NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups. Manage Risk by Building Information Security into Your Projects Addendum to the NYS Project Management Guidebook May 26, 2010. Deborah Snyder, CISSP, GIAC GSLC, PMP

NYS Forum Joint Initiative: Security, Project Management & Business Continuity Workgroups

Manage Risk by Building Information Security into Your Projects

Addendum to the NYS Project Management Guidebook

May 26, 2010

Deborah Snyder, CISSP, GIAC GSLC, PMP

NYS Office of Temporary & Disability Assistance

(518) 473-3195

Deborah.Snyder@otda.state.ny.us

Mark Spreitzer, CBCP

CGI Group Inc.

917.304.1966

mark.spreitzer@cgi.com

Agenda
  • Welcome and Announcements
    • Chuck Weiss
  • Project Management, Information Security & Business Continuity Work Groups
    • Introductions
    • PM lifecycle & the Secure SDLC
    • Risk Management – Relationship to PM processes
    • 5-Phase Secure SDLC Process
    • Framework for applying Security & BC considerations to each Phase
    • Benefits
    • Resources
  • Q & A
Introduction: Project Management Work Group
  • Co-Chairs
    • Brenda Breslin (NYS Department of Health)
    • Vivian Conboy (Dept. of Tax & Finance)
    • Chris Foster (CGI Technologies and Solutions Inc.)
    • Jon Haverly (Keane Inc.)
  • Overview
    • Support government entities and their PMs
      • as they adopt PM standards and practices,
      • establish PMOs,
      • implement program and portfolio management within their organizations
    • PM Community of Practice provides interactive exchange of ideas, practices, and lessons learned
    • PMO Roundtable to support PM implementation methods


Introduction: Security Work Group
  • Co-Chairs
    • Deb Snyder (NYS OTDA), Bob Spina (CISCO), Joe Lynch (ORACLE) & Ted Phelps (SUNY)
  • Overview
    • Work in collaboration with state & local agencies to develop education/training opportunities & tools that address information security issues
    • Support the Information Security Community of Practice
    • Strong working relationships with NYS OFT/CIO & the Office of Cyber Security & Critical Infrastructure Coordination (CSCIC)
    • International MS-ISAC Security Webcasts
    • Educational workshops, seminars & events


Introduction: Business Continuity (BC) Work Group
  • Co-Chairs:
    • David DeMatteo (SEMO)
    • Ken Mason (SED)
    • Mark Spreitzer, CBCP (CGI)
  • Overview:
    • Primary focus is on the “how to” of business continuity planning
    • Intended to help facilitate “best practice” development amongst state and local resources & representatives of the IT Corporate Roundtable
    • Provide education & training opportunities
    • Collaborate on tools that address BC planning needs
    • Work to emphasize the importance of BC planning in NYS Government, in the absence of an explicit requirement


From an Operational Perspective…

Project Management Life Cycle
  • Focus on Implementation
  • Management roles & responsibilities
  • Framework for planning & managing work
  • Develop & manage project plan (scope, schedule)
  • Distinguish PM effort from SD effort

System Development Life Cycle
  • Focus on Operations
  • Technical roles & responsibilities
  • Framework for solving business needs with technology
  • Design & construct system components (modules, databases)
  • Distinguish SD effort from PM effort

Phase Relationships (diagram)
  • PM Life Cycle: Origination, Initiation, Planning, Execution, Closeout
  • SDLC: Initiation, Acquisition/Development, Implementation/Assessment, Operations & Maintenance, Production, Disposal

Secure SDLC (High Level)

Diagram: the three life cycles side by side
  • PM Life Cycle: Origination, Initiation, Planning, Execution, Maintenance, Closeout
  • SDLC: Initiation, Acquisition/Development, Implementation/Assessment, Operations & Maintenance, Disposal
  • SSDLC (focuses on Information Security & Business Continuity): Preparation; Risk Level & Security Planning; Security Requirements & Controls; Security Testing, Documentation, C&A; Acceptance & Change Management; Disposition / Transition

