1 / 85

Presentation Contents

Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive; Stop 8930 Gaithersburg, MD 20899 (301) 975-4768 skatzke@nist.gov fax: (301) 975-4964. Presentation Contents.

lotus
Download Presentation

Presentation Contents

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information System Security Control Architecture (ISSCA)Stuart Katzke, Ph.D.Senior Research ScientistNational Institute of Standards & Technology100 Bureau Drive; Stop 8930Gaithersburg, MD 20899(301) 975-4768skatzke@nist.govfax: (301) 975-4964

  2. Presentation Contents • Background/motivation • System security C&A (historical perspective) • OMB A-130; Appendix III • Federal Information Security Management Act 2002 (FISMA) • NIST FISMA implementation project • ISSCA • Significance of NIST’s activities to the commercial sector ----------------------------------------------- • Supporting detail

  3. Background/Motivation • NIST’s system security C&A guidance aging (FIPS 102--1983) • OMB A-130Appendix III: Security of Federal Information Resources (1996) • Proliferation of C&A guidance • FIPS 102 (NIST) • DITSCAP (DoD) • NIACAP (NSTISSC/NSS) • Federal Information Security Management Act 2002 (FISMA)

  4. OMB A-130, Management of Federal Information Resources • Requires Federal agencies to: • Plan for security • Implement controls commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information (called adequate security) • Ensure that appropriate officials are assigned security responsibility • Authorize system processing prior to operations and periodically, thereafter. • Consistent with FISMA

  5. Federal Information Security Management Act (FISMA) Title III of E-Government Act of 2002 (Public Law 107-347)

  6. FISMA Requirements • Federal agency information security (IS) program requirements • NIST requirements • Others (not to be addressed today)

  7. Federal Agency Information Security Programs Must Include (1): • Periodic assessments of the risk • Policies and procedures that are: • Risk-based • Cost-effective • Reduce IS risks to an acceptable level • Ensure IS is addressed throughout the system life cycle • Plans for providing adequate IS for networks, facilities, & information systems (i.e., security planning) • Security awareness training to inform personnel (including contractors and other users of information systems) of the IS risks and their responsibilities

  8. Federal Agency Information Security Programs Must Include (2): • Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices with a frequency depending on risk, but no less than annually • Plans and procedures to ensure continuity of operations • Procedures for detecting, reporting, and responding to security incidents including: • Mitigating risks before substantial damage is done • Notifying/consulting with the Federal IS incident response center , law enforcement agencies, IG, other agency or office, in accordance with law or as directed by the President • A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures and practices of the agency

  9. FISMA Tasks for NIST • Standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels • Guidelines recommending the types of information and information systems to be included in each category • Minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category

  10. FISMA Implementation Project • Phase I: To develop standards and guidelines for: • Categorizing Federal information and information systems • Selecting minimum security controls for Federal information systems • Assessing the security controls in Federal information systems Phase II: To create a national network of accredited organizations capable of providing cost effective, quality security assessment services based on the NIST standards and guidelines

  11. FISMA Implementation Project Standards and Guidelines • FIPS Publication 199 (Security Categorization) • NIST Special Publication 800-37 (C&A) • NIST Special Publication 800-53 (Security Controls) • NIST Special Publication 800-53A (Assessment) • NIST Special Publication 800-59 (National Security) • NIST Special Publication 800-60 (Category Mapping) • FIPS Publication 200 (Minimum Security Controls)

  12. Information System Security Control Architecture (ISSCA) • Key activities in managing risk to agency operations, agency assets, or individuals resulting from the operation of an information system— • Categorize the information system • Select set of minimum (baseline) security controls • Refine the security control set based on risk assessment • Document agreed upon security controls in security plan • Implement the security controls in the information system • Assess the security controls • Determine agency-level risk and risk acceptability • Authorize information system operation • Monitor security controls on a continuous basis

  13. FIPS 199 SP 800-60 SP 800-18 SP 800-37 SP 800-53 FIPS 200 SP 800-37 SP 800-53 FIPS 200 Security Categorization Security Control Selection Security Control Refinement Security Control Documentation System Authorization Security Control Monitoring Defines category of information system according to potential impact of loss Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing SP 800-53A SP 800-37 Security Control Implementation Security Control Assessment Implements security controls in new or legacy information systems In system security plan, provides a an overview of the security requirements for the information system and documents the security controls planned or in place Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements Information System Security Control Architecture

