SECURITY ASSESSMENT OF AUDIOVISUAL CONTROL AND DISTRIBUTION IN THE RISK MANAGEMENT FRAMEWORK

Transcription

1 SECURITY ASSESSMENT OF AUDIOVISUAL CONTROL AND DISTRIBUTION IN THE RISK MANAGEMENT FRAMEWORK Paul Zielie Manager, Enterprise Solutions Harman Professional 11/16/2015

2 GOVERNMENT TEAM Paul Cantwell VP, Government Sales Whitney Michener Marketing Manager, Government Sonny Lastrella Director, Army Programs Troy Trujillo Director, Air Force Programs Kevin Felts Director, Navy/USMC Programs Richard Gatchell Director, Civilian Programs Bobby Ramoz Government Channels Jon Parker Government Inside Sales

3 HISTORY TRADITIONALLY AV HAS BEEN AN ISOLATED APPLICATION PROPRIETARY COMMUNICATIONS (AXLINK) RS232, IR, RELAY WHEN ETHERNET WAS INTRODUCED THE AV INDUSTRY CONTINUED TO TREAT AV AS AN ISOLATED APPLICATION GROWING TRENDS REQUIRE AV TO INTERACT WITH THE ENTERPRISE NETWORK UNIFIED COMMUNICATIONS CLOUD BASED APPLICATIONS ENTERPRISE MANAGEMENT 3

4 TODAY 4

5 REQUIREMENTS FOR AV / IT SECURITY ORGANIZATIONAL EXPECTATIONS AS AV SYSTEMS ARE BEING MIGRATED ONTO ENTERPRISE DATA NETWORKS, USER ORGANIZATIONS ARE EXPECTING THE AV SYSTEM TO MAINTAIN A SECURITY POSTURE IN ALIGNMENT WITH THEIR SECURITY GOALS. BEST PRACTICE VS REGULATORY COMPLIANCE IN MANY CASES THESE PRACTICES MAY BE MORE THAN A CASE OF BUSINESS BEST PRACTICES, BUT MAY BE A MATTER OF REGULATORY COMPLIANCE. NON-COMPLIANCE IS A MAJOR IMPEDANCE FOR THE END CUSTOMER AND MAY IN SOME CASES DISALLOW INSTALLATION 5

6 COMPLIANCE STANDARDS FISMA (Federal Information Security Management Act of 2002) Risk Management Framework (RMF) Security and Privacy Controls for Federal Information Systems and Organizations (SP Rev. 4) FIPS FIPS-197(AES) National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) Department Of Defense (DoD) Risk Management Framework (RMF) STIGs Security Technical Implementation Guides (STIGs) Common Criteria (NIAP) Control Correlation Identifiers (CCIs), NIST SP Appendix F. Unified Communications Approved Product List (UC APL) ISO series standards

7 DOD RMF IMPLEMENTATION Department of Defense Instruction (DoDI) , March 12, 2014 Establishes an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) Replaced the DoD Information Assurance Certification and Accreditation Process (DIACAP). Applies to all organizational entities within the Department of Defense and all DoD IT assets which receive, process, store, display, or transmit DoD information.

8 DOD CONTROL GUIDELINES IT products will be configured in accordance with applicable Security Technical Implementation Guides (STIGs) under a cognizant Information System Security Manager (ISSM) and Security Control Assessor (SCA). STIGs are product-specific and document applicable DoD policies and security requirements, as well as best practices and configuration guidelines. STIGs are associated with security controls through Control Correlation Identifiers (CCIs), referenced in NIST SP Appendix F. Security Requirements Guides (SRGs) are developed by DISA to provide general security compliance guidelines and serve as source guidance documents for STIGs. When a STIG is not available for a product, an SRG may be used. STIG and SRG compliance results for products will be documented as security control assessment results within a product level Security Assessment Report (SAR) Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

9 CHALLENGES There is no standardized security control guidance for nonbusiness IT related products. This forces every installation to be treated as an exception to policy with local security authorities interpreting security requirements and accreditation. Additional Paperwork Market Confusion Inconsistent Customer expectations

10 RISK MANAGEMENT FRAMEWORK (RMF) SECURITY CONTROL CATALOG ACCESS CONTROL (AC) (1-25) AWARENESS AND TRAINING (AT) (1-5) AUDIT AND ACCOUNTABILITY (AU) (1-16) SECURITY ASSESSMENT AND AUTHORIZATION (CA) (1-9) CONFIGURATION MANAGEMENT (CM) (1-11) CONTINGENCY PLANNING (CP) (1-13) IDENTIFICATION AND AUTHENTICATION (IA) (1-11) INCIDENT RESPONSE (IR) (1-9) MAINTENANCE (MA) (1-6) MEDIA PROTECTION POLICY AND PROCEDURES (MP) (1-8) PHYSICAL AND ENVIRONMENTAL PROTECTION (PE) (1-20) SECURITY PLANNING POLICY AND PROCEDURES (PL) (1-9) PERSONNEL SECURITY POLICY AND PROCEDURES (PS) (1-8) RISK ASSESSMENT(RA) (1-6) SYSTEM AND SERVICES ACQUISITION (SA) (1-22) SYSTEM AND COMMUNICATIONS PROTECTION (SC) (1-44) SYSTEM AND INFORMATION INTEGRITY (SI) (1-17) INFORMATION SECURITY PROGRAMS PROGRAM MANAGEMENT CONTROLS (PM) (1-16) PRIVACY CONTROL CATALOG AUTHORITY AND PURPOSE (AP) (1-2) ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT (AR) (1-8) DATA QUALITY AND INTEGRITY (DI) (1-2) DATA MINIMIZATION AND RETENTION (DM) (1-3) INDIVIDUAL PARTICIPATION AND REDRESS (IP) (1-4) SECURITY (SE) (1-2) TRANSPARENCY (TR) (1-3) USE LIMITATION (UL) (1-2)

