Risk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C.

Similar documents
Information Security Program Management Standard

Get Confidence in Mission Security with IV&V Information Assurance

Guideline for Mapping Types of Information and Information Systems to Security Categorization Levels SP AP-2/03-1

Guidelines 1 on Information Technology Security

IT Security Management Risk Analysis and Controls

NIST Special Publication Version 2.0 Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories

Virginia Commonwealth University School of Medicine Information Security Standard

Information Security for Managers

Standards for Security Categorization of Federal Information and Information Systems

Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

FACT SHEET: Ransomware and HIPAA

CTR System Report FISMA

Minimum Security Requirements for Federal Information and Information Systems

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services

Data Classification Methodology Version 1.3

Security Control Standard

UoB Risk Assessment Methodology

Computer Security Lecture 13

INFORMATION TECHNOLOGY POLICY

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

UF Risk IT Assessment Guidelines

HHS Information System Security Controls Catalog V 1.0

Risk Management Policy and Framework

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Advantages and Disadvantages of Quantitative and Qualitative Information Risk Approaches

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

IT Security Incident Management Policies and Practices

Performing Effective Risk Assessments Dos and Don ts

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

Your Guide to Developing a Disaster Recovery Plan

Exam 1 - CSIS 3755 Information Assurance

Cybersecurity for Meaningful Use FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

1. The draft CAPR 1-2, Personally Identifiable Information, was posted on the NHQ website for comments from 20 Dec Jan 12.

Dr. Ron Ross National Institute of Standards and Technology

John Essner, CISO Office of Information Technology State of New Jersey

IMS-ISA Incident Response Guideline

Missouri Student Information System Data Governance

Managing IT Security with Penetration Testing

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB Cyber Risk Management Guidance. Purpose

Chapter 4 Information Security Program Development

Enterprise Security Governance. Robert Coles Chief Information Security Officer and Global Head of Digital Risk & Security

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

Computer Security course

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

Information Security Program

FISMA Implementation Project

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement.

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS

Information Security. Rick Aldrich, JD, CISSP Booz Allen Hamilton

Basics of Internet Security

Unit Guide to Business Continuity/Resumption Planning

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

Office of Inspector General

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

ISO Controls and Objectives

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Risk Management Policy

White Paper An Enterprise Security Program and Architecture to Support Business Drivers

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

UF IT Risk Assessment Standard

Legislative Language

Application Security in the Software Development Lifecycle

Periodic risk assessment by internal audit

a Medical Device Privacy Consortium White Paper

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

University of Sunderland Business Assurance Information Security Policy

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

Continuity Planning and Disaster Recovery

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

ISO Information Security Management Systems Foundation

System Security Certification and Accreditation (C&A) Framework

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

Information Resource Management Directive USAP Contingency & Disaster Recovery Program

CMS Information Security Risk Assessment (RA) Methodology

Information Security Services

787 Wye Road, Akron, Ohio P F

Subject: Internal Audit of Information Technology Disaster Recovery Plan

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Security Control Standard

DETAILED RISK ASSESSMENT REPORT

California State University, Chico. Information Security Incident Management Plan

Cybersecurity Awareness. Part 1

Chapter I: Fundamentals of Business Continuity Management

Information Security Incident Management Guidelines

Information Security for IT Administrators

Information Security: Business Assurance Guidelines

Technical Proposition. Security

United States Antarctic Program Information Resource Management Directive The USAP Information Security Program

Transcription:

Risk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C. Burget September 14, 2014 1

Agenda Information Assurance Confidentiality Integrity Availability Selecting Projects Determining criticality Impact Likelihood Summary Acknowledgements 2

Information Assurance Managing risk related to the systems that use, process, store, and transmit data NASA s focus Protect data and systems from threats Ensure continuity of operations What are some common threats? Internal System Architecture Developers Users External Natural Disasters Espionage Hacktivism 3

