Risk Analysis for Lunar and Martian Colonies

Created as a part of my Information Assurance Master's Degree coursework, the assignment is to document a system security authorization program for a fictitious U.S. government agency. I had fun here and created the "Office for Lunar and Martian Affairs" based on some creative rewriting of 20th century history.

This document is primarily based on the NIST Risk Management Framework found in SP 800-37.


Final Research Paper: Agency System Security Authorization Program
IA 500 – Seminar on Public Sector Security
Shawn Nicolen, 3/17/2015

Contents
• Agency Charter
• Overview
• Program Objectives
• The Risk Management Framework
• Information Categorization
  • Types of Information Systems
    • Notable Information Types
• Security Controls
  • Access Control (AC): AC-2 Account Management; AC-18 Wireless Access
  • Awareness and Training (AT): AT-2 Security Awareness
  • Audit and Accountability (AU): AU-2 Auditable Events; AU-13 Monitoring for Information Disclosure
  • Certification, Accreditation, and Security Assessments (CA): CA-5 Plan of Action and Milestones
  • Configuration Management (CM): CM-2 Baseline Configuration
  • Contingency Planning (CP): CP-2 Contingency Plan
  • Identification and Authentication (IA): IA-2 Identification and Authentication (Organizational Users)
  • Incident Response (IR): IR-2 Incident Response Training
  • Maintenance (MA): MA-6 Timely Maintenance
  • Media Protection (MP): MP-4 Media Storage
  • Physical and Environmental Protection (PE): PE-11 Emergency Power
  • Planning (PL): PL-2 System Security Plan
  • Personnel Security (PS): PS-3 Personnel Screening
  • Risk Assessment (RA): RA-2 Security Categorization; RA-3 Risk Assessment
  • System and Services Acquisition (SA): SA-2 Allocation of Resources
  • System and Communications Protection (SC): SC-9 Transmission Confidentiality
  • System and Information Integrity (SI): SI-4 Information System Monitoring
• Risk Assessment
  • Threat
  • Vulnerability
  • Impact
  • A Note on Measurement
• System Security Authorization
  • Plan of Action and Milestones
  • Security Authorization Package
  • Risk Determination
  • Risk Acceptance
• Information System Monitoring
  • Asset Management
  • Configuration Management
  • Event and Incident Management
  • Information Management
  • License Management
  • Malware Detection
  • Network Management
  • Software Assurance
  • Vulnerability and Patch Management
• References
Agency Charter

The Office for Lunar and Martian Affairs (OLMA) was founded in 1964 to address growing concerns surrounding colonial political tensions within the United States Lunar and Martian colonies established by Edwin Hubble and The Explorers Club in 1932. In addition to administrating the day to day operational and mission based objectives of these colonies, the agency was also charged with the separate but equally important task of keeping knowledge of the colonies a secret from the general public of planet Earth, per Executive Order 1111A issued by President Kennedy in his address to the Joint Chiefs of Staff on November 3, 1963 (OLMA, STIMU Document Library).

Overview

This document describes the policies governing information technology usage and security at OLMA in compliance with directions established by federal laws, policies, and regulations. In 1996 the Office of Management and Budget stated that federal agencies must provide "security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information" (OMB A-130, Page 5). This was further enforced by the Federal Information Security Management Act of 2002 (FISMA), which required federal agencies to "provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets" (FISMA, Section 3541). In compliance with these directives OLMA has adopted the standards for information security described in the following:

• Federal Information Processing Standards (FIPS) Publication 199: Standards for Security Categorization of Federal Information and Information Systems, and Publication 200: Minimum Security Requirements for Federal Information and Information Systems.
• The National Institute of Standards and Technology (NIST) Special Publication 800 series pertaining to computer security, especially those on the risk management framework (SP 800-37), information system categorization (SP 800-60), and security controls (SP 800-53).

It should be noted that the policies and practices in this document do not apply to systems designated as national security systems or information designated as classified as described in Executive Order 13526, Classified National Security Information, and its amendments. For guidance in identifying these national security systems please refer to NIST SP 800-59, Guideline for Identifying an Information System as a National Security System.

Program Objectives

The goal of the processes outlined in this document is to provide governance in efforts to secure the informational resources of the OLMA in accordance with federal directives and standards. This document derives its processes from those established by NIST in support of the Federal Information Security Management Act of 2002 (FISMA). FISMA charged NIST with the development of three key directives in support of information security which defined the scope of their efforts (FIPS 199, Page 1):

• The creation of standards for all federal agencies for categorization of all information and information systems used by those agencies, with the goal of providing adequate security based on risk exposure.
• Guidelines regarding the types of information and information systems in each of those categories.
• The minimum management, operational, and technical control requirements for securing information and information systems in each of those defined categories.
The Risk Management Framework

The Office for Lunar and Martian Affairs utilizes the Risk Management Framework described in NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems. These standards have been created to ensure that the management of risk as it relates to information and information systems is consistent with the mission and function of the agency. The six steps of this process are:

1. Categorize the information and information system.
2. Select a provisional set of baseline security controls based on the system categorization.
3. Implement the provisional security controls.
4. Assess the effectiveness of the provisional security controls.
5. Authorize the information system for use based on a determination of the risk present on that system.
6. Monitor the information system and its security controls continuously to assess their effectiveness. Changes made to the system are noted and evaluated for impact on the level of risk present on that system.

Information Categorization

Security categorization is a necessary step in integrating agency business and technology management with security, establishing the path to the standardization, measurement, and evaluation of security efforts (NIST SP 800-60, Page 4), and is the first step of the risk management framework outlined in SP 800-37. FIPS 199 provides standards for categorizing information and information systems based on the impact to the agency of events that jeopardize the accomplishment of its mission, assets, legal responsibilities, day to day functions, and people (FIPS 199, Page 1). These categories are used in assessing the risk to an information system alongside information about relevant threats and vulnerabilities as a part of a formal, standardized, and measurable risk assessment process.

FISMA section 3532 describes a three axis system for measuring information relevance to an information security program:

• Confidentiality, a measure of the desired level of disclosure of information.
• Integrity, a measure of the intactness, non-repudiation, and authenticity of information.
• Availability, the timeliness and reliability of access to information.

Per FIPS 199, the OLMA uses these three security objectives to measure the potential impact that the loss or compromise of information would have on the agency's assets, operations, mission, or people. A low impact is attributed to an event that causes a limited adverse effect, a moderate impact is due to an event with a serious adverse effect, and a high impact is described as severe or catastrophic: preventing the accomplishment of the agency's primary function.

The security category of an information system on which information of various levels of impact resides is based on the highest level of impact within each of those information types. FIPS 199 refers to this as the "high water mark" method (Page 4), being the "highest values from among those security categories that have been determined for each type of information resident on the information system." It is the role of the information system owner, with support of other officials such as the Information System Security Officer, to provide this categorization.

Types of Information Systems

NIST provides guidance in mapping types of information systems to recommended security categories in SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories, volumes I and II. This document provides a catalog of types of information systems which can be referred to in order to determine a provisional recommended security category for those systems. While these recommended security categories can be used in the initial absence of a formal impact analysis, every attempt should be taken to determine the actual security category for each information system under the responsibility of the OLMA.

Early colonists took steps to ensure the secrecy of their efforts and, for the most part, common terrestrial technologies were not in place to adequately detect their presence on these worlds until the mid-1950s, when some evidence of their activities was leaked to the general public but, fortunately, interpreted as science fiction. Pursuant to Executive Order 1111A of 1963 one of the OLMA's missions is to conceal the existence of the colonies from the general public until a time at which knowledge of their existence would no longer pose a risk of disruption to the societies and nations of Earth. Because of this some information of any type may be classified and, therefore, not subject to the policies and guidance within this document.

Notable Information Types

While the OLMA's charter extends to nearly all aspects of life on the Lunar and Martian colonies, some system functions and types of information may be of notable regard to the mission of the agency or have special considerations due to the unique nature of the OLMA's mission.

Energy Supply Information Type

This type of information is in regard to the generation, obtaining, use, distribution, and consumption of power. While the original Lunar and Martian colonists generated and governed the generation of their own energy supply, mainly via use of atomic reactors, these operations were later federalized under the authority of the OLMA in 1964. The provisional security category of systems in this function or containing this type of information is moderate. The provisional impact for each axis is:

• Confidentiality: Low
• Integrity: Moderate
• Availability: Moderate

Note that, due to the fact that the colonies rely, in part, on atomic energy, some information in this category is considered classified and national security related. That information is outside of the scope of this document. The above information regarding this information type was drawn from NIST SP 800-60 Vol 2, section D.7.1, on page 133. For more details about this type of information please refer to that document.

Environmental Monitoring and Forecasting Information Type

This type of information is in regard to the observation and prediction of environmental conditions, including air quality, water levels and quality, emissions, and weather. Conditions on Luna and Mars are quite different from Earth and as such sometimes require specialized techniques to measure or predict. In some cases environmental forecasting is critical to the continued existence of the colony, such as in the case of solar flares, Martian dust storms, and continuous monitoring of artificial environments. The provisional security category of systems in this function or containing this type of information is moderate according to default NIST guidance. The provisional impact for each axis is:

• Confidentiality: Low
• Integrity: Moderate
• Availability: Low (see note below)

In the case of information regarding off world systems OLMA recommends that the provisional impact along the availability axis be raised to high, due to the extreme nature and sudden changes in the environments of the off world colonies. In some cases changes in the environment can have a catastrophic effect resulting in the loss of human life and, therefore, it is critical that information about such potentially deadly environmental factors should always be immediately available to the off world colonists and support teams on Earth. The above information regarding this information type was drawn from NIST SP 800-60 Vol 2, section D.8.1, on page 139. For more details about this type of information please refer to that document.

Space Operations Information Type

This type of information describes and supports activities related to missions and people conducting aerospace based missions and operations. The mission of OLMA is directly related to space and space travel to and from off world colonies on Luna and Mars. Since the federalization of the colonies OLMA has taken steps to bring the security of information regarding space operations to these colonies within federally mandated guidelines. The provisional security category of systems in this function or containing this type of information is high according to default NIST guidance. The provisional impact for each axis is:

• Confidentiality: Low (see note below)
• Integrity: High
• Availability: High

OLMA recommends that the provisional confidentiality impact for space operations information, and therefore space operations related information systems, be moderate. While not all information regarding the off world colonies is classified, any information regarding space operations, especially regarding the Sagan Space Center (SSC) in Antarctica, is particularly telling and could lead to further unwanted inquiries that may compromise the secrecy of the OLMA's mission. The above information regarding this information type was drawn from NIST SP 800-60 Vol 2, section D.11.4, on page 158. For more details about this type of information please refer to that document.
Space Exploration and Innovation Information Type

Information regarding innovation and development of technologies and knowledge related to space, space based transportation, and the exploration of space. The OLMA is directly engaged to support off world Lunar and Martian colonists in their pursuit of further research and development of technologies in extra-terrestrial environments. While most research is conducted within planetary or moon based boundaries, it is still considered to fall within this information type due to the heavy level of interaction the off world colonists have with outer space and regions where there is little to no boundary between the surface and space, such as on the surface of Luna. The provisional security category of systems in this function or containing this type of information is moderate according to default NIST guidance. The provisional impact for each axis is:

• Confidentiality: Low (see below)
• Integrity: Moderate
• Availability: Low

OLMA recommends that the provisional confidentiality impact for space exploration and innovation should be moderate. The technologies researched on the off world colonies are, in some cases, extremely dangerous or unacceptable within the current social and cultural climate. Detailed knowledge of such research efforts could have a serious adverse effect on the mission of the OLMA. The above information regarding this information type was drawn from NIST SP 800-60 Vol 2, section D.12.2, on page 202. For more details about this type of information please refer to that document.

Civilian Operations Information Type

This information type describes the provisioning of non-military service by federal government employees. The personnel conducting efforts and research on the off world colonies are primarily civilian, with guidance, direction, and support from the OLMA, which is a military agency. Though not always the case, most support operations are conducted per direction of the OLMA while research and scientific efforts are directed by civilian operations.

Information about Civilian Operations is a vehicle by which the federal government provides services to the citizens of the off world colonies under the care of the OLMA. This information type is essentially a means of delivery for other mission-based services information and is subject to the provisional security category and impact levels described for each of those services in NIST SP 800-60 Revision 1, Volume 2.

Information Security Information Type

All functions regarding addressing the security needs of federal information systems fall under the information security information type. This includes but is not limited to creation of security policies, guidelines, procedures, and security controls regarding authentication, authorization, investigations, non-repudiation, and risk determination. While not of great concern in the past, the recent actions of native Martians regarding colonial separation have spurred the development and enforcement of IT security policies and procedures specific to the off world colonies under the OLMA's guidance. The provisional security category of systems in this function or containing this type of information is moderate according to default NIST guidance. The provisional impact for each axis is:

• Confidentiality: Low
• Integrity: Moderate
• Availability: Low

The above information regarding this information type was drawn from NIST SP 800-60 Vol 2, section C.3.5.5, on page 96. For more details about this type of information please refer to that document.

Security Controls

FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems establishes the minimum requirements for the security of federal information systems over seventeen different areas. The minimum requirements for these areas are met by implementing and exercising the security controls described in NIST SP 800-53 Revision 3: Recommended Security Controls for Federal Information Systems that are applicable within each of those areas.

Control selection is done in consideration of the security category of the information system and the determined level of impact of the information along the three axes of confidentiality, integrity, and availability. This is done by means of an established baseline set of controls which represents the minimum controls required to adequately secure the information system. These controls must also then be appropriately tailored, or modified for use on the information system according to its operational scope and functional purpose. As defined in FIPS 200, security control selection based on information system impact is done in the following manner:

• Low-impact information systems must, at minimum, use security controls from the low baseline set of controls.
• Moderate-impact information systems must, at minimum, use security controls from the moderate baseline set of controls.
• High-impact information systems must, at minimum, use security controls from the high baseline set of controls.

For each of the seventeen security areas that FIPS 200 has identified, NIST SP 800-53 lists, amongst other controls specific to each area, governance based controls that are both common to all areas and consistently within the highest priority grouping. While not explicitly mentioned as controls of note in the sections below, these "policy and procedure" controls are exercised for each of these security areas at the OLMA, as governance creates the foundation and authority upon which the implementation and exercise of other controls relies. More information on policy and procedure controls and their implementation for each of the seventeen security areas can be found in their respective sections of the Office for Lunar and Martian Affairs security policy documents (OLMA, STIMU Document Library).

While many different security controls may be deployed on the information systems of the OLMA, there are some of note within each category that may require special consideration or supplemental guidance based on the mission and operational requirements unique to this agency.

Access Control (AC)

The agency limits access to information systems such that only authorized users, their processes, or known devices can utilize the appropriate informational resources.

AC-2 Account Management

This control requires that the agency manage information system accounts by identifying account types, group memberships, and access privileges, managing the account lifecycle, reviewing accounts, and granting access based on valid authorization. Due to the nature of some of the systems that the OLMA manages, including life support and access to sensitive scientific information, it is imperative that accounts are managed, tracked, and provisioned appropriately. As off-world colonists rarely, if ever, return to Earth, the termination of their accounts is generally only done at the time of their retirement, death, or transfer to an unrelated system with its own separate account management system.

Control Reference: NIST SP 800-53 Revision 3, Page I-5
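The categorization and baseline selection described above, worked through in code as an added example that is not part of the original paper: it applies the FIPS 199 high water mark to the information types listed above, including the OLMA-recommended adjustments, and maps the result to the FIPS 200 baseline. The function names, the `off_world` flag and the sample systems are this example's own assumptions; the impact levels are the ones the paper quotes from NIST SP 800-60 Vol 2.

```python
"""FIPS 199 categorization of an OLMA information system (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable

# FIPS 199 impact levels, ordered so the high water mark is a plain max().
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Impact:
    confidentiality: str
    integrity: str
    availability: str


# Provisional impact levels from SP 800-60 Vol 2, as listed in the paper.
PROVISIONAL: Dict[str, Impact] = {
    "energy_supply": Impact("low", "moderate", "moderate"),        # D.7.1
    "environmental_monitoring": Impact("low", "moderate", "low"),  # D.8.1
    "space_operations": Impact("low", "high", "high"),             # D.11.4
    "space_exploration": Impact("low", "moderate", "low"),         # D.12.2
    "information_security": Impact("low", "moderate", "low"),      # C.3.5.5
}


def max_level(*levels: str) -> str:
    """Return the highest of the given impact levels."""
    return max(levels, key=LEVELS.__getitem__)


def olma_adjust(info_type: str, impact: Impact, off_world: bool) -> Impact:
    """Apply the OLMA-specific adjustments the paper recommends.

    Adjustments only ever raise a level; they never lower the NIST provisional
    value, so the system stays at or above the SP 800-60 recommendation.
    """
    c, i, a = impact.confidentiality, impact.integrity, impact.availability
    # Environmental data on off world systems: availability raised to high,
    # because sudden environmental change can cost lives.
    if info_type == "environmental_monitoring" and off_world:
        a = max_level(a, "high")
    # Space operations and space exploration: confidentiality raised to
    # moderate, because disclosure could compromise the secrecy of the mission.
    if info_type in ("space_operations", "space_exploration"):
        c = max_level(c, "moderate")
    return Impact(c, i, a)


def categorize_system(info_types: Iterable[str], off_world: bool) -> Impact:
    """FIPS 199 high water mark: per objective, the highest impact among all
    information types resident on the system (after OLMA adjustment)."""
    c = i = a = "low"
    for info_type in info_types:
        adjusted = olma_adjust(info_type, PROVISIONAL[info_type], off_world)
        c = max_level(c, adjusted.confidentiality)
        i = max_level(i, adjusted.integrity)
        a = max_level(a, adjusted.availability)
    return Impact(c, i, a)


def overall_category(sc: Impact) -> str:
    """Single impact level used to pick a baseline (FIPS 200): the highest of
    the three objectives."""
    return max_level(sc.confidentiality, sc.integrity, sc.availability)


def baseline_for(info_types: Iterable[str], off_world: bool) -> str:
    """Name of the SP 800-53 baseline the system must, at minimum, implement."""
    return overall_category(categorize_system(info_types, off_world))


def format_sc(name: str, sc: Impact) -> str:
    """Render in FIPS 199 notation, e.g.
    SC habitat = {(confidentiality, LOW), (integrity, MODERATE), (availability, HIGH)}"""
    return (f"SC {name} = {{(confidentiality, {sc.confidentiality.upper()}), "
            f"(integrity, {sc.integrity.upper()}), "
            f"(availability, {sc.availability.upper()})}}")


if __name__ == "__main__":
    # Constructed systems for illustration (not from the paper).
    habitat = categorize_system(
        ["energy_supply", "environmental_monitoring"], off_world=True)
    print(format_sc("lunar habitat control", habitat),
          "-> baseline:", overall_category(habitat))
    ssc = categorize_system(
        ["space_operations", "information_security"], off_world=False)
    print(format_sc("SSC flight ops", ssc), "-> baseline:", overall_category(ssc))
```

Note that the same two information types yield a moderate baseline on Earth but a high baseline off world, which is exactly the effect of the availability override above.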
AC-18 Wireless Access

Wireless access control creates guidance for the implementation of wireless communications systems, monitors those systems for unauthorized access, authorizes access, and enforces other requirements. While many wireless communications systems are used by the OLMA, it is important to note that the lack of a magnetosphere on Luna and Mars presents some technical hurdles not found in traditional long range wireless communications implementations, possibly allowing the range of the signals to be modified depending on the technology used, either further limiting the use of communications or resulting in the signals radiating beyond expected boundaries. In the latter case this may lead to a loss of confidentiality and care should be exercised.

Control Reference: NIST SP 800-53 Revision 3, Page I-6

Awareness and Training (AT)

The agency ensures that personnel are made aware of security risks, governance requirements, and applicable procedures while also being adequately trained to carry out their security related functions.

AT-2 Security Awareness

All new users are given basic security awareness training. Existing users are given supplemental training periodically or when conditions arise which warrant it. This training includes information about the need for security programs as well as actions they can take themselves in order to ensure or promote a secure environment. This can include techniques such as use of posters, communications and news articles, reminders on computer screens, and events designed to promote security awareness such as seminars or simulations. This control and the agency specific reasoning are related to control IR-2 Incident Response Training.

Control Reference: NIST SP 800-53 Revision 3, Page F-21

Audit and Accountability (AU)

The agency monitors and collects information system audit records sufficient for purposes of analysis and investigation of impactful security events.

AU-2 Auditable Events

Information systems must be capable of auditing a specified set of events defined by the agency. The OLMA places emphasis on auditing events associated with environmental controls that have the potential to either place a person into immediate danger, such as an airlock opening or closing, or place multiple people in great danger after a period of time, such as a leak in an atmospheric seal. The ability to track these events and gather information about them is paramount to the safety of the off world colonists under the OLMA's governance.

Control Reference: NIST SP 800-53 Revision 3, Page F-24

AU-13 Monitoring for Information Disclosure

The agency monitors available sources of information for evidence of unauthorized information leakage. Much of the work happening at the off world colonies under the OLMA's guidance is confidential and could pose a danger to the mission and function of the scientific colonies on Luna and Mars if exposed. Because of this OLMA has dictated, as one of its security functions, that open sources of information such as the internet or television be monitored for information which may reveal, or lead to the revelation of, the important work being done in the off world colonies.

Control Reference: NIST SP 800-53 Revision 3, Page F-31
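The AU-2 emphasis on environmental-control events, as an added example that is not part of the original paper: every airlock state change is recorded unconditionally (immediate danger), while a seal leak is reported once when a module's pressure declines monotonically over a sliding window (delayed danger), so a single noisy reading does not fire. The telemetry line format, field names, window length and threshold are assumptions of this example, and the sample log is constructed.

```python
"""Auditable event selection for OLMA environmental controls (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    ts: int       # habitat clock, seconds
    source: str   # e.g. "airlock-2" or "module-B"
    kind: str     # "airlock" or "pressure"
    value: str    # "open"/"closed", or pressure in kPa as text


def parse_line(line: str) -> Record:
    """Parse one 'ts source kind value' telemetry line (constructed format)."""
    ts, source, kind, value = line.split()
    return Record(int(ts), source, kind, value)


def audit_airlock(rec: Record) -> Optional[dict]:
    """Every airlock state change is auditable: it can put a person in
    immediate danger, so it is recorded unconditionally."""
    if rec.kind != "airlock" or rec.value not in ("open", "closed"):
        return None
    return {"ts": rec.ts, "source": rec.source,
            "event": f"airlock_{rec.value}", "severity": "immediate"}


class SealLeakDetector:
    """Flags a sustained pressure decline per module.

    A single low reading may be sensor noise, so an event is raised only when
    the readings inside the sliding window never increase and the total loss
    reaches `drop_kpa`. One event is raised per leak; the detector re-arms
    once the decline stops."""

    def __init__(self, window_s: int = 600, drop_kpa: float = 2.0):
        self.window_s = window_s
        self.drop_kpa = drop_kpa
        self.history: Dict[str, List[Tuple[int, float]]] = {}
        self.alerting: Set[str] = set()

    def observe(self, rec: Record) -> Optional[dict]:
        if rec.kind != "pressure":
            return None
        hist = self.history.get(rec.source, []) + [(rec.ts, float(rec.value))]
        cutoff = rec.ts - self.window_s
        hist = [h for h in hist if h[0] >= cutoff]    # keep only the window
        self.history[rec.source] = hist
        pressures = [p for _, p in hist]
        monotonic = all(b <= a for a, b in zip(pressures, pressures[1:]))
        drop = pressures[0] - pressures[-1]
        leaking = len(hist) >= 3 and monotonic and drop >= self.drop_kpa
        if not leaking:
            self.alerting.discard(rec.source)    # re-arm when decline stops
            return None
        if rec.source in self.alerting:
            return None                           # already reported this leak
        self.alerting.add(rec.source)
        return {"ts": rec.ts, "source": rec.source,
                "event": "seal_leak_suspected", "severity": "delayed",
                "drop_kpa": round(drop, 2), "over_s": hist[-1][0] - hist[0][0]}


def audit_events(lines: List[str],
                 detector: Optional[SealLeakDetector] = None) -> List[dict]:
    """Run the agency-defined auditable-event rules over telemetry lines."""
    detector = detector or SealLeakDetector()
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        for ev in (audit_airlock(rec), detector.observe(rec)):
            if ev is not None:
                events.append(ev)
    return events


# Constructed sample telemetry (not real data): one airlock cycle, then a
# slow pressure loss in module-B that crosses 2 kPa within ten minutes.
SAMPLE_LOG = [
    "1000 airlock-2 airlock open",
    "1030 module-B pressure 101.3",
    "1090 airlock-2 airlock closed",
    "1330 module-B pressure 101.1",
    "1630 module-B pressure 100.6",
    "1930 module-B pressure 99.0",
    "2230 module-B pressure 98.4",
]

if __name__ == "__main__":
    for ev in audit_events(SAMPLE_LOG):
        print(ev)
```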
Certification, Accreditation, and Security Assessments (CA)

The agency periodically assesses the security controls on its information systems to determine their level of effectiveness.

CA-5 Plan of Action and Milestones

When necessary the agency will develop a Plan of Action and Milestones (POA&M) document to track remediation efforts for weaknesses identified in its information systems, such as vulnerabilities or misconfigurations.

The POA&M document is an essential part of the system authorization process employed by the OLMA, which is in turn based on standards established by NIST SP 800-37 Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems. See Section 3.5, step 5.1 of the Risk Management Framework for more information.

Control Reference: NIST SP 800-53 Revision 3, Page F-35

Configuration Management (CM)

The agency establishes and enforces baseline controls and configurations for its information systems and maintains an inventory of those systems.

CM-2 Baseline Configuration

The agency creates, maintains, and documents a baseline configuration for information systems.

Standardization creates a baseline of measurement from which deviations can be detected and resolved. In a hostile environment where resources, even time, are scarce it is important to be able to find and remediate problems in information systems which may result in a compromise or delay of the mission of the OLMA.

Control Reference: NIST SP 800-53 Revision 3, Page F-38

Contingency Planning (CP)

The agency creates, maintains, and exercises plans for response to emergency situations, implementation of backup operations, and disaster recovery scenarios.

CP-2 Contingency Plan

Information systems that provide essential functions must have contingency plans that provide for recovery via recovery point objectives, recovery priorities, metrics, defined roles and responsibilities, contact information, and the ability to maintain essential functions despite disruption, and that lead towards full information system recovery.

As the OLMA operates in environments hostile to life, it is of essential importance that the colonies are able to continue in the event of an incident or disaster. The civilian colonists rely on the OLMA to provide safety and security so that their focus can be on the continuance of their important work.

Control Reference: NIST SP 800-53 Revision 3, Page F-47

Identification and Authentication (IA)

The agency identifies system devices, users, and their processes and verifies their identities before granting them access to agency information systems.

IA-2 Identification and Authentication (Organizational Users)

Information systems must have the ability to identify agency personnel.
The OLMA represents a unique partnership between the civilian colonists of Luna and Mars and the United States federal government. While the OLMA provides services to the colonists, they are expected, in turn, to work alongside the agency. In some cases it is important that an information system be able to respond or grant authorization differently to OLMA personnel than it would to a civilian colonist in order to properly maintain this partnership. This control and reasoning are also related directly to control IA-8 Identification and Authentication (Non-Organizational Users).

Control Reference: NIST SP 800-53 Revision 3, Page F-54

Incident Response (IR)

The agency creates a process which includes preparation, detection, analysis, containment, and recovery activities to respond to incidents which may have a negative impact on the organization. These incidents are monitored, documented, and reported to the appropriate agency personnel or authorities.

IR-2 Incident Response Training

As the resources of the off-world colonies are spread over the vast distances of space, the OLMA holds security awareness and the ability to respond to an incident as high priorities; each person must be responsible for the security of their environment and information systems to some degree, as rapid response may not be available due to either the distance between physical security resources or the time it takes for communications signals to pass between colonies on different astral bodies, depending on their current orbital positions. For example, a one-way signal between Luna and Mars takes roughly 3 to 22 minutes depending on where the two bodies are in their orbits, so even an acknowledgement of an alert can take the better part of an hour to arrive. Because of this a certain degree of self-reliance is necessary for all of the OLMA's personnel. This control and reasoning are related to control AT-2: Security Awareness.

Control Reference: NIST SP 800-53 Revision 3, Page F-61
Maintenance (MA)

The agency performs periodic maintenance on its information systems and provides oversight of the tools, practices, and people involved in those maintenance activities.

MA-6 Timely Maintenance

This control ensures that support or parts are available for information systems within a given time span of a failure.

As the OLMA oversees various environmental control systems essential to life on the off-world colonies, it is of high importance that maintenance is performed on a regular and timely basis. In general, systems which have a higher availability impact have a shorter response time and faster time to completion for maintenance activities.

Control Reference: NIST SP 800-53 Revision 3, Page F-70

Media Protection (MP)

The agency takes steps to protect both analog and digital information media, limiting access to that media to appropriate personnel and destroying the media where necessary.

MP-4 Media Storage

This control dictates that storage media is to be stored securely and protected from damage.

As both the colonies of Luna and Mars lack the protection of a magnetosphere like Earth's, they are subject to exposure to various sources of radiation and energy from space. While most of the colonies are underground, providing shielding from these harmful sources of radiation, some parts of them are exposed. In all cases any media subject to damage from cosmic and solar radiation should be stored in properly shielded containers. Magnetic tape should be shielded, and semiconductor storage such as flash memory, which is generally more susceptible to ionizing radiation than magnetic media, should be shielded at least as carefully.

Control Reference: NIST SP 800-53 Revision 3, Page F-72

Physical and Environmental Protection (PE)

The agency limits physical access to its informational resources, protects physical information system components and infrastructure, and provides environmental controls for facilities where those information systems are located.

PE-11 Emergency Power

Short-term power is available to facilitate the proper shutdown of an information system. In some cases long-term emergency power supplies may be necessary.

Information systems maintained by the OLMA may be performing important scientific calculations or simulations, or supporting life-sustaining environmental functions. The higher the security category of an information system, the longer an emergency power supply should be able to operate until normal operations are restored.

Control Reference: NIST SP 800-53 Revision 3, Page F-81

Planning (PL)

The agency develops, revises, and exercises security plans for information systems which describe the use of security controls and behavior requirements for assigned personnel.

PL-2 System Security Plan

The agency creates a security plan for an information system that defines boundaries, categorization rationale, requirements, and relationships to other systems, and describes existing security controls already in place.
This plan is reviewed and approved by the authorizing official during the system authorization process.

Control Reference: NIST SP 800-53 Revision 3, Page F-85

Personnel Security (PS)

The agency takes steps to ensure the trustworthiness of people in positions of responsibility and the security of information systems in use by those people. When necessary, formal action is taken against personnel who have violated agency security policies.

PS-3 Personnel Screening

This control dictates that potential employees are screened prior to gaining authorization to agency information systems and rescreened when certain conditions are met.

The OLMA must take great care in ensuring that it can trust its personnel due to the secretive and impactful nature of the work being done under its purview. In addition to background checks to ensure a history of trustworthiness, behavioral-analysis-based interview techniques are used during any screening process, both initial and subsequent.

Control Reference: NIST SP 800-53 Revision 3, Page F-89

Risk Assessment (RA)

The agency periodically assesses the risk to its people, assets, and information systems.

RA-2 Security Categorization

The information and information systems within the responsibility of the agency are categorized in accordance with federal laws and standards.

Categorization is the first step of the Risk Management Framework described in NIST SP 800-37 Revision 1. The OLMA follows this process as a means to properly detect, manage, and remediate risk on its information systems.

Control Reference: NIST SP 800-53 Revision 3, Page F-92

RA-3 Risk Assessment

The agency performs a formalized assessment of risk present on an information system, reviews the results, and performs periodic updates of the assessments.

A risk assessment is a useful tool when done as a part of the risk management framework and its associated processes. According to NIST SP 800-37 Revision 1, "a risk assessment guides the prioritization process for items included in the plan of action and milestones." Guidance on risk assessments can be found in NIST SP 800-30 Revision 1: Guide for Conducting Risk Assessments.

Control Reference: NIST SP 800-53 Revision 3, Page F-93

System and Services Acquisition (SA)

The agency allocates sufficient resources to provide adequate protection to its information systems, utilizes a system development life cycle that addresses security concerns, and monitors the use of software.

SA-2 Allocation of Resources

The agency determines the resources required to implement the security controls necessary to provide an information system with adequate security.
As resources in the off-world colonies are extremely limited, it is important to know exactly how many will be required by the security controls assigned for use on a system. Colonies on Luna may have more immediate access to resources from Earth, while resource scarcity on Mars is always an issue. In many cases the colonies must be self-sufficient, with any additional resources from Earth seen as unnecessary but not unwelcome.

Control Reference: NIST SP 800-53 Revision 3, Page F-96

System and Communications Protection (SC)

The agency monitors, controls, and protects communication of information at key points along system boundaries, both external and internal, and makes use of architectural, software development, and engineering techniques that contribute to secure information transmission practices.

SC-9 Transmission Confidentiality

Information with a confidentiality requirement must be protected from unauthorized disclosure while in transit.

As much of the OLMA's work is done in secret, the classification of much of the information about this work along the confidentiality dimension is high. Encrypted communications tunnels must be used, especially on shared communications channels such as the main band used by Mars and Luna to communicate with Sagan Station on Earth. Because the round-trip latency on the Mars link is measured in minutes, interactive key-exchange handshakes are expensive, and key management for these tunnels should be planned with that delay in mind. This control and reasoning are also related directly to control SC-28 Protection of Information at Rest.

Control Reference: NIST SP 800-53 Revision 3, Page F-112
System and Information Integrity (SI)

The agency locates, reports, and remediates information system flaws in a timely manner, provides protection from malicious code, and monitors security alerts and intelligence in order to facilitate an appropriate response.

SI-4 Information System Monitoring

The agency tracks events on information systems in accordance with its objectives and is able to detect information system attacks.

This control and its reasoning are directly related to controls AU-2 Auditable Events and AU-13 Monitoring for Information Disclosure.

Control Reference: NIST SP 800-53 Revision 3, Page F-126

Risk Assessment

"I often say that when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever the matter may be." – William Thomson, Lord Kelvin

The OLMA measures risk according to the following conceptual formula:

Risk = Threat x Vulnerability x Impact

There are several variants of the risk formula in use throughout the security industry. Some risk assessment models, such as the NIST model, also include the likelihood of a threat event occurring as a component of risk. For the purposes of the OLMA, likelihood is considered a factor of threat and is included therein, as many of our assessment tools already use this methodology.

The results of a risk assessment, including source documents for each component of the risk formula, are then documented for later reference throughout the Risk Management Framework.

The components of this formula are defined in NIST SP 800-30 Revision 1:

Threat

"Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations…through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service."

This value comes from the threat-source and threat-event analysis that SP 800-30 describes, drawing on threat intelligence and the agency's own incident history; it is not something a vulnerability scanner can measure. Sources of threats may be intentional, accidental, or environmental.

Vulnerability

"A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source."

This value is typically provided for us by automated vulnerability scanners and stored in reports generated by those scanners.

Impact

"The level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability."

It should be noted that impact is partially defined by the thing being affected by the threat and vulnerability. That is, no external source can automatically tell us what the impact on our own environment will be, because it is ours and unique to its use and position within the OLMA.
The classification of the information present on or used by an information system can be used to help determine this value. Information of a higher security category should be represented as having a greater level of impact on the level of risk determined.

A Note on Measurement

Measurements of components of risk for the OLMA's information systems are gathered on a 0.0 to 10.0 scale. If these values are going to be used in other calculations they should be kept on this scale to preserve likeness and precision. Results of calculations, for use in reports or presentations, can be translated into other scales as needed, such as the 1-5 scale used by most corporate risk assessment methodologies, the 1-3 scale used by some federal agencies, or the CVSS 2.0 rating system.

For our purposes values shown in reports will use the following scale:

Rating Scale (0-5)
0 None
1 Very Low
2 Low
3 Medium
4 High
5 Critical

System Security Authorization

Step 5 of the Risk Management Framework is the authorization of an information system based upon a determination of the risk present on that system. This is addressed by several tasks, each of which is also represented by a corresponding security control.

Plan of Action and Milestones

The Plan of Action and Milestones (POA&M) document describes actions necessary to address and correct weaknesses in the security controls used on an information system, or the vulnerabilities on the information system which those security controls do not adequately address. The document then describes the issues and tasks to remediate those issues, the resources necessary to do so, and any milestones met during the course of completion of the plan.

Risk assessments are used to assign priority to these tasks based on the issues they address and help to guide time requirements for completion of tasks, so control RA-3 Risk Assessment informs this step.

The corresponding security control for this step is CA-5 Plan of Action and Milestones. The OLMA-specific reasoning and considerations can be found in the corresponding section of this document.

Reference: NIST SP 800-37 Revision 1, Page 34

Security Authorization Package

The POA&M, along with the security assessment report and the security plan created during earlier steps of the Risk Management Framework process, is used to complete the security authorization package. The authorizing official can use the information in this package to conduct further analysis based on the vulnerabilities, threats, and impact described therein to make a determination of risk. The authorizing official can request additional information to add to the authorization package as necessary in order to make a more accurate determination of risk.

The security plan is related to control PL-2 System Security Plan. The security assessment is related to control CA-2 Security Assessments. Security controls not explicitly described in this document are described in NIST SP 800-53 Revision 3.

Reference: NIST SP 800-37 Revision 1, Page 34
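The authorizing official's determination rests on the threat, vulnerability and impact values gathered under the Risk Assessment section, which are kept on the 0.0 to 10.0 measurement scale and translated to the 0-5 rating scale only for reporting. The following Python script is an added example, not code from the original paper: it applies the formula Risk = Threat x Vulnerability x Impact to a constructed set of systems, keeps the result on the 0-10 scale, converts it to the report rating, and ranks the systems for the POA&M against the agency's stated acceptable level of Very Low. Two details the paper does not specify are assumptions made here: the product of three 0-10 values (0 to 1000) is divided by 100 to land back on 0-10, and the 0-5 rating bands are two points wide with an exact zero mapped to None.

```python
"""Added example (not from the paper): the OLMA conceptual formula
Risk = Threat x Vulnerability x Impact evaluated on the 0.0-10.0 scale and
translated to the 0-5 report rating. The /100 normalisation and the rating
bands are assumptions; the paper defines neither."""
from typing import Dict, List

RATING_LABELS = ["None", "Very Low", "Low", "Medium", "High", "Critical"]
ACCEPTABLE_RATING = 1  # "Very Low": the OLMA's acceptable level per Risk Determination


def _check_scale(name: str, value: float) -> float:
    """Components must stay on the 0.0-10.0 measurement scale before arithmetic."""
    if not 0.0 <= value <= 10.0:
        raise ValueError(f"{name}={value} is outside the 0.0-10.0 scale")
    return float(value)


def compute_risk(threat: float, vulnerability: float, impact: float) -> float:
    """Risk on the 0-10 scale. Likelihood is folded into threat, as the
    section above states; dividing by 100 (assumed) maps the 0-1000 product
    back onto 0-10 so the result is comparable with its components."""
    t = _check_scale("threat", threat)
    v = _check_scale("vulnerability", vulnerability)
    i = _check_scale("impact", impact)
    return t * v * i / 100.0


def to_rating(risk: float) -> int:
    """Translate a 0-10 risk to the 0-5 report scale: exactly 0 is 'None';
    otherwise bands two points wide (assumed), capped at 5 'Critical'."""
    if risk == 0:
        return 0
    return min(5, int(risk // 2) + 1)


def assess(systems: List[Dict]) -> List[Dict]:
    """Score each system and rank highest risk first, the order in which the
    POA&M should work; 'acceptable' compares the rating with the agency threshold."""
    results = []
    for s in systems:
        risk = compute_risk(s["threat"], s["vulnerability"], s["impact"])
        rating = to_rating(risk)
        results.append({"name": s["name"], "risk": risk, "rating": rating,
                        "label": RATING_LABELS[rating],
                        "acceptable": rating <= ACCEPTABLE_RATING})
    return sorted(results, key=lambda r: r["risk"], reverse=True)


# Constructed sample inputs; every component value is invented for illustration.
SAMPLE_SYSTEMS = [
    {"name": "Sagan Station uplink",        "threat": 9.0, "vulnerability": 9.5, "impact": 10.0},
    {"name": "hab-3 environmental control", "threat": 6.0, "vulnerability": 7.0, "impact": 9.5},
    {"name": "lab-1 research archive",      "threat": 4.0, "vulnerability": 2.5, "impact": 8.0},
    {"name": "commissary menu board",       "threat": 2.0, "vulnerability": 9.0, "impact": 0.5},
]

if __name__ == "__main__":
    for r in assess(SAMPLE_SYSTEMS):
        flag = "" if r["acceptable"] else "  <- exceeds acceptable risk, needs a POA&M entry"
        print(f'{r["name"]:32} risk={r["risk"]:5.2f} rating={r["rating"]} ({r["label"]}){flag}')
```

Multiplying three ordinal scores is a heuristic rather than a measurement, which is why the Note on Measurement above insists on recording the raw components alongside the result: the menu board scores a very high vulnerability but a negligible impact, and only the components explain why it ranks last.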
Risk Determination

The authorizing official, working with the senior information security officer as appropriate, reviews the information in the authorization package to examine the security controls currently in place on the information system, determine the current level of risk present, and review the recommendations provided in the POA&M document. The current risk level is determined along with risk mitigation strategies. Remaining risk is compared to the level of acceptable risk to determine if further action is required.

The OLMA has determined that a very low level of risk, based on the 0-5 rating scale described earlier in this document, is acceptable to the agency due to the heavy reliance of the mission and function of the agency on information technology.

Reference: NIST SP 800-37 Revision 1, Page 35

Risk Acceptance

It is the authorizing official's role to determine if the risk to the mission, function, image, reputation, assets, people, or organizations is acceptable within the bounds set by the OLMA's risk policies, while weighing this risk against continued operational and mission demands placed on the system.

This decision is documented in the authorization decision document, detailing the final decision of the authorizing official regarding the acceptance of risk associated with this information system and whether that system is authorized to begin or continue operations. Terms and conditions may also be included in this document, providing for special cases for use or describing limits on use of the information system. This document also describes the period of expiration of this authorization, prompting another authorizing review to take place. This information is then given to the system owner and common control provider as well as other parties as necessary.
Reference: NIST SP 800-37 Revision 1, Page 35

Information System Monitoring

Because people and resources are relatively scarce on off-world colonies, the OLMA relies heavily on automation and automated processes to monitor the security of its information systems. NIST SP 800-137 Appendix D describes several types of tools that, when deployed appropriately and with the oversight of human expertise, are useful in system monitoring practices.

Asset Management

These tools let security analysts know what systems are present in their environment. This is the foundation of an effort to secure all of the systems in an organization, as security controls cannot be deployed to systems if you don't know what systems you have in the first place, especially if the environment is so large or widespread that an accurate and timely manual inventory would be impossible.

Configuration Management

Centralized configuration management allows administrators to deploy consistent settings to many categories of systems simultaneously, ensuring compliance with pre-established parameters as security controls. These tools can also find deviations in settings from the established normal, identifying these flawed security control deployments in real time and, in many cases, correcting them automatically.

Event and Incident Management

These tools are used to gather information about specific occurrences happening on a given system, such as detection of attacks based on known signatures, system behavioral patterns, or other logs of activity. If there is a common cause to particular sets of behavior, the information can be organized as an incident, enabling common reference of related events.

Information Management

The security category of a system is determined by the type of data on that system. Information management tools are able to track this information and how it moves over the network, possibly preventing information leakage and allowing the security team to identify the sensitivity of a given system based on the type of information present on that system.

License Management

License management can detect the number of installations of an application in the environment and compare this against the number which the organization is allowed or has purchased. This allows for avoidance of fees or legal action by the software distributor by detecting this deviation and enabling the security team to correct it, or by preventing the installation of the unlicensed software in the first place.

Malware Detection

Symantec Corporation defines malware as "a category of malicious code that includes viruses, worms, and Trojan horses." This tool is used to find such software and, in many cases, take a predetermined action against it, enabling real-time protection of a system and mitigation of the risk created by the malware threat.

Network Management

Network management tools allow for discovery of new hosts on the network and monitoring of traffic. These tools allow for real-time discovery of systems on the network which are not in the inventory of allowed systems or network devices.

Software Assurance

This set of tools allows for the analysis of software behavior, enabling an organization to verify the trustworthiness of an application. For software developed internally this can be utilized as part of the software development cycle to improve the security compliance of an application.

Vulnerability and Patch Management

These tools scan systems to detect software flaws or determine if a software update is available and needed to address a known issue. These tools allow for quick discovery of such issues through regularly scheduled scans and remediation via pre-determined patching mechanisms.
References

1. E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899. Retrieved January 2015 from the U.S. Government Printing Office at: http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/html/PLAW-107publ347.htm

2. Mell, P., Scarfone, K., Romanosky, S. (2007 January). A Complete Guide to the Common Vulnerability Scoring System Version 2.0. Retrieved March 2015 from FIRST at: https://www.first.org/cvss/cvss-guide.pdf

3. National Institute of Standards and Technology. (2014 April 1). FISMA – Detailed Overview. Retrieved January 2015 from NIST at: http://csrc.nist.gov/groups/SMA/fisma/overview.html

4. National Institute of Standards and Technology. (2004 February). Federal Information Processing Standards Publication 199: Standards for Security Categorization of Federal Information and Information Systems. Retrieved February 2015 from NIST at: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

5. National Institute of Standards and Technology. (2006 March). Federal Information Processing Standards Publication 200: Minimum Security Requirements for Federal Information and Information Systems. Retrieved March 2015 from NIST at: http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

6. National Institute of Standards and Technology. (2015 January 28). NIST Computer Security Publications - NIST Special Publications (SPs). Retrieved March 2015 from http://csrc.nist.gov/publications/PubsSPs.html

7. National Institute of Standards and Technology. (2010 February). NIST Special Publication 800-37 Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems. Retrieved February 2015 from NIST at: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

8. National Institute of Standards and Technology. (2013 April). NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved February 2015 from NIST at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

9. National Institute of Standards and Technology. (2003 August). NIST Special Publication 800-59: Guideline for Identifying an Information System as a National Security System. Retrieved March 2015 from NIST at: http://csrc.nist.gov/publications/nistpubs/800-59/SP800-59.pdf

10. National Institute of Standards and Technology. (2008 August). NIST Special Publication 800-60 Revision 1, Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved February 2015 from NIST at: http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf

11. National Institute of Standards and Technology. (2008 August). NIST Special Publication 800-60 Revision 1, Volume 2: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved February 2015 from NIST at: http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf

12. Nicolen, Shawn. (2015 March 21). OLMA STIMU: Stuff That I Made Up. Personal interview, March 2015.

13. Office of Management and Budget. (1996 February 8). Circular No. A-130. Retrieved March 2015 from the OMB at: https://www.whitehouse.gov/omb/circulars_a130

14. Office of the Press Secretary. (2009 December 29). Executive Order 13526 - Classified National Security Information. Retrieved March 2015 from The White House at: https://www.whitehouse.gov/the-press-office/executive-order-classified-national-security-information

15. Symantec. Malware - Malicious Virus Code Detection - Trojan - Trojan Horse. Retrieved March 2015 from Norton at: http://us.norton.com/security_response/malware.jsp
