2. Transition
Certification and Accreditation Process
NIST Developed
Waterfall approach
ATO Cycle - 3 years
Issues
Monitoring
Interconnected Systems
4. Initiation Phase
System
Function
Data Types
SP800-60 Volume I and II
Tasks
Preparation
SSP
Notification
Resource Identification
Analyze, Update, and Approve (SSP)
5. Certification Phase
Security Control Verification
Assembling Documentation
Developed tools and procedures
Assemble Team
Review technical, operational, management controls
SAR
System Certification Documentation
C&A Package
7. Continuous Monitoring Phase
Tasks
Configuration Management
CCB
Control Verification
Annual Assessments
Status Reporting
8. RMF
NIST SP800-53 - FIPS 200
DOD and NSS
Moving towards RMF
More flexible
Cost effective
Better management of risks (holistically)
Risk Management
Impact as a whole
Continuous Monitoring
9. Categorize the System
Phase 1
Categorize the System
FIPS-199
Define the System
System Boundary
Other technical details
Registered
10. Select the Security Controls
Phase 2:
Common Control Identifications
Security Control Selection
Task 1-1 (Baseline)
System Specific
Continuous Monitoring Plan
SSP Approvals
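The FIPS 199 categorization named in Phase 1 and the baseline selection of Task 1-1 in Phase 2, written out as an added example that is not part of the original slides; the information types and their impact levels are constructed sample values, not figures from SP 800-60.

```python
# FIPS 199 security categorization (RMF step 1) and SP 800-53 baseline
# selection (RMF step 2). Information types and impact levels below are
# constructed sample values; a real categorization starts from the
# provisional impact levels in SP 800-60 Volume II and adjusts them for
# the system's own context.

IMPACT_ORDER = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

def high_water_mark(levels):
    """Return the highest impact level among those given (the FIPS 199 rule)."""
    return max(levels, key=lambda lvl: IMPACT_ORDER[lvl])

def categorize_system(info_types):
    """Derive the system security category from its information types.

    info_types maps an information-type name to per-objective impact levels.
    FIPS 199 takes the high-water mark per objective across all types; an
    objective omitted for a type (e.g. N/A confidentiality of public data)
    counts as low, since a system can never be categorized below low.
    """
    category = {}
    for objective in OBJECTIVES:
        levels = [t.get(objective, "low") for t in info_types.values()]
        category[objective] = high_water_mark(levels)
    return category

def overall_impact(category):
    """Overall impact level (FIPS 200): the highest of the three objectives."""
    return high_water_mark(category.values())

def select_baseline(category):
    """Map overall impact to the SP 800-53 baseline used as the starting point
    (Task 1-1); tailoring and system-specific controls come afterwards."""
    return f"SP 800-53 {overall_impact(category).upper()} baseline"

# Constructed sample: a benefits-payment system with three information types.
SAMPLE_INFO_TYPES = {
    "public website content": {"confidentiality": "low", "integrity": "low", "availability": "low"},
    "beneficiary PII":        {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "payment disbursement":   {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print("SC = {" + ", ".join(f"({k}, {v.upper()})" for k, v in sc.items()) + "}")
    print("Overall impact:", overall_impact(sc).upper(), "->", select_baseline(sc))
```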
11. Implement the Security Controls
Phase 3
Security Control Implementation
Security Control Documentation
SP800-53
FIPS-200
12. Assess Security Controls
Phase 4
Assessment Preparation
Assessment of the Security Controls
SAR
Remediation Actions
15. Key Positions and Roles
Head of Agency
CEO
Risk Executive
Holistic approach to addressing Risk
Commonly a board
RAR
CIO
Appoints CISO
16. Key positions and Roles
Information Owner
Maintaining security during storage and processing
CISO
Oversight
AO
Delegated (Approves Packages)
Information System Owner
Developing, using, and maintaining the system
17. Key Positions and Roles
ISSO
Maintaining Security
Information Security Architect
Security Built into the System
ISSE
Security Built into the System
Security Control Assessor
Assesses the System
19. Security Awareness and Training
Why do we need Security Awareness and Training?
All users
Specialized Training
Uninformed Users
20. Security Awareness and Training
Types of Training
“One in five workers (21%) let family and friends use company laptops and PCs to access the Internet” (Schneier, 2005).
“More than half (51%) connect their own devices or gadgets to their work PC...a quarter of who do so every day” (Schneier, 2005).
“One in ten confessed to downloading content at work they should not” (Schneier, 2005).
“Two thirds (62%) admitted they have a very limited knowledge of IT Security” (Schneier, 2005).
“More than half (51%) had no idea how to update the anti-virus protection on their company PC” (Schneier, 2005).
“Five percent say they have accessed areas of their IT system they should not have” (Schneier, 2005).
21. Types of Training
Classroom
Website
Visual Aids
Promotions
Security Awareness and Training
25. Rules of Behavior
User Agreement Form
User signs
Keeps
Redone on an annual basis
Internal and External
26. Rules of Behavior
Rules to include
Applications
General Support Systems
Mobile Devices
Laptops/Desktops
Privileged Users
Noncompliance
Disciplinary Actions
Training
Examples: Table 10.1 – 10.4
28. IR
Why?
Need for a mechanism to address incidents that happen within an organization
Even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen.
When computer security incidents occur, it will be critical for an organization to have an effective way to respond.
CSIRT
A Computer Security Incident Response Team (CSIRT) is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity.
Their services are usually performed for a defined constituency that could be a parent entity such as a corporate, governmental, or educational organization; a region or country; a research network; or a paid client.
29. IR
Security Incident
Each organization will need to define what a computer security incident is for their site. Examples of general definitions for a computer security incident might be:
Any real or suspected adverse event in relation to the security of computer systems or computer networks
The act of violating an explicit or implied security policy
Examples of incidents could include activity such as:
attempts (either failed or successful) to gain unauthorized access to a system or its data
unwanted disruption or denial of service
unauthorized use of a system for the processing or storage of data
changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent
Computer security incident activity can be defined as network or host activity that potentially threatens the security of computer systems.
30. IR
Roles and Responsibilities
SO and ISSO
Agencies' IRP
Incident Response Manager
Incident
A security incident is a violation of a security policy for a system, network, telecommunications system, or facility
A security incident is any real or suspected adverse event in relation to the security of computers or computer networks
A security incident is any compromised or suspected compromised system; any type of attack or pre-attack reconnaissance levied on or from a computer resource; misuse of IT resources; or any other anomalous activity detected.
31. IR
1. Impact
2. Notification
3. Handling
a) Detecting
b) Containment/Eradication
c) Recovery/Closure
4. Escalation
5. Forensic Investigations
a) Time?
b) What to look for?
32. IR
Types
Internal CSIRTs provide incident handling services to their parent organization. This could be a CSIRT for a bank, a manufacturing company, a university, or a federal agency.
National CSIRTs provide incident handling services to a country. Examples include the Japan CERT Coordination Center (JPCERT/CC) or the Singapore Computer Emergency Response Team (SingCERT).
Coordination Centers coordinate and facilitate the handling of incidents across various CSIRTs. Examples include the CERT Coordination Center or the United States Computer Emergency Readiness Team (US-CERT).
Analysis Centers focus on synthesizing data from various sources to determine trends and patterns in incident activity. This information can be used to help predict future activity or to provide early warning when the activity matches a set of previously determined characteristics.
Vendor Teams handle reports of vulnerabilities in their software or hardware products. They may work within the organization to determine if their products are vulnerable and to develop remediation and mitigation strategies. A vendor team may also be the internal CSIRT for a vendor organization.
Incident Response Providers offer incident handling services as a for-fee service to other organizations.