Risk Management Framework (RMF) Steps 1-6 Process Overview


Change Control Flow/Process

1. Change Request Identification
2. Change Request Assessment
3. Change Request Analysis
4. Change Request Approval
5. Change Request Implementation
6. Reject or Defer Change Request

Change control is a systematic approach to managing all changes made to a product or system. The purpose is to ensure that no unnecessary changes are made, that all changes are documented, that services are not unnecessarily disrupted and that resources are used efficiently. Within information technology (IT), change control is a component of change management.

Classes of Controls Family of Controls

SP 800-53r2 - Technical, Management and Operational classes; seventeen (17) families.
SP 800-53r3 - Technical, Management and Operational classes; eighteen (18) families. The Program Management (PM) family has been added.
SP 800-53 Rev 4 - Technical, Management, Operational and Privacy classes; twenty-six (26) families. The Privacy class brought eight (8) more families.

Artifacts generated at this Phase by the C&A Analyst

Test Plan/Security Assessment Plan (SAP)
Security Control Assessment (SCA)/Security Test and Evaluation (ST&E) report
Security Assessment Report (SAR)
NIST Publications: SP 800-53A, SP 800-53

The test plan specifies the controls that need to be tested, the method of testing, the testing procedures and the evidence needed to validate the controls. SCA/ST&E is the process of conducting the assessment and evaluating validation documents in order to determine whether the controls are adequately implemented.

Configuration Verification and Audit

An independent review of hardware and software for the purpose of assessing compliance with established requirements, e.g. the US Government Configuration Baseline (USGCB)/Federal Desktop Core Configuration (FDCC) and the Security Technical Implementation Guides (STIGs), which DoD mandates for building your system. See SP 800-70 and SP 800-70 Rev 2, and the National Vulnerability Database (NVD).

Using scanning tools that are FDCC or USGCB compliant can help detect whether a system or application is implemented according to US government requirements. Examples: Nessus, Saint and Tenable tools. A scanning tool is just a tool to check the system against the baseline.

System Admin - implements patches, which is to perform the fix.
Remedy change management software can be used to track and request changes.

Summary

Artifacts are generated at this Phase by the C&A Analyst:
- Test Plan/SAP (controls that need to be tested, the method of testing, testing procedures and evidence to validate the controls)
- SCA/ST&E report (has both pass and fail controls but no recommendations)
- Security Assessment Report (SAR) - the SAR has findings and recommendations; no pass controls are included
Both SAR and ST&E are products of the security assessment.
Methods of testing: Examination, Interview, Testing

Differences between the two

A risk assessment is a very high-level overview (Interview and Examination) of your technology, controls, and policies/procedures to identify gaps and areas of risk. An internal audit/SCA, on the other hand, is a very detailed, thorough examination of said technology, controls and policies/procedures. In an IT audit, not only are these items evaluated, they are tested as well. This is a major difference between the two: the risk assessment looks at what you have in place and the audit tests what you have in place (Examination, Interview and Testing).

A risk assessment can be either a self-assessment or completed by an independent third party. An audit must be completed by an independent, certified third party.

Risk assessment is thinking about the (potential) things that could happen in the future, while the internal audit deals with how things were done in the past. Internal Audit/SCA focuses on compliance with various rules and requirements (controls), while risk assessment is nothing but analysis that provides a basis for building up certain rules (controls). Risk assessment is done before you start applying the security controls, while the internal audit is performed once these are already implemented.

The risk assessment report contains: risk level, threat, vulnerabilities, likelihood, impact, risk type, recommendations, existing and residual risk. On the other hand, the Security Assessment Report (SAR), as the result of an internal audit or SCA, contains: controls, tools, vulnerabilities, risk level, risk type, and recommendation.

Interconnection (CA-3) SP 800-47

A system interconnection is defined as the direct connection of two or more IT systems for the purpose of sharing data and other information resources. Organizations choose to interconnect their IT systems for a variety of reasons:
- Exchange data and information among selected users
- Provide customized levels of access to proprietary databases
- Collaborate on joint projects
- Provide full-time communications, 24 hours per day, 7 days per week
- Provide online training
- Provide secure storage of critical data and backup files

Security Control Classes, Families, and Identifiers

AC - Access Control - Technical
AT - Awareness and Training - Operational
AU - Audit and Accountability - Technical
CA - Security Assessment and Authorization - Management
CM - Configuration Management - Operational
CP - Contingency Planning - Operational
IA - Identification and Authentication - Technical
IR - Incident Response - Operational
MA - Maintenance - Operational
MP - Media Protection - Operational
PE - Physical and Environmental Protection - Operational
PL - Planning - Management
PS - Personnel Security - Operational
RA - Risk Assessment - Management
SC - System and Communications Protection - Technical
SI - System and Information Integrity - Operational
PM - Program Management - Management

