Certification and Accreditation CS-7493-01 Phase-1: Definition. Atif Sultanuddin, Raja Chawat.


2 Phase-1 Overview
- Phase 1 initiates the DITSCAP process by acquiring or developing the information necessary to understand the Information System under evaluation and then using that information to plan the C&A tasks.

3 Phase-1 Definition
- The objectives of the Phase 1 activities are to agree on:
  - the intended system mission
  - security requirements
  - C&A boundary
  - level of effort
  - resources required

4 Phase-1 Definition
[Diagram of Phase 1, labels only. Inputs: Business case, Mission Need, Threat, Requirement, etc. Activities: Preparation, Registration, Negotiation. Decision: Agreement (Yes / No). Outputs: SSAA, Phase 2. Task boxes: Review Documentation; Prepare Mission Description and System Identification; Register System; Describe Environment & Threat; Identify Organization and resources; Draft SSAA; Certification Requirements review; Approve Phase 1 SSAA.]

5 Phase-1 Activities
- Phase 1 activities:
  - Preparation
  - Registration
  - Negotiation

6 Phase-1 Preparation
- The DITSCAP process starts when an Information System is developed or modified in response to a business case, operational requirements, mission needs, or a significant change in the threats to be countered.
- During the preparation activity, information and documentation are collected about the system.

7 Phase-1 Preparation
- Materials Reviewed During Preparation
  1. Business Case
  2. Mission Needs Statement
  3. System Specifications
  4. Architecture and Design Documents
  5. User Manuals
  6. Operating Procedures
  7. Network Diagrams
  8. Configuration Management Documents
  9. Threat Analysis
  10. Federal and Organizational IA and Security Instructions and Policies

8 Phase-1 Registration
- Registration initiates the risk management agreement process among the program manager, DAA, Certifier, and user representative.
- Registration begins with preparing the system description and system identification and concludes with preparing an initial draft of the SSAA.

9 Phase-1 Registration
- Registration Tasks
  1. Prepare business or operational functional description and system identification.
  2. Inform the DAA, Certifier, and user representative that the system will require C&A support (register the system).
  3. Prepare the environment and threat description.
  4. Prepare system architecture description and describe the C&A boundary.
  5. Determine the system security requirements.
  6. Tailor the DITSCAP tasks, determine the C&A level of effort, and prepare a DITSCAP plan.
  7. Identify organizations that will be involved in the C&A.
  8. Develop the draft SSAA.

10 Phase-1 Negotiation
- During negotiation all the participants involved in the Information System's development, acquisition, operation, security certification, and accreditation reach agreement on the implementation strategy to be used to satisfy the security requirements identified during system registration.

11 Phase-1 Negotiation
- Negotiation Tasks
  1. Conduct the Certification Requirements Review (CRR).
  2. Agree on the security requirements, level of effort, and schedule.
  3. Approve final Phase 1 SSAA.

12 Negotiation
- Negotiation starts with a review of the draft SSAA.
- All participants review the proposed certification level and resource requirements to determine that the appropriate assurance is being applied.

13 Negotiation
- The purpose of negotiation is to ensure that the SSAA properly and clearly defines the approach and level of effort.
- During negotiation all participants must develop an understanding of their roles and responsibilities.
- Negotiation ends when the responsible organizations adopt the SSAA and concur that those objectives have been reached.

14 Phase-1 Tasks
- Task 1-1: Review Documentation
  - Task Objective: The objective of this task is to obtain and review documentation relevant to the system.
  - Task Description: In the review documentation task, information and documentation are collected about the system. This information includes:
    - capabilities and functions the system will perform
    - operational organizations supported
    - intended operational environment, and operational threat
  - This information is contained in the business case or mission needs statement, system specifications, architecture and design documentation, user manuals, operating procedures, network diagrams, and configuration management documentation.

15 Phase-1 Tasks
- Task 1-2: Prepare the System and Functional Description and System Identification
  - Task Objective: The objective of this task is to prepare an accurate description of the system.
  - Task Description: The system and functional description and system identification task describes the system mission and functions, system capabilities, and Concept of Operations (CONOPS).
    - System Identification: Identify the system being developed or entering the C&A process. Provide the name, organization, and location of the organization developing the mission needs and the organizations containing the ultimate user.
    - System Description: Describe the system, focusing on the information security relevant features of the system. Describe all the components of the system.

