
Session T- 2


Presentation Transcript


  1. Session T-2: Ensuring Information Security. Bob Ingwalson & Tom Peters, U.S. Department of Education

  2. Secure Your Information

  3. Systems are Vulnerable!

  4. We Implement Security Based on Cost vs. Risk

  5. Protect Sensitive Information • '07 RECAP • In the Office • On the System • Ensuring Security • Incident Detection and Reporting

  6. Office Security • Handling and storage • Phones • Faxes • Shipping and deliveries • CDs/DVDs • Printers • USB/Flash/Thumb drives • Physical Security • Personnel Security • Policy and Procedures

  7. System Security (Defense in Depth) • Policy • Personnel Security • Physical Security • Network Security • Host-based Security • Application Security (source: www.macroview.com/solutions/infosecurity/)

  8. Ensure Security • Federal law requires Federal Agencies to comply with NIST standards • Federal Student Aid security is based on NIST standards and guides • Federal Student Aid uses US-CERT’s reporting guidance for security incidents

  9. Ensuring Security Using the NIST System Security Lifecycle

  10. Security Categorization • Security Categorization begins by identifying the system • Boundaries • Organizational Importance/Criticality • Information Sensitivities • Confidentiality, Integrity and Availability, each rated High, Moderate or Low (CIA - HML) • FIPS 199, SP 800-60

  11. Information Sensitivities
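The categorization step on the previous slides (FIPS 199 / SP 800-60, CIA rated H/M/L) is easy to get wrong when a system handles several information types. The following is an added example, not material from the presentation or from Federal Student Aid: it applies the FIPS 199 "high water mark" across constructed information types to derive the system's per-objective and overall impact level, and it enforces the rule that "N/A" is only permitted for the confidentiality of public information and never for a whole system.

```python
# Added example, not from the presentation: FIPS 199 categorization using
# the "high water mark". Each information type a system handles is rated
# LOW/MODERATE/HIGH for confidentiality, integrity and availability (CIA);
# the system takes the highest rating per objective, and the overall
# impact level is the highest of those three. FIPS 199 allows "N/A" for
# the confidentiality of public information, but never for a whole system,
# so the system-level floor is LOW. The information types below are constructed.

LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def rank(level):
    """Map an impact word to its order; reject anything outside FIPS 199."""
    key = level.strip().upper()
    if key not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS[key]


def categorize_system(info_types):
    """Return {"confidentiality", "integrity", "availability", "overall"} -> level.

    info_types: {name: {"confidentiality": lvl, "integrity": lvl, "availability": lvl}}
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for obj in OBJECTIVES:
        high_water = LEVELS["LOW"]  # system-level floor required by FIPS 199
        for name, ratings in info_types.items():
            r = rank(ratings[obj])
            if r == LEVELS["N/A"] and obj != "confidentiality":
                raise ValueError(f"{name}: N/A is only allowed for confidentiality")
            high_water = max(high_water, r)
        category[obj] = NAMES[high_water]
    category["overall"] = NAMES[max(LEVELS[category[o]] for o in OBJECTIVES)]
    return category


# Constructed sample: a hypothetical aid-processing system, not a real FSA system.
SAMPLE_TYPES = {
    "public program notices":    {"confidentiality": "N/A",      "integrity": "Low",      "availability": "Low"},
    "applicant PII records":     {"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"},
    "disbursement transactions": {"confidentiality": "Moderate", "integrity": "High",     "availability": "Moderate"},
}

if __name__ == "__main__":
    for objective, level in categorize_system(SAMPLE_TYPES).items():
        print(f"{objective:>15}: {level}")
```

The overall level is what drives baseline selection on the next slides: a single HIGH-integrity information type pulls the whole system to the HIGH baseline.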

  12. Security Control Selection • Select controls based on data sensitivity and system criticality • NIST SP 800-53, Recommended Security Controls for Federal Information Systems: "In addition to the agencies of the federal government, state, local, and tribal governments, and private sector organizations that compose the critical infrastructure of the United States, are encouraged to use these guidelines, as appropriate." • 17 Control Families • 171 Controls, each providing high, moderate, and low baselines

  13. Security Control Selection

  14. Security Control Selection: PE-8 ACCESS RECORDS. Control: The organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) that include: (i) name and organization of the person visiting; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited. Designated officials within the organization review the visitor access records [Assignment: organization-defined frequency]. Supplemental Guidance: None. Control Enhancements: (1) The organization employs automated mechanisms to facilitate the maintenance and review of access records. (2) The organization maintains a record of all physical access, both visitor and authorized individuals.

  15. Security Control Refinement (assess the risk – SP 800-30)

  16. Security Control Refinement • High: If an observation or finding is evaluated as high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible. • Moderate: If an observation is rated as moderate risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time. • Low: If an observation is described as low risk, the system's authorizing official must determine whether corrective actions are still required or decide to accept the risk.

  17. Security Control Refinement

  18. Security Control Documentation • Plans of Actions and Milestones (SP 800-37) • Security Control Weaknesses • Plan of remediation • System Security Plan (SP 800-18, SP 800-53) • System Description • Rules of Behavior • Security Controls (in-place and planned) • Contingency Plan (SP 800-34) • Business Impact Analysis (BIA) • System Description • Notification/Activation, Recovery, Deactivation

  19. Security Control Implementation • Implement Plans of Actions and Milestones (POAMs) • Update system controls based on security plan • Use security configuration guides (SP 800-70) • Update System Security Plan

  20. Security Control Assessment (SP 800-53A, SP 800-37) • Independent reviewer (Certification Agent) • Reviews controls identified in System Security Plan • Determines control effectiveness • Use to update POAMs • Provides input to system authorization official

  21. Security Authorization (SP 800-37) Determines Risk to agency, agency assets, or individuals

  22. Security Control Monitoring (SP 800-37, SP 800-53A) • Continuously track changes and new vulnerabilities to system • Vulnerability scans and penetration testing • Audit and log monitoring • Security configuration and compliance • Assessments and reviews • Intrusion detection and prevention systems (IDPSs) for effective incident response

  23. Security Incident Response and Reporting • What's a Security Incident? • An incident can be unintentional or malicious. SP 800-61 states: "A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of incidents are as follows:" • Denial of Service • Malicious Code • Unauthorized Access • Inappropriate Usage

  24. Security Incident Response and Reporting: US-CERT's Classification of Incidents

  25. Security Incident Response and Reporting

  26. Preparation • Creating an incident response policy • Statement of management commitment • Purpose and objectives of the policy • Scope of the policy (to whom and what it applies, and under what circumstances) • Definition of computer security incidents and their consequences within the context of the organization • Organizational structure and delineation of roles, responsibilities, and levels of authority • Prioritization or severity ratings of incidents • Performance measures • Reporting and contact forms

  27. Preparation (cont'd) • Developing procedures for performing incident handling and reporting, based on the incident response policy • Setting guidelines for communicating with outside parties regarding incidents • Selecting a team structure and staffing model • Establishing relationships between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies) • Determining what services the incident response team should provide • Staffing and training the incident response team

  28. Detection and Analysis • Incident Categories • Signs of an Incident • Sources of Precursors and Indications • Incident Analysis • Incident Documentation • Incident Prioritization • Incident Notification

  29. Contain, Eradicate, Recover • Enact your containment strategy • Isolate affected systems • Evidence gathering and evidence handling • Chain of custody • Remove the risks to the systems • Recover the systems • Restore from clean backups • Rebuild systems • Replace compromised files and applications • Install patches • Change passwords

  30. Post-Incident Activities • Lessons Learned (Hotwash) • Be critical • Use collected data • Review security settings (what allowed the incident to occur) • Review what went right and what needs improvement • Evidence Retention • Prosecution • Data Retention • Costs

  31. Resources • Vulnerabilities: • OWASP (http://www.owasp.org) • SANS Top 20 (www.sans.org/top20) • National Vulnerability Database (http://nvd.nist.gov) • cgisecurity (http://www.cgisecurity.com) • Guidance: • National Institute of Standards and Technology (NIST) Computer Security Resource Center (http://csrc.nist.gov/publications/nistpubs/) • Center for Internet Security (CIS) (http://www.cisecurity.org/) • Educause (http://connect.educause.edu/term_view/Cybersecurity)

  32. Questions?

  33. Contact Information • We appreciate your feedback and comments. We can be reached at: • Bob Ingwalson • Phone: 202.377.3563 • Email: Robert.Ingwalson@ed.gov • Fax: 202.275.0907 • Tom Peters • Phone: 202.377.3938 • Email: Thomas.Peters@ed.gov • Fax: 202.275.0907
