NIST Computer Security Framework and Grids Original Slides by Irwin Gaines (FNAL) 20-Apr-2006 Freely Adapted by Bob Cowles (SLAC/OSG) for JSPG 13-Mar-2007.

Slides:



Advertisements
Similar presentations
OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.
Advertisements

9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain.
1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Agenda COBIT 5 Product Family Information Security COBIT 5 content
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works
Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Information Systems Security Officer
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Managing Risk in Information Systems Lesson.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE , Fall Security Strategies.
Risk Assessment Frameworks
Dr. Ron Ross Computer Security Division
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Introduction to Network Defense
Complying With The Federal Information Security Act (FISMA)
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Information Security Framework & Standards
Information Security Technological Security Implementation and Privacy Protection.
SEC835 Database and Web application security Information Security Architecture.
Information Systems Security Computer System Life Cycle Security.
Applied Technology Services, Inc. Your Partner in Technology Applied Technology Services, Inc. Your Partner in Technology.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security.
NIST Special Publication Revision 1
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 1 – Overview.
Computer Security: Principles and Practice
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
National Institute of Standards and Technology 1 The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training.
Information Systems Security Operations Security Domain #9.
The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Risk in New Computing Paradigms Applying FISMA Standards and Guidelines to Cloud Computing Workshop.
1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Risk Management Process Frame = context, strategies Assess = determine.
Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
Policy, Standards and Guidelines Breakout Co-Chairs Victor Hazlewood OCIO Cyber Security, ORNL Kim Milford ISO, University of Rochester.
The NIST Special Publications for Security Management By: Waylon Coulter.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
NIST SP800 53R4 WMISACA Conferance April 2016 By Dean E Brown CISSP, ISSMP, CSSLP, MCSD Owner – ITSecurityAxioms.com 262 Barrington Cir Lansing, MI
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
CS457 Introduction to Information Security Systems
Presenter: Mohammed Jalaluddin
Computer Security Division Information Technology Laboratory
Risk management.
ISSeG Integrated Site Security for Grids WP2 - Methodology
OSG Computer Security Plans
Introduction to the Federal Defense Acquisition Regulation
I have many checklists: how do I get started with cyber security?
Continuous Monitoring
Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.
Presentation transcript:

NIST Computer Security Framework and Grids Original Slides by Irwin Gaines (FNAL) 20-Apr-2006 Freely Adapted by Bob Cowles (SLAC/OSG) for JSPG 13-Mar-2007

14Mar07Bob Cowles - JSPG2 Required NIST documents C&A Documentation Suite BusinessIT SystemsPeople System Security Categorization Security Controls Threat Statement ATO CSPP ST&E Plan Risk Mitigation Plan

14Mar07Bob Cowles - JSPG3 NIST Process In system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place SP Security Control Documentation Defines category of information system according to potential impact of loss FIPS 199 / SP Security Categorization Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system SP / FIPS 200 Security Control Selection Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements SP A / SP Security Control Assessment SP / FIPS 200 / SP Security Control Refinement Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements SP System Authorization Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing SP Security Control Monitoring Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness Implements security controls in new or legacy information systems; implements security configuration checklists Security Control Implementation SP

14Mar07Bob Cowles - JSPG4 Grid Connection Grids are virtual sites in a sense, and will be examined and perhaps even audited using same criteria And all the US labs that have resources used by grids must live by NIST guidelines, so perhaps it is useful build on the NIST framework for documenting grid computing security requirements

14Mar07Bob Cowles - JSPG5 NIST Process Details Each system needs: –Functional description –Hardware and software description (especially description of boundaries) –Risk assessment –Security plan (showing controls to mitigate the greater impact or likelihood risks) –System Sensitivity Categorization (low/moderate/high sensitivity) –Contingency plan –Security control testing and evaluation Process for certification and accreditation

14Mar07Bob Cowles - JSPG6 Risk Assessment In general terms, a risk assessment is: –what could go wrong, –countermeasures to prevent some of these things from happening, and –you will live with the rest (residual risks) Threat: who is knocking on the door Vulnerability: improperly secured door; no risk without both a threat and a vulnerability Likelihood: probability of occurrence Impact: what is the damage if the risk occurs Security controls: mitigations against risks

14Mar07Bob Cowles - JSPG7 Security Plan Fully describe each control mentioned in your risk assessment Controls organized into management, operational and technical controls Show how each control will be assessed (Interview, Examination, Test)

