Presentation on theme: "Information Security and Privacy Training for [the Agency] Information System Security Officers June 12 & 13, 2000."— Presentation transcript:
1Information Security and Privacy Training for [the Agency] Information System Security Officers June 12 & 13, 2000
2Agenda 1. Introduction to Information Systems Security 2. [the Agency’s] AIS Security Program (AISSP)3. Sensitivity and Criticality4. Risk management5. Management Controls6. Workstation Security7. Malicious Software8. Security in the System Development Life Cycle9. Technical Controls10. Operational Controls11. Network Security12. Information SharingConclusion
3Course Objectives Understand the importance of IS security Understand the importance of protecting the privacy and confidentiality of [the Agency] dataKnow/understand the security- and privacy-related Federal government-wide and organization-specific laws, regulations, policies, guidelines, and standards, and how to apply themKnow/understand your role and responsibilitiesAssist in the risk management program within your componentsBe able to identify management, technical, personnel, operational, and physical security controlsKnow the security requirements for protecting workstations and the information processed on them
4Course Objectives, Cont’d Identify/implement preventative measures for computer viruses, identify signs of an infection, identify a virus hoax, and implement virus recovery proceduresUnderstand general physical/environmental security requirementsKnow key security activities in SDLCUnderstand contingency planning process and your roleGeneral understanding of network securityIdentify and implement policies and best practices for secure Internet, remote access, FAX, and use
5Topic 1 – Introduction to Information Systems Security Learning Objectives Be able to identify the current trends affecting IS securityKnow the definition of IS securityUnderstand the importance of IS security to [the Agency]
6Current Trends Computing has become more decentralized and networked Increase in use of computers to share and distribute sensitive information and dataVast amounts of personal data are collected, stored, and processed electronicallyIncrease in the reliance on computers for daily operationsReports of computer fraud and abuse continue to riseIncrease in the complexity of technologyIncrease in use of the Internet for e-business
7Information Systems Security Information systems security is the protection of information systems against unauthorized access to or modification of information whether in storage, processing, or transit, and against denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.Source: National Security Telecommunications and Information Systems Security Committee (NSTISSC) NSTISSI No National Information Systems Security (INFOSEC) Glossary, January 1999
9Topic 2 – [the Agency’s] AIS Security Program Learning Objectives Know the government regulations regarding the security and privacy of Federal information systems, and the requirements with which [the Agency] must complyKnow the key personnel responsible for implementing the agency-wide information system security and privacy program and their responsibilitiesKnow what your responsibilities are under the [the Agency] security and privacy program
10Federal Laws, Regulations, and Policies The Computer Security Act of 1987 (PL )The Privacy Act of 1974 (PL )The Freedom of Information Act (PL 90-23)The Computer Fraud and Abuse Act of 1986 (PL )The Copyright Act of 1976 (PL )OMB Circular A-130, Appendix III, RevisedHealth Insurance Portability and Accountability Act of 1996 (PL )Presidential Decision Directive 63 – Critical Infrastructure Protection
11Computer Security Act of 1987 (PL 100-235) Identify each computer system that contains or processes sensitive informationDevelop and maintain system security plans for sensitive systemsConduct mandatory periodic computer security awareness training
12Privacy Act of 1974 (PL )Allows individuals to find out what information about them is being maintained and to request the correction of inaccurate informationMandates identification of protection requirements prior to matching individuals in multiple Federal systemsMandates physical security procedures and information management practices to protect personal informationRequires protection of all personal information about an individual
13Freedom of Information Act (PL 90-23) Ensures public access to agency records and informationThere are nine exemptions to this act:National security informationInternal personnel rules and practices of an agencyStatute requirementsTrade secretsInter-agency or intra-agency memorandumsPersonnel and medical filesInformation compiled for law enforcement purposesCommercial and financial informationGeological information data, i.e., maps.
14Computer Fraud and Abuse Act (PL 99-474) Whoever knowingly and intentionally:accesses a protected computer without authorization, to obtain protected information, commit fraud, cause damage, or obtain something of value;transmits malicious code that causes damage to a protected computer;obtains passwords or similar information through which a computer may be accessed without authorization; orextorts any money, or other thing of value, transmits in interstate or foreign commerce any communication containing a threat to cause damage to a protected computer;Shall be punished by fine and/or imprisonment.
15Copyright Act of 1976 PLThe Copyright Act gives the owner of the copyright “the exclusive rights” to “reproduce the copyrighted work” and “to distribute copies of the copyrighted work.”It also states, that “anyone who violates any of the exclusive rights of the copyright owner…is an infringer of the copyright.”
