SECURITY ASSESSMENT OF AUDIOVISUAL CONTROL AND DISTRIBUTION IN THE RISK MANAGEMENT FRAMEWORK
|
|
- Ambrose Stewart
- 7 years ago
- Views:
Transcription
1 SECURITY ASSESSMENT OF AUDIOVISUAL CONTROL AND DISTRIBUTION IN THE RISK MANAGEMENT FRAMEWORK Paul Zielie Manager, Enterprise Solutions Harman Professional 11/16/2015
2 GOVERNMENT TEAM Paul Cantwell VP, Government Sales Whitney Michener Marketing Manager, Government Sonny Lastrella Director, Army Programs Troy Trujillo Director, Air Force Programs Kevin Felts Director, Navy/USMC Programs Richard Gatchell Director, Civilian Programs Bobby Ramoz Government Channels Jon Parker Government Inside Sales
3 HISTORY TRADITIONALLY AV HAS BEEN AN ISOLATED APPLICATION PROPRIETARY COMMUNICATIONS (AXLINK) RS232, IR, RELAY WHEN ETHERNET WAS INTRODUCED THE AV INDUSTRY CONTINUED TO TREAT AV AS AN ISOLATED APPLICATION GROWING TRENDS REQUIRE AV TO INTERACT WITH THE ENTERPRISE NETWORK UNIFIED COMMUNICATIONS CLOUD BASED APPLICATIONS ENTERPRISE MANAGEMENT 3
4 TODAY 4
5 REQUIREMENTS FOR AV / IT SECURITY ORGANIZATIONAL EXPECTATIONS AS AV SYSTEMS ARE BEING MIGRATED ONTO ENTERPRISE DATA NETWORKS, USER ORGANIZATIONS ARE EXPECTING THE AV SYSTEM TO MAINTAIN A SECURITY POSTURE IN ALIGNMENT WITH THEIR SECURITY GOALS. BEST PRACTICE VS REGULATORY COMPLIANCE IN MANY CASES THESE PRACTICES MAY BE MORE THAN A CASE OF BUSINESS BEST PRACTICES, BUT MAY BE A MATTER OF REGULATORY COMPLIANCE. NON-COMPLIANCE IS A MAJOR IMPEDANCE FOR THE END CUSTOMER AND MAY IN SOME CASES DISALLOW INSTALLATION 5
6 COMPLIANCE STANDARDS FISMA (Federal Information Security Management Act of 2002) Risk Management Framework (RMF) Security and Privacy Controls for Federal Information Systems and Organizations (SP Rev. 4) FIPS FIPS-197(AES) National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) Department Of Defense (DoD) Risk Management Framework (RMF) STIGs Security Technical Implementation Guides (STIGs) Common Criteria (NIAP) Control Correlation Identifiers (CCIs), NIST SP Appendix F. Unified Communications Approved Product List (UC APL) ISO series standards
7 DOD RMF IMPLEMENTATION Department of Defense Instruction (DoDI) , March 12, 2014 Establishes an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) Replaced the DoD Information Assurance Certification and Accreditation Process (DIACAP). Applies to all organizational entities within the Department of Defense and all DoD IT assets which receive, process, store, display, or transmit DoD information.
8 DOD CONTROL GUIDELINES IT products will be configured in accordance with applicable Security Technical Implementation Guides (STIGs) under a cognizant Information System Security Manager (ISSM) and Security Control Assessor (SCA). STIGs are product-specific and document applicable DoD policies and security requirements, as well as best practices and configuration guidelines. STIGs are associated with security controls through Control Correlation Identifiers (CCIs), referenced in NIST SP Appendix F. Security Requirements Guides (SRGs) are developed by DISA to provide general security compliance guidelines and serve as source guidance documents for STIGs. When a STIG is not available for a product, an SRG may be used. STIG and SRG compliance results for products will be documented as security control assessment results within a product level Security Assessment Report (SAR) Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.
