420 likes | 756 Views
Security Is Everyone’s Business: Role-Based Training for the System Development Life Cycle . Federal Information System Security Educators Association 18 th Annual Conference March 22, 2005 Prepared by: Margaret Spanninger Booz Allen Hamilton (703) 289-5471 spanninger_margaret@bah.com.
E N D
Security Is Everyone’s Business:Role-Based Training for theSystem Development Life Cycle Federal Information System Security Educators Association 18th Annual Conference March 22, 2005 Prepared by: Margaret Spanninger Booz Allen Hamilton (703) 289-5471 spanninger_margaret@bah.com
Security is Everyone’s Business: Role-Based Training for the SDLCToday’s Presentation • Introduction • Federal Information Security Management Act (FISMA) Requirements and Business Drivers • System Development Life Cycle (SDLC) • Personnel with Significant Security Responsibility • Role-Based Training and Assurance • Implementing National Institute of Standards and Technology (NIST) Special Publication (SP) 800-16
Security is Everyone’s Business: Role-Based Training for the SDLCIntroduction This presentation is based on the premise that security integration into organizational business processes, especially the system development life cycle (SDLC) is a fundamental requirement for FISMA compliance and achieving security performance goals. • Security integration into the SDLC is one of the key elements required for resolving many of the long-standing weaknesses in information technology (IT) security and achieving sustainable performance improvements in IT security programs • Personnel at all levels must understand that “security is not an option” but an integral element of all IT systems
Security is Everyone’s Business: Role-Based Training for the SDLCFISMA Requirements and SDLC FISMA states under §3544.Federal agency responsibilities (b) Agency Program— “Each agency shall develop, document, and implement an agency-wide information security program that includes…(2) policies and procedures that…(C) ensure that information security is addressed throughout the life cycle of each agency information system.”
Security is Everyone’s Business: Role-Based Training for the SDLCBusiness Drivers • Security is less expensive to implement if it is planned from the beginning • Building security controls into the system, rather than adding them after the system is already built improves system performance • Security becomes an enabling factor rather than a barrier to success by reducing the need for expensive reengineering and reprogramming • It ensures success of certification and accreditation processes and keeps the project on schedule
Security is Everyone’s Business: Role-Based Training for the SDLCEarlier is Better • If security is not identified with other requirements, it will not be addressed • It is critical that security controls are planned in the earliest phases (BEFORE implementation) to ensure— • Adequate and appropriate resources are allocated for security throughout the system life cycle • The most cost-effective security controls are chosen and implemented • A structured and consistent approach for developing and maintaining security for information systems • Increased homogeneity among information systems and security controls within an organization to reduce operational costs • Certification and accreditation with minimal additional effort
Security is Everyone’s Business: Role-Based Training for the SDLCPhases of the SDLC • Initiation someone has a need or an idea • Development/acquisition build or buy decision • Implementation system development and/or integration • Operation/maintenance system put into service • Disposition system removed from service
Security is Everyone’s Business: Role-Based Training for the SDLCSecurity Tasks In the SDLC • Implementation • Inspection and Acceptance • System Integration • Certification & Accreditation • Operations & Maintenance • Configuration Management and Control • Continuous Monitoring • Disposition • Information Preservation • Media Sanitization • Hardware and Software Disposal • Initiation • Needs Determination • Security Categorization • Risk Assessment • Development/Acquisition • Risk Assessment • Security Functional Requirements Analysis • Security Assurance Requirements Analysis • Cost Considerations • Security Control Development • Developmental Security Test and Evaluation • Acquisition specifications
Security is Everyone’s Business: Role-Based Training for the SDLCPersonnel with Significant Security Responsibilities FISMA states under §3544.Federal agency responsibilities (a) In General.—The head of each agency shall— “(3) delegate to the agency Chief Information Officer…the authority to ensure compliance with the requirements imposed on the agency under this subchapter, including—…(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; (4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines;…”
Security is Everyone’s Business: Role-Based Training for the SDLCOPM Clarifies Who Needs Trained • OPM 5 CFR part 930.301 Computer security training program states that the following positions must be trained in computer security basics and other domains • Executives • Program and functional managers • Chief Information Officers (CIO) • IT security program managers • Auditors • System and network administrators • System/application security officers • IT function management and operations personnel
