Module LVIII - Evaluation and Certification of Information Systems
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Independent Business Continuity Validation and Certification Services Now Available
Source: http://www.prlog.org/
News: Security Concerns in the SaaS Environment
Source: http://www.itworld.com/
Module Objective
This module will familiarize you with:
• Accreditation
• Type Accreditation
• Approval to Operate (ATO)
• System Security Authorization Agreement (SSAA)
• Cost-Benefit Analysis
• Certification Test & Evaluation (CT&E)
• System Security Architecture
• C&A Process for Information System
Module Flow
Accreditation
Type Accreditation
Approval to Operate (ATO)
System Security Authorization Agreement (SSAA)
Cost-Benefit Analysis
Certification Test & Evaluation (CT&E)
System Security Architecture
C&A Process for Information System
Accreditation
Accreditation is the voluntary process of being certified for meeting minimum requirements designated by an accrediting agency
This process certifies the competency, authority, and credibility of an organization
These certificates are issued by certification specialists after every standard has been tested in laboratories, in compliance with established standards
These standards may be physical, chemical, forensic, quality, or security standards
Types of accreditation:
• Type accreditation
• Site accreditation
Importance of Accreditation
Accreditation is important to support a risk management process
It gives assurance of the quality and standards of the organization
It guides managers and technical staff in implementing:
• Effective security controls
• Mission requirements
• Technical constraints
• Operational constraints
• Cost/schedule constraints
Type Accreditation
Type accreditation may be issued by the Designated Approving Authority (DAA) for operating environments
It is used to accredit multiple instances of an application or system to operate in approved locations with a similar type of computing environment
The DAA must include a statement of residual risk and a clearly defined operating environment for the application and/or system
The DAA must identify the uses and operational procedures of the application or system
Security Test and Evaluation (ST&E) should take place at a central integration facility to support accreditation of the application and system
Type Accreditation (cont’d)
Site Accreditation
A site accreditation includes site-specific security and protection methods
It also contains the same information as a type accreditation
It identifies the usage and protection features of the training device
It contains the documentation of:
• Access policies
• Protection methods for securing sensitive data
• Physical security measures
Significance of NSTISSP
NSTISSP is a national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products
The policy was issued by the Chairman of the National Security Telecommunications and Information Systems Security Committee (NSTISSC)
It provides the standard for testing the design, quality, and performance of information technology products that provide confidentiality for data and authenticate the identities of individuals or organizations exchanging sensitive information
Products whose NSTISSP performance claims are validated are marketed as IA products, which ensures that these products are responsive to the security needs of the intended user
Approval to Operate (ATO)
Approval to operate (ATO) is an official permission granted by the Designated Approval Authority (DAA) to operate an AIS or network in a particular security mode
Before granting the permission, the DAA verifies an accreditation statement to ensure that the residual risk is within acceptable limits
The DAA ensures that each AIS fulfils the AIS security requirements, as reported by the Information System Security Officers (ISSOs)
Responsibilities of ISSOs to get an ATO:
• Establishing and managing security for the systems which are operated by an agency, contractors, and command personnel
• Assigning levels of classification required for applications which are operated in the network environment
• Verifying the accreditation plan and signing the accreditation statement for the network and AIS
• Verifying the documentation for AIS security requirements which are defined in the AIS network security program
Approval to Operate Form
Interim Approval to Operate (IATO)
IATO grants temporary authorization to process information and operate an Automated Information System (AIS) under defined conditions
IATO is provided by the DAA and is generally granted for one year
It permits the AIS to operate on the condition that it reaches an acceptable level of risk
Purpose of IATO:
• Specifies security mode
• Provides technical and non-technical protection measures against a defined threat
• Properly secures operational environment
• Achieves short and long term goals
• Connects to other AIS or network
Interim Approval to Operate (cont’d)
The Interim approval letter contains:
• The organization’s letterhead and date of signature
• The specified security mode of operations and a specified data sensitivity or classification level
• Defined security safeguards
• System/Operational Applications
• A defined threat and stated vulnerabilities
• Stated interconnection to other systems
• A statement of acceptance of risk for the system
• A specified period of time
• A specified suite of hardware and software
• A specified operational environment
• Signature and signature block of the DAA
Sample IATO Letter: Screenshot
System Security Authorization Agreement (SSAA)
An SSAA is an information security document used in the United States Department of Defense (DoD) to describe and accredit networks and systems
The SSAA is part of the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
The DoD instruction describes DITSCAP and provides an outline for the SSAA document
Contents of SSAA
SSAA is divided into six sections:
• Mission Description and System Identification
• Environment Description
• System Architectural Description
• System Security Requirements
• Organizations and Resources
• DITSCAP Plan
Contents of SSAA (cont’d)
Mission Description and System Identification:
• System name and identification
• System description
• Functional description
• System capabilities
• System criticality
• Classification and sensitivity of data processed
• System user description and clearance levels
• Life cycle of the system
• System CONOPS summary
Environment Description:
• Operating Environment
• Facility description
• Physical security
• Administrative issues
• Personnel
• COMSEC
• TEMPEST
• Maintenance procedures
• Training plans
• Software Development and Maintenance Environment
• Threat description
Contents of SSAA (cont’d)
System Architectural Description:
• System architecture description
• System interfaces and external connections
• Data flow
• Accreditation boundary
System Security Requirements:
• National and DoD security requirements
• Governing security requisites
• Data security requirements
• Security CONOPS
• Network connection rules
• Configuration management requirements
• Reaccreditation requirements
Contents of SSAA (cont’d)
Organizations and Resources:
• Organizations
• Resources
• Training
• Other supporting organizations
DITSCAP Plan:
• Tailoring factors
• Programmatic considerations
• Security environment
• Information system characteristics
• Reuse of previously approved solutions
• Tasks and milestones
• Schedule summary
• Level of effort
• Roles and responsibilities
Justification for Waiver
A waiver is justified in the following situations:
• If an employee from one organization serves for another organization, and as an assigned official duty, the integrity of the services would be affected
• If an employee discloses the official matters outside of the organization
• If an employee is not involved in any service grants or contracts, or other financial matters of an organization
• If an employee is involved in problematic matters such as funding, regulatory, or investigatory matters affecting the financial interests of the organization
Cost-Benefit Analysis
Cost-benefit analysis is a decision-making process used in public finance
This process is used to determine which alternative is expected to provide the best return for a proposed investment
It is a suitable process for businesses as well as for not-for-profit entities and governmental units
It might be beneficial for a business to use cost-benefit analysis to evaluate whether additional funds should be invested in a facility in the home country or in another country
Federal government agencies use it to evaluate which of several projects is expected to be most used by interested citizens
Information Classification
Classification of information is important for protecting information from leakage
It can be done according to the sensitivity and importance of the information
Information can be differentiated as:
• Restricted
• Sensitive
• Operational
• Unrestricted
Importance of Information Classification
Classified information helps to protect important and confidential information from leakage
It also helps to prevent unauthorized access to the information
Classification makes the sensitivity of the information clear
It also suggests when and how to use the information strategically
Investigative Authorities
Roles and responsibilities of investigative authorities include:
• The proper investigative channels are used according to the appropriate expertise and jurisdiction
• Appropriate resources and expertise are brought for the timely and thorough review of reports
• Communications occur across investigative channels as and when necessary to ensure coordinated and comprehensive attention
• Steps are taken to monitor significant elements and progress of investigations
• Timely advice is provided on the corrective and remedial action that may be needed to address investigative findings
Key Management Infrastructure
The IEEE P1619 standard, developed by the Security in Storage Working Group (SISWG), will make it easier to manage the keys used to encrypt data in storage
This standard abstracts the components of a cryptographic system into a key-management server, a key-management client, and a cryptographic unit
The key-management server creates and distributes keys as well as the policies
Key-management clients get keys and policies from a key-management server on behalf of a cryptographic unit
The actual encryption and decryption operations with the keys obtained by the key-management clients are done at the cryptographic unit
Key Management Infrastructure (cont’d)
[Diagram of the key management infrastructure showing its Key Management Server, Key Management Client, and Cryptographic Unit components; image not reproduced]
Information Marking
Classifying information according to its sensitivity and confidentiality is called information marking
Information marking helps in separately identifying sensitive information from other non-critical information and helps in determining the appropriate controls for it
This also helps to decide the accessibility of the information according to the designation and authority of the user
Certification Test & Evaluation (CT&E)
CT&E consists of the software and hardware security tests conducted during the development of the information system
Penetration testing is conducted to test the security of the information system
It is a complex test process which follows the standards and guidelines provided by the accredited certification bodies
Certification Tools
Certification tools provide assistance in different stages of the certification process
These tools differ along several dimensions, such as the certification stages supported, targeted industry sectors, and features
These tools provide support for the system analysis, system implementation, system review, and maintenance stages
These tools are targeted specifically at the manufacturing sector, the general business sector, assessment activities, and documentation
No single tool covers all activities of the certification process
Product Assurance
Product assurance is defined as the management function which verifies customer requirements
Protection profile standard is followed to provide product assurance
All the security targets are tested to provide product assurance
Characteristics of Product Assurance:
• All critical activities are identified
• Required resources are made available for each activity
• All resources are applied efficiently and effectively
Protection Profiles
A Protection Profile is an implementation-independent specification of information assurance security requirements
It provides a complete combination of security objectives, security-related functional requirements, information assurance requirements, assumptions, and rationale
It rigorously states a security problem for a given collection of systems or products
It specifies security requirements to address that problem without dictating how these requirements will be implemented
Security Targets
A security target is defined as the information assurance security requirements for a given information system product
It is a complete and rigorous description of a security problem in terms of the Target of Evaluation (TOE) description, threats, assumptions, security objectives, security functional requirements (SFRs), security assurance requirements (SARs), and rationales
It contains some implementation-specific information that demonstrates how the product addresses the security requirements
It may refer to one or more protection profiles
Contracting For Security Services
Guidelines for contracting security services:
• Lay down clear written policies and procedures governing the procurement of contract security services
• Cover in the procedures the methods to be adopted in obtaining these services
• Ensure the procurement process is fair and transparent so that all eligible contractors can compete, e.g., competitive tendering
• Regularly review/update these procurement policies and procedures
Disposition of Classified Material
The destruction method is chosen depending on the media type and the data storage mechanism
The media and data destruction methods are as follows:
• Non-Volatile Magnetic: Hard Disk Drives
  • Pattern wiping, Incineration, and Physical Destruction
• Write Once Optical: CDROM and DVD-R
  • Abrasion, Incineration, and Physical Destruction
• Write Many Optical: CD-RW and DVD-RW
  • Abrasion, Incineration, and Physical Destruction
• Solid-State
  • Pattern wiping and Physical destruction
• Paper Based
  • Shredding, Incineration
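As an added example (not code from the EC-Council slides), the following Python implements the pattern-wiping method listed above for a single file, reading each fixed-pattern pass back to verify it was written, and records in its docstring why the slide pairs pattern wiping with physical destruction. The pass sequence, function names and the constructed sample file are assumptions for this illustration.

```python
"""Added example (not from the EC-Council slides): multi-pass pattern wiping
of a file with read-back verification.  The pass sequence and the function
names are assumptions made for this illustration."""
import os
import tempfile

# Assumed pass sequence: all-zeros, all-ones, then one pseudorandom pass.
PASSES = (b"\x00", b"\xff", None)   # None marks the pseudorandom pass
CHUNK = 1 << 16


def _fill(f, size, pattern):
    """Overwrite `size` bytes from the start of `f` with `pattern` (or random data)."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(os.urandom(n) if pattern is None else pattern * n)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())   # push the pass through the OS cache to the device


def _verify(f, size, pattern):
    """Read the file back and confirm every byte matches the fixed pattern."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if f.read(n) != pattern * n:
            return False
        remaining -= n
    return True


def pattern_wipe(path, passes=PASSES):
    """Overwrite the file at `path` in place with each pass in `passes`.

    Returns the number of passes completed; raises IOError when a
    fixed-pattern pass does not read back as written.

    Caveat (the reason the slide pairs pattern wiping with physical
    destruction): this only reaches the blocks the filesystem currently maps
    to the file.  Journaling, snapshots, bad-sector remapping and wear
    levelling on solid-state media can leave copies that no file-level
    overwrite touches.
    """
    size = os.path.getsize(path)
    done = 0
    with open(path, "r+b") as f:
        for pattern in passes:
            _fill(f, size, pattern)
            if pattern is not None and not _verify(f, size, pattern):
                raise IOError(f"verification failed on pass {done + 1} of {path}")
            done += 1
    return done


def demo():
    """Wipe a constructed sample file and report whether its marker text survived."""
    marker = b"CONSTRUCTED SENSITIVE RECORD "   # sample content, not real data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 5000)               # ~145 KB, so several chunks are exercised
        path = tmp.name
    try:
        passes = pattern_wipe(path)
        with open(path, "rb") as f:
            data = f.read()
        return {"passes": passes,
                "size_unchanged": len(data) == len(marker) * 5000,
                "marker_gone": marker not in data}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```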
Optical Remanence
Residue of the information remains even after the removal of the data from the optical storage media
Optical remanence deals with the residual information that remains on the storage media
Physical destruction fully erases the information stored on CD-ROM, CD-R, and DVD-R
Shredders are an inexpensive and convenient means of disposing of optical storage media
Magnetic Remanence
Magnetic remanence is the magnetic representation of residual information stored in hard drives, floppy disks, or magnetic tapes
Some residue of the information remains on hard drives and floppy disks even after the removal of the data
It can be addressed with a degausser device
Degaussing is a process of thoroughly deleting the data on magnetic media
Facilities Planning
Facility planning is important for the smooth functioning of the organization
Steps in the facility planning:
• Problem definition
• Analysis & synthesis
• Alternatives
• Evaluation
• Selection
• Implementation
Facility planning should be:
• Flexible and open-ended
• Attentive to the needs
• Affordable
Importance of Facilities Planning
Facilities planning helps to minimize overall production time
It effectively utilizes space, people, equipment, and energy
It facilitates ease of maintenance
System Disposition/Reutilization
The steps for the system disposition/reutilization are as follows:
• Develop system disposition plan:
  • Verify that software/applications have not been compromised
  • Archive or transfer data, software components, and life cycle documentation and artifacts
• Dispose of equipment:
  • Ensure that the equipment is disposed of in accordance with the system’s disposition plan
  • Any equipment that can be used elsewhere in the organization shall be recycled
• Conduct a disposition review:
  • Document the lessons learned from the shutdown and archiving of the terminated system
Improper system disposition can lead to disruption in routine system operations
Life Cycle System Security Planning
Steps for Life Cycle System Security Planning are as follows:
• Appraise the life-cycle system security planning proposed by the development team
• Assist with the information security planning for life-cycle system security
• Explain the life-cycle system security planning to the development team
• Influence the development team's approach to life-cycle system security planning
• Verify that the life-cycle system security planning has been accomplished
It is important because it is always evaluated by the development team to find deficiencies in the existing security plan
System Security Architecture
Security architecture is a simple view of the overall system architecture from a security perspective
It should be established as an integral part of the system’s architecture
It consists of those attributes of the architecture that deal with protecting or safeguarding the operational assets
It includes network architecture or physical connectivity architectures
It focuses on:
• System security services and high level mechanisms
• Allocation of security related functionality
• Identified interdependencies among security related components, services, mechanisms, and technologies
C&A Process for the Information System
Phase I: Definition:
• This phase deals with documentation of the security requirements, assigning responsibilities, and negotiating agreement among stakeholders
Phase II: Verification:
• This phase begins with preparing the system security authorization agreement and continues with the certification analysis
Phase III: Validation/Certification & Accreditation:
• This phase deals with analyzing the findings of the vulnerability test and certification test and the statement of certification provided by the certification authority
Phase IV: Post Accreditation:
• This phase deals with reviewing the system’s security authorization agreement for monitoring system operations to fulfill the requirements
C&A Life Cycle
Responsibilities Associated with Accreditation
The C&A process guarantees that the Information System will achieve the standard security requirements and continuously maintain the accredited security posture through the process of periodic recertification
Information assurance security controls are the management protection schemes provided to an information system to achieve the required level of confidentiality, integrity, and availability by identifying the threats and vulnerabilities through the process of risk assessment
The C&A process identifies security requirements and provides the process for identifying and testing the IA security controls for those requirements
Roles Associated with Certification
• Chief Information Officer:
  • Agency official responsible for designating a senior agency information security officer
• Authorizing Official:
  • Senior management official responsible to operate an information system at an acceptable level of risk to agency operations, agency assets, or individuals
• Designated Representative:
  • Responsible for coordinating and carrying out the necessary activities during the security certification and accreditation of an information system
• Senior Agency Information Security Officer:
  • Agency official responsible for carrying out the Chief Information Officer responsibilities under FISMA
• User Representatives:
  • Represent the operational interests of the user community and serve as liaisons for that community throughout the system development life cycle of the information system
Roles Associated with Certification (cont’d)
• Information System Owner:
  • Responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system
• Information Owner:
  • Statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, and dissemination
• Information System Security Officer:
  • Responsible to the authorizing official and information system owner for ensuring the appropriate operational security posture is maintained for an information system
• Certification Agent:
  • Responsible for conducting a security certification or comprehensive assessment of the management in an information system
Information Ownership
Information ownership is the responsibility for protecting confidential data
It allows a selected group of people to view the confidential information
It provides the following types of protection:
• Confidentiality:
  • Only authorized persons will be allowed to view the document
• Integrity:
  • Only appropriate persons can change the content of the document
• Availability:
  • Ensures that the information is available when you need it
Summary
Accreditation is the voluntary process of being certified for meeting minimum requirements designated by an accrediting agency
Type accreditation may be issued by the Designated Approving Authority (DAA) for operating environments
NSTISSP is a national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products
IATO grants temporary authorization to process information and operate an Automated Information System (AIS) under defined conditions
The SSAA is part of the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
CT&E consists of the software and hardware security tests conducted during the development of the information system
 
File000141
File000141File000141
File000141
Desmond Devendran
 
File000128
File000128File000128
File000128
Desmond Devendran
 
File000165
File000165File000165
File000165
Desmond Devendran
 
File000174
File000174File000174
File000174
Desmond Devendran
 
File000175
File000175File000175
File000175
Desmond Devendran
 
File000122
File000122File000122
File000122
Desmond Devendran
 

Viewers also liked (20)

File000164
File000164File000164
File000164
 
File000172
File000172File000172
File000172
 
File000161
File000161File000161
File000161
 
File000148
File000148File000148
File000148
 
File000142
File000142File000142
File000142
 
File000152
File000152File000152
File000152
 
File000157
File000157File000157
File000157
 
File000155
File000155File000155
File000155
 
File000135
File000135File000135
File000135
 
File000145
File000145File000145
File000145
 
File000150
File000150File000150
File000150
 
File000139
File000139File000139
File000139
 
File000121
File000121File000121
File000121
 
Investigating server logs
Investigating server logsInvestigating server logs
Investigating server logs
 
File000141
File000141File000141
File000141
 
File000128
File000128File000128
File000128
 
File000165
File000165File000165
File000165
 
File000174
File000174File000174
File000174
 
File000175
File000175File000175
File000175
 
File000122
File000122File000122
File000122
 

Similar to File000171

Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
Life Cycle Engineering
 
Why Security-Grade Servers and Storage?
Why Security-Grade Servers and Storage?Why Security-Grade Servers and Storage?
Why Security-Grade Servers and Storage?
Jan Robin
 
Security Grade Servers and Storage - Quantifying Value
Security Grade Servers and Storage - Quantifying ValueSecurity Grade Servers and Storage - Quantifying Value
Security Grade Servers and Storage - Quantifying Value
Jan Robin
 
TSS - App Penetration Testing Services
TSS - App Penetration Testing ServicesTSS - App Penetration Testing Services
TSS - App Penetration Testing Services
Ahmad Sharaf
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-data
Kevin Mayo
 
Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...
Hassan EL ALLOUSSI
 
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & ComplianceCortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
MSAdvAnalytics
 
Week 09_Cyber security u.pdf
Week 09_Cyber security u.pdfWeek 09_Cyber security u.pdf
Week 09_Cyber security u.pdf
dhanywahyudi17
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...
David Wallom
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...
David Wallom
 
Azure Fundamentals Part 3
Azure Fundamentals Part 3Azure Fundamentals Part 3
Azure Fundamentals Part 3
CCG
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
Ce hv6 module 49 creating security policies
Ce hv6 module 49 creating security policiesCe hv6 module 49 creating security policies
Ce hv6 module 49 creating security policies
Vi Tính Hoàng Nam
 
tibbr Security Overview
tibbr Security Overviewtibbr Security Overview
tibbr Security Overview
tibbr
 
IoT and M2M Safety and Security
IoT and M2M Safety and Security 	IoT and M2M Safety and Security
IoT and M2M Safety and Security
Real-Time Innovations (RTI)
 
Safety-Certifying Open Source Software: The Case of the Xen Hypervisor
Safety-Certifying Open Source Software: The Case of the Xen HypervisorSafety-Certifying Open Source Software: The Case of the Xen Hypervisor
Safety-Certifying Open Source Software: The Case of the Xen Hypervisor
Stefano Stabellini
 
CMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organizationCMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organization
Infosec
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
HansFarroCastillo1
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Standards Customer Council
 
Eidws 107 information assurance
Eidws 107 information assuranceEidws 107 information assurance
Eidws 107 information assurance
IT2Alcorn
 

Similar to File000171 (20)

Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
 
Why Security-Grade Servers and Storage?
Why Security-Grade Servers and Storage?Why Security-Grade Servers and Storage?
Why Security-Grade Servers and Storage?
 
Security Grade Servers and Storage - Quantifying Value
Security Grade Servers and Storage - Quantifying ValueSecurity Grade Servers and Storage - Quantifying Value
Security Grade Servers and Storage - Quantifying Value
 
TSS - App Penetration Testing Services
TSS - App Penetration Testing ServicesTSS - App Penetration Testing Services
TSS - App Penetration Testing Services
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-data
 
Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...
 
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & ComplianceCortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
 
Week 09_Cyber security u.pdf
Week 09_Cyber security u.pdfWeek 09_Cyber security u.pdf
Week 09_Cyber security u.pdf
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...
 
Azure Fundamentals Part 3
Azure Fundamentals Part 3Azure Fundamentals Part 3
Azure Fundamentals Part 3
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
 
Ce hv6 module 49 creating security policies
Ce hv6 module 49 creating security policiesCe hv6 module 49 creating security policies
Ce hv6 module 49 creating security policies
 
tibbr Security Overview
tibbr Security Overviewtibbr Security Overview
tibbr Security Overview
 
IoT and M2M Safety and Security
IoT and M2M Safety and Security 	IoT and M2M Safety and Security
IoT and M2M Safety and Security
 
Safety-Certifying Open Source Software: The Case of the Xen Hypervisor
Safety-Certifying Open Source Software: The Case of the Xen HypervisorSafety-Certifying Open Source Software: The Case of the Xen Hypervisor
Safety-Certifying Open Source Software: The Case of the Xen Hypervisor
 
CMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organizationCMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organization
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
Eidws 107 information assurance
Eidws 107 information assuranceEidws 107 information assurance
Eidws 107 information assurance
 

More from Desmond Devendran

Siam key-facts
Siam key-factsSiam key-facts
Siam key-facts
Desmond Devendran
 
Siam foundation-process-guides
Siam foundation-process-guidesSiam foundation-process-guides
Siam foundation-process-guides
Desmond Devendran
 
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledgeSiam foundation-body-of-knowledge
Siam foundation-body-of-knowledge
Desmond Devendran
 
Enterprise service-management-essentials
Enterprise service-management-essentialsEnterprise service-management-essentials
Enterprise service-management-essentials
Desmond Devendran
 
Service Integration and Management
Service Integration and Management Service Integration and Management
Service Integration and Management
Desmond Devendran
 
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDiagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
Desmond Devendran
 
CHFI 1
CHFI 1CHFI 1
File000176
File000176File000176
File000176
Desmond Devendran
 
File000173
File000173File000173
File000173
Desmond Devendran
 
File000168
File000168File000168
File000168
Desmond Devendran
 
File000167
File000167File000167
File000167
Desmond Devendran
 
File000166
File000166File000166
File000166
Desmond Devendran
 
File000160
File000160File000160
File000160
Desmond Devendran
 
File000159
File000159File000159
File000159
Desmond Devendran
 
File000158
File000158File000158
File000158
Desmond Devendran
 
File000156
File000156File000156
File000156
Desmond Devendran
 
File000154
File000154File000154
File000154
Desmond Devendran
 
File000153
File000153File000153
File000153
Desmond Devendran
 

More from Desmond Devendran (18)

Siam key-facts
Siam key-factsSiam key-facts
Siam key-facts
 
Siam foundation-process-guides
Siam foundation-process-guidesSiam foundation-process-guides
Siam foundation-process-guides
 
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledgeSiam foundation-body-of-knowledge
Siam foundation-body-of-knowledge
 
Enterprise service-management-essentials
Enterprise service-management-essentialsEnterprise service-management-essentials
Enterprise service-management-essentials
 
Service Integration and Management
Service Integration and Management Service Integration and Management
Service Integration and Management
 
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDiagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
 
CHFI 1
CHFI 1CHFI 1
CHFI 1
 
File000176
File000176File000176
File000176
 
File000173
File000173File000173
File000173
 
File000168
File000168File000168
File000168
 
File000167
File000167File000167
File000167
 
File000166
File000166File000166
File000166
 
File000160
File000160File000160
File000160
 
File000159
File000159File000159
File000159
 
File000158
File000158File000158
File000158
 
File000156
File000156File000156
File000156
 
File000154
File000154File000154
File000154
 
File000153
File000153File000153
File000153
 

Recently uploaded

TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 

Recently uploaded (20)

TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 

File000171

Importance of Accreditation
Accreditation is important to support a risk management process
It assures the quality and standards of the organization
It guides managers and technical staff to implement:
• Effective security controls
• Mission requirements
• Technical constraints
• Operational constraints
• Cost/schedule constraints

Type Accreditation
Type accreditation may be issued by the Designated Approving Authority (DAA) for operating environments
It is used to accredit multiple instances of an application or system to operate at approved locations with the same type of computing environment
The DAA must provide a statement of residual risk and a clearly defined operating environment for the application and/or system
The DAA must identify the uses and operational procedures of the application or system
Security Test and Evaluation (ST&E) should take place at a central integration facility to support accreditation of the application and system

Type Accreditation (cont’d)

Site Accreditation
A site accreditation includes site-specific security and protection methods
It also contains the same information as a type accreditation
It identifies the usage and protection features of the training device
It contains the documentation of:
• Access policies
• Protection methods for securing sensitive data
• Physical security measures

Significance of NSTISSP
NSTISSP is a national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products
The policy was issued by the Chairman of the National Security Telecommunications and Information Systems Security Committee (NSTISSC)
It provides the standard for testing the design, quality, and performance of information technology products that provide confidentiality for data and authenticate the identities of individuals or organizations exchanging sensitive information
Products whose performance claims are validated under NSTISSP are marketed as IA products, which ensures that these products are responsive to the security needs of the intended user
Approval to Operate (ATO)
Approval to operate (ATO) is an official permission granted by the Designated Approving Authority (DAA) to operate an AIS or network in a particular security mode
Before granting the permission, the DAA verifies an accreditation statement to ensure that the residual risk is within acceptable limits
The DAA ensures that each AIS meets the AIS security requirements, as reported by the Information System Security Officers (ISSOs)
Responsibilities of ISSOs to get an ATO:
• Establishing and managing security for the systems which are operated by an agency, contractors, and command personnel
• Assigning the levels of classification required for applications which are operated in the network environment
• Verifying the accreditation plan and signing the accreditation statement for the network and AIS
• Verifying the documentation for AIS security requirements which are defined in the AIS network security program

Approval to Operate Form

Interim Approval to Operate (IATO)
IATO grants temporary authorization to process information and operate an Automated Information System (AIS) under defined conditions
IATO is provided by the DAA and is generally granted for one year
It provides for operating the AIS on the condition that the AIS reaches an acceptable level of risk
Purpose of IATO:
• Specifies the security mode
• Provides technical and non-technical protection measures against a defined threat
• Properly secures the operational environment
• Achieves short- and long-term goals
• Connects to other AISs or networks

Interim Approval to Operate (cont’d)
The interim approval letter contains:
• The organization’s letterhead and date of signature
• The specified security mode of operations and a specified data sensitivity or classification level
• Defined security safeguards
• System/operational applications
• A defined threat and stated vulnerabilities
• Stated interconnections to other systems
• A statement of acceptance of risk for the system
• A specified period of time
• A specified suite of hardware and software
• A specified operational environment
• Signature and signature block of the DAA

Sample IATO Letter: Screenshot
  • 17. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited System Security Authorization Agreement (SSAA) A SSAA is an information security document used in the United States Department of Defense (DoD) to describe and accredit networks and systems The SSAA is part of the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) The DoD instruction describes DITSCAP and provides an outline for the SSAA document
  • 18. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Contents of SSAA • Mission Description and System Identification • Environment Description • System Architectural Description • System Security Requirements • Organizations and Resources • DITSCAP Plan SSAA is divided into six sections:
• 19. Contents of SSAA (cont’d)
  Mission Description and System Identification:
  • System name and identification
  • System description
  • Functional description
  • System capabilities
  • System criticality
  • Classification and sensitivity of data processed
  • System user description and clearance levels
  • Life cycle of the system
  • System CONOPS summary
  Environment Description:
  • Operating environment
  • Facility description
  • Physical security
  • Administrative issues
  • Personnel
  • COMSEC
  • TEMPEST
  • Maintenance procedures
  • Training plans
  • Software development and maintenance environment
  • Threat description
• 20. Contents of SSAA (cont’d)
  System Architectural Description:
  • System architecture description
  • System interfaces and external connections
  • Data flow
  • Accreditation boundary
  System Security Requirements:
  • National and DoD security requirements
  • Governing security requisites
  • Data security requirements
  • Security CONOPS
  • Network connection rules
  • Configuration management requirements
  • Reaccreditation requirements
• 21. Contents of SSAA (cont’d)
  Organizations and Resources:
  • Organizations
  • Resources
  • Training
  • Other supporting organizations
  DITSCAP Plan:
  • Tailoring factors
  • Programmatic considerations
  • Security environment
  • Information system characteristics
  • Reuse of previously approved solutions
  • Tasks and milestones
  • Schedule summary
  • Level of effort
  • Roles and responsibilities
• 22. Justification for Waiver
  A waiver is justified in the following situations:
  • If an employee from one organization serves another organization as an assigned official duty and the integrity of the services would be affected
  • If an employee discloses official matters outside of the organization
  • If an employee is not involved in any service grants, contracts, or other financial matters of the organization
  • If an employee is involved in problematic matters such as funding, regulatory, or investigatory matters affecting the financial interests of the organization
• 23. Cost-Benefit Analysis
  Cost-benefit analysis is a decision-making process used in public finance
  It is used to determine which alternative is expected to provide the best return for a proposed investment
  The process suits businesses as well as not-for-profit entities and governmental units
  A business might use cost-benefit analysis to evaluate whether additional funds should be invested in a facility in the home country or in another country
  Federal government agencies use it to evaluate which of several projects is expected to be most used by interested citizens
• 24. Information Classification
  Classification of information is important for protecting information from leakage
  It is done according to the sensitivity and importance of the information
  Information can be classified as:
  • Restricted
  • Sensitive
  • Operational
  • Unrestricted
• 25. Importance of Information Classification
  Classifying information helps to protect important and confidential information from leakage
  It also helps to prevent unauthorized access to the information
  Classification makes the sensitivity of the information clear
  It also suggests when and how to use the information strategically
• 26. Investigative Authorities
  Roles and responsibilities of investigative authorities include:
  • The proper investigative channels are used according to the appropriate expertise and jurisdiction
  • Appropriate resources and expertise are brought in for the timely and thorough review of reports
  • Communication occurs across investigative channels as and when necessary to ensure coordinated and comprehensive attention
  • Steps are taken to monitor significant elements and the progress of investigations
  • Timely advice is provided on the corrective and remedial action that may be needed to address investigative findings
• 27. Key Management Infrastructure
  The IEEE P1619 standard from the Security in Storage Working Group (SISWG) will make it easier to manage the keys used to encrypt data in storage
  The standard abstracts the components of a cryptographic system into a key-management server, a key-management client, and a cryptographic unit
  The key-management server creates and distributes keys as well as the policies governing them
  Key-management clients obtain keys and policies from a key-management server on behalf of a cryptographic unit
  The actual encryption and decryption operations with the keys obtained by the key-management clients are performed by the cryptographic unit
• 28. Key Management Infrastructure (cont’d)
  [Diagram: key-management servers distributing keys and policies to key-management clients, each acting for a cryptographic unit]
• 29. Information Marking
  Labeling information according to its sensitivity and confidentiality is called information marking
  Information marking helps to separate sensitive information from other, non-critical information and to determine the appropriate controls for it
  It also helps to decide who may access the information according to the designation and authority of the user
• 30. Certification Test & Evaluation (CT&E)
  CT&E comprises the software and hardware security tests conducted during the development of the information system
  Penetration testing is conducted to test the security of the information system
  It is a complex test process that follows the standards and guidelines provided by the accredited certification bodies
• 31. Certification Tools
  Certification tools provide assistance in different stages of the certification process
  These tools can be compared along several dimensions, such as the certification stages supported, the targeted industry sectors, and their features
  They provide support for the system analysis, system implementation, system review, and maintenance stages
  They are targeted specifically at the manufacturing sector, the general business sector, assessment activities, and documentation
  No single tool covers all activities of the certification process
• 32. Product Assurance
  Product assurance is defined as the management function that verifies customer requirements
  The protection profile standard is followed to provide product assurance
  All the security targets are tested to provide product assurance
  Characteristics of product assurance:
  • All critical activities are identified
  • Required resources are made available for each activity
  • All resources are applied efficiently and effectively
• 33. Protection Profiles
  A Protection Profile is an implementation-independent specification of information assurance security requirements
  It provides a complete combination of security objectives, security-related functional requirements, information assurance requirements, assumptions, and rationale
  It rigorously states a security problem for a given collection of systems or products
  It specifies security requirements to address that problem without dictating how those requirements will be implemented
• 34. Security Targets
  A Security Target is defined as the information assurance security requirements for a given information system product
  It is a complete and rigorous description of a security problem in terms of the Target of Evaluation (TOE) description, threats, assumptions, security objectives, security functional requirements (SFRs), security assurance requirements (SARs), and rationales
  It contains implementation-specific information that demonstrates how the product addresses the security requirements
  It may refer to one or more protection profiles
• 35. Contracting For Security Services
  Guidelines for contracting security services:
  • Lay down clear written policies and procedures governing the procurement of contract security services
  • Cover in the procedures the methods to be adopted in obtaining these services
  • Ensure the procurement process is fair and transparent so that all eligible contractors can compete (e.g., competitive tendering)
  • Regularly review and update these procurement policies and procedures
• 36. Disposition of Classified Material
  The destruction method is chosen depending on the media type and the data storage mechanism
  The media and data destruction methods are as follows:
  • Non-volatile magnetic (hard disk drives): pattern wiping, incineration, and physical destruction
  • Write-once optical (CD-ROM and DVD-R): abrasion, incineration, and physical destruction
  • Write-many optical (CD-RW and DVD-RW): abrasion, incineration, and physical destruction
  • Solid-state: pattern wiping and physical destruction
  • Paper-based: shredding and incineration
• 37. Optical Remanence
  Optical remanence is the residual information that remains on optical storage media even after the data has been removed
  Physical destruction fully erases the information stored on CD-ROM, CD-R, and DVD-R
  Shredders are an inexpensive and convenient means of disposing of optical storage media
• 38. Magnetic Remanence
  Magnetic remanence is the magnetic representation of residual information stored on hard drives, floppy disks, or magnetic tapes
  Some residue of the information remains on hard drives and floppy disks even after the data has been removed
  It can be addressed with a degausser
  Degaussing is the process of thoroughly erasing the data on magnetic media
• 39. Facilities Planning
  Facility planning is important for the smooth functioning of the organization
  Steps in facility planning:
  • Problem definition
  • Analysis & synthesis
  • Alternatives
  • Evaluation
  • Selection
  • Implementation
  Facility planning should be:
  • Flexible and open-ended
  • Attentive to the needs
  • Affordable
• 40. Importance of Facilities Planning
  Facilities planning helps to minimize overall production time
  It effectively utilizes space, people, equipment, and energy
  It facilitates ease of maintenance
• 41. System Disposition/Reutilization
  The steps for system disposition/reutilization are as follows:
  • Develop a system disposition plan:
    • Verify that software/applications have not been compromised
    • Archive or transfer data, software components, and life cycle documentation and artifacts
  • Dispose of equipment:
    • Ensure that the equipment is disposed of in accordance with the system’s disposition plan
    • Any equipment that can be used elsewhere in the organization shall be recycled
  • Conduct a disposition review:
    • Document the lessons learned from the shutdown and archiving of the terminated system
  Improper system disposition can lead to disruption in routine system operations
• 42. Life Cycle System Security Planning
  Steps for life cycle system security planning are as follows:
  • Appraise the life-cycle system security planning proposed by the development team
  • Assist with the information security planning for life-cycle system security
  • Explain the life-cycle system security planning to the development team
  • Influence the development team's approach to life-cycle system security planning
  • Verify that the life-cycle system security planning has been accomplished
  It is important because the development team continually evaluates it to find deficiencies in the existing security plan
• 43. System Security Architecture
  Security architecture is a simplified view of the overall system architecture from a security perspective
  It should be established as an integral part of the system’s architecture
  It consists of those attributes of the architecture that deal with protecting or safeguarding the operational assets
  It includes network architecture or physical connectivity architectures
  It focuses on:
  • System security services and high-level mechanisms
  • Allocation of security-related functionality
  • Identified interdependencies among security-related components, services, mechanisms, and technologies
• 44. C&A Process for the Information System
  Phase I: Definition
  • This phase deals with documenting the security requirements, assigning responsibilities, and negotiating agreement among stakeholders
  Phase II: Verification
  • This phase begins with preparing the system security authorization agreement and continues with the certification analysis
  Phase III: Validation/Certification & Accreditation
  • This phase deals with analyzing the findings of the vulnerability test and the certification test, and the statement of certification provided by the certification authority
  Phase IV: Post Accreditation
  • This phase deals with reviewing the system’s security authorization agreement and monitoring system operations to ensure the requirements continue to be fulfilled
• 45. C&A Life Cycle (diagram)
• 46. Responsibilities Associated with Accreditation
  The C&A process ensures that the information system achieves the standard security requirements and continuously maintains the accredited security posture through periodic recertification
  Information assurance (IA) security controls are the management protection schemes provided to an information system to achieve the required level of confidentiality, integrity, and availability by identifying threats and vulnerabilities through risk assessment
  The C&A process identifies security requirements and provides the process for identifying and testing the IA security controls for those requirements
• 47. Roles Associated with Certification
  Roles associated with certification:
  • Chief Information Officer:
    • Agency official responsible for designating a senior agency information security officer
  • Authorizing Official:
    • Senior management official responsible for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals
  • Designated Representative:
    • Responsible for coordinating and carrying out the necessary activities during the security certification and accreditation of an information system
  • Senior Agency Information Security Officer:
    • Agency official responsible for carrying out the Chief Information Officer’s responsibilities under FISMA
  • User Representatives:
    • Represent the operational interests of the user community and serve as liaisons for that community throughout the system development life cycle of the information system
• 48. Roles Associated with Certification (cont’d)
  • Information System Owner:
    • Responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system
  • Information Owner:
    • Has statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, and dissemination
  • Information System Security Officer:
    • Responsible to the authorizing official and the information system owner for ensuring that the appropriate operational security posture is maintained for an information system
  • Certification Agent:
    • Responsible for conducting a security certification or comprehensive assessment of the management controls in an information system
• 49. Information Ownership
  Information ownership is the responsibility for protecting confidential data
  It allows only a selected group of people to view the confidential information
  It provides the following types of protection:
  • Confidentiality:
    • Only authorized persons are allowed to view the document
  • Integrity:
    • Only appropriate persons can change the content of the document
  • Availability:
    • Ensures that the information is available when you need it
• 50. Summary
  Accreditation is the voluntary process of being certified for meeting minimum requirements designated by an accrediting agency
  Type accreditation may be issued by the Designated Approving Authority (DAA) for operating environments
  NSTISSP is a national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products
  IATO grants temporary authorization to process information and operate an Automated Information System (AIS) under defined conditions
  The SSAA is part of the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
  CT&E comprises the software and hardware security tests conducted during the development of the information system