Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Presentation transcript:

Secure System Administration & Certification
DITSCAP Manual (Chapter 6)
Phase 4 Post Accreditation
Stephen I. Khan, Ted Chapman
University of Tulsa, Department of Mathematical & Computer Sciences
CS 5493/7493 Secure System Administration & Certification
Dr. Mauricio Papa

Resources
- NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP), dated April 2000
- DITSCAP manual
- DITSCAP Article
- Documents Related to DITSCAP

Phase 1 - Definition
Initiates the DITSCAP process by acquiring or developing the information necessary to understand the IT and then using that information to plan the C&A tasks.
Phase 1 Tasks
1. Register the system – Inform DAA, CA, PM and Users.
2. Determine system security requirements.
3. Develop system architecture and define C&A boundary.
4. Identify threat environment.
5. Prepare security CONOPS.
6. Identify organizations involved in the C&A activities.
7. Tailor the activities and determine the level of effort.
8. Develop draft SSAA.

Phase 2 - Verification
Verify the system’s compliance with the requirements agreed on in the SSAA. The goal is to obtain a fully integrated system for certification testing and accreditation.
Phase 2 Tasks - Certification
1. Review and validate security architecture.
2. Software design analysis (i.e., NMCI applications).
3. Review network connection rule compliance.
4. Review integration approach of products.
5. Review life cycle management support requirements.
6. Conduct vulnerability assessment.

Phase 3 - Validation
Validates the fully integrated system compliance with the requirements stated in the SSAA. The goal is to obtain full approval to operate the system - accreditation.
Phase 3 Tasks - Validation
1. Conduct Security Test and Evaluation.
2. Conduct penetration testing.
3. Validation of security requirements compliance.
4. Conduct site accreditation survey.
5. Develop and exercise contingency/incident response plan.
6. Conduct risk management review.
7. Identify residual risk and review with CA.
8. Present ST&E results and residual risk to the DAA.

Phase 4 – Post Accreditation
[Flowchart: Phase 1: Definition, SSAA, System Operation, Compliance Validation; decisions "Validation Req’d?" and "Change Required?" with Yes/No branches]
- Objective is to maintain an acceptable level of residual risk
- DITSCAP responsibilities shift to site system manager or maintenance organization
- Major changes or periodic validation reinitiates the DITSCAP process to Phase 1
- Ends with system termination

Inputs
- SSAA from Phase 3
- Test Procedures
- Site Information

System and Security Operations Tasks
1. SSAA Maintenance
2. Physical, Personnel, and Management Control
3. TEMPEST Evaluation
4. COMSEC Evaluation
5. Contingency Plan Maintenance
6. Change Management
7. System Security Management
8. Risk Management

Task Analysis Report Topics
- Record of findings
- Evaluation of vulnerabilities
- Summary of the analysis level of effort
- Summary of tools used and results obtained
- Recommendations

SSAA Management
- Update, as needed, to reflect current operating system mission
- Changes in the system should be reflected in the SSAA according to Security Level
- Output: A revised SSAA

Physical, Personnel, and Management Control Review
- Analyze the operational procedures, environmental concerns, personnel security controls, and physical security for any unacceptable risks
- Complete the Minimum Security Activity Checklist
- Output: Physical, Personnel, and Management Control Review Summary Report

TEMPEST Evaluation
- Periodic TEMPEST and RED-BLACK verification may be required to ensure that the equipment meets security requirements
- Output: A TEMPEST Evaluation Summary Report

COMSEC Compliance
- Validate appropriate COMSEC approval and compliance with SSAA
- Verify that the COMSEC-approved key management procedures continue to be used
- Output: COMSEC Compliance Evaluation Summary Report

Contingency Plan Management
- Review Contingency Plans and related procedures to ensure that they remain current
- Complete the Minimum Security Activity Checklist
- Output: Contingency Plan Maintenance Summary

Configuration Management
- Assess proposed changes to the system to determine if they will impact system security
- Accreditation ties certified hardware and software to the configuration of the computing environment
- The SSAA defines the Configuration Management Strategy
- Significant changes to the security posture must be forwarded to the DAA, Certifier, User Rep, and Program Manager
- Output: Configuration Management Summary Report

Risk Management Review
- Assess the risk to confidentiality, integrity, and availability of the system and its information
- Any changes to risk should be reported immediately to the DAA
- Complete the Minimum Security Activity Checklist
- Output: Updated SSAA and Risk Management Review Summary Report

Threat Changes
- IT Mission or User Profile
- IT architecture
- Criticality/Sensitivity level
- Security policy
- Threat or System risk
- Activity that requires a different Security mode
- Breach of Security, System integrity, or unusual situation
- Results of an audit or external assessment

Roles and Responsibilities
- Describes the functional relationships and integration of these roles of each of the
- In some cases the roles may be performed by three separate organizations
- In other cases some roles may be combined

Compliance Validation
- Periodic review of the operational system and its computing predefined intervals (as defined in the SSAA).
- The purpose is to ensure the system continues to comply with the security requirements, current threat assessment and concept of operations.
- The compliance review should ensure that the contents of the SSAA adequately address the functional environment into which the IS has been placed.
- Should repeat all the applicable tasks from Phase 2 (Verification) and Phase 3 (Validation).

Compliance Validation (cont…)
Phase 2 Tasks (Verification)
1. System Architecture Analysis.
2. Software Design Analysis.
3. Network Connection Rule Compliance Analysis.
4. Integrity Analysis of Integrated Products.
5. Life-Cycle Management Analysis.
6. Security Requirements Validation Procedures Preparation.
7. Vulnerability Assessment.

