experience the commitment™

NIST Guidance on Security and Business Continuity Planning in the SDLC
11th Annual New York State Cyber Security Conference
June 2008
© CGI GROUP INC. All rights reserved

James Hewitt, CISSP, [email protected]
Mark Spreitzer, [email protected]
2
Confidential
Presentation Outline
• Review the NIST SDLC & Security Resources
• SDLC Policy & Architecture
• 5-Phase Breakdown
• Overlaps & Iterations
NIST & Special Publications
• NIST = National Institute of Standards and Technology
  • Technology standards and guidelines
• ITL = Information Technology Laboratory
  • Technical leadership for measurement and standards
  • Publishes Special Publications (SP)
    • tests, test methods, reference data, proof of concept implementations, and technical analyses
    • developed in collaboration with industry, government, and academic organizations
• Special Publication 800 series focused on Computer Security
  • Guidance and support on Security and Business Continuity
  • SP 800-64, Security Considerations in the System Development Lifecycle
  • NIST SDLC Brochure, August 2004, Information Security in the SDLC
  • http://csrc.nist.gov/SDLCinfosec
Walkthrough of NIST SP 800-64
• Security integration with the SDLC
  • Guides agencies in integrating security activities into system development life-cycles (SDLC)
  • Defines the information security components of the SDLC
  • Key security roles and responsibilities
  • Translates security activities into IT projects and initiatives that don't have an SDLC
NIST’s Security in the SDLC
SDLC Policy & Architecture
• Integrate at the enterprise level
  • Include security activities in SDLC policy
  • Include risk management
  • Implement early in every project
• NIST SP 800-53 on security controls
• NIST SP 800-39 on enterprise-level risk management
• Concentrate on business requirements & security requirements
Benefits of Integrating Security into the SDLC
• Early identification and mitigation of vulnerabilities and misconfigurations
• Lower cost of control implementation and vulnerability mitigation
• Identification of shared security services
• Reuse of strategies and tools to reduce cost and schedule
• Improvement of security through proven methods and techniques
• Informed decision making through comprehensive risk management
• Documenting security decisions made during development
• Improved organization and customer confidence to facilitate adoption and usage
• Improved systems interoperability and integration that would otherwise be hampered by securing systems at various system levels
Security in the Project Lifecycle
SDLC Phase Structure
• Phase 1: Initiation
• Phase 2: Development / Acquisition
• Phase 3: Implementation / Assessment
• Phase 4: Operations / Maintenance
• Phase 5: Sunset (Disposition)
Phase 1: Initiation
• Key tasks:
  • Business partner engagement
  • Document enterprise architecture
  • Identify / specify applicable policies and laws
  • Develop confidentiality, integrity and availability objectives
  • Information and information system security categorization (repeat 4 & 5)
  • Procurement specification development
  • Preliminary risk assessment
Phase 1: Initiation
• Inputs to Security Planning:
  • Decision to initiate system
• Outputs from Security Planning:
  • Security expectations
  • Schedule of security activities & decisions
• Categorize system outputs:
  • Security category
  • High-level security requirements
  • Level of effort
• …act as inputs to:
  • Business Impact Analysis (BIA), Disaster Recovery, Contingency Planning, Continuity of Operations Planning decisions
  • Use results of BIA to develop requirements for business partner SLAs
Phase 1: Initiation
• Control gates:
  • Categorization and impact levels
    • See SP 800-53 on minimal security controls
    • See SP 800-60, companion to FIPS-199
  • Architecture alignment, standards
  • Initial design review against requirements
  • Risk management review
  • Financial review, balancing cost with risk management
• Major tasks:
  • Identify security roles, stakeholders, milestones
  • Apply to one system or multiple systems
Phase 1: Initiation
Relating security considerations
Phase 2: Acquisition / Development
1. Risk assessment
2. Select initial baseline of security controls
3. Refinement – security control baseline
4. Security control design
5. Cost analysis & reporting (repeat with 1. risk assessment)
6. Security planning
7. Unit / integration security testing & evaluation
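The Phase 1 control gate "Categorization and impact levels" (FIPS 199 with SP 800-60) and Phase 2 step 2 "Select initial baseline of security controls" are two ends of one calculation: the security category of each information type rolls up to a system category by the high-water mark, and the system's overall impact level picks the SP 800-53 baseline. The following Python is an added worked example of that roll-up, not code from the presentation, CGI or NIST. The high-water-mark rule and the "not applicable only for confidentiality of an information type, never for a system" rule are FIPS 199's; the information types, their impact values and all function names (`categorize_system`, `select_baseline`, and so on) are constructed for this example.

```python
"""FIPS 199 security categorization and SP 800-53 baseline selection.

Added example; not code from the presentation, CGI or NIST. The high-water-mark
rule is FIPS 199's. The information types, impact values and function names are
constructed for illustration.
"""
from typing import Dict, Optional

# Ordered impact levels. FIPS 199 additionally allows "not applicable" for the
# confidentiality of an information type (e.g. public data); modelled here as None.
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

InfoType = Dict[str, Optional[str]]  # objective -> "LOW" | "MODERATE" | "HIGH" | None

# Constructed sample: information types resident on one hypothetical system.
SAMPLE_INFO_TYPES: Dict[str, InfoType] = {
    "public web content":   {"confidentiality": None,       "integrity": "LOW",      "availability": "LOW"},
    "customer PII":         {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "payment transactions": {"confidentiality": "MODERATE", "integrity": "HIGH",     "availability": "MODERATE"},
}


def validate_info_type(name: str, info_type: InfoType) -> None:
    """Reject values FIPS 199 does not permit for an information type."""
    for objective in OBJECTIVES:
        value = info_type.get(objective, "missing")
        if value is None:
            # N/A is only meaningful for confidentiality; integrity and
            # availability always have an impact level.
            if objective != "confidentiality":
                raise ValueError(f"{name}: only confidentiality may be 'not applicable'")
            continue
        if value not in LEVELS:
            raise ValueError(f"{name}: {objective} impact {value!r} is not LOW/MODERATE/HIGH")


def categorize_system(info_types: Dict[str, InfoType]) -> Dict[str, str]:
    """System security category: per-objective high-water mark over all information types.

    A system can never be 'not applicable' for any objective, so the floor is LOW
    even when every resident information type is N/A for confidentiality.
    """
    category = {}
    for objective in OBJECTIVES:
        high_water = LEVELS["LOW"]
        for name, info_type in info_types.items():
            validate_info_type(name, info_type)
            value = info_type[objective]
            if value is not None:
                high_water = max(high_water, LEVELS[value])
        category[objective] = next(k for k, v in LEVELS.items() if v == high_water)
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """High-water mark across the three objectives; this is what selects the baseline."""
    return max(category.values(), key=LEVELS.__getitem__)


def select_baseline(info_types: Dict[str, InfoType]) -> str:
    """Phase 2 step 2: the initial control baseline follows the overall impact level."""
    return f"SP 800-53 {overall_impact(categorize_system(info_types))} baseline"


def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    cat = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(cat))      # SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}
    print(select_baseline(SAMPLE_INFO_TYPES))  # SP 800-53 HIGH baseline
```

Note that one HIGH integrity rating on a single information type lifts the whole system to the HIGH baseline, which is exactly why the deck has Phase 2 step 3 (refinement of the baseline) and a cost analysis feeding back into the risk assessment: the categorization is recorded per objective so that tailoring decisions later in Phase 2 can be argued against the specific objective that drove the level, rather than against an undifferentiated "HIGH".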
Phase 2: Acquisition / Development
• Control gates:
  • Architecture / design review
    • e.g. evaluate design for disaster recovery
  • Performance, functional reviews
  • Financial review, review cost-benefit ratios
  • Re-visit risk management decisions
• Major tasks:
  • Assess risks & security categorization vs security controls
  • Re-visit business impact analysis
  • Create baseline security requirements, security architecture and security controls
    • Include common controls
  • Start to build and integrate controls
  • Start writing security tests
  • Review additional functionality in terms of added risk
Phase 2: Acquisition / Development
Relating security considerations
Phase 3: Implementation / Assessment
1. Product / component inspection & acceptance
2. Security control integration
3. User / administrative guidance
4. System security test & evaluation plan (repeat #3)
5. System certification (repeat #2 & #3)
6. Statement of residual risk
7. Security accreditation
Phase 3: Implementation / Assessment
• Control Gates:
  • Reviews for test readiness, deployment readiness, deployment approval, certification & accreditation
  • Final financial review: where did the money and effort go?
• Major Tasks:
  • Integrate with existing environment controls
  • Test controls
  • Set priorities for continuous monitoring
  • Define final, deployable state, and certify it
Phase 3: Implementation / Assessment
Relating security considerations
Phase 4: Operations / Maintenance
1. Configuration management, change control and auditing
2. Continuous monitoring
3. Recertification (repeat #1)
4. Reaccreditation
5. Incident handling (repeat #1)
6. Auditing (repeat #2)
7. Intrusion detection and monitoring
8. Contingency plan testing (including continuity of operations plan)
Phase 4: Operations / Maintenance
• Control Gates:
  • Operational readiness review
  • Change control board, procedures
  • Decision to accredit
• Major Tasks:
  • Review operational readiness, before and after a major change
  • Manage security configuration control
  • Other configuration management, with an eye to effect on system security
  • Monitor security controls
  • Periodic re-certification
Phase 4: Operations / Maintenance
Relating security considerations
Phase 5: Sunset (Disposition)
1. Transition planning
   a. Migration to new system
2. Component disposal
3. Media sanitization
   a. NIST SP 800-88, Guidelines for Media Sanitization
4. Information archiving (repeat #1)
   a. Ensure information preservation
Phase 5: Sunset (Disposition)
Relating security considerations
Phase Overlaps & Task Iterations
• Phase 2: Development / Acquisition
  • Cost analysis & reporting
  • Security planning
• Phase 1: Initiation
  • Business partner engagement
Phase Overlaps & Task Iterations
• Phase 3: Implementation / Assessment
  • Security control integration
• Phase 2: Acquisition / Development
  • Security control design
Phase Overlaps & Task Iterations
• Phase 4: Operations / Maintenance
  • Monitoring
  • Recertification
• Phase 1: Initiation
  • Develop confidentiality, integrity and availability objectives
Additional Considerations
• Supply Chain and Software Assurance
• Service Oriented Architecture
• Specific Accreditation of Security Modules for Reuse
• Cross-Organizational Solutions
• Technology Advancement & Major Migrations
• Data Center or IT Facility development
• Virtualization
Mark Spreitzer, CBCP
Executive Consultant
Enterprise Security Practice
7 Hanover Square, 7th Floor
New York, NY 10004
Tel: (212) 612-3611  Mobile: (917) 304-1966  [email protected]

James Hewitt, CISSP, PMP
Senior Consultant
Enterprise Security Practice
12 Corporate Woods Blvd.
Albany, NY 12211
Tel: (617) [email protected]
Questions?
Our commitment to you: We approach every engagement with one objective in mind: to help clients win and grow.