Presentation is loading. Please wait.

Presentation is loading. Please wait.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.

Published byDerek Sullivan Modified over 8 years ago

Similar presentations

Presentation on theme: "NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop."— Presentation transcript:

1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop April 17, 2009 Dr. Ron Ross Computer Security Division Information Technology Laboratory

2 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2 Information Security Programs Adversaries attack the weakest link…where is yours? Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical security Personnel security Security assessments Certification and accreditation Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards Links in the Security Chain: Management, Operational, and Technical Controls

3 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3 Risk Management Framework Security Life Cycle SP 800-39 Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). SP 800-53A ASSESS Security Controls Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. FIPS 199 / SP 800-60 CATEGORIZE Information System Starting Point Continuously track changes to the information system that may affect security controls and reassess control effectiveness. SP 800-37 / SP 800-53A MONITOR Security State SP 800-37 AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. IMPLEMENT Security Controls SP 800-70 FIPS 200 / SP 800-53 SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.

4 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4 Applying the Risk Management Framework to Information Systems Risk Management Framework Authorization Package Artifacts and Evidence Near Real Time Security Status Information SECURITY PLAN including updated Risk Assessment SECURITY ASSESSMENT REPORT PLAN OF ACTION AND MILESTONES Output from Automated Support Tools INFORMATION SYSTEM CATEGORIZE Information System ASSESS Security Controls AUTHORIZE Information System IMPLEMENT Security Controls MONITOR Security State SELECT Security Controls

5 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5 RISK EXECUTIVE FUNCTION Enterprise-wide Oversight, Monitoring, and Risk Management INFORMATION SYSTEM INFORMATION SYSTEM Common Controls (Inherited by Information Systems) INFORMATION SYSTEM INFORMATION SYSTEM RMF RISK MANAGEMENT FRAMEWORK POAM SAR SP Authorization Decision POAM SAR SP POAM SAR SP Authorization Decision POAM SAR SP Authorization Decision POAM SAR SP Authorization Decision POAM SAR SP Authorization Decision Architecture Description Architecture Reference Models Segment and Solution Architectures Mission and Business Processes Information System Boundaries Organizational Inputs Laws, Directives, Policy Guidance Strategic Goals and Objectives Priorities and Resource Availability Supply Chain Considerations SP: Security Plan SAR: Security Assessment Report POAM: Plan of Action and Milestones

6 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6 Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Project LeaderAdministrative Support Dr. Ron RossPeggy Himes (301) 975-5390(301) 975-2489 ron.ross@nist.gov peggy.himes@nist.gov Senior Information Security Researchers and Technical Support Marianne Swanson Dr. Stu Katzke (301) 975-3293 (301) 975-4768 marianne.swanson@nist.govskatzke@nist.gov Pat TothArnold Johnson (301) 975-5140(301) 975-3247 patricia.toth@nist.gov arnold.johnson@nist.gov Matt SchollInformation and Feedback (301) 975-2941Web: csrc.nist.gov/sec-cert matthew.scholl@nist.gov Comments: sec-cert@nist.gov

Download ppt "NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop."

Similar presentations

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.
A comparison of Systems Engineering and Security Engineering practices and professionals Or maybe a commercial for the INCOSE working group!

A comparison of Systems Engineering and Security Engineering practices and professionals Or maybe a commercial for the INCOSE working group!
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication 800-171 Protecting Controlled.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication Protecting Controlled.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks.
DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.

DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.
Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.

Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works

Security Controls – What Works
Managing Risks from Information Systems Building Effective Information Security Programs Data Management Association-National Capital Region January.

Managing Risks from Information Systems Building Effective Information Security Programs Data Management Association-National Capital Region January.
Information Security Policies and Standards

Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.

Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Risk Management Framework

Risk Management Framework
NIST SP 800-37, Revision 1 Applying Risk Management to Information Systems (Transforming the Certification and Accreditation Process) A Tutorial February.

NIST SP , Revision 1 Applying Risk Management to Information Systems (Transforming the Certification and Accreditation Process) A Tutorial February.
1 Dan Steinberg, JD Portland, OR May 4, 2011 Speaking Notes Privacy and Security for Research Repositories Please do not reuse or republish without attribution.

1 Dan Steinberg, JD Portland, OR May 4, 2011 Speaking Notes Privacy and Security for Research Repositories Please do not reuse or republish without attribution.
Dr. Ron Ross Computer Security Division

Dr. Ron Ross Computer Security Division
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 FISMA Next Generation Managing Risk in an Environment of Advanced Persistent Cyber Threats NASA IT Summit.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 FISMA Next Generation Managing Risk in an Environment of Advanced Persistent Cyber Threats NASA IT Summit.
Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.

Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.

Similar presentations

Ads by Google