Information Security Risk and Compliance Series: Risking Your Business




Sergio Saenz and Ron Nemes, June 2015

Introduction

As the DoD Information Assurance Certification and Accreditation Process (DIACAP) begins to make its curtain call from a defense compliance standpoint, a new process emerges and takes its place: the Risk Management Framework (RMF). How will this new process work? And more importantly, what does this mean for the way you do business?

In most organizations, governance, risk, and compliance (GRC) are the pillars that ensure a business is capable of performing to meet its objectives. The national defense information security realm is no different. In the Department of Defense (DoD), cybersecurity governance is handled through various instructions, directives, and manuals. In the past, compliance was met through adherence to these rules and validated using DIACAP. The RMF introduces a method to incorporate all three areas. It uses an established methodology, the National Institute of Standards and Technology (NIST) Special Publication series, and incorporates DoD guidance within the 800-53 Revision 4 control set. These publications also provide guidance on Managing Information Security Risk (800-39) and a Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans (800-53A) to ensure compliance with DoD and NIST standards. DIACAP offered a control set to measure against, but fell short in its implementation and risk assessment guidance.

Leaving the Legacy Approach

DIACAP, the DoD Information Assurance Certification and Accreditation Process: the name itself is a mouthful. For years, these words were synonymous with dedicating more time, budget, and resources to comply with standards while bolting security onto already existing infrastructure. This exercise seemed to generate more paperwork and documentation, but did it make our systems any more secure or any less exposed to risk? Managers might dedicate resources for a few months to prepare the system to be accredited and check the necessary boxes, only for the package to be left on the shelf until the next review years in the future. Even worse, organizations could be forced into fitting their system into a box that didn't make sense and didn't make them any more secure, while negatively affecting their efficiency or the way they do business. In March 2014, DoDI 8500.01 was announced and made DoD RMF official.

Looking at Risk

The RMF, or DoD RMF in the defense industry, aims to change the way information assurance (IA) and cybersecurity are implemented. Instead of performing an after-the-fact analysis and adding security, the RMF allows the organization to bake security into all phases of the System Development Lifecycle (SDLC) and take a security development lifecycle approach. This means designing in security at every phase, from coding an application to the locks on your datacenter. Customization and tailoring of the control sets, which we'll discuss in a later white paper, are also new additions to assist the Chief Information Security Officer (CISO) and cybersecurity teams in addressing their needs, as opposed to forcing the organization into a dated set of standards in which it doesn't fit. In order to stay current with the ever-changing threat landscape, NIST plans to update the 800-53 control set every 18 months.

Control responsibility and inheritance get a refresh as well. Many organizations have moved to an enterprise information system where a larger network supports many smaller networks or information systems (IS). Having to do a complete control assessment for each system would be time consuming and cumbersome, which is why DoD RMF divides control responsibility into three categories: common, hybrid, and system level. Larger systems can provide common controls for the smaller IS to inherit, transferring the risk to the appropriate owner. Hybrid controls allow the risk to be shared between the sources, and system-level controls put the onus of risk at the lowest level.

The increased use of commercial cloud services and the Federal Risk and Authorization Management Program (FedRAMP) also make DoD RMF the right choice. Their standards and assessments are already based on the 800-53 control set, making inheritance a smooth transition. The federal sector already implements the 800-53 controls, which helps remove confusion from reciprocity agreements between DoD and non-DoD organizations.
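To make the three responsibility categories concrete, here is an added example (not from the white paper or Veris Group) that resolves the effective status and residual risk owner of each control for a system inheriting from an enterprise common control provider; the control identifiers, statuses and the "Enterprise"/"AppA" names are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ControlRecord:
    control_id: str               # NIST SP 800-53 identifier, e.g. "PE-3"
    category: str                 # "common", "hybrid" or "system"
    provider_status: str = "n/a"  # as assessed at the enterprise provider
    local_status: str = "n/a"     # as assessed on this system

def resolve(rec: ControlRecord, provider: str, system: str) -> tuple[str, str]:
    """Return (effective status, residual risk owner) for one control."""
    if rec.category == "common":
        # Inherited as-is; the common control provider owns the risk.
        return rec.provider_status, provider
    if rec.category == "system":
        # Implemented and owned entirely at the lowest level.
        return rec.local_status, system
    if rec.category == "hybrid":
        # Shared: both parts must be satisfied. A failure on either side
        # is a finding, owned by whichever side failed (both if both).
        failed = [who for who, status in ((provider, rec.provider_status),
                                          (system, rec.local_status))
                  if status != "satisfied"]
        if not failed:
            return "satisfied", f"{provider}+{system}"
        return "other than satisfied", "+".join(failed)
    raise ValueError(f"unknown category {rec.category!r}")

def assess(records, provider, system):
    """Effective posture for the system, plus the controls its own ISSO
    still has to assess locally (hybrid and system-level only)."""
    posture = {r.control_id: resolve(r, provider, system) for r in records}
    local_work = sorted(r.control_id for r in records if r.category != "common")
    return posture, local_work

# Constructed sample: an enterprise network providing common controls to a
# hosted application "AppA"; statuses use 800-53A's satisfied / other than satisfied.
SAMPLE = [
    ControlRecord("PE-3", "common", provider_status="satisfied"),
    ControlRecord("IR-4", "hybrid", provider_status="satisfied",
                  local_status="other than satisfied"),
    ControlRecord("AC-2", "hybrid", provider_status="satisfied", local_status="satisfied"),
    ControlRecord("SI-2", "system", local_status="other than satisfied"),
]

if __name__ == "__main__":
    posture, work = assess(SAMPLE, "Enterprise", "AppA")
    for cid, (status, owner) in posture.items():
        print(f"{cid:5} {status:22} owner={owner}")
    print("still assessed locally:", work)
```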

Risk-Based Application

Moving towards a risk-based approach means assigning values and priorities to different security assets and business needs. This means taking a look at threats and vulnerabilities to your information and the way you do business. From a business standpoint, DoD RMF goes a step further by using the CIA (Confidentiality, Integrity, and Availability) triad during system categorization and control tailoring, allowing for more flexibility and customization. This means National Security Systems (NSS) can focus their needs differently than an organization providing public content on the web. At a granular level, this allows cybersecurity teams to address the most important (most vulnerable) concerns first, such as an unpatched public-facing web server, instead of the internal, non-networked workstation behind a network security stack with a legacy vulnerability. With this approach, Information System Security Officers (ISSOs) can move from simply saying a control is compliant/non-compliant to a detailed risk assessment and what it means for the organization. Using tools such as the risk matrix below, cybersecurity teams can provide management with a clear, concise look at the likelihood and consequence of risk exposure.

What Next?

Now that you have your risks identified, what happens next? Luckily, the answer is spelled out in the name, Risk Management Framework: the risks need to be managed. There are four basic strategies for managing risk: mitigation, transference, acceptance, and avoidance. The risk matrix (shown above) can assist executives with the decision-making process. Some lower risks may simply be accepted, while others may be transferred to a third party, either through outsourcing or, in the case of natural disasters, insurance. Documenting these actions in a table can be helpful later when generating the Plans of Action & Milestones (POA&Ms) required for remediation and necessary for authorization.

Continuous Monitoring

The NIST Special Publications (800 series) offer cybersecurity professionals an outstanding library of resources for implementing security in their organizations. One of the documents in this library is 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. With DoD RMF also comes a more focused approach to continuous monitoring. Under DIACAP, an annual document review or quarterly POA&M updates were the only regular view into a system's security posture. The RMF continues to distance itself from the legacy three-year accreditation approach and aims to take a near real-time look at cyber threats and risks to the network. Systems can take the controls that are most critical to them, such as unauthorized device management, incident response, and privileged access monitoring, and monitor them continually at a cadence that fits their needs. Dashboards can be generated to show the real-time status of network components and their risk to the enterprise. Compliance is checked on a continual basis, and any deviation from the standard is displayed through an alert, at various levels.
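The risk matrix from the Risk-Based Application section and the four strategies above, worked through as an added example that is not part of the white paper: each risk is scored by likelihood and consequence on a constructed 5x5 scale, ranked, assigned a strategy by a constructed risk-appetite rule, and anything to be mitigated becomes a POA&M row. The sample risks, the rating thresholds and the transferable/avoidable flags are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    consequence: int           # 1 (negligible) .. 5 (severe), from the CIA impact of the asset
    transferable: bool = False # can be outsourced or insured (constructed flag)
    avoidable: bool = False    # the exposing activity can be dropped entirely (constructed flag)

def score(r: Risk) -> int:
    """Matrix cell value: likelihood x consequence."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.consequence <= 5):
        raise ValueError("likelihood and consequence must be 1..5")
    return r.likelihood * r.consequence

def rating(s: int) -> str:
    # Constructed bands for the 5x5 matrix; an organization sets its own.
    return "high" if s >= 15 else "moderate" if s >= 8 else "low"

ACCEPT_BAND = "low"   # constructed risk appetite: low-rated risks are accepted

def strategy(r: Risk) -> str:
    """Pick one of the four strategies for a risk."""
    if rating(score(r)) == ACCEPT_BAND:
        return "accept"
    if r.avoidable:
        return "avoid"
    if r.transferable:
        return "transfer"
    return "mitigate"

def plan(risks: list[Risk]) -> list[dict]:
    """Rank risks highest first (score, then consequence) and decide a strategy for each."""
    ranked = sorted(risks, key=lambda r: (score(r), r.consequence), reverse=True)
    return [{"risk": r.name, "score": score(r), "rating": rating(score(r)),
             "strategy": strategy(r)} for r in ranked]

def poam_entries(rows: list[dict]) -> list[dict]:
    """Only mitigated risks need a Plan of Action & Milestones entry."""
    return [{"weakness": row["risk"], "rating": row["rating"], "milestone": "TBD"}
            for row in rows if row["strategy"] == "mitigate"]

SAMPLE = [  # constructed, echoing the two cases discussed in the text
    Risk("unpatched public-facing web server", likelihood=5, consequence=4),
    Risk("legacy flaw on non-networked internal workstation", likelihood=1, consequence=2),
    Risk("datacenter flood", likelihood=2, consequence=5, transferable=True),
    Risk("unsupported legacy file-transfer service", likelihood=4, consequence=3, avoidable=True),
]
```

Calling plan(SAMPLE) puts the public-facing web server first and sends only it to the POA&M, while the flood risk is transferred and the isolated workstation is accepted.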
Final Thoughts

The DoD is taking a leap forward in its approach to cybersecurity and risk management by integrating security into all aspects of the security development lifecycle. The new process and framework are a lot to take in at first, but will pay dividends through real-time implementation and the value added by risk-based decision making.

The Future

Having successfully migrated multiple clients from legacy DIACAP to DoD RMF, as well as developed a comprehensive, customer-specific Risk Matrix Dashboard, Veris Group is uniquely positioned to assist federal organizations with the implementation of DoD RMF.

Related Content

For more detail on the differences between DIACAP and DoD RMF, please read our RMF for DoD IT: How to Get Ahead of the Transition white paper. Check back soon to read our follow-up white papers discussing the tailoring of control sets, risk appetite, and prioritization in further detail.

Sergio Saenz and Ron Nemes are Government Program Associates of Veris Group, LLC, an industry-leading, award-winning cybersecurity company headquartered in Vienna, VA. verisgroup.com E: info@verisgroup.com T: 703.760.9160