Security Policy 4

Confidentiality Could the entity allow for the unauthorized disclosure of sensitive information to do harm to agency operations, agency assets, or individuals? Could the entity allow for the unauthorized disclosure of information to gain control of agency assets that might result in unauthorized modification of information, destruction of information, or denial of system services that would result in harm to agency operations, agency assets, or individuals? 5

Integrity Could the entity allow for unauthorized modification or destruction of information to do harm to agency operations, agency assets, or individuals? Notes: The most serious impacts of integrity compromise occur when some action is taken that is based on the modified information or the modified information is disseminated to other organizations or the public. Undetected loss of integrity can be catastrophic for many information types. The consequences of integrity compromise can be either direct (e.g., modification of a financial entry, medical alert, or criminal record) or indirect (e.g., facilitation of unauthorized access to sensitive or private information or deny access to information or information system services). Malicious use of write access to information and information systems can do enormous harm to an agency s mission and can be employed to use an agency system as a proxy for attacks on other systems. In many cases, the consequences of unauthorized modification or destruction of information to agency mission functions and public confidence in the agency can be expected to be limited. In other cases, integrity compromises can result in the endangerment of human life or other severe consequences. The impact can be particularly severe in the case of time-critical information. 6

Availability Could the entity contribute to the withholding or disruption of access to or use of information or services to do harm to agency operations, agency assets, or individuals? Notes: For many information types and information systems, the availability impact level depends on how long the information or system remains unavailable. Undetected loss of availability can be catastrophic for many information types. For example, permanent loss of budget execution, contingency planning, continuity of operations, service recovery, debt collection, taxation management, personnel management, payroll management, security management, inventory control, logistics management, or accounting information databases would be catastrophic for almost any agency. Complete reconstruction of such databases would be time consuming and expensive. In most cases, the adverse effects of a limited-duration availability compromise on an organization s mission functions and public confidence will be limited. In contrast, for time-critical information types, availability is less likely to be restored before serious harm is done to agency assets, operations, or personnel (or to public welfare). In such instances, the documented availability impact level recommendations should indicate the information is time-critical and the basis for criticality. 7

Selecting Projects IV&V services are expanding to projects of varying domains (e.g. ground systems, integrated networks, etc.) Somewhat different than the typical flight software projects supported in years past Crucial that IV&V processes mature such that they maintain applicability What kind of projects need Information Assurance? Those that store, use, process, or rely upon data What projects don t do that?? What risks exist to projects that provide for Information Assurance? Confidentiality Integrity Availability 8

Determining Criticality To determine criticality, the IV&V Program uses: Portfolio Based Risk Assessments (PBRA) Risk Based Assessments (RBA) o is used to create a mission-specific view to support planning and scoping of NASA IV&V Project work on each individual IV&V Project. o Results in a risk score for each system/software entity for a particular mission based on Impact categories of: Performance personnel safety operational software control Likelihood categories of Complexity Testability Degree of innovation Developer characteristics 9

Why Incorporate the IA Perspective? Criteria tailored to allow for a thorough assessment of the system entities and their potential risk as it relates to maintaining system security/information assurance. Some aspects of security (e.g. integrity and availability) could be assessed per the existing impact criteria for performance Separately rating the entities based on their overall contribution to the system security to include confidentiality, integrity, & availability forces the individual perspective 10

