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories

    16. Security Categorization

    17. Why High Water Mark Strong dependencies among security objectives of confidentiality, integrity, and availability In general, the impact values for all security objectives must be commensurate—a lowering of an impact value for one security objective might affect all other security objectives Example: A lowering of the impact value for confidentiality and the corresponding employment of weaker security controls may result in a breach of security due to an unauthorized disclosure of system password tables—thus, causing a subsequent integrity loss or denial of service…

    18. Minimum Security Controls Minimum security controls in each of the designated baselines: Provide a starting point for organizations and communities of interest in their security control selection process Are used in the context of the organization’s ongoing risk management process

    19. Scoping Guidance Provides organizations with considerations on the applicability and implementation of individual security controls in the control baselines— Technology-related considerations Infrastructure-related considerations Public access-related considerations Scalability-related considerations Common security control-related considerations Risk-related considerations

    20. Compensating Controls Management, operational, or technical security controls employed by an organization in lieu of recommended controls in the baselines Provides equivalent or comparable protection for the information system Employed under strict terms and conditions with appropriate oversight

    21. Minimum Security Controls Sets Baselines Provided by Special Publication 800-53 This slide is called Minimum Security Controls Sets (baselines provided by SP 800-53) and shows the baselines for Low, Moderate and High Impact Information Systems. For Minimum Secutiry Controls Low Impact Information Systems, Baseline #1 is Selection of a subset of security controls from the master catalog—consisting of basic level controls. For Minimum Security Controls Moderate Impact Information Systems, Baseline #2 is Selection of a subset of security controls from the master catalog—consisting of basic level controls, plus additional controls and control enhancements, as needed . For Minimum Security Controls High Impact Information Systems Baseline #3, Selection of a subset of security controls from the master catalog—consisting of basic level controls, plus additional controls and control enhancements, as needed .This slide is called Minimum Security Controls Sets (baselines provided by SP 800-53) and shows the baselines for Low, Moderate and High Impact Information Systems. For Minimum Secutiry Controls Low Impact Information Systems, Baseline #1 is Selection of a subset of security controls from the master catalog—consisting of basic level controls. For Minimum Security Controls Moderate Impact Information Systems, Baseline #2 is Selection of a subset of security controls from the master catalog—consisting of basic level controls, plus additional controls and control enhancements, as needed . For Minimum Security Controls High Impact Information Systems Baseline #3, Selection of a subset of security controls from the master catalog—consisting of basic level controls, plus additional controls and control enhancements, as needed .

    22. Estimated Threat Coverage This slide called Estimated Threat Coverage shows a box called Master Security Control Catalog. It has a subtitle of “Complete Set of Security Controls Control Enhancements.” Underneath this box there are more boxes which show that with Minimum Security Controls Low Impact Information Systems there is a low baseline which should help you understand your estimated threat coverage. Minimum Security Controls Moderate Impact Information Systems there is a moderate baseline which should help you understand your estimated threat coverage, and for your Minimum Security Controls High Impact Information Systems there is a high baseline which should help you understand your estimated threat coverage. This slide called Estimated Threat Coverage shows a box called Master Security Control Catalog. It has a subtitle of “Complete Set of Security Controls Control Enhancements.” Underneath this box there are more boxes which show that with Minimum Security Controls Low Impact Information Systems there is a low baseline which should help you understand your estimated threat coverage. Minimum Security Controls Moderate Impact Information Systems there is a moderate baseline which should help you understand your estimated threat coverage, and for your Minimum Security Controls High Impact Information Systems there is a high baseline which should help you understand your estimated threat coverage.

    23. Security Control Refinement Organization-level Activity Guided by Risk Assessment This slide is called Security Control Refinement—an organization level activity guided by risk assessment. It shows a cycle which begins with: Security Control Master Catalog Complete Set Security Controls plus Control Enhancements THEN to the starting point which is: 1. Minimum Security Controls Organizational Information System THEN 2. Estimated Threat Coverage THEN 3. Additional Threat Coverage THEN 4. Additional Security Controls THEN Additional Threat Coverage. The accompanying text says “Risk Assessment Process Incorporates Local Conditions and Specific Security Requirements to Adjust Initial Set of Security Controls”. This slide is called Security Control Refinement—an organization level activity guided by risk assessment. It shows a cycle which begins with: Security Control Master Catalog Complete Set Security Controls plus Control Enhancements THEN to the starting point which is: 1. Minimum Security Controls Organizational Information System THEN 2. Estimated Threat Coverage THEN 3. Additional Threat Coverage THEN 4. Additional Security Controls THEN Additional Threat Coverage. The accompanying text says “Risk Assessment Process Incorporates Local Conditions and Specific Security Requirements to Adjust Initial Set of Security Controls”.