Privacy Controls

AP - Authority and Purpose
- AP-1 Authority to Collect
- AP-2 Purpose Specification
AR - Accountability, Audit and Risk Management
- AR-1 Governance and Privacy Program
- AR-2 Privacy Impact and Risk Assessment
- AR-3 Privacy Requirements for Contractors and Service Providers
- AR-4 Privacy Monitoring and Auditing
- AR-5 Privacy Awareness and Training
- AR-6 Privacy Reporting
- AR-7 Privacy-Enhanced System Design and Development
- AR-8 Accounting of Disclosures
DI - Data Quality and Integrity
- DI-1 Data Quality
- DI-2 Data Integrity and Data Integrity Board
DM - Minimization and Retention
- DM-1 Minimization of Personally Identifiable Information
- DM-2 Data Retention and Disposal
- DM-3 Minimization of PII Used in Testing, Training, and Research
IP - Individual Participation and Redress
- IP-1 Consent
- IP-2 Individual Access
- IP-3 Redress
- IP-4 Complaint Management
SE - Security
- SE-1 Inventory of Personally Identifiable Information
- SE-2 Privacy Incident Response
TR - Transparency
- TR-1 Privacy Notice
- TR-2 System of Records Notices and Privacy Act Statements
- TR-3 Dissemination of Privacy Program Information
UL - Use Limitation
- UL-1 Internal Use
- UL-2 Information Sharing with Third Parties

Step 3 - Control Implementation - Phase 3

After developing a final System Security Control Baseline, the next phase is the implementation of the selected recommended NIST security controls. Recommended controls are implemented according to the NIST control objectives/requirements. Implement the security controls and document the design, development, and implementation details for the controls.

Risk Determination/Acceptance

After reviewing the Security Authorization Package, the Authorizing Official/designated representative makes a decision whether to issue:
- Authorize to Operate (ATO) letter - the AO accepts all risks associated with the system.
- Interim Authorize to Operate letter - the AO issues a conditional ATO pending the system owner solving all POAM items within a specific period of time, usually 6 months.
- Denial of Authorization to Operate - the AO does not issue an ATO pending the system owner solving all POAM items identified.
The Authorize to Operate (ATO) letter specifies the time period within which the system is authorized to operate, and also specifies the expiration date. The letter is signed by both the System Owner and the AO. An ATO is usually valid for a period of 3 years.

Step 5 Authorize - Information System - Authorization - OA (Ongoing Authorization) happens here and it is affected by the ISCM strategy defined under Phase six of the RMF (Continuous Monitoring)

Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system, and the decision that this risk is acceptable; and

CP covers terms like

Backup Type - Incremental, differential and full backup
Backup Site - Cold, Warm, and Hot
The backup site (secondary site) should be located far away from the primary site so that both sites are not exposed to the same natural and environmental threats.
Examples of backup tape service providers: Iron Mountain, Shred-it, etc.
NIST SP 800-34

Center for Internet Security (CIS)

Basic CIS Controls
1. Inventory and Control of Hardware Assets - what services there are and how you can protect them.
2. Inventory and Control of Software Assets - what software is running.
3. Continuous Vulnerability Management - scan the IT environment for any threats or weaknesses and fix them.
4. Controlled Use of Administrative Privileges - level of user usage.
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers - configure software and hardware.
6. Maintenance, Monitoring and Analysis of Audit Logs - keep track of what we put in the information system: who is logging in, what users are doing in our environment, any case of misuse.
Foundational CIS Controls - need to know
7. Email and Web Browser Protection
8. Malware Defenses - viruses (antivirus built into our system)
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities - backup data
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches - configure them securely; it is recommended to change the defaults.
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
Organizational CIS Controls
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

Step 4 Security Control Testing

The C&A Analyst evaluates the adequacy of the security controls implemented and gives recommendations.

Summary

- The C&A analyst selects recommended controls from NIST SP 800-53 based on the system categorization (Low, Moderate or High) to develop the Security Control Baseline draft.
- The C&A Analyst provides the draft of the Security Control Baseline to the ISSO and the System Owner for review.
- The ISSO and System Owner identify common controls, hybrid controls, system-specific controls and controls that are not applicable. The above process is called tailoring of the security control baseline.
- The final Security Control Baseline is created after the System Owner and ISSO review and tailor the security control baseline.

High Value Asset (HVA)

CARVER - Criticality, Accessibility, Recoverability, Vulnerability, Effect and Recognizability - Done on the enterprise level - Prioritize your system.

