Presentation is loading. Please wait.

Presentation is loading. Please wait.

NCI-CBIIT Security in the System/Services Development Life Cycle Presenter: Braulio J. Cabral CBIIT Enterprise Security Coordinator.

Published byMeagan McCarthy Modified over 8 years ago

Similar presentations

Presentation on theme: "NCI-CBIIT Security in the System/Services Development Life Cycle Presenter: Braulio J. Cabral CBIIT Enterprise Security Coordinator."— Presentation transcript:

1 NCI-CBIIT Security in the System/Services Development Life Cycle Presenter: Braulio J. Cabral CBIIT Enterprise Security Coordinator

2 The Path to Security and Compliance Security and Compliance through the SDLC Software Security Requirements ECCF Validating Security (Certification and Accreditation) Roles and Responsibilities Current caBIG Security Infrastructure Future Security as Service Content

3 The Path to a Secure/Compliant System

4 Security Requirements Software security requirements Leverage certification tools for security requirements gathering. Prepare for FISMA certification through the SDLC phases. Let’s get the security requirements. Application security requirements (ECCF templates, security conformance statements, security assertions (QA) PIA, E-Auth. Assessment, System Categorization (C&A process) System Security Plan

5 CIM (CFSS) Conformance Example Conformance No. AE-CP2 Security Pre-Conditions [M] Access control mechanism needs to be in place to ensure that the user is logged in and has valid privileges of a Study Administrator to initiate an Adverse Event

6 Compliance & Conformance Statements NameTypeViewpointDescriptionTest Method Secured AccessObligationEngineeringThe AE service should 1. Design review have access control 2. Security test case mechanism in place to restricts access to sensitive data

7 Platform Independent Model (PIM) and Service Specification Operation Behavior Description Security Conditions Describe in detail the security constraints which the user needs to fulfill in order to successful execute this operation. Provide the following details List all the Group / Role / Attribute which the user need to have in order to execute the operation List any specific access control which the user needs to have on the particular instance of the input parameter in order to gain access (Eg. User needs to be a study co-ordinator for the Study id passed) Any additional security requirements (eg. Authentication Required or Anonymous call allowed for the operation )

8 PIM Conformance Statements Security Conformance Statements Security as conformance statements Security as mandatory constrains or pre- conditions Security as a full conformance profile Deployment considerations Jurisdictional Domains

9 Platform Specific Model and Service Specification (PSM) Security Standards and Technology Assumptions and Dependencies for Security Operations Details Security Controls Implementation Considerations Access Control Application (service) Security (Access Policy) Cryptography

10 Platform Specific Model and Service Specification (PSM) Information Security and Risk Management Legal, Regulations, Compliance and Investigations Telecommunications and Network Security Auditing Privacy

11 Conformance Assertions Quality Control Test Cases

12 Validating Security FISMA Certification Process PIA e-Authentication assessment System Categorization Appscan Request C&A through security team (ISSO: Bruce Woodcock, Blaise Czkalski, coordinator Braulio J. Cabral Security Plan, Contingency plan, etc.

13 Security roles & responsibilities Who does what? System Owner: PIA, E-Authentication Assessment, System Categorization, system diagram, request appscan, etc. ISSO: C&A process, appscan CIO: Authorization letter NCI Privacy Office (PIA) POC: Suzanne Millard (suzanne.millard@nih.gov)

14 Current caBIG Security Infrastructure The Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)

15

16 Authentication Dorian Authentication Service (SAML and Grid Certificate) CSM Authentication (user name/password) CSM authentication with NCI-LDAP Single Sign on (SSO)

17 Authorization CSM Authorization (Application Level) (moving towards Service Level) CSM Authorization (Service Level) GRID Grouper Authorization Combined CSM/GRID Grouper

18 Authorization Service Level with CSM Example (CCTS Suite) C3PR CS M API CS M API caAERS CS M API CS M API PSC CSM API CS M API Lab Viewer C3D Connecto r CS M API CS M API

19 Future Security As Services Infrastructure

20 Useful Links Enterprise Security Program : https://wiki.nci.nih.gov/pages/viewpage.action? pageId=24276546 System Categorization form (FIPS-199) - http://ocio.nih.gov/nihsecurity/InventoryandCate gorization/NIH_System_Categorization_form.d oc http://ocio.nih.gov/nihsecurity/InventoryandCate gorization/NIH_System_Categorization_form.d oc Authentication Risk Assessment Report - http://ocio.nih.gov/nihsecurity/HHS_E- Authentication_Report_Template.doc http://ocio.nih.gov/nihsecurity/HHS_E- Authentication_Report_Template.doc

21 Useful Links System Security Plan - http://ocio.nih.gov/nihsecurity/FIPS-200-SSP- Basic-Outline.doc http://ocio.nih.gov/nihsecurity/FIPS-200-SSP- Basic-Outline.doc Contingency plan (if available, part of the system security plan) - http://ocio.nih.gov/nihsecurity/NIH-CP- Template.doc http://ocio.nih.gov/nihsecurity/NIH-CP- Template.doc ECCF Templates: http://gforge.nci.nih.gov/svnroot/candc/trunk/docu ments/artifact_templates/

Download ppt "NCI-CBIIT Security in the System/Services Development Life Cycle Presenter: Braulio J. Cabral CBIIT Enterprise Security Coordinator."

Similar presentations

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Enterprise Performance Life Cycle (EPLC) Stage Gate Reviews

Enterprise Performance Life Cycle (EPLC) Stage Gate Reviews
NRL Security Architecture: A Web Services-Based Solution

NRL Security Architecture: A Web Services-Based Solution
Requirements Specification and Management

Requirements Specification and Management
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
Looking ahead: caGrid community requirements in the context of caGrid 2.0 Lawrence Brem 7 February 2011.

Looking ahead: caGrid community requirements in the context of caGrid 2.0 Lawrence Brem 7 February 2011.
Security and Personnel

Security and Personnel
NCI Enterprise Security Program

NCI Enterprise Security Program
Access Control Methodologies

Access Control Methodologies
Risk-Based Policy & Implementation Guidance Risk-Based Policy & Implementation Guidance Program Management Plan Program Management Plan Subordinate System.

Risk-Based Policy & Implementation Guidance Risk-Based Policy & Implementation Guidance Program Management Plan Program Management Plan Subordinate System.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Roles and Responsibilities Jahangheer Shaik. Service Specification Specification requires development of three inter-related documents CIM, PIM and PSM.

Roles and Responsibilities Jahangheer Shaik. Service Specification Specification requires development of three inter-related documents CIM, PIM and PSM.
11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION Chapter 10.

11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION Chapter 10.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Similar presentations

Ads by Google