9 CHALLENGES There is no standardized security control guidance for nonbusiness IT related products. This forces every installation to be treated as an exception to policy with local security authorities interpreting security requirements and accreditation. Additional Paperwork Market Confusion Inconsistent Customer expectations
10 RISK MANAGEMENT FRAMEWORK (RMF) SECURITY CONTROL CATALOG ACCESS CONTROL (AC) (1-25) AWARENESS AND TRAINING (AT) (1-5) AUDIT AND ACCOUNTABILITY (AU) (1-16) SECURITY ASSESSMENT AND AUTHORIZATION (CA) (1-9) CONFIGURATION MANAGEMENT (CM) (1-11) CONTINGENCY PLANNING (CP) (1-13) IDENTIFICATION AND AUTHENTICATION (IA) (1-11) INCIDENT RESPONSE (IR) (1-9) MAINTENANCE (MA) (1-6) MEDIA PROTECTION POLICY AND PROCEDURES (MP) (1-8) PHYSICAL AND ENVIRONMENTAL PROTECTION (PE) (1-20) SECURITY PLANNING POLICY AND PROCEDURES (PL) (1-9) PERSONNEL SECURITY POLICY AND PROCEDURES (PS) (1-8) RISK ASSESSMENT(RA) (1-6) SYSTEM AND SERVICES ACQUISITION (SA) (1-22) SYSTEM AND COMMUNICATIONS PROTECTION (SC) (1-44) SYSTEM AND INFORMATION INTEGRITY (SI) (1-17) INFORMATION SECURITY PROGRAMS PROGRAM MANAGEMENT CONTROLS (PM) (1-16) PRIVACY CONTROL CATALOG AUTHORITY AND PURPOSE (AP) (1-2) ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT (AR) (1-8) DATA QUALITY AND INTEGRITY (DI) (1-2) DATA MINIMIZATION AND RETENTION (DM) (1-3) INDIVIDUAL PARTICIPATION AND REDRESS (IP) (1-4) SECURITY (SE) (1-2) TRANSPARENCY (TR) (1-3) USE LIMITATION (UL) (1-2)
11 RMF PROCESS Step 1: Categorize 2 3 Committee on National Security Systems (CNSS) Instruction No Step 2: Select Select an initial set of baseline security controls 1 Select Implement 4 Step 3: Implement 1 0 Implement the security controls and document how the controls are implemented. 2 3 Classify 4 Step 4: Assess 6 5 Asess Assess the security controls using appropriate procedures Step 5: Authorize Step 6: Monitor Monitor on an ongoing basis Monitor Authorize
12 STEP 1: CATEGORIZE Committee on National Security Systems (CNSS) Instruction No Security Categorization and Control Selection for National Security Systems Impact on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the Unite States. Confidentiality Integrity Availability DoDD Classification IT products Individual elements (including applications) and devices which perform control, communications, or computing functions in a DoD environment. IT services IT services outside the service user organization s authorization boundary Platform IT (PIT) Computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems. An IT system or IT component cannot be classified as Platform IT simply because it is stand-alone. (DoDD )
13 STEP 2: SELECT Select an initial set of baseline security controls Interaction ACCESS CONTROL (AC) (1-25) IDENTIFICATION AND AUTHENTICATION (IA) (1-11) CONFIGURATION MANAGEMENT (CM) (1-11) MAINTENANCE (MA) (1-6) Data flows IDENTIFICATION AND AUTHENTICATION (IA) (1-11) SYSTEM AND COMMUNICATIONS PROTECTION (SC) (1-44) System protections CONFIGURATION MANAGEMENT (CM) (1-11) MAINTENANCE (MA) (1-6) SYSTEM AND COMMUNICATIONS PROTECTION (SC) (1-44 ACCESS CONTROL (AC) (1-25) Audit AUDIT AND ACCOUNTABILITY (AU) (1-16) SP CCI FISMA FIPS DoDI 8510 SRG STIG
14 EXAMPLE: PASSWORD POLICY IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION IA-5 AUTHENTICATOR MANAGEMENT IA-6 AUTHENTICATOR FEEDBACK IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION IA-11 RE-AUTHENTICATION
15 EXAMPLE: PASSWORD POLICY IA-5 AUTHENTICATOR MANAGEMENT Control Enhancements: 1) The information system, for password-based authentication: a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lowercase letters, numbers, and special characters, including minimum requirements for each type]; b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; c) Stores and transmits only cryptographically-protected passwords; d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; e) Prohibits password reuse for [Assignment: organization-defined number] generations; and f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