  14. Significance of NIST’s activities to the commercial sector (1) • ISSCA applicable to both government and commercial sector organizations • NIST is contributing its standards/guidelines to IEEE as candidates for common industry-government standards/guidelines • NIST Minimum control sets/baselines incorporate security controls from many public and private sector sources: • CC Part 2 • ISO/IEC 17799 • COBIT • GAO FISCAM • NIST SP 800-26 Self Assessment Questionnaire • CMS (healthcare) • D/CID 6-3 Requirements • DoD Policy 8500 • BITS functional packages

  15. Significance of NIST’s activities to the commercial sector (2) • Control sets mapped to threat coverage • Can be adjusted to widen/reduce threat coverage • Can be adjusted based on risk analytic process • Unique, ambitious attempt by NIST to do control mapping • Control sets adaptable and adoptable by other communities • Control catalogue provides a rich set of controls to meet many needs • Communities can tailor control sets/baselines according to their needs • Healthcare (to demonstrate HIPPA compliance) • Other communities

  16. Significance of NIST’s activities to the commercial sector (3) • Based on expectations of wide adoption by US government agencies, NIST standards/guidelines may become de facto “due diligence” for commercial sector • Will result in accredited individuals/organizations competent to perform system security evaluations • NIST invites industry review and comment on applicability of NIST standards/guidelines to commercial sector systems • NIST and IEEE invite participation in security standardization activities

  17. Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Project Manager Assessment Program Dr. Ron Ross Arnold Johnson (301) 975-5390 (301) 975-3247 rross@nist.gov arnold.johnson@nist.gov Special Publications Assessment Methodologies Joan Hash Annabelle Lee (301) 975-3357 (301) 975-2941 joan.hash@nist.gov annabelle.lee@nist.gov Gov’t and Industry Outreach Technical Advisor Dr. Stu Katzke Gary Stoneburner (301) 975-4768 (301) 975-5394 skatzke@nist.gov gary.stoneburner@nist.gov Organizational Accreditations Administrative Support Pat Toth Peggy Himes (301) 975-5140 (301) 975-2489 patricia.toth@nist.gov peggy.himes@nist.gov Comments to: sec-cert@nist.gov World Wide Web: http://csrc.nist.gov/sec-cert

  18. Security Certification (of an IT system) • The comprehensive assessment of the management, operational, and technical security controls in an information system • Assessment supports the security accreditation process • Assessment performed by security expert (may be contractor) • Assesses (in a particular environment of operation) the extent to which the implemented security controls are: • Correctly implemented? • Operating as intended? • Producing the desired outcome with respect to meeting the system’s security requirements

  19. Security Certification (of an IT system)(continued) • Determines remaining vulnerabilities in the information system based on the assessment. • The results of a security certification are used to reassess the risks and update the system security plan • Provides the factual basis for an authorizing official to render a security accreditation decision

  20. Security Accreditation (of an IT system) • Official management decision to authorize operation of a system : • Made by a senior agency official • Is applicable to a particular environment of operation of the IT system • Explicitly accepts the level of residual risk to agency: • Operations (including mission, functions, image or reputation), • Assets, & • Individuals that remain after the implementation of an agree upon set of security controls in the IT system.

  21. Security Accreditation (of an IT system)(continued) • Authorizing agency official accepts: • Responsibility for system’s security • Accountability for adverse impacts of security breaches

  22. C: Assess residual vulnerabilities; A: Assess residual risk C = Certification A = Accreditation Initiation Development/Acquisition Categorize System • Security Planning • Determine Security Requirements • Select Security Controls Disposal Risk Assessment Development/Acquisition Configuration Management and control Information Security Activities Security Control Development Continuous Monitoring of Security Control Effectiveness Operation/ Maintenance • Developmental Security Test & Evaluation • Develop Security Test Plan • Test & Evaluate Security Controls Security Control Integration SecurityAccreditation Implementation C: Determine control effectiveness; Determine & document residual vulnerabilities; A: Assess residual risk; Make accreditation determination System Security Activities (Inside) within the System Development Life Cycle (Outside)