Security is Everyone’s Business: Role-Based Training for the SDLCMoving from Theory to Practice • It is critical that personnel in positions with significant security responsibilities actively participate in the SDLC • Their participation provides assurance that— 1) security requirements have been addressed 2) countermeasures have been identified 3) controls have been properly implemented and tested 4) all changes to the operational system are reviewed to ensure the integrity of the system and security solution that have been certified and accredited 5) the data, hardware, software, and documentation are disposed of properly
Security is Everyone’s Business: Role-Based Training for the SDLCNIST 800-16 Provides Framework • Three primary domains of security knowledge • Laws and regulations • Security programs with two sub-categories • Security in the SDLC with six subcategories • Six functional roles associated with each of the primary categories • Manage • Acquire • Design and develop • Implement and operate • Review and evaluate • Use • Twenty-six positions with significant security responsibilities
Security is Everyone’s Business: Role-Based Training for the SDLCPersonnel With Significant Security Responsibilities Play Critical Role • CIO • Sr. IRM Official • System Owner • Program Manager • Information Resource Manager • Records Mgt. Official • FOIA Official • Privacy Act Official • DAA • Certification Reviewer • ISO/ISM • Auditor, Internal • Auditor External • Source Selection Board • Contracting Officer • COTR • System Designer/Developer • System/Program Analyst • Data Center Manager • Network Administrator • System Administrator • Database Administrator • Technical Support (Help Desk) • System Operator • Telecommunications Specialist • Any position that uses IT resources Executive Acquisition Design and Development Management Operations Compliance User
Security is Everyone’s Business: Role-Based Training for the SDLCThe NIST Core Body of Knowledge • Risk management • Life cycle controls • Management controls • Operational controls • Technical controls • Awareness, training and education • Laws and regulations • IT security programs • System environment • System interconnection (physical access) • Information sharing (logical access) • Sensitivity
CIO Sr. IRM Official System Owner Program Manager Information Resource Mgr. Records Mgt. Official FOIA Official Privacy Act Official Source Selection Board Contracting Officer COTR System Designer/Developer System/Program Analyst Data Center Manager Network Administrator System Administrator Database Administrator Technical Support (Helpdesk) System Operator Telecomm. Specialist DAA Certification Reviewer ISO/ISM Auditor, Internal Auditor External Users SDLC Phase Initiation Development/Acquisition Implementation/Integration Operations & Maintenance Disposal Security is Everyone’s Business: Role-Based Training for the SDLCStakeholders and the SDLC
Security is Everyone’s Business: Role-Based Training for the SDLCRole-Based Training and NIST SP 800-16
ISO/ISM Info. Resource Manager CIO Senior IRM Official Program Manager System Owner System Designer/Developer Network Administrator System Administrator Data Center Manager Database Administrator Positions Security is Everyone’s Business: Role-Based Training for the SDLCManage Role, CBK, and Positions Laws and Regulations IT Security Program System Environment System Interconnection Information Sharing Sensitivity Risk Management Management Controls Life Cycle Controls Operational Controls Awareness and Training Technical Controls Core Body of Knowledge Cell 1A 2.1A 2.2A 3.1A 3.2A NA 3.4A 3.5A 3.6A Key: Domains Laws and Regulations SP – Planning SP – Management SLCS – Initiation SLCS – Development SLCS – Test & Evaluation SLCS – Implementation SLCS – Operation SLCS – Termination SP = Security Program SLCS = Sys Life Cycle Security
Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Manage (1 of 3) • 1A, Laws and Regulations – Managers are able to understand applicable governing documents and their relationships and interpret and apply them to the manager’s area of responsibility. • 2.1A, Security Program: Planning – Individuals involved in the management if IT security programs are able to understand principles and processes of program planning and can organize resources to develop a security program that meets organizational needs. • 2.2A, Security Program: Management – Individuals in IT security program management understand and are able to implement a security program that meets their organization’s needs.
Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Manage (2 of 3) • 3.1A, Life Cycle: Initiation – Individuals with management responsibilities are able to identify steps in the SDLC where security requirements and concerns need to be considered and to define the processes to be used to resolve those concerns. • 3.2A, Life Cycle: Development – Individuals with management responsibilities are able to ensure that the formal development baseline includes approved security requirements and that security-related features are installed, clearly identified, and documented. • 3.3A, Life Cycle: Test & Evaluation – Not applicable.
Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Manage (3 of 3) • 3.4A, Life Cycle: Implementation – Individuals with management responsibilities are able to oversee the implementation and deployment of an IT system in a manner that does not compromise in-place and tested security safeguards. • 3.5A, Life Cycle: Operations – Individuals with management responsibilities are able to monitor operations to ensure that safeguards are effective and have the intended effect on balancing efficiency with minimized risk. • 3.6A, Life Cycle: Termination – Individuals with management responsibilities are able to understand the special IT security considerations and measures required during the shutdown of a system, and effectively plan and direct these activities.
Laws and Regulations IT Security Program System Environment System Interconnection Information Sharing Sensitivity Risk Management Management Controls Life Cycle Controls Operational Controls Awareness and Training Technical Controls ISO/ISM COTR Contracting Officer Source Selection Board Senior IRM Official Telecomm Specialist Info. Resource Manager System Designer/Developer System Owner Program Manager Positions Core Body of Knowledge Cell 1B 2.1B 2.2B 3.1B 3.2B NA 3.4B 3.5B NA Key: Domains Laws and Regulations SP – Planning SP – Management SLCS – Initiation SLCS – Development SLCS – Test & Evaluation SLCS – Implementation SLCS – Operation SLCS – Termination SP = Security Program SLCS = Sys Life Cycle Security Security is Everyone’s Business: Role-Based Training for the SDLCAcquire Role, CBK, and Positions
Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Acquire (1 of 3) • 1B, Laws and Regulations – Individuals involved in the acquisition of information technology resources have sufficient understanding of IT security requirements and issues to protect the government’s interests in such acquisitions. • 2.1B, Security Program: Planning – Individuals involved in planning the IT security program can identify the resources required for successful implementation. Individuals recognize the need to include IT security requirements in IT acquisitions and to incorporate appropriate acquisition policy and oversight in the IT security program. • 2.2B, Security Program: Management – Individuals involved in managing the IT security program have a sufficient understanding of IT security and the acquisition process to incorporate IT security program requirements into acquisition work steps.
Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Acquire (2 of 3) • 3.1B, Life Cycle: Initiation – Individuals with acquisition responsibilities are able to analyze and develop acquisition documents and/or provide guidance which ensures that functional IT security requirements are incorporated. • 3.2B, Life Cycle: Development – Individuals with acquisition responsibilities are able to monitor procurement actions to ensure that IT security requirements are satisfied. • 3.3B, Life Cycle: Test & Evaluation – Not applicable.
Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Acquire (3 of 3) • 3.4B, Life Cycle: Implementation – Individuals with acquisition responsibilities are able to ensure that the system, as implemented, meets all contractual requirements related to the security and privacy of IT resources. • 3.5B, Life Cycle: Operations – Individuals with acquisition responsibilities are able to understand the IT security concerns associated with system operations and to identify and use the appropriate contract vehicle to meet current needs in a timely manner. • 3.6B, Life Cycle: Termination – Not applicable.
Laws and Regulations IT Security Program System Environment System Interconnection Information Sharing Sensitivity Risk Management Management Controls Life Cycle Controls Operational Controls Awareness and Training Technical Controls ISO/ISM Sys. Designer/Developer Program/Sys Analyst Program Manager Info. Resource Mgr. Auditor, Internal CIO Senior IRM Official System Owner Records Mgt. Official FOIA Official ISO/ISM Sys. Designer/Developer Program/Sys Analyst Program Manager Info. Resource Mgr. Auditor, Internal Privacy Act Official Database Administrator Network Administrator System Administrator System Operator Core Body of Knowledge Position Positions Cell 1C 2.1C 2.2C 3.1C 3.2C 3.3C 3.4C 3.5C NA Key: Domains Laws and Regulations SP – Planning SP – Management SLCS – Initiation SLCS – Development SLCS – Test & Evaluation SLCS – Implementation SLCS – Operation SLCS – Termination SP = Security Program SLCS = Sys Life Cycle Security Security is Everyone’s Business: Role-Based Training for the SDLCDesign/Develop Role, CBK, and Positions
(1 of 3) Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Design/Develop • 1C, Laws and Regulations – Individuals responsible for the design and development of automated information systems are able to translate IT laws and regulations into technical specifications which provide adequate and appropriate levels of protection • 2.1C, Security Program: Planning – Individuals responsible for the design and development of an IT security program are able to create a security program specific to a business process or organizational entity. • 2.2C, Security Program: Management – Individuals responsible for the design and development of an IT security program have sufficient understanding of the appropriate program elements and requirements to be able to translate them into detailed policies and procedure which provide adequate and appropriate protection for the organization’s IT resources in relation to acceptable levels of risk.
