Database development and security certification and accreditation plan (PITWG)
Information Systems Development and Database Development Management Meeting: security and legal security requirements


    • Presented by John M. Kennedy, October 30, 2007, ProMonsterMedia, LLP
    • Incident Response Plan; Security Requirements; Information System Security Policy; Contingency Plan; Security Education, Training and Awareness Program [SETA]
    • How do I deal with this? What impact does it have? Who needs to know?
    • DITSCAP; HIPAA; Sarbanes-Oxley
    • Phone Contact List; Check List; Goals and Objectives; Attack Impact Matrix; Notification Matrix; Evidence Guidance; Actual Procedures Guides (appendix)
    • Senior Management
      - Provides support and authority to act
      - Provides funding
      - Provides approval
    • Steering Committee
      - Overall direction of the IRP
      - Frequent review of draft plans
      - One member from each impacted department
    • Development Team
      - Project Officer
      - Support staff (each department)
    • Create Steering Committee; establish Team Lead; identify critical systems and data; identify disasters; draft plan according to matrix; plan review; plan approval
    • DITSCAP: Step 1, Definition, is developed after the initial design of the system; Step 4, Post Accreditation, is used after the system has been put into place.
    • No simple answer, no "canned" solution. Time to prepare depends on:
      - How prepared (documented)
      - How skilled (development team)
      - Level of support (departments)
      - Size of plan (manual size)
      Then identify members, identify critical systems, identify critical data, and identify the appropriate response.
    • Incident Response Team members (Maiwald, 2002)
    • Security Policy: purpose; audience; security measures; ongoing monitoring; deployment of the necessary security measures and tools
    • Lifecycle phases (with system-level and enterprise-level prioritization): Initiation Phase; Development Phase; Implementation Phase; Operations Phase; Disposal Phase
    • Database security: security feature, protection objective, security mechanism
      - Security Features: features the system-to-be must have (e.g. Privacy)
      - Protection Objectives: principles that contribute towards the security features (e.g. Access Control)
      - Security Mechanisms: mechanisms to achieve the protection objectives (e.g. Authentication)
    • Awareness and Training: awareness; training; education; certification
    • Vulnerabilities assessment; Access control (passwords); Physical security (access cards; biometric authentication); Wireless security; Network security (TCP/IP standards; the Internet Protocol)
    • Firewalls and anti-virus (types of protection; firewall architecture); Host security (server hardening; patching; client hardening)
    • Cryptography (symmetric vs. asymmetric encryption; public key infrastructure (PKI) encryption; digital certificates; e-mail security); Intrusion detection system (IDS); Penetration testing; Logging and traffic monitoring
    • Audit; Risk assessment; Disaster and recovery
    • Vulnerabilities assessment
      - Defining the scope of vulnerability management
      - Asset inventory
      - Information management
      - Tools
      - Reporting and remediation
      - Response planning
    • Access controls
      - Reusable passwords; passwords must be changed periodically; password policies; good passwords
      - Physical security: to buildings and infrastructure; access cards; biometric authentication
      - Wireless security
    • Network security
      - TCP/IP standards; Internet Protocol
      - HTTPS protocol; Secure Sockets Layer (SSL)
    • Firewall
      - Types of protection: packet inspection; application inspection; denial-of-service inspection; authentication of users
      - Types of firewalls: router screening; computer-based; host firewalls; stateful, ACL and application firewalls
    • Host security
      - Hardening servers; hardening clients
      - Hosting servers in a separate secure building
      - Patch installation
      - Managing permissions
      - Testing for vulnerabilities
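The three password rules listed above (a good password, periodic change, no reuse) are the kind of thing a policy states in one line and an implementer has to enforce with salted hashing and a hash history. The block below is an added example written for this page, not code from the ProMonsterMedia plan; the thresholds (12 characters, 90-day rotation, 5-entry history, PBKDF2 round count) and the sample account are assumptions.

```python
"""Password policy enforcement: complexity, periodic change and no reuse.

Added example for this page, not code from the ProMonsterMedia plan.
Thresholds below are assumed values, not taken from the page."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 12                 # assumed minimum length
MAX_AGE = timedelta(days=90)    # assumed rotation period
HISTORY_DEPTH = 5               # assumed number of old hashes remembered
PBKDF2_ROUNDS = 100_000         # work factor for the stored hash


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so the history check cannot leak timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def complexity_problems(password):
    """'Good password' rule: minimum length plus at least three character classes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes")
    return problems


class Account:
    def __init__(self, username, password, today):
        self.username = username
        self.history = []        # (salt, digest) pairs, newest last
        self.changed_on = None
        problems = self.change_password(password, today)
        if problems:
            raise ValueError(f"initial password rejected: {problems}")

    def is_expired(self, today):
        """Periodic change: a password at or past MAX_AGE must be rotated."""
        return today - self.changed_on >= MAX_AGE

    def change_password(self, new_password, today):
        """Apply the policy; returns [] on success or the list of violations."""
        problems = complexity_problems(new_password)
        # Reuse check against the remembered hashes only (never against plaintext).
        if any(verify_password(new_password, s, d) for s, d in self.history[-HISTORY_DEPTH:]):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.history.append(hash_password(new_password))
        self.changed_on = today
        return []


def run_demo():
    """Constructed scenario: one account exercised against each rule."""
    start = date(2007, 10, 30)   # fixed clock so the run is repeatable
    acct = Account("alice", "Correct-Horse-42", start)
    results = {
        "weak_rejected": acct.change_password("password", start),
        "reuse_rejected": acct.change_password("Correct-Horse-42", start),
        "expired_after_90d": acct.is_expired(start + timedelta(days=90)),
        "not_expired_at_30d": acct.is_expired(start + timedelta(days=30)),
        "rotation_ok": acct.change_password("Battery-Staple-77", start + timedelta(days=90)),
        "reuse_after_rotation": acct.change_password("Correct-Horse-42", start + timedelta(days=91)),
    }
    return acct, results


if __name__ == "__main__":
    account, outcome = run_demo()
    for rule, result in outcome.items():
        print(f"{rule:22s} -> {result}")
```

The reuse check is done against the stored hashes, which is why the history must keep the per-entry salt; a policy that "remembers" old passwords in plaintext to compare them defeats the purpose of hashing in the first place.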
    • Auditing
      - Audit trails; purpose of the audit mechanism; aspects of effective auditing
      - Risk assessment: periodically assess risks; threat, vulnerability and asset identification
      - Disaster and recovery
    • System milestones: the development process will start at the beginning of the project and will be an ongoing process.
      - Estimated number of hours to complete Appendix F: 10 hours
      - Estimated number of pages: 17
      - 5 IT personnel x $35/hr = $175; $175 x 17 pages x 10 hrs/page = $29,750 total cost for Appendix F
    • Information System Security Policy
    • Purpose of the Information System Security Policy; target information system
    • Policy content: identify roles and responsibilities; access control and external access; user characteristics; sensitivity of processed data; tasks and estimates
    • The policy informs all users of the goals and constraints of using the system; explains how the security program is structured; provides scope and direction for all security activities within the organization; recognizes the system's sensitive assets.
    • Characteristics of a well-developed security policy: coverage; durability; realism; usefulness; compliance with applicable laws and regulations
    • System description
      - System: distributed database
      - Capabilities: stores and distributes information to employees and clients; queried by telecommuting employees and clients
      - Sensitive data processed: malpractice lawsuits; disciplinary actions
    • Roles and responsibilities: Designated Approving Authority (DAA); Information System Security Officer (ISSO); user representatives; Database Administrator
      Access control and external access: auditing; public key infrastructure and e-mail; Internet security; virus definition updates
    • User characteristics and sensitivity of processed data: data classification; discretionary access control; data markings; password management; printed data
    • Tasks: 1st, draft of document; 2nd, release of document; 3rd, baseline document, if approved
    • Estimate based on NWA 50193/0002 for completion of 100 pages:
      - 8 man-hours per page at 1 FTE = 105 USD per page
      - 100 pages x 105 USD = 10,500 USD
      - Estimate for this document: 10 pages x 8 hrs = 80 hours; 80 hr x 105 USD = 8,400 USD
      - FTE (full-time engineer, $13.13/hr); USD (United States dollars)
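The policy above names discretionary access control and data markings for a distributed database queried by employees and clients, and the security requirements earlier list audit trails; the three only work together when a single reference monitor consults the marking before the ACL and records every decision, allowed or denied. The block below is an added example written for this page, not code from the ProMonsterMedia plan; the three-level label set, the subjects, the two tables and the sample requests are constructed for the demonstration.

```python
"""Toy reference monitor: discretionary access control (DAC) gated by
classification markings, with every decision written to an audit trail.

Added example for this page, not code from the ProMonsterMedia plan.
Labels, subjects, objects and requests below are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    """Ordered data markings; a subject needs clearance >= label to touch an object."""
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2   # e.g. malpractice-lawsuit or disciplinary-action records


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class DbObject:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)   # DAC list: subject name -> set of ops


class ReferenceMonitor:
    def __init__(self):
        self.audit_trail = []   # append-only; ALLOW and DENY are both recorded

    def _decide(self, subject, op, obj, decision, reason):
        self.audit_trail.append({"subject": subject, "op": op, "object": obj,
                                 "decision": decision, "reason": reason})
        return decision == "ALLOW"

    def grant(self, grantor, obj, grantee, ops):
        """DAC rule: only the object's owner may hand out rights on it."""
        if grantor.name != obj.owner:
            return self._decide(grantor.name, "grant", obj.name, "DENY", "not owner")
        obj.acl.setdefault(grantee, set()).update(ops)
        return self._decide(grantor.name, "grant", obj.name, "ALLOW",
                            f"{grantee} += {sorted(ops)}")

    def revoke(self, grantor, obj, grantee):
        if grantor.name != obj.owner:
            return self._decide(grantor.name, "revoke", obj.name, "DENY", "not owner")
        obj.acl.pop(grantee, None)
        return self._decide(grantor.name, "revoke", obj.name, "ALLOW", f"{grantee} cleared")

    def access(self, subject, obj, op):
        """Marking check first, then the discretionary ACL; owners always pass the ACL."""
        if subject.clearance < obj.label:
            return self._decide(subject.name, op, obj.name, "DENY", "clearance below marking")
        if subject.name == obj.owner or op in obj.acl.get(subject.name, set()):
            return self._decide(subject.name, op, obj.name, "ALLOW", "owner or ACL")
        return self._decide(subject.name, op, obj.name, "DENY", "no ACL entry")

    def denied(self):
        """The audit view an ISSO reviews: who was refused, on what, and why."""
        return [e for e in self.audit_trail if e["decision"] == "DENY"]


def run_demo():
    """Constructed scenario from the system description: a DBA owning two
    tables, a telecommuting employee and an external client."""
    rm = ReferenceMonitor()
    dba = Subject("dba", Label.SENSITIVE)
    alice = Subject("alice", Label.INTERNAL)     # telecommuting employee
    client = Subject("client42", Label.PUBLIC)   # external client
    cases = DbObject("malpractice_cases", "dba", Label.SENSITIVE)
    schedule = DbObject("schedule", "dba", Label.INTERNAL)
    results = {
        # the DAC grant succeeds, but the marking still blocks the read
        "grant_cases": rm.grant(dba, cases, "alice", {"read"}),
        "alice_reads_cases": rm.access(alice, cases, "read"),
        # cleared for the marking and on the ACL: allowed
        "grant_schedule": rm.grant(dba, schedule, "alice", {"read"}),
        "alice_reads_schedule": rm.access(alice, schedule, "read"),
        # on the ACL for read only
        "alice_writes_schedule": rm.access(alice, schedule, "write"),
        # a non-owner cannot grant rights, to itself or anyone else
        "client_self_grant": rm.grant(client, schedule, "client42", {"read"}),
        "client_reads_schedule": rm.access(client, schedule, "read"),
        # revocation removes the ACL entry
        "revoke": rm.revoke(dba, schedule, "alice"),
        "alice_reads_after_revoke": rm.access(alice, schedule, "read"),
    }
    return rm, results


if __name__ == "__main__":
    monitor, outcome = run_demo()
    for request, allowed in outcome.items():
        print(f"{request:26s} {'ALLOW' if allowed else 'DENY'}")
    print("denied events:", len(monitor.denied()))
```

The ordering inside `access` is the point: an owner's discretionary grant can never widen access past the data marking, and because denials are logged with their reason, the audit trail shows an employee being granted rights on a sensitive table and then being refused, which is exactly the kind of event a periodic audit review is meant to surface.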
    • "What do we do when we cannot use our facility?" "What can we do now to better prepare our business unit to respond when our facility is unavailable?"
    • The best way to prepare for a disaster is to avoid the disaster. Therefore, look for any potential problems you can find and correct them.
      - Observe physical security procedures in your facility, and encourage increased security when appropriate.
      - Observe information security procedures regarding computers in your facility, and encourage increased security when appropriate.
      - Consider encouraging security-training sessions where appropriate.
    • To maintain an acceptable level of residual risk throughout the lifecycle
    • IT system contingency plans must be tested annually: table-top exercise; functional exercise
    • Public Law 107-347, also known as the Federal Information Security Management Act of 2002 (FISMA), requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems.
    • Contingency planning is the task that develops a plan for emergency response, backup operations, and post-disaster recovery.
    • The contingency plan evaluation task analyzes the contingency, back-up, and continuity of service plans to ensure the plans are consistent with the requirements identified in the SSAA (System Security Authorization Agreement).
    • The team plan has been developed by the ProMonsterMedia IT Working Group. Team leaders are responsible for part of the plan development process.
    • The form is used to chart the progress in developing your business resumption plan. Each plan segment/module is listed with its development responsibility.
    • This certification task ensures that change control and configuration management practices are, or will be, in place and are sufficient to preserve the integrity of the security-relevant software and hardware.
    • Inspections of operational sites to ensure their compliance with the physical security, procedural security, TEMPEST, and COMSEC requirements.
    • Review configuration and security management
      - Follow the change management documented in the SSAA
      - Determine if system security management continues to support the mission and architecture
      - Conduct a risk management review: assess whether risk to CIAA is being maintained at an acceptable level
      - Conduct compliance validation if needed: ensure continued compliance with SSAA regulations, the current threat assessment, and the concept of operations
      - Maintain the SSAA
    • 1. Definition; 2. The Target Audience; 3. Rationale and Purpose; 4. System Milestones; 5. Content Development; 6. Estimates; 7. References; 8. Appendices
    • Definition
    • What is a Security Education, Training and Awareness [SETA] plan? Michael Whitman (2006) stated that a SETA plan is a "Program designed to provide direct, applied measures to influence employee behavior, increase employee abilities and enable the organization to hold employees accountable for their actions" (p. 22). Now, why is educating, training and raising the awareness of people so important for protecting and securing critical or sensitive information?
    • The Target Audience
    • The Weakest Link: the point of failure in any security program. Security is everyone's responsibility! According to Wilson & Hash (2003), the key factor in providing security is not the technology or the state-of-the-art efforts to protect and secure the Information Systems [IS]. To provide adequate information security, the people factor is the key factor, because people are the system's weakest link (p. 1). SEC_RITY is not complete without U!
    • Database Security SETA Program Rationale. All people using or administering the Database Management System and Information Systems must:
      - Understand ProMonsterMedia's mission and their roles and responsibilities
      - Follow ProMonsterMedia's Information System Security Policy, regulations and practices
      - Be trained in and/or aware of the risks, threats and the methods of control implemented to protect and secure the Information System's critical assets and resources (Wilson & Hash, October 2003)
    • The Rationale and Purpose
    • "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." "Problems cannot be solved at the same level of awareness that created them." (Whitman, 2006, p. 30)
    • Best practices and guides, legal components, official sources and documentation: 1. ISO 17799; 2. COBIT 4.0; 3. HIPAA (Privacy & Security Rules); 4. GLB-A; 5. PCI Data Security Standard; 6. OMB Circular A-130; 7. FISMA, Public Law 107-347; 8. NIST SP 800-16; 9. NIST SP 800-50; 10. Section 508 of the Rehabilitation Act (Addison, 2007)
    • Purpose: 1. By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems; 2. By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely; 3. By improving awareness of the need to protect system resources (NIST, 1995).
    • The System Milestones
    • 1. Program Strategy and Planning; 2. Design and Development; 3. Delivery, Administration and Post-implementation
    • These are the phases of the life cycle development process for SETA described by Wilson and Hash (2003) in NIST SP 800-50: 1. Awareness and Training Program Design (Section 3); 2. Awareness and Training Material Development (Section 4); 3. Program Implementation (Section 5); 4. Post-Implementation (Section 6)
    • Specific Content Development
    • Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Acquisition/Development/Installation/Implementation Controls; Operational Controls; Awareness, Training, and Education Controls; Technical Controls (Wilson, de Zafra, Tressler, & Ippolito, April 1998)
    • Three models: 1. Centralized; 2. Partially Decentralized; 3. Fully Decentralized (Wilson & Hash, 2003). Figure 2: Model 1, Centralized Program Management (Wilson & Hash, 2003, p. 23, figure 3-1)
    • NIST SP 800-16 states: "Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response." (Wilson, de Zafra, Tressler et al., 1998) Wilson & Hash (2003) indicated that "Training strives to produce relevant and needed security skills and competencies." (p. 9) "Awareness is not training or education, is bringing the attention on the importance of Security Issues." (Wilson, de Zafra, Tressler et al., 1998) Figure 2 depicts the continuum (Wilson & Hash, 2003, p. 18, figure 2-1).
    • Figure 3 Need assessment (Wilson & Hash, 2003, p. 29, figure 3-5 ).
    • NIST SP 800-50 (2003) provides the following questions (p. 29):
      - What awareness, training, and/or education are needed (i.e., what is required)?
      - What is currently being done to meet these needs?
      - What is the current status regarding how these needs are being addressed (i.e., how well are current efforts working)?
      - Where are the gaps between the needs and what is being done (i.e., what more needs to be done)?
      - Which needs are most critical?
      Figure 4 shows the required level of training versus the current level of effort (Wilson & Hash, 2003, p. 30, figure 3-7).
    • Did our team complete a needs assessment? Did our team develop an overall strategy? Did our team complete an awareness and training program for implementing the strategy previously developed? Did the security team finally develop the awareness and training material? Figure 5: Key Steps Leading to Program Implementation (Wilson & Hash, 2003, p. 42, figure 5-1)
    • Figure 6 The Post-implementation (Wilson & Hash, 2003, p. 46, figure 6-1 )
    • Figure 7 Evaluation and Feedback Methodology (Wilson & Hash, 2003, p. 48, figure 6-2 )
    • Estimates
    • Government security classification cost estimate, fiscal year 2005 (ISOO, 2005):
      - Total = $7.7 billion
      - Personnel Security = $1.15 billion
      - Physical Security = $1 billion
      - Information Security = $4 billion
      - Information Technology = $3.6 billion
      - Classification Management = $310 million
      - Declassification = $57 million
      - Professional Education and Training = $219 million
      - Security Management and Planning = $1.2 billion
      - Unique = $6.6 million
    • Estimated SETA team hours and pages per phase (total 60 hours, 180 pages):
      Phase                                                 Hours   Pages
      1st: Strategic Planning                                   5      50
      2nd: Program Design and Development                      30      50
      3rd: Delivery, Administration & Post-Implementation      25      80
      Total                                                    60     180
    • Estimate based on completion of 180 pages:
      - 1 SETA Security Team hour = $250.00 US dollars [USD]
      - Estimated total pages = 180
      - Estimated total SETA Security Team hours = 60
      - Appendix "O" SETA plan cost: 60 SETA Security Team hours x $250.00 per hour = $15,000.00 USD
      - Other expenses and misc. = $5,000.00 USD
      - ESTIMATED TOTAL COST = $20,000.00
    • Thank you for your attention, and just as a reminder: security is about "us", not only about you. We are all in it. Do you have any questions?
    • SETA Appendices
    • 2007 LandWarNet Conference. (2007, Aug 21). Notes.
    • Addison, S. (2007, July 3). Best Practices for Security Awareness Training. Security-awareness.com. Retrieved October 24, 2007, from http://security-awareness-training.com/2007/07/23/best-practices-for-security-awareness-training/
    • Bowen, P., Hash, J. & Wilson, M. (2006). Information Security Handbook. Retrieved October 26, 2007, from http://www.nist.gov
    • Brackin, C. (2003). Vulnerability Management: Tools, Challenges, & Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room
    • Business Resumption Development Guide. (2006, May 5). Buckley King LPA.
    • Canavan, S. & Diver, S. (2007). Information Security Policy: A Development Guide for Large & Small Companies. Retrieved October 26, 2007, from http://www.sans.org/reading room
    • Department of Defense [DoD]. (2000, July 31). Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual, DoD 8510.1-M. Retrieved October 24, 2007, from http://www.dtic.mil/whs/directives/corres/pdf/851001m.pdf
    • Department of Defense. (1997, Dec 30). Information Assurance. Retrieved October 28, 2007, from http://iase.disa.mil/ditscap/DitscapFrame.html
    • DIACAP and the GIG IA Architecture. (2005, March). Retrieved October 27, 2007, from http://www.afei.org/documents/DIACAPandtheGIGCCRTS_371.pdf
    • DISA. (2007, June 21). Enclave Security Technical Implementation Guide, Version 4, Release 1. DISA Field Security Operations, developed by DISA for the DoD. Retrieved October 28, 2007, from http://iase.disa.mil/stigs/stig/enclave-stig-v4r1.pdf
    • DoD 5200.28-STD. (1985, December 26). Trusted Computer System Evaluation Criteria.
    • Security Functionality Requirements. (1992, January 28). Minimum Security Functionality Requirements for Multi-User Operating Systems. Retrieved October 15, 2007, from http://security.isu.edu/pdf/secfunreq.pdf
    • Foix, R. (2004, October 4). Expanding responsibility for incident response. Computerworld, 38(40), 28. Retrieved October 27, 2007, from Computer Source database.
    • G. (2002). Implementing an Effective IT Security Program. Retrieved October 27, 2007, from http://www.sans.org/reading room
    • GadAllah, S. (2003). The Importance of Logging & Traffic Monitoring for Information Security. Retrieved October 27, 2007, from http://www.sans.org/reading room
    • Iase.disa.mil. Information Assurance Support Environment Profile. Retrieved October 26, 2007, from http://iase.disa.mil/
    • Information Security Oversight Office [ISOO]. (2005). Report on Cost Estimates for Security Classification Activities: Background and Methodology. Retrieved October 28, 2007, from http://www.archives.gov/isoo/reports/2005-cost-report.html
    • Kyle, S. (2003). Biometrics: An In Depth Examination. Retrieved October 27, 2007, from http://www.sans.org/reading room
    • Maiwald, E. (2002). Security Planning and Disaster Recovery. Blacklick, OH: McGraw-Hill Professional.
    • National Computer Security Center (NCSC). (1987). A Guide to Understanding Audit in Trusted Systems. Retrieved October 27, 2007, from http://csrc.ncsl.nist.gov/publications/secpubs/rainbow/tg001.txt
    • Panko, R. (2004). Corporate Computer and Network Security. Upper Saddle River, NJ: Pearson Education Inc.
    • Pfleeger, C. P. & Pfleeger, S. L. (2003). Security in Computing (3rd ed.). Upper Saddle River, NJ: Pearson Education Inc. / Prentice Hall.
    • Pratt, M. (2007, May 16). Five tips for building an incident response plan. Computerworld. Retrieved October 27, 2007, from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019558&pageNumber=1
    • Ross, R. (2004). Guide for the Security Certification and Accreditation of Federal Information Systems. Maryland: Diana Publishing Company.
    • Setty, H. (2001). System Administrator: Security Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room
    • Thompson, D. (2005). Implementing a Secure Wireless Network for a Windows Environment. Retrieved October 27, 2007, from http://www.sans.org/reading room
    • Whitman, M. E. (2006). Assuring the Integrity of Financial Information Systems: Awareness and Responsibility of Employees and Business Partners. Center for Information Security Education, Kennesaw State University. Retrieved October 24, 2007, from http://www3.uakron.edu/cba/cretisa/2006/whitman_infosec.pdf
    • Wilson, M., & Hash, J. (2003, October). Building an Information Technology Security Awareness and Training Program. NIST Special Publication 800-50. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8933.
    • Wilson, M., & Hash, J. (2003, October). Information Technology Security Awareness, Training, Education, and Certification. ITL Bulletin, Computer Security Division, Information Technology Laboratory, NIST. Retrieved October 23, 2007, from http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm
    • Wilson, M., de Zafra, D. E., Tressler, J. D., & Ippolito, J. B. (1998, April). Information Technology Security Training Requirements: A Role- and Performance-Based Model. NIST Special Publication 800-16 (supersedes Special Publication 500-172). U.S. Department of Commerce, Technology Administration, National Institute of Standards and Technology, Gaithersburg, MD 20899-0001. Retrieved October 24, 2007, from http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf
    • www.dtic.mil. (n.d.). Retrieved October 22, 2007, from http://www.dtic.mil/whs/directives/corres/text/p85101m.txt