Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Chapter 12: Aligning the ICT Organization with Regulatory Requirements

Objectives
• Understand the role of government regulatory requirements in shaping ICT security
• Understand how the Federal Information Security Management Act (FISMA) shapes ICT security
• Understand the implementation process for FISMA compliance
• Understand the specific purpose of NIST 800-53 categories
Overview of Regulatory Models for ICT Organizations
• Regulatory models: an unconventional method for structuring an ICT organization
• Compliance with a regulatory model is mandated in several important ICT venues
  • Health care and government
• Regulatory models dictate the way particular types of organizations should perform their ICT work

Overview of Regulatory Models for ICT Organizations
• Examples of frameworks at the federal level:
  • Sarbanes-Oxley Act (SOX)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Federal Information Security Management Act (FISMA)
• FISMA is comprehensive legislation that dictates every aspect of correct security practice for large-scale information system environments
• This chapter focuses on FISMA
The Federal Information Security Management Act of 2002
• FISMA is an element of the E-Government Act
  • Formerly known as Title III, Section 301, Information Security
• FISMA may apply to more than just federal information systems
  • Private industries that serve as government contractors, and their private-sector supply chains
• FISMA is implemented by two Federal Information Processing Standards publications (FIPS PUBS)
  • The standards are issued by the National Institute of Standards and Technology (NIST)
FIPS 199
• FIPS 199 serves as the basis for selecting appropriate security controls depending on the security needs of the information being protected
• Information and information systems are categorized by FIPS 199 based on three levels of risk:
  • High, medium, and low
• The sensitivity of the information in each system must be categorized at its highest level of potential impact on security
  • This concept is known as the high water mark

FIPS 199
• The high water mark concept is used to value the overall impact level of the information in the system
• Using the high water mark rule:
  • A low-impact information system is one in which all three security objectives (confidentiality, integrity, and availability) are categorized as low
  • A moderate-impact information system is one in which at least one of the security objectives is moderate and none are greater than moderate
  • A high-impact information system is one in which at least one security objective is high
FIPS 200
• FIPS 200 guides the implementation of security controls for the information and information systems in each of the FIPS 199 categories
• FIPS 200 specifies minimum security requirements in 17 security-related domains
• Federal agencies must meet these requirements by using the security controls specified in NIST 800-53, “Recommended Security Controls for Federal Information Systems Implementation”

FIPS 200
• FIPS 200 adopts a risk-based approach to the selection of the security controls needed to satisfy the minimum requirements for each FIPS 199 category
• FIPS 200 is meant to promote the development, implementation, and operation of more secure information systems within the federal government
  • It establishes minimum levels of due diligence for security
  • It helps agencies use a more consistent, comparable, and repeatable approach for specifying security controls
FIPS 200
• The following 17 security-related areas are specified in FIPS 200:
  • Access control
  • Audit and accountability
  • Awareness and training
  • Certification, accreditation, and security assessments
  • Configuration management
  • Contingency planning
  • Identification and authentication
  • Incident response
  • Maintenance
  • Media protection
  • Personnel security
  • Physical and environmental protection
  • Planning
  • Risk assessment
  • System and communication protection
  • System and information integrity
  • Systems and services acquisition
NIST 800-53 and General Implementation for FIPS 200
• The minimum security requirements of FIPS 200 are met by selecting the appropriate controls and assurance requirements from NIST 800-53
• After categorizing security for its system:
  • The organization selects a set of security controls from NIST 800-53 that satisfy the minimum security requirements for the 17 areas in FIPS 200
  • Low-impact systems must employ security controls from the low baseline defined in NIST 800-53
  • Moderate-impact systems use the moderate baseline, and high-impact systems the high baseline, in NIST 800-53

NIST 800-53 and General Implementation for FIPS 200
• Unless exceptions are granted, organizations must employ all security controls specified for their respective baselines
• The process of security categorization should involve senior decision makers, including:
  • Chief information officers, senior officers for information security, accrediting authorities, information system owners, and information stakeholders
• The set of security controls should be documented in the security plan for the information system
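The FIPS 199 high water mark rule from the two FIPS 199 slides, and the baseline selection the slide above describes, are short enough to write down as code. The following Python is an added illustration, not material from the book or from NIST; the three information types and their impact levels are constructed sample data, and the rule that the overall impact level names the 800-53 baseline is the FIPS 200 mapping the slides state.

```python
"""FIPS 199 categorization with the high water mark rule, then the
NIST 800-53 baseline that FIPS 200 points the system at.

Added illustration: the information types and impact levels below are
constructed sample data, not values from any real system."""
from dataclasses import dataclass
from typing import Dict, Iterable

# FIPS 199 uses three impact levels; rank them so max() picks the highest.
LEVELS = ("low", "moderate", "high")
RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """Impact level assigned to each of the three security objectives."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        # Reject anything outside low/moderate/high (e.g. a stray "medium").
        for obj in OBJECTIVES:
            if getattr(self, obj) not in RANK:
                raise ValueError(f"{obj}: unknown impact level {getattr(self, obj)!r}")


def highest(levels: Iterable[str]) -> str:
    """Return the highest-ranked impact level among those given."""
    return max(levels, key=RANK.__getitem__)


def system_category(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """Aggregate the information types a system processes: for each objective,
    take the highest impact level across all types (system-level category)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return SecurityCategory(
        *(highest(getattr(sc, obj) for sc in info_types.values()) for obj in OBJECTIVES)
    )


def high_water_mark(sc: SecurityCategory) -> str:
    """Overall impact level = highest of the three objectives:
    low only if all three are low; moderate if at least one is moderate and
    none is higher; high if any objective is high."""
    return highest(getattr(sc, obj) for obj in OBJECTIVES)


def baseline_for(sc: SecurityCategory) -> str:
    """FIPS 200: the overall impact level selects the 800-53 baseline of the same name."""
    return high_water_mark(sc)


# Constructed sample: one system carrying three information types.
SAMPLE_SYSTEM = {
    "public web content": SecurityCategory("low", "moderate", "low"),
    "employee PII":       SecurityCategory("moderate", "moderate", "low"),
    "audit logs":         SecurityCategory("low", "moderate", "moderate"),
}

if __name__ == "__main__":
    sc = system_category(SAMPLE_SYSTEM)
    print("system category:", sc)
    print("high water mark:", high_water_mark(sc), "-> baseline:", baseline_for(sc))
```

Note that the per-objective aggregation across information types and the high water mark across objectives are two separate maximums: the sample system is moderate on every objective even though no single information type is, and its baseline is therefore moderate.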
Generic Security Controls
• Security controls: specific management, operating, and technical behaviors designed to protect information security in an organization
• Implementation of 800-53 is built around periodic assessments of risk and feedback obtained during preventative maintenance inspections of each control
• Within larger strategic management plans, specifically targeted plans are documented to ensure sufficient security for individual networks, facilities, or information systems

Generic Security Controls
• The overall plan should also include:
  • Periodic testing and reviews to evaluate the effectiveness of all security policies, procedures, practices, and security controls
  • Procedures for detecting, reporting, and responding to security incidents to ensure continuity of operations

NIST 800-53 Catalog of Baseline Controls
• The goal of 800-53 is to facilitate a more consistent, comparable, and repeatable approach for selecting and specifying security controls
  • And to provide a catalog of those controls
• The control catalog provides a complete set of prototype controls to enable a comprehensive security response
• The 800-53 baseline ensures that security controls are defined consistently across the organization
Organizational Risk Management and NIST 800-53
• The standard recommends the following steps for building an effective risk management system:
  1. Understand the impact of risk on each system in the organization
  2. Select and set a baseline for a satisfactory set of security controls to address the estimated impacts on each system
  3. Adjust or tailor the initial baseline of security controls after assessing the impacts of identified risk on the system’s operating environment
  4. Document the security controls in the system security plan, including justification for refinements or adjustments to the initial set of controls
  5. Implement the security controls in the system
  6. Assess the performance of the security controls to determine that they were implemented correctly, operate correctly, and satisfy security requirements
  7. Monitor and assess the selected controls continually

Organizational Risk Management and NIST 800-53
• Security risks have to be categorized
  • To align specific implemented security measures with the importance of the information they are designed to protect
• After selecting an appropriate security control baseline:
  • The organization must consult the standard to apply scoping to the initial baseline
  • Scoping ensures a proper balance between the degree of protection and the assumed level of threat
Practical Security Control Architectures
• Security controls in NIST 800-53 are organized into classes and families for ease of use
• The three general classes of security controls are:
  • Management, operational, and technical
• Characterization of the security control architecture involves three elements:
  • A control description section
  • A supplemental guidance section for application of the control
  • A control enhancements section
Part One of the Control Statement: Control Section
• The control section is a concise statement of the security capability that must be implemented to protect a particular aspect of an information system
• The control catalog allows a degree of flexibility in tailoring some of its controls
  • It lets the organization selectively define how to carry out any set of actions associated with the control

Part Two of the Control Statement: Supplemental Guidance
• This section provides additional information that might be needed to clarify the control statement
• Example:
  • The standard suggests that any applicable federal legislation, executive orders, directives, policies, regulations, standards, and other reference documents might be included in the control documentation

Part Three of the Control Statement: Control Enhancements
• Control enhancement: a security capability that is required to create additional functionality or strength for a basic control
• Control enhancements are numbered sequentially within the document for each control
  • Each addition to the basic functionality can be easily identified during an inspection or audit
Real-World Control Formulation and Implementation
• A challenge in formulating and implementing security controls:
  • Identifying the right set of controls to address the real-world situation
• Using a standard baseline of “must address” controls as a starting point is helpful
• For conventional organizations, assurance requirements would probably be established based on a comprehensive threat analysis

Real-World Control Formulation and Implementation
• For government organizations:
  • Requirements are dictated by the formal security categorizations and baseline controls in FIPS 199
  • NIST 800-53, Appendix D specifies three sets of minimum security baseline controls that correspond to the impact levels in FIPS 199 (low, medium, high)
  • The baseline controls provide a point of reference for the organization to select and install the necessary countermeasures to achieve security goals for a system’s impact level

Real-World Control Formulation and Implementation
• 800-53 control activities are applied one control at a time
  • The controls are grouped by security control baseline
• Supplemental guidance is provided to help tailor the final set of controls to the specific application
  • When an organization’s security needs do not conform to the assurance provided by the standard baseline
NIST 800-53 Control Baselines
• NIST 800-53 baselines provide the initial point of reference for selecting and implementing controls to achieve security goals
• The baseline is used to design and implement safeguards and countermeasures that mitigate risks to an organization’s operations and assets
• Requirements for security controls within each category of baselines are described by three tables in three annexes to the standard
  • Annex One, Annex Two, and Annex Three

The Low Baseline
• Assurance requirement for the low baseline:
  • The organization can demonstrate that the security control is in place and generally achieves the expressed requirements in the control statement
• Primary outcomes of the low baseline:
  • All security controls are defined
  • No obvious errors are likely to exist
  • Any flaws in the security scheme will be addressed promptly as they are discovered

The Low Baseline
• The organization provides a description of the control’s functional properties
  • As well as its design and development requirements
• The organization develops a precise description of all requisite behaviors, technical actions, and activities
  • To ensure that the control will satisfy all intended outcomes when implemented properly
• The organization must also include a description of how it will continually assess and improve the effectiveness of the control

The Moderate Baseline
• Organizations must:
  • Design and document each control so that defects and anomalies will be detected and corrected
  • Be able to demonstrate that these security controls are present and documented
  • Develop a description of the behaviors that the control must exhibit
  • Ensure the performance of the people involved in designing and operating the security controls
  • Provide a detailed policy description of staff responsibilities and behaviors

The High Baseline
• Assurance requirements must be trustworthy enough to ensure reliable execution of the control and its continual improvement
• The organization must:
  • Use formal and well-defined processes to design, develop, and implement its controls
  • Produce documentation to support audited proof of compliance with the security requirements for high-impact baselines

The High Baseline
• The prior requirements for the low and moderate baselines also apply to high-impact baselines
• The organization must provide a description of the expected outcomes for each control’s operation
• To ensure a control works properly:
  • All interactions with hardware, software, vendors, and other personnel must be described and documented
  • The description should include relevant contractors and ancillary stakeholders

Enhancements to Control Baselines
• The need might arise to add unconventional assurance requirements
  • To enhance protection and supplement the minimum assurance requirements stipulated for the moderate and high baselines
Six Feasibility Considerations for NIST 800-53
• Influences on how baseline controls are applied:
  • Technological feasibility: an organization cannot recommend a control without considering whether the needed technology is in place
  • Compatibility of management processes: an organization must be able to say with assurance that a change to operating processes will not harm security
  • Denial of service: the addition of a behavioral control that conflicts with an everyday business process can lead to a security exposure or harm business operations
  • System evolution: the ability to extend a system over the long term
  • Economy of mechanism: the user is less likely to make a mistake in executing a control if it is intuitively obvious to operate
  • Consideration of injected risk: a new risk can be mitigated if it is properly considered at the time the change is made
Compensating Security Controls
• Modifications to the baseline recommendations will probably be needed
  • To achieve the requisite level of assurance
• Modifications are mostly driven by a supplemental risk evaluation
  • That leads to tailoring decisions and the eventual controls that are documented in the security plan
• Security control baselines in 800-53 should be viewed as a starting point
  • The control catalog in Annex D can be used to add additional controls

Compensating Security Controls
• Determination of the final set of security controls is dictated by the organization’s risk environment
  • Ongoing assessments of existing security threats should occur
• Controls specified in the NIST 800-53 control catalog might not be part of a particular low, moderate, or high baseline
• The standard states that the organization may “employ a compensating security control that provides equivalent or comparable protection”

Compensating Security Controls
• The organization selects the compensating control from the security control catalog
• Then it provides a comprehensive justification for how the compensating control represents an equivalent security capability or level of protection
• Next, the organization assesses and formally accepts the risk associated with employing an alternative control
• Use of the control must be reviewed by the appropriate authority and then documented in the security plan
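The rules on the two slides above (every baseline control must be employed unless an exception is granted, and a compensating control counts only once it carries a justification, formal risk acceptance, review by the appropriate authority, and an entry in the security plan) make a straightforward gap check. The Python below is an added illustration, not the book's or NIST's code: the control identifiers use the 800-53 family naming, but the baseline contents are a constructed toy subset, not the real Appendix D tables, and the sample plan is likewise constructed.

```python
"""Gap check of a system security plan against its required 800-53 baseline,
honouring documented compensating controls and formally granted exceptions.

Added illustration. TOY_BASELINES is a constructed subset for demonstration;
the real baselines are far larger and are defined by the standard."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed toy baselines: control IDs required at each impact level.
TOY_BASELINES: Dict[str, Set[str]] = {
    "low":      {"AC-2", "AU-2", "IA-2", "CM-6", "IR-4"},
    "moderate": {"AC-2", "AC-17", "AU-2", "IA-2", "CM-6", "IR-4", "RA-5", "SC-7"},
}
TOY_BASELINES["high"] = TOY_BASELINES["moderate"] | {"AU-9", "SI-4"}


@dataclass
class CompensatingControl:
    replaces: str                           # baseline control it stands in for
    control: str                            # catalog control chosen instead
    justification: str                      # why protection is equivalent or comparable
    risk_accepted_by: Optional[str] = None  # authority that formally accepted the risk
    reviewed_by: Optional[str] = None       # appropriate authority that reviewed its use

    def is_complete(self) -> bool:
        """A compensating control only counts once all three steps are on record."""
        return (bool(self.justification.strip())
                and self.risk_accepted_by is not None
                and self.reviewed_by is not None)


@dataclass
class SecurityPlan:
    impact_level: str
    implemented: Set[str]
    compensating: List[CompensatingControl] = field(default_factory=list)
    exceptions: Set[str] = field(default_factory=set)  # formally granted waivers


def gap_report(plan: SecurityPlan) -> Dict[str, List[str]]:
    """Classify every baseline control as covered, excepted, backed by an
    incomplete compensating control, or simply missing."""
    required = TOY_BASELINES[plan.impact_level]
    comp = {c.replaces: c for c in plan.compensating}
    report: Dict[str, List[str]] = {
        "covered": [], "excepted": [], "incomplete_compensation": [], "missing": []}
    for ctrl in sorted(required):
        if ctrl in plan.implemented:
            report["covered"].append(ctrl)
        elif ctrl in plan.exceptions:
            report["excepted"].append(ctrl)
        elif ctrl in comp:
            bucket = "covered" if comp[ctrl].is_complete() else "incomplete_compensation"
            report[bucket].append(ctrl)
        else:
            report["missing"].append(ctrl)
    return report


def plan_is_compliant(plan: SecurityPlan) -> bool:
    """Compliant when nothing is missing and no compensation is half-documented."""
    r = gap_report(plan)
    return not r["missing"] and not r["incomplete_compensation"]


# Constructed sample plan for a moderate-impact system: RA-5 is replaced by a
# compensating control whose risk acceptance and review have not been recorded.
SAMPLE_PLAN = SecurityPlan(
    impact_level="moderate",
    implemented={"AC-2", "AU-2", "IA-2", "CM-6", "IR-4", "SC-7"},
    compensating=[CompensatingControl(
        replaces="RA-5", control="SI-4",
        justification="Monitoring on this closed segment reports the weaknesses "
                      "periodic scanning would find.")],
)

if __name__ == "__main__":
    for bucket, controls in gap_report(SAMPLE_PLAN).items():
        print(f"{bucket:24s} {', '.join(controls) or '-'}")
    print("compliant:", plan_is_compliant(SAMPLE_PLAN))
```

Run as written, the sample plan reports AC-17 missing and RA-5 under incomplete compensation; recording the risk acceptance and review on the compensating control, and a granted exception for AC-17, is what turns the result to compliant. The check deliberately treats an undocumented compensating control as a gap rather than as coverage.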
Summary
• Regulatory models are excellent examples of frameworks for defining processes
• FISMA, the Federal Information Security Management Act, is known officially as Title III of P.L. 107-347, the E-Government Act
• Three standards guide compliance with FISMA
  • FIPS 200 is further implemented by a third standard, Special Publication 800-53 from the National Institute of Standards and Technology (NIST)
• FIPS 199 is an organization’s basis for selecting appropriate security controls for information

Summary
• The application of FISMA’s requirements is dictated by the information’s classification level
• Information and information systems are categorized in FIPS 199 based on three levels of risk: high, medium, and low
• FIPS 200 specifies minimum security requirements for federal agencies in 17 domains
• Federal agencies meet the minimum security requirements in each domain by using the security controls specified in NIST 800-53

Summary
• FIPS 200 implements a risk-based process for selecting security controls
• The controls in NIST 800-53 represent a range of safeguards and countermeasures