Data-Centric Enterprise Approach to Risk Management
Gregory G. Jackson, Sr. Cyber Analyst, Cyber Engineering Division, Dynetics Inc.
May 2012 (Updated)
About the Author
Gregory G. Jackson is a senior cyber analyst at Dynetics Inc. in Huntsville, Alabama. He served in the U.S. Air Force for more than 20 years in a variety of intelligence and communications assignments. Since retiring from the Air Force in 2001, Jackson has served a range of U.S. government and contractor customers working within various cybersecurity regulatory regimes, including DITSCAP, DIACAP, NIST, and FISMA. Jackson serves as chief architect of the data-centric approach to certification and accreditation and risk management, as well as the Dynetics AssuredCompliance software products, described in this whitepaper.
The Data-Centric Enterprise Approach to Risk Management
Managing risk in an enterprise can be a daunting task. The process includes everything from identifying threats, implementing controls, developing artifacts such as security assessment reports, plans of action and milestones (POA&M), and authorization/accreditation packages, to continuous monitoring to maintain situational awareness. For many in the cybersecurity field, the risk management process is an endless cycle of documentation that results in a loss of focus on the real task at hand, namely, maintaining security across the enterprise.
But there is a better approach to risk management. It is a data-centric approach that leverages the power of industry-standard data management and business intelligence technologies, informed by a deep understanding of real-world information security, to transform today's disjointed, manually oriented certification and accreditation (C&A) and risk management activities into a consistent, repeatable business process for managing risks within the enterprise.
Based on a dozen years' cybersecurity experience with some of the most security-conscious customers in the world, Dynetics has designed a data-centric enterprise approach to C&A/risk management, which is modeled after the U.S. Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) and the Risk Management Framework as defined by the National Institute of Standards and Technology (NIST) in Special Publications 800-39 and 800-37. Simply put, this approach uses data gathered from validation activities to drive the automatic creation of scorecards, security assessment reports, POA&Ms, and authorization and accreditation packages. This approach also enables the auto-generation of dashboards for dynamic, role-based management and visibility of risk information throughout the enterprise. The Dynetics approach and tools support both the DoD and federal NIST processes.
Dynetics didn't set out to develop a new approach to C&A and risk management, much less new software for these purposes. In fact, Dynetics has primarily been a provider of cybersecurity services, including independent vulnerability testing, risk data analysis, preparation of authorization/accreditation report packages, and information system security engineering. As the company's cybersecurity business expanded in recent years, automated tools became a necessity for keeping pace with customer requirements. Unfortunately, a tool search revealed that available commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) tools did not actually automate and streamline processes. Available tools did not make a material difference in the workflow, because the approach upon which the tools were based was only designed to provide templates for manual input of data or repositories for storing manually created artifacts. None of the available COTS and GOTS products was designed to use compliance data to automate the C&A/risk management process. This marketplace reality motivated Dynetics to develop in-house tools that supported a real-world C&A/risk management process that was efficient, accurate, and consistent. Thus, the enterprise data-centric approach was developed.
Origins of the data-centric approach
Before Dynetics developed the data-centric approach to C&A/risk management, approximately four months were required to plan compliance test events, execute the collection of validation data, reduce and analyze compliance data, and provide high-level reports to customers. For the efficiency reasons outlined above, Dynetics cybersecurity professionals developed a process and accompanying in-house
tools to bring more and more efficiency, accuracy, and consistency to the process. As a result, Dynetics reduced the time required for the entire process to approximately 20 business days, and this included delivery of a complete authorization/accreditation package. No magic was involved in reducing the C&A/risk management project from 100 or more to 20 working days. Dynetics achieved common-sense efficiencies by eliminating the redundant tasks inherent in a manual approach. The strategies developed during the analysis phase to eliminate or mitigate validated risks were captured and utilized throughout the rest of the process. This eliminated the need to re-enter the data into POA&Ms. This enabled the automatic creation of artifacts from analyzed data and introduced accuracy by eliminating the potential for errors when manually entering analysis results into security assessment reports, POA&Ms, authorization/accreditation packages, and other artifacts.
[Figure: Workdays to Complete C&A Projects Before and After Data-Centric Approach Implemented. Legend: Workdays before Data-Centric Approach; Workdays after Data-Centric Approach; Total Workdays before Data-Centric Approach; Total Workdays after Data-Centric Approach]
Ultimately, Dynetics brought an entirely new level of consistency to this process by developing an analyst tool that could store vulnerability mapping information. As a result, when analysts completed their analysis of vulnerabilities, they could match, or map, individual findings to the security control made non-compliant by the findings. This mapping was then saved and used each time new validated data was introduced to the system. When a previously analyzed vulnerability was identified in new scans, Dynetics consistently reported the same non-compliant control. Of course, greater efficiency and consistency brought significant time and cost savings, plus the ability to undertake more work without increasing staffing.
These accomplishments were the result of implementing a data-centric approach to C&A/risk management, as conceptualized and implemented by a team of highly skilled information security analysts. This same team also created and managed a software development process that has now taken in-house tools and transformed them into a suite of COTS software products for DIACAP and NIST C&A and risk management throughout the enterprise.
The technology foundation of the data-centric approach
The technology foundation of the Dynetics data-centric approach involves three web-based software applications collectively known as Dynetics AssuredCompliance. In short, the three applications are:
- Interrogator: used to gather non-technical audit data from interviews, documentation, and observations through an expert question-and-answer approach commonly used in tools such as those for tax preparation
- Analyzer: used for detailed analysis of audit data from interviews, documentation, and observations, along with technical scan data collected using standard COTS and GOTS vulnerability scanning products
- Knowledge Manager: used as the single, authoritative data management system for ongoing C&A/risk management; once analysis of gathered audit and technical scan data has been performed in Analyzer, output flows directly into Knowledge Manager via industry-standard XML-formatted data, which is used throughout AssuredCompliance; Knowledge Manager provides dynamic visibility into the C&A and risk management process for all stakeholders throughout the enterprise.
Dynetics AssuredCompliance supports the entire C&A/risk management process, providing automation of back-end audit and analysis functions as well as front-end knowledge management for stakeholders throughout the enterprise. AssuredCompliance provides this end-to-end support through its use of the data-centric approach to C&A/risk management. Key to the capabilities of each AssuredCompliance product is its data-centric foundation on Microsoft SQL Server. This structure can support an agency as large as the U.S. Army or as small as an organization whose designated approving authority or authorizing official is responsible for 10 or fewer enclaves.* AssuredCompliance is engineered to accept data at the asset/system location level and then roll up data into aggregate views at multiple hierarchical levels, providing dynamic management and visibility of the risk management process throughout the enterprise.
*An enclave is an accreditation or authorization boundary that can encompass standalone assets and information systems or multiple, networked assets and information systems.
Risk Management Framework
The Dynetics data-centric enterprise approach and the AssuredCompliance products that serve as the technology foundation for the approach support the entire C&A and risk management process for the DoD and federal communities, per DIACAP and the Risk Management Framework defined by NIST Special Publications 800-37 and 800-39.
[Figure: DIACAP]
Supporting the risk management process in 5 steps
AssuredCompliance and the data-centric approach support the entire risk management process from both the DoD and federal perspectives, as prescribed by DIACAP and NIST SP 800-37 and 800-39. The following outlines this support:
The first step in the risk management process is to initiate, plan, and categorize information on the asset or information system being managed and then select a baseline set of security controls to protect the information about that asset. AssuredCompliance Knowledge Manager enables users to accomplish this step.
Dynetics AssuredCompliance Knowledge Manager supports the first step in the risk management process by enabling users to initiate, plan, categorize, and manage C&A and risks for information on assets or information systems throughout their lifecycles from a single, authoritative data management system for the enterprise. Within Knowledge Manager, users interact with the asset manager to identify the categorization of assets, select initial sets of baseline security controls, identify security teams, define assets, and develop implementation plans to ensure security is built into assets from the beginning of their development lifecycles. Much of the process cannot be automated at this stage. However, because the data-centric approach is designed around a consolidated database, information captured during this phase remains a living component of the asset throughout its lifecycle, as a viable part of continuous monitoring efforts as well as future accreditation decisions. The asset manager within Knowledge Manager also enables users to track the current authorization/accreditation of assets, even providing an interface to manage artifacts and interconnections. Knowledge Manager also allows users to create workflows to track progress in particular parts of the process.
From the Knowledge Manager asset management interface, users can also document how controls are to be implemented, who is responsible for the implementation, and what funds will be required. Common or inherited controls can also be managed in
the asset manager. Once the asset profile has been built and an implementation plan created, users proceed to the second step of the risk management process: to implement baseline controls and validate that implemented controls are actually working.
The process of validating, or assessing, the controls can be grouped into four independent but interrelated data-gathering activities: Interviews of key personnel, reviews of Documentation, making visual Observations, and gathering Technical data through the use of network and host-based vulnerability scan tools. In fact, it is this IDO&T data that drives the data-centric approach to C&A/risk management.
The most formidable part of the data-gathering process is the non-technical activity of compiling the IDO data. When executed correctly, this thorough process will take an average of 30 hours to complete. In the case of a first-time look at an enclave, this process will typically exceed 50 hours. Gathering IDO data involves security analysts as well as key personnel associated with the asset throughout the enterprise. Because of this extensive investment in time and resources, it is imperative that the results of the IDO process are captured in a manner that permits the IDO data to be used later in the validation process without manually re-entering it. For this reason, Dynetics developed AssuredCompliance Interrogator.
Dynetics AssuredCompliance Interrogator serves as an expert system, designed and built by senior cybersecurity professionals, to simulate and automate the interview, documentation, and observation process undertaken to determine an asset's compliance with non-technical security controls. Interrogator is designed as an expert system that capitalizes on the experience and knowledge of senior cyber analysts to capture the questions an analyst would ask an interviewee to determine an asset's compliance with a single security control. Senior analysts who build and maintain Interrogator
use security control definitions in conjunction with the validation or assessment procedures to develop the question set. Questions are arranged in a parent-child relationship so that a response to a parent question determines which follow-up, or child, questions become relevant. Each question is focused on a single objective and is written in such a way as to elicit a yes or no response. Interrogator also accommodates instances in which quantitative answers are required, such as the length of passwords used within the enclave, by permitting users to predefine appropriate quantitative responses.
Users interact with Interrogator through a graphical user interface to respond to questions and upload artifacts to support their responses. When all relevant questions for a given test event have been answered, users save a report that displays all gathered information, organized by security control and containing references to supporting artifacts. This report can be a valuable tool for future security inspections. The primary output from Interrogator is an XML file, which can be imported into Knowledge Manager or Analyzer. The most common use of the XML file is to import it into the AssuredCompliance Analyzer.
Dynetics AssuredCompliance Analyzer supports the cybersecurity analyst's role in C&A/risk management, acting as the single tool into which all compliance data can be imported to accomplish automated formatting of disparate data into a common XML format, detailed analysis, mapping of vulnerabilities to security controls, and saving of those mappings for future reuse.
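As an added illustration, not Interrogator's own code or data model, the following Python sketches the question structure described above: each question supports exactly one control, child questions become relevant only when their parent is answered "yes", quantitative questions carry a predefined acceptable minimum, and the answered set rolls up to one status per control and to an XML record of the kind a downstream analysis tool could import. The question text, the control identifiers (written in NIST SP 800-53 style only for familiarity), and the 14-character threshold are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Answer = Union[bool, int]


@dataclass
class Question:
    qid: str
    control: str                   # the one control this question helps assess (illustrative IDs)
    text: str
    parent: Optional[str] = None   # child questions are relevant only if the parent was answered "yes"
    minimum: Optional[int] = None  # quantitative questions: predefined acceptable minimum value


# Constructed question bank for the example. A real bank is written from the control
# definitions and their assessment procedures, one objective per question.
QUESTIONS: List[Question] = [
    Question("Q1", "IA-5", "Is a password policy enforced on the enclave?"),
    Question("Q1.1", "IA-5", "What minimum password length is enforced?", parent="Q1", minimum=14),
    Question("Q1.2", "IA-5", "Is the policy documented and approved?", parent="Q1"),
    Question("Q2", "AT-2", "Is security awareness training delivered annually?"),
    Question("Q2.1", "AT-2", "Are training completion records retained?", parent="Q2"),
]


def is_relevant(q: Question, by_id: Dict[str, Question], answers: Dict[str, Answer]) -> bool:
    """A question is asked only when every ancestor was answered 'yes'."""
    while q.parent is not None:
        if answers.get(q.parent) is not True:
            return False
        q = by_id[q.parent]
    return True


def passes(q: Question, answer: Answer) -> bool:
    """Yes/no questions pass on True; quantitative ones pass at or above the predefined minimum."""
    if q.minimum is not None:
        return isinstance(answer, int) and not isinstance(answer, bool) and answer >= q.minimum
    return answer is True


def evaluate(questions: List[Question], answers: Dict[str, Answer]) -> Dict[str, str]:
    """Roll answers up to one status per control: C (compliant), NC, or INCOMPLETE.
    Any failed relevant question makes the control NC; an unanswered relevant question
    leaves it INCOMPLETE unless something already failed."""
    by_id = {q.qid: q for q in questions}
    status: Dict[str, str] = {}
    for q in questions:
        status.setdefault(q.control, "C")
        if not is_relevant(q, by_id, answers):
            continue
        if q.qid not in answers:
            if status[q.control] == "C":
                status[q.control] = "INCOMPLETE"
        elif not passes(q, answers[q.qid]):
            status[q.control] = "NC"
    return status


def to_xml(questions: List[Question], answers: Dict[str, Answer]) -> str:
    """Serialize the test event, grouped by control, for import into an analysis tool."""
    by_id = {q.qid: q for q in questions}
    root = ET.Element("testEvent")
    for control, st in sorted(evaluate(questions, answers).items()):
        node = ET.SubElement(root, "control", id=control, status=st)
        for q in questions:
            if q.control == control and q.qid in answers and is_relevant(q, by_id, answers):
                ET.SubElement(node, "response", qid=q.qid).text = str(answers[q.qid])
    return ET.tostring(root, encoding="unicode")


def xml_summary(xml_text: str) -> Dict[str, Tuple[str, int]]:
    """Read the export back: control id -> (status, number of recorded responses)."""
    root = ET.fromstring(xml_text)
    return {c.get("id"): (c.get("status"), len(c.findall("response"))) for c in root.findall("control")}


if __name__ == "__main__":
    weak = {"Q1": True, "Q1.1": 12, "Q1.2": True, "Q2": False}
    print(evaluate(QUESTIONS, weak))   # {'IA-5': 'NC', 'AT-2': 'NC'}
    print(to_xml(QUESTIONS, weak))
```

The relevance walk is what keeps the report honest: when a parent is answered "no" (training is not delivered), its children are never scored, so the control is non-compliant because of the parent alone rather than because of follow-up questions that were never applicable.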
As its name implies, Analyzer is the AssuredCompliance product in which analysis of all data that supports a test event takes place. The XML data imported from Interrogator accounts for all the IDO data. The technical data, or T data, is parsed directly into Analyzer from technical vulnerability scan tool output files through the use of plug-ins. By employing plug-ins to support third-party vulnerability
and network scanners, such as Nessus and eEye Retina, Dynetics can develop additional plug-ins to support new scanners, as necessary to support customers, without modifying Analyzer application source code. Once IDO and T data have been loaded against a test event in Analyzer, analysts can begin performing analysis on the data to determine the validity of each finding. This approach gives analysts a unique perspective, as it enables them to see all gathered data for a single test event in one interface. This is a significant improvement over the conventional method of analyzing disparate data formats through stovepipe analysis. The Analyzer approach enables users to map all valid findings to the single control that has been made non-compliant because of the identified exposure or vulnerability. Analysts can now conveniently and efficiently see all IDO&T findings that caused a particular control to be non-compliant and, thereby, enhance the accuracy of the risk recommended to the certifier for non-compliant controls.
Another important benefit of this application is the Analyzer Encyclopedia. As vulnerabilities are analyzed and mapped to a control, analysts can save their mapping to the encyclopedia. Down the road, Analyzer will use the encyclopedia to automatically map incoming findings to security controls based on saved mappings in the encyclopedia. This increases the efficiency of the analysis process by using previous analysis results to determine the non-compliant control.
As the single, authoritative data management system for the C&A/risk management process, Dynetics AssuredCompliance Knowledge Manager supports the compliance test data approval process and then automatically generates POA&Ms, scorecards, security assessment reports, and accreditation/authorization packages. All these artifacts and reports, as well as web-based dashboards, are dynamically managed and updated on an ongoing basis.
By leveraging this knowledge, analysts are only required to identify valid findings by eliminating false positives, determine risk to the system at the control level, and analyze previously unseen vulnerabilities to determine their mapping. With each successive test event, the Analyzer Encyclopedia becomes more and more mature, which reduces the number of vulnerabilities that have not been seen previously. The output from Analyzer is validated data in an XML format, which means that all findings are valid, each is mapped to a single security control, and that control has an associated risk to the enclave from the
analysts' perspective. The XML data from Analyzer is used as input to AssuredCompliance Knowledge Manager. Once in Knowledge Manager, the data goes through a two-stage approval process (test-team approval and certifier's approval), and then the POA&M, scorecard, and security assessment report or accreditation package are automatically created. These are living documents within Knowledge Manager, which are continually and automatically updated based on changes to data as a result of POA&M management or new assessment data. Specifically, as the status of controls changes in response to the elimination or mitigation of weaknesses in the POA&M, the dashboard and security assessment report or accreditation package update automatically to display the most up-to-date information. Conversely, the scorecard is only automatically updated when the changes identified in the ongoing management of the POA&M are validated through another assessment of the security controls.
This is the stage of the process where weaknesses are eliminated or mitigated, based on the security assessment, in an effort to reduce risk to the system. Knowledge Manager provides users with an easy-to-use interface for managing the status of each non-compliant and not-applicable control. On a day-to-day basis, C&A/risk management stakeholders can use the data-centric Dynetics AssuredCompliance Knowledge Manager to plan and manage elimination and mitigation of POA&M line items, as required to achieve C&A/risk management objectives. From this interface, the user can create a plan to eliminate or mitigate the issues that are causing a control to fail by developing individual tasks. Users can assign each task to a different technical point of contact, track funding at the task level, and even map individual findings that will be eliminated by the completion of the task. This ongoing process immediately updates the dashboard and enhances the security of the enterprise.
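As an added example, and not Analyzer or Knowledge Manager code, the Python below shows the mapping-encyclopedia idea from the preceding paragraphs end to end: an analyst maps each scanner signature to the single control it makes non-compliant once, the saved mapping is applied automatically to later test events, false positives and never-seen signatures are handled explicitly, and the validated result rolls up into a control scorecard and POA&M line items. The scanner signatures, hosts, finding titles, and baseline are constructed; the control identifiers follow NIST SP 800-53 naming only for familiarity.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    host: str
    signature: str        # scanner's stable identifier for the check (constructed values below)
    title: str
    valid: bool = True    # analyst sets False after ruling the finding a false positive


@dataclass
class Encyclopedia:
    """Saved analyst decisions: scanner signature -> the single control it makes non-compliant."""
    mappings: Dict[str, str] = field(default_factory=dict)

    def save_mapping(self, signature: str, control: str) -> None:
        self.mappings[signature] = control

    def control_for(self, signature: str) -> Optional[str]:
        return self.mappings.get(signature)


def analyze_test_event(findings: List[Finding], enc: Encyclopedia
                       ) -> Tuple[Dict[str, List[Finding]], List[Finding]]:
    """Apply saved mappings to one test event.
    Returns (by_control, unmapped): valid findings grouped by the control they fail, and
    valid findings whose signature has never been mapped and so need an analyst's decision."""
    by_control: Dict[str, List[Finding]] = {}
    unmapped: List[Finding] = []
    for f in findings:
        if not f.valid:
            continue                   # false positives never reach the control roll-up
        control = enc.control_for(f.signature)
        if control is None:
            unmapped.append(f)
        else:
            by_control.setdefault(control, []).append(f)
    return by_control, unmapped


def scorecard(baseline: List[str], by_control: Dict[str, List[Finding]]) -> Dict[str, str]:
    """One status per baseline control: NC if any valid finding maps to it, else C."""
    return {c: ("NC" if by_control.get(c) else "C") for c in baseline}


def poam(by_control: Dict[str, List[Finding]]) -> List[dict]:
    """One POA&M line item per non-compliant control, listing the affected hosts."""
    return [{"control": c, "hosts": sorted({f.host for f in fs}), "findings": len(fs)}
            for c, fs in sorted(by_control.items())]


# Illustrative baseline; identifiers follow NIST SP 800-53 naming only for familiarity.
BASELINE = ["IA-5", "SI-2", "CM-6"]


def demo() -> dict:
    """Two test events on constructed scan data: the first is analyzed by hand and its
    mappings saved; the second (a continuous-monitoring rescan) reuses them."""
    enc = Encyclopedia()
    event1 = [
        Finding("10.0.0.5", "SIG-1001", "Missing security update"),
        Finding("10.0.0.5", "SIG-2002", "Password minimum length below policy"),
        Finding("10.0.0.6", "SIG-1001", "Missing security update", valid=False),  # false positive
    ]
    _, review = analyze_test_event(event1, enc)   # empty encyclopedia: every valid finding is new
    enc.save_mapping("SIG-1001", "SI-2")           # analyst decisions, saved for reuse
    enc.save_mapping("SIG-2002", "IA-5")
    event2 = [
        Finding("10.0.0.7", "SIG-1001", "Missing security update"),
        Finding("10.0.0.5", "SIG-3003", "Registry setting deviates from baseline"),
    ]
    by_control, unmapped = analyze_test_event(event2, enc)
    return {
        "first_pass_review": [f.signature for f in review],
        "scorecard": scorecard(BASELINE, by_control),
        "poam": poam(by_control),
        "unmapped": [f.signature for f in unmapped],
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing in the output: the rescan reports SI-2 non-compliant on the new host without any analyst involvement, because the signature was mapped once and the decision was saved, and the never-seen SIG-3003 is surfaced for review instead of being silently dropped or guessed at. That split between automatically mapped and unmapped findings is what lets analyst effort shrink with each successive test event.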
The ultimate goal is an authorization/accreditation decision and, in some cases, a certification determination prior to that decision. There are situations where another security
assessment is required before a certifier will pass the package forward to the authorization/accreditation decision maker.
The third step in the risk management process is where a decision is made to either authorize or accredit the enclave. As a web application and an enterprise solution, Knowledge Manager provides risk decision makers with enterprisewide visibility. Rather than send several documents through e-mail or review hardcopy documents such as continuity of operations or disaster recovery plans, decision makers simply log in to Knowledge Manager, view asset profiles, implementation plans, scorecards, POA&Ms, and all artifacts associated with the enclave, and then either approve or disapprove the authorization/accreditation. All these tasks are accomplished using a single tool built on top of a single enterprise database. When the decision is made, a snapshot of the package is saved as a historical document and attached to the system as an artifact.
Throughout the enterprise, from top-level accreditation/authorization decision makers to teams responsible for managing assets and mitigating vulnerabilities, Dynetics AssuredCompliance supports ongoing continuous monitoring of C&A/risk management. This visibility and manageability are made possible by AssuredCompliance's easy-to-use, consolidated data management system, which provides role-based accessibility enterprisewide via the web.
The fourth step in the risk management process is the continuous monitoring of authorized/accredited enclaves to maintain situational awareness and security posture. To accomplish this, users periodically scan the networks or individual hosts to discover new or previously unidentified weaknesses. Users can also reassess non-technical controls using Interrogator. This new IDO data can then be imported directly into Knowledge Manager or, alternatively, analyzed in Analyzer and then imported into Knowledge Manager to update the current status of the enclave. The import of validated data immediately updates the dashboard, POA&M, scorecard, security assessment report, and current authorization/accreditation package. Thereafter, each time validated data is imported into Knowledge Manager, all the same dashboards and products associated with the enclave are automatically updated to reflect the latest information on a continuous basis.
The final step in the risk management process over the lifecycle of an asset or system is decommissioning of the asset or system. When an asset or system is decommissioned, Knowledge Manager is used to permanently remove it from the backend AssuredCompliance database and all dashboard views.
Conclusion
There are a variety of approaches and supporting tools for C&A/risk management. Some are provided by commercial vendors, others by government agencies. But virtually all of them fail to approach C&A/risk management from the bottom up. That is, they fundamentally miss the reality that the process is driven by data. Available COTS and GOTS solutions approach C&A/risk management from the standpoint of only one or maybe several aspects of the process, rather than seeking to maximize the value of compliance data to automate, streamline, and expedite C&A/risk management.
Sure, the solutions may provide an artifact repository or report template, but they fail to actually automate a process whose results save time and position users to focus time and energy away from paperwork and onto risk management and real security of their assets. The Dynetics data-centric approach, on the other hand, uses compliance data as the lifeblood of the C&A/risk management process. With Dynetics AssuredCompliance architected as a system that drives and manages data logically and effectively, users enjoy the following:
- Single, authoritative source that supports the functions of all roles involved in the risk management process
- Enterprisewide view of all authorizations/accreditations being managed by organizations and risk management stakeholders
- Drill-down capability, from the agency level down to the IP address at specific locations where risks to assets/systems have been identified
- Roll-up capability from location to component level
- Role-based access to risk management information
- End-to-end support of the risk management process
- Automated input of virtually all risk management data
- Efficient, data-driven workflow in which data is touched once and then used in an automated way throughout the rest of the risk management process
- Significant reduction in time required to initiate, perform, manage, and continually monitor risk management
- Enforcement of consistency through automated mapping of vulnerabilities to security controls
For more information on the Dynetics data-centric enterprise approach to risk management and Dynetics AssuredCompliance products, please call 800-922-9261 x5020, email assuredcompliance@dynetics.com, or visit assuredcompliance.dynetcs.com.
Disclaimer: Screenshot images of Dynetics AssuredCompliance product interfaces in this document display notional data only. No actual C&A/risk management data from any source is used. Dynetics is a registered trademark and AssuredCompliance is a trademark of Dynetics. All other brands and product names are trademarks of their respective owners. Copyright 2012. Dynetics Inc., Huntsville, Alabama, USA.