(2 of 3) Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Design/Develop • 3.1C, Life Cycle: Initiation – Individuals responsible for the design and development of IT systems are able to translate IT security requirements into system-level security specifications. • 3.2C, Life Cycle: Development – Individuals responsible for system design, development or modification are able to use baseline IT security requirements to select and install appropriate safeguards. • 3.3C, Life Cycle: Test & Evaluation – Individuals are able to design tests to evaluate the adequacy of security safeguards in IT systems.
(3 of 3) Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Design/Develop • 3.4C, Life Cycle: Implementation – Individuals responsible for system design and/or modification are able to participate in the development of procedures which ensure the safeguards are not compromised as they are incorporated into the production environment. • 3.5C, Life Cycle: Operations – Individuals responsible for system development are able to make procedural and operational changes necessary to maintain the acceptable level of risk. • 3.6C, Life Cycle: Termination – Not applicable.
Laws and Regulations IT Security Program System Environment System Interconnection Information Sharing Sensitivity Risk Management Management Controls Life Cycle Controls Operational Controls Awareness and Training Technical Controls Core Body of Knowledge ISO/ISM Network Administrator System Administrator System Operator Technical Support Program/System Analyst Auditor, Internal CIO Information Resource Mgr System Owner Senior IRM Official ISO/ISM Sys. Designer/Developer Program/Sys Analyst Program Manager Info. Resource Mgr. Program Manager System Designer/Developer Database Administrator Data Center Manager Certification Reviewer/DAA Telecom Specialist Position Position Cell 1D 2.1D 2.2D NA 3.2D 3.3D 3.4D 3.5D 3.6D Key: Domains Laws and Regulations SP – Planning SP – Management SLCS – Initiation SLCS – Development SLCS – Test & Evaluation SLCS – Implementation SLCS – Operation SLCS – Termination SP = Security Program SLCS = Sys Life Cycle Security COTRRecords Mgt OfficialFOIA OfficialPrivacy Act Official Security is Everyone’s Business: Role-Based Training for the SDLCImplement/Operate Role, CBK, and Positions
(1 of 3) Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Implement/Operate • 1D, Laws and Regulations – Individuals responsible for technical implementation and daily operations of an automated information system are able to understand IT security laws and regulations in sufficient detail to ensure that appropriate safeguards are in place and enforced • 2.1D, Security Program: Planning – Individuals responsible for implementing and operating an IT security program are able to develop plans for countermeasures, security controls, and processes as required to execute the existing program. • 2.2D, Security Program: Management – Individuals who are responsible for the implementation and daily operations of an IT security program have a sufficient understanding of the appropriate program elements and requirements to be able to apply them in a manner which provides adequate and appropriate levels of protection for the organization’s IT resources.
(2 of 3) Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Implement/Operate • 3.1D, Life Cycle: Initiation – Not applicable. • 3.2D, Life Cycle: Development – Individuals responsible for system implementation or operation are able to assemble, integrate, and install systems so that the functionality and effectiveness of safeguards can be tested and evaluated. • 3.3D, Life Cycle: Test & Evaluation – Individuals responsible for system implementation of operation are able to conduct tests of the effectiveness of security safeguards in the integrated system.
(3 of 3) Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Implement/Operate • 3.4D, Life Cycle: Implementation – Individuals responsible for system implementation or operation ensure the approved safeguards are in place and effective as the system moves into production. • 3.5D, Life Cycle: Operations – Individuals responsible for system implementation or operation are able to maintain appropriate safeguards continuously within acceptable levels of risk. • 3.6D, Life Cycle: Termination – Individuals responsible for IT system operations are able to develop and implement the system termination plan, including security requirements for archiving/disposing of resources.
Laws and Regulations IT Security Program System Environment System Interconnection Information Sharing Sensitivity Risk Management Management Controls Life Cycle Controls Operational Controls Awareness and Training Technical Controls ISO/ISM Auditor, Internal Auditor, External Certification Reviewer Info. Resource Manager Senior IRM Official CIO System Owner Program Manager DAA Records Mgt. Official Core Body of Knowledge Position Cell 1E 2.1E 2.2E 3.1E 3.2E 3.3E 3.4E 3.5E 3.6E Key: Domains Laws and Regulations SP – Planning SP – Management SLCS – Initiation SLCS – Development SLCS – Test & Evaluation SLCS – Implementation SLCS – Operation SLCS – Termination SP = Security Program SLCS = Sys Life Cycle Security Security is Everyone’s Business: Role-Based Training for the SDLCReview/Evaluate Role, CBK and Positions
(1 of 3) Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Review/Evaluate • 1E, Laws and Regulations – Individuals responsible for the review/evaluation of an automated information system are able to use IT security laws and regulations in developing a comparative baseline and determining the level of system compliance • 2.1E, Security Program: Planning – Individuals responsible for the review/evaluation of an IT security program are able to review the program to determine its continuing capability to cost-effectively address identified requirements. • 2.2E, Security Program: Management – Individuals responsible for the review/evaluation of an IT security program have adequate understanding of IT security laws, regulations, standards, guidelines, and the organizational environment to determine if the program adequately addresses all threats and areas of potential vulnerability.