Contingency Role Test

The CP needs to be tested at least annually, or whenever there is a major change, for effectiveness. The CP is a living document and needs to be updated accordingly.
Types of CP tests:
- Table Tops/Classroom Exercises - walk through the procedures without any actual recovery operations occurring. Classroom exercises are the most basic and least costly of the two types of exercises and should be conducted before performing a functional exercise.
- Functional Exercises/Simulated - functional exercises are more extensive than tabletops, requiring the event to be faked.
Other testing terms: Full test, Parallel test, Partial test

Step 1 Categorize - Information System Phase 1

Categorize the information system based on the information types the system processes, stores, or transmits. Use SP 800-60 and FIPS Publication 199 to determine the impact level (Low, Moderate or High) assigned to the security objectives: Confidentiality, Integrity and Availability (CIA). The highest watermark becomes the overall categorization of the system.

Cloud Computing

Cloud Clients - web browser, mobile app, thin client, terminal emulator
Application - SaaS - CRM, email, virtual desktop, communication, games
Platform - PaaS - execution runtime, database, web server, development tools
Infrastructure - IaaS - virtual machines, servers, storage, load balancers (distribute the work evenly to ensure availability), network

CMP also includes the following

Configuration Identification - consists of setting and maintaining baselines, which define the system or subsystem architecture and components before deployment.
Change Control - consists of which configurations are controlled, and how changes are requested, approved and implemented.
Configuration Status Accounting - includes the process of recording and reporting configuration items (e.g., hardware, software, firmware, etc.) and how changes are tracked.

Continuous Monitoring Phase 6

The Continuous Monitoring Phase involves the following steps:

Information System Environment Changes
- Any change to the system must follow a Change Control Process
- The system inventory/components need to be current, accurate and updated regularly
- Develop a Configuration Management Plan and Procedure
- Implement an Asset Management tool (Dell Asset Manager; SAM)
- This step is handled by the System Owner and ISSO

Ongoing Security Control Assessment
- Test one third of the NIST recommended controls on an annual basis
- Monitor the SANS Top 20 critical controls on an ongoing basis
- Scan the system for weaknesses frequently, at least monthly or whenever there is a major change to the system
- Implement automated tools such as Vulnerability Management tools (Tenable Security Nessus Security Center) and Patch Management tools (IBM Tivoli Endpoint Manager)
- This step is handled by the System Owner, ISSO and C&A analyst

Ongoing Remediation Action
- Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones
- This step is handled by the System Owner, ISSO and C&A analyst

Key Updates
- Update the following documentation on a regular basis, in line with the ongoing security assessment results: System Security Plan (SSP), Security Assessment Report (SAR), Plan of Action and Milestones (POA&M)
- This step is handled by the System Owner, ISSO and C&A analyst

Security Status Reporting
- Report the security status of the information system to the authorizing official on an ongoing basis, in accordance with the monitoring strategy, by submitting the following: System Security Plan (SSP), Security Assessment Report (SAR), Plan of Action and Milestones (POA&M)
- This step is handled by the System Owner, ISSO and C&A analyst

Ongoing Risk Determination and Acceptance
- The authorizing official reviews the reported security status (SSP, POAM and SAR) of the information system on an ongoing basis (usually an annual assessment and every 3 years for recertification) to determine the current risk to organizational operations and assets, individuals, other organizations, or the Nation. The authorizing official determines whether the current risk is acceptable and forwards appropriate direction to the information system owner.
- The ISSO issues an Annual Assessment Letter showing the system went through the annual NIST security control assessment
- New directive: Ongoing Authorization - event and time driven (more frequent), more dynamic, not static

Information System Removal and Decommissioning
- Implement an information system decommissioning strategy (policy and procedures for decommissioning systems) and the required actions when a system is removed from service
- Update the system inventory and organization inventory accordingly

NIST Publications: SP 800-137, SP 800-53, SP 800-53A, SP 800-30

Phase, Deliverables, Publication and Life Cycle

Control Selection, System Security Baseline, SP 800-53, FIPS 200, Initiation/Development/Acquisition

Criticality, Accessibility, Recoverability, Vulnerability, Effect and Recognizability

Criticality: the target value. How vital is this to the overall organization? A target is critical when its compromise or destruction (failure to provide any of the CIA triad components) has a highly significant impact on the overall organization.
Accessibility: how easily can I reach the target? What are the defenses? Do I need an insider? Is the target computer off the internet?
Recoverability: how long will it take for the organization to replace, repair, or bypass the destruction or damage caused to the target?
Vulnerability: what degree of knowledge is needed to exploit the target? Can I use known exploits or should I invest in new, possibly zero-day exploits (not known)?
Effect: what is the impact of the attack on the organization? Similar to the first point (Criticality), this point should also analyze possible reactions from the organization.
Recognizability: can I identify the target as such? How easy is it to recognize that a specific system/network/device is the target and not a security countermeasure? Is it visible to customers?

