
Corporate Headquarters: 1010 Wayne Avenue, Suite 1150 Silver Spring, Maryland 20910 301.565.2988 Telephone 301.565.2995 Facsimile www.e-mcinc.com Satellite.


1 Corporate Headquarters: 1010 Wayne Avenue, Suite 1150, Silver Spring, Maryland 20910. 301.565.2988 Telephone, 301.565.2995 Facsimile, www.e-mcinc.com
Satellite Offices: 80 M Street, S.E., Suite 715, Washington, DC 20003; 13800 Coppermine Road, Suite 221, Herndon, Virginia 20171
e-Management - Proprietary Information
SBA certified 8(a) woman-owned, minority-owned small business
Navigating the Maze of Shifting Cyber Security Policies
An e-Management Webinar
Presenter: Rick Randall, PMP, ITILF v3, CISSP
Feb. 25, 2009
Call-in #: 1.866.740.1260 Access code: 3214011

2 Agenda
- Understanding the Maze – Cyber Security Policy Background
- Changes Underway and Changes Predicted
- Navigating the Maze in Your Organization
- Recap

3 The FISMA Law
- FISMA – The Federal Information Security Management Act of 2002* – makes the head of each federal agency responsible for: § 3544 (a) (2) (C) “implementing policies and procedures to cost effectively reduce risks to an acceptable level”
* FISMA is published in Title III of the e-Government Act, Public Law 107-347
The Maze – Cyber security policy background

4 Other Applicable Federal Laws
- Other public laws (P.L.) affecting cyber security policy implementation in federal agencies include:
  – P.L. 97-255: Federal Manager’s Financial Integrity Act of 1982 (FMFIA)
  – P.L. 104-106: Clinger-Cohen Act
  – P.L. 104-191: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  – P.L. 104-208: Federal Financial Management Improvement Act of 1996 (FFMIA)
  – Agency-specific legislation requiring protection of data

5 Office of Management and Budget (OMB) Circulars and Memoranda
- The OMB is empowered by the Clinger-Cohen and FISMA laws to define government-wide directives for cyber security. These include, for example:
  – OMB Circular A-130 Appendix III: Long-standing policy defining agency security responsibilities
  – OMB Memoranda 07-11 and 08-22: Federal Desktop Core Configuration (FDCC)
  – OMB Memoranda 06-16, 07-16, and 08-21: Requirements related to Personally Identifiable Information (PII) protection
  – OMB Memoranda 08-05 and 08-27: Trusted Internet Connections (TIC)

6 Policy Hierarchy

7 Policies are a Subset of Requirements

8 Policies Versus Suggestions
Good Policies use compulsory language, such as:
  – Shall
  – Required
  – Directed to
  – Mandatory
  – Compliant with
  – Conform to
  – Annually / Quarterly
Weak or Ineffective Policies use discretionary language, such as:
  – Should
  – When possible
  – Advised to
  – Recommended
  – Observing best practices
  – As needed
  – Regularly
Suggestions do not belong in POLICY documents.
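As an added example (not from the webinar or its presenter), a small Python check built on the term lists of this slide: it scans each policy statement for the discretionary terms listed here and flags statements that contain no compulsory term at all. The sample policy text is constructed for illustration.

```python
import re

# Term lists from slide 8: compulsory language that belongs in policy,
# discretionary language that marks a suggestion rather than a requirement.
COMPULSORY = ["shall", "required", "directed to", "mandatory",
              "compliant with", "conform to", "annually", "quarterly"]
DISCRETIONARY = ["should", "when possible", "advised to", "recommended",
                 "observing best practices", "as needed", "regularly"]


def _pattern(terms):
    # Whole-word, case-insensitive match of any term or phrase in the list.
    return re.compile(r"\b(" + "|".join(re.escape(t) for t in terms) + r")\b", re.I)


_COMP = _pattern(COMPULSORY)
_DISC = _pattern(DISCRETIONARY)


def lint_policy(text):
    """Return (line_no, kind, term, statement) findings for a policy text.

    kind is 'discretionary' for each suggestion term found in a statement, or
    'no-compulsory-term' when a statement carries neither kind of language.
    Blank lines and heading lines ending in ':' are skipped.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stmt = line.strip()
        if not stmt or stmt.endswith(":"):
            continue
        disc = [m.group(1).lower() for m in _DISC.finditer(stmt)]
        comp = [m.group(1).lower() for m in _COMP.finditer(stmt)]
        for term in disc:
            findings.append((no, "discretionary", term, stmt))
        if not comp and not disc:
            findings.append((no, "no-compulsory-term", "", stmt))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'discretionary': 4, 'no-compulsory-term': 1}."""
    counts = {}
    for _, kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample policy statements (not from any real agency document).
SAMPLE_POLICY = """\
1. System owners shall review FIPS 199 categorizations annually.
2. Administrators should apply security patches when possible.
3. Contractors are advised to follow agency configuration baselines.
4. All workstations must be compliant with the FDCC baseline.
5. Audit logs are reviewed regularly by the security team.
6. Incident reports are submitted to the CISO.
"""
```

Running `lint_policy(SAMPLE_POLICY)` flags statements 2, 3 and 5 for discretionary wording and statement 6 for stating no requirement at all, while statements 1 and 4 pass.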

9 Changes Currently Underway – Overview
- First, which change trends are likely not changing soon?
- NIST’s Risk Management Framework (RMF)
- Changes to NIST’s Security Controls Special Publication, SP 800-53
- Changes in NIST’s Certification and Accreditation (C&A) guidance
- The future of FISMA?
Cyber security changes underway and changes predicted

10 Change trends which are likely to continue
- Increasing emphasis by OMB and NIST on secure configurations
  – Federal Desktop Core Configuration (FDCC): likely not going away
  – Expect to see server platforms addressed in the future
- Increasing emphasis on the automation of testing
  – We currently see this for FDCC compliance
  – Policy mandates may expand into other types of security testing
  – Expect future mandates on agencies to utilize NIST SP 800-53A for Security Test and Evaluation (ST&E)

11 NIST’s Risk Management Framework (1)
- Defined in draft NIST Special Publication (SP) 800-39
- Integrates several NIST publications into a coherent risk-based structure
- Describes a risk executive function having an organization-wide risk perspective

12 NIST’s Risk Management Framework (2)
Plusses / Benefits
- Provides clarity for the FISMA mandate to “reduce risks to an acceptable level”
- Explains security management in the context of a life cycle
- Integrates the concepts of several existing publications
Pitfalls / Yellow Flags
- The Risk Management Framework (RMF) is not a policy – policies will have to be modified to require use of the RMF
- The RMF by itself does not ease the paperwork burden of the underlying component publications (NIST SPs 800-60, 800-53, etc.)

13 Easing the Paperwork Burden through Risk Management Automation
- Consider NIST SP 800-60:
  – 357 pages of material spanning two volumes
  – Improper security categorization is a frequently cited finding of Inspector General (IG) reports
  – Automation of 800-60 analysis reduces errors and saves hours of time
Automation of NIST SP 800-60 analysis

14 NIST SP 800-53 Changes
- Initial Public Draft of NIST SP 800-53 Revision 3 was posted on February 5, 2009. Proposed changes in this draft include:
  – Eight (8) new System and Communications Protection (SC) controls
  – Fifteen (15) new security controls overall
  – Sixteen (16) security controls withdrawn
  – Total controls: 101 for low impact, 151 for moderate, and 162 for high impact systems
Too much to track manually in MS-Word documents!

15 Changes to NIST C&A Guidance
- NIST has also posted draft Revision 1 to SP 800-37 on its web site. The proposed changes include:
  – Renaming “C&A” to the “Security Authorization Process”
  – Linking directly to the Risk Management Framework of SP 800-39, and addressing the entire life cycle of systems
  – Modifying roles, such as renaming the Certification Agent role to Security Control Assessor, renaming the DAA role to Authorizing Official, and introducing the risk executive function
  – Providing more specificity on required activities in the process
  – Now totaling thirty-three (33) “tasks”

16 Additional Changes Predicted
- Possible new presidential directive topics
  – Revisions to Homeland Security Presidential Directive 7 (HSPD-7) regarding critical infrastructure responsibilities
- Possible new OMB Memoranda topics from the Obama administration
  – Strengthening of acquisition rules for outsourced IT functions
  – Specific direction regarding supervisory control and data acquisition (SCADA) systems
  – Network security testing and network hardening for Trusted Internet Connections (TIC)

17 The Future of FISMA?
- At some point, the Congress will likely amend or modify the FISMA law
  – Has the current FISMA law been helpful since 2002?
    - Accountability has improved
    - Some improvements have occurred in the identification/inventory of systems
  – How might the FISMA law change?
    - Possibly a greater emphasis on testing
    - Possibly more prescriptive responsibilities for agencies
    - (Less likely) private sector requirements

18 Navigating the Maze in Your Organization (1)
- Recall the policy hierarchy. What can you do to navigate policy changes in your immediate organization?
  – Ensure first that you have clarity about roles and responsibilities:
    - Who implements C&A/security authorization services?
    - Who implements technical solutions? Who monitors them?
    - Who decides on policy waivers or exceptions?
  – Remove ambiguities wherever you can:
    - Define specific frequencies of when things must be done
    - Invoke specific standards in your policies – don’t reinvent the wheel in policy documents
    - Provide a realistic waiver/deviation/exception mechanism
Applying Policy Changes Locally

19 Navigating the Maze in Your Organization (2)
- Work smarter, not harder
  – Revisit FIPS 199 ratings on systems at least annually – downgrade a FIPS 199 rating (e.g., High to Moderate) when appropriate and defensible
  – Automate artifact and report generation: steer away from endless manual MS-Word/MS-Excel document updating
  – Mandate greater testing and monitoring rigor in policies for the systems that truly affect the mission
  – Provide specific policy direction regarding who resolves “mission” questions (i.e., the risk executive function)
  – Automate your risk collection and reporting to measure your organization’s risk posture

20 Recap
- FISMA requires federal agencies to develop policies to reduce risks to an acceptable level
- Changes are occurring on many fronts, including security configurations, organizational risk management, NIST 800-53 controls, and C&A guidance, among others
- Greater testing requirements for networks and SCADA systems may emerge
- Automation is necessary to work smarter and make the best use of your scarce resources

21 Q&A
- Rick Randall, Director, Strategic IT Solutions and e-Gov RPM™ Product Manager, rrandall@e-mcinc.com
- e-Management, 1010 Wayne Avenue, Suite 1150, Silver Spring, MD 20910. Phone: 301.565.2988, Fax: 301.565.2995, www.e-mcinc.com, info@e-mcinc.com
Save the Date! Next webinar April 28!