Secure System Development Life Cycle (SSDLC) Principles
  • To be effective, information security must be integrated from the inception of the project and given adequate consideration throughout the SDLC.
  • Information security controls applied to a particular information system must be commensurate with its criticality and sensitivity.
  • SSDLC: a conceptual framework to ensure this occurs…
  • Structured process and core set of analysis steps and planning considerations to integrate info-security into the SDLC
  • Helps identify, evaluate & minimize info-security risk
  • Defines info-security requirements, appropriate security level & measures/controls to adequately protect the asset
  • Produces clear, well-documented information security plan
  • Based on industry standards, well-established practices, fundamental security principles and concepts
Secure SDLC

SSDLC “Roadmap” example…

Information Security considerations, checkpoints & deliverables across the SDLC

Source: NYS OTDA ISO, Secure SDLC Roadmap

NIST Special Publications

NIST = National Institute of Standards & Technology
  • Chartered to promote & protect the economy & public welfare; collaborates with industry, government & academic organizations; used by FEMA for framework development
  • Defines Security to include Business Continuity and Contingency Planning (CP)
  • Integrates Security activities into the system development life cycle (SDLC)
  • Outlines key security roles and responsibilities
  • Defines Security/BC components as control objectives (Control Gates - permission to proceed)

NIST Special Publication 800 series guidance: http://csrc.nist.gov/publications/PubsSPs.html
  • SP 800-12, An Introduction to Computer Security: The NIST Handbook
  • SP 800-18, Guide for Developing Security Plans for Information Technology Systems
  • SP 800-27, Engineering Principles for Information Technology Security
  • SP 800-30, Risk Management Guide for IT Systems
  • SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  • SP 800-39, Managing Risk from Information Systems: An Organizational Perspective
  • SP 800-34, Contingency Planning
  • SP 800-53, Recommended Security Controls & Annexes 1, 2, 3
  • SP 800-60, Mapping Types of Information & Information Systems to Security Categorization Levels
  • SP 800-64, Security Considerations in the System Development Life Cycle
  • SP 800-84, Testing, Training and Exercising
  • NIST SDLC Brochure, August 2004, Information Security in the SDLC: http://csrc.nist.gov/SDLCinfosec

Federal Information Processing Standards (FIPS): http://csrc.nist.gov/publications/PubsFIPS.html
  • FIPS 199, Standards for Security Categorization
  • FIPS 140-2, Security Requirements for Cryptographic Modules

FEMA Continuity Guidance Circular 1 (CGC1): www.fema.gov/pdf/about/org/ncp/cont_guidance1.pdf
NIST’s Security in the SDLC
  • Source: NIST SDLC Brochure (Aug. 2004), Information Security in the SDLC.
Risk Management: Relationship to All Other PM Functions

Diagram: Project Risk Management sits at the center, linked to each of the other PM functions and the variables it exchanges with them:
  • Integration: Life Cycle & Environment Variables
  • Scope: Expectations, Feasibility
  • Communications: Ideas, Directives, Data Exchange Accuracy
  • Cost: Cost Objectives, Restraints
  • Time: Time Objectives, Restraints
  • Quality: Requirements, Standards
  • Procurement: Services, Plant, Materials: Performance
  • Human Resources: Availability, Productivity

Source: Project & Program Risk Management, A Guide to Managing Project Risks & Opportunities, p. II-2.

Integrated Risk Management

RM can be viewed as a holistic activity that is fully integrated into every aspect of the organization

RM is driven by organization (mission) risk


  • Source: NIST SP 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission and Information System View.
Risk Management Framework


  • Source: NIST Risk Management Framework http://csrc.nist.gov/groups/SMA/fisma/framework.html & http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/index.html
Some Key Terms… (see handout)
  • After Action Review
  • Artifact
  • Business Continuity (Contingency Planning)
  • Business Impact Analysis (BIA)
  • Controls, Safeguards & Countermeasures
  • Control Gates
  • Information Resources
  • Information Security (Confidentiality, Integrity, Availability)
  • Information System
  • Plan of Action and Milestones (POA&M)
  • Recovery Time Objective (RTO)
  • Recovery Point Objective (RPO)
  • Risk & Residual Risk
  • Risk Management