Impact Criteria Impact Very Low(1) Low (2) Moderate (3) High (4) Very High (5) SEC - System Security / Information Assurance (CIA - Confidentiality, Integrity, and Availability) No effect on Information Assurance The loss of C or I or A could be expected to have a limited adverse effect on mission capabilities, organizational operations, organizational assets, or individuals The loss of C or I or A could be expected to have a serious adverse effect on mission capabilities, organizational operations, organizational assets, or individuals The loss of C or I or A could be expected to have a severe adverse effect on mission capabilities, organizational operations, organizational assets, or individuals The loss of C or I or A could be expected to have a catastrophic adverse effect on mission capabilities, organizational operations, organizational assets, or individuals Elaborated Criteria Does not cause degradation of mission capability but may cause user inconvenience A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: A severe adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: A catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: 11 (i) cause a degradation in mission capability to an extent and duration that the organization or mission is able to perform its primary objectives, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational or mission assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals. See FIPS-199 further amplification (i) cause a significant degradation in mission capability to an extent and duration that the organization or mission is able to perform its primary objective(s), but the effectiveness is significantly reduced; (ii) result in significant damage to organizational or mission assets; (iii) result in significant financial loss (Ex: Loss of sensitive data (Intellectual Property), Incurred recovery costs after incident); or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries (Should also be classified under Personnel Safety if the security of it can affect human life). See FIPS-199 further amplification (i) cause a severe degradation in mission capability to an extent and duration that the organization or mission is not able to perform one or more of its primary objectives; (Ex: Marginal loss of agency s reputation, Loss of multiple mission objectives) (ii) result in major damage to organizational or mission assets; (iii) result in severe harm to individuals involving loss of life or serious life threatening injuries (Should also be classified under Personnel Safety if the security of it can affect human life). See FIPS-199 further amplification (i) cause a loss of mission capability to an extent and duration that the organization or mission is not able to perform its primary objectives; (Ex: Substantial loss of agency s reputation, Loss of asset, Loss of all primary objectives(s), Loss of sensitive data) (ii) result in major damage to organizational or mission assets; (iii) result in major financial loss (Ex: Loss of sensitive data (Intellectual Property), Incurred recovery costs after incident); or (iv) result in catastrophic harm to individuals involving loss of life or serious life threatening injuries (Should also be classified under Personnel Safety if the security of it can affect human life). See FIPS-199 further amplification

Scoring Impact Impact = max (PS, SEC, average (P, OSC)) PS = Personnel Safety P = Performance OSC = Operational Software Control SEC = Security When assessing impact referencing the FIPS categorization can aid in determining the potential impact that the loss of C, I, or A could be to a mission/organization. If available the information type identified in the FIPS categorization can be linked to the PBRA capability / RBA entity which can support your assessment on what the impact would be (Low, Moderate, or High) if a loss of C, I, or A occurs. 12

Likelihood Criteria Likelihood Very Low(1) Low (2) Moderate (3) High (4) Very High (5) Security Posture The system has a mature security infrastructure with well documented controls which have been evaluated for completeness and accuracy. A security vulnerability cannot be exploited The system is not exposed and not a target for threats The system has a well-defined security infrastructure and has a small number of accepted risks. A security vulnerability is unlikely to be exploited The system has limited exposure and is an unlikely target for threats The system has a security plan, but it also has a large number of risks to be accepted. A security vulnerability is somewhat likely to be exploited The system is moderately exposed and a moderate target for threats The system does not have a welldefined security infrastructure, but a system security plan has been drafted. A security vulnerability is likely to be exploited The system is somewhat visible, has some exposure, and is a potential target for threats Infrastructure encompasses security requirements, architecture, concept of operations, etc. The system has no security infrastructure and has no system security plan. A security vulnerability is highly likely to be exploited The system is highly visible, exposed, and a prime target for threats Elaborated Criteria Likelihood from IA perspective can be thought of from two perspectives: The likelihood of occurrence which can be driven down by having a mature security infrastructure and implementing proper security controls. The second perspective is the likelihood of exploitation if the vulnerability exists. Both of these perspectives should be considered when determining the likelihood. For example, the likelihood of occurrence could be high but the likelihood of exploitation could be low due various factors. Some examples (but not limited to) that may contribute to likelihood for becoming a target for threats: importance of data (sensitive, classified, etc.), physical location, isolated network, and access to internet. Threats also include environmental / natural disasters, etc. 13

Scoring Likelihood Likelihood = max (SP, average (Complexity, Testability, Degree of Innovation, Development Characteristics) SP = Security Posture 14

Summary Adding IA specific criteria forces the perspective for IV&V More rigor in defining criticality Supports FIPS & industry best practices 15

Acknowledgements Brandon Bailey Information Assurance Analysis Techniques CD lead Roger Harris SGSS IV&V Project Manager SGSS IV&V Team 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information