NIST SP 800-53 R4. WMISACA Conference, April 2016. By Dean E. Brown, CISSP, ISSMP, CSSLP, MCSD. Owner – ITSecurityAxioms.com, 262 Barrington Cir, Lansing, MI 48917.
Agenda
» Ground Level 0 (Zero) = What is NIST (really fast)
» Basics 101 – Controls by section / number (spreadsheet)
» Specific Application (beware the minimum)
» References

What Is NIST? – 1
The National Institute of Standards and Technology is a US federal agency (part of the Department of Commerce). Under FISMA it develops the security standards and guidelines that the other federal agencies have to follow. The two mandatory standards behind SP 800-53 are Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.

What Is NIST? – 2
Do not confuse FIPS, "Federal Information Processing Standard", with FIPPs, the "Fair Information Practice Principles"; the first is a mandatory federal standard, the second is a set of privacy principles. Introductory reading that should be required: the Summary of NIST SP 800-53 Revision 4 (the SP800-53r4_summary.pdf handout listed under References).

What Is NIST? – 3
From FIPS 200: "FIPS 200 and NIST Special Publication 800-53, in combination, ensure that appropriate security requirements and security controls are applied to all federal information and information systems. An organizational assessment of risk validates the initial security control selection and determines if additional controls are needed to protect organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of security due diligence for the organization."
OK, so if you are going down the NIST SP 800-53 R4 path, you have to put FIPS 200 in your backpack. This presentation is NOT about FIPS 200. I will come back to that in section 3.

Basics
» Risk-based framework
» Divided into 3 categories (management, operational, technical) of control families
» Uses priorities (P1, P2, P3) to sequence implementation
» Considered the de facto standard

Basics
Key quote that you need to embrace (SP 800-53 R4, on tailoring): "the security controls and control enhancements listed in the initial baselines are not a minimum, but rather a proposed starting point from which controls and control enhancements may be removed or added." Every control you remove or add has to be documented with its rationale; the baseline is where tailoring starts, not where it ends.

Basics
Which baseline you start from depends on the security impact of the system, taken from its FIPS 199 categorization:
» Low impact
» Moderate impact
» High impact

Basics Controls – Management Controls Category
Management controls:
» Certification, Accreditation, and Security Assessments (named Security Assessment and Authorization, CA, in Rev 4)
» Planning
» Risk Assessment
» System and Services Acquisition

Basics Controls – Operational Controls Category
Operational controls:
» Awareness and Training
» Configuration Management
» Contingency Planning
» Incident Response
» Maintenance
» Media Protection
» Physical and Environmental Protection
» Personnel Security
» System and Information Integrity

Basics Controls – Technical Controls Category
Technical controls:
» Access Control
» Audit and Accountability
» Identification and Authentication
» System and Communications Protection
These 17 families match the 17 security-related areas FIPS 200 defines. The Rev 4 catalog adds an eighteenth family, Program Management (PM), for organization-wide controls that are not tied to a single system.


Basics
Doing this in slides is hard to wrap your mind around. It is easier to think in spreadsheets: one row per control, columns for family, priority, and whether the control sits in the Low, Moderate, and High baselines. In the main document there are some really great appendix pieces (Appendix D holds the baselines and priorities, Appendix F the full control catalog). DO NOT IGNORE THEM!
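As an added example (not from the presenter's slides or spreadsheet), the script below does in code what the spreadsheet approach does by hand: it derives the system impact level from a FIPS 199 categorization using the FIPS 200 high-water mark, pulls the initial Rev 4 baseline for that level out of a catalog excerpt sorted by priority code, and then applies tailoring decisions, refusing any removal or addition that has no written rationale. The CSV rows are a constructed excerpt in the column layout assumed for the spreadsheet; the control titles, priorities, and baseline allocations were transcribed from SP 800-53 Rev 4 Appendix D and should be verified against the catalog before use.

```python
"""Added example: select and tailor an SP 800-53 Rev 4 baseline from a spreadsheet-style catalog."""
import csv
import io
from dataclasses import dataclass, field

LEVELS = ("LOW", "MODERATE", "HIGH")

# Constructed catalog excerpt (assumed spreadsheet columns): id, family, title,
# priority, and Y/N for membership in the Low / Moderate / High baselines.
CATALOG_CSV = """id,family,title,priority,low,moderate,high
AC-2,AC,Account Management,P1,Y,Y,Y
AC-17,AC,Remote Access,P1,Y,Y,Y
AT-3,AT,Role-Based Security Training,P2,Y,Y,Y
AU-2,AU,Audit Events,P1,Y,Y,Y
CM-8,CM,Information System Component Inventory,P1,Y,Y,Y
IA-5,IA,Authenticator Management,P1,Y,Y,Y
PE-18,PE,Location of Information System Components,P3,N,N,Y
PL-8,PL,Information Security Architecture,P1,N,Y,Y
RA-5,RA,Vulnerability Scanning,P1,Y,Y,Y
SC-28,SC,Protection of Information at Rest,P1,N,Y,Y
SI-7,SI,"Software, Firmware, and Information Integrity",P1,N,Y,Y
"""


@dataclass(frozen=True)
class Control:
    id: str
    family: str
    title: str
    priority: str          # P1 = implement first, then P2, P3
    baselines: frozenset   # subset of LEVELS this control is allocated to


def load_catalog(text=CATALOG_CSV):
    """Parse the spreadsheet-style CSV into a dict keyed by control identifier."""
    catalog = {}
    for row in csv.DictReader(io.StringIO(text)):
        allocated = frozenset(lv for lv in LEVELS if row[lv.lower()] == "Y")
        catalog[row["id"]] = Control(row["id"], row["family"], row["title"],
                                     row["priority"], allocated)
    return catalog


def high_water_mark(confidentiality, integrity, availability):
    """FIPS 200 rule: the system impact level is the highest of the three FIPS 199 values."""
    ratings = [confidentiality.upper(), integrity.upper(), availability.upper()]
    for lv in ratings:
        if lv not in LEVELS:
            raise ValueError(f"unknown impact value {lv!r}")
    return max(ratings, key=LEVELS.index)


def _control_key(c):
    # Sort by priority code, then family, then the numeric part of the id (AC-2 before AC-17).
    return (c.priority, c.family, int(c.id.split("-")[1]))


def initial_baseline(catalog, level):
    """Controls allocated to the baseline for `level`, P1 first."""
    return sorted((c for c in catalog.values() if level in c.baselines), key=_control_key)


@dataclass
class Tailoring:
    """Documented tailoring decisions: control id -> written rationale."""
    add: dict = field(default_factory=dict)
    remove: dict = field(default_factory=dict)


def tailor(catalog, level, tailoring):
    """Apply tailoring to the initial baseline. Returns (final controls, list of problems).

    The baseline is a starting point, so controls may be removed or added, but
    every change must carry a rationale and must make sense against the baseline.
    """
    selected = {c.id: c for c in initial_baseline(catalog, level)}
    problems = []
    for cid, why in tailoring.remove.items():
        if cid not in selected:
            problems.append(f"{cid}: not in the {level} baseline, nothing to remove")
        elif not why.strip():
            problems.append(f"{cid}: removal has no documented rationale")
        else:
            del selected[cid]
    for cid, why in tailoring.add.items():
        if cid not in catalog:
            problems.append(f"{cid}: not in the catalog")
        elif cid in selected:
            problems.append(f"{cid}: already in the {level} baseline")
        elif not why.strip():
            problems.append(f"{cid}: addition has no documented rationale")
        else:
            selected[cid] = catalog[cid]
    return sorted(selected.values(), key=_control_key), problems


if __name__ == "__main__":
    cat = load_catalog()
    level = high_water_mark("low", "moderate", "low")
    decisions = Tailoring(add={"SC-28": "PII is stored on removable drives"},
                          remove={"AC-17": "Air-gapped system, no remote access"})
    final, issues = tailor(cat, level, decisions)
    print(level, [c.id for c in final], issues)
```

Run it on the real spreadsheet by pointing `load_catalog` at the exported CSV; the tailoring record it produces (what was added, what was removed, and why) is exactly what an assessor will ask for when the final control set differs from the published baseline.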

Basics
NIST is the de facto standard. From SANS NewsBites, February 23, 2016, Vol. 18, Num. 015, "OPM CIO and Inspector General Out. Appropriate Accountability At Last." (February 22, 2016): "The chief information officer of the U.S. Office of Personnel Management (OPM) quit today, under pressure, two days before she was due to testify before a Congressional panel. She was responsible for cybersecurity programs at OPM that followed NIST guidance but did not implement and measure the Critical Security Controls, which are widely recognized as the minimum standard of due care. Her resignation follows the resignation of the OPM Inspector General (IG) who was equally responsible for forcing the agency to follow guidelines (from OMB and NIST) that documented the cybersecurity gaps but did not close those gaps." Bold added for clarity.

Specific Application – 1
Work / practice sessions: example practice session.

Specific Application – 2
Beware the minimum from FIPS 200 (2006 is the last published edition as of April 2016). DANGER: your regulators will use more current standards. FIPS 200 itself says that NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in FIPS 200. So the FIPS 200 minimum is only the floor; the control selection and tailoring you are held to comes from the current revision of SP 800-53.

References – 1
» All NIST documents
» Main SP 800-53 R4 document –

References – 2
Given to this meeting's organizers:
» NIST – SP Table.xls (my modified spreadsheet that includes priorities and risk levels)
» SP800-53r4_summary.pdf (from the NIST main site)