Building A Modern Security Policy For Social Media and Government

Date post: 17-May-2015
Upload: michael-smith
Description: In this presentation, we discuss the considerations for an effective social media policy in Government.

Transcript
Page 1: Building A Modern Security Policy For Social Media and Government

http://www.potomacforum.org/

Page 2: Who is Michael Smith?
• 8 years active duty army
• Graduate of Russian basic course, Defense Language Institute, Monterey, CA
• DotCom survivor
• Infantryman, deployed to Afghanistan (2004)
• CISSP #50247 (2003), ISSEP (2005)
• Former CISO, Unisys Federal Service Delivery Center
• Currently a Manager in a Big Four Firm

Page 3: Who is Dan Philpott?
• Lifelong technologist focused on FISMA, cybersecurity, risk management, cloud computing, and social media
• CISSP (2007), CAP (2007)
• Federal Information Security Architect for Tantus Technology
• Founder of FISMApedia.org and FISMA arts

Page 4: Goals
• Understand the tradeoff between Security, Transparency, and Engagement
• Provide an understanding of the frameworks social media policy must inhabit
• Describe models of social media policy
• Detail security goals and controls social media policy should address or include

Page 5: A Quick Poll
• Are you using service provider hosting?
• Are you using Government-owned hosting?
• Do you not know how/where you’re being hosted?
• Have you ever ignored the IT Security Staff because they just “get in the way”?

Page 6: Not a Real CISO But It Could Be

“I’ve spent my entire 30-year career keeping information from getting into the public domain and keeping your desktop safe from all the malware on social media sites. Now you want to take everything and put it there intentionally?”

The problem for social media practitioners is based on the nature of our security culture.

Page 7: NIST Risk Management Framework

Figure (reconstructed from the slide): the six steps of the Risk Management Framework and the inputs that feed it.

• Step 1: CATEGORIZE Information System
• Step 2: SELECT Security Controls
• Step 3: IMPLEMENT Security Controls
• Step 4: ASSESS Security Controls
• Step 5: AUTHORIZE Information System
• Step 6: MONITOR Security Controls

Organizational Inputs: Laws, Directives, Policy, Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations

Architectural Description: Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries

Page 8: Defining the Problem Space: SDLC

Initiation to O&M is a minimum of 120 days, with 6 months being typical. How does this fit into your plans for social media?

Figure (reconstructed from the slide): the SDLC phases, the activities in each phase, and the security considerations that attach to each phase.

• Initiation (Needs Determination)
  – SDLC activities: Perception of a need; Linkage to mission and performance objectives; Assessment of alternatives to capital assets; Preparing for investment review and budgeting
  – Security considerations: Security Categorization; Preliminary Risk Assessment
• Acquisition/Development
  – SDLC activities: Functional Statement of Need; Market Research; Feasibility Study; Requirements Analysis; Alternatives Analysis; Cost Benefit Analysis; Software Conversion Study; Cost Analysis; Risk Management Plan; Acquisition Planning
  – Security considerations: Risk Assessment; Security Functional Requirements Analysis; Security Assurance Requirements Analysis; Cost Considerations and Reporting; Security Control Development; Developmental ST&E; Other Planning
• Implementation
  – SDLC activities: Installation; Inspection; Acceptance Testing; Initial User Training; Documentation
  – Security considerations: Inspection and Acceptance; System Integration; Security Authorization
• Operations/Maintenance
  – SDLC activities: Performance Measurement; Contract Modification; Operations; Maintenance
  – Security considerations: Configuration Management and Control; Continuous Monitoring
• Disposition
  – SDLC activities: Appropriateness of Disposal; Exchange and Sale; Internal Organization Screening; Transfer and Donation; Contract Closeout
  – Security considerations: Information Preservation; Media Sanitization; Hardware and Software Disposal

Page 9: Understanding Your Objectives
• Tone: Official vs. comfortable
• Hosting: CO-CO vs. GO-GO (contractor-owned and -operated vs. government-owned and -operated)
• Security: Enabler vs. Roadblock
• Simplicity: Engagement vs. “Shiny Objects”
• Be willing to negotiate with the security staff

Page 10: Four-Quadrant Government Social Software Framework¹

Figure (reconstructed from the slide): a two-by-two grid. One axis is Sharing Direction (Inward / Inbound versus Outward / Outbound); the other is Interaction Level (Individual versus Group). Internal uses, where more guidance exists, sit opposite External uses, where less guidance exists.

¹ Social Software and National Security: An Initial Net Assessment, M. Drapeau and L. Wells, via Federal CIO Council Guidelines for the Use of Social Media

Page 11: Threat Landscape
• Government to Government:
  – Internal social media services within or between agencies
• Government (internally hosted) to Public:
  – Social media services on government sites
• Government (externally hosted) to Public:
  – External social media services used by the government
• Government users in public:
  – Social media services used by government users

Page 12: Getting to a Good SocMed Policy
• Engage early, engage often
• Policy should focus on risk, not technology
  – Social media technology changes constantly
  – The data protection requirement is constant
  – Consider the business case
  – Consider the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation
  – Make risk-based decisions

Page 13: Primary Resources
• CIO Council
  – Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0
  – http://www.cio.gov/library/library_category2.cfm?structure=Information%20Technology&category=IT%20Security%20/%20Privacy
• GSA
  – Terms of Service Agreements with New Media Providers
  – http://www.usa.gov/webcontent/resources/tools/TOSagreements.shtml
• NARA
  – Records Management Policy and Guidance
  – http://archives.gov/records-mgmt/policy/

Page 14: Primary Resources - FISMA
• NIST SP 800-37 Rev. 1
  – DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP 800-39
  – DRAFT Managing Risk from Information Systems: An Organizational Perspective
• SP 800-53 Rev. 3
  – Recommended Security Controls for Federal Information Systems and Organizations

http://csrc.nist.gov/publications/PubsSPs.html

Page 15: Related Requirements
• Communications Policy
• 508 Compliance Policy
• Federal Records Management Policy

Page 16: Risk Management Hierarchy

Figure (reconstructed from the slide): the NIST SP 800-39 risk management hierarchy, showing the Tier 1 elements.
• TIER 1: Organization
• TIER 2: Mission / Business Process
• TIER 3: Information System

Tier 1 (Organization): Risk Management Strategy; Risk Executive Function (Oversight and Governance); Risk Assessment Methodologies; Risk Mitigation Approaches; Risk Tolerance; Risk Monitoring Approaches; Linkage to ISO/IEC 27001

Page 17: Risk Management Hierarchy

Figure (reconstructed from the slide): the NIST SP 800-39 risk management hierarchy, showing the Tier 2 elements.
• TIER 1: Organization
• TIER 2: Mission / Business Process
• TIER 3: Information System

Tier 2 (Mission / Business Process): Mission / Business Processes; Information Flows; Information Categorization; Information Protection Strategy; Information Security Requirements; Linkage to Enterprise Architecture

Page 18: Risk Management Hierarchy

Figure (reconstructed from the slide): the same hierarchy, showing the Tier 3 elements, which NIST SP 800-37 (Risk Management Framework) covers.
• TIER 1: Organization
• TIER 2: Mission / Business Process
• TIER 3: Information System

Tier 3 (Information System): Linkage to SDLC; Information System Categorization; Selection of Security Controls; Security Control Allocation and Implementation; Security Control Assessment; Risk Acceptance; Continuous Monitoring

Page 19: Policy Controls
• Social Media Communications Strategy
• Acceptable Use Policies (AUP)
• Content Filtering and Monitoring
• Privacy and Security Support
• Integration with NIST SP 800-39 and NIST SP 800-37 Risk Management

Page 20: Policy Controls – NIST Guidance
• AC-20 Use of External Information Systems
• AC-22 Publicly Accessible Content
• IA-2 Identification and Authentication (Organizational Users)
• IA-5 Authenticator Management
• IA-7 Cryptographic Module Authentication
• IA-8 Identification and Authentication (Non-Organizational Users)

Page 21: Policy Controls – NIST Guidance
• IR-5 Incident Monitoring
• IR-6 Incident Reporting
• IR-7 Incident Response Assistance
• IR-8 Incident Response Plan
• PL-4 Rules of Behavior
• PL-5 Privacy Impact Assessment
• RA-1 Risk Assessment Policy and Procedures
• SI-12 Information Output Handling and Retention

Page 22: Acquisition Controls
• Strong authentication
• Social media services’ security practices
• Comment moderation and monitoring of social media
• Ensure federal security requirements are met by using dedicated resources from vendors
• Modify users’ public profiles from .gov or .mil email addresses to provide stronger security

Page 23: Acquisition Controls
• Partner with social media services to:
  – Provide traceability to federal employee accounts
  – Improve communications between providers and Security Operations Centers (SOC)
  – Allow independent monitoring of social media service providers
• Encourage use of validated and signed code
• Ensure the social media provider maintains appropriate configuration, patch and technology refresh levels

Page 24: Acquisition Controls
• Ensure an independent risk assessment
• Records management in accordance with NARA record schedules, FOIA requests and e-discovery litigation holds
• Ensure hosted federal content is accessible at any time and stored in editable and non-proprietary formats

Page 25: Acquisition Controls – NIST Guidance
• SA-1 System and Services Acquisition Policy and Procedures
• SA-2 Allocation of Resources
• SA-3 Life Cycle Support
• SA-4 Acquisitions
• SA-5 Information System Documentation
• SA-9 External Information System Services

Page 26: Acquisition Controls – GSA Guidance
• Terms of Service Agreements
  – Social media services’ standard Terms of Service (TOS) Agreements present legal problems
  – Many services are free, making it hard to encourage services to negotiate a new TOS
  – On behalf of the government, GSA has negotiated new TOS for many social media services

http://www.usa.gov/webcontent/resources/tools/TOSagreements.shtml

Page 27: Training Controls
• Provide awareness, guidance and training on:
  – Information that can be shared, cannot be shared, and with whom it can be shared
  – Social media policies and guidelines, including the AUP
  – Blurring of personal and professional life, as appropriate
  – Operations Security (OPSEC) and the risks of social media
  – Federal employees’ self-identification on social media sites, depending on roles

Page 28: Training Controls
• Provide awareness, guidance and training on:
  – Privacy Act requirements and restrictions
  – Specific social media threats, before granting access to social media sites
  – Possible negative outcomes of information leakage, social media misuse and password reuse
  – Possible impact on security clearance

Page 29: Training Controls – NIST Guidance
• AT-2 Security Awareness:
  – Add social media usage related awareness training
• AT-3 Security Training:
  – Create specific role-based training for those with social media responsibility
• AT-5 Contacts with Security Groups and Associations:
  – Establish contacts with security groups addressing web application and social media security

Page 30: Host Controls
• Require use of a hardened Common Operating Environment (COE):
  – Federal Desktop Core Configuration (FDCC)
  – Security Content Automation Protocol (SCAP)
• Encourage use of strong authentication for greater assurance of a user’s identity:
  – Two-factor authentication (e.g., HSPD-12 & PIN)

Page 31: Host Controls
• Ensure strong change management, patch management, configuration management:
  – Includes applications and operating systems
  – Enforces strong logging
  – Reports to the SOC
• Desktop virtualization technologies:
  – Allow safer viewing of potentially malicious websites
  – A virtual sandbox protects the base operating system

Page 32: Host Controls
• Browser versioning:
  – Ensure use of the latest browsers, which include additional security measures
• Encourage use of signed code or whitelisting:
  – Provides a higher level of assurance that software comes from an approved vendor or is approved software

Page 33: Host Controls – NIST Guidance
• Audit and Accountability (AU) family of controls, as applicable
• AC-1 Access Control Policy and Procedures
• AC-7 System Use Notification
• CM-1 Configuration Management Policy and Procedures
• CM-2 Baseline Configuration
• CM-6 Configuration Settings
• CM-7 Least Functionality

Page 34: Host Controls – NIST Guidance
• SA-7 User-Installed Software
• SI-1 System and Information Integrity Policy and Procedures
• SI-2 Flaw Remediation
• SI-3 Malicious Code Protection
• SI-5 Security Alerts, Advisories, and Directives

Page 35: Network Controls
• Federal Trusted Internet Connection (TIC) program protections:
  – Reduced number of internet connections
  – Einstein traffic inspection
• Security Operations Center (SOC) and Network Operations Center (NOC):
  – Visibility and centralized control for incident response and risk reduction
• These should all be provided to you as “infrastructure”

Page 36: Network Controls
• Web content filtering:
  – Beyond Einstein protections
  – Granular control of web applications, data and protocols
• Trust zones dependent on security assurance requirements
• DNSSEC to better ensure website name resolution integrity

Page 37: Network Controls
• Focus on data-centric protection
• URL shortening:
  – http://go.usa.gov/
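Two of the controls in this deck lend themselves to a mechanical pre-publication check: content filtering and monitoring of what government accounts post (Page 12, Page 19 and the training slides on information leakage and Privacy Act restrictions), and routing short links through the government shortener go.usa.gov (Page 37) rather than a commercial one whose destination the reader cannot see. The Python script below is an added example, not code from the slides or from the Potomac Forum; the approved-shortener list, the list of other shortener hosts, the PII and marking patterns, and the sample draft posts are all constructed assumptions that an agency would replace with its own.

```python
"""Pre-publication check for draft government social media posts.

Added example, not code from the slides: flags (1) short links that go
through a shortener other than the approved one (the slides name go.usa.gov),
and (2) PII or handling-marking patterns that Privacy Act / OPSEC training
says must not be shared. All lists, patterns and sample posts are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: only the government shortener is approved; the other shortener
# hosts are constructed examples of the kind of link the check should flag.
APPROVED_SHORTENERS = {"go.usa.gov"}
KNOWN_SHORTENERS = {"go.usa.gov", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}

# Constructed, deliberately conservative patterns; a real deployment would tune
# them to the agency's own data categories and accept some false positives,
# since every hit only routes the draft to a human reviewer.
PII_PATTERNS = {
    # US Social Security Number layout: 3-2-4 digits with hyphens.
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    # North American phone number, with or without area-code parentheses.
    "phone": re.compile(r"(?<!\d)(?:\+1[ -]?)?(?:\(\d{3}\)|\d{3})[ -]?\d{3}-\d{4}(?!\d)"),
    # Upper-case handling markings that should never appear in a public post.
    "marking": re.compile(r"\b(?:FOUO|FOR OFFICIAL USE ONLY|SECRET|CONFIDENTIAL)\b"),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass(frozen=True)
class Finding:
    kind: str    # "unapproved_shortener", "ssn", "phone" or "marking"
    value: str   # the offending text as it appears in the draft


def find_links(text):
    """Return the http(s) URLs in a draft, with trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def check_links(text):
    """Flag links that go through a known shortener other than an approved one.

    A shortener hides the destination from the reader, so policy allows only
    the government-run service whose targets are known to be .gov/.mil."""
    findings = []
    for url in find_links(text):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_SHORTENERS and host not in APPROVED_SHORTENERS:
            findings.append(Finding("unapproved_shortener", url))
    return findings


def check_pii(text):
    """Flag every match of the PII / marking patterns in the draft."""
    return [Finding(kind, m.group(0))
            for kind, pat in PII_PATTERNS.items()
            for m in pat.finditer(text)]


def review_post(text):
    """Return (approved, findings); a draft is approved only with no findings."""
    findings = check_links(text) + check_pii(text)
    return (not findings, findings)


# Constructed sample drafts (placeholder link paths and 555 numbers).
SAMPLE_POSTS = [
    "New guidance is live: http://go.usa.gov/xyz12 #transparency",
    "Read the memo at http://bit.ly/3abc (FOUO) or call (202) 555-0100.",
    "Applicant 123-45-6789 approved today.",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        approved, findings = review_post(post)
        status = "APPROVED" if approved else "HOLD FOR REVIEW"
        print(f"{status}: {post}")
        for f in findings:
            print(f"    {f.kind}: {f.value}")
```

Run as a script, the first draft is approved (the only link goes through go.usa.gov and no pattern matches), the second is held with three findings (a bit.ly link, a FOUO marking and a phone number), and the third is held for the SSN-shaped number. The check is intentionally a gate for human review rather than an automatic block: the false-positive cost is a reviewer's minute, while the false-negative cost is the information leakage the training slides warn about.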

Page 38: Network Controls – NIST Guidance
• SC-1 System and Communications Protection Policy and Procedures
• SC-7 Boundary Protection
• SC-13 Use of Cryptography
• SC-14 Public Access Protections
• SC-15 Collaborative Computing Devices
• SC-20 Secure Name/Address Resolution Service (Authoritative Source)

Page 39: Questions, Comments, or War Stories?

http://www.potomacforum.org/

Michael Smith: rybolov(a)ryzhe.ath.cx, http://www.guerilla-ciso.com/
Dan Philpott: danphilpott(a)gmail.com, http://www.fismapedia.org/