1 / 10

Information Technology Security Assessment Framework

The Information Technology Security Assessment Framework aims to guide agencies in self-measurement of information systems security. It emphasizes foundational activities and supports evolving to more robust security. Leveraging established guidance from GAO, OMB, and NIST, the framework provides agencies with the opportunity to improve security levels progressively. From Incomplete at Level 1 to Pervasive at Level 5, agencies can measure, implement, and refine their security programs to enhance cost-effective and agile responses to threats.

vshires
Download Presentation

Information Technology Security Assessment Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Technology Security Assessment Framework John Gilligan Chief Information OfficerDepartment of Energy June 13, 2000 Security, Privacy, and Critical Infrastructure Committee

  2. Development of the Information Technology Security Assessment Framework • Recognized need to improve the security of Federal agencies’ information resources and IT systems • Although we have tools, guidelines, and standards for individual application systems, we lack an effective management level metric for security • The CIO Council is developing a measurement framework for determining the maturity of an agency’s IT security program

  3. Objectives of the Framework • Provide guidance to Agencies for self measurement of information systems security • Emphasize priority attention to “foundation” activities • Provide a guide for evolving to more robust and more effective security • Support immediate implementation

  4. Framework Description • Leverages established GAO, OMB, and NIST Guidance (GAO FISCAM, OMB A-130, NIST SP-800-14) • Provides immediate opportunity for agencies to work toward meeting lower levels while higher levels are being refined Level 5 - Pervasive Level 4 - Measured Measured Level 4 - Level 3 - Implemented Implemented Level 3 - Level 2 - Complete Level 1 - Incomplete

  5. Level 1 Incomplete Level 1 - Incomplete • Documented, but an incomplete security program encompassing most major agency components • Includes approved system security plans for most general support systems and major applications

  6. Level 2 – Complete • Well documented, complete security programs that meets all basic requirements of statutory and policy authorities • Encompasses allmajor agency components and includes system security plans for all general support systems and applications Level 2 Complete

  7. Level 3 Implemented Level 3 - Implemented • Is well defined and implemented security program with detailed implementation procedures covering level 2 capability • Has been fully promulgated across all elements of the organization • Encompasses all major agency components

  8. Level 4 Measured Level 4 - Measured • Is a measurable security program • Has the capability of comparing cost of security features to a resulting decrease in security vulnerabilities • Assumes the existence of metrics and a process to analyze the metrics so effectiveness can be evaluated

  9. Level 5 Pervasive Level 5 - Pervasive • Is a pervasive, continuously improving security program that applies the level 4 capabilities to increase security program cost-effectiveness • Is agile, able to respond quickly to changes in threat, system characteristics or organization mission

  10. Future of the Framework • More granularity of existing criteria and expansion and refinement of levels 4 and 5 • Determining effectiveness of processes • Measurement of cost-effectiveness • Development of security checklists to determine what cost-effective activities are being undertaken

More Related