Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.

Similar presentations

Presentation on theme: "Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813."— Presentation transcript:

1 Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813

2  Introduction  Legislative and Regulatory Environment Overview  Security and Capital Planning Integration Roles & Responsibilities  Integration of Security Into The CPIC Process  Implementation Issues  Summary 4/18/2008Thelma Ameyaw TEL2813

3  Background Federal Information Security Management Act(FISMA)-2002 FISMA, Clinger Cohen Act, other associated guidance and regulations, and the Office of Management and Budget (OMB) Circulars A-11 and A-130, charge agencies with integrating IT security and the capital planning and Investment Control (CPIC)process  Purpose & Scope Assist federal agencies in integrating IT Security into CPIC processes by providing a systematic approach to selecting, managing, and evaluating IT security investments. 4/18/2008Thelma Ameyaw TEL2813

4 The implementation of IT security and capital planning practices within the federal government is driven by a combination of legislation, rules, and regulations, and agency-specific policies. To be funded, IT investments must demonstrate compliance with all applicable requirements specified in the guidance  Reporting Requirements  FISMA  Charges OBM and NIST to develop security standards and identify tolerable security risk levels  Makes NIST standards compulsory for all agencies - (no waivers)  Charges agencies to integrate IT security into capital planning 4/18/2008Thelma Ameyaw TEL2813

5 FISMA provides overarching requirements for securing federal resources and ensuring that security is incorporated into all phases of the investment lifecycle. 4/18/2008Thelma Ameyaw TEL2813

6 4/18/2008Thelma Ameyaw TEL2813

7  Select-Control-Evaluate Investment Life Cycle: In concert with OMB capital planning and NIST security requirements agencies are required to adhere to the GAO best practices- the 3 phased investment life cycle model for federal IT investments Select : Assessing and prioritizing Control : Monitor investment Evaluate : Efficacy of Investment  Earned Value Management (EMV) EVM is a systematic integration and measurement of cost, schedule, and accomplishments of an investment that enables agencies to evaluate investment performance during Development, Modernization, and/or Enhancement (D/M/E). The EVM enables: Project managers(PM) estimation of time and cost PM to determine what work has been accomplished to date for the funds expanded and how long it will take the investment to reach maturity. 4/18/2008Thelma Ameyaw TEL2813

8  IT Investment Management(ITIM): The GAO maturity framework can be used to determine the current status of an agency’s ITIM capabilities including recommendations.  Plan of Action and Milestones(POA&M): ◦ Through the ILC the POA&M is used to identify security weaknesses and track mitigation efforts of agency IT investments until the weakness has been successfully mitigated.  Risks:  Security Risk  Investment Risk 4/18/2008Thelma Ameyaw TEL2813

9  Integrating IT security into the CP process requires input and collaboration across agencies and functions.  Many different stakeholders from IT security, CP and executive leadership areas play roles and make decisions and ultimately forming a well balanced IT portfolio. Head of Agency Senior Agency Officials Chief information Officer Senior Agency Information Security Officer Chief Financial Officer Investment Review Project Mana ger 4/18/2008Thelma Ameyaw TEL2813

10 NIST recommends a seven-step framework for the process Enterprise-level investments System-level investments  The framework provides a systematic approach to selecting, managing, and evaluating IT security investments. The methodology relies on existing data inputs so it can be readily implemented at federal agencies.  Enterprise-Level Information Stakeholder rankings of enterprise-wide initiatives, Enterprise-wide initiative IT security status, Cost of implementing remaining appropriate security controls for enterprise-wide initiatives  System-Level Information System categorization, Security compliance, Corrective action cost 4/18/2008Thelma Ameyaw TEL2813

11 Integrating IT Security Into the CPIC Process 4/18/2008Thelma Ameyaw TEL2813

12  Identify the Baseline: Using IT security metrics to determine where security weaknesses exist.  Identify Prioritization Requirements: Corrective actions to mitigate vulnerabilities must be evaluated against the security requirements. Requirements can be CIO- articulated security priorities, enterprise-wide initiatives, or NIST SP 800-26 topic areas.  Conduct Enterprise-Level Prioritization: prioritize potential enterprise-level IT security investments against mission and financial impact of implementing appropriate security controls. 4/18/2008Thelma Ameyaw TEL2813

13  Conduct System-Level Prioritization: prioritize potential system-level corrective actions against system category and corrective action impact. Joint Prioritization The final step in the prioritization process is to combine the enterprise- and system-level prioritizations into one prioritization framework to create a security investment strategy for the agency. 4/18/2008Thelma Ameyaw TEL2813

14  Develop Supporting Materials: Enterprise-level investments: Develop concept paper, business case analysis, and Exhibit 300. System-level investments: Adjust Exhibit 300 to request additional funding to mitigate prioritized weaknesses. Concept Paper: It is developed by the investment owner and submitted to the IRB for review. It contains a high level description of the proposed investment and includes rough order of magnitude, costing estimates, benefits, milestones, and agency impacts The Exhibit 300 : is the capture mechanism for all of the analyses and activities required for full internal (IRB, OCIO) review. is the document that OMB uses to assess investments and ultimately make funding decisions. 4/18/2008Thelma Ameyaw TEL2813

15  Implement Investment Review Board (IRB) and Portfolio Management: Prioritize agency-wide business cases against requirements and CIO priorities and determine investment portfolio.  Submit Exhibit 300s, Exhibit 53, and Conduct Program Management: Ensure approved 300s become part of the agency’s Exhibit 53 Ensure investments are managed through their life cycle (using EVM for D /M /E investments and operational assessments for steady state investments) and through the GAO’s ITIM maturity framework. 4/18/2008Thelma Ameyaw TEL2813

16 The agency must implement and monitor these investments. IT security decisions are made based on system security issues and federal budgeting timelines. IT Security Organizational Processes Project Management Legacy Systems Time lines 4/18/2008Thelma Ameyaw TEL2813

17 Traditionally, information technology (IT) security and capital planning and investment control (CPIC) processes have been performed independently by security and capital planning practitioners. However, the Federal Information Security Management Act (FISMA) of 2002 and other existing federal regulations charge agencies with integrating the two activities. NIST recommends a seven-step framework for the process  Enterprise-level investments  System-level investments 4/18/2008Thelma Ameyaw TEL2813

18 4/18/2008Thelma Ameyaw TEL2813

19 4/18/2008Thelma Ameyaw TEL2813

20 4/18/2008Thelma Ameyaw TEL2813

Download ppt "Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813."

Similar presentations

Ads by Google