11 RMF PROCESS Step 1: Categorize 2 3 Committee on National Security Systems (CNSS) Instruction No Step 2: Select Select an initial set of baseline security controls 1 Select Implement 4 Step 3: Implement 1 0 Implement the security controls and document how the controls are implemented. 2 3 Classify 4 Step 4: Assess 6 5 Asess Assess the security controls using appropriate procedures Step 5: Authorize Step 6: Monitor Monitor on an ongoing basis Monitor Authorize

12 STEP 1: CATEGORIZE Committee on National Security Systems (CNSS) Instruction No Security Categorization and Control Selection for National Security Systems Impact on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the Unite States. Confidentiality Integrity Availability DoDD Classification IT products Individual elements (including applications) and devices which perform control, communications, or computing functions in a DoD environment. IT services IT services outside the service user organization s authorization boundary Platform IT (PIT) Computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems. An IT system or IT component cannot be classified as Platform IT simply because it is stand-alone. (DoDD )

13 STEP 2: SELECT Select an initial set of baseline security controls Interaction ACCESS CONTROL (AC) (1-25) IDENTIFICATION AND AUTHENTICATION (IA) (1-11) CONFIGURATION MANAGEMENT (CM) (1-11) MAINTENANCE (MA) (1-6) Data flows IDENTIFICATION AND AUTHENTICATION (IA) (1-11) SYSTEM AND COMMUNICATIONS PROTECTION (SC) (1-44) System protections CONFIGURATION MANAGEMENT (CM) (1-11) MAINTENANCE (MA) (1-6) SYSTEM AND COMMUNICATIONS PROTECTION (SC) (1-44 ACCESS CONTROL (AC) (1-25) Audit AUDIT AND ACCOUNTABILITY (AU) (1-16) SP CCI FISMA FIPS DoDI 8510 SRG STIG

14 EXAMPLE: PASSWORD POLICY IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION IA-5 AUTHENTICATOR MANAGEMENT IA-6 AUTHENTICATOR FEEDBACK IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION IA-11 RE-AUTHENTICATION

15 EXAMPLE: PASSWORD POLICY IA-5 AUTHENTICATOR MANAGEMENT Control Enhancements: 1) The information system, for password-based authentication: a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lowercase letters, numbers, and special characters, including minimum requirements for each type]; b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; c) Stores and transmits only cryptographically-protected passwords; d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; e) Prohibits password reuse for [Assignment: organization-defined number] generations; and f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

16 EXAMPLE: PASSWORD POLICY Specific Control Severity SP v4 CCI SRG The operating system must enforce password complexity by requiring that at least one upper-case character be used. CAT II IA-5 (1) (a) CCI SRG-OS GPOS The operating system must enforce password complexity by requiring that at least one lower-case character be used. CAT II IA-5 (1) (a) CCI SRG-OS GPOS The operating system must enforce password complexity by requiring that at least one numeric character be used. CAT II IA-5 (1) (a) CCI SRG-OS GPOS The operating system must enforce a minimum 15-character password length. CAT II IA-5 (1) (a) CCI SRG-OS GPOS The operating system must require the change of at least eight of the total number of characters when passwords are changed. CAT II IA-5 (1) (b) CCI SRG-OS GPOS The operating system must store only encrypted representations of passwords. CAT II IA-5 (1) (c) CCI SRG-OS GPOS The operating system must transmit only encrypted representations of passwords. CAT II IA-5 (1) (c) CCI SRG-OS GPOS Operating systems must enforce 24 hours/1 day as the minimum password lifetime. CAT II IA-5 (1) (d) CCI SRG-OS GPOS Operating systems must enforce a 60-day maximum password lifetime restriction. CAT II IA-5 (1) (d) CCI SRG-OS GPOS The operating system must prohibit password reuse for a minimum of five generations. CAT II IA-5 (1) (e) CCI SRG-OS GPOS The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. CAT II IA-6 CCI SRG-OS GPOS-00047

17 EXAMPLE: PASSWORD POLICY IA-5 AUTHENTICATOR MANAGEMENT Control Enhancements: 1) The information system, for password-based authentication: a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lowercase letters, numbers, and special characters, including minimum requirements for each type]; SP v4 CCI Specific Control IA-5 (1) (a) IA-5 (1) (a) IA-5 (1) (a) IA-5 (1) (a) CCI The operating system must enforce password complexity by requiring that at least one upper-case character be used. CCI The operating system must enforce password complexity by requiring that at least one lower-case character be used. CCI The operating system must enforce password complexity by requiring that at least one numeric character be used. CCI The operating system must enforce a minimum 15-character password length.

18 STEP 3: IMPLEMENT Select an initial set of baseline security controls Mission owner(s) must translate security controls into system specifications, ensure the successful integration of those specifications into the system design, and ensure security engineering trades do not impact the ability of the system to meet the fundamental mission requirements. DoDI

19 STEP 4: ASESS Assess the security controls using appropriate procedures

20 Step 5: Authorize Step 6: Monitor Monitor on an ongoing basis

21 AV / IT SECURITY QUESTIONS? 21

22 COLLATERAL Risk Analysis Worksheet

23 COLLATERAL

24 COLLATERAL art2

25 COLLATERAL Risk Analysis Worksheet www2.amx.com/avsecurityreq

26 REFERENCES