Phase 1: Initiation – Resources, Expectations, LOE & Schedule

Life-cycle alignment (diagram)
  • PM Life Cycle: Origination, Initiation, Planning
  • SDLC: Initiation
  • SSDLC (focuses on Information Security & Business Continuity): Preparation; Risk Level & Security Planning

KEY PROCESSES
  • Initial Security Planning
  • Categorize System
  • Privacy Impact Analysis
  • Ensure Secure SDLC
  • Preliminary Risk Assessment
  • Business Impact Assessment
  • Availability requirements analysis
  • Vital Records Analysis
    • Data and documentation

ARTIFACTS
  • Awareness Training
  • Security Categorization
  • High Level Security Requirements
  • Development/Coding Standards
  • QA Plans
  • Draft Privacy Impact Assessment
  • Linkages to Business Drivers
  • Core System Components
  • Draft Business Impact Analysis
    • Initial RTO/RPO

Phase 2: Acquisition / Development – Requirements & Control Selection

Life-cycle alignment (diagram)
  • PM Life Cycle: Execution
  • SDLC: Acquisition/Development, Implementation/Assessment
  • SSDLC (focuses on Information Security & Business Continuity): Security Requirements & Controls; Security Testing, Documentation, C&A

KEY PROCESSES
  • Update Prelim. Risk Assessment
  • Select & Document Security Controls
  • Design Security Architecture
  • Engineer Security in – Develop Controls
  • Recovery Strategy
  • Draft Contingency Plan
    • COOP, BC, DR
    • Vital records analysis
  • Test, Train & Exercise (TT&E)

ARTIFACTS
  • Updated Risk Assessment
  • Security Plan & list of Variations
  • List of Shared Services & Risks
  • Security Integration Schematic
  • BC & DR Concept of Operations
  • Contingency Plan (drafts)
    • Notification/activation, incident response
    • Recovery & Reconstitution
  • Common Controls
  • TT&E Results
    • Policy & Control Adjustments
    • Scenarios & Additional Documentation
    • Test Results (incl. variations)

Phase 3: Implementation / Assessment – Documenting Results (Baseline)

Life-cycle alignment (diagram)
  • PM Life Cycle: Execution, Maintenance
  • SDLC: Acquisition/Development, Implementation/Assessment
  • SSDLC (focuses on Information Security & Business Continuity): Security Requirements & Controls; Security Testing, Documentation, C&A

KEY PROCESSES
  • Finalize Detailed Security Plan
  • Create detailed C&A Plan
  • Control Integration
  • System Security Assessment
  • Product / Component Inspection
  • Finalize BC, COOP & DR
  • Control Integration
  • Implement Vital Records program
  • Certification/Acceptance
  • TT&E

ARTIFACTS
  • Verified Operational Security Controls
  • C&A Work Plan
  • Completed System Documentation
  • Security Assessment Report
  • Security Authorization Decision
  • BC, COOP & DR Plans
  • Updated backup processes
  • After Action Review
  • TT&E Plan &
  • Statement of residual risk

Phase 4: Operations / Maintenance

Life-cycle alignment (diagram)
  • PM Life Cycle: Maintenance, Closeout
  • SDLC: Operations & Maintenance, Disposal
  • SSDLC (focuses on Information Security & Business Continuity): Acceptance & Change Management; Disposition / Transition

KEY PROCESSES
  • Awareness Campaign
  • Configuration Management
  • Continuous Monitoring
  • TT&E
  • Change Control
  • Incident Management
  • Recertification/Acceptance

ARTIFACTS
  • Evaluation/Impact of Changes
  • Change Control Approvals
  • Updated Security Documentation
  • Continuous Monitoring Results
  • Updated Authorization Pkg.
  • Authority to Operate (Decision)
  • Security Evaluations / Audits
  • POA&M Review
  • Exercise Schedule
  • After Action Reviews
  • Recoverability Statement
  • BCP Evaluations / Audits

