Federal Government Perspectives on Secure Information Sharing
Technology Leadership Series
August 14, 2007
Dr. Ron Ross, Computer Security Division, Information Technology Laboratory
Current State of Affairs
• Continuing serious attacks on federal information systems, targeting key federal operations and assets.
• Adversaries are nation states, terrorist groups, hackers, criminals, and disgruntled employees.
• Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
• Significant exfiltration of critical and sensitive information and implantation of malicious software.
[Figure: Connectivity and Complexity; Threats to Security]
Challenges for Agencies
• Large, complex information technology infrastructures; many information systems to manage.
• Dynamic operational environments with changing threats, vulnerabilities, and technologies.
• Obtaining adequate staffing with the requisite information security skills and expertise.
Changing Models of Protection
• Risk Avoidance → Risk Management
• Information Protection → Information Protection and Information Sharing
• Confidentiality → Confidentiality, Integrity, Availability
The Desired End State: Security Visibility Among Business/Mission Partners
[Figure: Organization One's information system and Organization Two's information system, linked by a business/mission information flow. Each side holds its own System Security Plan, Security Assessment Report, and Plan of Action and Milestones, and each determines the risk to its own operations and assets and the acceptability of that risk; security information is exchanged between the two organizations.]
The objective is to achieve visibility into prospective business/mission partners' information security programs BEFORE critical/sensitive communications begin, establishing levels of security due diligence and trust.
Information Security Imperatives for an Information Sharing Partnership
• The need to share depends on a need to trust.
• Trust cannot be conferred; it must be earned.
• Trust is earned by understanding the security state of your partner's information system.
• Understanding the security state of an information system depends on the evidence produced by organizations demonstrating the effective employment of safeguards and countermeasures.
Trust but verify…
Information Security Paradigm Shift
• From: Policy-based compliance
  • Policy dictates discrete, pre-defined information security requirements and associated safeguards/countermeasures;
  • Minimal flexibility in implementation; and
  • Little emphasis on explicit acceptance of mission risk.
• To: Risk-based mission protection
  • Enterprise missions and business functions drive security requirements and associated safeguards/countermeasures;
  • Highly flexible in implementation; and
  • Focuses on acknowledgement and acceptance of mission risk.
FISMA Strategic Vision
• Building a solid foundation of information security across one of the largest information technology infrastructures in the world based on comprehensive security standards and guidelines.
• Institutionalizing a comprehensive Risk Management Framework that promotes flexible, cost-effective information security programs for federal agencies and contractors.
• Establishing a fundamental level of "information security due diligence" for federal agencies based on a common process to determine adequate protection for enterprise missions and business functions.
Risk Management Framework
• The Risk Management Framework and the associated security standards and guidelines provide a process that is:
  • Disciplined
  • Structured
  • Flexible
  • Extensible
  • Repeatable
"Building information security into the infrastructure of the organization… so that critical enterprise missions and business functions will be protected."
Managing Enterprise Risk
• Key activities in managing enterprise-level risk—risk to the enterprise and to other organizations resulting from the operation of an information system:
  • Categorize the information system (criticality/sensitivity)
  • Select and tailor baseline (minimum) security controls
  • Supplement the security controls based on risk assessment
  • Document security controls in the system security plan
  • Implement the security controls in the information system
  • Assess the security controls for effectiveness
  • Authorize information system operation based on mission risk
  • Monitor security controls on a continuous basis
Risk Management Framework
• Starting point: CATEGORIZE Information System (FIPS 199 / SP 800-60): define the criticality/sensitivity of the information system according to the potential impact of loss.
• SELECT Security Controls (FIPS 200 / SP 800-53): select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate.
• SUPPLEMENT Security Controls (SP 800-53 / SP 800-30): use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence.
• DOCUMENT Security Controls (SP 800-18): document in the security plan the security requirements for the information system and the security controls planned or in place.
• IMPLEMENT Security Controls (SP 800-70): implement security controls; apply security configuration settings.
• ASSESS Security Controls (SP 800-53A): determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements).
• AUTHORIZE Information System (SP 800-37): determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation.
• MONITOR Security Controls (SP 800-37 / SP 800-53A): continuously track changes to the information system that may affect security controls and reassess control effectiveness.
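The first two steps of the framework, categorize and select, follow a mechanical rule that the slides name but do not spell out. As an added example (not code from the presentation or from NIST), the Python below applies the high-water-mark rule from FIPS 199: each security objective of an information system takes the highest impact level assigned to that objective across the information types the system handles, a system objective never falls below low even when every information type is public, and the overall impact level, which picks the low-, moderate- or high-impact SP 800-53 baseline under FIPS 200, is the highest of the three objectives. The information types and impact values in the sample are constructed for illustration and are not taken from SP 800-60.

```python
"""FIPS 199 security categorization and FIPS 200 baseline selection.

Added example, not code from the presentation. Implements the CATEGORIZE and
SELECT steps of the Risk Management Framework using the FIPS 199 high-water
mark. Information types and impact values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Ordinal ranking of impact levels. "NA" (not applicable) is permitted by
# FIPS 199 only for the confidentiality of public information types.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
LEVEL_NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Reject unknown levels and NA on anything but confidentiality.
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {level!r} for {obj}")
            if level == "NA" and obj != "confidentiality":
                raise ValueError(f"{self.name}: NA is only permitted for confidentiality")


def categorize_system(types: Iterable[InfoType]) -> Dict[str, str]:
    """High-water mark per objective. A system's objectives never fall below
    LOW, even if every information type it handles is public (NA)."""
    types = list(types)
    if not types:
        raise ValueError("an information system must handle at least one information type")
    category: Dict[str, str] = {}
    for obj in OBJECTIVES:
        highest = max(LEVELS[getattr(t, obj)] for t in types)
        category[obj] = LEVEL_NAMES[max(highest, LEVELS["LOW"])]
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """Overall system impact level (FIPS 200): the highest of the three objectives."""
    return LEVEL_NAMES[max(LEVELS[level] for level in category.values())]


def select_baseline(category: Dict[str, str]) -> str:
    """Name the SP 800-53 baseline that the SELECT step starts from."""
    return f"SP 800-53 {overall_impact(category).lower()}-impact baseline"


def format_category(category: Dict[str, str]) -> str:
    """Render the categorization in FIPS 199 notation."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample: one system hosting public web content alongside
# internal financial records (illustrative values only).
SAMPLE_TYPES: List[InfoType] = [
    InfoType("public web content", "NA", "LOW", "LOW"),
    InfoType("internal financial records", "MODERATE", "HIGH", "LOW"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_category(sc))
    print("overall impact:", overall_impact(sc))
    print("starting point:", select_baseline(sc))
```

The point the example makes is that one high-impact information type pulls the whole system, and therefore the whole control baseline, up to high; splitting such data into a separate system is the usual way to keep the larger system at a lower baseline, and the supplement and tailoring steps that follow only adjust from that starting point.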
Information Security Program
Links in the Security Chain: Management, Operational, and Technical Controls
• Risk assessment
• Security planning
• Security policies and procedures
• Contingency planning
• Incident response planning
• Security awareness and training
• Security in acquisitions
• Physical security
• Personnel security
• Security assessments
• Certification and accreditation
• Access control mechanisms
• Identification & authentication mechanisms (biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Boundary and network protection devices (firewalls, guards, routers, gateways)
• Intrusion protection/detection systems
• Security configuration settings
• Anti-viral, anti-spyware, anti-spam software
• Smart cards
Adversaries attack the weakest link… where is yours?
The Common Foundation for Managing Enterprise Risk
[Figure: the Generalized Model. A foundational set of information security standards and guidance forms the common information security requirements shared by the Intelligence Community, the Department of Defense, and Federal Civil Agencies, covering national security and non-national security information systems; each community's unique information security requirements are layered on top as the "delta".]
• Foundational Set of Information Security Standards and Guidance
  • Standardized risk management framework
  • Standardized security categorization (criticality/sensitivity)
  • Standardized security controls and control enhancements
  • Standardized security control assessment procedures
Enterprise-wide Strategy
• Facilitates enterprise-wide, mission-oriented decisions on risk mitigation activities based on organizational priorities;
• Provides a global view of systemic weaknesses and deficiencies occurring in information systems across the organization;
• Promotes the development of enterprise-wide solutions to information security problems; and
• Increases the knowledge base for system owners regarding threats, vulnerabilities, and strategies for more cost-effective solutions to common problems.
Defense-in-Breadth Strategy
• Diversify information technology assets.
• Reduce the information technology target size.
• Consider vulnerabilities of new information technologies before deployment.
• Apply a balanced set of management, operational, and technical security controls in a defense-in-depth approach.
Key Standards and Guidelines
• FIPS Publication 199 (Security Categorization)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-18 (Security Planning)
• NIST Special Publication 800-30 (Risk Management)
• NIST Special Publication 800-37 (Certification & Accreditation)
• NIST Special Publication 800-53 (Recommended Security Controls)
• NIST Special Publication 800-53A (Security Control Assessment)
• NIST Special Publication 800-59 (National Security Systems)
• NIST Special Publication 800-60 (Security Category Mapping)
Many other FIPS and NIST Special Publications provide security standards and guidance supporting the FISMA legislation…
Contact Information
100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
Project Leader: Dr. Ron Ross, (301) 975-5390, ron.ross@nist.gov
Administrative Support: Peggy Himes, (301) 975-2489, peggy.himes@nist.gov
Senior Information Security Researchers and Technical Support:
• Marianne Swanson, (301) 975-3293, marianne.swanson@nist.gov
• Dr. Stu Katzke, (301) 975-4768, skatzke@nist.gov
• Pat Toth, (301) 975-5140, patricia.toth@nist.gov
• Arnold Johnson, (301) 975-3247, arnold.johnson@nist.gov
• Matt Scholl, (301) 975-2941, matthew.scholl@nist.gov
Information and Feedback: Web: csrc.nist.gov/sec-cert; Comments: sec-cert@nist.gov