NASA Risk Management for IT Security



Similar documents
IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

NASA Information Technology Requirement

How To Improve Nasa'S Security

NASA S PROCESS FOR ACQUIRING INFORMATION TECHNOLOGY SECURITY ASSESSMENT AND MONITORING TOOLS

NASA OFFICE OF INSPECTOR GENERAL

NARA s Information Security Program. OIG Audit Report No October 27, 2014

2014 Audit of the Board s Information Security Program

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

Audit of the Department of State Information Security Program

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program

NASA Information Technology Requirement

Audit Report. Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland, Oregon

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Continuous Risk Management at NASA

AUDIT OF NASA S EFFORTS TO CONTINUOUSLY MONITOR CRITICAL INFORMATION TECHNOLOGY SECURITY CONTROLS

Get Confidence in Mission Security with IV&V Information Assurance

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

Preparing for the Convergence of Risk Management & Business Continuity

Review of the SEC s Systems Certification and Accreditation Process

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

Metrics that Matter Security Risk Analytics

a GAO GAO INFORMATION SECURITY Department of Homeland Security Needs to Fully Implement Its Security Program

Office of Inspector General

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

IT Security Incident Response Protocol McGill University

CMS INFORMATION SECURITY RISK ASSESSMENT (IS RA) PROCEDURE

GOVERNMENT USE OF MOBILE TECHNOLOGY

Department of Homeland Security Office of Inspector General

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

for Information Security

Intelligence Driven Security

IT Security Handbook. Security Awareness and Training

This document is uncontrolled when printed. Before use, check the Master List to verify that this is the current version. Compliance is mandatory.

Elements of Technology Strategy:

United States Antarctic Program Information Resource Management Directive The USAP Information Security Program

Project Zeus. Risk Management Plan

Risk Management Guide for Information Technology Systems. NIST SP Overview

Transportation Security Administration Enterprise Risk Management. ERM Policy Manual. August 2014

PMI Risk Management Professional (PMI-RMP ) - Practice Standard and Certification Overview

Security Self-Assessment Guide for Information Technology Systems Marianne Swanson

Briefing Report: Improvements Needed in EPA s Information Security Program

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

Information Security for Managers

DoD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

INFORMATION SECURITY

IA Metrics Why And How To Measure Goodness Of Information Assurance

5 FAM 670 INFORMATION TECHNOLOGY (IT) PERFORMANCE MEASURES FOR PROJECT MANAGEMENT

Performing Effective Risk Assessments Dos and Don ts

GAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0

Compliance Risk Management IT Governance Assurance

IT Risk Management Era: Research Challenges and Best Practices. Eyal Adar, Founder & CEO Eyal@WhiteCyberKnight.com Chairman of the EU SRMI

NASA s Management of its Smartphones, Tablets, and Other Mobile Devices

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

PROTIVITI FLASH REPORT

Open Certification Framework. Vision Statement

Taking Information Security Risk Management Beyond Smoke & Mirrors

Final Audit Report. Report No. 4A-CI-OO

CMS INFORMATION SECURITY ASSESSMENT PROCEDURE

Office of Audits and Evaluations Report No. AUD The FDIC s Controls over Business Unit- Led Application Development Activities

VA Office of Inspector General

NIST National Institute of Standards and Technology

Guideline for Mapping Types of Information and Information Systems to Security Categorization Levels SP AP-2/03-1

2012 FISMA Executive Summary Report

PHASE 5: DESIGN PHASE

Chief Risk Officers in the Mutual Fund Industry: Who Are They and What Is Their Role Within the Organization?

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

Measuring The Value of Information Security. Maninder Bharadwaj 23 th July 2011

Transcription:

NASA Risk Management for IT Security NASA Risk Management Conference V October 26-29, 2004 Tom Siu, RS Information Systems GRC Network Security Team tjsiu@grc.nasa.gov

Objectives The Progression of NASA IT Security Risk Assessment and Risk Management Program Where we have been Changes in Federal laws Where we are headed Why CRM Characteristics of IT Security risks What you should expect from IT Security Risk Assessment

2002 OIG and GAO IT Security Findings The lack of a consistent approach to conducting, analyzing, and documenting risk assessments. The agency needs to standardize on a product or an approach to help prevent threats from being totally overlooked due to inexperience in performing assessments and analysis.