14Mar07Bob Cowles - JSPG8 NIST Control families Management –Management Risk Assessment RA –Management Planning PL –Management System and Services Acquisition SA –Management Certification, Accreditation, and Security Assessments CA Operational –Operational Personnel Security PS –Operational Physical and Environmental Protection PE –Operational Contingency Planning CP –Operational Configuration Management CM –Operational Maintenance MA –Operational System and Information Integrity SI –Operational Media Protection MP –Operational Incident Response IR –Operational Awareness and Training AT Technical –Technical Identification and Authentication IA –Technical Access Control AC –Technical Audit and Accountability AU –Technical System and Communications Protection SC

14Mar07Bob Cowles - JSPG9 Sensitivity Categorization Must evaluate the sensitivity of the information system and the information contained therein on the basis of: –Confidentiality: the unauthorized disclosure of information. –Integrity: the unauthorized modification or destruction of information. –Availability: the disruption of access to or use of information or an information system. Low/moderate/high categorization –The potential impact is LOW if: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. –Moderate: The potential impact is MODERATE if: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. –High: The potential impact is HIGH if: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

14Mar07Bob Cowles - JSPG10 Security Sensitivity Low Impact –Affects individual users or small VOs Medium Impact –Affects large VO or significant infrastructure impact High Impact –Takes down Grid infrastructure or large VO

14Mar07Bob Cowles - JSPG11 Grid Participants Identity Provider – runs an identity vetting service as a CA or IdM Authorization Provider – provides authorization information Software Provider – provides software used by other participants Service Provider – provides computational, data storage or higher level services

14Mar07Bob Cowles - JSPG12 Relationship to Grid VOs VOs assemble software stacks using VDT Components and other software. –Grids for compute and data intensive science are open, evolving. In general VOs run services, and/or supervise the services others run for them. –An example is VOMS (people, roles)

14Mar07Bob Cowles - JSPG13 All Participants (+Authz) Management – C&A, Risk Assessment Operational – Training, Config Mgmt, Contingency Planning, Incident Response, Maintenance, Media Protection, Personnel Security, Integrity Technical – Access Controls (Authz), Audit, Ident and Authn, Integrity

14Mar07Bob Cowles - JSPG14 Additional Protections Software – Maintenance activities monitored Identity Providers – Authenticator content, additional Incident Response, Physical Environment, Security Plan, DoS protection

14Mar07Bob Cowles - JSPG15 Additional Protections-2 Service Providers –Additional access and authentication controls –Physical Environment –Security Plan –Lifecycle planning and documentation ensuring adequate resources for security –Monitoring of key communication boundaries –Malicious code protection

14Mar07Bob Cowles - JSPG16 ST&E Plans (assessment of security controls) All controls must have procedures for testing and evaluation (it is not enough merely to be secure, you must be able to prove that you are secure) –Can be an ongoing process (eg, we continually monitor the logs of all user access to our system) –Can be an annual (at a minimum) special test (eg, once per year we attempt to penetrate our firewall from the outside) –Can be statistical sampling (interviewing or examining some randomly chosen subset of managers or systems) –In either case must provide documentation that the test were performed and their result –Provide some central location for these test results

14Mar07Bob Cowles - JSPG17 Types of assessments The three types of assessment mechanisms used for security controls are Interview (I), Examine (E), and Test (T). As explained in NIST publication A “Guide for Assessing the Security Controls in Federal Information Systems”, these types of assessment mechanisms can be described as follows: –Interview: this involves asking a selected set of individuals, based on their roles, specific questions about configurations, their actions, etc. –Examine: this involves doing an analysis of some existing data sample and recording the results of the analysis. –Test: this involves performing some specific test of the security control to verify that it is performing as expected.

14Mar07Bob Cowles - JSPG18 Challenge Use the framework to “tell a story” Describe the expectations for participants at different levels of impact VOs and other organizations are likely to have a combination of the expectations Expectations would become policy statements referenced directly or indirectly by “AUP” for VOs, service providers, etc.

14Mar07Bob Cowles - JSPG19 What’s next for JSPG? Validate the list of grid participants Define criteria for the levels of sensitivity appropriate for low, medium and high Determine appropriate controls for each participant type at various sensitivity levels Propose how risk assessments and security plans will be developed Propose how certification will be performed

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.