17OMB Circular A-130, Appendix III, Revised “Security of Federal Automated Information Systems” Establishes minimum set of controls to be included in Federal Automated Information SystemsAssigns Federal agency responsibilities for security
18OMB Circular A-130, Appendix III, Revised General Support SystemsAn interconnected set of information resources under the same direct management control which shares a common functionality.Major ApplicationsAn application which uses information and information technology to satisfy a specific set of user requirements, where special management attention to security is required.
19Major Application and General Support System Controls Assign responsibilityDevelop a system security planReview security controlsManagement authorization
20HIPAAEnsure the integrity and confidentiality of medical information for both public and private health care industriesProtect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized use or disclosure of health informationIndustry-wide and applies to all health care industry and medical information, public and private
21HIPAA Requirements Agreed standard content format Development and use of standard identifiersAll electronically maintained or transmitted health information must be secureAn electronic signature standard will be established
22Presidential Decision Directive 63 National center to warn of and respond to attacksCapability to protect critical infrastructuresCyber and physical infrastructure vulnerabilitiesFederal government to serve as a modelVoluntary participation from industryProtect privacy rights
23[the Agency’s] IS Security Organization CIO, and Director, Office of Information ServicesDirector, Security and Standards GroupSenior Security AdvisorSenior Information Systems Security Officer
24Security Program Elements Personnel securityAwareness & TrainingRisk ManagementSecurity in the SDLCSecurity designationsSSP and CertificationSystems AccessAcquisitions/ContractsPrivacy & confidentialityRemote AccessAudit systemsContingency PlanningNetwork & computer workstationSystem security Incident reporting/FAXMalicious software
26[the Agency’s] Beneficiary Confidentiality Board Use of beneficiary informationDisclosing beneficiary informationRelease least amount of informationCollecting least amount of information
27ISSO Responsibilities Primary point of contact for securityDisseminate security awareness informationAssist with security plans, risk assessments, and contingency plansDevelop security guidelines and proceduresEnsure compliance with copyright laws/site licensesEnsure malicious software safeguards are implementedEnsure all suspected system security intrusion incidents are reportedAssist in the System Development Life Cycle processEnsure compliance with Program requirementsEnsure adherence to national security policies
28Topic 3 - Sensitivity and Criticality Learning Objectives Know what sensitive information and operational criticality areUnderstand that there are different levels of sensitivity and operational criticalityBe able to identify the minimum security requirements for each level
29Sensitive Information “Information, the loss, misuse, or unauthorized access to or modification of, which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled to by law.”NSTISSI No. 4009
30Sensitivity LevelsLevel 1: LowLevel 2: ModerateLevel 3: High
31Critical Information Resources Information resources essential to the minimum operations of the agency.
32Criticality LevelsLevel 1: LowLevel 2: ModerateLevel 3: High
33Security Level Requirements Level 1 AIS security awareness and trainingSensitivity designationsPhysical access controlsComplete set of AIS documentation for each system
34Security Level Requirements Level 2 All requirements for Level 1Detailed risk management planSystem security planRecord retention proceduresList of authorized usersSecurity review and certification proceduresBackground investigations for employees and contractorsFire emergency planFormal, written contingency planRisk assessmentAutomated audit trailAuthorized access and control proceduresSecure physical transportation proceduresSecure telecommunicationsEmergency power program
35Security Level Requirements Level 3 All requirements for Levels 1 and 2Inventory of hardware and software
36Topic 4 – Risk Management Learning Objectives Understand the concepts of risk and risk managementBe able to assist in the risk management programs within your component, by identifying threats and vulnerabilities, and identifying appropriate safeguards in order to mitigate risk
37Potential for harm or loss RiskPotential for harm or loss
38Risk ManagementProcess of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk
39ISSO Responsibilities Assist in risk management programMaintain copies of all completed risk assessment reportsProvide Sr. ISSO with copies of all completed risk management reports
40Risk AssessmentRisk assessment is the process of identifying threats to and vulnerabilities of an information system and the potential impact the loss of information or capabilities of a system would have on the agency’s mission
41ISSO Responsibilities Assist in the identification of threats and vulnerabilitiesAssist in the identification of safeguardsProvide information to risk team, as necessary
42Threats and Vulnerabilities A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited.A threat is any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
43Deliberate or Accidental ThreatsNatural or HumanDeliberate or Accidental
44SafeguardsSafeguards are actions, devices, procedures, techniques, or other measures that reduce the vulnerability of a information system or the threats to that information system.
