Presentation is loading. Please wait.

Presentation is loading. Please wait.

METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.

Similar presentations


Presentation on theme: "METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE."— Presentation transcript:

1 METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE

2 Purpose Provide an overview of the a DLA Information Assurance initiative entitled Metrics and Controls for Defense in Depth (McDiD) Illustrate how McDiD applies the Federal Information Technology Security Assessment Framework within the DoD Information Technology Security Certification and Accreditation Process (DITSCAP)

3 McDiD Impetus Department of Defense Mandate DoD Instruction , Security Requirements for Automated Information Security Systems (AIS), 21 March 1988, mandates the accreditation of all AIS to include stand-alone personal computers, connected systems and networks. DoD Instruction , DoD Information Technology Security Certification and Accreditation Process (DITSCAP), 1 November 1999, established a four-phase process, required activities and general certification and accreditation criteria. DoD Chief Information Officer Guidance and Policy Memorandum No , DoD Global Information Grid (GIG) Information Assurance (IA), June 16, 2000,directed that DoD develop an enterprise-wide IA architectural overlay to implement a strategy of layered defense (defense-in- depth). Chairman of the Joint Chiefs of Staff Instruction , Information Assurance Metrics, 15 March 2000, establishes reporting requirements for the Chairman’s Joint Monthly Readiness Reports. Need for Improved Security Internetworking is increasing the business/mission impact of disruption. Vulnerability is increasing due to the ease of access to cyber weapons and capabilities. Agency security assessment program has revealed systemic security issues.

4 McDiD Objectives Leverage an existing mandatory program, DITSCAP, as the “container” and delivery mechanism for all information assurance requirements and initiatives Shift certification and accreditation focus and resources from documentation & reporting to active security management Improve quality and consistency of certification and accreditation efforts Create an integrated enterprise management view to: Support information assurance oversight Ensure protection across accreditation boundaries Distinguish enterprise versus local roles and responsibilities Make policy and technical information easily accessible to DLA security professionals Facilitate and enable information/best practices exchange and collaboration within the DLA security community Structure information so as to: Satisfy multiple information assurance reporting requirements Maximize information reuse among related programs and disciplines, e.g., Architecture, Program and Budget, Asset Management, Configuration Management, Continuity Planning Provide for continuous Information Assurance process improvement

5 Tested and Reviewed Procedures & Controls Documented Procedures & Controls Fully Integrated Procedures and Controls Documented Policy Implemented Procedures & Controls Federal Information Technology Security Assessment Framework LEVELS

6 DoD Information Technology Security Certification and Accreditation Process Phase 3: Validation Compliance with controls is independently tested Authority to Operated is granted Phase 4: Post Accreditation SSAA is updated to reflect changes in IT baseline Security assessment is updated quarterly Compliance with controls is periodically independently tested Phase 1: Definition SSAA is drafted Security requirements are identified SSAA is negotiated and approved Phase 2: Verification Security Procedures and Controls are implemented Phase 0 [Implicit] Department and Agency policies are established C&A process is established

7 Certification & Accreditation Roles & Responsibilities

8 Security Controls - Translate General Requirements into Actionable and Testable Objective Security Conditions Control NumberControl NameControl Description Metrics

9 Master list of IA Controls Number Name Desc National & DoD Policy DLA Policy DLA Program Review Findings Vulnerability Assessments IG/GAO/Other Audit Findings Agency System / Network Connection Agreements Commercial Best Practices Local Security Policy Local System / Network Connection Agreements Local Configuration Mgmt Practices Information Category (Sensitivity and Classification) DLA Wide System Specific Legend DAA Specified Requirements Controls are Derived from Many Sources

10 A COTS Requirements Management System Maintains Controls Traceablity Provides “provenance” or traceability to authority for or origin of each control Ensures all policy mandates are addressed Supports Agency level policy assessment and formulation Enables continuous improvement of controls

11 A COTS Free Form Database Provides a Repository for IA Reference Material Enables research and analysis with Lexus-Nexus like functionality Makes IA reference material widely available via web

12 1. Centralized authorship and promulgation of the enterprise portions 2. Narrative translated into “fill in the blank” Threat Assessment Security Requirements (Controls) Security CONOPS Test & Evaluation Procedures Risk Assessment 3. Centralized development and promulagation of standard templates for Authors, Testers, & Reviewers 4. Centralized adminstration of a a web- based COTS Configuration Management system for SSAA document management and workflow Standard Tools and Methods Improve the Quality and Consistency of Certification and Accreditation Process System Security Authorization Agreement Better, Cheaper, Faster

13 Master list of IA Controls Number Name Desc McDiD is Administered Through a Comprehensive IA Knowledge-Base (CIAK) Navigation Aid for “Drill Down” to Supporting Engineering Guides and Contract Clauses Navigation Aid to “Trace Back” to Policy & Requirements Each Control is Supported by Metrics McDiD Implementation Schedules Drive C&A and Budget CIAK Feeds Defense Operational Readiness Reporting System Controls Provide an “Index” for the IA Knowledge-Base

14 Conclusion The McDiD Information Assurance initiative, while still early in its implementation, has: –Reduced SSAA preparation costs & time by an order of magnitude –Improved quality Standard controls & metrics Standard scope & level of effort Infused learning & common understanding –Identified additional opportunities for collaboration and process improvement


Download ppt "METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE."

Similar presentations


Ads by Google