1 / 19

Department of Defense Intelligence Community National Institute of Standards and Technology

Integrated Enterprise-wide Risk Management Information Security Transformation for the Federal Government AFCEA Cybersecurity Symposium June 25, 2009. Department of Defense Intelligence Community National Institute of Standards and Technology. Information Security Transformation.

kentaro
Download Presentation

Department of Defense Intelligence Community National Institute of Standards and Technology

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Integrated Enterprise-wide Risk ManagementInformation Security Transformation for the Federal GovernmentAFCEA Cybersecurity SymposiumJune 25, 2009 Department of Defense Intelligence Community National Institute of Standards and Technology

  2. Information Security Transformation Establishing a common approach to risk management Converging parallel efforts across the IC, DoD, and federal civil agencies. Leveraging partnerships with CNSS and NIST Benefiting the federal government and its partners Facilitating information sharing and reciprocity Achieving process efficiencies Improving communication and increasing decision advantage Promoting outreach to state and local governments and private sector (including contracting base)

  3. Transformation Goals Establish a common approach to risk management. Define a common set of trust (impact) levels; adopt and apply those levels across the federal government. Adopt reciprocity as the norm, enabling organizations to accept the approvals by others without retesting or reviewing. Define, document, and adopt common security controls. Adopt a common security lexicon—providing a common language and common understanding.

  4. Transformation Goals Institute a senior risk executive function, which bases decisions on an “enterprise” view of risk considering all factors, including mission, IT, budget, and security. Incorporate information security into Enterprise Architectures and deliver security as common enterprise service across the federal government. Enable a common process that incorporates information security within the “life cycle” processes and eliminate security-specific processes.

  5. Unique Information Security Requirements The “Delta” Intelligence Community Department of Defense Federal Civil Agencies • Foundational Set of Information Security Standards and Guidance • Standardized risk management process • Standardized security categorization (criticality/sensitivity) • Standardized security controls (safeguards/countermeasures) • Standardized security assessment procedures • Standardized security authorization process Common Information Security Requirements Unified Information Security Framework The Generalized Model National security and non national security information systems

  6. STRATEGIC RISK FOCUS TACTICAL RISK FOCUS • Multi-tiered Risk Management Approach • Implemented by the Risk Executive Function • Enterprise Architecture and SDLC Focus • Flexible and Agile Implementation LEVEL 1 Organization NIST SP 800-39 LEVEL 2 Mission / Business Process LEVEL 3 Information System Risk Management Hierarchy

  7. Risk Executive Function (Oversight and Governance) • Risk Assessment Methodologies • Risk Mitigation Approaches • Risk Tolerance • Risk Monitoring Approaches • Linkage to ISO/IEC 27001 Risk Management Strategy LEVEL 1 Organization NIST SP 800-39 LEVEL 2 Mission / Business Process LEVEL 3 Information System Risk Management Hierarchy

  8. Risk Management Strategy LEVEL 1 Organization NIST SP 800-39 LEVEL 2 Mission / Business Process LEVEL 3 Information System Risk Management Hierarchy • Mission / Business Processes • Information Flows • Information Categorization • Information Protection Strategy • Information Security Requirements • Linkage to Enterprise Architecture

  9. LEVEL 1 Organization NIST SP 800-37 LEVEL 2 Mission / Business Process • Linkage to SDLC • Information System Categorization • Selection of Security Controls • Security Control Allocation and Implementation • Security Control Assessment • Risk Acceptance • Continuous Monitoring Risk Management Framework LEVEL 3 Information System Risk Management Hierarchy

  10. Starting Point FIPS 199 / SP 800-60 / CNSSI 1253 CATEGORIZE Information System FIPS 200 / SP 800-53 / CNSSI 1253 SP 800-37 / SP 800-53A Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. SELECT Security Controls MONITOR Security State Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. Continuously track changes to the information system that may affect security controls and reassess control effectiveness. Security Life Cycle SP 800-39 SP 800-37 AUTHORIZE Information System SP 800-53A SP 800-70 Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. ASSESS Security Controls IMPLEMENT Security Controls Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). Risk Management Framework

