This document provides an overview of the Risk Management Framework (RMF) and the NIST Special Publication 800-37 Revision 2. It discusses the RMF roles and responsibilities, improvements made in Revision 2 including integrating privacy and supply chain risk management, and the RMF tasks. It also provides timelines for the development and public comment process of SP 800-37 Revision 2 and the upcoming Revision 5 of SP 800-53.
This document outlines the Risk Management Framework which includes 3 phases for managing risk to systems and information. Phase 1 is certification where the system is categorized, controls are selected and implemented, and controls are assessed. Phase 2 is accreditation where the authorizing official accepts any residual risk of the system. Phase 3 is continuous monitoring where controls are monitored on an ongoing basis and the security plan and any issues are updated. It provides steps for each phase including tasks like categorizing the system, developing security plans, assessing controls, issuing accreditation documents, and ongoing monitoring activities.
This document provides summaries of several NIST publications related to computer security:
1) SP 500-299 describes a NIST Cloud Computing Security Reference Architecture framework that identifies security components for securing cloud environments and operations.
2) SP 500-304 defines a conformance testing methodology for ANSI/NIST-ITL 1-2011, a standard for biometric data interchange.
3) SP 800-1 is a bibliography of selected computer security publications from 1980 to 1989 covering access controls, auditing, cryptography, and other topics.
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd, by James W. De Rienzo
This document provides a summary of key areas and objectives for cyber security frameworks. It discusses concepts for detecting anomalies and events, maintaining detection processes, performing security continuous monitoring, identifying assets and the business environment, assessing risks, establishing a risk management strategy, controlling access to assets, providing security awareness training, protecting data and information, maintaining security policies and procedures, and performing maintenance. The document lists specific objectives and related standards for each concept area.
- The majority of respondents (73%) are aware of the Critical Security Controls and have adopted or plan to adopt them.
- The top drivers for adopting the Controls are improving visibility of attacks, improving response capabilities, and reducing security risks.
- The greatest barriers to implementing the Controls are operational silos within organizations and a lack of security training.
- Most organizations have performed initial gap assessments of their security posture compared to the Controls, but over 70% rely heavily on manual processes for assessments.
Extending the 20 critical security controls to gap assessments and security m..., by John M. Willis
Extending the 20 critical security controls to gap assessments and security maturity modeling.
Specifically, the controls are decomposed into Base Practices from a Process perspective.
Implementation approaches are viewed from a Robustness perspective.
Assessing Risk: Developing a Client/Server Security Architecture, MIT, by Dave Millaar
The document discusses the formation of a task force at the University of Pennsylvania to address security risks posed by new financial and data warehouse systems utilizing client/server technologies. The task force was charged with identifying threats, validating them, and developing solutions. They surveyed peer institutions, identified trends in security technologies, and outlined a methodology that included identifying assets and threats, validating threats, and developing solutions. The scope of the task force's work initially focused on the new systems but was expanded to consider some mainframe security issues as well.
This document is NIST Special Publication 800-53 Revision 4 which provides a catalog of security and privacy controls for federal information systems. It aims to protect operations, assets, individuals and organizations from threats. The controls are customizable and part of an organization-wide risk management process. It also describes developing specialized control overlays for specific environments. Finally, it addresses security from functionality and assurance perspectives to ensure systems are sufficiently trustworthy.
Introduction to NIST’s Risk Management Framework (RMF), by Donald E. Hester
This introductory session will cover the basic steps of the Risk Management Framework (RMF) and the transition away from the previous Certification and Accreditation approach to information systems security and assurance. It will also cover the benefits of the RMF for organizations and for local, state, and federal governments.
Are existing compliance requirements sufficient to prevent data breaches? This session will provide a technical assessment of the 2019 Capital One data breach, illustrating the technical modus operandi of the attack and identifying related compliance requirements based on the NIST Cybersecurity Framework. Attendees will learn the unexpected impact of corporate culture on overall cyber security posture.
This talk was presented at RSA Conference 2021 (Session RMG-T15) on May 18, 2021.
Original paper available for download at SSRN: Novaes Neto, Nelson and Madnick, Stuart E. and Moraes G. de Paula, Anchises and Malara Borges, Natasha, A Case Study of the Capital One Data Breach (28/04/2020). https://ssrn.com/abstract=3570138
This document discusses software security engineering. It covers security concepts like assets, vulnerabilities and threats. It discusses why security engineering is important to protect systems from malicious attackers. The document outlines security risk management processes like preliminary risk assessment. It also discusses designing systems for security through architectural choices that provide protection and distributing assets. The document concludes by covering system survivability through building resistance, recognition and recovery capabilities into systems.
Building a Product Security Practice in a DevOps World, by Arun Prabhakar
This document discusses building a product security practice in a DevOps world. It outlines key product security capabilities that enterprises should establish throughout the product lifecycle, including threat modeling, secure coding, software composition analysis, penetration testing, and continuous monitoring. It also discusses the importance of establishing governance around product security through defining roles, processes, and controls for different functions like business, operations, and security. The goal is to integrate software and product lifecycles in a coherent manner so that final products are secure without slowing down development.
This document discusses network security and provides information on key security concepts. It covers prevention, detection, and response as the foundation of security. Integrity, confidentiality, availability, and authentication are discussed in detail. The document emphasizes that network security is as much about business processes and policies as technical controls. Overall, prevention is the most important and cost-effective approach to security. Detection and response procedures should also be established in case preventative controls fail.
Prioritizing an audit program using the 20 critical controls, by EnclaveSecurity
This document discusses prioritizing an audit program using the Consensus Audit Guidelines (CAG). It outlines how audit groups have historically focused on accounting, fraud, and compliance rather than security. It also notes challenges like a lack of accepted security audit practices and subjective risk measurements. The document introduces the 20 Critical Controls as a framework that prioritizes important controls, provides guidance on truly auditing security, and helps with audit strategy, automation, and reporting. It provides examples of technical tests that can be used to evaluate whether controls are effectively meeting their security goals.
This document introduces version 6.0 of the Center for Internet Security's Critical Security Controls (CIS CSCs) for effective cyber defense. It provides an overview of the 20 CIS CSCs, which are a prioritized set of actions that collectively form a defense-in-depth approach to security. The controls focus on systematically improving an organization's cyber defenses to mitigate known attack techniques. The document also includes appendices that discuss evolving attack models, aligning the controls with other frameworks like NIST, and considerations for privacy impact assessments.
This document provides a comprehensive checklist to help create or audit an IT security policy. The checklist covers a wide variety of topics including web browsing, usernames/passwords, email, file access permissions, backups, disaster recovery, physical security, and security for PCs/laptops. For each topic, it lists key planning items and considerations to develop a thorough policy that protects organizational assets and data.
Secure by design and secure software development, by Bill Ross
This secure lifecycle management process (SLCMP, pronounced "slickum") defines the basic and most realistic way to develop secure software. While the briefing is a bit dated, slide 34 is still a very relevant process. What is below the green line is the dynamic security process that runs in support of the basic development process shown above the green line. SLCMP is supported by building a complementary information risk framework system security plan, or IRASSP. SLCMP is operationally deployed.
Information Assurance Metrics: Practical Steps to Measurement, by EnclaveSecurity
Show up to a security presentation, walk away with a specific action plan. In this presentation, James Tarala, a senior instructor with the SANS Institute, will be presenting on making specific plans for information assurance metrics in an organization. Clearly this is an industry buzzword at the moment (listen to presentations on the 20 Critical Controls, NIST guidance, or industry banter). Security professionals have to know that their executives are discussing the idea. So exactly how do you integrate information assurance metrics into action in an organization and actually achieve value from the effort? Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of their security program. Small steps are better than no steps, and by the end of this presentation, students will have a start on integrating metrics into their information assurance program.
The document discusses how to implement standards from the National Institute of Standards and Technology (NIST) Cybersecurity Framework in an organization. It covers the origins and goals of the NIST CSF, how it applies to organizations, the five pillars of the framework (Identify, Protect, Detect, Respond, Recover), common mistakes to avoid when implementing it, and leaves time for questions. The overall purpose of the NIST CSF is to help organizations manage cybersecurity risks through a common language and comprehensive programs.
NIST 800-30 Intro to Conducting Risk Assessments - Part 1, by Denise Tawwab
The document discusses NIST Special Publication 800-30, which provides guidance on conducting risk assessments. It describes the key steps in the risk management process, including framing risk, assessing risk, responding to risk, and monitoring risk. The risk assessment process involves identifying threats, vulnerabilities, potential impacts, and likelihoods to determine risks. NIST SP 800-30 focuses specifically on the risk assessment component and provides a methodology for conducting risk assessments.
Information Assurance, A DISA CCRI Conceptual Framework, by James W. De Rienzo
The document provides an overview of the Defense Information Systems Agency's (DISA) Command Cyber Readiness Inspection (CCRI) process. It discusses:
1) The background and phases of the CCRI program, which evaluates sites' security posture and compliance.
2) How CCRIs determine compliance with DISA security requirements and involve aspects beyond just technical compliance.
3) A proposed conceptual framework for the CCRI process, consisting of four phases: defining inspection scope, inspecting assets, documenting observations, and reporting findings.
The document discusses various aspects of program security including types of flaws, malicious code, and controls against threats. It describes different types of flaws such as buffer overflows, incomplete mediation, and time-of-check to time-of-use errors. Malicious code like viruses, trojan horses, and worms are also explained. Controls during software development include following principles of modularity, encapsulation, and information hiding. Techniques like code reviews and testing aim to identify and fix flaws to enhance program security.
The document contains 89 entries listing security compliance standards and their implementation specifications. It appears to be an audit checklist for an organization to evaluate their adherence to various healthcare security regulations. Each entry includes the regulatory standard being addressed, such as "Security Management Process" or "Contingency Plan" along with questions about how the organization implements policies, procedures, documentation and other controls to satisfy each standard.
Importance Of Structured Incident Response Process, by Anton Chuvakin
This document discusses the importance of having a structured incident response process and methodology. It outlines the SANS Six Step incident response methodology, which includes preparation, identification, containment, eradication, recovery, and follow-up. An example incident involving a worm at Example Corporation is provided to illustrate how having a structured response process allows the organization to more effectively identify, contain, and recover from the incident. The document emphasizes that response is an important part of the overall security prevention, detection, response model and that having a standardized methodology helps ensure all necessary steps are followed during an incident.
1. The document discusses threat modeling and security principles like reducing attack surface, defense in depth, and least privilege. It provides examples of how these principles can be applied, like turning off unused ports and services to reduce attack surface.
2. Defense in depth is explained as having multiple layers of defense so that if one layer is breached, the next prevents damage. An example is provided of how Windows Server 2003 was unaffected by a vulnerability through defense in depth techniques.
3. These include changes to the underlying code, default configuration differences, and additional protections like buffer overrun detection that together prevented exploitation even if the vulnerability was present.
NIST SP 800-37 Revision 2 updates guidelines for applying the Risk Management Framework to federal information systems. It aims to improve communication between risk management processes at the organizational and system levels, institutionalize critical enterprise-wide preparatory activities, demonstrate how to implement the Cybersecurity Framework using NIST processes, and integrate privacy concepts. The revision emphasizes establishing organizational preparation activities centered around roles, strategy, stakeholders, information lifecycles, system placement, and monitoring. It also coordinates with updates to NIST SP 800-53 regarding security and privacy controls.
This document discusses an upcoming presentation on the Risk Management Framework (RMF). The presentation goals are to review RMF terminology and resources, set expectations for documentation, provide examples for discussion, and address authorization requests. The presentation will cover RMF basics, terminology, resources, the RMF process, and transitioning from the previous Certification and Accreditation process to RMF. It will discuss key RMF concepts like security controls, continuous monitoring, and the roles of stakeholders in the RMF process.
NIST SP 800-37 Revision 2 updates guidelines for applying the Risk Management Framework to federal information systems. It aims to improve communication between risk processes at executive and operational levels, institutionalize enterprise-wide risk preparation, demonstrate how to use the Cybersecurity Framework through RMF, and integrate privacy concepts. A key objective is putting organizational preparation activities like role assignment and risk strategy development at the center.
NIST SP 800-34, Revision 1 updates the guidance for contingency planning for federal information systems. The revision:
- Aligns with NIST SP 800-53 and incorporates contingency planning into the Risk Management Framework.
- Provides more templates and guidance for developing system-specific contingency plans tailored to impact levels.
- Clarifies relationships between various continuity/contingency plans like COOP, BCP, and ISCPs.
- Links testing, training, and exercise requirements more closely to NIST and FIPS standards.
Comparative of risk analysis methodologies (Ramiro Cid)
A Comparison done by me of 3 different risk analysis methodologies: CRAMM, NIST and Octave.
This document provides an overview of NIST SP 800-37, Revision 1, which establishes a risk management framework (RMF) for federal information systems. The RMF is a six-step process for managing risk to systems: (1) categorize the system, (2) select security controls, (3) implement controls, (4) assess controls, (5) authorize the system, and (6) monitor controls continuously. The RMF aims to integrate security into system development lifecycles and provide near real-time risk management through continuous monitoring. It also links system-level risk management to the organizational level through a risk executive function.
This document provides guidance on securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLC). It discusses ICS and typical topologies, identifies common threats and vulnerabilities, and recommends security countermeasures. The document aims to address ICS unique performance, reliability, and safety requirements. It has been updated with the latest ICS threats, practices, architectures, activities, and security capabilities. An overlay of tailored NIST SP 800-53 controls for low, moderate, and high impact ICS is included.
Implementing CSIRT based on some frameworks and maturity model (Rakuten Group, Inc.)
We implemented CSIRT based on some frameworks and maturity models, including the FIRST Service Framework, SIM3 and some documents devised in Japan. We will explain how to use these documents in this presentation.
This document provides a Cyber Incident Response Plan (CIRP) for an organization. It outlines the roles and responsibilities for responding to cyber incidents, including establishing a Cyber Incident Response Team (CIRT) and Crisis Management Team. The CIRP describes an 8-step incident response process that includes preparing, identifying, analyzing, containing, eradicating, recovering from, reporting on, and learning from incidents. It also provides guidance on communications, updating the plan, and includes appendices on forensic imaging, contact information for response teams, and abbreviations.
Developing a Continuous Monitoring Action Plan (Tripwire)
At the direction of OMB and NIST, security and IT pros in federal government must develop plans to implement "continuous monitoring," the practice of using IT security controls to constantly monitor and manage the security status of their information systems and networks. The transition from static security to continuous monitoring requires a new approach to IT security, and IT teams must devise a strategy and roadmap to be successful.
In this editorial Webcast, cybersecurity experts discuss the tools and processes involved in moving from a traditional security environment to one designed around continuous monitoring. This Webcast will help government IT pros:
- Understand the objectives of continuous monitoring, such as reduced threat exposure through real-time risk assessment and response.
- Identify the steps involved, including determining the security impact of changes to IT systems and producing assessment reports.
- Assess system requirements in areas such as malware detection and event and incident management.
- Determine the need for upgrades and investment in new technologies.
Risk Management for Public Cloud Projects (Alex Mags)
Use NIST Risk Management and Cybersecurity Frameworks to understand and manage business risk as you extend the network to public cloud or move data outside the datacentre perimeter.
A Comprehensive Overview Of Techniques For Measuring System Readiness Final ... (jbci)
This document discusses several techniques for measuring system readiness, including Technology Readiness Levels (TRL), Risk Identification, Integration, and Illities (RI3), Advancement Degree of Difficulty (AD2), and various System Readiness Level (SRL) approaches. It provides an overview of each technique, how they are used, and what aspects of readiness they aim to evaluate, such as design maturity, integration complexity, and manufacturing readiness. The document also lists several tools that have been developed to help conduct assessments using these techniques.
RiskWatch for Physical & Homeland Security™ (CPaschal)
RiskWatch for Physical and Homeland Security™ assists the user in conducting automated risk analyses, physical security reviews, audits and vulnerability assessments of facilities and personnel. Security threats addressed include crimes against property, crimes against people, equipment or system failure, terrorism, natural disasters, fire and bomb threats. Question sets include entry control, perimeters, fire, facilities management, guards, and a specialized set of questions for the maritime/shipping industry. New ASP functionality allows the organization in question to put the entire questionnaire process on its own server, where users can log in by ID number and answer the questions appropriate to their job. From there, all answers are instantly imported into the RiskWatch for Physical and Homeland Security™ program.
Project #3 IT Security Controls Baseline for Red Clay Renovations.docx (stilliegeorgiana)
Project #3: IT Security Controls Baseline for Red Clay Renovations
To ensure compatibility with existing policy and documentation, Red Clay Renovations’ IT Security policies, plans, and procedures will continue to use the following security control classes (management, operational, technical), as defined in NIST SP 800-53 rev 3 (p. 6).
Security Controls Baseline
Red Clay Renovations Security Controls Baseline shall include the security controls listed below. Security control definitions and implementation guidance shall be obtained from the most recent version of NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
1. AC: Access Controls (Technical Controls Category)

| Control | Title | Baseline (selected control and enhancements) |
|---|---|---|
| AC-1 | Access Control Policy and Procedures | AC-1 |
| AC-2 | Account Management | AC-2 (1) (2) (3) (4) |
| AC-3 | Access Enforcement | AC-3 |
| AC-4 | Information Flow Enforcement | AC-4 |
| AC-5 | Separation of Duties | AC-5 |
| AC-6 | Least Privilege | AC-6 (1) (2) (5) (9) (10) |
| AC-7 | Unsuccessful Logon Attempts | AC-7 |
| AC-8 | System Use Notification | AC-8 |
| AC-11 | Session Lock | AC-11 (1) |
| AC-12 | Session Termination | AC-12 |
| AC-14 | Permitted Actions without Identification or Authentication | AC-14 |
| AC-17 | Remote Access | AC-17 (1) (2) (3) (4) |
| AC-18 | Wireless Access | AC-18 (1) |
| AC-19 | Access Control for Mobile Devices | AC-19 (5) |
| AC-20 | Use of External Information Systems | AC-20 (1) (2) |
| AC-21 | Information Sharing | AC-21 |
| AC-22 | Publicly Accessible Content | AC-22 |

2. AT: Awareness and Training (Operational Controls Category)

| Control | Title | Baseline (selected control and enhancements) |
|---|---|---|
| AT-1 | Security Awareness and Training Policy and Procedures | AT-1 |
| AT-2 | Security Awareness Training | AT-2 (2) |
| AT-3 | Role-Based Security Training | AT-3 |
| AT-4 | Security Training Records | AT-4 |

3. AU: Audit and Accountability (Technical Controls Category)

| Control | Title | Baseline (selected control and enhancements) |
|---|---|---|
| AU-1 | Audit and Accountability Policy and Procedures | AU-1 |
| AU-2 | Audit Events | AU-2 (3) |
| AU-3 | Content of Audit Records | AU-3 (1) |
| AU-4 | Audit Storage Capacity | AU-4 |
| AU-5 | Response to Audit Processing Failures | AU-5 |
| AU-6 | Audit Review, Analysis, and Reporting | AU-6 (1) (3) |
| AU-7 | Audit Reduction and Report Generation | AU-7 (1) |
| AU-8 | Time Stamps | AU-8 (1) |
| AU-9 | Protection of Audit Information | AU-9 (4) |
| AU-10 | Non-repudiation | Not Selected |
| AU-11 | Audit Record Retention | AU-11 |
| AU-12 | Audit Generation | AU-12 |

4. CA: Security Assessment and Authorization (Management Controls Category)

| Control | Title | Baseline (selected control and enhancements) |
|---|---|---|
| CA-1 | Security Assessment and Authorization Policies and Procedures | CA-1 |
| CA-2 | Security Assessments | CA-2 (1) |
| CA-3 | System Interconnections | CA-3 (5) |
| CA-5 | Plan of Action and Milestones | CA-5 |
| CA-6 | Security Authorization | CA-6 |
| CA-7 | Continuous Monitoring | CA-7 (1) |
| CA-9 | Internal System Connections | CA-9 |

5. CM: Configuration Management (Operational Controls Category)

| Control | Title | Baseline (selected control and enhancements) |
|---|---|---|
| CM-1 | Configuration Management Policy and Procedures | CM-1 |
| CM-2 | Baseline Configuration | CM-2 (1) (3) (7) |
| CM-3 | Configuration Change Control | CM-3 (2) |
| CM-4 | Security Impact Analysis | CM-4 |
| CM-5 | Access Restrictions fo ... | |
The document discusses the Common Vulnerability Scoring System (CVSS). It provides a history of CVSS and describes the development of CVSS version 2. It outlines the base, temporal, and environmental metrics used in CVSS scoring. It notes some caveats in CVSS scoring, including subjective interpretations by vendors and a lack of representation from some groups. It also discusses politics around CVSS scoring and challenges in initial adoption.
Understanding the NIST Risk Management Framework: 800-37 Rev. 2 (Denise Tawwab)
Denise Tawwab's presentation on "Understanding the NIST Risk Management Framework" given at the Techno Security & Digital Forensics Conference on June 3, 2019 in Myrtle Beach, SC.
The document summarizes the process and benefits of conducting an SAP security and compliance audit using the SAST SUITE tool. The audit focuses on authorization management, system configuration, and ABAP development/customizing. SAST SUITE comprehensively checks over 4,000 system settings and authorization rules. It generates a detailed report highlighting vulnerabilities and recommendations for remediation. On average, SAST SUITE can complete an audit in half the time required for a manual audit, reducing the resource burden on audited departments.
Analyze:
1. Foreign Stock
a. Samsung Electronics LTD. (Korean Stock Exchange)
b. Focus on phone explosions
*Monitor their performance throughout the semester (begin: 9/15/2016, end: 12/2/2016), reflecting on the performance of each at the end of the semester, and providing a forward looking discussion of their prospects as of end of the semester.
→ what happened, why, recommendation/opinion (hold, sell), future performance
*the more graphs/data the better!!
Grading of the project will be based on the following criteria: (1) the neatness of the written report, (2) the extensiveness and relevance of research information gathered regarding each asset, (3) the inclusion of your own opinions and observations in the report
Fill this out:
Price Information on Holdings
Foreign Stock
Ticker
Beginning Value on __/__/___
in Local Currency
Exchange Rate of Local Currency with USD on __/__/____
Beginning Value on __/__/___
in USD
Ending Value on __/__/___
in Local Currency on __/__/____
Exchange Rate of Local Currency with USD on __/__/____
Ending Value on __/__/___
in USD
Percentage Change in the Value of Local Currency
Percentage Change in the Value of Stock in Local Currency
Percentage Change in the Value of Stock in USD
Framework for Improving Critical Infrastructure Cybersecurity
Version 1.0
National Institute of Standards and Technology
February 12, 2014
Table of Contents
- Executive Summary
- 1.0 Framework Introduction
- 2.0 Framework Basics
- 3.0 How to Use the Framework
- Appendix A: Framework Core
- Appendix B: Glossary
- Appendix C: Acronyms
List of Figures
- Figure 1: Framework Core Structure
- Figure 2: Notional Information and Decision Flows within an Organization
List of Tables
- Table 1: Function and Category Unique Identifiers
- Table 2: Framework Core
Cybersecurity Priorities and Roadmap: Recommendations to DHS (John Gilligan)
This document provides recommendations to the Department of Homeland Security on cybersecurity priorities and a roadmap. It outlines a phased approach over several years to improve the overall cybersecurity posture. Phase I focuses on establishing a baseline of security across government systems through mandates and best practices. Phase II enhances security controls and expands training and collaboration. The roadmap calls for securing infrastructure, changing culture, improving the IT business model, developing the workforce, and advancing technologies over time to reduce vulnerabilities and attacks on critical systems.
Many companies and agencies conduct IT audits to test and assess the.docx (tienboileau)
Many companies and agencies conduct IT audits to test and assess the rigor of IT security controls in order to mitigate risks to IT networks. Such audits meet compliance mandates by regulatory organizations. Federal IT systems follow Federal Information System Management Act (FISMA) guidelines and report security compliance to US-CERT, the United States Computer Emergency Readiness Team, which handles defense and response to cyberattacks as part of the Department of Homeland Security. In addition, the Control Objective for Information Technology (COBIT) is a set of IT security guidelines that provides a framework for IT security for IT systems in the commercial sector.
These audits are comprehensive and rigorous, and negative findings can lead to significant fines and other penalties. Therefore, industry and federal entities conduct internal self-audits in preparation for actual external IT audits, and compile security assessment reports.
In this project, you will develop a 12-page written security assessment report and an executive briefing (slide presentation) for a company and submit the report to the leadership of that company.
There are six steps to complete the project. Most steps in this project should take no more than two hours to complete, and the project as a whole should take no more than three weeks to complete. Begin with the workplace scenario, and then continue to Step 1.
Step 1: Conduct a Security Analysis Baseline
In the first step of the project, you will conduct a security analysis baseline of the IT systems, which will include a data-flow diagram of connections and endpoints, and all types of access points, including wireless. The baseline report will be part of the overall security assessment report (SAR).
You will get your information from a data-flow diagram and report from the Microsoft Threat Modeling Tool 2016. The scope should include network IT security for the whole organization. Click the following to view the data-flow diagram:
[diagram and report]
Include the following areas in this portion of the SAR:
- Security requirements and goals for the preliminary security baseline activity.
- Typical attacks to enterprise networks and their descriptions. Include Trojans, viruses, worms, denial of service, session hijacking, and social engineering. Include the impacts these attacks have on an organization.
- Network infrastructure and diagram, including configuration and connections. Describe the security posture with respect to these components and the security employed: LAN, MAN, WAN, enterprise. Use these questions to guide you:
  - What are the security risks and concerns?
  - What are ways to get real-time understanding of the security posture at any time?
  - How regularly should the security of the enterprise network be tested, and what type of tests should be used?
  - What are the processes in play, or to be established, to respond to an incident?
Workforce skill is a critical success factor in any.
Similar to NIST Framework for Information System (20)
Digital forensic principles and procedure (newbie2019)
This document provides an overview of digital forensics principles and procedures. It discusses key guidelines for digital forensic investigations from organizations like ACPO and NIJ. The core principles of digital forensics are outlined, including that investigators should not alter original data and must have the skills to explain their examination process. The document also categorizes different types of digital forensics like computer, mobile, and audio/video forensics. The typical processes in a digital investigation are identified as identification, preservation, analysis, documentation, and presentation. Evidence can come from various electronic sources like computers, phones, and storage devices.
This document provides an overview of digital forensics. It defines digital forensics and forensic science. Digital forensics involves the preservation, collection, analysis and presentation of digital evidence. There are different branches of digital forensics related to different devices. Examples of digital evidence include emails, photos, transaction logs, documents and computer memory contents. Characteristics of good digital evidence are that it is admissible, authentic, fragile, accurate and convincing. Several digital forensic models are described that involve multiple phases of an investigation. The benefits of digital forensics include protecting against theft, fraud, hacking and viruses. Skills required for digital forensics include technical experience, strong analysis and evidence handling skills.
This document provides an introduction and overview of an IT Forensics course. The course objectives are to understand basic IT Forensics concepts and various forensic methods for file systems, operating systems, web, networks, computers, and mobile devices. The course material will cover topics like digital forensic principles, triage procedures, analyzing file systems, mobile forensics, audio forensics, video forensics, image forensics, and network forensics tools. Students are expected to attend at least 80% of classes and follow Teknokrat rules. Grading will be based on quizzes, assignments, midterms, and a final exam. The course website provides additional resources. Digital forensics is
This document discusses incident response and handling. It outlines the key steps in the incident response process: preparation, identification, containment, eradication, recovery, and lessons learned. Preparation involves forming a response team, developing procedures, and gathering resources. Identification involves determining the scope of an incident and preserving evidence. Containment focuses on limiting the damage of an incident through actions like quarantining systems, analyzing initial data, and making backups. Eradication aims to completely remove malicious software from affected systems.
This document discusses SQL injection attacks and how to mitigate them. It begins by defining injection attacks as tricks that cause an application to unintentionally include commands in user-submitted data. It then explains how SQL injection works by having the attacker submit malicious SQL code in a web form. The document outlines several examples of SQL injection attacks, such as unauthorized access, database modification, and denial of service. It discusses techniques for finding and exploiting SQL injection vulnerabilities. Finally, it recommends effective mitigation strategies like prepared statements and input whitelisting to protect against SQL injection attacks.
- Cross-site scripting (XSS) occurs when malicious scripts are executed in a user's browser from a vulnerable web application. This allows attackers to steal authentication cookies and sensitive information or take actions on the user's behalf.
- The same-origin policy is intended to isolate scripts and resources from different origins to prevent unauthorized access, but it has limitations that can be exploited in XSS attacks.
- Cross-site request forgery (CSRF or XSRF) is an attack where unauthorized commands are transmitted from a user who is currently authenticated to a target site, such as making payments on a banking site the user has logged into. This is possible because browsers include cookies in all requests to the originating
This document summarizes NIST Special Publication 800-37, Revision 2 which provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF is a structured process for managing security and privacy risks. Key updates in Revision 2 include aligning with the NIST Cybersecurity Framework, integrating privacy risk management, aligning with system development lifecycles, and incorporating supply chain risk management. Organizations can use the RMF and other frameworks in a complementary manner to effectively manage security and privacy risks.
This document provides an overview of information security management systems (ISMS) and the family of ISO/IEC 27000 standards related to ISMS. It defines key terms and describes the basic components of an ISMS, including identifying security requirements, assessing risks, selecting controls, and monitoring/improving the system. The standards provide requirements, guidelines, and sector-specific implementation guidance for establishing, operating, and improving an ISMS to manage information security risks.
This document provides an overview of information security based on ISO 27001. It defines key terms like information, information security, risk, threats and vulnerabilities. It discusses the people, processes, and technologies involved in information security. It also summarizes the main clauses of ISO 27001 for implementing an information security management system, including establishing policies, controls, documentation, and user responsibilities.
This document provides summaries of several information security frameworks and standards, including:
- ISO/IEC 27002:2005 which provides guidelines for information security management across 10 security domains.
- ISO/IEC 27001:2005 which specifies requirements for establishing an Information Security Management System using a PDCA model.
- Payment Card Industry Data Security Standard which consists of 12 requirements to enhance payment data security.
- COBIT which links IT initiatives to business requirements and defines management control objectives across 34 IT processes.
It also briefly outlines US regulations including Sarbanes-Oxley, COSO, HIPAA, and FISMA which aim to improve corporate disclosures, define healthcare information
This document discusses the history and concepts of cryptography. It begins with classical cryptography and how encryption has evolved with computers to become more complex. It then covers specific ciphers like the Enigma machine and how the British broke German codes during WWII. The document discusses the development of modern ciphers like DES and AES, how public key cryptography works using RSA, and concepts of symmetric and asymmetric encryption. It provides details on block ciphers and the design of ciphers like DES.
The document discusses classical cryptography and symmetric encryption. It covers the following key points:
1) Symmetric encryption uses a shared secret key between the sender and receiver to encrypt and decrypt messages. It was the only type of encryption prior to public-key cryptography being invented in the 1970s.
2) The basic components of cryptography are plaintext, ciphertext, encryption/decryption algorithms, and keys. Cryptanalysis is the study of decrypting ciphertext without knowing the key.
3) For secure symmetric encryption, a strong algorithm and a secret key only known to the sender and receiver are required.
4) Classical ciphers include the Caesar cipher which shifts letters and monoalphabetic ciphers which map each plaintext
Chapter 6 information hiding (steganography) (newbie2019)
The document discusses information hiding techniques for secure communication, specifically focusing on steganography. It defines steganography as hiding information in an unremarkable carrier such as images, video, or audio in a way that prevents detection. The document outlines some goals and applications of steganography, describes some historical steganography techniques, and discusses how modern digital steganography can hide information in the least significant bits of files' color values. It also distinguishes steganography from cryptography and watermarking.
This document provides an overview of network security concepts. It begins by stating the goals of network security are to protect confidentiality, maintain integrity, and ensure availability. It then discusses common network security vulnerabilities and threats that can arise from misconfigured hardware/software, poor network design, inherent technology weaknesses, end-user carelessness, or intentional end-user acts. The document also covers the need for network security due to increased connectivity from closed to open networks and differentiates between open versus closed security models. It emphasizes striking a balance between security and user productivity.
Chapter 4 vulnerability threat and attack (newbie2019)
This document discusses threats, vulnerabilities, and attacks related to information security. It defines threats as potential dangers that could breach security, and lists categories of threats like deliberate threats, environmental threats, and accidental threats. Vulnerabilities are weaknesses that can be exploited by threats, like physical vulnerabilities, hardware/software vulnerabilities, and human vulnerabilities. Attacks are exploits of vulnerabilities that damage systems. Common attacks are discussed like passive attacks that obtain information and active attacks that alter systems. The document also categorizes attacks as interruptions, interceptions, modifications, or fabrications of systems and assets. The three biggest common attacks are said to be virus, worm, and Trojan horse attacks.
The document discusses authentication, authorization, and accounting (the three As) as a leading model for access control. It describes authentication as identifying users, usually with a username and password. Authorization gives users access to resources based on their identity. Accounting (also called auditing) tracks user activity like time spent and services accessed. The document provides details on different authentication methods like passwords, PINs, smart cards, and digital certificates. It emphasizes the importance of strong passwords and changing them regularly.
This document discusses several key concepts in information system security:
Authentication involves verifying the identity of a user or system, usually through passwords, ID cards, or biometrics. Authorization determines what resources a user can access after authentication. Privacy/confidentiality ensures sensitive personal data and messages are kept secret through encryption. Integrity keeps information from being altered without authorization. Availability ensures security services and data remain accessible. Non-repudiation prevents denied participation in online transactions. Auditing records network activity and communications for security monitoring through system logging.
This document discusses information system security. It defines information system security as collecting activities to protect information systems and stored data. It outlines four components of an IT security policy framework: policies, standards, procedures, and guidelines. It also discusses vulnerabilities, threats, attacks, and trends in attacks. Vulnerabilities refer to weaknesses, while threats use tools and scripts to launch attacks like reconnaissance, access, denial of service, and viruses/Trojans. Common attacks trends include malware, phishing, ransomware, denial of service, man-in-the-middle, cryptojacking, SQL injection, and zero-day exploits.
Fundamentals of information systems security (pdf drive) chapter 1 (newbie2019)
This document discusses the growth of the internet and increased connectivity of devices beyond just computers. It notes that as internet usage has increased, issues of privacy, data security, and protecting sensitive information have become more important for both personal and business use. The document provides an overview of common security concepts and terms to help understand how to prevent cyberattacks and secure sensitive data. It also includes a table summarizing several high-profile data breaches between 2013-2015 at companies like Target, Anthem, and Sony Pictures that compromised personal and financial information for millions of customers.
This document provides an overview of an information system security course, including:
- The course aims to teach basic concepts of information system security and how to implement a secure system.
- Topics that will be covered include introduction to security, scanning and probing, steganography, cryptography, email security, wireless security, web security, web application security, cyber law, and information security management.
- Students are expected to attend at least 80% of classes, follow Teknokrat rules, and assignments, midterms, and final exams will determine grades.
It describes the bony anatomy including the femoral head, acetabulum and labrum. It also discusses the capsule and ligaments. The muscles that act on the hip joint and the range of motion are outlined. Factors affecting hip joint stability and weight transmission through the joint are summarized.
This presentation was provided by Steph Pollock of The American Psychological Association’s Journals Program, and Damita Snow, of The American Society of Civil Engineers (ASCE), for the initial session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session One: 'Setting Expectations: a DEIA Primer,' was held June 6, 2024.
Main Java[All of the Base Concepts}.docx (adhitya5119)
This is part 1 of my Java Learning Journey. This contains custom methods, classes, constructors, packages, multithreading, try-catch block, finally block and more.
A review of the growth of the Israel Genealogy Research Association Database Collection for the last 12 months. Our collection has now passed the 3 million mark and is still growing. See which archives have contributed the most. See the different types of records we have, and which years have had records added. You can also see what we have for the future.
This slide is special for master students (MIBS & MIFB) in UUM. Also useful for readers who are interested in the topic of contemporary Islamic banking.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
How to Fix the Import Error in the Odoo 17Celine George
An import error occurs when a program fails to import a module or library, disrupting its execution. In languages like Python, this issue arises when the specified module cannot be found or accessed, hindering the program's functionality. Resolving import errors is crucial for maintaining smooth software operation and uninterrupted development processes.
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organisation by the Excellence Foundation for South Sudan on 08th and 09th June 2024 from 1 PM to 3 PM on each day.
Assessment and Planning in Educational technology.pptxKavitha Krishnan
In an education system, it is understood that assessment is only for the students, but on the other hand, the Assessment of teachers is also an important aspect of the education system that ensures teachers are providing high-quality instruction to students. The assessment process can be used to provide feedback and support for professional development, to inform decisions about teacher retention or promotion, or to evaluate teacher effectiveness for accountability purposes.
Thinking of getting a dog? Be aware that breeds like Pit Bulls, Rottweilers, and German Shepherds can be loyal and dangerous. Proper training and socialization are crucial to preventing aggressive behaviors. Ensure safety by understanding their needs and always supervising interactions. Stay safe, and enjoy your furry friends!
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
NIST Framework for Information System
1. RMF
RISK MANAGEMENT FRAMEWORK
NIST SP 800-37 Revision 2
Risk Management Framework for Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
2.0
1
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
2. NIST/ITL/CSD Public Comment Process
All publications produced by CSD go through the public comment process
Your voice will be heard!!
Receive notifications of newly posted drafts (and more) by subscribing at http://csrc.nist.gov/publications/subscribe.html
There may be one or more drafts of a given publication
Drafts are published at http://csrc.nist.gov/publications/PubsDrafts.html
Lengths of public comment periods vary
3. Risk Management
“If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.”
-McGeorge Bundy, National Security Advisor to U.S. Presidents Kennedy and Johnson
4. Risk can never be eliminated and so it must be MANAGED!!
• Managing risk doesn’t mean fixing everything,
• nor does it mean not fixing anything…
• Risk Management is about knowledge and understanding!
Graphic copied from: http://www.featurepics.com/online/Risk-1109124.aspx
5. RMF Roles and Responsibilities
Senior Accountable Official for Risk Management and Risk Executive (Function)
Senior Agency Official for Privacy
Authorizing Official (AO) and Designated Rep
Senior Information Security Officer
Common Control Provider
System Owner
Information Owner/Steward
System Security/Privacy Officer
Control Assessor
6. SP 800-37 Rev 2 Timeline So Far
Federal interagency working group review during spring 2017
Extensive discussion sessions with OMB OIRA throughout winter/spring 2017/2018
JTF Review
Initial Public Draft released 9 May 2018 with six week comment period
NIST adjudicated ~400 comments and developed FPD
OIRA review and approval
FPD released 2 October 2018
7. SP 800-37 Rev 2 Final Timeline
Public comment period through 31 October 2018
https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft
NIST and OIRA adjudicate FPD public comments
NIST develops final publication
Review by JTF
Review and approval by OIRA
Final publication planned for December 2018*
*Publication date dependent on OMB OIRA review and approval
8. RMF 2.0
PREPARE: SP 800-18, SP 800-30, SP 800-39, SP 800-160
CATEGORIZE: FIPS 199, SP 800-60, CUI Registry
SELECT: FIPS 200, SP 800-53
IMPLEMENT: Many NIST Pubs
ASSESS: SP 800-53A
AUTHORIZE: SP 800-37
MONITOR: SP 800-137/137A, NISTIR 8011, NISTIR 8212 & Tool
9. Authorization Boundaries (Section 2.5/App G)
Defines the scope of protection for systems (i.e., what is included with the system to be authorized WRT information, components, people, etc.)
Includes system hardware, software, firmware, processes, and technologies needed to support organizational missions/business processes
May or may not include the environment of operation
Is established before system security categorization and the development of security plans
10. Improvements in RMF 2.0
Addition of organization and system level Prepare Step and associated tasks
Integrates privacy risk management
Integrates supply chain risk management
Expansion of Authorization options
Aligns RMF with CSF
Aligns RMF with security engineering processes
11. RMF 2.0 Task Outcomes
Tasks | Outcomes
Task I-1 CONTROL IMPLEMENTATION | Controls specified in the security and privacy plans are implemented. [Cybersecurity Framework: PR.IP-1]
 | Systems security and privacy engineering methodologies are used to implement the controls in the system security and privacy plans. [Cybersecurity Framework: PR.IP-2]
Task I-2 BASELINE CONFIGURATION | The configuration baseline is established. [Cybersecurity Framework: PR.IP-1]
 | The security and privacy plans are updated based on information obtained during the implementation of the controls. [Cybersecurity Framework: Profile]
12. RMF 2.0 Task Structure
RISK ASSESSMENT—ORGANIZATION (New)
Task P-3 Assess organization-wide security and privacy risk and update the results on an ongoing basis.
Potential Inputs: Risk management strategy; mission or business objectives; current threat information; system-level risk assessment results; previous organization-level risk assessment results; security- and privacy-related information from continuous monitoring; information sharing agreements or memoranda of understanding.
Potential Outputs: Organization-level risk assessment results.
Primary Responsibility: Senior Accountable Official for Risk Management or Risk Executive (Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy.
Supporting Roles: Chief Information Officer; Mission or Business Owner; Authorizing Official or Authorizing Official Designated Representative.
Discussion: Risk assessment at the organizational level is focused on risk to mission or business objectives and leverages aggregated information from system-level risk…..
References: NIST SP 800-30; NIST SP 800-39 (Organization Level, Mission/Business Process Level); NIST SP 800-161; NIST IR 8062.
13. Privacy is Fully Integrated into RMF
In accordance with OMB Circular A-130
Privacy in the RMF addressed in section 2.3
Privacy called out in task text as appropriate (e.g., Task P-3 is to assess security and privacy risk)
Privacy-specific Inputs, Outputs, Roles, and References specified as appropriate in tasks
Privacy-specific detail in task discussions
14. RMF and CSF Alignment
Inputs and Outputs reference CSF as applicable, e.g., CSF profile as potential output from Task P-4
Task Outcome tables reference CSF sections, categories, or sub-categories as applicable
References for tasks list applicable CSF sections
15. Security Engineering and RMF Alignment
Task references list related 800-160 process as applicable
Section 2.4 discusses system elements/enabling systems and tasks focus on stakeholder requirements
16. Supply Chain and RMF Alignment
Discussion of Supply Chain Risk Management (SCRM) within the RMF added in section 2.8
SCRM addressed in Task discussions as applicable
SCRM artifacts included in task Inputs and Outputs as applicable
SCRM responsibilities noted in Appendix D
Supply chain risk is addressed as part of security risk
17. Prepare Step: Organization Level
Task P-1: ID and assign people to RM roles
Task P-2: Establish an org-wide RM strategy
Task P-3: Assess organization-wide risk
Task P-4: Org-wide tailored baselines (optional)
Task P-5: Common Control identification
Task P-6: Prioritize within impact level (optional)
Task P-7: Organization-wide ISCM strategy
18. Prepare Step: System Level (1 of 2)
Task P-8: ID missions/business functions and processes to be supported by the system
Task P-9: ID system stakeholders
Task P-10: ID assets that require protection
Task P-11: Determine authorization boundary
Task P-12: ID information types
19. Prepare Step: System Level (2 of 2)
Task P-13: ID information lifecycle
Task P-14: Assess system-level risk
Task P-15: Define security and privacy requirements for system and environment
Task P-16: Determine placement within EA
Task P-17: System registration IAW org policy
20. New/Revised Tasks in Existing Steps (1 of 2)
Categorize, Task C-2: Review and approve categorization results and decision
Select, Task S-1: Allocate requirements (expanded from identify common controls)
Select, Task S-3: Tailor selected controls
Select, Task S-4: Document planned implementation details in plans
Implement, Task I-2: Document implementation details different from planned (config baseline)
21. New/Revised Tasks in Existing Steps (2 of 2)
Assess, Task A-1: Select appropriate assessor
Assess, Task A-6: POA&M (moved from Authorize)
Authorize, Task R-2: Risk analysis added to risk determination by AO
Authorize, Task R-3: Respond to risk
Authorize, Task R-5: Report the authorization decision and significant risk as required
22. Authorization Options
Authorization to Operate
  System Authorization (Traditional or Joint)
  Type Authorization
  Facility Authorization
Common Control Authorization
Authorization to Use
Denial of Authorization
Note: Ongoing authorization supplemental guidance (June 2014) incorporated into Appendix F
23. SP 800-53 Revision 5
Security and Privacy Controls for Information Systems and Organizations
24. 800-53 Rev 5 Timeline So Far
Call for pre-comments spring 2016
Adjudicated ~3000 comments and coordinated with SMEs (Privacy, SCRM, ID Mgmt., Crypto, etc.)
Federal interagency working group baseline review during late winter/early spring 2017
Extensive discussion sessions with OMB OIRA throughout spring/summer 2017
IPD published 15 August 2017
Adjudicated ~2000 public comments as above
FPD currently under development
25. 800-53 Rev 5 Timeline for FPD and Final
Final Public Draft (FPD) next steps:
  Review by JTF
  Review and approval by OMB OIRA
  FPD publication planned for January 2019*
Final publication next steps:
  Adjudicate public comments on the FPD
  NIST develops final publication
  Reviews and approvals as above
  Final publication planned for Spring 2019*
*Publication date dependent on OMB OIRA review and approval
26. 800-53 Rev 5 Changes Summary (1 of 4)
Complete integration of privacy controls (removal of Appendix J with App J mapping in FPD)
Two new Privacy Control families in IPD changed to different new Privacy Control family in FPD
New Supply Chain control family in FPD
Incorporated Program Management family into main control set
Complete control set in Chapter 3
27. 800-53 Rev 5 Changes Summary (2 of 4)
Baselines and tailoring guidance will be placed in new volume, SP 800-53B
Some changes to all baselines, mostly in accordance with suggestions from working group
Revised/clarified/added control language and supplemental guidance
Streamlined front matter to focus only on the control set and how to use it
28. 800-53 Rev 5 Changes Summary (3 of 4)
Removed lead-in entities to each control
  Focus on outcomes
  Align with security engineering
  Align with Cybersecurity Framework
  Retained entity info in a column in table (App ?)
Reduced the federal focus
  More usable and welcoming for all sectors
  More usable and applicable for all system types
  More usable for security engineering in all sectors
29. 800-53 Rev 5 Changes Summary (4 of 4)
Rearranged appendices
Removed priority codes
Keywords appendix added in IPD to be removed in FPD and provided as supplemental material
Thorough scrub of:
  Related Controls
  References
  Glossary
  ISO 27001 Mapping
30. Security Control Structure – Revision 5
AU-4 AUDIT LOG STORAGE CAPACITY
Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
Discussion: Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.
Related controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, SI-4.
Control Enhancements:
(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.
Supplemental Guidance: This type of transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. This control enhancement is similar to AU-9(2) in that the audit logs are transferred to a different entity; however, the primary purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records. Organizations can select either enhancement to obtain the dual benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.
Related controls: None
References: None.
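As an added example (not text or code from SP 800-53 or NIST), the following Python model shows what AU-4 and AU-4(1) look like when implemented: the primary store is sized from an organization-defined retention period, events are refused rather than silently dropped when it would overflow, and a threshold triggers the off-load to an alternate store with a digest recorded so the transferred copy can be checked for integrity (the AU-9(2) concern the guidance contrasts it with). The retention figures, event volume and sample events are constructed for illustration.

```python
"""Added example, not NIST's: a small model of AU-4 capacity sizing and the
AU-4(1) off-load to alternate storage. All figures and events are constructed."""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class AuditStore:
    """Primary audit log store sized from an organization-defined retention period."""
    retention_days: int              # [Assignment: organization-defined retention requirement]
    expected_bytes_per_day: int      # estimate from the event types actually logged (AU-2)
    headroom: float = 0.25           # spare capacity so bursts do not exhaust the store
    records: list = field(default_factory=list)

    @property
    def capacity_bytes(self) -> int:
        # AU-4: allocate capacity for the retention requirement plus headroom.
        return int(self.retention_days * self.expected_bytes_per_day * (1 + self.headroom))

    @property
    def used_bytes(self) -> int:
        return sum(len(r) for r in self.records)

    def log(self, event: dict) -> bool:
        """Append one JSON-line event; return False (an AU-5 logging-failure
        signal for the caller) instead of overflowing the allocated capacity."""
        line = json.dumps(event, sort_keys=True).encode() + b"\n"
        if self.used_bytes + len(line) > self.capacity_bytes:
            return False
        self.records.append(line)
        return True

    def needs_offload(self, threshold: float = 0.8) -> bool:
        """AU-4(1) trigger: off-load before the transitory primary store fills."""
        return self.used_bytes >= threshold * self.capacity_bytes


def offload(primary: AuditStore, alternate: dict) -> str:
    """AU-4(1): move every buffered record to a different system (a dict stands
    in for it here) and clear the primary. Returns the batch SHA-256 so the
    receiver can verify what it holds."""
    batch = b"".join(primary.records)
    digest = hashlib.sha256(batch).hexdigest()
    alternate[digest] = batch
    primary.records.clear()
    return digest


def verify_offloaded(alternate: dict, digest: str) -> bool:
    """Integrity check on the alternate copy (the AU-9(2) concern)."""
    return hashlib.sha256(alternate[digest]).hexdigest() == digest


def run_demo(events: int = 400) -> dict:
    """Constructed scenario: 90-day retention, ~200 bytes/day expected volume."""
    store = AuditStore(retention_days=90, expected_bytes_per_day=200)
    alternate: dict = {}
    offloads, rejected, verified = 0, 0, True
    for i in range(events):
        if not store.log({"seq": i, "user": "analyst", "action": "read", "obj": "record"}):
            rejected += 1
        if store.needs_offload():
            offloads += 1
            verified = verified and verify_offloaded(alternate, offload(store, alternate))
    return {"capacity": store.capacity_bytes, "offloads": offloads,
            "rejected": rejected, "verified": verified,
            "left_in_primary": store.used_bytes}
```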
31. Security Controls are Technology Neutral
Security controls are intentionally not focused on any specific technologies
Security control implementations & assessment methods will likely vary based on the technology to which the control is being applied, e.g.:
  Cloud-based systems
  Mobile systems
  Applications
  Sensors
  “IoT”
32. 800-53B Rev 5 Baselines
CNTL NO. | CONTROL NAME | PRIVACY-RELATED | LOW | MODERATE | HIGH
Access Control – AC
AC-1 | Access Control Policy and Procedures | | AC-1 | AC-1 | AC-1
AC-2 | Account Management | | AC-2 | AC-2 (1) (2) (3) (4) (10) (13) | AC-2 (1) (2) (3) (4) (5) (10) (11) (12) (13)
AC-3 | Access Enforcement | | AC-3 | AC-3 | AC-3
AC-4 | Information Flow Enforcement | | — | AC-4 | AC-4 (4)
AC-5 | Separation of Duties | | — | AC-5 | AC-5
AC-6 | Least Privilege | | AC-6 (7) (9) | AC-6 (1) (2) (5) (7) (9) (10) | AC-6 (1) (2) (3) (5) (7) (9) (10)
AC-7 | Unsuccessful Logon Attempts | | AC-7 | AC-7 | AC-7
AC-8 | System Use Notification | | AC-8 | AC-8 | AC-8
AC-9 | Previous Logon (Access) Notification | | — | — | —
AC-10 | Concurrent Session Control | | — | — | AC-10
AC-11 | Device Lock | | — | AC-11 (1) | AC-11 (1)
AC-12 | Session Termination | | — | AC-12 | AC-12
AC-13 | Withdrawn | | | |
AC-14 | Permitted Actions without Identification or Authentication | | AC-14 | AC-14 | AC-14
33. 800-53 Rev 5 Appendix Excerpt
ID | CONTROL NAME / CONTROL ENHANCEMENT NAME | WITHDRAWN | PRIVACY-RELATED | IMPLEMENTED BY | ASSURANCE
PL-1 | Planning Policy and Procedures | | P | O | A
PL-2 | Security and Privacy Plans | | P | O | A
PL-2(1) | Concept of operations | W Incorporated into PL-7. | | |
PL-2(2) | Functional architecture | W Incorporated into PL-8. | | |
PL-2(3) | Plan and coordinate with other organizational entities | | P | O | A
PL-3 | System Security Plan Update | W Incorporated into PL-2. | | |
PL-4 | Rules of Behavior | | P | O | A
PL-4(1) | Social media and networking restrictions | | | O | A
PL-5 | Privacy Impact Assessment | W Incorporated into RA-8. | | |
PL-6 | Security-Related Activity Planning | W Incorporated into PL-2. | | |
PL-7 | Concept of Operations | | P | O |
PL-8 | Security and Privacy Architectures | | P | O | A
PL-8(1) | Defense-in-depth | | | O | A
PL-8(2) | Supplier diversity | | P | O | A
PL-9 | Central Management | | P | O | A
PL-10 | Baseline Selection | | | O |
PL-11 | Baseline Tailoring | | | O |
Note: Privacy-related controls and control enhancements are not allocated to baselines in this table. See XXX for control selection and implementation guidance
34. 800-53 Rev 5 Privacy Integration
Privacy fully integrated throughout Rev 5
Privacy controls from App J and OMB A-130 privacy requirements incorporated into main control set
Privacy controls added in existing families
  Most in Program Management family
  Some in other families (SA, SI)
  “Sharing” existing controls
New privacy family: Processing Permissions (PP)
Privacy Appendix to include:
  Mappings to OMB requirements and controls from App J
  Summary tables
35. 800-53 Rev 5 FPD Control Families
ID | FAMILY
AC | Access Control
AT | Awareness and Training
AU | Audit and Accountability
CA | Security Assessment and Authorization
CM | Configuration Management
CP | Contingency Planning
IA | Identification and Authentication
IR | Incident Response
MA | Maintenance
MP | Media Protection
PE | Physical and Environmental Protection
PL | Planning
PM | Program Management
PP | Processing Permissions*
PS | Personnel Security
RA | Risk Assessment
SA | System and Services Acquisition
SC | System & Communications Protection
SP | Supply Chain Protection*
SI | System and Information Integrity
*New families in Rev 5 FPD
36. 800-53 Update Automation Application
Purpose: Increase agility and reduce effort and angst due to significant change every 3-5 years
Web application operational immediately after R5 final
Provides workflows for:
  Customers to propose changes to all aspects of controls
  NIST staff to review proposals and push to SMEs if necessary
  Public comments on proposed changes
  Saving approved changes in a sandbox until next version
  JTF review, OIRA review/approval, Editorial Review Board
Versions:
  Minor (to include errata) – planned for quarterly
  Major – planned for annually
37. Status of Other FISMA Publications
SP 800-18 Rev 2, Security Plan Guideline: In progress, IPD early CY 2019.
SP 800-47 Rev 1, Managing System Information Exchanges (working title): In progress, IPD early CY 2019 (Current version title is Security Guide for Interconnecting Information Technology Systems)
SP 800-60 Rev 2, Information Types Guideline: Partnering with NARA to incorporate CUI - Temporarily on hold
SP 800-137A, Assessment Procedures for the ISCM Program: In progress, IPD before end of CY 2018
NIST SP 800-160*, Systems Security Engineering: Volume 1 published 11-16, Volume 2 IPD on Multidisciplinary Approach to SE published 3-18
NISTIR 8011*, Automation Support for Ongoing Assessment, Volumes 1 and 2: Final June 2017; Volume 3 in ERB/final to be published in next few weeks
NISTIR 8212 and Tool, ISCM Assessment: In Progress, IPD early CY 2019
* Multiple volumes planned
38. Contact Information
Comments: sec-cert@nist.gov (goes to all of the above)
Web: csrc.nist.gov/sec-cert
Position | Name
Project Leader and NIST Fellow | Dr. Ron Ross
Team Lead and Senior Information Security Specialist | Victoria Pillitteri
Senior Information Security Specialist | Kelley Dempsey
Information Security Specialists | Ned Goren, Jody Jacobs
Administrative Support | Jeff Brewer