1 / 20

Integrating IT Security into the Capital Planning and Investment Control Process National Institute of Standards and Tec

Integrating IT Security into the Capital Planning and Investment Control Process National Institute of Standards and Technology (NIST). Presented By: Thelma Ameyaw Security Management TEL2813 . AGENDA. Introduction Legislative and Regulatory Environment Overview

tavita
Download Presentation

Integrating IT Security into the Capital Planning and Investment Control Process National Institute of Standards and Tec

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Integrating IT Security into the Capital Planning and Investment Control ProcessNational Institute of Standards and Technology (NIST) Presented By: Thelma Ameyaw Security Management TEL2813 Thelma Ameyaw TEL2813

  2. AGENDA • Introduction • Legislative and Regulatory Environment Overview • Security and Capital Planning Integration Roles & Responsibilities • Integration of Security Into The CPIC Process • Implementation Issues • Summary Thelma Ameyaw TEL2813

  3. Introduction • Background • Federal Information Security Management Act(FISMA)-2002 • FISMA, Clinger Cohen Act, other associated guidance and regulations, and the Office of Management and Budget (OMB) Circulars A-11 and A-130 , charge agencies with integrating IT security and the capital planning and Investment Control (CPIC)process • Purpose & Scope • Assist federal agencies in integrating IT Security into CPIC processes by providing a systematic approach to selecting, managing, and evaluating IT security investments. Thelma Ameyaw TEL2813

  4. Legislative and Regulatory Environment Overview (LREO) The implementation of IT security and capital planning practices within the federal government is driven by a combination of legislation, rules, and regulations, and agency-specific policies. To be funded, IT investments must demonstrate compliance with all applicable requirements specified in the guidance • Reporting Requirements • FISMA • Charges OBM and NIST to develop security standards and identify tolerable security risk levels • Makes NIST standards compulsory for all agencies - (no waivers) • Charges agencies to integrate IT security into capital planning Thelma Ameyaw TEL2813

  5. Federal IT Security and Capital Planning Legislation, Regulations, and Guidance FISMA provides overarching requirements for securing federal resources and ensuring that security is incorporated into all phases of the investment lifecycle. Thelma Ameyaw TEL2813

  6. The Selection-Control-Evaluate Investment Life Cycle Thelma Ameyaw TEL2813

  7. LREO - Contd • Select-Control-Evaluate Investment Life Cycle: In concert with OMB capital planning and NIST security requirements agencies are required to adhere to the GAO best practices- the 3 phased investment life cycle model for federal IT investments • Select : Assessing and prioritizing • Control : Monitor investment • Evaluate : Efficacy of Investment • Earned Value Management (EMV) EVM is a systematic integration and measurement of cost, schedule, and accomplishments of an investment that enables agencies to evaluate investment performance during Development, Modernization, and/or Enhancement (D/M/E). The EVM enables: • Project managers(PM) estimation of time and cost • PM to determine what work has been accomplished to date for the funds expanded and how long it will take the investment to reach maturity. Thelma Ameyaw TEL2813

  8. LREO - Contd • IT Investment Management(ITIM): The GAO maturity framework can be used to determine the current status of an agency’s ITIM capabilities including recommendations. • Plan of Action and Milestones(POA&M): • Through the ILC the POA&M is used to identify security weaknesses and track mitigation efforts of agency IT investments until the weakness has been successfully mitigated. • Risks: • Security Risk • Investment Risk Thelma Ameyaw TEL2813

  9. Security and Capital Planning Integration Roles & Responsibilities • Integrating IT security into the CP process requires input and collaboration across agencies and functions. • Many different stakeholders from IT security , CP and executive leadership areas play roles and make decisions and ultimately forming a well balanced IT portfolio. • Head of Agency • Senior Agency Officials • Chief information Officer • Senior Agency Information Security Officer • Chief Financial Officer • Investment Review • Project Manager Thelma Ameyaw TEL2813

  10. Integration of Security Into The CPIC Process NIST recommends a seven-step framework for the process • Enterprise-level investments • System-level investments • The framework provides a systematic approach to selecting, managing, and evaluating IT security investments. The methodology relies on existing data inputs so it can be readily implemented at federal agencies. • Enterprise-Level Information Stakeholder rankings of enterprise-wide initiatives, Enterprise-wide initiative IT security status, Cost of implementing remaining appropriate security controls for enterprise-wide initiatives • System-Level Information System categorization, Security compliance, Corrective action cost Thelma Ameyaw TEL2813

  11. Integrating IT Security Into the CPIC Process Thelma Ameyaw TEL2813

  12. Integration of Security Into The CPIC Process (Contd) • Identify the Baseline: Using IT security metrics to determine where security weaknesses exist. • Identify Prioritization Requirements: Corrective actions to mitigate vulnerabilities must be evaluated against the security requirements. Requirements can be CIO-articulated security priorities, enterprise-wide initiatives, or NIST SP 800-26 topic areas. • Conduct Enterprise-Level Prioritization: prioritize potential enterprise-level IT security investments against mission and financial impact of implementing appropriate security controls. Thelma Ameyaw TEL2813

  13. Integration of Security Into The CPIC Process (Contd) • Conduct System-Level Prioritization: prioritize potential system-level corrective actions against system category and corrective action impact. Joint Prioritization The final step in the prioritization process is to combine the enterprise- and system-level prioritizations into one prioritization framework to create a security investment strategy for the agency. Thelma Ameyaw TEL2813

  14. Integration of Security Into The CPIC Process (Contd) • Develop Supporting Materials: • Enterprise-level investments: Develop concept paper, business case analysis, and Exhibit 300. • System-level investments: Adjust Exhibit 300 to request additional funding to mitigate prioritized weaknesses. Concept Paper: It is developed by the investment owner and submitted to the IRB for review. It contains a high level description of the proposed investment and includes rough order of magnitude, costing estimates, benefits, milestones, and agency impacts The Exhibit 300 : is the capture mechanism for all of the analyses and activities required for full internal (IRB, OCIO) review. is the document that OMB uses to assess investments and ultimately make funding decisions. Thelma Ameyaw TEL2813

  15. Integration of Security Into The CPIC Process (Contd) • Implement Investment Review Board (IRB) and Portfolio Management: • Prioritize agency-wide business cases against requirements and CIO priorities and determine investment portfolio. • Submit Exhibit 300s, Exhibit 53, and Conduct Program Management: • Ensure approved 300s become part of the agency’s Exhibit 53 • Ensure investments are managed through their life cycle (using EVM for D /M /E investments and operational assessments for steady state investments) and through the GAO’s ITIM maturity framework. Thelma Ameyaw TEL2813

  16. Implementation Issues The agency must implement and monitor these investments. IT security decisions are made based on system security issues and federal budgeting timelines. • IT Security Organizational Processes • Project Management • Legacy Systems • Time lines Thelma Ameyaw TEL2813

  17. Summary Traditionally, information technology (IT) security and capital planning and investment control (CPIC) processes have been performed independently by security and capital planning practitioners. However, the Federal Information Security Management Act (FISMA) of 2002 and other existing federal regulations charge agencies with integrating the two activities. NIST recommends a seven-step framework for the process • Enterprise-level investments • System-level investments Thelma Ameyaw TEL2813

  18. Layers of Integration of Security into the CPIC Process Thelma Ameyaw TEL2813

  19. That’s it That’s it Thelma Ameyaw TEL2813

  20. Questions ???? Thelma Ameyaw TEL2813

More Related