16 EXAMPLE: PASSWORD POLICY Specific Control Severity SP v4 CCI SRG The operating system must enforce password complexity by requiring that at least one upper-case character be used. CAT II IA-5 (1) (a) CCI SRG-OS GPOS The operating system must enforce password complexity by requiring that at least one lower-case character be used. CAT II IA-5 (1) (a) CCI SRG-OS GPOS The operating system must enforce password complexity by requiring that at least one numeric character be used. CAT II IA-5 (1) (a) CCI SRG-OS GPOS The operating system must enforce a minimum 15-character password length. CAT II IA-5 (1) (a) CCI SRG-OS GPOS The operating system must require the change of at least eight of the total number of characters when passwords are changed. CAT II IA-5 (1) (b) CCI SRG-OS GPOS The operating system must store only encrypted representations of passwords. CAT II IA-5 (1) (c) CCI SRG-OS GPOS The operating system must transmit only encrypted representations of passwords. CAT II IA-5 (1) (c) CCI SRG-OS GPOS Operating systems must enforce 24 hours/1 day as the minimum password lifetime. CAT II IA-5 (1) (d) CCI SRG-OS GPOS Operating systems must enforce a 60-day maximum password lifetime restriction. CAT II IA-5 (1) (d) CCI SRG-OS GPOS The operating system must prohibit password reuse for a minimum of five generations. CAT II IA-5 (1) (e) CCI SRG-OS GPOS The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. CAT II IA-6 CCI SRG-OS GPOS-00047
17 EXAMPLE: PASSWORD POLICY IA-5 AUTHENTICATOR MANAGEMENT Control Enhancements: 1) The information system, for password-based authentication: a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lowercase letters, numbers, and special characters, including minimum requirements for each type]; SP v4 CCI Specific Control IA-5 (1) (a) IA-5 (1) (a) IA-5 (1) (a) IA-5 (1) (a) CCI The operating system must enforce password complexity by requiring that at least one upper-case character be used. CCI The operating system must enforce password complexity by requiring that at least one lower-case character be used. CCI The operating system must enforce password complexity by requiring that at least one numeric character be used. CCI The operating system must enforce a minimum 15-character password length.
18 STEP 3: IMPLEMENT Select an initial set of baseline security controls Mission owner(s) must translate security controls into system specifications, ensure the successful integration of those specifications into the system design, and ensure security engineering trades do not impact the ability of the system to meet the fundamental mission requirements. DoDI
19 STEP 4: ASESS Assess the security controls using appropriate procedures
20 Step 5: Authorize Step 6: Monitor Monitor on an ongoing basis
21 AV / IT SECURITY QUESTIONS? 21
22 COLLATERAL Risk Analysis Worksheet
23 COLLATERAL
24 COLLATERAL art2
25 COLLATERAL Risk Analysis Worksheet www2.amx.com/avsecurityreq
26 REFERENCES
Security Controls Assessment for Federal Information Systems
Security Controls Assessment for Federal Information Systems Census Software Process Improvement Program September 11, 2008 Kevin Stine Computer Security Division National Institute of Standards and Technology
More informationHHS Information System Security Controls Catalog V 1.0
Information System Security s Catalog V 1.0 Table of Contents DOCUMENT HISTORY... 3 1. Purpose... 4 2. Security s Scope... 4 3. Security s Compliance... 4 4. Security s Catalog Ownership... 4 5. Security
More informationIT Security Management Risk Analysis and Controls
IT Security Management Risk Analysis and Controls Steven Gordon Document No: Revision 770 3 December 2013 1 Introduction This document summarises several steps of an IT security risk analysis and subsequent
More informationSecurity Control Standards Catalog
Security Control Standards Catalog Version 1.2 Texas Department of Information Resources April 3, 2015 Contents About the Security Control Standards Catalog... 1 Document Life Cycle... 1 Revision History...