16 Phase-1 Tasks
- Functional Description and Capabilities: Describe the system, clearly delineating what functions or capabilities are expected in the fully accredited system.
  - System Capabilities: The functions or capabilities expected in the fully accredited system and the mission for which it will be used are clearly defined.
  - System Criticality: System criticality and the acceptable risk for the system in meeting the mission responsibilities are defined.
  - Classification and Sensitivity of Data: The type and sensitivity of the data processed by the system are defined.
  - System Users: Users' security clearances, their access rights to specific categories of information processed, and the actual information that the system is required to process are defined.
  - System Life Cycle: The system life cycle and where the system is in relationship to its life cycle are defined.

17 Phase-1 Tasks
- System CONOPS: The system CONOPS, including functions performed jointly with other systems, is defined.
- Task 1-3: Register the System
  - Task Objective: The objective of this task is to identify the Agencies and individuals involved in the C&A process and determine the current status of the system.
  - Task Description: This task identifies the applicable security and user authorities and informs them of the system status.
  - Identify Authorities:
    - The Agency or organization that will serve as the DAA, Certifier, and user representative is identified.
    - Individuals and their responsibilities in the C&A process are identified.

18 Phase-1 Tasks
- Task 1-4: Prepare the Environment and Threat Description
  - Task Objective: The objective of this task is to define the system environment and potential threats to the system.
  - Task Description: The environment and threat description task describes the operating environment, system development environment, and potential system threats.
  - Operating Environment:
    - The physical, personnel, communications, emanations, hardware, software, and procedural security features that will be necessary to support site operations are described.
    - Operating environment security involves the measures designed to prevent unauthorized personnel from gaining physical access to equipment, facilities, material and documents and to safeguard the assets against espionage, sabotage, damage, and theft.

19 Phase-1 Tasks
- Operating Environment task describes:
  - Facility
  - Physical security
  - Administrative security
  - Personnel
  - COMSEC
  - TEMPEST
  - Maintenance
  - Training

20 Phase-1 Tasks
- System Development, Integration, and Maintenance Environment: The system development approach and the environment within which the system will be developed are described. The system development approach is an information security strategy that incorporates security into each phase of a system's life cycle.
- Threat Description and Risk Assessment: Potential threats and single points of failure that can affect the confidentiality, availability, and integrity of the system are defined.

21 Phase-1 Tasks
- Task 1-5: Determine the System Security Requirements
  - Task Objective: The objective of this task is to identify the system security requirements.
  - Task Description: The system security requirements task defines the National, DoD and data security requirements, governing security requisites, network connection rules, and configuration management requirements.

22 Phase-1 Tasks
- Applicable Instructions or Directives: Determine the security instructions or directives applicable to the system.
- Governing Security Requisite: Determine requirements stipulated by local agencies and the DAA. Contact the DAA and user representative to determine if they have any additional security requirements.
- Data Security Requirements: Determine the type of data processed by the system.
- Security Concept of Operations: The security CONOPS, including system input, system processing, final outputs, security controls, and interactions and connections with external systems, is described.

23 Phase-1 Tasks
- Network Connection Rules: Identify any additional requirements incurred if the system is to be connected to any other network or system.
- Configuration Management: Additional requirements based on the Configuration Management Plan are determined.
- Reaccreditation Requirements: Unique organizational requirements related to the reaccreditation or reaffirmation of the approval to operate the system are determined.
- Requirements Traceability Matrix (RTM): The directives and security requisites used to determine the system security requirements are analyzed.

24 Task 6: Prepare the System Architecture Description
- Objective: To prepare a high level overview of the types of hardware, software, and firmware and associated interfaces.
- Description: The system architecture task defines the system hardware, software, firmware, and interfaces.

25 Task 6 Description
- System Hardware: Target hardware and its function
- System Software: OS, DBMS, and software applications
- System Firmware: Firmware stored permanently in a hardware device
- System Interfaces: The system's external interfaces, purpose and the relationship between the interface and the system
- Data Flows: The system's internal interfaces and data flows including the types of data and the general methods for data transmission

26 Task 7: Identify the C&A Organizations and the Resources Required
- Objective: To identify the organizations and individuals involved in the C&A process.
- Description: Identifies the appropriate authorities, resource, and training requirements and determines the certification team's roles and responsibilities.

