SECURITY ASSESSMENT OF AUDIOVISUAL CONTROL AND DISTRIBUTION IN THE RISK MANAGEMENT FRAMEWORK


SECURITY ASSESSMENT OF AUDIOVISUAL CONTROL AND DISTRIBUTION IN THE RISK MANAGEMENT FRAMEWORK Paul Zielie Manager, Enterprise Solutions Harman Professional 11/16/2015

GOVERNMENT TEAM
Paul Cantwell, VP, Government Sales, 240.676.4001, Paul.Cantwell@harman.com
Whitney Michener, Marketing Manager, Government, 603.988.7849, Whitney.Michener@harman.com
Sonny Lastrella, Director, Army Programs, 303.856.6996, Sonny.Lastrella@harman.com
Troy Trujillo, Director, Air Force Programs, 202-595-4666, Troy.Trujillo@harman.com
Kevin Felts, Director, Navy/USMC Programs, 858.249.9620, Kevin.Felts@harman.com
Richard Gatchell, Director, Civilian Programs, 240.299.2429, Richard.Gatchell@harman.com
Bobby Ramoz, Government Channels, 214.914.9419, Bobby.Ramoz@harman.com
Jon Parker, Government Inside Sales, 469.624.6518, Jon.Parker@harman.com

HISTORY
- Traditionally, AV has been an isolated application: proprietary communications (AXLink), RS232, IR, relay.
- When Ethernet was introduced, the AV industry continued to treat AV as an isolated application.
- Growing trends require AV to interact with the enterprise network: unified communications, cloud-based applications, enterprise management.

TODAY

REQUIREMENTS FOR AV / IT SECURITY
Organizational expectations: As AV systems are migrated onto enterprise data networks, user organizations expect the AV system to maintain a security posture in alignment with their security goals.
Best practice vs. regulatory compliance: In many cases these practices are more than a matter of business best practice; they may be a matter of regulatory compliance. Non-compliance is a major impediment for the end customer and may in some cases disallow installation.

COMPLIANCE STANDARDS
- FISMA (Federal Information Security Management Act of 2002)
  - Risk Management Framework (RMF)
  - Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53 Rev. 4)
  - FIPS-140-2
  - FIPS-197 (AES)
- National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS)
- Department of Defense (DoD) Risk Management Framework (RMF)
  - Security Technical Implementation Guides (STIGs)
  - Common Criteria (NIAP)
  - Control Correlation Identifiers (CCIs), NIST SP 800-53 Appendix F
  - Unified Communications Approved Product List (UC APL)
- ISO 27000 series standards

DOD RMF IMPLEMENTATION
Department of Defense Instruction (DoDI) 8510.01, March 12, 2014:
- Establishes an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF).
- Replaced the DoD Information Assurance Certification and Accreditation Process (DIACAP).
- Applies to all organizational entities within the Department of Defense and all DoD IT assets which receive, process, store, display, or transmit DoD information.

DOD CONTROL GUIDELINES
- IT products will be configured in accordance with applicable Security Technical Implementation Guides (STIGs) under a cognizant Information System Security Manager (ISSM) and Security Control Assessor (SCA).
- STIGs are product-specific and document applicable DoD policies and security requirements, as well as best practices and configuration guidelines.
- STIGs are associated with security controls through Control Correlation Identifiers (CCIs), referenced in NIST SP 800-53 Appendix F.
- Security Requirements Guides (SRGs) are developed by DISA to provide general security compliance guidelines and serve as source guidance documents for STIGs. When a STIG is not available for a product, an SRG may be used.
- STIG and SRG compliance results for products will be documented as security control assessment results within a product-level Security Assessment Report (SAR).
- A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

CHALLENGES
There is no standardized security control guidance for non-business IT-related products. This forces every installation to be treated as an exception to policy, with local security authorities interpreting the security requirements and accreditation. The result:
- Additional paperwork
- Market confusion
- Inconsistent customer expectations

RISK MANAGEMENT FRAMEWORK (RMF)
Security control catalog:
- Access Control (AC) (1-25)
- Awareness and Training (AT) (1-5)
- Audit and Accountability (AU) (1-16)
- Security Assessment and Authorization (CA) (1-9)
- Configuration Management (CM) (1-11)
- Contingency Planning (CP) (1-13)
- Identification and Authentication (IA) (1-11)
- Incident Response (IR) (1-9)
- Maintenance (MA) (1-6)
- Media Protection Policy and Procedures (MP) (1-8)
- Physical and Environmental Protection (PE) (1-20)
- Security Planning Policy and Procedures (PL) (1-9)
- Personnel Security Policy and Procedures (PS) (1-8)
- Risk Assessment (RA) (1-6)
- System and Services Acquisition (SA) (1-22)
- System and Communications Protection (SC) (1-44)
- System and Information Integrity (SI) (1-17)
Information security programs:
- Program Management Controls (PM) (1-16)
Privacy control catalog:
- Authority and Purpose (AP) (1-2)
- Accountability, Audit, and Risk Management (AR) (1-8)
- Data Quality and Integrity (DI) (1-2)
- Data Minimization and Retention (DM) (1-3)
- Individual Participation and Redress (IP) (1-4)
- Security (SE) (1-2)
- Transparency (TR) (1-3)
- Use Limitation (UL) (1-2)
254 42

RMF PROCESS
Step 1: Categorize (Committee on National Security Systems (CNSS) Instruction No. 1253)
Step 2: Select an initial set of baseline security controls
Step 3: Implement the security controls and document how the controls are implemented
Step 4: Assess the security controls using appropriate procedures
Step 5: Authorize
Step 6: Monitor on an ongoing basis

STEP 1: CATEGORIZE
Committee on National Security Systems (CNSS) Instruction No. 1253, Security Categorization and Control Selection for National Security Systems: impact on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States, assessed for Confidentiality, Integrity and Availability.
DoDD 8500.1 classification:
- IT products: individual elements (including applications) and devices which perform control, communications, or computing functions in a DoD environment.
- IT services: IT services outside the service user organization's authorization boundary.
- Platform IT (PIT): computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems. An IT system or IT component cannot be classified as Platform IT simply because it is stand-alone. (DoDD 8500.1)

STEP 2: SELECT
Select an initial set of baseline security controls.
- Interaction: Access Control (AC) (1-25), Identification and Authentication (IA) (1-11), Configuration Management (CM) (1-11), Maintenance (MA) (1-6)
- Data flows: Identification and Authentication (IA) (1-11), System and Communications Protection (SC) (1-44)
- System protections: Configuration Management (CM) (1-11), Maintenance (MA) (1-6), System and Communications Protection (SC) (1-44), Access Control (AC) (1-25)
- Audit: Audit and Accountability (AU) (1-16)
Sources: SP 800-53, CCI, FISMA, FIPS, DoDI 8510, SRG, STIG

EXAMPLE: PASSWORD POLICY
- IA-1 Identification and Authentication Policy and Procedures
- IA-2 Identification and Authentication (Organizational Users)
- IA-3 Device Identification and Authentication
- IA-5 Authenticator Management
- IA-6 Authenticator Feedback
- IA-7 Cryptographic Module Authentication
- IA-8 Identification and Authentication (Non-Organizational Users)
- IA-9 Service Identification and Authentication
- IA-10 Adaptive Identification and Authentication
- IA-11 Re-Authentication

EXAMPLE: PASSWORD POLICY
IA-5 Authenticator Management, Control Enhancements:
(1) The information system, for password-based authentication:
  (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
  (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
  (c) Stores and transmits only cryptographically-protected passwords;
  (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
  (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
  (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

EXAMPLE: PASSWORD POLICY
Specific Control | Severity | SP 800-53v4 | CCI | SRG
The operating system must enforce password complexity by requiring that at least one upper-case character be used. | CAT II | IA-5 (1) (a) | CCI-000192 | SRG-OS-000069-GPOS-00037
The operating system must enforce password complexity by requiring that at least one lower-case character be used. | CAT II | IA-5 (1) (a) | CCI-000193 | SRG-OS-000070-GPOS-00038
The operating system must enforce password complexity by requiring that at least one numeric character be used. | CAT II | IA-5 (1) (a) | CCI-000194 | SRG-OS-000071-GPOS-00039
The operating system must enforce a minimum 15-character password length. | CAT II | IA-5 (1) (a) | CCI-000205 | SRG-OS-000078-GPOS-00046
The operating system must require the change of at least eight of the total number of characters when passwords are changed. | CAT II | IA-5 (1) (b) | CCI-000195 | SRG-OS-000072-GPOS-00040
The operating system must store only encrypted representations of passwords. | CAT II | IA-5 (1) (c) | CCI-000196 | SRG-OS-000073-GPOS-00041
The operating system must transmit only encrypted representations of passwords. | CAT II | IA-5 (1) (c) | CCI-000197 | SRG-OS-000074-GPOS-00042
Operating systems must enforce 24 hours/1 day as the minimum password lifetime. | CAT II | IA-5 (1) (d) | CCI-000198 | SRG-OS-000075-GPOS-00043
Operating systems must enforce a 60-day maximum password lifetime restriction. | CAT II | IA-5 (1) (d) | CCI-000199 | SRG-OS-000076-GPOS-00044
The operating system must prohibit password reuse for a minimum of five generations. | CAT II | IA-5 (1) (e) | CCI-000200 | SRG-OS-000077-GPOS-00045
The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | CAT II | IA-6 | CCI-000206 | SRG-OS-000079-GPOS-00047

EXAMPLE: PASSWORD POLICY
IA-5 Authenticator Management, Control Enhancements:
(1) The information system, for password-based authentication:
  (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
SP 800-53v4 | CCI | Specific Control
IA-5 (1) (a) | CCI-000192 | The operating system must enforce password complexity by requiring that at least one upper-case character be used.
IA-5 (1) (a) | CCI-000193 | The operating system must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 (1) (a) | CCI-000194 | The operating system must enforce password complexity by requiring that at least one numeric character be used.
IA-5 (1) (a) | CCI-000205 | The operating system must enforce a minimum 15-character password length.
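The three password-policy slides above show how one SP 800-53 enhancement, IA-5 (1), fans out into individually testable CCIs with concrete STIG values. The following Python is an added example, not code from the slides or from Harman/AMX, that turns those tabulated values (15 characters, 8 changed characters, 5 generations, 1-day minimum and 60-day maximum lifetime) into checks that report which CCI a proposed password change would violate. Everything beyond the slide's values is an assumption for illustration: the function names, the positional definition of a "changed character", and the use of salted PBKDF2 so that the reuse history holds no plaintext (the storage half of IA-5 (1) (c)).

```python
"""Checks for the IA-5 (1) password requirements tabulated on the slides.

Constants mirror the STIG values shown there. Function names, the positional
"changed characters" rule and the PBKDF2 history store are assumptions made for
this example; PAM modules and directory services apply their own definitions.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 15            # CCI-000205
MIN_CHANGED_CHARS = 8      # CCI-000195
HISTORY_GENERATIONS = 5    # CCI-000200
MIN_LIFETIME_DAYS = 1      # CCI-000198
MAX_LIFETIME_DAYS = 60     # CCI-000199
PBKDF2_ROUNDS = 100_000    # assumed work factor for the stored history


def hash_password(password, salt=None):
    """Return (salt, digest). Only this pair is stored, never the plaintext
    (CCI-000196: store only encrypted representations of passwords)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(candidate, history):
    """True if candidate re-hashes to any stored (salt, digest) pair.
    A constant-time comparison avoids leaking which entry matched."""
    for salt, digest in history:
        _, cand_digest = hash_password(candidate, salt)
        if hmac.compare_digest(cand_digest, digest):
            return True
    return False


def changed_characters(old, new):
    """Positions at which the two strings differ; characters beyond the shorter
    string's length count as changed. This positional rule is an assumption."""
    positional = sum(1 for a, b in zip(old, new) if a != b)
    return positional + abs(len(old) - len(new))


def check_password_change(new, current, history, days_since_change):
    """Return the CCIs a proposed change would violate (empty list = compliant).

    new:               the proposed password
    current:           the current password in plaintext, available only at
                       change time because the user has just supplied it
    history:           (salt, digest) pairs for recent passwords, most recent
                       first; plaintexts are never retained
    days_since_change: age of the current password in whole days
    """
    failures = []
    if not any(c.isupper() for c in new):
        failures.append("CCI-000192")
    if not any(c.islower() for c in new):
        failures.append("CCI-000193")
    if not any(c.isdigit() for c in new):
        failures.append("CCI-000194")
    if len(new) < MIN_LENGTH:
        failures.append("CCI-000205")
    if changed_characters(current, new) < MIN_CHANGED_CHARS:
        failures.append("CCI-000195")
    if days_since_change < MIN_LIFETIME_DAYS:
        failures.append("CCI-000198")
    if in_history(new, history[:HISTORY_GENERATIONS]):
        failures.append("CCI-000200")
    return failures


def password_expired(days_since_change):
    """Maximum-lifetime check (CCI-000199), evaluated at logon, not at change time."""
    return days_since_change > MAX_LIFETIME_DAYS


if __name__ == "__main__":
    # Constructed sample data for a control-room account; not real credentials.
    previous = ["Spring2015Projector!", "Winter2014Projector!"]
    current = "Summer2015Projector!"
    history = [hash_password(p) for p in [current] + previous]
    print(check_password_change("conferenceroom7", current, history, 3))
    print(check_password_change("Spring2015Projector!", current, history, 3))
    print(check_password_change("Rm7-Display-Zone2-Ops", current, history, 3))
```

The returned CCI list is what an assessor wants in a product-level SAR: each finding maps back to a CCI, and from there to the SP 800-53 control and the SRG/STIG line, rather than to a free-text "password rejected". Note that CCI-000197 (transmit only encrypted representations) and CCI-000206 (obscure feedback) are properties of the transport and the login UI, so they are not expressed in this checker.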

STEP 3: IMPLEMENT
Implement the security controls and document how the controls are implemented.
Mission owner(s) must translate security controls into system specifications, ensure the successful integration of those specifications into the system design, and ensure security engineering trades do not impact the ability of the system to meet the fundamental mission requirements. (DoDI 8510.01)

STEP 4: ASSESS
Assess the security controls using appropriate procedures.

STEP 5: AUTHORIZE
STEP 6: MONITOR
Monitor on an ongoing basis.

AV / IT SECURITY QUESTIONS?

COLLATERAL
- http://www.amx.com/automate/workbook-securitynetworked-av.aspx
- http://www2.amx.com/avsecuritypart2
- Risk Analysis Worksheet: http://www2.amx.com/avsecurityreq

COLLATERAL www.amx.com/automate/workbook-security-networked-av.aspx

COLLATERAL http://www2.amx.com/avsecuritypart2

COLLATERAL Risk Analysis Worksheet www2.amx.com/avsecurityreq

REFERENCES
- http://iase.disa.mil/stigs/cci/pages/index.aspx
- http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf