Post on 04-Jan-2016
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Slide 1: Federal Government Perspectives on Secure Information Sharing
Technology Leadership Series
August 14, 2007
Dr. Ron Ross
Computer Security Division, Information Technology Laboratory
Slide 2: Current State of Affairs
• Continuing serious attacks on federal information systems; targeting key federal operations and assets.
• Adversaries are nation states, terrorist groups, hackers, criminals, disgruntled employees.
• Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
• Significant exfiltration of critical and sensitive information and implantation of malicious software.
Slide 3: Threats to Security
• Connectivity
• Complexity
Slide 4: Challenges for Agencies
• Large, complex information technology infrastructures; many information systems to manage.
• Dynamic operational environments with changing threats, vulnerabilities, and technologies.
• Obtaining adequate staffing with requisite information security skills and expertise.
Slide 5: Changing Models of Protection
• From risk avoidance to risk management.
• From information protection to information protection and information sharing.
• From confidentiality to confidentiality, integrity, and availability.
Slide 6: The Desired End State: Security Visibility Among Business/Mission Partners
The objective is to achieve visibility into prospective business/mission partners' information security programs BEFORE critical/sensitive communications begin…establishing levels of security due diligence and trust.
Organization One: Information System, with its System Security Plan, Security Assessment Report, and Plan of Action and Milestones. Determining the risk to the first organization's operations and assets and the acceptability of such risk.
Organization Two: Information System, with its System Security Plan, Security Assessment Report, and Plan of Action and Milestones. Determining the risk to the second organization's operations and assets and the acceptability of such risk.
(Diagram: business/mission information flows between the two organizations' information systems, and security information is exchanged between the two organizations.)
Slide 7: Information Security Imperatives for an Information Sharing Partnership
• The need to share depends on a need to trust.
• Trust cannot be conferred; it must be earned.
• Trust is earned by understanding the security state of your partner's information system.
• Understanding the security state of an information system depends on the evidence produced by organizations demonstrating the effective employment of safeguards and countermeasures.
• Trust but verify…
Slide 8: Information Security Paradigm Shift
From: Policy-based compliance
• Policy dictates discrete, pre-defined information security requirements and associated safeguards/countermeasures;
• Minimal flexibility in implementation; and
• Little emphasis on explicit acceptance of mission risk.
To: Risk-based mission protection
• Enterprise missions and business functions drive security requirements and associated safeguards/countermeasures;
• Highly flexible in implementation; and
• Focuses on acknowledgement and acceptance of mission risk.
Slide 9: FISMA Strategic Vision
• Building a solid foundation of information security across one of the largest information technology infrastructures in the world based on comprehensive security standards and guidelines.
• Institutionalizing a comprehensive Risk Management Framework that promotes flexible, cost-effective information security programs for federal agencies and contractors.
• Establishing a fundamental level of "information security due diligence" for federal agencies based on a common process to determine adequate protection for enterprise missions and business functions.
Slide 10: Risk Management Framework
The Risk Management Framework and the associated security standards and guidelines provide a process that is: disciplined, structured, flexible, extensible, and repeatable.
"Building information security into the infrastructure of the organization…so that critical enterprise missions and business functions will be protected."
Slide 11: Managing Enterprise Risk
Key activities in managing enterprise-level risk (risk to the enterprise and to other organizations resulting from the operation of an information system):
• Categorize the information system (criticality/sensitivity)
• Select and tailor baseline (minimum) security controls
• Supplement the security controls based on risk assessment
• Document security controls in system security plan
• Implement the security controls in the information system
• Assess the security controls for effectiveness
• Authorize information system operation based on mission risk
• Monitor security controls on a continuous basis
Slide 12: Risk Management Framework (process diagram)
Starting Point:
• CATEGORIZE Information System (FIPS 199 / SP 800-60): Define criticality/sensitivity of information system according to potential impact of loss.
• SELECT Security Controls (FIPS 200 / SP 800-53): Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate.
• SUPPLEMENT Security Controls (SP 800-53 / SP 800-30): Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence.
• DOCUMENT Security Controls (SP 800-18): Document in the security plan the security requirements for the information system and the security controls planned or in place.
• IMPLEMENT Security Controls (SP 800-70): Implement security controls; apply security configuration settings.
• ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements).
• AUTHORIZE Information System (SP 800-37): Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation.
• MONITOR Security Controls (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
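The CATEGORIZE and SELECT steps on slides 11 and 12 are mechanical enough to show in code. The example below is added to this transcript and is not NIST code: it applies the FIPS 199 rule that a system's impact value for each security objective is the highest value among the information types it carries, then the FIPS 200 high-water mark that picks the overall impact level used to choose a baseline. The information types, their impact values, and the allocation of control identifiers to the three baselines are constructed for illustration; the real allocations are in SP 800-53 and SP 800-60, not here.

```python
"""FIPS 199 security categorization and FIPS 200 high-water-mark
baseline selection (the CATEGORIZE and SELECT steps of the RMF).

Added example for this transcript, not NIST code. Information types,
impact values and baseline allocations below are constructed.
"""
from dataclasses import dataclass

# FIPS 199 potential-impact levels, ordered so max() yields the high-water mark.
IMPACT_ORDER = {"LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)}."""
    confidentiality: str
    integrity: str
    availability: str

    def as_dict(self):
        return {objective: getattr(self, objective) for objective in OBJECTIVES}

    def __str__(self):
        return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (self.confidentiality, self.integrity, self.availability))


def _check(level):
    """Reject anything that is not one of the three FIPS 199 levels."""
    if level not in IMPACT_ORDER:
        raise ValueError("impact level must be LOW, MODERATE or HIGH: %r" % (level,))
    return level


def categorize_system(information_types):
    """FIPS 199 categorization of a system.

    `information_types` maps an information-type name to that type's own
    SecurityCategory. For each objective the system takes the highest
    value found across all information types resident on it.
    """
    if not information_types:
        raise ValueError("a system must carry at least one information type")
    levels = {}
    for objective in OBJECTIVES:
        levels[objective] = max(
            (_check(sc.as_dict()[objective]) for sc in information_types.values()),
            key=IMPACT_ORDER.__getitem__,
        )
    return SecurityCategory(**levels)


def system_impact_level(category):
    """FIPS 200 high-water mark: the system's overall impact level is the
    highest of its three objective values; it decides which baseline applies."""
    return max(category.as_dict().values(), key=IMPACT_ORDER.__getitem__)


def select_baseline(category, baselines):
    """SELECT step: return the minimum control set for the system's impact level.
    `baselines` maps impact level -> list of control identifiers."""
    return list(baselines[system_impact_level(category)])


# Constructed sample input: two information types on one system.
SAMPLE_INFORMATION_TYPES = {
    "public web content": SecurityCategory("LOW", "MODERATE", "LOW"),
    "benefit payment records": SecurityCategory("MODERATE", "MODERATE", "LOW"),
}

# Constructed placeholder allocation of controls to baselines. The identifiers
# follow the SP 800-53 naming style, but which baseline each control really
# belongs to must be read from SP 800-53 itself, not from this table.
SAMPLE_BASELINES = {
    "LOW": ["AC-1", "AC-2", "AU-2", "IA-2"],
    "MODERATE": ["AC-1", "AC-2", "AC-6", "AU-2", "AU-6", "IA-2"],
    "HIGH": ["AC-1", "AC-2", "AC-6", "AU-2", "AU-6", "AU-10", "IA-2"],
}

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFORMATION_TYPES)
    print(sc)
    print("system impact level:", system_impact_level(sc))
    print("baseline:", ", ".join(select_baseline(sc, SAMPLE_BASELINES)))
```

The point the code makes explicit is that a single HIGH value for one objective on one information type raises the whole system to the high baseline, which is why categorization is done per information type before the high-water mark is taken rather than by guessing a system-wide level. The SUPPLEMENT step (risk-assessment-driven additions to the tailored baseline) is deliberately not modelled, since it is a judgement, not a lookup.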
Slide 13: Information Security Program
Adversaries attack the weakest link…where is yours?
Links in the Security Chain: Management, Operational, and Technical Controls
Management and operational controls:
• Risk assessment
• Security planning
• Security policies and procedures
• Contingency planning
• Incident response planning
• Security awareness and training
• Security in acquisitions
• Physical security
• Personnel security
• Security assessments
• Certification and accreditation
Technical controls:
• Access control mechanisms
• Identification & authentication mechanisms (biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Boundary and network protection devices (firewalls, guards, routers, gateways)
• Intrusion protection/detection systems
• Security configuration settings
• Anti-viral, anti-spyware, anti-spam software
• Smart cards
Slide 14: The Common Foundation for Managing Enterprise Risk
The Generalized Model: common information security requirements shared by all, plus unique information security requirements (the "delta") for each community: the Intelligence Community, the Department of Defense, and Federal Civil Agencies, covering national security and non-national security information systems.
Foundational Set of Information Security Standards and Guidance:
• Standardized risk management framework
• Standardized security categorization (criticality/sensitivity)
• Standardized security controls and control enhancements
• Standardized security control assessment procedures
Slide 15: Enterprise-wide Strategy
• Facilitates enterprise-wide, mission-oriented decisions on risk mitigation activities based on organizational priorities;
• Provides global view of systemic weaknesses and deficiencies occurring in information systems across the organization;
• Promotes the development of enterprise-wide solutions to information security problems; and
• Increases knowledge base for system owners regarding threats, vulnerabilities, and strategies for more cost-effective solutions to common problems.
Slide 16: Defense-in-Breadth Strategy
• Diversify information technology assets.
• Reduce the information technology target size.
• Consider vulnerabilities of new information technologies before deployment.
• Apply a balanced set of management, operational, and technical security controls in a defense-in-depth approach.
Slide 17: Key Standards and Guidelines
• FIPS Publication 199 (Security Categorization)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-18 (Security Planning)
• NIST Special Publication 800-30 (Risk Management)
• NIST Special Publication 800-37 (Certification & Accreditation)
• NIST Special Publication 800-53 (Recommended Security Controls)
• NIST Special Publication 800-53A (Security Control Assessment)
• NIST Special Publication 800-59 (National Security Systems)
• NIST Special Publication 800-60 (Security Category Mapping)
Many other FIPS and NIST Special Publications provide security standards and guidance supporting the FISMA legislation…
Slide 18: Contact Information
100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930
Project Leader: Dr. Ron Ross, (301) 975-5390, ron.ross@nist.gov
Administrative Support: Peggy Himes, (301) 975-2489, peggy.himes@nist.gov
Senior Information Security Researchers and Technical Support:
• Marianne Swanson, (301) 975-3293, marianne.swanson@nist.gov
• Dr. Stu Katzke, (301) 975-4768, skatzke@nist.gov
• Pat Toth, (301) 975-5140, patricia.toth@nist.gov
• Arnold Johnson, (301) 975-3247, arnold.johnson@nist.gov
• Matt Scholl, (301) 975-2941, matthew.scholl@nist.gov
Information and Feedback: Web: csrc.nist.gov/sec-cert; Comments: sec-cert@nist.gov