CP Process

1. Develop Contingency Planning Policy (CP-1)
2. Conduct Business Impact Analysis
3. Identify Preventive Controls
4. Create Contingency Strategies
5. Develop Contingency Plan (CP-2)
6. Plan Testing, Training, and Exercises (CP-3, CP-4)
7. Plan Maintenance

Electronic Authentication - 5th artifact

The E-Authentication artifact is applicable when the system is accessible remotely (e.g. Web). The E-Authentication artifact involves the following:
- Conduct a risk assessment of the e-government system (risk, vulnerability and threat)
- Map identified risks to the applicable assurance level (Level 1, 2, 3, or 4)
- Select technology based on e-authentication technical guidance (single factor, two factor and multi factor)
- Validate that the implemented system has achieved the required assurance level (test the control)
- Periodically reassess the system to determine technology refresh requirements (continuous assessment)
SP 800-63

Method of Testing

Examination - review existing documents (policies, procedures, previous assessments, etc.)
- Observation - observe the implementation of controls
- Walkthrough - take a tour of a building to take note of security control implementation
Interview - System Owner, System Administrators, developers, etc.
Testing - test existing controls (e.g. test failed login attempts), scans and penetration results

In most cases the test plan with testing results is termed the Security Test and Evaluation (ST&E) Report or Security Control Assessment (SCA) report. SP 800-53A specifies methods of testing, testing procedures and evidence to validate the controls.
The SAR, also called the Final Risk Assessment Report, documents all the findings (failed controls) and is more thorough than the initial Risk Assessment Report. The SAR has findings and recommendations, and no pass controls are included. The ST&E has both pass and fail controls but no recommendations. Both SAR and ST&E are products of the security assessment.
Annual Assessment/one-third SCA: a subset of the controls is assessed (e.g. 1/3 of the total controls).
Comprehensive SCA: all controls allocated to the system are tested.

Done by using various techniques

Examining all the documentation and records; personal observations (e.g., walking around the premises); interviewing the employees; testing.

Full SA&A/C&A Package

- FIPS 199
- Risk Assessment Report
- PTA
- PIA
- E-authentication
- SORN
- System Security Plan
- Configuration Management Plan
- Contingency Plan
- Contingency Plan Test
- Security Control Baseline
- Test Plan
- ST&E
- SAR
- POA&M
- ATO

Categorization - systems are categorized based on the type of information they transmit, store and process.

- FIPS 199, SP 800-60
- Risk Assessment Report - SP 800-30
- E-Authentication - SP 800-63; E-authentication process - OMB Memo M-04-04, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf
- Privacy Threshold Analysis (PTA)
- Privacy Impact Assessment (PIA) - SP 800-122
- System of Records Notice (SORN)

Interconnection Security (ISA) and Memorandum of Understanding/Agreement (MOU/A)

An ISA and MOU/A are required when two systems interconnect. The ISA specifies the technical and security requirements of the interconnection (interface characteristics, security requirements, and the nature of the information communicated), and the MOU/A defines the responsibilities of the participating organizations. Both the ISA and the MOU are required when the connection goes outside the agency's boundary. Only the MOU is required when the two interconnecting systems are both within the agency's boundary.

A Data Use Agreement (DUA) establishes who is permitted to use and receive protected information, and the permitted uses and disclosures of such information by the recipient, and provides that the recipient will:
- Not use or disclose the information other than as permitted by the DUA or as otherwise required by law,
- Use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the DUA, and
- Report to the covered entity uses or disclosures that are in violation of the DUA, of which it becomes aware.

Plan of Action and Milestone (POA&M)

Identifies the vulnerability, resources, impact, recommendation and time needed to resolve the vulnerabilities identified during the assessment phase. Vulnerabilities - risks, weaknesses, findings.

Risk Assessment you have to do the following

- Identify all the risks related to your information
- Identify the risk owners
- Identify threats
- Assess the impact and likelihood of risks
- Determine the level of risks
- Decide whether the risk needs to be treated or not/respond to the risk

Terms that are used to describe the status of each recommended security control in the SSP

- Implemented/In Place
- Partially Implemented
- Planned
- Inherited
- Not Applicable
- Not Implemented

Cyber Security Framework

The NIST Cybersecurity Framework (NIST CSF) provides a policy framework of computer security guidance for how private sector organizations in the US can assess and improve their ability to prevent, detect, and respond to cyber attacks. Created through collaboration between industry and government, the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk. Currently this framework applies to both government and private entities.
Framework functions: Identify, Protect, Detect, Respond, Recover

Incident Response / Handling

Incident handling is an action plan for dealing with misuse of computer systems or networks: intrusion, malicious code, cyber theft, denial of service. Have written procedures and policy in place so you know what to do when an incident occurs.
An incident is an adverse event in an information system or network (unauthorized use of account/system privilege). An event is an observable occurrence in a system or network (system boot, traffic, etc.).
NIST Computer Security Incident Handling Guide - SP 800-62 - 61a2: Preparation; Detection and Analysis; Containment/Eradication/Recovery; Post Incident Activity

