Integrating IT Security into the Capital Planning and Investment Control Process
National Institute of Standards and Technology (NIST)
Presented By: Thelma Ameyaw
Security Management TEL2813
AGENDA
• Introduction
• Legislative and Regulatory Environment Overview
• Security and Capital Planning Integration Roles & Responsibilities
• Integration of Security Into The CPIC Process
• Implementation Issues
• Summary
Introduction
• Background
  • Federal Information Security Management Act (FISMA) of 2002
  • FISMA, the Clinger-Cohen Act, other associated guidance and regulations, and Office of Management and Budget (OMB) Circulars A-11 and A-130 charge agencies with integrating IT security into the Capital Planning and Investment Control (CPIC) process.
• Purpose & Scope
  • Assist federal agencies in integrating IT security into CPIC processes by providing a systematic approach to selecting, managing, and evaluating IT security investments.
Legislative and Regulatory Environment Overview (LREO)
The implementation of IT security and capital planning practices within the federal government is driven by a combination of legislation, rules and regulations, and agency-specific policies. To be funded, IT investments must demonstrate compliance with all applicable requirements specified in the guidance.
• Reporting Requirements
• FISMA
  • Charges OMB and NIST to develop security standards and identify tolerable security risk levels
  • Makes NIST standards compulsory for all agencies (no waivers)
  • Charges agencies to integrate IT security into capital planning
Federal IT Security and Capital Planning Legislation, Regulations, and Guidance
FISMA provides overarching requirements for securing federal resources and ensuring that security is incorporated into all phases of the investment life cycle.
The Select-Control-Evaluate Investment Life Cycle
LREO - Contd
• Select-Control-Evaluate Investment Life Cycle: In concert with OMB capital planning and NIST security requirements, agencies are required to adhere to the GAO best practice: the three-phase investment life cycle model for federal IT investments.
  • Select: Assess and prioritize investments
  • Control: Monitor the investment
  • Evaluate: Assess the efficacy of the investment
• Earned Value Management (EVM): EVM is a systematic integration and measurement of the cost, schedule, and accomplishments of an investment that enables agencies to evaluate investment performance during Development, Modernization, and/or Enhancement (D/M/E). EVM enables:
  • Project managers (PMs) to estimate time and cost
  • PMs to determine what work has been accomplished to date for the funds expended and how long it will take the investment to reach maturity
LREO - Contd
• IT Investment Management (ITIM): The GAO maturity framework can be used to determine the current status of an agency's ITIM capabilities, including recommendations.
• Plan of Action and Milestones (POA&M): Throughout the investment life cycle (ILC), the POA&M is used to identify security weaknesses in agency IT investments and track mitigation efforts until each weakness has been successfully mitigated.
• Risks:
  • Security risk
  • Investment risk
Security and Capital Planning Integration Roles & Responsibilities
• Integrating IT security into the CP process requires input and collaboration across agencies and functions.
• Many different stakeholders from the IT security, CP, and executive leadership areas play roles and make decisions that ultimately form a well-balanced IT portfolio:
  • Head of Agency
  • Senior Agency Officials
  • Chief Information Officer
  • Senior Agency Information Security Officer
  • Chief Financial Officer
  • Investment Review Board
  • Project Manager
Integration of Security Into The CPIC Process
NIST recommends a seven-step framework for the process, covering:
• Enterprise-level investments
• System-level investments
The framework provides a systematic approach to selecting, managing, and evaluating IT security investments. The methodology relies on existing data inputs so it can be readily implemented at federal agencies.
• Enterprise-Level Information: Stakeholder rankings of enterprise-wide initiatives, IT security status of enterprise-wide initiatives, and the cost of implementing the remaining appropriate security controls for enterprise-wide initiatives
• System-Level Information: System categorization, security compliance, and corrective action cost
Integrating IT Security Into the CPIC Process
Integration of Security Into The CPIC Process (Contd)
• Identify the Baseline: Use IT security metrics to determine where security weaknesses exist.
• Identify Prioritization Requirements: Corrective actions to mitigate vulnerabilities must be evaluated against the security requirements. Requirements can be CIO-articulated security priorities, enterprise-wide initiatives, or NIST SP 800-26 topic areas.
• Conduct Enterprise-Level Prioritization: Prioritize potential enterprise-level IT security investments against the mission and financial impact of implementing appropriate security controls.
Integration of Security Into The CPIC Process (Contd)
• Conduct System-Level Prioritization: Prioritize potential system-level corrective actions against system category and corrective action impact.
Joint Prioritization: The final step in the prioritization process is to combine the enterprise- and system-level prioritizations into one prioritization framework to create a security investment strategy for the agency.
Integration of Security Into The CPIC Process (Contd)
• Develop Supporting Materials:
  • Enterprise-level investments: Develop a concept paper, business case analysis, and Exhibit 300.
  • System-level investments: Adjust the Exhibit 300 to request additional funding to mitigate prioritized weaknesses.
Concept Paper: Developed by the investment owner and submitted to the IRB for review. It contains a high-level description of the proposed investment and includes rough-order-of-magnitude cost estimates, benefits, milestones, and agency impacts.
Exhibit 300: The capture mechanism for all of the analyses and activities required for full internal (IRB, OCIO) review, and the document that OMB uses to assess investments and ultimately make funding decisions.
Integration of Security Into The CPIC Process (Contd)
• Implement Investment Review Board (IRB) and Portfolio Management:
  • Prioritize agency-wide business cases against requirements and CIO priorities and determine the investment portfolio.
• Submit Exhibit 300s and Exhibit 53, and Conduct Program Management:
  • Ensure approved Exhibit 300s become part of the agency's Exhibit 53.
  • Ensure investments are managed through their life cycle (using EVM for D/M/E investments and operational assessments for steady-state investments) and through the GAO's ITIM maturity framework.
Implementation Issues
The agency must implement and monitor these investments. IT security decisions are made based on system security issues and federal budgeting timelines.
• IT Security Organizational Processes
• Project Management
• Legacy Systems
• Timelines
Summary
Traditionally, information technology (IT) security and capital planning and investment control (CPIC) processes have been performed independently by security and capital planning practitioners. However, the Federal Information Security Management Act (FISMA) of 2002 and other existing federal regulations charge agencies with integrating the two activities. NIST recommends a seven-step framework for the process, covering:
• Enterprise-level investments
• System-level investments
Layers of Integration of Security into the CPIC Process
Questions?