Building A Modern Security Policy For Social Media and Government

Building a Modern Security Policy for Social Media
Page 1

Who is Michael Smith?
8 years active duty army
Graduate of Russian basic course, Defense Language Institute, Monterey, CA
DotCom survivor
Infantryman, deployed to Afghanistan (2004)
CISSP #50247 (2003), ISSEP (2005)
Former CISO, Unisys Federal Service Delivery Center
Currently a Manager in a Big Four Firm

Who is Dan Philpott?
Lifelong technologist ocused on FISMA, cybersecurity, risk management, cloud computing, and social Media
CISSP (2007), CAP (2007)
Federal Information Security Architect for Tantus Technology
Founder of FISMApedia.org and FISMA arts

Goals
Understand the tradeoff between Security, Transparency, and Engagement
Provide an understanding of the frameworks social media policy must inhabit
Describe models of social media policy
Detail security goals and controls social media policy should address or include
Page 4

A Quick Poll
Page 5
Are you using service provider hosting?
Are you using Government-owned hosting?
Do you don’t know how/where you’re being hosted?
Have you ever ignored the IT Security Staff because they just “get in the way”?

Not a Real CISO But It Could Be
Page 6
“I’ve spent my entire 30-year career keeping information from getting into the public domain and keeping your desktop safe from all the malware on social media sites. Now you want to take everything and put it there intentionally?”
The problem for social media practitioners is based on the nature of our security culture.

NIST Risk Management Framework
Page 7

Defining the Problem Space: SDLC
Initiation to O&M is a minimum of 120 days with 6 months being typical. How does this fit into your plans for social media?
Page 8

Understanding Your Objectives
Page 9
Tone: Official v/s comfortable
Hosting: CO-CO v/s GO-GO
Security: Enabler v/s Roadblock
Simplicity: Engagement v/s “Shiny Objects”
Be willing to negotiate with the security staff

Four-Quadrant Government Social Software Framework1
Page 10
Internal
More Guidance Exists
Sharing
Direction
Less Guidance Exists
External
Interaction
Level
Group
Individual
1 Social Software and National Security: An Initial Net Assessment, M. Drapeauand L. Wells via Federal CIO Council Guidelines for the Use of Social Media

Threat Landscape
Government to Government:
Internal social media services within or between agencies
Government (internally hosted) to Public:
Social media services on government sites
Government (externally hosted) to Public:
External social media services used by the government
Government users in public:
Social media services used by government users
Page 11

Getting to a Good SocMed Policy
Engage early, engage often
Policy should focus on risk, not technology
Social media technology changes constantly
Data protection requirement is constant
Consider the business case
Consider the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation
Make risk-based decisions goals
Page 12

Primary Resources
CIO Council
Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0
http://www.cio.gov/library/library_category2.cfm?structure=Information%20Technology&category=IT%20Security%20/%20Privacy
GSA
Terms of Service Agreements with New Media Providers
http://www.usa.gov/webcontent/resources/tools/TOSagreements.shtml
NARA
Records Management Policy and Guidance
http://archives.gov/records-mgmt/policy/
Page 13

Primary Resources - FISMA
NIST SP 800-37 Rev. 1
DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
NIST SP 800-39
DRAFT Managing Risk from Information Systems: An Organizational Perspective
SP 800-53 Rev. 3
Recommended Security Controls for Federal Information Systems and Organizations
http://csrc.nist.gov/publications/PubsSPs.html
Page 14

Related Requirements
Communications Policy
508 Compliance Policy
Federal Records Management Policy
Page 15

Risk Management Hierarchy
Page 16
Risk Executive Function
(Oversight and Governance)
Risk Assessment Methodologies
Risk Mitigation Approaches
Risk Tolerance
Risk Monitoring Approaches
Linkage to ISO/IEC 27001
Risk Management Strategy
TIER 1
Organization
NIST
SP 800-39
TIER 2
Mission / Business Process
TIER 3
Information System

Page 17
Risk Management Strategy
TIER 1
Organization
NIST
SP 800-39
TIER 2
TIER 3
Information System
Mission / Business Processes
Information Flows
Information Categorization
Information Protection Strategy
Information Security Requirements
Linkage to Enterprise Architecture

Page 18
Linkage to SDLC
Information System Categorization
Selection of Security Controls
Security Control Allocation
and Implementation
Security Control Assessment
Risk Acceptance
Continuous Monitoring
TIER 1
Organization
NIST
SP 800-37
TIER 2
Risk Management Framework
TIER 3
Information System

Policy Controls
Social Media Communications Strategy
Acceptable Use Policies (AUP)
Content Filtering and Monitoring
Privacy and Security Support
Integration with NIST SP 800-39 and NIST SP 800-37 Risk Management
Page 19

Policy Controls – NIST Guidance
AC-20 Use of External Information Systems
AC-22 Publicly Accessible Content
IA-2 Identification and Authentication (Organizational Users)
IA-5 Authenticator Management
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (Non-Organizational Users)
Page 20

Policy Controls – NIST Guidance
IR-5 Incident Monitoring
IR-6 Incident Reporting
IR-7 Incident Response Assistance
IR-8 Incident Response Plan
PL-4 Rules of Behavior
PL-5 Privacy Impact Assessment
RA-1 Risk Assessment Policy and Procedures
SI-12 Information Output Handling and Retention
Page 21