Preparation
- Develop IR Plan, Policy and Procedures
- Train staff on their incident response responsibilities
- Test your IR Plan
Identification
- Monitor abnormal events/identify incidents thoroughly, going through the IR process
Containment
- Prevent the attacker from getting any deeper; disconnect or isolate the system
- Categorize (internal hacking, external hacking, malware etc.) and identify the sensitivity of the event (critical or sensitive)
- Inform management/notify appropriate officials: business unit/security officer
Eradication
- Determine the cause and symptoms of the incident
- Get rid of the malicious code, unauthorized account, or bad employee that caused the incident
- Apply patches and fixes to the vulnerabilities found
Recovery
- Test and validate the impacted system
- Put the system back into production and monitor for re-compromise
Lessons Learned
- Create a report detailing what happened, why it happened, what could have prevented it, and what you'll be doing to prevent it from happening again.
- Meet with management to go over the report and get buy-in for the changes needed to prevent similar incidents in the future.

Contingency Plan Components:

Initiation Phase - roles and tasks
Activation Phase - notification steps
Recovery Phase - steps for the alternate site
Reconstruction Phase - recover the original site
Appendixes - calling tree, vendor and contact list

Assurance Level Authentication Method

Level 1: Little or no confidence in the asserted identity's validity
Level 2: Some confidence in the asserted identity's validity
Level 3: High confidence in the asserted identity's validity
Level 4: Very high confidence in the asserted identity's validity

Single factor - what you know (user name/password, PIN)
Two factor - what you know and what you have (PIN and token/card)
Multifactor - what you are, where you are, and what you have (fingerprint, IP address and token)

Monitor - Security Controls

Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance with legislation, Executive Orders, directives, policies, regulations, and standards.
Continuous Monitoring deliverables and publications:
- System Security Plan (SSP) - SP 800-18/53 - Maintenance/Operation
- Plan of Action and Milestones (POAM) - SP 800-53A/37
- Security Assessment Report (SAR) - SP 800-53A
- Annual Assessment Letter - SP 800-53A, SP 800-137

Summary

NIST Publications: SP 800-53A, SP 800-53
From NIST SP 800-53 Rev 2 to Rev 3 the Program Management family was added. From Rev 3 to Rev 4 the Privacy class was added; this class brought 8 families and 26 controls.

Title: Internal Auditors
Role: Help prepare all system documentation, conduct internal assessments in preparation for the external assessment, coordinate with external assessors by providing the needed assistance (e.g. schedule meetings, provide evidence, etc.).
Phase: One, Two, Three, Four, Five and Six
Report To: System Owner

Title: External Auditors/Independent Assessors
Role: Conduct the assessment; the results are most of the time used toward the ATO process.
Phase: Four
Report To: ISSO, CISO or CIO

Phase: Assessing Controls
Deliverables: Security Assessment Plan (SAP), System Security Assessment Report (SAR), Security Test and Evaluation (ST&E) Report/Security Control Assessment (SCA)
Publications: SP 800-53A
Life Cycle: Development/Acquisition

Identify controls

Tailoring of the Security Control Baseline:
- Not Applicable - a control that cannot be tested or implemented because it is irrelevant to the particular system. For example, a publicly accessible website would not require login credentials (username and password); therefore IA-5 Authenticator Management and IA-6 Authenticator Feedback will not be implemented or tested.
- Common Control/Inherited - a control that is provided by another system or department/business unit. For example, PS-1 Personnel Security Policy and Procedures is handled by HR and is not the responsibility of the System Owner in our Smart Portal test case.
- Hybrid - control implementation is owned by two different system owners. For example, for AT-2 Security Awareness Training, HR prepares all IT security training material and the system owner ensures his/her staff undertake the IT training and, in addition, provides and keeps records showing that training has been completed by staff members.
- System Specific - a control that is not hybrid but maintained by only one System Owner. For example, CM-2 Configuration Settings in our Smart Portal test case.

Step 2 - Security Controls Selection Phase 2

Now that we have finished classifying the system, the next step is to select the NIST recommended security controls that apply to the system's classification (High, Moderate or Low).
NIST Publications:
- FIPS 200 - Minimum security requirements: http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
- NIST SP 800-53 Rev 4 and 5 are the latest NIST recommended security controls (new version with the Privacy family; total of 26 families: Management, Operational, Technical, and Privacy): http://nvlpubsnist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
- SANS Top 20 Critical Security Controls - SANS controls are mapped to NIST controls: http://www.sans.org/critical-security-controls
The security controls selected are termed the System Security Control Baseline. This is usually in the form of a spreadsheet. The security controls (e.g., AC-2) prescribe specific security-related activities or actions to be carried out by organizations or by information systems. The security control enhancements (e.g., AC-2(7)) provide statements of security capability to: (i) add functionality/specificity to a control; and/or (ii) increase the strength of a control.
Select the applicable security control baseline based on the results of the security categorization and apply tailoring guidance; the selection is largely based on our categorization and applies to the system's classification (High, Moderate or Low), per NIST SP 800-53 Rev. 4 or 5. A security control is a safeguard we put in place to minimize risk.