More informationSecurity Compliance In a Post-ACA World
1 Security Compliance In a Post-ACA World Security Compliance in a Post-ACA World Discussion of building a security compliance framework as part of an ACA Health Insurance Exchange implementation. Further
More informationNIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich
NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationCTR System Report - 2008 FISMA
CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control
More informationSystem Security Certification and Accreditation (C&A) Framework
System Security Certification and Accreditation (C&A) Framework Dave Dickinson, IOAT ISSO Chris Tillison, RPMS ISSO Indian Health Service 5300 Homestead Road, NE Albuquerque, NM 87110 (505) 248-4500 fax:
More informationSecurity and Privacy Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems JOINT TASK FORCE TRANSFORMATION INITIATIVE This document contains excerpts from NIST Special Publication
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy
More informationGet Confidence in Mission Security with IV&V Information Assurance
Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving
More informationAF Life Cycle Management Center
AF Life Cycle Management Center Avionics Weapon Systems Cybersecurity Risk Management Framework Assessment & Authorization Update Harrell Van Norman AFLCMC/EZAS Cybersecurity Technical Expert aflcmc.en-ez.weapon.systems.ia.team@us.af.mil
More informationSelecting RMF Controls for National Security Systems
SANDIA REPORT SAND2015-6770 Unlimited Release Printed August 2015 Selecting RMF Controls for National Security Systems Edward L. Witzke Prepared by Sandia National Laboratories Albuquerque, New Mexico
More information5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE
5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More informationU.S. FLEET CYBER COMMAND U.S. TENTH FLEET DoD RMF Transition
U.S. FLEET CYBER COMMAND U.S. TENTH FLEET DoD RMF Transition Dr. Charles Kiriakou, Ms. Kate Cunningham, Mr. Kevin Winters, & Mr. Carl Rice September 3, 2014 UNCLASSIFIED 1 Bottom Line Up Front (BLUF) The
More informationCloud Security for Federal Agencies
Experience the commitment ISSUE BRIEF Rev. April 2014 Cloud Security for Federal Agencies This paper helps federal agency executives evaluate security and privacy features when choosing a cloud service
More informationCOORDINATION DRAFT. FISCAM to NIST Special Publication 800-53 Revision 4. Title / Description (Critical Element)
FISCAM FISCAM 3.1 Security (SM) Critical Element SM-1: Establish a SM-1.1.1 The security management program is adequately An agency/entitywide security management program has been developed, An agency/entitywide
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More informationSecurity Control Standard
Department of the Interior Security Control Standard Maintenance January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information Officer
More informationSecurity Self-Assessment Tool
Security Self-Assessment Tool State Agencies Receiving FPLS Information, 7/15/2015 Contents Overview... 2 Access Control (AC)... 3 Awareness and Training (AT)... 8 Audit and Accountability (AU)... 10 Security
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationSecurity Language for IT Acquisition Efforts CIO-IT Security-09-48
Security Language for IT Acquisition Efforts CIO-IT Security-09-48 Office of the Senior Agency Information Security Officer VERSION HISTORY/CHANGE RECORD Change Number Person Posting Change Change Reason
More informationRisk Management Framework (RMF): The Future of DoD Cyber Security is Here
Risk Management Framework (RMF): The Future of DoD Cyber Security is Here Authors: Rebecca Onuskanich William Peterson 3300 N Fairfax Drive, Suite 308 Arlington, VA 22201 Phone: 571-481-9300 Fax: 202-315-3003
More informationBellingham Control System Cyber Security Case Study
Bellingham Control System Cyber Security Case Study Marshall Abrams Joe Weiss Presented at at 2007 Annual Computer Security Applications Conference Case Study Synopsis Examine actual control system cyber
More informationWRITTEN INFORMATION SECURITY PROGRAM (WISP) ACME Consulting Services, Inc.