45Topic 5 - Management Controls Learning Objectives Be able to distinguish between policies, standards, procedures, and guidelinesUnderstand the personnel security concepts of separation of duties and least privilegeBe able to identify the security activities that need to be performed when an employee leaves [the Agency]Understand your responsibilities for security awareness and training
47Personnel Security Separation of duties Least privilege Employee exit procedures
48Separation of DutiesDividing roles and responsibilities so that a single individual cannot subvert a critical process
49Least PrivilegeThe security objective of granting users only those accesses they need to perform their official duties
50Exit Procedures for Termination Surrender of keys and badgesReturn of agency materials and equipmentRemoval of system access and authoritiesChange passwords, locks, access, and authority codes
51Unfriendly Termination Security Considerations Immediate removal of system accessLimit user’s access and activitiesLog on-line activitiesPhysical removal from the building
52Security AwarenessThe purpose of awareness presentations is simply to focus attention on security.They are intended to ensure individuals can recognize IT security and privacy concerns and respond accordingly.
53TrainingTraining focuses on providing the knowledge, skills, and abilities specific to an individual’s role and responsibilities relative to IT systems.
54EducationEducation focuses on developing the ability and vision to perform complex multi-disciplinary activities and the skills needed to further the IT security profession.
55Topic 6 – Workstation Security Learning Objectives Know the general security requirements for protecting workstations and the information processed on themBe able to identify the additional security requirements for workstations that process sensitive information and critical applicationsKnow your responsibilities in this area
56Questions Concerning Your Workstation Is valuable information stored on your workstation?Are you sure that it will be there in the morning and that it won’t be changed?Are you sure that it will not appear in the next edition of the Washington Post or Baltimore Sun?What will you do if your hard disk crashes right now or the office is gutted by fire overnight?
57ISSO Responsibilities Ensure policies are implementedEnsure all users are following these policiesDevelop local guidelines as necessary
58General Workstation Security Requirements Protect from theftDo not remove from [the Agency] premisesDo not bring in personally-owned equipmentUse only authorized software and comply with copyright lawsSecure all software when not is useUse your installed anti-virus software regularlyObserve same practices when working at home
59Physical SafeguardsPosition computer screen to preclude unauthorized viewingUse anchor pads and lockable cables, where necessary and in public areasUse CPU keylocks to prevent access during non-business hours
60Storage Safeguards Use removable media Properly store and label removable mediaEnsure access to media is on a need-to-know basisDo not store both sensitive and non-sensitive data on the same mediaEncrypt sensitive data stored on hard disksProperly remove data from mediaDo not leave workstations unattended when processing sensitive data or a critical application is resident in memory
61Requirements for Critical Applications Audit TrailsContingency Plans
62Questions Concerning Your Workstation Is valuable information stored on your workstation?Are you sure that it will be there in the morning and that it won’t be changed?Are you sure that it will not appear in the next edition of the Washington Post or Baltimore Sun?What will you do if your hard disk crashes right now or the office is gutted by fire overnight?
63Topic 7 – Malicious Software Learning Objectives Know what malicious software isIdentify and implement preventive measuresDetect a virus infectionIdentify a possible virus hoaxIdentify and implement virus recovery techniques
64Computer VirusA computer virus is unauthorized software that replicates itself and a set of instructions, sometimes called a payload.The payload causes unauthorized actions such as displaying odd messages or corrupting or destroying data or programs.