Where We Have Been NPG 2810.1 - Security of Information Technology IT Security Plans- all NASA systems, due Sep 30, 2001 NPG 8000.4 and NPG 7120.5 refer to NPG 2810.1 for IT security risk management IT Security risk assessments inconsistent across NASA Using NPG 2810 Appendix A as taxonomy questionnaire Comparing set analysis of best security practices Not updated with the pace of change in the IT world Not looking for risks, but controls not in place, regardless of environment

Why Inconsistent Risk Management? Follow the money Programs and Projects fund IT systems NASA CIO responsible for IT infrastructure 11 different visions of risk tolerance (Center specific) IT and IT security staff not familiar with formal risk management (CRM) at NASA Some management to reports rather than risk management Not a Project Management culture or focus Ideally: IT Security and Information Security Balance security with connectivity and functionality

Changes in Federal Laws Federal Information Security Management Act of 2002 (FISMA) Requires IT security practice to be based on Risk assessments Risk managed approach to manage IT infrastructure & systems Dictates compatibility with NIST guidelines for ALL Federal Agencies NIST Special Publication 800-30 - Risk Management Use of CRM is consistent with NIST SP 800-30 Can no longer use cursory risk assessments in IT security planning. Certification and Accreditation requirements increase costs and effort levels for IT security planning CAIB Report- subsystems risk correlation

Where We Are Headed The new NPR 2810.1A (DRAFT) driving toward continuous approach to risk management. Agency Wide Applications- move IT risk decisions beyond Center local risk tolerance- have Agency wide impacts IRIS ODIN Consolidated Help Desk OneNASA Portals Shifting to use CRM for IT security (at GRC) Not unanimous with IT security practitioners Deputy CIO for IT Security interested in promoting this approach Need an Agency IT Security Risk Manager CIO, Safety & Mission Assurance, Chief Engineer, Security and Program Protection: it s a big job

Why CRM? Project risks will overshadow IT security risks Using the CRM approach and language permits IT security risks to be managed by the project manager Consistency for NASA the long term goal For RM professionals For IT Security professionals Federal compatibility with NIST Adaptable to rapid change in IT arena Threats change on a daily basis

IT Security Risk Condition: a combination of -Threat source -Vulnerability Qualitative or Quantitative Consequence: Impact -Disclosure -Modification -Loss/Destruction -Interruption of service - Qualitative or Quantitative Risk = Likelihood * Severity

IT Security Risk Matrix 5 4 LIKELIHOOD 3 2 1 1 2 3 4 5 CONSEQUENCE

Properties of IT Security Risks Infrastructure risks impact multiple projects and programs Data driven attacks, SQL slammer worm example Condition-to-consequence timeframes can be on the order of 5 days or less Can have a high cost to mitigate. Can cross Centers and NASA partners Examples Hard to quantify- analysis is highly qualitative People sourced, technology impacted Projects could use multiple systems, multiple infrastructures Follow the information trail vs. technology trail

What You Should Expect From NASA IT Security Professionals NASA GRC IT Security Facilitate CRM-based risk assessments No longer ask vendors/systems administrators/project teams to do their own risk assessments. Assist you with identification of Top Risks Include infrastructure risks to your projects Provide guidance with the IT security planning processes Have a good understanding of the local threat environments of networked information systems Provide liaison with Security and Program Protection information security staff Be responsible (through NASA and Center CIOs) for IT infrastructure risks

Program Manager s Perspective schedule Decision making authority Information owner COST Technical data Mission success Political IT Security Use CRM language IDENTIFY and insert IT Security related risks in to Program s Risk Management Working security issues from the inside vs. outside Rigorous focus of IT Security Expertise Environmental Project Risk Stack

Summary NASA has a very mature risk management program in CRM CRM is consistent with Federal IT security risk management directives Common taxonomy between Project Managers and IT/IT Security Need NASA Safety and Mission Assurance, at the Agency level, to champion CRM to CIO for IT security Agency-wide IT applications are the drivers Improved management of IT security risks across the Agency

Questions

References SOLAR Risk Assessment Introduction- under Safety and Mission Assurance, Risk Management Overview CBT NPG 8705 Risk Management Procedures and Guidelines NPG 7120.5A NASA Program and Project Management Processes and Requirements Process Based Mission Assurance site- risk mgt plans: http://pbma.hq.nasa.gov/sma/sma_pm_rmp.html NPR 2810.1A Draft- currently not yet in NODIS for review

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information