WRITTEN INFORMATION SECURITY PROGRAM (WISP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents WRITTEN INFORMATION SECURITY PROGRAM (WISP) OVERVIEW 10 INTRODUCTION 10 PURPOSE 10 SCOPE & APPLICABILITY
More informationWritten Information Security Program (WISP)
Your Logo Will Be Placed Here Written Information Security Program (WISP) ACME Consulting, LLC Copyright 2014 Table of Contents WRITTEN INFORMATION SECURITY PROGRAM (WISP) OVERVIEW 10 INTRODUCTION 10 PURPOSE
More informationSecurity Control Standard
Department of the Interior Security Control Standard Security Assessment and Authorization January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,
More informationFiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program
U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program Report.
More informationDEPARTMENT OF DEFENSE (DoD) CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE (SRG) Version 1, Release 1. 12 January 2015
DEPARTMENT OF DEFENSE (DoD) CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE (SRG) Version 1, Release 1 12 January 2015 Developed by the Defense Information Systems Agency (DISA) for the Department of Defense
More informationCMS POLICY FOR THE INFORMATION SECURITY PROGRAM
Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS POLICY FOR THE INFORMATION SECURITY PROGRAM FINAL Version 4.0 August 31, 2010 Document Number: CMS-CIO-POL-SEC02-04.0
More informationDepartment of Defense INSTRUCTION
Department of Defense INSTRUCTION NUMBER 8510.01 March 12, 2014 DoD CIO SUBJECT: Risk Management Framework (RMF) for DoD Information Technology (IT) References: See Enclosure 1 1. PURPOSE. This instruction:
More informationTim Denman Systems Engineering and Technology Dept Chair/ Cybersecurity Lead DAU South, Huntsville Tim.Denman@dau.mil
Tim Denman Systems Engineering and Technology Dept Chair/ Cybersecurity Lead DAU South, Huntsville Tim.Denman@dau.mil Current State of Cybersecurity in the DoD Current Needs Communications focus Changing
More informationIndustrial Security Field Operations
Defense Security Service Industrial Security Field Operations NISP Authorization Office (NAO) (Formerly Office of the Designated Approving Authority) NISPOM to NIST (800-53r4) Security Control Mapping
More informationIT ASSET MANAGEMENT Securing Assets for the Financial Services Sector
IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationManaging Security and Privacy Risk in Healthcare Applications
Managing Security and Privacy Risk in Healthcare Applications 5 th Annual OCR / NIST HIPAA Security Rule Conference June 6, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory
More informationCybersecurity Throughout DoD Acquisition
Cybersecurity Throughout DoD Acquisition Tim Denman Cybersecurity Performance Learning Director DAU Learning Capabilities Integration Center Tim.Denman@dau.mil Acquisition.cybersecurity@dau.mil Cybersecurity
More informationA Draft List of Software Assurance (SwA) Related NIST SP 800-53 Revision 4 Controls*
!!!!!!!!!!!!! A Draft List of Software Assurance (SwA) Related NIST SP 800-53 Revision 4 Controls* Technical Report: UNO-TGRS-20131121-1 Robin Gandhi, Harvey Siy, Sayonnha Mandal The University of Nebraska
More informationCONTINUOUS MONITORING
CONTINUOUS MONITORING Monitoring Strategy Part 2 of 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring (CM) and how
More informationThe Cloud in Regulatory Affairs - Validation, Risk Management and Chances -
45 min Webinar: November 14th, 2014 The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - www.cunesoft.com Rainer Schwarz Cunesoft Holger Spalt ivigilance 2014 Cunesoft GmbH PART
More informationUNCLASSIFIED. Trademark Information
SAMSUNG KNOX ANDROID 1.0 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 1 3 May 2013 Developed by Samsung Electronics Co., Ltd.; Fixmo, Inc.; and General Dynamics C4 Systems,
More informationRequirements For Computer Security
Requirements For Computer Security FTA/IRS Safeguards Symposium & FTA/IRS Computer Security Conference April 2, 2008 St. Louis 1 Agenda Security Framework Safeguards IT Security Review Process Preparing
More informationInformation Security for Managers
Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize
More informationDepartment of Defense INSTRUCTION
Department of Defense INSTRUCTION NUMBER 8551.01 May 28, 2014 DoD CIO SUBJECT: Ports, Protocols, and Services Management (PPSM) References: See Enclosure 1 1. PURPOSE. In accordance with the authority