65Malicious Code Types File virus Boot sector virus Time or logic bomb Macro virusTrojan HorseWorms
66Computer Virus Detection Slower response timeBlinking drive lights (when they are empty)Unusual program messagesAbnormal workstation behaviorWarning message from anti-virus softwareUnexplained system crashesFiles missing or corruptedUnexpected sound effectsUnknown new files or directoriesSudden decrease in free space
67If Your Suspect You Have A Computer Virus: 1. Stop!!!2. Take Notes3. Call the [the Agency] Action Desk
68Computer Virus Hoax Characteristics It is a warning message about a virusIt is usually from an individual, occasionally from a company, but rarely from the cited sourceIt warns you not to read or download the supposed virusIt describes the virus as having horrific destructive powersIt has lots of words in all CAPs and loads of exclamation points
69It is a hoax, ifIt urges you to alert everyone you know, and usually tells you more than onceIt seeks credibility by citing some authoritative source as the issuer of the warningIt seeks creditability by describing the virus in misleading technical jargonJoseph Wells, How to Spot a Virus Hoax, antivirus online (January 1997)
70Computer Virus Recovery Planning Back-up! Back-up! Back-up!Maintain virus-free backup copies of all software installed on your computerMake regular and systematic back-ups of all important data stored on your computerKeep hard copies of critical data
71ISSO Responsibilities Prepare suspected system security incident reportCoordinate suspected security incident reports within component or regionIdentify trends or spreading viruses
72Topic 8 – Security in the SDLC Learning Objectives Identify the security activities that are or should be included at each phase of the systems development life cycleUnderstand the System Security Plan Certification/Accreditation ProgramKnow your responsibilities in these processes
73ISSO Responsibilities Assisting Application System Managers in:Selecting and implementing appropriate administrative, physical, and technical safeguardsDetermining the sensitivity level of the application systemDefining and approving security specificationsConducting design reviews of security featuresTesting security features
74Life Cycle Phases Predevelopment 2. Development 3. Post Development Definition of the need to acquire a system, software product, or software service2. DevelopmentActivities and tasks of the developer3. Post DevelopmentSystem is accepted and operations and maintenance processes begin
76Phase 2: Development Requirements Design Programming, Coding, and TestingSoftware Acceptance Support
77Requirements Security Activities Initiation of system security planIdentify responsibilitiesDefine detailed functional and security requirementsIdentify job functions and interfacesIdentify sensitive data objects and operationsIdentify requirements for the operating environmentIdentify administrative controlsValidate security requirements
78Design Security Activities Design security controlsPerform design reviewDevelop test planTest security features
79Programming, Coding, and Testing Security Activities Develop security-related code/databasesInclude information on security features in documentationPerform peer reviewPerform unit and integration testing
80Software Acceptance Support Security Activities Include security features in user manualInclude security awareness in trainingDevelop security test dataEvaluate access and security controlsTest backup, contingency and disaster recovery plansConduct certification and accreditation
81Phase 3: Post Development Installation and Operations Security Activities Provide complete documentationConduct post-implementation review and recertification/reaccreditationConduct periodic risk assessmentsConduct periodic security trainingEnforce strict change-control proceduresRegularly test contingency plansMaintain security documentationMonitor application/system securityReview audit reports/logs
82Disposal Security Activities Move, archive, discard, or destroy informationSanitize storage mediaDetermine disposition of hardware and software
83System Security Plan Certification/Accreditation Program Sensitivity Level DesignationsSystem Security PlansReviews and TestsCertification/Accreditation and Recertifications/Reaccreditations
84ISSO Responsibilities Provide technical security supportEnsure systems have adequate security documentationIdentifying and nominating systems for inclusion in the [the Agency] SSP Certification/Accreditation Program
85System Security PlanProvides an overview of the security requirements of the systemDescribes the controls in place for meeting those requirementsDelineates responsibilities and expected behavior of all individuals who access the system
86Reviews and Tests Internal Procedural and Technical Reviews or IV&V’s Systems Security Life Cycle Process
87Certification and Recertification Prior to implementationAt least every 3 years for major applications, or annually for general support systemsWhen there are significant changes to the system
88AccreditationAccreditation is the formal process by which the [the Agency] CIO verifies that a system has achieved a satisfactory level of operational security and signs a formal accreditation statement authorizing the system to process.
89Topic 9 – Technical Controls Learning Objectives Know what identification and authentication controls areKnow good password management practicesUnderstand what access controls areKnow what audit trails are and their appropriate use at [the Agency]
90Identification Must be unique Must correlate actions to users Must be maintained
91Authentication Something known by the individual Something possessed by the individualSomething about the individual
92A Strong Password Has non-alphabetic characters Is at least 6 characters longIs changed every 60 daysIs not a dictionary wordIs NEVER shared
93Password Management Allowable character set Minimum/maximum length Password agingNumber of generations of expired passwordsProcedures for password changes, handling lost passwords, and password compromise
94Access ControlsThe means whereby it is determined who will have what access to which objects and resources
95ISSO Responsibilities Use audit trails in accordance with [the Agency] policiesRequest audit trail access for members of your staff who need to use this dataRecommending changes to audit trails based on your knowledge of system vulnerabilities, instances of system abuse, and audit records within your area of responsibility
96Audit Trails Individual accountability Reconstruction of events Intrusion detectionProblem identification
97Audit Trails Type of event When the event occurred User-Id associated with the eventProgram or command used to initiate the eventWhere the event occurred
98Proper UsesObtain information on a suspect claim, applicant, or actionTo support a regional office integrity review functionTrack a profile for suspicious types of actions
99Other Things to Consider Ensure audit trails are protectedEnsure audit trails are reviewedEnsure separation of duties between security personnel who administer the access control function and those who administer the audit trail
100Topic 10 – Operational Controls Learning Objectives Be able to identify physical and environmental controlsKnow [the Agency’s] security incident handling and reporting proceduresUnderstand the contingency planning process and your involvement
101Physical SecurityThose measures or tangible defenses that you can take to protect your facility, equipment, and information from theft, tampering, careless misuse, and natural disasters.