Phase 5: Disposal (Sunset)

Life-cycle alignment (diagram)
  • Continuous Monitoring
  • PM Life Cycle: Closeout
  • SDLC: Operations & Maintenance, Disposal
  • SSDLC (focuses on Information Security & Business Continuity): Acceptance & Change Management; Disposition / Transition

KEY PROCESSES
  • Disposal / Transition Planning
    • (migration to new system)
  • Ensure Information Preservation
  • Media Sanitization
  • Hardware/Software Disposal
  • Control Catalog review
  • Close System
  • Business Link Analysis
    • Interdependencies
    • Enterprise BCP
  • Impact analysis
  • Review service agreements

ARTIFACTS
  • Disposal/Transition Plan
  • Hardware/Software Disposition
    • Reallocation/Sanitization Records
  • System Closure Documentation
  • Information Archiving
  • Update SLAs & MOUs
  • Updated Security Controls
  • Enterprise plan updates
    • Value Chains
    • BC, COOP & DR plans
  • Updated BCP Controls

Mapping Risk Management to the SDLC

Enterprise Risk Management
  • Review Risk
  • Assess controls
    • identify
    • document
    • implement
    • monitor

Diagram: enterprise functions shown alongside the life cycles
  • Enterprise Architecture & SDLC
  • Information Systems Management
  • IT Alignment and Planning
  • IS Architecture
  • Compliance
  • Financial Management
  • Risk Management
  • Capital Planning and Investment
  • Certification & Accreditation
  • Information Security
  • Risk Based Funding Requests
  • Continuous Monitoring

Life cycles (diagram)
  • PM Life Cycle: Origination, Initiation, Planning, Execution, Closeout
  • SDLC: Initiation, Acquisition/Development, Implementation/Assessment, Operations & Maintenance, Disposal
  • SSDLC: Risk Level & Security Planning; Security Requirements & Controls; Security Testing, Documentation, C&A; Acceptance & Change Management; Disposition / Transition
Further Observations
  • All Processes and Artifacts are scalable
    • Preliminary Risk Assessment defines impact & requirements
    • “Right Size” for your project
    • Use common sense
  • Business Continuity & Information Security interrelate
  • Common Purpose, Artifacts & Goals
    • Confidentiality
    • Integrity
    • Availability
Reflections on SEI | Carnegie Mellon

“The surest way to leave risks undocumented is to make the program risks accessible to all members.”

An undocumented risk can get lost to everyone -- far better to have risks documented privately than not documented at all.

  • Engage a Security team early
    • Encourages work team agreements on risks and an end-point against which to identify and analyze
    • Provides a standard way of capturing (documenting) risks
    • Positions facilitators practiced and comfortable with writing risks in front of a group
  • Support good risk identification
    • Encourage documentation of risks privately at the working team level
    • Integrate risk identification and management into normal project management
    • Accept any risk identified – don’t “vet them out”
    • Acknowledge that the program’s decision-makers are the real “risk managers,” and have the decision-makers step up to the job

CMMI Capability Maturity Model


  • More Information on CMMI - www.sei.cmu.edu/searchresults.cfm & www.sei.cmu.edu/cmmi/tools/dev/index.cfm
Benefits
  • Advances Organization along CMM
  • Informed, Risk Management-based decisions
  • Improved organization and customer confidence
  • Awareness campaigns
  • Education, ownership/adoption and usage
  • Lower total effort & cost
  • Improved interoperability and integration
  • Early identification of controls
  • Proven methods and techniques
  • Reuse of strategies and tools
  • Shared security services
  • Improved Security & Compliance Posture

Questions

Deborah Snyder, CISSP, GSLC, PMP

NYS Office of Temporary & Disability Assistance

(518) 473-3195

Deborah.Snyder@otda.state.ny.us

Mark Spreitzer, CBCP

CGI Group Inc.

(917) 304-1966

Mark.Spreitzer@cgi.com