More informationFISMA NIST 800-53 (Rev 4) Audit and Accountability: Shared Public Cloud Infrastructure Standards
FISMA NIST 800-53 (Rev 4) Audit and Accountability: Shared Public Cloud Infrastructure Standards Standard Requirement per NIST 800-53 (Rev. 4) CloudCheckr Action AU-3/ AU3(1) AU-3 CONTENT OF AUDIT RECORDS
More informationComplying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance
WHITE paper Complying with the Federal Information Security Management Act How Tripwire Change Auditing Solutions Help page 2 page 3 page 3 page 3 page 4 page 4 page 5 page 5 page 6 page 6 page 7 Introduction
More informationSample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat
Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Centers for Disease and Prevention National Center for Chronic Disease Prevention and Health
More informationCMS SYSTEM SECURITY PLAN (SSP) PROCEDURE
Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE August 31, 2010 Version 1.1 - FINAL Summary of Changes in SSP
More informationUnderstanding HITRUST s Approach to Risk vs. Compliance-based Information Protection
Understanding Compliance vs. Risk-based Information Protection 1 Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection Why risk analysis is crucial to HIPAA compliance and
More informationDoDI 8500-2 IA Control Checklist - MAC 2-Sensitive. Version 1, Release 1.4. 28 March 2008
DoDI 8500-2 IA Control Checklist - MAC 2-Sensitive Version 1, Release 1.4 Developed by DISA for the DOD UNTILL FILLED IN CIRCLE ONE FOR OFFICIAL USE ONLY (mark each page) CONFIDENTIAL and SECRET (mark
More informationMinimum Security Requirements for Federal Information and Information Systems
FIPS PUB 200 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Minimum Security Requirements for Federal Information and Information Systems Computer Security Division Information Technology Laboratory
More informationCompliance Overview: FISMA / NIST SP800 53
Compliance Overview: FISMA / NIST SP800 53 FISMA / NIST SP800 53: Compliance Overview With Huntsman SIEM The US Federal Information Security Management Act (FISMA) is now a key element of the US Government
More informationSECURITY CATEGORIZATION AND CONTROL SELECTION FOR NATIONAL SECURITY SYSTEMS
1 CNSSI No. 1253 15 March 2012 SECURITY CATEGORIZATION AND CONTROL SELECTION FOR NATIONAL SECURITY SYSTEMS Version 2 THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER
More informationFedRAMP Master Acronym List. Version 1.0
FedRAMP Master Acronym List Version 1.0 September 10, 2015 Revision History Date Version Page(s) Description Author Sept. 10, 2014 1.0 All Initial issue. FedRAMP PMO How to Contact Us For questions about
More informationHealth Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
More informationPrivacy Impact Assessment. For ecampus-based System (e/cb) Date: April 26, 2014. Point of Contact: Calvin Whitaker Calvin.Whitaker@ed.
For ecampus-based System (e/cb) Date: April 26, 2014 Point of Contact: Calvin Whitaker Calvin.Whitaker@ed.gov System Owner: Keith Wilson Keith.Wilson@ed.gov Author: Calvin Whitaker Office of Federal Student
More informationCRR-NIST CSF Crosswalk 1
IDENTIFY (ID) Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative
More informationSupporting FISMA and NIST SP 800-53 with Secure Managed File Transfer
IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan
More informationGovernment of Canada Managed Security Services (GCMSS) Appendix D: Security Control Catalogue ITSG-33 - Annex 3 DRAFT 3.1
Government of Canada Managed Security Services (GCMSS) Appendix D: Security Control Catalogue ITSG-33 - Annex 3 DRAFT 3.1 Date: June 15, 2012 Information Technology Security Guidance Guide to Managing
More informationSecurity Control Standard
Department of the Interior Security Control Standard Program Management April 2011 Version: 1.1 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information
More informationPOSTAL REGULATORY COMMISSION
POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1
More informationFISMA: Securing National Infrastructure
FISMA: Securing National Infrastructure Using a Holistic Approach to Lower Total Cost of Ownership (TCO) of FISMA Compliance by 50% or More an eiqnetworks White Paper by John Linkous Security and Compliance
More informationVIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY. Version 2.
VIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY Version 2., 2012 Revision History Version Date Purpose of Revision 2.0 Base Document 2.1 07/23/2012 Draft 1 Given to ISO for Review 2.2 08/15/2012
More informationIndependent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including
More informationDoDI 8500-2 IA Control Checklist - MAC 3-Public. Version 1, Release 1.4. 28 March 2008
DoDI 8500-2 IA Control Checklist - MAC 3-Public Version 1, Release 1.4 Developed by DISA for the DOD UNTILL FILLED IN CIRCLE ONE FOR OFFICIAL USE ONLY (mark each page) CONFIDENTIAL and SECRET (mark each
More informationRMF. Cybersecurity and the Risk Management. Framework UNCLASSIFIED
Cybersecurity and the Risk Management Framework Wherewe ve been and where we re going Information Assurance DoD Instruction 8500.01,Para 1(d),adoptsthe term cybersecurity as it is defined in National Security
More informationOpening Up a Second Front for Cyber Security and Risk Management
Opening Up a Second Front for Cyber Security and Risk Management Annual Computer Security Applications Conference December 4, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory
More informationPrivacy Impact Assessment
For: Great Lakes Computer System (GLCS) Great Lakes Educational Loan Services, Inc. (GOALS) Date: June 18, 2013 Point of Contact: Gregory Plenty (202) 377-3253 Gregory.Plenty@ed.gov System Owner: Keith
More informationReview of the SEC s Systems Certification and Accreditation Process
Review of the SEC s Systems Certification and Accreditation Process March 27, 2013 Page i Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy
More informationINFORMATION TECHNOLOGY SECURITY POLICY 60-702. Table of Contents
Department of Commerce National Oceanic & Atmospheric Administration National Weather Service NATIONAL WEATHER SERVICE INSTRUCTION 60-702 December 21, 2009 Information Technology INFORMATION TECHNOLOGY
More informationPrivacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)
Privacy Impact Assessment (PIA) for the Cyber Security Assessment and Management (CSAM) Certification & Accreditation (C&A) Web (SBU) Department of Justice Information Technology Security Staff (ITSS)
More informationDoD ANNEX FOR MOBILE DEVICE MANAGEMENT (MDM) PROTECTION PROFILE Version 1, Release 1. 14 February 2014
DoD ANNEX FOR MOBILE DEVICE MANAGEMENT (MDM) PROTECTION PROFILE Version 1, Release 1 14 February 2014 Trademark Information Names, products, and services referenced within this document may be the trade
More informationCompliance Risk Management IT Governance Assurance
Compliance Risk Management IT Governance Assurance Solutions That Matter Introduction to Federal Information Security Management Act (FISMA) Without proper safeguards, federal agencies computer systems
More informationSecurity Control Standard
Department of the Interior Security Control Standard Risk Assessment January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information
More informationRED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release 8. 24 July 2015
RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 8 24 July 2015 Developed by Red Hat, NSA, and for the DoD Trademark Information Names, products, and
More informationSecurity Authorization Process Guide
Security Authorization Process Guide Office of the Chief Information Security Officer (CISO) Version 11.1 March 16, 2015 TABLE OF CONTENTS Introduction... 1 1.1 Background... 1 1.2 Purpose... 2 1.3 Scope...
