Cybersecurity Summit 2004

Cybersecurity Summit 2004. Andrea Norris, Deputy Chief Information Officer / Director of Division of Information Systems. Federal Information Security Management Act (FISMA) Overview.

Presentation Transcript


  1. Cybersecurity Summit 2004
  Andrea Norris, Deputy Chief Information Officer / Director of Division of Information Systems

  2. Federal Information Security Management Act (FISMA) Overview
  “Each Federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…” -- Federal Information Security Management Act of 2002

  3. Legislation and Policy
  • Public Law 107-347 (Title III)
    • Federal Information Security Management Act of 2002 (FISMA) (December 2002) http://www.fedcirc.gov/library/legislation/FISMA.html
  • Office of Management and Budget Circular A-130 (Appendix III)
    • Security of Federal Automated Information Resources (February 1996) http://www.whitehouse.gov/omb/circulars/a130/appendix_iv.pdf
  • National Institute of Standards and Technology (NIST) Special Publication guidance
    • Special Publications at http://csrc.nist.gov/publications/nistpubs/
  • National Science Foundation Information Security Handbook – Manual 7 (April 2004)
    • http://www.inside.nsf.gpv/oirm/dis/itsecur/docs/securityhb.pdf

  4. Information Security Program Elements (Reference: FISMA)
  • Periodic assessments of risk
  • Security policies and procedures
  • Security planning for networks and information systems
  • Security awareness training for employees and contractors
  • Periodic testing and evaluation of security practices (at least annually)
  • Plans for continuity of operations and disaster recovery
  • Procedures for detecting and reporting security incidents
  • Process to document and address security weaknesses
  • Report security status to Congress annually

  5. Key Definitions (Reference: OMB A-130 Appendix III)
  • General Support System (GSS, e.g. a LAN)
    • An interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
  • Major Application
    • An application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
  • Application
    • The use of information resources to satisfy a specific set of user requirements.

  6. Key NIST Publications
  • 800-12 Introduction to Computer Security: The NIST Handbook
  • 800-18 Guide for Developing Security Plans
  • 800-26 Security Self-Assessment
  • 800-30A Risk Management Guide
  • 800-34 Contingency Planning Guide

  7. NSF Information Security Handbook
  • Management Control Procedures
    • Risk Management, Security Control Review, Life Cycle, Security Planning
  • Operational Control Procedures
    • Personnel, Physical, Contingency Planning, HW/SW, Training, Incident Response
  • Technical Control Procedures
    • Identification and Authentication, Logical Access Controls, Audit Trails
  • Appendices with Report Templates
    • Security & Contingency Plans, Risk Assessment

  8. NSF Keys to Success
  • Top-Down Commitment to Security as a Strategic Priority
  • Comprehensive Security Program
  • Sustained Levels of Investment
  • Performance Goals and Measures

  9. NSF IT Security Program
  (Diagram: Security, comprising Confidentiality, Integrity and Availability, balanced against an Open Collaborative Environment for Research and Discovery through a Risk Management Approach.)
  • Security: Confidentiality, Integrity, Availability
  • Open Collaborative Environment for Research and Discovery
  • Risk Management Approach: risks are assessed, understood and appropriately mitigated

  10. Security Management Structure
  (Organization chart, listed top to bottom as shown on the slide.)
  • NSF Director
  • CIO
  • Sr. Agency Information Security Officer
  • Security Working Group
  • DIS Security Officer
  • Program Office Security Liaisons
  • NSF Employees and Contractors
  • NSF Customers and Stakeholders

  11. NSF IT Security Program
  (Diagram: the program's components.)
  • Vulnerability Assessment & Penetration Tests
  • Policies, Procedures & Plans
  • Security Assessments, Audits & Controls
  • Intrusion Detection & CIRT
  • Security Awareness Training
  • Certification & Accreditation

  12. Proactive Measures, Event, Reactive Functions
  (Diagram: Protect – Detect – React, layered around Critical Data, Information, & Systems. Controls cited only as examples.)
  • Proactive measures (Protect / Detect):
    • Deter, e.g. Warning Banner
    • Detect, e.g. Intrusion Detection
    • Delay, e.g. Firewall
    • Defend, e.g. Encryption
    • Deny, Defeat
  • Reactive functions (React): Monitoring, CIRT, Forensics, BCP/COOP
  • Principles: Defense in Depth, Layered Approach, Escalation by Severity
  Protecting critical assets requires layered proactive controls, monitoring of the environment, and reactive functions for effective response.

  13. Management Controls
  • Management Structure, Roles and Responsibilities
  • Policy and Procedures
  • System Inventory
  • Security Reviews, Assessments, and Plans
  • Certification and Accreditation
  • Agency-Level Plan of Action and Milestones
  • Security Awareness and Training

  14. Technical and Operational Controls – The Visible and Known Establishes Confidence
  • Connectivity Standards
  • External and Internal Networks
  • Firewall Architecture
  • Intrusion Detection
  • Vulnerability Scans
  • Penetration Tests
  • Patch Management
  • Laptop Scanning
  • Anti-Virus Protection
  • Continuity of Operations, Contingency, and Disaster Recovery

  15. Lesson Learned – Security is a Continuous Process
  (Diagram: a cycle of Assess, Plan, Design, Implement, and Managed Security Services. Security is a continuous process of evaluation and monitoring.)
  • Assess: Run Assessments, Risk – Threats, Privacy, Security Test & Eval., Compliance
  • Plan: Strategy, Business Continuity, Solution Planning, Resource Allocation
  • Design: Policy, Standards, Enterprise Architecture, Configuration Standards
  • Implement: Product Selection, Product Implementation, Centralized Security Mgt.
  • Managed Security Services: Intrusion Detection, Firewall Management, Incident Reporting, Vulnerability Scan

  16. Challenges
  • Changing Threat Environment
  • Cultural Change
  • Awareness and Education
  • Security Investment