Security Event Management and the Cost of Compliance - Presentation Transcript
Presenter: DALE B. NORTH, CISSP, Chief & Program Manager, Information Assurance, Office of the CIO (OCIO), National Geospatial-Intelligence Agency (NGA). W: 703-735-2404 C: 301-346-1285 [email_address]. 20 June 2006.

Traditional Technology Spaces
Security Event Management: IDS, Firewalls, Anti-Virus, Scanners, SIM. Separation from operations required for credible assurance processes.
Network Management: HPOV, Sun Net Manager, Tivoli, DNS. Normally respected and recognized operations area.
Administration/Asset Management: SMS, WIN 2003, Scripts. Admin function where the user accesses critical resources.
Overlapping or Merged Areas: operational issues arise.
Types of Risk faced by each area: Security, Organizational, Financial.
Where the three areas intersect (diagram axes: Complication, Value): multiple intersecting corporate functions; greatest value; most complicated; conflict most likely exists.
Traditional Technology Spaces (continued)
Security Event Management, Network Management, Administration/Asset Management.
Types of Risks:
  Financial – programmatic
  Security – physical & information
  Organizational
Separation of operations required for credible assurance processes. Admin function where the user accesses critical resources. Normally respected and recognized operations area.
Diagram labels: CIAD, CI, IDS, VAT, ISS, PKI, TSO, AV, PD, COMSEC, SMS, EMO, OLAs.
Diagram labels: National Protection Strategy; Verification; Certification & Accreditation; Availability, Integrity, Confidentiality; Defense in Depth; Protection; Verified Connections; Investigation; SEM Event.
Overlapping area:
  Multiple intersecting corporate functions
  Greatest value
  Most complicated
  Conflict most likely exists
Organizational units shown: IAS Contract; COMSEC (CSIK); Security & Installations (SI); ISP Core Services (ES).
Costs of Information System Security Practices / Lifecycle
Chart: RISK (vertical axis) against TIME (horizontal axis); cost and risk grow at each later stage ($ RISK, $ RISK, $ RISK). Columns: Activity, Outcome. Costs & Categories.
Time invested: Days 1 - 10 early in the lifecycle; Months 43 (ideally) later. Meetings, POA&Ms, Reporting = More $$$$$.
SDLC (if not addressed here...):
  Activity: CS, Technical Service Office (TSO), E & A Engineers, IT/IS Contractors/Subs, Offices.
  Products/Actions (internal & external): SSAAs, CONOPs, Test Results, Engineering Orders, Infrastructure Requests, Customer Requests.
  Outcome: Properly Configured = Secure System; Improperly Configured System = Not Secure.
C&A (addressed here with delays? if not here...):
  Activity: CS, DAA, IAOs, IAMs, CA/CEs, VAT, SI – CIAD (Security Violations).
Assessments (addressed here with internal/external reporting?):
  Activity: CS – CSR Assessments; DoD/DISA & AFWIC; IC/DNI & NSA; CIOs, DoD & IC; COCOMs – Denying Connections; SI – CIAD (Security Violations).
Outcomes as time passes: Internal Audits; ECV / LW07 Findings; Disconnects; Memorandums to communities/CIOs/DAAs; Mission Impact to Agency; Exploited System / Bad Press.