
Explosive impact of Laws, Regulations and Guidelines

Revolution and Impact of Recent Information Systems Security Laws, Regulations, and Guidelines: How it affects the federal information security educator. Brian Schultz, CISSP, CISM, CISA, NSA-IAM, PEC Solutions.


Presentation Transcript


  1. Revolution and Impact of Recent Information Systems Security Laws, Regulations, and Guidelines
     How it affects the federal information security educator
     Brian Schultz, CISSP, CISM, CISA, NSA-IAM
     PEC Solutions

  2. Explosive impact of Laws, Regulations and Guidelines
     • “Bush Administration is pulling in the IT security reins on 18 agencies, requiring them to fix weaknesses in existing systems” … Government Computer News, 2/23/04
     • “No Security? No money says OMB” … “OMB is saying you are required under law to do this, and we are using this [FISMA] enforcement mechanism to motivate you to do it” … Washington Technology, 2/24/04

  3. To understand impact we need to
     • Learn Laws, Regulations and Guidelines
     • Learn authority governing…
     • Learn processes for…
     • Apply knowledge to direct your program

  4. Benefits: Knowledge = Power
     • You will become the master of your domain
     • Knowledge brings confidence
     • Ability to articulate gets the budget
     • Knowledge makes you a leader
     • Through leadership comes momentum
     • Knowledge enables action
     • Create effective and compliant programs

  5. What is a LAW
     • Action of a legislative body – Congress
     • Example – Computer Security Act of 1987

  6. What is a regulation
     • Government body creates a regulation in response to a LAW
     • Example – Office of Management and Budget created OMB A-130 to describe security requirements as designated to it by the Computer Security Act of 1987

  7. What is a guideline
     • Standards issued in response to a Law or a Regulation
     • Example – National Institute of Standards and Technology issued NIST 800-16 to specify the security awareness and training requirements set forth in the Computer Security Act of 1987

  8. LAWS

  9. Computer Security Act of 1987
     • Congress (SBU and the right of the public to have access to data forces a split in responsibilities)
     • Assigns responsibility to the National Bureau of Standards (NIST) to create security standards for all federal systems – except national security systems
     • Clarifies NSA’s responsibility for national security systems
     • Affirms OMB’s oversight of computer security for non-national security systems
     • Assigns physical security to GSA

  10. Computer Security Act of 1987
     • Purpose… “to provide for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems”…
     • Purpose… “to require mandatory periodic training for all persons involved in management, use, or operation of Federal computer systems that contain sensitive information”…

  11. Computer Security Act of 1987
     • …“(NIST) to assist, as appropriate, the Office of Personnel Management (OPM) in developing regulations pertaining to training, as required by section 5 of the Computer Security Act of 1987”…

  12. Computer Security Act of 1987 – SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING
     • (A) Federal agency shall provide for the mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency…

  13. Computer Security Act of 1987 – SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING
     • (B) …Such training shall be designed— (1) to enhance employees' awareness of the threats to and vulnerability of computer systems; and (2) to encourage the use of improved computer security practices.

  14. Related Events to the Computer Security Act of 1987
     • Office of Management and Budget (OMB) Guidance OMB A-130 Appendix III (1985) gains power
     • National Bureau of Standards (NIST) issues NIST Guidance utilizing information from the National Security Agency – NIST 800-16…
     • General Accounting Office creates the Federal Information Systems Control Audit Methodology (FISCAM) as an audit tool…

  15. Federal Information Security Management Act of 2002 – FISMA
     • Congress
     • Affects all federal agencies
     • Rigorous security posture reporting with annual budget submissions to OMB
     • Might mean more money?
     • Authority/Oversight – OIG, GAO and OMB

  16. Federal Information Security Management Act of 2002 – FISMA
     • …designate a senior agency information security officer who shall…possess professional qualifications, including training and experience, required to administer the functions
     • …ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines

  17. Federal Information Security Management Act of 2002 – FISMA
     • …security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of “(A) information security risks associated with their activities; and (B) their responsibilities in complying with agency policies and procedures designed to reduce these risks;”

  18. FISMA OMB Report – Due September

  19. REGULATIONS

  20. OMB A-130
     • b) Training… Ensure that all individuals are appropriately trained in how to fulfill their security responsibilities before allowing them access to the system. Such training shall assure that employees are versed in the rules of the system, be consistent with guidance issued by NIST and OPM, and apprise them about available assistance and technical security products and techniques. Behavior consistent with the rules of the system and periodic refresher training shall be required for continued access to the system.

