Information Security Risk and Compliance Series Risking Your Business

Transcription

1 Information Security Risk and Compliance Series Risking Your Business Sergio Saenz and Ron Nemes June 2015 Introduction As the DoD Information Assurance Certification and Accreditation Process (DIACAP) begins to make its curtain call from a defense compliance standpoint, a new process emerges and takes its place, the Risk Management Framework (RMF). How will this new process work? And more importantly, what does this mean for the way you do business? In most organizations, governance, risk, and compliance (GRC) are the pillars that ensure a business is capable of performing to meet its objectives. The national defense information security realm is no different. In the Department of Defense (DoD), cybersecurity governance is handled through various instructions, directives, and manuals. In the past, compliance was met through adherence to these rules, and validated using DIACAP. The RMF introduces a method to incorporate all three areas. It uses an established methodology through its special publication series, and incorporates DoD guidance within its Revision 4 control set. These publications also provide information on Managing Information Security Risk (800-39) and a Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans ( A) to ensure compliance to the DoD and National Institute of Standards and Technology (NIST) standards. DIACAP offered a control set to measure against, but fell short in its implementation and risk assessment guidance. Leaving the Legacy Approach DIACAP, the DoD Information Assurance Certification and Accreditation Process. The name itself is a mouthful. For years, these words were synonymous with dedicating more time, budget, and resources to comply with standards while bolting on security to already existing infrastructure. This exercise seemed to generate more paper work and documentation, but did it make our systems any more secure and averse to risk vulnerabilities? Managers might dedicate resources for a few months to prepare the system to be accredited and check the necessary boxes, only to be left on the shelf until the next review years in the future. Even worse, organizations could be forced into fitting their system in a box that didn t make sense and didn t make them any more secure, while negatively affecting their efficiency or the way they do business. In March 2014, DoDI was announced and made DoD RMF official. 1

2 Looking at Risk The RMF, or DoD RMF in the defense industry, aims to change the way information assurance (IA) and cybersecurity is implemented. Instead of performing an after the fact analysis and adding security, the RMF allows the organization to bake in security in all phase of the System Development Lifecycle (SDLC), and take a security development lifecycle approach. This means designing in security in all phases, from coding an application to the locks on your datacenter. Customization and tailoring of the control sets, which we ll discuss in a later white paper, are also new additions to assist the Chief Information Security Officer (CISO) and cybersecurity teams in addressing their needs, as opposed to forcing the organization into a dated set of standards in which it doesn t fit. In order to stay current with the ever-changing threat landscape, NIST plans to update the control set every 18 months. Control responsibility and inheritance gets a refresh as well. Many organizations have moved to an enterprise information system where a larger network supports many smaller networks or information systems (IS). Having to do a complete control assessment for each system would be time consuming and cumbersome, that s why DoD RMF implements control responsibility into three categories: common, hybrid, and system level. Larger systems can provide common controls for the smaller IS to inherent, transferring the risk to the appropriate owner. Hybrid controls allow the risk to be shared between the sources, and system level controls put the onus of risk at the lowest level. The increased use of commercial cloud services and the Federal Risk and Authorization Management Program (FedRAMP) also make DoD RMF the right choice. Their standards and assessments are already based off the control set, making inheritance a smooth transition. The federal sector already implements the control, which helps remove confusion from reciprocity agreements between DoD and non-dod organizations. 2

3 Risk-Based Application Moving towards a risk-based approach means assigning values and prioritization to different security assets and business needs. This means taking a look at threats and vulnerabilities to your information and the way you do business. From a business standpoint, DoD RMF goes a step further by utilizing the CIA (Confidentiality, Integrity, and Availability) triad during the system categorization and control tailoring, allowing for more flexibility and customization. This means National Security Systems (NSS) can focus their needs differently than an organization providing public content on the web. At a granular level, this allows cybersecurity teams to address more important (most vulnerable) concerns first, such as an unpatched public-facing web server, instead of the internal, non-networked workstation behind a network security stack with a legacy vulnerability. With this approach, Information System Security Officers (ISSOs) can move from simply saying a control is compliant/non-complaint, to a detailed risk assessment and what it means for the organization. Using tools such as the risk matrix below, cybersecurity teams can provide management with a clear, concise look at the likelihood and consequence of risk exposure. 3

4 What Next? Now that you have your risks identified, what happens next? Luckily, the answer is spelled out in the name Risk Management Framework the risks need to be managed. There are four basic strategies for managing risk: mitigation, transference, acceptance and avoidance. The risk matrix (shown above) can assist executives with the decision making process. Some lower risks may simply be accepted, while others may be transferred to a third party, either through outsourcing or insurance in the case of natural disasters. Documenting these actions in a table can be helpful later when generating Plans of Action & Milestones (POA&Ms) required for remediation and necessary for authorization. Continuously Monitoring The NIST Special Publications (800 Series) offers cybersecurity professionals an outstanding library of resources for implementing security in their organizations. One of the documents included in this library is , Information Security Continuous Monitoring for Federal Information Systems and Organizations. With DoD RMF also comes a more focused approach to continuous monitoring. Under DIACAP, performing an annual document review or updating POA&Ms on a quarterly basis were the only view into a systems security posture on a regular basis. The RMF continues to distance itself from the legacy three-year accreditation approach, and aims to take a near real-time look at cyber threats and risks to the network. Systems can take the controls that are the most critical to them, such as unauthorized device management, incident response, and privileged access monitoring, and monitor them on a continual basis that fits their needs. Dashboards can be generated to show real-time status of network components and their risk to the enterprise. Compliance is checked on a continual basis and any deviation to the standard is displayed through an alert, at various levels. Final Thoughts The DoD is taking a leap forward with their approach to cybersecurity and risk management by integrating security into all aspects through the security development lifecycle. The new process and framework is a lot to take in at first, but will pay dividends through its real-time implementation and value added through risk-based decision making. The Future Having successfully migrated multiple clients from legacy DIACAP to DoD RMF, as well as developed a comprehensive customer specific Risk Matrix Dashboard, Veris Group is uniquely positioned to assist federal organizations with the implementation of DoD RMF. 4

5 Related Content For more detail on the differences between DIACAP and DoD RMF, please read our RMF for DoD IT: How to Get Ahead of the Transition white paper. Check back soon to read our follow up white papers discussing the tailoring of control sets, risk appetite, and prioritization in further detail. Sergio Saenz and Ron Nemes are Government Program Associates of Veris Group, LLC, an industryleading, award-winning cybersecurity company headquartered in Vienna, VA. verisgroup.com E: T: