Information Security
Rick Aldrich, JD, CISSP
Booz Allen Hamilton
Aldrich_Richard@bah.com
Overview (Federal Information Systems)
- From NIST SP 800-60, Vol. 1, Guide for Mapping Types of Information and Information Systems to Security Categories

Overview (NSS)
- From CNSSP-22, Information Assurance Risk Management Policy for National Security Systems
- CATSS is not an NSS, so the rest of this presentation addresses only federal information systems
Step 1: Categorization
- Is the vendor-operated and vendor-maintained CATSS a federal information system?
- Yes, per 40 USC 11331 (as cited in FIPS 199): an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency

Step 1: Categorization (per FIPS 199)
- SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
- Impact is Low, Moderate, or High for each of the three security objectives
- Must consider all information types stored, processed, or transmitted by the information system

System Categorization: impact values
- Low: loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
- Moderate: a serious adverse effect
- High: a severe or catastrophic adverse effect

Amplification (FIPS 199)
- Mission capability: Low = degraded, effectiveness noticeably reduced; Moderate = degraded, effectiveness significantly reduced; High = not able to perform one or more primary functions
- Organizational assets: Low = minor damage; Moderate = significant damage; High = major damage
- Financial loss: Low = minor loss; Moderate = significant loss; High = major loss
- Harm to individuals: Low = minor harm; Moderate = significant harm; High = loss of life or serious life-threatening injuries
- The criteria are logically ORed: meeting any one of them at a given level places the impact at that level
Identify Information Types
- Based on the hypo, information types would include, for example:
- Personal Identity and Authentication information type
- Payments information type

Assign Provisional Values for Information Types (NIST SP 800-60, Vol. 2)
- Personal Identity and Authentication: Security Category = {(confidentiality, Moderate), (integrity, Moderate), (availability, Moderate)}
- Payments: Security Category = {(confidentiality, Low, adjusted to Moderate for this system), (integrity, Moderate), (availability, Low)}
- Other information types on the system are handled the same way

Assign System Security Category (NIST SP 800-60, Vol. 1)
- Select the high water mark of the aggregated information types on the system, per security objective:
- Personal Identity/Authentication: confidentiality Moderate; integrity Moderate; availability Moderate
- Payments: confidentiality Low (adjusted to Moderate); integrity Moderate; availability Low
- System (high water mark): confidentiality Moderate; integrity Moderate; availability Moderate
- The system impact level is the highest value among confidentiality, integrity, and availability, so the system is Moderate
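The categorization procedure above, worked as code. This is an added example, not material from the presentation or from NIST: it encodes the FIPS 199 high water mark per objective, the SP 800-60 tailoring adjustment of a provisional value, and the FIPS 200 rule that the highest of the three objectives selects the SP 800-53 baseline. The information types and provisional values are the ones the slides quote for the hypothetical CATSS system; the reason for raising Payments confidentiality to Moderate is not stated on the slide and is treated here as a given input.

```python
"""FIPS 199 / SP 800-60 security categorization, worked as code.

Added example for this deck; not NIST's or the presenter's code. The
CATSS values below come from the slides; the adjustment reason is assumed.
"""
from enum import IntEnum
from typing import Dict, Mapping, Tuple


class Impact(IntEnum):
    """FIPS 199 impact levels, ordered so max() gives the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")
SecurityCategory = Dict[str, Impact]


def category(c: Impact, i: Impact, a: Impact) -> SecurityCategory:
    """Build SC = {(confidentiality, c), (integrity, i), (availability, a)}."""
    return {"confidentiality": c, "integrity": i, "availability": a}


def adjust(provisional: SecurityCategory, **overrides: Impact) -> SecurityCategory:
    """SP 800-60 tailoring: replace a provisional value where this system's
    use of the information type warrants it. Returns a new category."""
    for objective in overrides:
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective}")
    sc = dict(provisional)
    sc.update(overrides)
    return sc


def high_water_mark(info_types: Mapping[str, SecurityCategory]) -> SecurityCategory:
    """FIPS 199: the system SC is, per objective, the maximum impact over
    every information type the system carries."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {obj: max(sc[obj] for sc in info_types.values()) for obj in OBJECTIVES}


def overall_impact(sc: SecurityCategory) -> Impact:
    """FIPS 200: the overall system impact level is the highest of C, I, A;
    it selects the low/moderate/high baseline in SP 800-53."""
    return max(sc.values())


def fips199_notation(name: str, sc: SecurityCategory) -> str:
    """Render a category in the FIPS 199 set notation used on the slides."""
    inner = ", ".join(f"({o}, {sc[o].name.capitalize()})" for o in OBJECTIVES)
    return "SC " + name + " = {" + inner + "}"


# Provisional values quoted on the slides (SP 800-60 Vol. 2). The upward
# adjustment of Payments confidentiality is the slide's, with reason assumed.
CATSS_INFO_TYPES: Dict[str, SecurityCategory] = {
    "Personal Identity and Authentication": category(
        Impact.MODERATE, Impact.MODERATE, Impact.MODERATE),
    "Payments": adjust(category(Impact.LOW, Impact.MODERATE, Impact.LOW),
                       confidentiality=Impact.MODERATE),
}


def categorize(info_types: Mapping[str, SecurityCategory] = CATSS_INFO_TYPES
               ) -> Tuple[SecurityCategory, Impact]:
    """Return (system security category, overall impact level)."""
    sc = high_water_mark(info_types)
    return sc, overall_impact(sc)


if __name__ == "__main__":
    for name, sc in CATSS_INFO_TYPES.items():
        print(fips199_notation(name, sc))
    system_sc, level = categorize()
    print(fips199_notation("CATSS", system_sc))
    print("Overall impact / SP 800-53 baseline:", level.name)
```

Because the aggregation is a per-objective maximum, a single information type with High availability raises the whole system to the High baseline even if every other type is Low; that is the behaviour an assessor should expect when a new information type is added to a system.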
System Architecture
- The architecture description is also key to Step 1
- Key to understanding the perimeter (authorization boundary) of the information system
- Plays a key role in selecting security controls in Step 2
- Increasing use of cloud computing introduces dynamic subsystems and external subsystems

Steps 2, 3, 4: Security Controls
- What is the effect of determining the security category of the information system?
- It drives the security controls to be:
- Selected (FIPS 200 and SP 800-53) under Step 2
- Implemented (SP 800-70) under Step 3
- Assessed (SP 800-53A) under Step 4

Use SP 800-53 to Select Controls per Impact Level
- Select the initial baseline security controls (low, moderate, or high baseline)
- Tailor the baseline security controls: scoping guidance, compensating controls, organization-defined control parameters
- Coordinate with the authorizing official
- Obtain approval of the tailored control set from the authorizing official

Security Controls
- The moderate baseline requires, e.g.:
- Information flow enforcement (AC-4)
- Separation of duties (AC-5)
- Least privilege (AC-6)
- Audit reduction and report generation (AU-7)
- Configuration change control (CM-3)
- Configuration management plan (CM-9)
- Access restrictions for change (CM-5)
- Alternate storage site (CP-6)
- Alternate processing site (CP-7)
System Security Plan
- Per OMB A-11 and NIST SP 800-18, the system security plan has many inputs and outputs

System Security Plan Template
1. Information system name/title, with the unique identifier (OMB A-11)
2. Information system categorization
3. Information system owner
4. Authorizing official
5. Other designated contacts
6. Assignment of security responsibility
7. Information system operational status
8. Information system type

System Security Plan Template (cont.)
9. General system description/purpose
10. System environment
11. System interconnections/information sharing
12. Related laws/regulations/policies
13. Minimum security controls
14. Information system security plan completion date
15. Information system security plan approval date

System Security Plan Review
- Who reviews the security plan? The Senior Agency Information Security Officer
- Review at least annually for changes in: information system owner; information security representative; system architecture; system status; system interconnections; system scope; authorizing official; system authorization status
E-Authentication
- Authentication is a Step 2 control
- Per NIST SP 800-63 and OMB M-04-04
- Applies to remote authentication of users of agency IT systems to conduct government business
- Not applicable to NSS
- Two types of authentication:
- Identity authentication: confirming a unique person
- Attribute authentication: confirming membership in a particular group (e.g., military veterans, US citizens)

Assurance Levels
- Level 1 (no identity proofing requirement): little or no confidence in the asserted identity's validity
- Level 2 (single factor, e.g., password or PIN): some confidence
- Level 3 (multi-factor; soft, hard, or one-time-password tokens): high confidence
- Level 4 (multi-factor; hard cryptographic tokens): very high confidence

Determining the Assurance Level
- Determine the maximum potential impact of an authentication error; the table in OMB M-04-04 maps each impact level to the required assurance level

Factors in Choosing the Assurance Level
- Access over the Internet
- Access from PCs outside of the agency's control
- Includes access to sensitive PII on 1M applicants
- Need to attribute the user as a US citizen
- The chosen assurance level must be made public (website, Federal Register, etc.)

Encryption
- Encryption is required for Levels 3 and 4
- Level 4 must use FIPS 140-2 validated cryptographic modules
- All sensitive data transfers must be encrypted
- The CATSS website should use TLS (via HTTPS) for data in transit and require multi-factor authentication
Web Services Security
- Security actions to consider (NIST SP 800-95):
- Replicate data and services to improve availability; may require regular backups and alternate COOP locations to address denial of service, faults, and disruptions
- Use logging of transactions to improve non-repudiation and accountability; the hypo identifies logging of visits and pages viewed

Web Services Security (cont.)
- Security actions to consider (cont.):
- Use threat modeling and secure software design techniques to protect from attacks
- Use performance analysis and simulation techniques for end-to-end QoS and QoP (quality of protection)
- Digitally sign UDDI entries to verify the author of registered entries
- Enhance existing security mechanisms and infrastructure
- Consider employing a database security, risk, and compliance tool to enhance the security of CATSS
Step 5: Security Authorization
- What is the security authorization process? The new name for certification and accreditation (C&A), Step 5, set out in NIST SP 800-37
- Security authorization package: security plan; security assessment report; plan of action and milestones (POA&M)
- The authorizing official makes a risk-based decision, based on the package above, regarding the information system's authority to operate (ATO)

Step 5: Security Authorization (cont.)
- Who are the authorizing officials? A senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations, assets, individuals, other organizations, and the Nation
- Same as the designated accrediting authority (DAA) in CNSSI 4009

Step 6: Continuous Monitoring (OMB M-11-33)
- For agencies with a continuous monitoring program, security reauthorization is not required every three years or after a significant change
- Rather, risk-based decisions should rely on the results of continuous monitoring: effectiveness of deployed security controls; changes to information systems; compliance with laws, directives, policies, etc.
Questions?
Rick Aldrich, JD, CISSP
Booz Allen Hamilton
Aldrich_Richard@bah.com