  21. OMB A-130
     • b) Training. The Computer Security Act requires Federal agencies to provide for the mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use or operation of a Federal computer system within or under the supervision of the Federal agency…

  22. Guidelines

  23. Information Technology Security Training Requirements: A Role- and Performance-Based Model – NIST 800-16
     • Focuses on job functions, or roles and responsibilities specific to individuals, not job titles, and recognizes that individuals have unique backgrounds and therefore different levels of understanding
     • Delineates the differences among awareness, training, and education

  24. Information Technology Security Training Requirements: A Role- and Performance-Based Model – NIST 800-16
     • Provides an integrated framework (planning tool) to identify training needs throughout the workforce and ensure that everyone receives appropriate training
     • Provides a course development tool
     • Provides a structure for evaluating learning effectiveness
     • Is extensible

  25. Security Self-Assessment Guide for Information Technology Systems – NIST 800-26
     • Used as a tool to perform an agency’s annual security posture review that has to be reported to OMB in September and to Congress by March
     • Has specific questions regarding security training and awareness

  26. Security Self-Assessment Guide for Information Technology Systems – NIST 800-26
     • Have employees received adequate training to fulfill their security responsibilities?
     • Have employees received a copy of the Rules of Behavior?
     • Are employee training and professional development documented and monitored?

  27. Security Self-Assessment Guide for Information Technology Systems – NIST 800-26
     • Is there mandatory annual refresher training?
     • Are methods employed to make employees aware of security, i.e., posters, booklets?
     • Have employees received a copy of, or do they have easy access to, agency security procedures and policies?

  28. Federal Information Systems Control Audit Methodology – FISCAM
     • Used by GAO to perform IT audits
     • Similar questions to 800-26

  29. National Security Systems

  30. National Security Decision Directive 145 (NSDD-145)
     • 9/17/84: the executive branch issued National Security Decision Directive 145 (NSDD-145), "National Policy on Telecommunications and Automated Information Systems Security".
     • Creates the National Telecommunications and Information Systems Security Committee (NTISSC), a panel of 22 voting representatives from 12 defense/intelligence agencies and 10 civilian agencies.

  31. National Security Decision Directive 145 (NSDD-145)
     • The Assistant Secretary of Defense chairs NTISSC, and the Director of the National Security Agency acts as the National Manager for implementing policy under NSDD-145
     • NTISSC is empowered to issue operating policies to assure the security of telecommunications and automated information systems that process and communicate both classified national security information and other sensitive information.

  32. National Security Telecommunications and Information Systems Security Directive 500 – NSTISSD-500, 2/25/93
     • National Security Telecommunications and Information Systems Security Committee
     • All employees and contractors who use national security systems
     • Federal departments and agencies must develop and implement information systems security education, training and awareness programs for national security systems

  33. Committee on National Security Systems Instruction # 4009 – National Information Assurance Glossary
     • Committee on National Security Systems
     • Available to all – Revised May 2003
     • Useful Reference
     • Builds Common Language For IA

  34. National Security Telecommunications and Information Systems Security Instruction # 4011 – National Training Standard For Information Systems Security (INFOSEC) Professionals
     • Committee on National Security Systems
     • …to provide and maintain an INFOSEC training standard for INFOSEC professionals who work with national security systems
     • Establishes Awareness Level
     • Establishes Performance Level

  35. National Security Telecommunications and Information Systems Security Instruction # 4012 – National Training Standard For Designated Approving Authority (DAA)
     • Issued August 1997
     • Committee on National Security Systems
     • Details standards for DAAs who work with national security systems
     • Robust

  36. National Security Telecommunications and Information Systems Security Instruction # 4013 – National Training Standard For Systems Administrators
     • Issued August 1997
     • Committee on National Security Systems
     • Details training standards for systems administrators who work with national security systems
     • Robust

  37. National Security Telecommunications and Information Systems Security Instruction # 4014 – National Training Standard For Information Systems Security Officers (ISSO)
     • Issued August 1997
     • Committee on National Security Systems
     • Details training standards for Information Systems Security Officers
     • Robust – Entry, Intermediate and Advanced Levels

  38. National Security Telecommunications and Information Systems Security Instruction # 4015 – National Training Standard For System Certifiers
     • Issued December 2000
     • Committee on National Security Systems
     • Details training standards for System Certifiers (those who provide accreditation recommendations to the DAA)
     • NIST to come out with a certification for certifiers

  39. DCID 6/3
     • For Official Use Only

  40. Governing Authorities

  41. Governing Authorities
     • CIO’s Office
     • CSO’s or ISSO’s Office
     • Inspector General (IG)
     • Independent Auditor (contractor)
     • OMB
     • GAO
     • Congress…

  42. Congress
     • Federal Computer Security Report Card
     • Issued by Rep. Adam Putnam, chairman of a House Government Reform subcommittee
     • Quarterly report card that rates 24 agencies' cyber security
     • Information comes from OMB and agencies directly
     • Recent scorecard gave the 24 agencies an overall grade of D.

  43. Brian Schultz, CISSP, CISM, CISA, NSA-IAM
     PEC Solutions
     brian.schultz@pec.com
     703.653.1915
