Important acronyms: AO = authorizing official; ISO = information system owner; CA = certification agent.


NIST (National Institute of Standards and Technology, US Department of Commerce), Special Publication 800-37: Guide for the Security Certification and Accreditation of Federal Information Systems

National Policy
Office of Management and Budget Circular A-130, Management of Federal Information Resources, requires federal agencies to:
– Plan for security
– Ensure that appropriate officials are assigned security responsibility
– Review security controls

Security Controls
The countermeasures used to protect assets and to manage the confidentiality, integrity, and availability of information and information systems, for example:
– Anti-virus software
– Network firewall
– User awareness training
– Access controls

Purpose
Provide guidelines for the security certification and accreditation of information systems supporting the executive agencies of the US federal government, in order to:
– Enable consistent and repeatable assessments of information systems
– Promote an understanding of the risks involved in operating information systems
– Create complete and reliable information that officials can use to make an informed certification/accreditation decision
– Assign responsibility and accountability to the individuals overseeing the information system

Risk Management
Adversaries attack the weakest link…where is yours?
Links in the security chain: management, operational, and technical controls
– Risk assessment
– Security planning
– Security policies and procedures
– Contingency planning
– Incident response planning
– Physical security
– Personnel security
– Security assessments
– Security accreditation
– Access control mechanisms
– Identification & authentication mechanisms (biometrics, tokens, passwords)
– Audit mechanisms
– Encryption mechanisms
– Firewalls and network security mechanisms
– Intrusion detection systems
– Anti-malware
– Smart cards

Managing Agency Risk
Key activities in managing agency-level risk, that is, the risk resulting from the operation of an information system:
1. Select a set of security controls
2. Document the security controls in the system security plan
3. Implement the security controls in the information system
4. Assess the security controls
5. Determine risk acceptability
6. Authorize information system operation
7. Monitor the security controls on a continuous basis

Certification vs Accreditation

Certification Definition
Certification is the comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of the accreditation decision, to determine the extent to which the controls are:
– implemented correctly,
– operating as intended, and
– producing the desired outcome with respect to meeting the security requirements for the system.

Accreditation Definition
Accreditation is the official management decision, given by a senior agency official, to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. Accreditation occurs when the agency has determined that an acceptable level of residual risk has been achieved; it is an acknowledgment of risk acceptance, not a claim that no risk remains.

The Primary Officials' Titles
The certification and accreditation process assigns titles to individuals within the agency undergoing C&A:
– The titles may be assigned to existing personnel in order to satisfy the guideline's role requirements.
– Each title carries a well-defined set of responsibilities.

The Primary Officials and Their Titles
– Authorizing Official (AO)
– Information System Owner (ISO), also known as the System Owner
– Certification Agent (CA)

Authorizing Official
– Senior management official
– Formally assumes responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals (primary role)
– Is accountable for the risks associated with operating the information system
– Typically has budgetary oversight of the information system or is responsible for the mission or business operations it supports

Authorizing Official
An industry equivalent could be a title such as Vice President of Information Technology; in this analogy the AO would report to the CIO.

Information System Owner
– Procures, develops, integrates, modifies, operates, or maintains an information system (primary role)
– Responsible for the development and maintenance of the system security plan
– Ensures the system is deployed and operated according to the agreed-upon security requirements
– Decides who has access to the information system and with what privileges
– Provides users and support staff with appropriate security training
– Ensures the appropriate resources are available for certification and accreditation, and reports this to the AO

Certification Agent
– Provides an independent assessment of the system security plan (primary role)
– Assesses the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements
– Provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system

Certification Agent
Must be independent of the persons directly responsible for the development of the information system and for its day-to-day operation, so that the assessment is impartial.
– The appropriate level of independence is determined with reference to the system's FIPS 199 security category: the higher the potential impact, the more independence is expected.

Other Roles
– Authorizing Official Designated Representative: acts on behalf of, and reports to, the AO
– Chief Information Officer: appoints the SAISO
– Senior Agency Information Security Officer (SAISO): liaison between the CIO and the AO
– Information System Security Officer (ISSO): reports to the AO or the ISO
– User Representatives: represent those who use the information system

Delegation of Roles
At the discretion of senior agency officials, roles may be delegated, and the delegation must be appropriately documented. Officials may appoint qualified individuals, contractors as well as regular employees, to any C&A role, with two exceptions:
– the Chief Information Officer and the Authorizing Official, whose roles carry inherent government authority and are held by government personnel.

Four phases to the security certification and accreditation process
1. Initiation
2. Certification
3. Accreditation
4. Monitoring
Each phase is broken into tasks, and each task into a series of sub-tasks.

Phases, Tasks, & Sub-Tasks
In total there are:
– 4 phases
– 10 tasks
– 31 sub-tasks

Phase 1: Initiation
The purpose of this phase is to ensure that the AO and the ISO are in agreement with the contents of the:
– System security plan
– System's security requirements
The CA begins the assessment of the security controls for the information system only after Phase 1 is completed.

Phase 1: Initiation Tasks
Three tasks must be completed for the initiation phase:
1. Preparation
2. Notification and resource identification
3. System security plan analysis, update, and acceptance
The ISO is responsible for all three tasks.

Initiation: Preparation, Task 1
Include the following in the system security plan:
– Describe the system and define its accreditation boundary
– Determine the security category of the system (FIPS 199)
– Identify threats
– Identify vulnerabilities
– Identify the security controls (the safeguards that minimize risk)
– Determine the initial risk

Task 1 Guidance Example
The system description should include:
– A unique identifier for the system
– Its status with respect to the development life cycle
– Location
– Contact information
– Purpose and function
– Hardware and software used
– Network topology
– Etc.
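The "determine the security category of the system" step of Task 1 is computed under FIPS 199 (the standard the deck also cites when discussing certification-agent independence). The following added example is not part of the original slides or of any NIST publication: it applies the FIPS 199 high-water mark rule to a constructed set of information types. Each information type is rated LOW, MODERATE or HIGH for the impact of a loss of confidentiality, integrity and availability; the system's value for each objective is the highest rating across its information types; and the overall impact level, which drives the choice of the minimum security control baseline, is the highest of the three. The information types, their ratings, and the class and function names are assumptions made for the example.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added example, not from the slides or from NIST. The information types and
impact ratings below are constructed for illustration.
"""
from dataclasses import dataclass

# Ordered so that max() picks the high-water mark. FIPS 199 allows NA only for
# the confidentiality of an individual information type (e.g. public information).
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        """Return the validated impact level of this type for one objective."""
        level = getattr(self, objective).upper()
        if level not in LEVELS:
            raise ValueError(f"{self.name}/{objective}: unknown impact level {level!r}")
        if level == "NA" and objective != "confidentiality":
            raise ValueError(f"{self.name}/{objective}: NA is only permitted for confidentiality")
        return level


def high_water_mark(levels) -> str:
    """Highest impact level among an iterable of level names."""
    return max(levels, key=LEVELS.__getitem__)


def categorize_system(info_types) -> dict:
    """Derive the FIPS 199 security category of an information system.

    Per objective, take the high-water mark across all information types. At the
    system level NA is not allowed: FIPS 199 sets a LOW floor for every objective,
    because the system's own processing functions must be protected even when all
    the information it holds is public.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(t.impact(objective) for t in info_types)
        category[objective] = "LOW" if hwm == "NA" else hwm
    # Overall impact level: the high-water mark across the three objectives.
    category["overall"] = high_water_mark(category[o] for o in OBJECTIVES)
    return category


def format_category(category: dict) -> str:
    """Render the result in the notation FIPS 199 uses."""
    parts = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC system = {{{parts}}}, overall impact {category['overall']}"


# Constructed information types for a hypothetical agency web application.
EXAMPLE_TYPES = [
    InformationType("public web content", "NA", "MODERATE", "LOW"),
    InformationType("personnel records", "MODERATE", "MODERATE", "LOW"),
    InformationType("incident reports", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    print(format_category(categorize_system(EXAMPLE_TYPES)))
    # A system holding only public information still categorizes as LOW, never NA.
    print(format_category(categorize_system([EXAMPLE_TYPES[0]])))
```

The point a reviewer of a system security plan checks here is that the category was derived from the information types actually processed, not picked to fit a desired control baseline: one HIGH integrity rating on any type makes the whole system HIGH, and a public-only system still carries a LOW confidentiality requirement.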

Initiation: Notification and Resource Identification, Task 2
– The ISO notifies the appropriate agency officials that the certification and accreditation process is under way.
– The AO prepares a plan of execution that identifies the level of resources required for the certification and accreditation.

Initiation: Analyze, Update, and Accept the System Security Plan, Task 3
– The AO and the CA review the appropriateness of the system's security categorization and security plan.
– The AO and the CA analyze the security plan.
– The ISO updates the security plan based on the recommendations of the CA and the AO.
– The AO accepts the security plan.

Phase 2: Certification
The purpose of this phase is to determine whether the security controls are implemented correctly, operating as intended, and producing the desired outcome.
Two tasks of certification:
1. Assess and evaluate security controls
2. Document security certification

Phase 2: Certification: Assess and Evaluate Security Controls, Task 4
– Prepare documentation and supporting materials (ISO, for the CA): procedures, reports, and logs showing evidence that the security controls are in place.
– Review assessment methods and test procedures (CA).
– Assess and evaluate the security controls (CA).
– Report the security assessment results (CA). The security assessment report is part of the accreditation package.

Phase 2: Certification: Document Security Certification, Task 5
– Provide findings and recommendations (CA).
– Update the security plan (ISO).
– Prepare a plan of action and milestones (POA&M) based on the CA's recommendations (ISO).
– Assemble the accreditation package and submit it to the Authorizing Official (ISO). The package consists of the updated system security plan, the security assessment report, and the plan of action and milestones.

Phase 3: Accreditation
Two tasks, completed by the AO:
1. Make the security accreditation decision
2. Document the security accreditation

Accreditation: Make Security Accreditation Decision, Task 6
– The AO determines the final risk level.
– The AO then decides whether the residual risk is acceptable.
Possible AO decisions:
1. Authorization to operate
2. Interim authorization to operate, under specific terms and conditions (things that must be fixed within a set period)
3. Denial of authorization to operate

Phase 3: Accreditation: Document Security Accreditation, Task 7
– The AO transmits the accreditation decision letter, together with the security accreditation package, to the ISO and other agency officials.
– The ISO updates the security plan.

Phase 4: Monitoring
The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis.
Three tasks, managed by the ISO:
1. Manage and control configuration
2. Monitor security controls
3. Report and document status

Phase 4: Monitoring: Manage and Control Configuration, Task 8
– The ISO documents changes to the information system.
– The ISO analyzes and documents the security impacts resulting from those changes.

Phase 4: Monitoring: Monitor Security Controls, Task 9
– Select a subset of the in-place security controls to monitor.
– Assess the selected security controls to determine whether they operate as intended.

Phase 4: Monitoring: Status Reporting and Documentation, Task 10
– The ISO updates the security plan as dictated by events over time.
– The ISO updates the plan of action and milestones.
– The ISO reports the security status of the information system to the AO.
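One way the three monitoring tasks above could be partly automated, as an added example that is not part of the original slides or of NIST SP 800-37: the script detects configuration drift from the baseline accepted at accreditation (Task 8), maps each change to the security controls it may affect and reassesses only those controls (Task 9), and produces a status record for the AO with plan of action and milestones entries for any control that fails (Task 10). The baseline files, the "current" files, the path-to-control mapping, the automated checks and all function names are constructed for the example; the control names are taken from the Risk Management slide.

```python
"""Phase 4 continuous monitoring helper (Tasks 8, 9 and 10).
Added example, not from the slides or NIST SP 800-37. Baseline, current files,
path-to-control mapping and checks are constructed; a real deployment would hash
live files and read baseline and mapping from the accepted configuration record.
"""
import hashlib

# Constructed baseline: monitored file contents as accepted at accreditation.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/audit/auditd.conf": b"max_log_file_action = keep_logs\n",
    "/etc/pam.d/common-password": b"password requisite pam_pwquality.so minlen=14\n",
}
# Constructed current state: sshd_config modified, PAM policy removed,
# an unreviewed cron job added, audit configuration unchanged.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/audit/auditd.conf": b"max_log_file_action = keep_logs\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}
# Constructed mapping from monitored paths to the controls they implement
# (control names as on the "Risk Management" slide).
CONTROLS_BY_PATH = {
    "/etc/ssh/sshd_config": ["Access control mechanisms", "Identification & authentication mechanisms"],
    "/etc/pam.d/common-password": ["Identification & authentication mechanisms"],
    "/etc/audit/auditd.conf": ["Audit mechanisms"],
}

def hash_files(files):
    """Path -> SHA-256 of content; the baseline record stores hashes, not content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def detect_changes(baseline_hashes, current_hashes):
    """Task 8: document what changed since the accepted baseline."""
    common = set(baseline_hashes) & set(current_hashes)
    return {
        "added": sorted(set(current_hashes) - set(baseline_hashes)),
        "removed": sorted(set(baseline_hashes) - set(current_hashes)),
        "modified": sorted(p for p in common if baseline_hashes[p] != current_hashes[p]),
    }

def security_impact(changes, controls_by_path):
    """Task 8: controls each change may affect; a changed path with no mapping
    cannot be cleared automatically and is flagged for manual analysis."""
    affected, unmapped = {}, []
    for kind in ("added", "removed", "modified"):
        for path in changes[kind]:
            controls = controls_by_path.get(path)
            if controls is None:
                unmapped.append(path)
                continue
            for control in controls:
                affected.setdefault(control, []).append(f"{kind}: {path}")
    return {"affected_controls": affected, "unmapped_paths": unmapped}

def _lines(files, path):
    return files.get(path, b"").decode().splitlines()

# Constructed automated checks per control (Task 9); True means the control
# produces the outcome the security plan expects.
CHECKS = {
    "Access control mechanisms": lambda f: "PermitRootLogin no" in _lines(f, "/etc/ssh/sshd_config"),
    "Identification & authentication mechanisms": lambda f: (
        "PasswordAuthentication no" in _lines(f, "/etc/ssh/sshd_config")
        and any("minlen=14" in line for line in _lines(f, "/etc/pam.d/common-password"))
    ),
    "Audit mechanisms": lambda f: "max_log_file_action = keep_logs" in _lines(f, "/etc/audit/auditd.conf"),
}

def assess_controls(controls, files):
    """Task 9: assess only the selected controls; a control without an automated
    check is reported as needing manual assessment."""
    results = {}
    for control in sorted(controls):
        check = CHECKS.get(control)
        if check is None:
            results[control] = "manual assessment required"
        else:
            results[control] = "satisfied" if check(files) else "other than satisfied"
    return results

def status_report(baseline_hashes, current_files, controls_by_path):
    """Task 10: status record for the AO with POA&M entries for failed controls."""
    changes = detect_changes(baseline_hashes, hash_files(current_files))
    impact = security_impact(changes, controls_by_path)
    assessment = assess_controls(impact["affected_controls"], current_files)
    poam = [{"control": c, "weakness": f"{c} other than satisfied after {'; '.join(impact['affected_controls'][c])}"}
            for c, result in assessment.items() if result == "other than satisfied"]
    return {"changes": changes, "impact": impact, "assessment": assessment, "poam": poam,
            # Failed controls, unreviewed files or a lost control artifact all need the AO's attention.
            "requires_ao_attention": bool(poam or impact["unmapped_paths"] or changes["removed"])}

if __name__ == "__main__":
    import json
    print(json.dumps(status_report(hash_files(BASELINE_FILES), CURRENT_FILES, CONTROLS_BY_PATH), indent=2))
```

Two design choices matter here. A removed file is treated as a change that must reach the AO even when no check fails, because a missing control artifact is a security impact the automation cannot judge. And a changed file with no control mapping is never silently cleared; it is reported for manual impact analysis, which is the step Task 8 actually requires of the ISO.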