Information Security. Rick Aldrich, JD, CISSP Booz Allen Hamilton

Transcription

1 Information Security Rick Aldrich, JD, CISSP Booz Allen Hamilton

2 Overview (Fed Info Sys) From NIST SP , Vol 1, Guide for Mapping Types of Information Systems to Security Categories

3 Overview (NSS) From CNSSP-22, Information Assurance Risk Management Policy for NSS CATSS not an NSS so will address only federal information systems for remaining presentation

4 Step 1: Categorization Is vendor operated/maintained CATSS a federal information system? Yes, per 40 USC 11331: An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency

5 Per FIPS 199 Step 1: Categorization SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)} Impact can be Low, Moderate or High Must consider all information types on the information system

6 System Categorization Impact values Low Loss of C-I-A could be expected to have a limited adverse effect on operations, assets, or individuals. Moderate serious adverse effect High severe or catastrophic effect

7 Amplification Mission capability Low Moderate High Degraded, effectiveness noticeably reduced Degraded, effectiveness significantly reduced Not able to perform one or more of primary functions Org. assets Minor damage Significant dmg Major damage Financial loss Harm to individuals Minor loss Significant loss Major loss Minor Significant Loss of life or serious lifethreatening injuries Categories are logically or ed

8 Identify Information Types Based on hypo, info types would include, for example: Personal Identity/Authentication Info type Payments Information type

9 Assign Provisional Values for Info Types Based on NIST , vol. 2 Personal Identity/Authentication Info type Security Category = {(confidentiality, Moderate), (integrity, Moderate), (availability, Moderate)} Payments Information type Security Category = {(confidentiality, Low/Moderate), (integrity, Moderate), (availability, Low) Other types

10 Assign System Security Category Based on NIST , vol. 1 Select high water mark of aggregated information types on system In this case Personal ID/ Authentication Confidentiality Integrity Availability Moderate Moderate Moderate Payment L ow (Moderate) Moderate Low System Moderate Moderate Moderate System is highest among C-I-A, so Moderate

11 System Architecture Architecture description is also key to Step 1 Key to understanding perimeter of the information system Plays a key role in selecting security controls in Step 2 Increasing use of cloud computing introduces dynamic sub-systems and external sub-systems

12 Steps 2, 3, 4: Security Controls What is the effect of determining the security category of the IS? Drives the security controls to be Selected (FIPS 200 and SP ) under Step 2 Implemented (SP ) under Step 3 Assessed (SP ) under Step 4

13 Use to Select Controls per Impact Level Select initial Baseline Security Controls Tailor the Baseline Security Controls Scoping Compensating controls Organization-defined control parameters Coordinate with Authorizing official Obtain approval from Authorizing official

14 Security Controls Moderate controls require, e.g. Info flow enforcement Separation of duties Least privilege Audit reduction and report generation Configuration change control Configuration management plan Access restrictions for change Alternate storage site Alternate processing site

15 System Security Plan Per OMB A-11 and NIST has many inputs and outputs

16 System Security Plan Template 1. Information System Name/Title Unique Identifier (OMB A-11) 2. Information System Categorization 3. Information System Owner 4. Authorizing Official 5. Other Designated Contacts 6. Assignment of Security Responsibility 7. Info System Operational Status 8. Info System Type

17 System Security Plan Template (cont.) 9. General System Description/ Purpose 10. System Environment 11. System Interconnections/Info Sharing 12. Related Laws/Regulations/Policies 13. Minimum Security Controls 14. IS Security Plan Completion Date 15. IS Security Plan Approval Date

18 System Security Plan Review Who reviews the security plan? Senior Agency Information Security Officer Review at least annually for changes in information system owner information security representative system architecture system status system interconnections system scope authorizing official system authorization status

19 E-Authentication Authentication is a Step 2 control Per NIST and OMB Applies to remote authentication of users of Agency IT to conduct gov t business Not applicable to NSS Two types of authentication Identity confirming a unique person Attribute confirming membership in a particular group (e.g., military veterans, US citizens)

20 Assurance Levels Level 1 (no ID proofing req t) Little or no confidence in the asserted identity s validity Level 2 (single factor, PW or pin) Some confidence Level 3 (multi-factor, soft, hard or 1- time PW tokens) High confidence Level 4 (multi-factor, hard tokens) Very high confidence

21 Determining Assurance Level Determining max impacts for each assurance level From OMB 04-04

22 Factors Choosing Assurance Level Access over Internet Access from PCs outside of Agency s control Includes access to sensitive PII on 1M applicants Need to attribute as US citizen Chosen assurance level must be made public (website, Fed Reg, etc.)

23 Encryption Encryption required for levels 3, 4 Level 4 must use FIPS validated encryption modules All sensitive data transfers must be encrypted CATSS website should use TLS (via https) and require multi-factor authentication

24 Web Services Security Security actions to consider (NIST ): Replicate Data and Services to Improve Availability May require regular back-ups and alternate COOP locations to address DOS, faults, disruptions Use Logging of Transactions to Improve Non-repudiation and Accountability Hypo identifies logging of visits, pages

25 Web Services Security Security actions to consider (cont): Use Threat Modeling and Secure Software Design Techniques to Protect from Attacks Use Performance Analysis and Simulation Techniques for End to End QoS and QoP Digitally Sign UDDI Entries to Verify the Author of Registered Entries Enhance Existing Security Mechanisms and Infrastructure Consider employing a database security, risk and compliance tool to enhance the security of this CATSS

26 Step 5: Security Authorization What is the security authorization process? New name for C&A, Step 5, set out in Security authorization package: Security plan Security assessment report Plan of action and milestones (POAM) Authorizing official makes risk-based decision, based on above, regarding information system s authority to operate

27 Step 5: Security Authorization Who are the authorizing officials? Senior official or executive with the authority to formally assume responsibility for operating an IS at an acceptable level of risk to an organization s operations, assets, individuals, other organizations, and the Nation. Same as DAA (CNSSI 4009)

28 Step 6: Continuous Monitoring Per OMB Memo For Agencies with a continuous monitoring program Security reauthorizations not required every three years or after significant change Rather, risk-based decisions should rely on results of continuous monitoring Effectiveness of deployed security controls Changes to info systems Compliance with laws, directives, policies, etc.

29 Questions? Rick Aldrich, JD, CISSP Booz Allen Hamilton