  23. Security Controls:Special Publication 800-53

  24. Special Publication 800-53 The purpose of SP 800-53 is to provide— • Guidance on how to use a FIPS Publication 199 security categorization to identify minimum security controls (baseline) for an information system • Minimum (baseline) sets of security controls for low, moderate, and high impact information systems • Estimated threat coverage for each baseline • A catalog of security controls for information systems requiring additional threat coverage

  25. Applicability • Applicable to all Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542 • Broadly developed from a technical perspective to complement similar guidelines issued by agencies and offices operating or exercising control over national security systems • Provides guidance to Federal agencies until the publication of FIPS Publication 200, Minimum Security Controls for Federal Information Systems

  26. Special Publication 800-53 • Special Publication 800-53 is not a tutorial on the security control selection process or a security engineering handbook. An additional guidance document is needed that addresses: • Relationship of minimum security controls (baselines) to threat coverage • Relationships among basic, enhanced, and strong controls • How to select additional security controls from the control catalogue

  27. Document Architecture • Main Body • Catalog of Security Controls (complete set) • Minimum Security Controls for Low Impact Systems (subset of controls from catalog) • Minimum Security Controls for Moderate Impact Systems (subset of controls from catalog) • Minimum Security Controls for High Impact Systems (subset of controls from catalog) • Estimated Threat Coverage

  28. Security Categorization Potential Impact Security Objective

  29. SP 800-60 Security Categorization Example: Law Enforcement Witness Protection Information System Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories

  30. SP 800-60 Security Categorization Example: Law Enforcement Witness Protection Information System Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories Minimum Security Controls for High Impact Systems

  31. Why High Water Mark • Strong dependencies among security objectives of confidentiality, integrity, and availability • In general, the impact values for all security objectives must be commensurate—a lowering of an impact value for one security objective might affect all other security objectives • Example: A lowering of the impact value for confidentiality and the corresponding employment of weaker security controls may result in a breach of security due to an unauthorized disclosure of system password tables—thus, causing a subsequent integrity loss and denial of service…

  32. Minimum Security Controls • Minimum security controls and associated threat coverage in each of the designated baselines: • Provide a starting point for organizations and communities of interest in their security control selection process • Are used in the within the context of the agency’s ongoing risk management process

  33. Terminology • Security control strength or goodness rating defined in the control catalog as: • Basic • Enhanced • Strong • Appropriate security controls from the catalog are selected to populate the sets of minimum security controls (baselines) for: • Lowimpact information systems • Moderateimpact information systems • Highimpact information systems • No direct correlation between strength/goodness rating and impact level—select the controls best suited to do the job…

  34. Security Control Catalog Complete Set of Basic, Enhanced, and Strong Security Controls Minimum Security Controls Low Impact Information Systems Minimum Security Controls Moderate Impact Information Systems Minimum Security Controls High Impact Information Systems Baseline #1 Baseline #2 Baseline #3 Selection of a subset of security controls from the catalog—all basic level controls Selection of a subset of security controls from the catalog—combination of basic and enhanced controls Selection of a subset of security controls from the catalog—combination of basic, enhanced, and strong controls Minimum Security Controls SetsBaselines Provided by Special Publication 800-53

  35. Security Control Catalog Complete Set of Basic, Enhanced, and Strong Security Controls Minimum Security Controls Low Impact Information Systems Minimum Security Controls Moderate Impact Information Systems Minimum Security Controls High Impact Information Systems Low Baseline Moderate Baseline High Baseline Estimated Threat Coverage Estimated Threat Coverage Estimated Threat Coverage Estimated Threat CoverageProvided by Special Publication 800-53

  36. Starting Point Initial Coverage Security Control Catalog Complete Set Basic, Enhanced, and Strong Security Controls Minimum Security Controls Moderate Impact Information Systems 1 2 3 Additional Security Controls Additional Threat Coverage 4 5 Risk Assessment Process Incorporates Local Conditions and Specific Agency Requirements to Adjust Initial Set of Security Controls Estimated Threat Coverage 3 3 Security Control RefinementAgency-level Activity Guided by Risk Assessment

  37. Tagging of Security Controls Why aren’t security controls partitioned by security objectives (e.g., C, I, A)? • In general, it is difficult to assign proper security objectives (i.e., confidentiality, integrity, or availability) to individual security controls • In many cases, multiple security objectives apply to a single security control • Availability may be the exception due to the potential for downgrading availability impact values during FIPS 199 security categorizations

  38. Cost Effective Implementation:Common Security Controls

  39. Common Security Controls • Common security controls are those controls that can be applied to one or more agency information systems and have the following properties: • The development, implementation, and assessment of common security controls can be assigned to responsible officials or organizational elements (other than the information system owner) • The results from the assessment of the common security controls can be reused in security certifications and accreditations of agency information systems where those controls have been applied

  40. Common Security Controls • Identification of common security controls is an agency-level activity in collaboration with Chief Information Officer, authorizing officials, information system owners, system security managers, and system security officers • Potential for significant cost savings for the agency in security control development, implementation, and assessment

  41. Common Security Controls • Common security controls can be applied agency-wide, site-wide, or to common subsystems and assessed accordingly— For example: • Contingency planning • Incident response planning • Security training and awareness • Physical and personnel security * • Common hardware, software, or firmware ** *Related to the concept of site certification in certain communities **Related to the concept of type certification in certain communities

  42. Responsibility of Information System Owners • Common security controls developed, implemented, and assessed one time by designated agency official(s) • Development and implementation cost amortized across all agency information systems • Results shared among all information system owners and authorizing officials where common security controls are applied Example: Moderate Impact Agency Information Systems • Maximum re-use of assessment evidence during security certification and accreditation of information systems • Security assessment reports provided to information system owners to confirm the security status of common security controls • Assessments of common security controls not repeated; only system specific aspects when necessary System Specific Security Controls Common Security Controls Responsibility of Designated Agency Official Other Than Information System Owner (e.g., Chief Information Officer, Facilities Manager, etc.) Common Security Controls

  43. Certification & Accreditation:Special Publication 800-37

  44. C: Assess residual vulnerabilities; A: Assess residual risk C = Certification A = Accreditation Initiation Development/Acquisition Categorize System • Security Planning • Determine Security Requirements • Select Security Controls Disposal Risk Assessment Development/Acquisition Configuration Management and control Information Security Activities Security Control Development Continuous Monitoring of Security Control Effectiveness Operation/ Maintenance • Developmental Security Test & Evaluation • Develop Security Test Plan • Test & Evaluate Security Controls Security Control Integration SecurityAccreditation Implementation C: Determine control effectiveness; Determine & document residual vulnerabilities; A: Assess residual risk; Make accreditation determination System Security Activities (Inside) within the System Development Life Cycle (Outside)

  45. Key Roles • Authorizing Official • Authorizing Official Designated Representative • Chief Information Officer • Senior Agency Information Security Officer • Information System Owner • Information System Security Officer • Certification Agent • User Representatives

  46. Authorizing Official • Reviews and approves the security categorizations of information systems • Reviews and approves system security plans • Determines agency-level risk from information generated during the security certification • Makes accreditation decisions and signs associated transmittal letters for accreditation packages (authorizing official only) • Reviews security status reports from continuous monitoring operations; initiates reaccreditation actions

  47. Designated Representative • Selected by the authorizing official to coordinate and carry out the necessary activities required during the security certification and accreditation process • Empowered to make certain decisions with regard to the: • Planning and resourcing of the security certification and accreditation activities • Acceptance of the system security plan • Determination of risk to agency operations, assets, and individuals • Prepares accreditation decision letter • Obtains authorizing official’s signature on the accreditation decision letter and transmits accreditation package to appropriate agency officials

  48. Chief Information Officer • Designates a senior agency information security officer • Develops and maintains information security policies, procedures, and control techniques to address all applicable requirements • Trains and oversees personnel with significant responsibilities for information security • Assists senior agency officials concerning their security responsibilities • Coordinates with other senior agency officials, reporting annually to the agency head on the effectiveness of the agency information security program

  49. Senior Agency Information Security Officer • Serves in a position with primary responsibilities and duties related to information security • Carries out the Chief Information Officer responsibilities under FISMA • Possesses professional qualifications required to administer information security program functions • Heads an office with the mission and resources to assist in ensuring agency compliance with FISMA

  50. Information System Owner • Procures, develops, integrates, modifies, operates or maintains an information system. • Prepares system security plan and conducts risk assessment • Informs agency officials of the need for certification and accreditation; ensures appropriate resources are available • Provides necessary system-related documentation to the certification agent • Prepares plan of action and milestones to reduce or eliminate vulnerabilities in the information system • Assembles final accreditation package and submits to authorizing official

More Related