
How to Conduct an Information Security (INFOSEC) Assessment: The NSA INFOSEC Assessment Methodology (IAM)
Stephen Mencik, CISSP, ACS Defense, Inc.


Slide 2: Agenda
- What is an INFOSEC Assessment?
- The need for a common assessment methodology
- The NSA INFOSEC Assessment Methodology (IAM)

Slide 3: What Is an INFOSEC Assessment?
A review of the Information System Security (INFOSEC) posture of operational system(s) for the purpose of identifying potential vulnerabilities. Once identified, recommendations are provided for the elimination or mitigation of each vulnerability.

Slide 4: INFOSEC Assurance Vulnerability Discovery Triad (reconstructed from the slide diagram)
- Assessments (Level 1): cooperative; high-level overview; information / mission criticality analysis; includes policy, procedure and information flow; no hands-on testing
- Evaluations (Level 2): cooperative testing; hands-on process; specific technical expertise; penetration tools and diagnostic tools
- Red Team (Level 3): non-cooperative; external penetration tests; simulation of the appropriate adversary

Slide 5: INFOSEC Assessment Characteristics
- No hands-on testing
- Management buy-in
- Success depends on the cooperation of people
- Non-attribution

Slide 6: What Is the Purpose of an INFOSEC Assessment?
An INFOSEC Assessment allows one to:
- Determine which information is critical to the organization
- Identify the systems that process, store, or transmit that critical information
- Determine the proper INFOSEC posture for these systems
- Identify potential vulnerabilities
- Recommend solutions to mitigate or eliminate those vulnerabilities

Slide 7: Why the Need for a Common Assessment Methodology?
- Compare results over time
- Compare assessments done by different teams

Slide 8: The NSA INFOSEC Assessment Methodology
- Developed by the National Security Agency (NSA) during the mid-to-late 1990s
- NSA had more assessment requests than it could handle
- Needed a common methodology to be used by all contractors performing assessments on NSA's behalf
- Provided to the public sector as a community service

Slide 9: IAM Phases (reconstructed from the slide diagram)
Phase 1: Pre-Assessment (on/off-site)
- Categorize and define information value
- Identify systems and boundaries
- Collect system and security documentation
- Generate assessment plan
- Team assignment and coordination
Phase 2: Assessment (on-site)
- Analysis of INFOSEC posture (18 baseline categories)
- Level 1: document review, interviews, system demos
- Level 1+: non-intrusive scans
- Exit brief: strengths and weaknesses
Phase 3: Post-Assessment
- Analysis and report generation, completed 45-60 days after Phase 2
- Report is proprietary to the customer

Slide 10: Pre-assessment Phase Purpose
- Gain an understanding of the criticality of the customer's information
- Identify the system, including system boundaries
- Coordinate logistics with the customer
- Write an assessment plan
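The first Pre-Assessment step, categorizing and defining information value, is carried out in the IAM with criticality matrices (the summary slide calls this "information criticality analysis with matrices"). The script below is an added example, not part of the presentation: it assumes the IAM convention of rating each information type High/Medium/Low for confidentiality, integrity and availability, then deriving each system's rating as the highest impact among the information types it processes, stores or transmits. Information types, systems and ratings are constructed.

```python
# Criticality matrix rollup for IAM Phase 1 (added example, not from the slides).
# Assumption: a system inherits the highest C/I/A impact of the information
# types it handles (the IAM rollup rule as the author of this example understands it).

IMPACT_RANK = {"L": 0, "M": 1, "H": 2}   # ordering used for "highest impact"
ATTRS = ("C", "I", "A")                   # confidentiality, integrity, availability

# Organizational Information Criticality Matrix (OICM): constructed sample data.
OICM = {
    "Payroll records":     {"C": "H", "I": "H", "A": "M"},
    "Public web content":  {"C": "L", "I": "M", "A": "M"},
    "Engineering designs": {"C": "H", "I": "H", "A": "L"},
    "Help desk tickets":   {"C": "M", "I": "L", "A": "L"},
}

# Which information types each system processes, stores or transmits (constructed).
SYSTEM_INFO = {
    "HR server":   ["Payroll records", "Help desk tickets"],
    "Web farm":    ["Public web content"],
    "CAD cluster": ["Engineering designs"],
}

def max_impact(ratings):
    """Return the highest of a non-empty iterable of 'H'/'M'/'L' ratings."""
    return max(ratings, key=IMPACT_RANK.__getitem__)

def system_criticality_matrix(oicm, system_info):
    """Build the System Criticality Matrix: per system and attribute, the
    highest impact among the information types that system handles.
    Rejects systems with no information types or with types missing from the OICM,
    since an unrated information type would silently lower the rollup."""
    scm = {}
    for system, info_types in system_info.items():
        unknown = [t for t in info_types if t not in oicm]
        if not info_types or unknown:
            raise ValueError(f"{system}: empty or unrated information types {unknown}")
        scm[system] = {a: max_impact(oicm[t][a] for t in info_types) for a in ATTRS}
    return scm

def organizational_criticality(scm):
    """Overall rating per attribute: the highest impact across all systems."""
    return {a: max_impact(row[a] for row in scm.values()) for a in ATTRS}

def prioritize(scm):
    """Order systems for assessment attention, highest combined impact first."""
    return sorted(scm, key=lambda s: sum(IMPACT_RANK[scm[s][a]] for a in ATTRS), reverse=True)

if __name__ == "__main__":
    scm = system_criticality_matrix(OICM, SYSTEM_INFO)
    for system in prioritize(scm):
        print(f"{system:12}", " ".join(f"{a}={scm[system][a]}" for a in ATTRS))
    print("Organization:", organizational_criticality(scm))
```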

Slide 11: On-site Activities Purpose
- To explore and confirm the information and conclusions made during the Pre-Assessment Phase
- To perform data gathering and validation:
  - Interviews
  - Documentation
  - System demonstrations
- To provide initial analysis and feedback to the customer

Slide 12: Post-assessment
- Finalize analysis
- Preparation and coordination of a final report

Slide 13: On-site Details
- Gather and validate system information:
  - Interviews
  - System demonstrations
  - Documentation review
- Analyze assessment information
- Develop initial recommendations

Slide 14: Interviews
Used to:
- Gain information from a larger cross section of the organization
- Learn how operations "really" occur

Slide 15: System Demonstrations
- Useful tool to supplement information gathering
- Can be used to resolve conflicting information

Slide 16: Additional Documentation Review
- Supplements information gathered during interviews
- Added assurance if it is documented
- Lack of documentation is a finding

Slide 17: Baseline Information Categories
1. INFOSEC Documentation
2. INFOSEC Roles and Responsibilities
3. Identification & Authentication
4. Account Management
5. Session Controls
6. External Connectivity
7. Telecommunications
8. Auditing
9. Virus Protection
10. Contingency Planning
11. Maintenance
12. Configuration Management
13. Back-ups
14. Labeling
15. Media Sanitization / Disposal
16. Physical Environment
17. Personnel Security
18. Training and Awareness

Slide 18: 1. INFOSEC Documentation
- Policy
- Guidelines / requirements
- System Security Plans (SSP)
- Standard Operating Procedures (SOP)
- User system security manuals

Slide 19: 2. INFOSEC Roles and Responsibilities
- Upper-level management
- Systems operation
- User community

Slide 20: 3. Identification & Authentication
- Fundamental building block of INFOSEC
- Three methods of implementation:
  - "Something you know"
  - "Something you have"
  - "Something you are"

Slide 21: 4. Account Management
- Documented account management policy and procedures
- Written formal account request
- General and privileged user agreements
- Supervisor and data owner approval for access
- Minimal privilege access
- Account initialization

Slide 22: 4. Account Management (Cont.)
- Account termination
- Account maintenance
- Special accounts

Slide 23: 5. Session Controls
- Protected, logged-on workstation
- Time-outs
- Lock-screen capability with password
- Warning banner

Slide 24: 6. External Connectivity
- Internet
- Modems
- Dedicated

Slide 25: 7. Telecommunications
- Documented requirements and procedures for transmitting sensitive information
- Encryption issues:
  - Purpose (confidentiality, integrity, non-repudiation)
  - Trust in communications medium
  - Strength of algorithm
- Alternate routes for increased availability

Slide 26: 8. Auditing
- Policy requiring mandatory auditing
- SOP defining what to audit
- Audit analysis and reporting on a timely basis
- SSA trained in audit analysis

Slide 27: 9. Virus Protection
- Written policy
- Personal software allowed?
- Scan incoming software
- System scans
- Update tools
- Employee education/training

Slide 28: 10. Contingency Planning
- Documented plan
- Identify mission- or business-critical functions
- Uninterruptible Power Supply (UPS)

Slide 29: 11. Maintenance
- Policy and procedures
- Personnel clearance level
- Control of diagnostic software
- Remote maintenance access

Slide 30: 12. Configuration Management
- Documented configuration control plan
- Configuration Control Board (CCB)
- Software loading issues for SSA approval

Slide 31: 13. Back-ups
- Documented in SSP and SOP
- Schedule
- Proper storage
- Periodic testing of back-ups

Slide 32: 14. Labeling
- Policy/SOPs
- Document what information is sensitive and why
- Employees trained on proper marking procedures
- Removable media
- System components

Slide 33: 15. Media Sanitization/Disposal
- Documented policy and SOPs
- Media sanitization methods
- Establish responsibilities
- User education/training
- Contract concerns

Slide 34: 16. Physical Environment
- Physical environment can be used to offset a lack of system security capabilities
- Ramifications to INFOSEC posture

Slide 35: 17. Personnel Security
- Background checks
- Security clearance
- Signed user agreements
- Employee awareness of social engineering techniques

Slide 36: 18. Training and Awareness
- Users are usually the weakest link in security
- Documented responsibilities
- Formal INFOSEC training program for users and SSA

Slide 37: Baseline Information Categories Summary
- All categories need to be addressed
- Category details will depend on the specific system
- Additional categories can be included

Slide 38: Analysis of Vulnerabilities
Identify weaknesses or vulnerabilities in the system and operations that could potentially be exploited by an adversary.

Slide 39: Threat Aspects
- Environmental
- Human:
  - External
  - Internal malicious
  - Internal inadvertent

Slide 40: Develop Recommendations
The assessment team will develop a list of recommended technical and operational security countermeasures to the identified system vulnerabilities.

Slide 41: Post-assessment Activities Phase
- Additional review of documentation
- Additional expertise
- Report coordination

Slide 42: Summary: IAM Baseline Activities, Pre-Assessment
- On-site customer coordination:
  - Information criticality analysis with matrices
  - Customer's concerns
- Documented INFOSEC assessment plan

Slide 43: Summary: IAM Baseline Activities, On-site Assessment
- Information gathering:
  - Interviews
  - Documentation review
  - System demonstrations
- 18 baseline information categories

Slide 44: Summary: IAM Baseline Activities, Post-Assessment
- Documented report

Slide 45: Useful Links
- http://www.iatrp.com/iam.cfm : official IAM site
- http://www.iatrp.com/indivu2.cfm : list of individuals certified to perform assessments using the IAM
- http://www.iatrp.com/certclass.cfm : information on the 2-day IAM training leading to certification

Slide 46: Contact Information
Stephen Mencik, Sr. INFOSEC Engineer
ACS Defense, Inc.
9020 Mendenhall Ct., Suite J, Columbia, MD 21045
(410) 953-7313
stephen.mencik@acs-inc.com
steve@mencik.com