Third party Websites and Applications Privacy Impact Assessment

Office of Management and Budget (OMB) Memorandum 10-23 requires that agencies assess their uses of third-party websites and applications to ensure that the uses protect privacy.

On Premises

Our responsibilities:
- On Premises - Applications, Data, Middleware, Operating System, Virtualization, Server, Storage, Network, App
- IaaS - Applications, Data, Middleware, Operating System
- PaaS - Applications, Data
Cloud Provider responsibilities:
- IaaS - Virtualization, Server, Storage, Network
- PaaS - Middleware, Operating System, Virtualization, Server, Storage, Network
- SaaS - Applications, Data, Middleware, Operating System, Virtualization, Server, Storage, Network

Privacy Threshold Analysis (PTA) and Privacy Impact Assessment (PIA) - apply to a system - PII - Personally Identifiable Information - SP 800-122 - 3rd and 4th artifacts

PTA (3rd artifact in the categorization process) - its purpose is to identify whether the system processes, transmits or stores any Personally Identifiable Information (PII), i.e. anything that can lead me directly to you. Examples of PII: name, address, telephone number, Social Security numbers, passport numbers, driver's license numbers, biometric information, DNA information, bank account numbers.
When the PTA is positive (this means the system processes, transmits or stores PII), then a Privacy Impact Assessment (PIA) is conducted. If the PTA is negative, no PIA is conducted. The PIA is the 4th artifact in the categorization process. SP 800-122
PIA - its purpose is to identify and understand any risks the system may pose to the privacy, civil rights, and civil liberties of personally identifiable information. It also elaborates on how the PII should be handled/collected/maintained and protected. In most cases PTA and PIA are the responsibilities of the privacy department; however, a security analyst can also handle this process. PIAs are published on the department website.
PTA - to determine if the system deals with PII. The PTA is positive if PII is collected; if not, the PTA is negative.
PIA - is conducted if the PTA is positive; identifies the risk of collecting PII and the controls in place to protect the PII.
The PIA applies to a system (Federally Facilitated Marketplace website) and the SORN applies to a program (e.g. Obamacare, the Affordable Care Act). The Federally Facilitated Marketplace website is one of the numerous systems that support Obamacare.

Summary

Plan of Action and Milestones (POA&M) - identifies the vulnerability, resources, impact, recommendation and time needed to resolve the vulnerabilities identified during the assessment phase. This is prepared by the C&A analyst and the System Owner.
The Security Authorization Package is reviewed by the AO to issue an ATO:
- Authorize to Operate (ATO) letter - the AO accepts all risks associated with the system
- Interim Authorize to Operate letter - the AO issues a conditional ATO pending the System Owner solving all POAM items within a specific period of time, usually 6 months
- Denial of Authorization to Operate - the AO does not issue an ATO pending the system owner solving all POAM items identified
The Security Authorization Package includes the SSP, SAR and POAM.

Deployment Models

Private Cloud: deployed for a single organization. For example the National Cancer Institute (NCI).
Public Cloud: deployed for all organizations over the internet/public network.
Community Cloud: deployed for several organizations that share the same mission. For example all organizations under NIH (NCI, CIT, NIA, NIAAA, etc.).
Hybrid Cloud: a combination of any of the above.
Advantages:
Accessible everywhere - no geographical barrier
Pay per use - pay for what you need
More economical/cheap - pool of resources for many people (multi-tenant)
Faster deployment
Disaster recovery
Disadvantages:
Compliance - enforcement is hard; managed by a different entity
Legal - laws vary by country
Data security - managed by a different entity and delivered over the internet (CIA)
Privacy - delivered over the internet (appropriate use of data)
FedRAMP is an application for cloud systems. When the FedRAMP system started it did not allow HIGH systems to go into the cloud.