Compliance Validation (cont…)
Phase 3 Tasks (Validation)
1. Security Test and Evaluation
2. Penetration Testing
3. TEMPEST and RED-BLACK Evaluation
4. COMSEC Compliance Evaluation
5. System Management Analysis
6. Site Accreditation Survey
7. Contingency Plan Evaluation
8. Risk Management Review

Compliance Validation (cont…)
Minimal Tasks
1. Site and Physical Security Validation
2. Security Procedures Validation
3. System Changes and Related Impact Validation
4. System Architecture and System Interfaces Validation
5. Management Procedures Validation
6. Risk Decisions Validation

Compliance Validation (cont…)
Complete the Minimal Security Activity Checklist
Prerequisite Tasks: All Phase 2 and Phase 3 tasks.
Input: Approved SSAA and Task Summary Reports from all prerequisite tasks.
Output/Products: A Compliance Validation Summary Report, which must include the following:
- Record of findings.
- Evaluation of vulnerabilities discovered during evaluations.
- Summary of the analysis level of effort.
- Summary of tools used and results obtained.
- Recommendations.

Change Requested or Required
2 Possibilities
1. No change
2. Change returns to Phase 1 (Definition)

Roles and Responsibilities
1. Security Team Responsibilities
   - DAA Responsibilities
   - Certifier (CA) and Certification Team Responsibilities
2. User Responsibilities
   - User Representative Responsibilities
   - ISSO Responsibilities
3. Acquisition or Maintenance Organization Responsibilities
   - Program Manager Responsibilities
   - Program Management Support Staff Responsibilities
   - Developer, Integrator or Maintainer Responsibilities
   - Configuration Control and Configuration Management Responsibilities
   - System Administration Responsibilities

Roles and Responsibilities (cont…)
DAA
1. Review proposed security changes.
2. Oversee compliance validation.
3. Monitor C&A integrity.
4. Establish reaccreditation requirements and ensure all assigned systems comply with these requirements.
5. Decide to reaccredit, accredit, IATO, or if the SSAA is no longer valid, terminate system operations.
6. Review the system for compliance with the SSAA.
7. Must be notified of any changes that significantly affect the security posture of the system.

Roles and Responsibilities (cont…)
Certifier (CA) and Certification Team
1. Typically serve in a support role to the DAA, system operators and ISSO.
2. Review the SSAA.
3. Review proposed changes.
4. Oversee compliance validation.
5. Must be notified of any changes that significantly affect the security posture of the system.

Roles and Responsibilities (cont…)
User Representative
1. Oversee the system operation according to the SSAA.
2. Report vulnerability and security incidents.
3. Report threats to the mission environment.
4. Review and update the system vulnerabilities.
5. Review changes to the security policy and standards.
6. Initiate SSAA review if there are changes in the threat or system configuration (review SSAA).
7. Maintain an acceptable level of residual risk.
8. Review and approve proposed changes.
9. Submit significant changes to the DAA and the CA.
10. Perform compliance validation actions.

Roles and Responsibilities (cont…)
ISSO
1. Security focal point responsible for the secure operation of the IS within the environment as agreed on in the SSAA.
2. Ensure the IS is deployed and operated according to the SSAA to maintain an acceptable level of residual risk.
3. Periodically review the mission statement, operating environment, and security architecture to determine compliance with the approved SSAA.
4. Maintain the integrity of the site environment and accredited security posture.
5. Ensure that configuration management adheres to the security policy and security requirements.
6. Initiate the C&A process when periodic reaccreditation is required or system change dictates.

Roles and Responsibilities (cont…)
Program Manager
1. Report security related changes in the IS to the DAA and user representative.
2. Update the IS to address reported vulnerabilities and patches under configuration management.
3. Review and update life-cycle management policies and standards.
4. Resolve security discrepancies.
5. Review the SSAA periodically.
6. Operate system as prescribed in the SSAA.
7. Maintain an acceptable level of residual risk.
8. Submit proposed changes to the user representative, ISSO, DAA and CA, as applicable.
9. Support compliance validation.

Roles and Responsibilities (cont…)
Program Management Support Staff
1. Cost and schedule determinations.
2. Level of effort evaluation of subsequent C&A efforts.
3. System documentation.

Roles and Responsibilities (cont…)
Developer, Integrator or Maintainer
1. Provide hardware and software architecture to the acquisition organization.
2. Provide system modifications or changes to the ISSO and inform the program manager, DAA, Certifier, and user representative.
3. Develop or integrate technical security solutions and security requirements.

Roles and Responsibilities (cont…)
Configuration Control and Configuration Management
1. Supports the PM in the development and maintenance of system documentation.

Roles and Responsibilities (cont…)
System Administration
1. Operate the system according to the SSAA.
2. Maintain an acceptable level of residual risk.
3. Inform the ISSO of any proposed changes or modifications to the system, information processed, operating procedures, operating environment that affect security.

Phase 4 - Overview
1. SSAA Maintenance
2. Physical, Personnel, and Management Control
3. TEMPEST Evaluation
4. COMSEC Evaluation
5. Contingency Plan Maintenance
6. Change Management
7. System Security Management
8. Risk Management
- Objective is to maintain an acceptable level of residual risk
- DITSCAP responsibilities shift to site system manager or maintenance organization

Questions?