102Audit and Variance Detection Reviewing and monitoring to ensure that system controls are adequate, and to detect anomalies.
103Categories of Security Incidents Physical crimesIllegal access/disclosureMisuse of Government propertySystems security incidentSecurity violation
104Incident Handling and Notification Determine if an incident has occurredContain the incident and avoid any further incidents or damageCall the Action Desk to notify the Sr. ISSOMaintain and restore data and serviceDetermine what happened and howIdentify the perpetrators and take appropriate action
105ISSO Responsibilities Identify the incidentReceive or complete a Systems Security Incident ReportReport the incident to the Sr. ISSOEnsure incident is investigatedAssist in the investigation as necessary
106Contingency planning Contingency Plans The process for assuring, in advance, that any reasonable and foreseeable disruptions will have a minimal effectContingency PlansCurrent documented guidance for actions to be taken after a disruption occurs
107Back-Ups Criticality and sensitivity Frequency of updates Frequency of accessDegree of reliance of other functionsTime-sensitivityDifficulty in re-creating the information
108Good Back-Up Practices Ensure that back-up media are labeled properlyEnsure that back-up procedures are documented and followedKeep back-ups off-site and on-site in a locked, fireproof, waterproof containerEnsure that back-ups are periodically verified
109ISSO Responsibilities Assist in contingency planning process, as necessary
110Test and revise the plan Typical PartsPreliminary planningPreparatory actionsAction planTest and revise the plan
111Topic 11 – Network Security Learning Objectives Be familiar with some common network terminologyHave a basic understanding of secure communications and remote access securityKnow good and fax security practicesUnderstand securing [the Agency’s] network from the Internet
112Common Terminology Network LAN, MAN, WAN Internet Extranet Intranet VPN
117Threats People Eavesdropping Spoofing Vandalism or mischief Hijacked connectionsTheft of computing or communication servicesDenial of service
118Firewalls Prevent access to internal network from external sources Control connections between internal and external hostsHide information about the internal networkDefend against attacksProvide for centralized network security administrationProvide for centralized network logging and incident detection
119Modem Use Dramatically increases the risk to [the Agency’s] systems Circumvents security controlsMust be authorizedNetwork is audited / monitored for modem use
120Remote Access Policies Protect [the Agency] information from unauthorized accessClear workstation of sensitive information prior to use for non-[the Agency] purposesUse anti-virus softwareDisable all connections to non-[the Agency] networks when connected to the [the Agency] network
121ISSO Responsibilities Ensure [the Agency] and FAX policies are implementedDevelop local guidelines, as necessary
122E-Mail and Fax Policy For official and authorized use only Messages are Government propertyInformation is subject to statutes, regulations, and policiesProtect copyright informationPrivileged users are expressly prohibited from reading the electronic messages of othersAbuse and/or misuse can lead to disciplinary action
123E-Mail and Fax Security Practices Immediately forward misdirected messagesExit software when not in use. If is left open, have screensaver password activeDo not leave Fax machines unattended during transmissionEnsure that documents are transmitted to intended person(s)Protect your passwordNever send sensitive information via unless it is protectedDo not send executable files via
124EncryptionTransforms intelligible data, called plaintext, into an unintelligible form, called ciphertext.This process is reversed through the process of decryption.
125Types of Encryption Systems Private or Secret KeyPublic Key
126Encryption Features Data confidentiality Data integrity Authentication of message originatorAuthentication of system userElectronic certification and digital signatureNonrepudiation
127Topic 12 – Information Sharing Learning Objectives Understand the security and privacy requirements when inter/intra-agency agreement is usedUnderstand the requirements for data use agreements
128Inter/intra-agency Agreements Data Use Agreements
129Course Objectives Understand the importance of IS security Understand the importance of protecting the privacy and confidentiality of [the Agency] dataKnow/understand the security- and privacy-related Federal government-wide and organization-specific laws, regulations, policies, guidelines, and standards, and how to apply themKnow/understand your role and responsibilitiesAssist in the risk management program within your componentsBe able to identify management, technical, personnel, operational, and physical security controlsKnow the security requirements for protecting workstations and the information processed on them
130Course Objectives, Cont’d Identify/implement preventative measures for computer viruses, identify signs of an infection, identify a virus hoax, and implement virus recovery proceduresUnderstand general physical/environmental security requirementsKnow key security activities in SDLCUnderstand contingency planning process and your roleGeneral understanding of network securityIdentify and implement policies and best practices for secure Internet, remote access, FAX, and use