Internal Risk Assessment Report 800-30 and 800-37 - 2nd artifact

The RAR is the second deliverable/artifact at the categorization phase. It contains:
System description
Scope/boundary
Threat
Vulnerability/weakness
Impact
Likelihood
Recommendation to avoid the risk

System of Records Notice (SORN) - applies to program

A SORN is a requirement for a Federal agency under the Privacy Act of 1974. A SORN is required when all of the following apply:
Records are maintained by a Federal agency
The records contain information about an individual (PII)
The records are retrieved by a personal identifier

NIST Publications

SP 800-18 - Guide for developing the SSP
SP 800-53 - NIST recommended security controls
FIPS 200 - Minimum controls
SP 800-128 - Guide for configuration management
SP 800-70 - National Checklist Program for IT products
SP 800-34 - Guide for contingency planning
SP 800-84 - Guide to Test, Training and Exercise Programs

Class of Controls / Family of Controls - FIPS 200

SP 800-53 Rev 2 - Technical, Management and Operational. Seventeen (17) families.
SP 800-53 Rev 3 - Technical, Management and Operational. Eighteen (18) families. The Program Management (PM) family was added.
SP 800-53 Rev 4 - Technical, Management, Operational and Privacy. Twenty-six (26) families. The privacy class brought eight (8) more families.

NIST Publications

SP 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
SP 800-171A - Security Requirements for Controlled Unclassified Information

Terms used to show a control evaluation status

Satisfied
Other than satisfied
Inherited
Not applicable
Other (e.g. Risk Acceptance Memo on file)
Fail
Pass

Security Authorization Package - once the POA&M is created, the AO (Authorizing Official or Designated Representative) is presented with the Security Authorization Package

Security Plan - overview of requirements, description of the agreed-upon security controls, and other supporting security-related documents
Security Assessment Report - security control assessment results and recommended corrective actions for control weaknesses or deficiencies
Plan of Action and Milestones - measures planned to correct weaknesses or deficiencies and to reduce or eliminate known vulnerabilities

Cloud Service Models

Service Model | Who uses it | Available services | Why use it
SaaS | End users (consume) | Software applications such as email, word processing, and customer relationship management tools | Complete business tasks that are typically performed locally on a computer
PaaS | Developers and application managers (build) | Services for creating and testing, web server, database | Establish a common and consistent platform for application development
IaaS | IT system managers (host) | Virtual machines, storage services, and backup services | Build a customized computing environment
IaaS - Infrastructure as a Service - host
PaaS - Platform as a Service - build
SaaS - Software as a Service - consume

Categorization Process - Kick Off Meeting - 1st Artifact FIPS 199

Starts with a kick-off meeting: System Owner (SO), Security Control Assessor/C&A Analyst, Information System Security Officer (ISSO), AO and Information Owner.
Links:
http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60 Vol2- Rev1.pdf
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
The system is categorized based on information type (process, store or transmit). FIPS 199 - the overall system categorization is based on the high water mark of the CIA ratings: Low, Moderate or High. FIPS 199, SP 800-60
Initial Risk Assessment Report - threat, vulnerability, impact and recommendation. SP 800-30 and SP 800-37
PTA - to determine if the system deals with PII. PTA is positive if PII is collected; if not, PTA is negative. SP 800-122
PIA - conducted if the PTA is positive. Identifies the risk of collecting PII and recommends safeguards. SP 800-122
SORN - developed if the system deals with PII. The SORN is published for public comment (purpose for collecting PII, ensuring accuracy and how the PII is protected).
E-authentication - applicable when the system is accessible remotely. This identifies the appropriate authentication mechanism based on risk: single-factor, multifactor, etc. SP 800-63
TPWA - OMB Memorandum 10-23 requires that agencies assess third-party websites and applications to ensure privacy before using them. Ex. a CMS page on Facebook: CMS needs to complete a TPWA on Facebook before creating a Facebook page.

SSP contains two major sections

System Information section - description, name, points of contact, inventory, categorization, E-authentication, system diagram.
Security Control section - the security controls and how they have been implemented. Describes the status of each recommended control. Implementation statement - documents how we have implemented the control in our environment.

Artifacts/deliverables developed at this phase

System Security Plan (SSP) - most important document
Configuration Management Plan (CMP)
Contingency Plan (CP)
Contingency Plan Test

Authorizing

System Security Plan (SSP) - SP 800-18/53 - Implementation
Plan of Action and Milestones (POA&M) - SP 800-39/37
Security Assessment Report (SAR) - SP 800-53A
Authorization To Operate (ATO) - SP 800-39/37

Risk Management Framework (RMF)

The RMF addresses the security concerns of organizations related to the design, development, implementation, operation, and disposal of information systems and the environments in which those systems operate.