Acquisition Controls
Strong Authentication
Social Media services security practice
Comment moderation and monitoring social media
Ensure federal security requirements are met by using dedicated resources from vendors
Modify user’s public profiles from .gov or .mil email addresses to provide stronger security
Page 22

Partner with social media services to:
Provide traceability to federal employee accounts
Improve communications between providers and Security Operations Centers (SOC)
Allow independent monitoring of social media service providers
Encourage use of validated and signed code
Ensure social media provider maintains appropriate configuration, patch and technology refresh levels
Page 23

Ensure an independent risk assessment
Records management in accordance with NARA record schedules, FOIA requests and e-discovery litigation holds
Ensure hosted federal content is accessible at any time and stored in editable and non-proprietary formats
Page 24

Acquisition Controls – NIST Guidance
SA-1 System and Services Acquisition Policy and Procedures
SA-2 Allocation of Resources
SA-3 Life Cycle Support
SA-4 Acquisitions
SA-5 Information System Documentation
SA-9 External Information System Services
Page 25

Acquisition Controls – GSA Guidance
Terms of Service Agreements
Social media services standard Terms of Service (TOS) Agreements present legal problems
Many services are free, making it hard to encourage services to negotiate new TOS
On behalf of the government, GSA has negotiated new TOS for many social media services
http://www.usa.gov/webcontent/resources/tools/TOSagreements.shtml
Page 26

Training Controls
Provide awareness, guidance and training on:
Information to that can be shared, can not be shared and with whom it can be shared
Social media policies and guidelines including AUP
Blurring of personal and professional life as appropriate
For Operations Security (OPSEC) on risks of social media
Federal employees self-identification on social media sites, depending on roles
Page 27

Training Controls
Provide awareness, guidance and training on:
Privacy Act requirements and restrictions
Specific social media threats before granting access to social media sites
Possible negative outcomes of information leakage, social media misuse and password reuse
Possible impact on security clearance
Page 28

Training Controls – NIST Guidance
AT-2 Security Awareness:
Add social media usage related awareness training
AT-3 Security Training:
Create specific role-based training for those with social media responsibility
AT-5 Contacts with Security Groups and Associations:
Establish contacts with security groups addressing web application and social media security
Page 29

Host Controls
Require use of a hardened Common Operating Environment (COE):
Federal Desktop Core Configuration (FDCC)
Security Content Automation Protocol (SCAP)
Encourage use of strong authentication for greater assurance of a user’s identity:
Two-factor authentication (e.g., HSPD-12 & PIN)
Page 30

Host Controls
Ensure strong change management, patch management, configuration management:
Includes applications and Operating Systems
Enforces strong logging
Reports to SOC
Desktop virtualization technologies:
Allows safer viewing of potentially malicious websites
Virtual sandbox protects base operating system
Page 31

Host Controls
Browser versioning:
Ensure use latest browsers which include additional security measures
Encourage use of signed code or white listing:
Provides higher level of assurance software comes from approved vendor or is approved software
Page 32

Host Controls – NIST Guidance
Audit and Accountability (AU) Family of controls, as applicable
AC-1 Access Control Policy and Procedures
AC-7 System Use Notification
CM-1 Configuration Management Policy and Procedures
CM-2 Baseline Configuration
CM-6 Configuration Settings
CM-7 Least Functionality
Page 33

Host Controls – NIST Guidance
SA-7 User-Installed Software
SI-1 System and Information Integrity Policy and Procedures
SI-2 Flaw Remediation
SI-3 Malicious Code Protection
SI-5 Security Alerts, Advisories, and Directives
Page 34

Network Controls
Federal Trusted Internet Connection (TIC) program protections:
Reduced number of internet connections
Einstein traffic inspection
Security Operations Center (SOC) and Network Operations Center (NOC):
Visibility and centralized control for incident response and risk reduction
These should all be provided to you as “infrastructure”
Page 35

Network Controls
Web content filtering:
Beyond Einstein protections
Granular control of web applications, data and protocols
Trust Zones dependent on security assurance requirements
DNSSEC to better ensure website name resolution integrity
Page 36

Network Controls
Focus on data-centric protection
URL Shortening:
http://go.usa.gov/
Page 37

Network Controls – NIST Guidance
SC-1 System and Communications Protection Policy and Procedures
SC-7 Boundary Protection
SC-13 Use of Cryptography
SC-14 Public Access Protections
SC-15 Collaborative Computing Devices
SC-20 Secure Name /Address Resolution Service (Authoritative Source)
Page 38

Questions, Comments, or War Stories?
http://www.potomacforum.org/
Michael Smith: rybolov(a)ryzhe.ath.cx
http://www.guerilla-ciso.com/
Dan Philpott: danphilpott(a)gmail.com
http://www.fismapedia.org/
39

http://www.guerilla-ciso.com	230
http://www.slideshare.net	16
http://translate.googleusercontent.com	2

Building A Modern Security Policy For Social Media and Government

by Michael Smith on Dec 09, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 248

Statistics

Building A Modern Security Policy For Social Media and Government — Presentation Transcript