NCI-CBIIT Security in the System/Services Development Life Cycle Presenter: Braulio J. Cabral CBIIT Enterprise Security Coordinator.

Content
The Path to Security and Compliance
Security and Compliance through the SDLC
Software Security Requirements
ECCF
Validating Security (Certification and Accreditation)
Roles and Responsibilities
Current caBIG Security Infrastructure
Future Security as Service

The Path to a Secure/Compliant System

Security Requirements
Software security requirements:
  Leverage certification tools for security requirements gathering.
  Prepare for FISMA certification through the SDLC phases.
Let's get the security requirements:
  Application security requirements (ECCF templates, security conformance statements, security assertions (QA))
  PIA, E-Auth. Assessment, System Categorization (C&A process)
  System Security Plan

CIM (CFSS) Conformance Example
Conformance No.: AE-CP2
Security Pre-Conditions [M]: An access control mechanism needs to be in place to ensure that the user is logged in and has valid privileges of a Study Administrator to initiate an Adverse Event.

Compliance & Conformance Statements
Name: Secured Access
Type: Obligation
Viewpoint: Engineering
Description: The AE service should have an access control mechanism in place to restrict access to sensitive data.
Test Method: 1. Design review; 2. Security test case

Platform Independent Model (PIM) and Service Specification
Operation Behavior Description: Security Conditions
Describe in detail the security constraints which the user needs to fulfill in order to successfully execute this operation. Provide the following details:
  List all the Groups / Roles / Attributes which the user needs to have in order to execute the operation.
  List any specific access control which the user needs to have on the particular instance of the input parameter in order to gain access (e.g. the user needs to be a study coordinator for the Study id passed).
  Any additional security requirements (e.g. Authentication Required, or Anonymous call allowed for the operation).
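As an added example (not from the slides, and not the CSM or caGrid API), the Python below models one PIM-style security condition for an "initiate Adverse Event" operation in the shape of AE-CP2: authentication required, a Study Administrator role, and an instance-level grant on the study id passed. Class names, role names and the session layout are assumptions; the study-coordinator requirement is borrowed from the slide's own example and combined with AE-CP2 so both kinds of check appear.

```python
"""Added example: enforcing a PIM security condition (role + instance-level
access + authentication) before an operation runs. Not CSM/caGrid code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class AccessDenied(Exception):
    """Raised when a security pre-condition is not met."""


@dataclass
class Session:
    user: Optional[str]                       # None models an anonymous call
    roles: Set[str] = field(default_factory=set)
    # Instance-level grants: study id -> roles the user holds on that study
    study_roles: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class SecurityCondition:
    authentication_required: bool = True
    required_roles: Set[str] = field(default_factory=set)        # Group / Role / Attribute
    required_study_roles: Set[str] = field(default_factory=set)  # access on the input instance


def check(cond: SecurityCondition, session: Session, study_id: Optional[str] = None) -> None:
    """Evaluate every pre-condition; raise AccessDenied on the first failure."""
    if cond.authentication_required and session.user is None:
        raise AccessDenied("authentication required")
    missing = cond.required_roles - session.roles
    if missing:
        raise AccessDenied(f"missing role(s): {sorted(missing)}")
    if cond.required_study_roles:
        held = session.study_roles.get(study_id or "", set())
        if not cond.required_study_roles & held:
            raise AccessDenied(f"no {sorted(cond.required_study_roles)} grant on {study_id}")


# AE-CP2 as a condition object: logged in + Study Administrator; the
# coordinator-of-this-study requirement is assumed, from the PIM slide's example.
INITIATE_ADVERSE_EVENT = SecurityCondition(
    required_roles={"Study Administrator"},
    required_study_roles={"Study Coordinator"},
)


def initiate_adverse_event(session: Session, study_id: str) -> str:
    """Operation body runs only after the security pre-condition passes."""
    check(INITIATE_ADVERSE_EVENT, session, study_id)
    return f"AE created for {study_id} by {session.user}"


def allowed(session: Session, study_id: str) -> bool:
    """Security test case helper (the 'Test Method' column): True if permitted."""
    try:
        initiate_adverse_event(session, study_id)
        return True
    except AccessDenied:
        return False
```

The `allowed` helper is what a security test case in the conformance table would call, once per role/instance combination, so the negative cases (anonymous, wrong role, wrong study) are asserted as firmly as the positive one.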

PIM Conformance Statements
Security Conformance Statements:
  Security as conformance statements
  Security as mandatory constraints or pre-conditions
  Security as a full conformance profile
Deployment considerations
Jurisdictional Domains

Platform Specific Model and Service Specification (PSM)
Security Standards and Technology
Assumptions and Dependencies for Security
Operations Details
Security Controls Implementation Considerations:
  Access Control
  Application (service) Security (Access Policy)
  Cryptography

Platform Specific Model and Service Specification (PSM)
  Information Security and Risk Management
  Legal, Regulations, Compliance and Investigations
  Telecommunications and Network Security
  Auditing
  Privacy

Conformance Assertions
  Quality Control
  Test Cases

Validating Security
FISMA Certification Process:
  PIA
  e-Authentication assessment
  System Categorization
  Appscan
  Request C&A through the security team (ISSO: Bruce Woodcock, Blaise Czkalski; coordinator: Braulio J. Cabral)
  Security Plan, Contingency plan, etc.

Security roles & responsibilities: Who does what?
System Owner: PIA, E-Authentication Assessment, System Categorization, system diagram, request appscan, etc.
ISSO: C&A process, appscan
CIO: Authorization letter
NCI Privacy Office (PIA) POC: Suzanne Millard

Current caBIG Security Infrastructure The Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)

Authentication
  Dorian Authentication Service (SAML and Grid Certificate)
  CSM Authentication (user name/password)
  CSM authentication with NCI-LDAP
  Single Sign on (SSO)

Authorization
  CSM Authorization (Application Level) (moving towards Service Level)
  CSM Authorization (Service Level)
  GRID Grouper Authorization
  Combined CSM/GRID Grouper

Authorization Service Level with CSM Example (CCTS Suite)
[Diagram: C3PR, caAERS, PSC, Lab Viewer and C3D Connector, each fronted by a CSM API]

Future Security As Services Infrastructure

Useful Links
Enterprise Security Program: pageId=
System Categorization form (FIPS-199): gorization/NIH_System_Categorization_form.doc
Authentication Risk Assessment Report: Authentication_Report_Template.doc

Useful Links
System Security Plan: Basic-Outline.doc
Contingency plan (if available, part of the system security plan): Template.doc
ECCF Templates: ments/artifact_templates/