    24. Requirements Traceability This slide called Requirements Traceability shows a box called High Level Security Requirements. It has a subtitle of “Derived from Legislation, Executive Orders, Policies, Directives, Regulations, Standards Examples: HIPAA, Graham-Leach-Bliley, Sarbanes-Oxley, FISMA, OMB Circular A-130.” Underneath this box there are 3 more boxes. Box one called Enterprise #1 says Security Controls SP 800-53 / FIPS 200, Enterprise #2 says Security Controls SP 800-53 / FIPS 200 and Enterprise #3 Security Controls SP 800-53 / FIPS 200. The bottom of the slide that refers to all the information on the slide asks “What set of security controls, if implemented within an information system and determined to be effective, can show compliance to a particular set of security requirements?” This slide called Requirements Traceability shows a box called High Level Security Requirements. It has a subtitle of “Derived from Legislation, Executive Orders, Policies, Directives, Regulations, Standards Examples: HIPAA, Graham-Leach-Bliley, Sarbanes-Oxley, FISMA, OMB Circular A-130.” Underneath this box there are 3 more boxes. Box one called Enterprise #1 says Security Controls SP 800-53 / FIPS 200, Enterprise #2 says Security Controls SP 800-53 / FIPS 200 and Enterprise #3 Security Controls SP 800-53 / FIPS 200. The bottom of the slide that refers to all the information on the slide asks “What set of security controls, if implemented within an information system and determined to be effective, can show compliance to a particular set of security requirements?”

    25. Large and Complex Systems This slide called Large and Complex Systems has a graphic that shows what is called an Accreditation Boundary. Inside are three boxes in what is titled an “Organization General Support System”. Box one is called System Component and is listed with “Local Area Network Alpha.” A two way arrow then connects this to box two which says Subsystem Component which is listed with “System Guard”. It then has a two way arrow to box 3 which is called Subsystem Component which is listed with “Local Area Network Bravo.” Text below this graphic reads: System security plan reflects information system decomposition with adequate security controls assigned to each subsystem component Security assessment methods and procedures tailored for the security controls in each subsystem component and for the combined system-level controls Security certification performed on each subsystem component and on system-level controls not covered by subsystem certifications Security accreditation performed on the information system as a wholeThis slide called Large and Complex Systems has a graphic that shows what is called an Accreditation Boundary. Inside are three boxes in what is titled an “Organization General Support System”. Box one is called System Component and is listed with “Local Area Network Alpha.” A two way arrow then connects this to box two which says Subsystem Component which is listed with “System Guard”. It then has a two way arrow to box 3 which is called Subsystem Component which is listed with “Local Area Network Bravo.” Text below this graphic reads: System security plan reflects information system decomposition with adequate security controls assigned to each subsystem component Security assessment methods and procedures tailored for the security controls in each subsystem component and for the combined system-level controls Security certification performed on each subsystem component and on system-level controls not covered by subsystem certifications Security accreditation performed on the information system as a whole

    26. Common Security Controls Security controls that can be applied to one or more organizational information systems and have the following properties: The development, implementation, and assessment of the controls can be assigned to responsible officials or organizational elements other than the information system owner The results from the assessment of the controls can be reused in security certifications and accreditations of organizational information systems where those controls have been applied

    27. Common Security Controls Common security controls can be applied organization-wide, site-wide, or to common subsystems and assessed accordingly— Examples include: Contingency planning Incident response planning Awareness and training Physical and personnel security Common hardware, software, or firmware