Summary

The following artifacts/deliverables are developed at this phase:
System Security Plan (SSP) - most important document
Configuration Management Plan (CMP)
Contingency Plan (CP)
Contingency Plan Test (CPT)
The implementation and creation of the relevant artifacts for this phase is normally the responsibility of the system owner. The C&A analyst might be asked to assist in the development of the artifacts (the C&A analyst collects information from the system owner or system POC and incorporates it into existing templates).
NIST Publications:
SP 800-18 - Guide for developing the SSP
SP 800-53 - NIST recommended security controls
FIPS 200 - Minimum controls
SP 800-128 - Guide for configuration management
SP 800-70 - National Checklist Program for IT products
SP 800-34 - Guide for contingency planning
SP 800-84 - Guide to Test, Training, and Exercise Programs
SP 800-47 - Interconnecting Information Technology Systems
Implementation of Controls:
SSP - SP 800-18/53
CMP - SP 800-128/70
CP - SP 800-34
CP Test - SP 800-84
IR - SP 800-62
Interconnecting Information Technology Systems - SP 800-47
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations - SP 800-171
Security Requirements for Controlled Unclassified Information - SP 800-171A

Risk Acceptance Memo/Waiver

This memo is used to justify a risk acceptance of a known deficiency or deviation from mandatory policies or controls. The system owner/project manager is responsible for writing the justification and the compensating control. It is a requirement that a compensating control be defined in order to obtain full approval for a risk acceptance. A waiver is normally time-limited (e.g. for moving data).

Initial Risk Assessment Report

Threat, vulnerability/weakness, impact.
Risk Assessment (RA) is conducted through:
Examination - review existing documents (policies, procedures, previous assessments, etc.)
Observation - observe the implementation of controls
Walkthrough - take a tour of a building to take note of security control implementation
Interview - system owner, system administrators, developers, etc.
Testing - test existing controls (e.g. test failed login attempts)

Cloud clients

Web browser, mobile apps, thin client

Cloud Computing

A general term for anything that involves delivering hosted services over the internet. Examples: email service, apps, Microsoft 365, cloud storage. Data is stored in the cloud.
Services are broadly divided into three categories:
Infrastructure as a Service
Platform as a Service
Software as a Service

System Security Plan (SSP)

Describes the security controls that are in use, or planned to be used, to protect all aspects of the system. At this stage no testing is conducted to evaluate the effectiveness of the controls; the SSP is mostly completed through interviews. Information gathering process: reach out and document in the SSP.

Base control and Enhanced based control

E.g. a lock, and what type of lock. An enhancement improves upon part of the base control; it gives you more capabilities than the baseline control.

Configuration Management Plan

Includes personnel, responsibilities, resources, training requirements, and administrative meeting guidelines. Setting up the system - how we build our process.

Mechanism by which agencies perform this assessment

The mechanism is a Privacy Impact Assessment (PIA).
Third-Party Privacy Policies: the agency should examine the third party's privacy policy to evaluate the risks and determine whether the website or application is appropriate for agency use.
External Links: if an agency posts a link that leads to a third-party website or any other location that is not part of an official government domain, the agency should provide an alert to the visitor.
Embedded Applications: if an agency incorporates or embeds a third-party application on its website or any other official government domain, the agency should disclose the third party's involvement.
Agency Branding: in general, when an agency uses a third-party website or application that is not part of an official government domain, the agency should apply appropriate branding to distinguish the agency's activities from those of nongovernment actors.

Contingency Plan

is a process that prepares an organization to respond coherently to an unplanned event. The contingency plan can also be used as an alternative for action if expected results fail to materialize. A contingency plan is sometimes referred to as Plan B.

Business Impact Analysis (BIA)

Is conducted before the development of a CP. The BIA identifies and prioritizes business units and assets.
Recovery Point Objective (RPO) - how much data do you need?
Recovery Time Objective (RTO) - how long can you stay offline?

Final Security Control Baseline

is created after system owner and ISSO review and tailor the security control baseline.

Purpose of internal audit/security control assessment (SCA)

is nothing more than listing all the rules and requirements (controls) and then finding out if those rules and requirements are complied with (testing controls).

Security Impact Analysis (SIA)

Is the analysis conducted by an organizational official to determine the extent to which changes to the information system will affect the security state of the system prior to change implementation. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Change control/change request: how a proposed change can affect the security posture. Any change to the system goes through this analysis.

Purpose of risk assessment

Is to find out which problems can happen to your information and/or operations - that is, what can jeopardize the confidentiality, integrity, and availability of your information, or what can threaten the continuity of your operations.

Contingency Planning - Integrated Suites of Plans

Provides instructions, disaster declaration criteria, and procedures to recover information systems and associated services after a disruption through a suite of plans and documents including the Business Impact Analysis (BIA), Continuity of Operations (COOP), Disaster Recovery Plan (DRP), and the Contingency Plan (CP). Interdependent plans inform one another.
COOP - enterprise level - defines all operations, including personnel actions. The BIA sets restoration priorities for the hosting facility and system maintainers.
BIA - component level - defines prioritization based on mission, function and business process.
DRP - infrastructure level - defines hosting facility processes for system re-establishment.
CP - system level - MTD, RTO and RPO defined for "App A".

When performing an internal audit

you need to check if each and every rule and requirement was complied with.
