FISMA NextGen - Continuous Monitoring, Near Real-Time Risk Management

Near Real-Time Risk Management
Continuous Monitoring, Configuration Managementand SCAP
ACT/IAC Information Security and Privacy SIG
501 School Street SW
Suite 800
Washington, DC 20024
202-567-2777
www.tantustech.com
Daniel Philpott, CISSP, CAP
Federal Information Security Architect
Tantus Technologies
March 22, 2010

Continuous Monitoring
“The objective of the continuous monitoring program is to determine if the set of deployed security controls continue to be effective over time in light of the inevitable changes that occur.”
- NIST SP 800-37 Revision 1, Appendix G
“Continuous monitoring of security controls using automated support tools facilitates near real-time risk management …”
- NIST SP 800-37 Revision 1, Appendix G
2

Monitoring: High Level Overview
Strategy
Organizations, information system owners and common control providers should develop a strategy to plan how continuous monitoring can effectively be established in their environment to support near real-time risk management.
Program Functions
Track changes to the system and its environment of operation;
Conduct security impact analyses;
Take remediation actions;
Reassess security controls;
Record and report the security status of the system; and
Determine risk and decide whether the risk is acceptable.
3

Monitoring: What?
What do we monitor?
Primary Focus: Security Controls
Hardware
Software
Firmware
Secondary Focus: Operational Environment
Threat space/environment
Mission and business
Policy and law
Changes
4

Monitoring: Which?
Which Security Controls do we monitor?
Decisions belong to Information System Owner and Common Control Providers
Authorizing Official or AODR approves decisions
How Many Security Controls
Consider the categorization of the system and importance to organizational mission
Consider recent risk assessments and threat environment
Selecting Security Controls
Volatility – How often will the control change?
Effectiveness – Does the control have a known weakness?
Impact – How important is the control in relation to threats?
5

Monitoring: How?
How do we monitor?
Methods of monitoring vary by class of Security Control:
Technical Controls – Best monitored by automated mechanisms, configuration management and SCAP
Operational Controls – Interviews with knowledgeable staff
Management Controls – Reviews of pertinent documentation and interviews with knowledgeable staff
Automation can be applied anywhere:
Create automated mechanisms to monitor for document changes
Configuration Management processes offer a rich source of operational and management change information
6

Monitoring: Configuration Management
What is Configuration Management?
A collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.
How does it work with Continuous Monitoring?
Anticipated changes to security controls are tracked by it
Assessment of anticipated control changes occur within it
Remediation of control weaknesses are enacted through it
Records of control changes are maintained in it
NIST SP 800-128 Guide for Security Configuration Management of Information Systems (Draft)
7

Monitoring: SCAP
Security Content Automation Protocol (SCAP)
Six specifications and associated content which enable:
Documentation of configuration standards for software and operating systems
Validation of software and operating system configurations against the standard
Scanning for vulnerabilities and patch levels
Discovery of known insecure configuration settings
Asset management
Best known use: Federal Desktop Core Configuration
NIST SP 800-126 Technical Specification for the Security Content Automation Protocol (SCAP) v1.0
8

Resources
NIST SP 800-37 Revision 1:
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
NIST SP 800-128 (Configuration Management Draft):
http://csrc.nist.gov/publications/drafts/800-128/draft_sp800-128-ipd.pdf
NIST SP 800-126 (SCAP):
http://csrc.nist.gov/publications/nistpubs/800-126/sp800-126.pdf
9

10
Contacts
Buck Keswani
Chief Executive Officer
Tel 202-567-2720
Cell 703-582-7664
bkeswani@tantustech.com

Peter Rath
Information Assurance Program Director
Cell 703 624-2796
prath@tantustech.com
Daniel Philpott
Federal Information Security Architect
Cell 301-825-5722
dphilpott@tantustech.com
www.tantustech.com

http://securityorb.com	18
http://www.slideshare.net	15
https://mymasonportal.gmu.edu	1

FISMA NextGen - Continuous Monitoring, Near Real-Time Risk Management

by danphilpott on Apr 05, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 34

Statistics

FISMA NextGen - Continuous Monitoring, Near Real-Time Risk Management — Presentation Transcript