(2 of 3) Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Review/Evaluate • 3.1E, Life Cycle: Initiation – Individuals are able to evaluate planning documents associated with a particular system to ensure that appropriate IT security requirements have been considered and incorporated. • 3.2E, Life Cycle: Development – Individuals responsible for review and evaluation are able to examine development efforts at specified milestones to ensure that approved safeguards are in place and documented. • 3.3E, Life Cycle: Test & Evaluation – Individuals are able to evaluate the appropriateness of test methodologies, and conduct independent tests and evaluations to ensure that adequate and appropriate safeguards are in place, effective, and documented; and to prepare C&A documentation.
(3 of 3) Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Review/Evaluate • 3.4E, Life Cycle: Implementation – Individuals responsible for review and evaluation are able to analyze system and test documentation to determine whether the system provides adequate and appropriate IT security to support C&A. • 3.5E, Life Cycle: Operations – Individuals responsible for review and evaluation are able to examine the operational system to determine the adequacy and effectiveness of safeguards and to ensure that a consistent and appropriate level of security is maintained. • 3.6E, Life Cycle: Termination – Individuals responsible for review and evaluation are able to verify the appropriateness of the termination plan and processes used to terminate the IT system securely.
Laws and Regulations IT Security Program System Environment System Interconnection Information Sharing Sensitivity Risk Management Management Controls Life Cycle Controls Operational Controls Awareness and Training Technical Controls Core Body of Knowledge Position ISO/ISM Users System Owner Info. Resource Manager Cell 1F NA NA 3.1E 3.2E 3.3E 3.4E 3.5E NA Key: Domains Laws and Regulations SP – Planning SP – Management SLCS – Initiation SLCS – Development SLCS – Test & Evaluation SLCS – Implementation SLCS – Operation SLCS – Termination SP = Security Program SLCS = Sys Life Cycle Security Security is Everyone’s Business: Role-Based Training for the SDLCUse Role, CBK and Positions (1 of 3)
Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Use (1 of 3) • 1F, Laws and Regulations – users understand individual accountability and applicable governing documents (e.g., Computer Security Act, Computer Fraud and Abuse Act, Copyright Act, Privacy Act) • 2.1F, Security Program: Planning – Not applicable. • 2.2F, Security Program: Management – Not applicable.
Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Use (2 of 3) • 3.1F, Life Cycle: Initiation – Potential users are able to participate in needs analyses and understand the various points of view involved in setting the balance between IT security controls and system efficiency. • 3.2F, Life Cycle: Development – Potential users are able to provide input to system development efforts to ensure that IT security safeguards are as transparent to the user as feasible and are balanced with ease of use. • 3.3F, Life Cycle: Test & Evaluation – Users are able to participate in acceptance tests and evaluate the impact of security safeguards on the operational environment.
Security is Everyone’s Business: Role-Based Training for the SDLCBehavioral Outcome for Use (3 of 3) • 3.4F, Life Cycle: Implementation – Users are able to identify and report security and efficiency concerns encountered during normal operations. • 3.5F, Life Cycle: Operations – Users are able to understand the objectives of and comply with the “rules of behavior” for the system. • 3.6F, Life Cycle: Termination – Not applicable.
Security is Everyone’s Business: Role-Based Training for the SDLCFinal thoughts • Training can promote cultural change • It can shift the workforce from being observers who show interest in security to becoming participants who demonstrate commitment to security • It is only through the understanding of these security roles and their relationships among each other and across the life cycle that total security integration can occur
Security Is Everyone’s Business:Role-Based Training for theSystem Development Life Cycle Thanks for attending this session! Federal Information System Security Educators Association 18th Annual Conference March 22, 2005 Prepared by: Margaret Spanninger Booz Allen Hamilton (703) 289-5471 spanninger_margaret@bah.com