  11. RISK EXECUTIVE FUNCTION Enterprise-wide Oversight, Monitoring, and Risk Management Strategy Organizational Inputs Laws, Directives, Policy Guidance Strategic Goals and Objectives Priorities and Resource Availability Supply Chain Considerations Architecture Description Architecture Reference Models Segment and Solution Architectures Mission and Business Processes Information System Boundaries RMF RISK MANAGEMENT FRAMEWORK INFORMATION SYSTEM INFORMATION SYSTEM Authorization Decision Authorization Decision SP SP SP SP SP SP SAR SAR SAR SAR SAR SAR INFORMATION SYSTEM INFORMATION SYSTEM Authorization Decision POAM POAM POAM POAM POAM POAM Authorization Decision Common Controls (Inherited by Information Systems) Authorization Decision Authorization Decision SP: Security Plan SAR: Security Assessment Report POAM: Plan of Action and Milestones

  12. Organization One INFORMATION SYSTEM Business / Mission Information Flow Security Plan Security Assessment Report Plan of Action and Milestones Recognition of Authorization Results Organization Two INFORMATION SYSTEM Security Plan Risk Management Information Security Assessment Report Plan of Action and Milestones Determining risk to the organization’s operations and assets, individuals, other organizations, and the Nation; and the acceptability of such risk. Determining risk to the organization’s operations and assets, individuals, other organizations, and the Nation; and the acceptability of such risk. The objective is to achieve transparency of prospective partner’s information security authorization processes…establishing trust relationships based on common, shared risk management principles.

  13. Common Community-wide Information Security Publications CNSS and NIST Information Security Publications DoD, Intelligence Community, and NIST Information Security Publications The Path to Convergence Stage 1

  14. NIST SP 800-53 NIST SP 800-37 Common Community-wide Information Security Publications Stage 2 CNSS and NIST Information Security Publications DoD, Intelligence Community, and NIST Information Security Publications The Path to Convergence

  15. NIST SP 800-53 Key Risk Management Publication • NIST Special Publication 800-53, Revision 3 (Final Public Draft) Recommended Security Controls for Federal Information Systems and Organizations Published: June 2009 • Updating all material from NIST Special Publication 800-53, Revision 2 • Incorporating security controls from Draft CNSS Instruction 1253 • Incorporating new security controls for advanced cyber threats • Incorporating information security program-level controls • Incorporating threat appendix for cyber preparedness (Separately vetted and added to SP 800-53, Revision 3 when completed)

  16. NIST SP 800-37 Key Risk Management Publication • NIST Special Publication 800-37, Revision 1 (Final Public Draft) Applying the Risk Management Framework to Federal Information Systems Projected: August 2009 • Incorporating comments from Initial Public Draft • Implementing guideline for Risk Management Framework • Transforming previous certification and accreditation process • Integrating Risk Management Framework into the SDLC • Greater emphasis on ongoing monitoring of information system security state • Ongoing security authorizations informed by risk executive function • Greater accountability and assurances for common (inherited) controls • Increased use of automated support tools

  17. NIST SP 800-39 Key Risk Management Publication • NIST Special Publication 800-39 (Third Public Draft) Managing Enterprise Risk: An Integrated System Life Cycle Approach Projected: September 2009 • Incorporating public comments from NIST Special Publication 800-39, Second Public Draft • Incorporating three-tiered risk management approach: organization, mission/business process, and information system views • Incorporating cyber preparedness information • Providing ISO/IEC 27001 mapping to risk management publications

  18. NIST SP 800-30 Key Risk Management Publication • NIST Special Publication 800-30, Revision 1 (Initial Public Draft) Guide for Conducting Risk Assessments Projected: December 2009 • Down scoping current publication from risk management focus to risk assessment focus • Providing guidance for conducting risk assessments at each step in the Risk Management Framework • Incorporating threat information for cyber preparedness

  19. Transformation… Getting There Current State Lack of reciprocity in authorization and assessment results Resource intensive Redundant and duplicative activities Inconsistent policy and process implementation Lack of automation (for both workflow and testing tools) Lack of standardized documentation and artifacts to facilitate informed decisions Three-year “Paperwork Drill” The Future • Enabled reciprocity and information sharing • Improve security postures (architecture and information) • Streamline process and improve end-product quality • Uniform set of policies and practices • Consistent implementation • Streamline resources and cut costs • Continuous monitoring

More Related