    28. Common Security Controls This slide is called Common Security Controls. It has a graphic that shows the interrelationship between the responsibility of information system owners (System Specific Security Controls) and the Responsibility of designated organizational officials other than information system owners e.g., Chief Information Officer, facilities manager, etc. (Common Security Controls.) The text on the page reads as follows: Maximum re-use of assessment evidence during security certification and accreditation of information systems Security assessment reports provided to information system owners to confirm the security status of common security controls Assessments of common security controls not repeated; only system specific aspects when necessary Common security controls developed, implemented, and assessed one time by designated organizational official(s) Development and implementation cost amortized across all information systems Assessment results shared among all information system owners and authorizing officials where common security controls are applied This slide is called Common Security Controls. It has a graphic that shows the interrelationship between the responsibility of information system owners (System Specific Security Controls) and the Responsibility of designated organizational officials other than information system owners e.g., Chief Information Officer, facilities manager, etc. (Common Security Controls.) The text on the page reads as follows: Maximum re-use of assessment evidence during security certification and accreditation of information systems Security assessment reports provided to information system owners to confirm the security status of common security controls Assessments of common security controls not repeated; only system specific aspects when necessary Common security controls developed, implemented, and assessed one time by designated organizational official(s) Development and implementation cost amortized across all information systems Assessment results shared among all information system owners and authorizing officials where common security controls are applied

    29. Part III Summary

    30. Special Publication 800-53 Establishes the foundation for— More consistent, comparable specifications of security controls for information systems More consistent, comparable, and repeatable system assessments of information systems More complete and reliable information for authorizing officials to facilitate better risk-based security accreditation decisions And, ultimately, more secure information systems for organizations…

    31. The Desired End State Security Visibility Among Business/Mission Partners This slide called: The Desired End State Security Visibility Among Business/Mission Partners shows a flow of information using arrows to show how important is to so achieve visibility among business and mission partners. Just as business and mission information flow, so must security information including system security plans, security assessment reports and Plans of actions and milestones. First one must Determine the risk to the first organization’s operations and assets and the acceptability of such risk then Determine the risk to the second organization’s operations and assets and the acceptability of such risk. As has been stated prior to this review: The objective is to achieve visibility into prospective business/mission partners information security programs BEFORE critical/sensitive communications begin…establishing levels of security due diligence. This slide called: The Desired End State Security Visibility Among Business/Mission Partners shows a flow of information using arrows to show how important is to so achieve visibility among business and mission partners. Just as business and mission information flow, so must security information including system security plans, security assessment reports and Plans of actions and milestones. First one must Determine the risk to the first organization’s operations and assets and the acceptability of such risk then Determine the risk to the second organization’s operations and assets and the acceptability of such risk. As has been stated prior to this review: The objective is to achieve visibility into prospective business/mission partners information security programs BEFORE critical/sensitive communications begin…establishing levels of security due diligence.

    32. Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Project Manager Administrative Support Dr. Ron Ross Peggy Himes (301) 975-5390 (301) 975-2489 rross@nist.gov peggy.himes@nist.gov Senior Information Security Researchers and Technical Support Marianne Swanson Arnold Johnson (301) 975-3293 (301) 975-3247 marianne.swanson@nist.gov arnold.johnson@nist.gov Dr. Stu Katzke Pat Toth (301) 975-4768 (301) 975-5140 skatzke@nist.gov patricia.toth@nist.gov Comments to: sec-cert@nist.gov World Wide Web: http://csrc.nist.gov/sec-cert

    33. Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Project Manager Administrative Support Dr. Ron Ross Peggy Himes (301) 975-5390 (301) 975-2489 rross@nist.gov peggy.himes@nist.gov Senior Information Security Researchers and Technical Support Marianne Swanson Arnold Johnson (301) 975-3293 (301) 975-3247 marianne.swanson@nist.gov arnold.johnson@nist.gov Dr. Stu Katzke Pat Toth (301) 975-4768 (301) 975-5140 skatzke@nist.gov patricia.toth@nist.gov Comments to: sec-cert@nist.gov World Wide Web: http://csrc.nist.gov/sec-cert

    34. Speaker Biography Ron Ross... is a senior computer scientist and information security researcher at the National Institute of Standards and Technology (NIST). His areas of specialization include security requirements definition, security testing and evaluation, and information assurance. Dr. Ross currently leads the FISMA Implementation Project for NIST, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure. His recent publications include FIPS 199 (the security categorization standard), Special Publication 800-53 (the security controls guideline), and Special Publication 800-37 (the system certification and accreditation guideline). Dr. Ross is also the architect of the risk management framework that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise security program. Dr. Ross previously served as the Director of the National Information Assurance Partnership.

More Related