27 Task 7 Description
- Organizations: Identify the organizations, individuals, and titles of the key authorities in the C&A process.
- Resources: Identify the resources required to conduct the C&A. Identify the roles of the certification team and their responsibilities.
- Resources and Training Requirements: Describe
  - the training requirements,
  - types of training,
  - who is responsible for preparing and conducting the training.
- Other Supporting Organizations: Identify supporting groups to the C&A process.

28 Task 8: Tailor the DITSCAP and Prepare the DITSCAP Plan
- Objective: To tailor the DITSCAP to the system and prepare the DITSCAP plan.
- Determines the appropriate certification level.
- Adjusts the DITSCAP activities to the program strategy and system life cycle.
- Tailors the security activities to system development activities, ensures that the security activities are relevant to the process and provide the required degree of analysis.

29 Task 9: Draft the SSAA
- Objective: Complete and assemble the SSAA document.
- Description:
  - Completes the SSAA document.
  - Assemble into the formal SSAA document.
  - Submit the draft SSAA to the DAA, Certifier.
  - The draft SSAA establishes a reference for discussions during negotiation.

30 Task 10: Conduct Certification Requirements Review
- Objective: To conduct a CRR.
- Description:
  - Provides an opportunity for the DAA, Certifier, to discuss the system functionality, security requirements, and planned C&A schedule.
  - The CRR results in an agreement regarding the level of effort and the approach that will be taken to implement the security requirements.

31 Task 11: Establish Agreement on Level of Effort and Schedule
- Objective: To agree on the C&A level of effort and schedule.
- Description: This task ensures that the DAA, Certifier, program manager, and user representative agree to the level of effort and schedule for the C&A activities.

32 Task 12: Approve Phase 1 SSAA
- Objective: To obtain the DAA's approval on the Phase 1 SSAA.
- Description: DAA makes a decision on approving the system functionality, operating environment, development environment, potential threats, security requirements, system architecture, organization and resource requirements, tailoring factors, certification level, and DITSCAP plan.

33 PHASE 1 ROLES AND RESPONSIBILITIES

34 DAA Responsibilities
- Define accreditation requirements.
- Obtain a threat assessment for the system.
- Assign a Certifier to conduct vulnerability and risk assessments.
- Support the DITSCAP tailoring and level of effort determination.
- Approve the SSAA.

35 Certifier and Certification Team Responsibilities
- Support the DAA as the technical expert in the certification process.
- Begin vulnerability and risk assessments.
- Review threat definition.
- Identify the security requirements.
- Tailor the DITSCAP, determine the appropriate certification level, and prepare the DITSCAP Plan.
- Provide level of effort and resource requirements.
- Develop the SSAA.
- Provide oversight for the CRR.

36 ISSO Responsibilities
- Assist the DAA, Certifier, and certification team in the certification effort.
- Review the business case or mission statement to determine that it accurately describes the system.
- Review the environment description to verify that it accurately describes the system.

37 User Representative Responsibilities
- Support the DITSCAP tailoring and level of effort determination.
- Provide a business case or mission statement.
- Validate or define system performance, availability, and functionality requirements.
- Provide data sensitivity, end user functionality, and user organization information.
- Verify the ability to comply with the SSAA during operations.

38 Acquisition or Maintenance Organization Responsibilities
- Program Manager Responsibilities
  - Initiate the dialogue with the DAA, Certifier, and user representative.
  - Define the system schedule and budget.
  - Support the DITSCAP tailoring and determine the certification level.
  - Define the system architecture.
  - Integrate system security requirements into the system.
  - Prepare Life-Cycle Management Plans.
  - Define the security architecture.

39 Developer, Integrator or Maintainer Responsibilities
- Provide technical equipment environment requirements.
- Provide target hardware and software architecture.
- Provide information regarding the system development organization.
- Determine the feasibility of technical solutions and security requirements.

40 Configuration Management Responsibilities
- The configuration management staff support the program manager in the development and maintenance of the system and system documentation.

41 System Administration Responsibilities
- There are no system administration responsibilities in Phase 1.

42 Questions