
NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups. Manage Risk by Building Information Security into Your Projects Addendum to the NYS Project Management Guidebook May 26, 2010. Deborah Snyder, CISSP, GIAC GSLC, PMP



Presentation Transcript


  1. NYS Forum Joint Initiative: Security, Project Management & Business Continuity Workgroups
Manage Risk by Building Information Security into Your Projects
Addendum to the NYS Project Management Guidebook
May 26, 2010
Deborah Snyder, CISSP, GIAC GSLC, PMP, NYS Office of Temporary & Disability Assistance, (518) 473-3195, Deborah.Snyder@otda.state.ny.us
Mark Spreitzer, CBCP, CGI Group Inc., 917.304.1966, mark.spreitzer@cgi.com

  2. Agenda
• Welcome and Announcements (Chuck Weiss)
• Project Management, Information Security & Business Continuity Work Groups: Introductions
• PM lifecycle & the Secure SDLC
• Risk Management – Relationship to PM processes
• 5-Phase Secure SDLC Process
• Framework for applying Security & BC considerations to each Phase
• Benefits
• Resources
• Q & A

  3. Introduction: Project Management Work Group
• Co-Chairs
  • Brenda Breslin (NYS Department of Health)
  • Vivian Conboy (Dept. of Tax & Finance)
  • Chris Foster (CGI Technologies and Solutions Inc.)
  • Jon Haverly (Keane Inc.)
• Overview
  • Support government entities and their PMs as they adopt PM standards and practices, establish PMOs, and implement program and portfolio management within their organizations
  • PM Community of Practice provides interactive exchange of ideas, practices, and lessons learned
  • PMO Roundtable to support PM implementation methods

  4. Introduction: Security Work Group
• Co-Chairs
  • Deb Snyder (NYS OTDA), Bob Spina (CISCO), Joe Lynch (ORACLE) & Ted Phelps (SUNY)
• Overview
  • Work in collaboration with state & local agencies to develop education/training opportunities & tools that address information security issues
  • Support the Information Security Community of Practice
  • Strong working relationships with NYS OFT/CIO & the Office of Cyber Security & Critical Infrastructure Coordination (CSCIC)
  • International MS-ISAC Security Webcasts
  • Educational workshops, seminars & events

  5. Introduction: Business Continuity (BC) Work Group
• Co-Chairs
  • David DeMatteo (SEMO)
  • Ken Mason (SED)
  • Mark Spreitzer, CBCP (CGI)
• Overview
  • Primary focus is on the “how to” of business continuity planning
  • Intended to help facilitate “best practice” development amongst state and local resources & representatives of the IT Corporate Roundtable
  • Provide education & training opportunities
  • Collaborate on tools that address BC planning needs
  • Work to emphasize the importance of BC planning in NYS Government, in lieu of an explicit requirement

  6. Project Management Life Cycle vs. System Development Life Cycle
• Project Management Life Cycle
  • Focus on Implementation
  • Management roles & responsibilities
  • Framework for planning & managing work
  • Develop & manage project plan (scope, schedule)
  • Distinguish PM effort from SD effort
• System Development Life Cycle
  • Focus on Operations
  • Technical roles & responsibilities
  • Framework for solving business needs with technology
  • Design & construct system components (modules, databases)
  • Distinguish SD effort from PM effort
• Phase Relationships (from an operational perspective), PM phase paired with SDLC phase:
  • Origination, Initiation – Initiation
  • Planning – Acquisition/Development
  • Execution – Implementation/Assessment, Operations & Maintenance
  • Closeout – Production, Disposal

  7. PM Life Cycle, SDLC and Secure SDLC (High Level)
The SSDLC focuses on Information Security & Business Continuity. Each row pairs the PM phase, the SDLC phase and the SSDLC focus:
• Origination, Initiation – Initiation – Risk Level & Security Planning
• Planning, Execution – Acquisition/Development – Security Requirements & Controls
• Execution – Implementation/Assessment – Security Testing, Documentation, C&A
• Maintenance – Operations & Maintenance – Acceptance & Change Management
• Closeout – Disposal – Disposition/Transition

  8. Secure System Development Life Cycle (SSDLC) Principles
• To be effective, information security must be integrated from inception of the project and ensured adequate consideration throughout the SDLC.
• Information security controls applied to a particular information system must be commensurate with its criticality and sensitivity.
• SSDLC – a conceptual framework to ensure this occurs:
  • Structured process and core set of analysis steps and planning considerations to integrate info-security into the SDLC
  • Helps identify, evaluate & minimize info-security risk
  • Defines info-security requirements, the appropriate security level & the measures/controls to adequately protect the asset
  • Produces a clear, well-documented information security plan
  • Based on industry standards, well-established practices, and fundamental security principles and concepts

  9. Secure SDLC “Roadmap” example
Information Security considerations, checkpoints & deliverables across the SDLC.
Source: NYS OTDA ISO, Secure SDLC Roadmap

  10. NIST Special Publications
NIST = National Institute of Standards & Technology
• Chartered to promote & protect the economy & public welfare; collaborates with industry, government & academic organizations; used by FEMA for framework development
• Defines Security to include Business Continuity and Contingency Planning (CP)
• Integrates Security activities into the system development life cycle (SDLC)
• Outlines key security roles and responsibilities
• Defines Security/BC components as control objectives (Control Gates – permission to proceed)
NIST Special Publication 800 series Guidance: http://csrc.nist.gov/publications/PubsSPs.html
• SP 800-12, An Introduction to Computer Security: The NIST Handbook
• SP 800-18, Guide for Developing Security Plans for Information Technology Systems
• SP 800-27, Engineering Principles for Information Technology Security
• SP 800-30, Risk Management Guide for Information Technology Systems
• SP 800-34, Contingency Planning Guide
• SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• SP 800-39, Managing Risk from Information Systems: An Organizational Perspective
• SP 800-53, Recommended Security Controls & Annexes 1, 2, 3 (Low, Moderate and High baselines)
• SP 800-60, Guide for Mapping Types of Information & Information Systems to Security Categories
• SP 800-64, Security Considerations in the System Development Life Cycle
• SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
• NIST SDLC Brochure, August 2004, Information Security in the SDLC: http://csrc.nist.gov/SDLCinfosec
Federal Information Processing Standards (FIPS): http://csrc.nist.gov/publications/PubsFIPS.html
• FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
• FIPS 140-2, Security Requirements for Cryptographic Modules
FEMA Continuity Guidance Circular 1 (CGC 1): www.fema.gov/pdf/about/org/ncp/cont_guidance1.pdf

  11. NIST’s Security in the SDLC
• Source: NIST SDLC Brochure (Aug. 2004), Information Security in the SDLC.

  12. Risk Management: Relationship to All Other PM Functions
[Diagram: Project Risk Management at the centre, linked to each of the other PM functions by what the two exchange]
• Integration: Life Cycle & Environment Variables
• Scope: Expectations, Feasibility
• Communications: Ideas, Directives, Data Exchange Accuracy
• Cost: Objectives, Restraints
• Time: Objectives, Restraints
• Quality: Requirements, Standards
• Procurement: Services, Plant, Materials: Performance
• Human Resources: Availability, Productivity
Source: Project & Program Risk Management, A Guide to Managing Project Risks & Opportunities, p. II-2.

  13. Integrated Risk Management
• RM can be viewed as a holistic activity that is fully integrated into every aspect of the organization
• RM is driven by organization (mission) risk
• Source: NIST SP 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission and Information System View.

  14. Risk Management Framework
• Source: NIST Risk Management Framework, http://csrc.nist.gov/groups/SMA/fisma/framework.html & http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/index.html

  15. Some Key Terms (see handout)
• After Action Review
• Artifact
• Business Continuity (Contingency Planning)
• Business Impact Analysis (BIA)
• Controls, Safeguards & Countermeasures
• Control Gates
• Information Resources
• Information Security (Confidentiality, Integrity, Availability)
• Information System
• Plan of Action and Milestones (POA&M)
• Recovery Time Objective (RTO)
• Recovery Point Objective (RPO)
• Risk & Residual Risk
• Risk Management

  16. Phase 1: Initiation (Resources, Expectations, LOE & Schedule)
PM Life Cycle: Origination, Initiation; SDLC: Initiation; SSDLC: Risk Level & Security Planning (focuses on Information Security & Business Continuity)
• KEY PROCESSES
  • Initial Security Planning
  • Categorize System
  • Privacy Impact Analysis
  • Ensure Secure SDLC
  • Preliminary Risk Assessment
  • Business Impact Assessment
  • Availability requirements analysis
  • Vital Records Analysis
  • Data and documentation
• ARTIFACTS
  • Awareness Training
  • Security Categorization
  • High Level Security Requirements
  • Development/Coding Standards
  • QA Plans
  • Draft Privacy Impact Assessment
  • Linkages to Business Drivers
  • Core System Components
  • Draft Business Impact Analysis
  • Initial RTO/RPO

  17. Phase 1: Initiation – Level of Risk (Relating security considerations)

  18. Phase 2: Acquisition / Development (Requirements & Control Selection)
PM Life Cycle: Planning, Execution; SDLC: Acquisition/Development; SSDLC: Security Requirements & Controls (focuses on Information Security & Business Continuity)
• KEY PROCESSES
  • Update Prelim. Risk Assessment
  • Select & Document Security Controls
  • Design Security Architecture
  • Engineer Security in – Develop Controls
  • Recovery Strategy
  • Draft Contingency Plan (COOP, BC, DR)
  • Vital records analysis
  • Test, Train & Exercise (TT&E)
• ARTIFACTS
  • Updated Risk Assessment
  • Security Plan & list of Variations
  • List of Shared Services & Risks
  • Security Integration Schematic
  • BC & DR Concept of Operations
  • Contingency Plan (drafts): Notification/activation, incident response; Recovery & Reconstitution
  • Common Controls
  • TT&E Results
  • Policy & Control Adjustments
  • Scenarios & Additional Documentation
  • Test Results (incl. variations)

  19. Phase 2: Acquisition / Development – Control Selection (Relating Security Considerations)
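The Phase 1 step “Categorize System” (artifact: Security Categorization) and the Phase 2 step “Select & Document Security Controls” are the two places where FIPS 199 and SP 800-53 from the resources slide actually do work: each information type on the system gets a confidentiality/integrity/availability impact, the system's category is the per-objective high-water mark across those types, the overall impact level is the high-water mark across the three objectives, and that level picks the SP 800-53 baseline that tailoring then starts from. The Python below is an added example written for this page; it is not code from the NYS Forum deck or from OTDA's roadmap. The information types, their impact values, and the five control-to-baseline pairings in BASELINE_CONTROLS are constructed for illustration (the names InfoType, categorize, overall_impact, baseline_controls and SAMPLE_TYPES are this example's own); a real categorization takes its provisional levels from SP 800-60 and its baselines from the current SP 800-53 tables.

```python
"""FIPS 199 security categorization with the high-water mark rule, followed by
the SP 800-53 baseline that the resulting impact level selects.

Added example for this page, not code from the NYS Forum presentation.
Every information type, impact value and control/baseline pairing below is
constructed for illustration; use SP 800-60 and SP 800-53 for a real system.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() is the high-water mark."""
    NA = 0        # "not applicable": allowed only for confidentiality of public info
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One information type the system stores or processes (SP 800-60 style)."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self):
        # FIPS 199 permits NA only for confidentiality: a system always has
        # some integrity and availability impact, so reject NA there.
        if self.integrity == Impact.NA or self.availability == Impact.NA:
            raise ValueError(f"{self.name}: integrity/availability cannot be NA")


def categorize(info_types):
    """Per-objective high-water mark across every information type on the system.

    Returns (confidentiality, integrity, availability) for the system as a whole.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return (
        max(t.confidentiality for t in info_types),
        max(t.integrity for t in info_types),
        max(t.availability for t in info_types),
    )


def overall_impact(confidentiality, integrity, availability):
    """System impact level: high-water mark across the three objectives (FIPS 200).

    An NA confidentiality value never lowers the result because integrity and
    availability are always at least LOW.
    """
    return max(confidentiality, integrity, availability)


def categorization_statement(system_name, confidentiality, integrity, availability):
    """Render the categorization in the FIPS 199 'SC system = {...}' form."""
    return (
        f"SC {system_name} = {{(confidentiality, {confidentiality.name}), "
        f"(integrity, {integrity.name}), (availability, {availability.name})}}"
    )


# Constructed, illustrative subset of the SP 800-53 baseline allocation.
# Value = lowest baseline in which the control appears; a control in the Low
# baseline is also in the Moderate and High baselines.
BASELINE_CONTROLS = {
    "AC-2 Account Management": Impact.LOW,
    "CP-2 Contingency Plan": Impact.LOW,
    "CP-9 Information System Backup": Impact.LOW,
    "SC-8 Transmission Integrity": Impact.MODERATE,
    "AU-10 Non-repudiation": Impact.HIGH,
}


def baseline_controls(level):
    """Controls the overall impact level pulls in before any tailoring."""
    if level == Impact.NA:
        raise ValueError("overall impact level cannot be NA")
    return sorted(c for c, floor in BASELINE_CONTROLS.items() if level >= floor)


# Constructed sample: a benefits case-management system carrying three
# information types whose impact values were chosen for illustration only.
SAMPLE_TYPES = [
    InfoType("Public program guidance (web content)", Impact.NA, Impact.LOW, Impact.LOW),
    InfoType("Client case records (PII)", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("Benefit payment instructions", Impact.MODERATE, Impact.MODERATE, Impact.MODERATE),
]


if __name__ == "__main__":
    c, i, a = categorize(SAMPLE_TYPES)
    print(categorization_statement("Benefits Case System", c, i, a))
    level = overall_impact(c, i, a)
    print("overall impact:", level.name)
    for control in baseline_controls(level):
        print("  baseline control:", control)
```

Two details matter in practice. The public web content carries an NA confidentiality value, and the max() over an IntEnum handles that correctly: it neither drags the system's confidentiality down nor counts as LOW, while integrity and availability can never be NA. And the sorted control list is only the starting baseline; the Security Plan's “list of Variations” from the Phase 2 artifacts is where tailoring decisions (scoping, compensating controls, common controls inherited from shared services) get recorded against it.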

  20. Phase 3: Implementation / Assessment (Documenting Results – Baseline)
PM Life Cycle: Execution; SDLC: Implementation/Assessment; SSDLC: Security Testing, Documentation, C&A (focuses on Information Security & Business Continuity)
• KEY PROCESSES
  • Finalize Detailed Security Plan
  • Create detailed C&A Plan
  • Control Integration
  • System Security Assessment
  • Product / Component Inspection
  • Finalize BC, COOP & DR
  • Implement Vital Records program
  • Certification/Acceptance
  • TT&E
• ARTIFACTS
  • Verified Operational Security Controls
  • C&A Work Plan
  • Completed System Documentation
  • Security Assessment Report
  • Security Authorization Decision
  • BC, COOP & DR Plans
  • Updated backup processes
  • After Action Review
  • TT&E Plan
  • Statement of residual risk

  21. Phase 3: Implementation / Assessment – Documenting Results (Baseline)

  22. Phase 4: Operations / Maintenance
PM Life Cycle: Maintenance; SDLC: Operations & Maintenance; SSDLC: Acceptance & Change Management (focuses on Information Security & Business Continuity)
• KEY PROCESSES
  • Awareness Campaign
  • Configuration Management
  • Continuous Monitoring
  • TT&E
  • Change Control
  • Incident Management
  • Recertification/Acceptance
• ARTIFACTS
  • Evaluation/Impact of Changes
  • Change Control Approvals
  • Updated Security Documentation
  • Continuous Monitoring Results
  • Updated Authorization Pkg.
  • Authority to Operate (Decision)
  • Security Evaluations / Audits
  • POA&M Review
  • Exercise Schedule
  • After Action Reviews
  • Recoverability Statement
  • BCP Evaluations / Audits

  23. Phase 4: Operations / Maintenance – Acceptance & Change Management

  24. Phase 5: Disposal (Sunset)
PM Life Cycle: Closeout; SDLC: Disposal; SSDLC: Disposition/Transition (focuses on Information Security & Business Continuity)
• KEY PROCESSES
  • Disposal / Transition Planning (migration to new system)
  • Ensure Information Preservation
  • Media Sanitization
  • Hardware/Software Disposal
  • Control Catalog review
  • Close System
  • Business Link Analysis
  • Interdependencies
  • Enterprise BCP
  • Impact analysis
  • Review service agreements
• ARTIFACTS
  • Disposal/Transition Plan
  • Hardware/Software Disposition
  • Reallocation/Sanitization Records
  • System Closure Documentation
  • Information Archiving
  • Update SLAs & MOUs
  • Updated Security Controls
  • Enterprise plan updates
  • Value Chains
  • BC, COOP & DR plans
  • Updated BCP Controls

  25. Phase 5: Disposal (Sunset) – Data & Partners

  26. Mapping Risk Management to the SDLC
[Diagram: enterprise risk management activities laid over the PM / SDLC / SSDLC phases]
• Enterprise Risk Management: Review Risk; Assess controls (identify, document, implement, monitor)
• Enterprise Architecture & SDLC / Information Systems Management activities shown across the phases: IT Alignment and Planning, IS Architecture, Compliance Planning, Financial Management, Risk Management, Capital Planning and Investment, Certification & Accreditation, Information Security, Risk Based Funding Requests, Continuous Monitoring
• Phases (PM – SDLC – SSDLC):
  • Origination, Initiation – Initiation – Risk Level & Security Planning
  • Planning, Execution – Acquisition/Development – Security Requirements & Controls
  • Execution – Implementation/Assessment – Security Testing, Documentation, C&A
  • Maintenance – Operations & Maintenance – Acceptance & Change Management
  • Closeout – Disposal – Disposition/Transition

  27. Further Observations
• All Processes and Artifacts are scalable
  • Preliminary Risk Assessment defines impact & requirements
  • “Right Size” for your project
  • Use common sense
• Business Continuity & Information Security interrelate
  • Common Purpose, Artifacts & Goals: Confidentiality, Integrity, Availability

  28. Reflections on SEI | Carnegie Mellon
“The surest way to leave risks undocumented is to make the program risks accessible to all members.” An undocumented risk can get lost to everyone -- far better to have risks documented privately than not documented at all.
• Engage a Security team early
  • Encourages work team agreements on risks and an end-point against which to identify and analyze
  • Provides a standard way of capturing (documenting) risks
  • Positions facilitators practiced and comfortable with writing risks in front of a group
• Support good risk identification
  • Encourage documentation of risks privately at the working team level
  • Integrate risk identification and management into normal project management
  • Accept any risk identified – don’t “vet them out”
  • Acknowledge that the program’s decision-makers are the real “risk managers,” and have the decision-makers step up to the job

  29. CMMI (Capability Maturity Model Integration)
• More information on CMMI: www.sei.cmu.edu/searchresults.cfm & www.sei.cmu.edu/cmmi/tools/dev/index.cfm

  30. Benefits
• Advances the organization along the CMM
• Informed, risk-management-based decisions
• Improved organization and customer confidence
• Awareness campaigns: education, ownership/adoption and usage
• Lower total effort & cost
• Improved interoperability and integration
• Early identification of controls
• Proven methods and techniques
• Reuse of strategies and tools
• Shared security services
• Improved Security & Compliance Posture

  31. Questions
Deborah Snyder, CISSP, GSLC, PMP, NYS Office of Temporary & Disability Assistance, (518) 473-3195, Deborah.Snyder@otda.state.ny.us
Mark Spreitzer, CBCP, CGI Group Inc., (917) 304-1966, Mark.Spreitzer@cgi.com