More informationSecurity Standards Compliance NIST SP 800-53 Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.00
Security Standards Compliance NIST SP 800-53 Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.00 Document TMIC-003-N Version 1.00. 15 August 2012 1 Security and Privacy Controls
More informationPublication 4812. Contractor Security Controls
Publication 4812 Handling and Protecting Information or Information Systems ***This Publication Pertains to IT Assets Owned and Managed at Contractor Sites*** July 2014 Highlights of Publication 4812
More informationVISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data
VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data 1 Table of Contents Executive Summary... 3 Template
More informationMeeting Federal Information Assurance (IA) Monitoring Requirements with SecureVue
Meeting Federal Information Assurance (IA) Monitoring Requirements with SecureVue Solution Brief Meeting Federal Information Assurance (IA) Monitoring Requirements with SecureVue Federal Security Monitoring
More information2015 Security Training Schedule
2015 Security Training Schedule Risk Management Framework Course (RMF) / $1,950.00 Per Student Dates June 1-4 Location 4775 Centennial Blvd., Suite 103 / Colorado Springs, CO 80919 July 20 23 444 W. Third
More informationNATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
More informationProposed Security Assessment & Authorization for U.S. Government Cloud Computing
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing Draft version 0.96 November 2, 2010 Preface Proposed Security Assessment and Authorization for U.S. Government Cloud Computing:
More informationFederal Highway Administration (FHWA) Cybersecurity Program (CSP) Handbook
For Official Use Only Version 1 Federal Highway Administration (FHWA) Cybersecurity Program (CSP) Handbook OFFICE OF INFORMATION TECHNOLOGY SERVICES Information Technology Strategic Objective APRIL 2014
More informationASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT
INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA AND PACIFIC OFFICE ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT DRAFT Second Edition June 2010 3.4H - 1 TABLE OF CONTENTS 1.
More informationDIACAP Presentation. Presented by: Dennis Bailey. Date: July, 2007
DIACAP Presentation Presented by: Dennis Bailey Date: July, 2007 Government C&A Models NIST SP 800-37 - Guide for the Security Certification and Accreditation of Federal Information Systems NIACAP - National
More informationCOMMONWEALTH OF VIRGINIA
COMMONWEALTH OF VIRGINIA Information Technology Resource Management Information Security Standard Virginia Information Technologies Agency (VITA) Page i ITRM Publication Version Control ITRM Publication
More informationFEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL
FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL Clifton Gunderson LLP s Independent Audit of the Federal Housing Finance Agency s Information Security Program - 2011 Audit Report: AUD-2011-002
More informationAudit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013
Audit Report The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,
More informationPublication 4812. Contractor Security Controls. ***This Publication Pertains to IT Assets Owned and Managed at Contractor Sites***
Information Technology CYBERSECURITY Publication 4812 Handling and Protecting Information or Information Systems ***This Publication Pertains to IT Assets Owned and Managed at Contractor Sites*** Publicationn
More informationImproving Critical Infrastructure Cybersecurity Executive Order 13636. Preliminary Cybersecurity Framework
1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
More informationSECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK
SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK BACKGROUND The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines a comprehensive set of controls that is the basis
More informationMeeting Federal Information Assurance (IA) Monitoring Requirements with SecureVue
Meeting Federal Information Assurance (IA) Monitoring Requirements with SecureVue Solution Brief Meeting Federal Information Assurance (IA) Monitoring Requirements with SecureVue Federal Security Monitoring
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationRecommended Security Controls for Federal Information Systems
NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Ron Ross Stu Katzke Arnold Johnson Marianne Swanson Gary Stoneburner George Rogers Annabelle Lee I N F O R
More informationPolicy on Information Assurance Risk Management for National Security Systems
CNSSP No. 22 January 2012 Policy on Information Assurance Risk Management for National Security Systems THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION
More informationMeeting RMF Requirements around Audit Log Management
Meeting RMF Requirements around Audit Log Management An EiQ Networks White Paper Purpose The purpose of this paper is to provide some background on the transition from DIACAP to the Risk Management Framework
More informationINFORMATION SYSTEMS. Revised: August 2013
Revised: August 2013 INFORMATION SYSTEMS In November 2011, The University of North Carolina Information Technology Security Council [ITSC] recommended the adoption of ISO/IEC 27002 Information technology
More informationFY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0
FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0 June 20, 2016 Document History Version Date Comments Sec/Page 1.0 19 June 2016 Aligned questions
More information