FISMA Charisma: Keeping Compliance in Control (236679777)

Date post: 03-Jun-2018
Upload: educause
Page 1: FISMA Charisma: Keeping Compliance in Control (236679777)

8/11/2019 FISMA Charisma: Keeping Compliance in Control (236679777)

http://slidepdf.com/reader/full/fisma-charisma-keeping-compliance-in-control-236679777 1/39

May 7, 2014

Mark F. Herron

Thomas Siu

FISMA Charisma

Case Western Reserve University

Page 2: FISMA Charisma: Keeping Compliance in Control (236679777)


CWRU At a Glance

• Research University with 8 schools including a Medical School
• Student Population (Projected Fall, 2014)
 – Undergraduate: 4,730
 – Graduate and Professional: 5,600
 – Total (headcount, all programs): 10,330
• Faculty and Staff (Fall, 2013)
 – Faculty (full-time): 1,406
 – Staff (full-time and part-time): 3,097
• Information Technology Services
 – Staff: 120
• Fiscal Year: July - June

Page 3: FISMA Charisma: Keeping Compliance in Control (236679777)


Agenda (“Learning Objectives”)

• What is FISMA (a “quick” overview)
• Why do FISMA (including examples)
• The NCS story (A New Hope…)
 – An example of how FISMA was done
• How to do FISMA in Higher Ed
• ---------------------
• On Risk & Institutional Tolerance
• Take-Home Points

Page 4: FISMA Charisma: Keeping Compliance in Control (236679777)


About the Presenters*

• Mark Herron, M.A., CISSP, CIPP/US
 Information Assurance Analyst, ITS, CWRU
 Specializing in FISMA/HIPAA/PCI and Incident Response
• Thomas Siu
 Chief Information Security Officer, ITS, CWRU
 Head of Information Security Dept. (Tom + 3 FTEs)

*Quotes, Pics from Wookiepedia: http://starwars.wikia.com

Page 5: FISMA Charisma: Keeping Compliance in Control (236679777)


Page 6: FISMA Charisma: Keeping Compliance in Control (236679777)


FISMA (2002) - 44 U.S.C. § 3541

• Federal Information Security Management Act
 – Applies to Agencies and Offices of the Federal Government, plus Federal Contractors (think defense)
   Contracts!
• Grants? (They’re becoming contract-like)
 – Anyone who agrees to requirements to do it
   • Upon dispersal of funds…
 – It’s a good framework, but detailed too
   • like ISO 27001/17799, etc.

Page 7: FISMA Charisma: Keeping Compliance in Control (236679777)


3 Major Control Areas (Like HIPAA)

• Management Controls focus on the management of IT systems, people/users, and the management of risk for systems. They consist of techniques and concerns that are normally addressed by management (and they include the PM bits). (Administrative)
• Operational Controls address security methods and mechanisms that are primarily implemented and executed to improve the security of a group, a particular system, or a group of systems. These controls require technical or specialized expertise and rely on management and technical controls. (Physical)
• Technical Controls focus on security controls that a computer or telecommunications system executes. They provide automated protection from unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. (Technical)
• Plus those PM bits: Program Management (controlling the controls)

Page 8: FISMA Charisma: Keeping Compliance in Control (236679777)


FISMA Risk Mgmt Cycle

Page 9: FISMA Charisma: Keeping Compliance in Control (236679777)


FISMA/NIST SP800-53 Frameworks

Risk Mgmt Framework Cycle:
 Categorize → Select (SP800-53) → Implement → Assess (SP800-53A) → Authorize → Monitor

Security Controls Framework

Page 10: FISMA Charisma: Keeping Compliance in Control (236679777)


FISMA Control Selection Process

Page 11: FISMA Charisma: Keeping Compliance in Control (236679777)


Security (Re)Assessment Triggers

 – INITIAL and PERIODIC REFRESH: An assessment indicates improvement is needed
 – BREACH or THREAT: An incident or a newly identified, credible, information system-related threat results in a breach to, or suspicion of, the information system, producing a loss of confidence by the organization in the confidentiality, integrity, or availability of information processed, stored, or transmitted by the system
 – OPERATIONS CHANGE: Significant changes to the configuration of the information system through the removal or addition of new or upgraded hardware, software, or firmware or changes in the operational environment potentially degrade the security state of the system
 – PURPOSE CHANGE: Significant changes to the organizational risk management strategy, information security policy, supported missions and/or business functions, or information being processed, stored, or transmitted by the information system

Page 12: FISMA Charisma: Keeping Compliance in Control (236679777)


(Re)Assessment Actions (Cycle)

 – (RE)CONFIRM: (Re)confirm the security category and impact level of the information system
 – (RE)ASSESS: Assess the current security state of the information system and the risk to organizational operations and assets, individuals, other organizations, and the Nation
 – CORRECT: Plan for and initiate any necessary corrective action
 – (RE)AUTHORIZE: Consider (re)authorizing the information system
 – But how do programs get audited?
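As an added example (not the presenters' code), the reassessment triggers from the previous slide and the action cycle on this one as a small Python model: the annual refresh cadence, the "significant" flag, the event kinds and the sample study database are constructed assumptions, while the high-water-mark categorization rule comes from FIPS 199 (which the contract language later on cites) and the 205-control count for a moderate-level system is the figure the slides give.

```python
# Added example (not the presenters' code): a small Python model of the
# slide-11 (re)assessment triggers and the slide-12 action cycle. The annual
# refresh interval, the 'significant' flag and all sample data below are
# constructed assumptions; the high-water-mark rule is from FIPS 199.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# FIPS 199 impact levels, ordered so the high-water mark is a plain max().
IMPACT_ORDER = {"low": 0, "moderate": 1, "high": 2}
# Slide 13: a moderate-level system carries 205 controls. The slides give no
# count for low or high, so those are deliberately left absent.
BASELINE_CONTROL_COUNT = {"moderate": 205}


def categorize(cia: Dict[str, str]) -> str:
    """FIPS 199 high-water mark: the system's level is the highest of C, I, A."""
    return max(cia.values(), key=lambda lvl: IMPACT_ORDER[lvl])


@dataclass
class Event:
    kind: str                 # incident | threat | config_change | purpose_change
    significant: bool = True  # OPERATIONS/PURPOSE CHANGE fire only on significant changes
    new_cia: Optional[Dict[str, str]] = None  # a purpose change may re-rate C/I/A


@dataclass
class SystemRecord:
    name: str
    cia: Dict[str, str]       # e.g. {"C": "low", "I": "moderate", "A": "low"}
    last_assessed: str        # ISO date of the last completed assessment
    refresh_days: int = 365   # assumed periodic-refresh cadence


def reassessment_trigger(system: SystemRecord, events: List[Event], today: str) -> Optional[str]:
    """Return the first slide-11 trigger that fires, or None if none does."""
    elapsed = date.fromisoformat(today) - date.fromisoformat(system.last_assessed)
    if elapsed.days >= system.refresh_days:
        return "PERIODIC REFRESH"
    for ev in events:
        if ev.kind in ("incident", "threat"):
            return "BREACH or THREAT"
        if ev.kind == "config_change" and ev.significant:
            return "OPERATIONS CHANGE"
        if ev.kind == "purpose_change" and ev.significant:
            return "PURPOSE CHANGE"
    return None


def reassessment_plan(system: SystemRecord, events: List[Event], today: str) -> Optional[dict]:
    """Walk the slide-12 cycle once a trigger fires: (RE)CONFIRM the category,
    then (RE)ASSESS, CORRECT and consider (RE)AUTHORIZE. None if no trigger."""
    trigger = reassessment_trigger(system, events, today)
    if trigger is None:
        return None
    old_level = categorize(system.cia)
    # (RE)CONFIRM: a purpose change may carry re-rated impact levels.
    cia = system.cia
    for ev in events:
        if ev.kind == "purpose_change" and ev.new_cia:
            cia = ev.new_cia
    new_level = categorize(cia)
    return {
        "system": system.name,
        "trigger": trigger,
        "category": new_level,
        "category_changed": new_level != old_level,
        "baseline_controls": BASELINE_CONTROL_COUNT.get(new_level),
        "actions": ["(RE)CONFIRM", "(RE)ASSESS", "CORRECT", "(RE)AUTHORIZE"],
    }


if __name__ == "__main__":
    # Constructed sample: a study database rated low/low/low, assessed in Jan 2014,
    # whose purpose change re-rates confidentiality to moderate.
    study_db = SystemRecord("study-db", {"C": "low", "I": "low", "A": "low"}, "2014-01-01")
    change = Event("purpose_change", new_cia={"C": "moderate", "I": "low", "A": "low"})
    print(reassessment_plan(study_db, [change], "2014-06-01"))
```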

Page 13: FISMA Charisma: Keeping Compliance in Control (236679777)


205 Controls in Moderate-Level Systems

Page 14: FISMA Charisma: Keeping Compliance in Control (236679777)


How Does FISMA Get Audited?

• Love of a Thousand Hugs and Kisses (checks and X’es)

Page 15: FISMA Charisma: Keeping Compliance in Control (236679777)


Checklist Auditing - Moderate-Level Controls

Page 16: FISMA Charisma: Keeping Compliance in Control (236679777)


How Does FISMA Get Audited 2

• A checklist is the easiest method for someone who doesn’t know the environment to assess it. This is not risk-based, but more like PCI
• Unless external teams are required, use an internal team - exercise judgment on risk, applicability, acceptance, mitigation, etc. and scope
 – But they may not care

Page 17: FISMA Charisma: Keeping Compliance in Control (236679777)


NOT an Actual Scorecard

Page 18: FISMA Charisma: Keeping Compliance in Control (236679777)


Why Do FISMA?

• So, why do this?
 – “No one wants to do FISMA, they have to.”

Page 19: FISMA Charisma: Keeping Compliance in Control (236679777)


Why Do FISMA?

• Appropriate and/or Acceptable Use
 – FISMA and other risk management activities apply appropriate discipline to the conduct (not just in the findings) of research
• Both Advantage and Requirement
 – Better, more mature processes
 – When choosing whom to fund…
• A tangible example of applied, appropriate use
 – And because a contract/grant says so (we have to)

Page 20: FISMA Charisma: Keeping Compliance in Control (236679777)


Some examples of “Have to”

• Examples of real grant or contract language, from minimal/boilerplate, to in-depth, explicit and detailed
 – Do FISMA (boilerplate)
 – Do FISMA including these few things (ok)
 – Do FISMA, turn these things in regularly (uh-oh)
 – Do FISMA, do not proceed without ATO, and be audited

Page 21: FISMA Charisma: Keeping Compliance in Control (236679777)


Do FISMA (If It Applies)

• Congress and the OMB have instituted laws, policies and directives that govern the creation and implementation of federal information security practices that pertain specifically to grants and contracts. The current regulations are pursuant to the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002 Pub. L. No. 107-347.
• FISMA applies to [X] grantees only when grantees collect, store, process, transmit or use information on behalf of [X] or any of its component organizations. In all other cases, FISMA is not applicable to recipients of grants, including cooperative agreements. Under FISMA, the grantee retains the original data and intellectual property, and is responsible for the security of this data, subject to all applicable laws protecting security, privacy, and research. If and when information collected by a grantee is provided to [X], responsibility for the protection of the [X] copy of the information is transferred to [X] and it becomes the agency’s responsibility to protect that information and any derivative copies as required by FISMA.

Page 22: FISMA Charisma: Keeping Compliance in Control (236679777)


Do FISMA including these few things

Article [X] Information Security
• The Statement of Work (SOW) requires the contractor to (1) develop, (2) have the ability to access, or (3) host and/or maintain Federal Information System(s). Pursuant to [X] Information Security Program Policies, the contractor and any subcontractor performing under this contract shall comply with the following requirements: Federal Information Security Management Act of 2002 (FISMA), Title III, E-Government Act of 2002, Pub. L. No. 107-347…
 – Information Type… [Specified]
 – Security Categories and Level… [Specified]
 – Position Sensitivity Descriptions
   • Level… [Specified]
   • Submission of roster including name, position, responsibility of all staff…any revisions within 15 days of the calendar change…if suitability investigation required…30 days to be performed.
   • All level requirements shall be met prior to performing any work…
 – Information Security Training…[Shall be delivered and tracked]
 – Rules of Behavior… [Shall be communicated to personnel]
 – Personnel Security Responsibilities… (Termination/Separation Requirements)
 – Commitment to Protect Non-Public Departmental Information Systems and Data…[prior to performing any work]
   • Contractor Agreement…
   • Contractor-Employee Non-Disclosure Agreements…

Page 23: FISMA Charisma: Keeping Compliance in Control (236679777)


Do FISMA and turn these things in regularly

Article [X] Information Security
 – The Statement of Work (SOW) requires the contractor to [do] … Federal Information Security Management Act of 2002 (FISMA), Title III, E-Government Act of 2002, Pub. L. No. 107-347…
   • Information Type… [Specified]
   • Security Categories and Level… [Specified]
   • Position Sensitivity Descriptions
   • Information Security Training…[Shall be delivered and tracked]
   • Rules of Behavior… [Shall be communicated to personnel]
   • Personnel Security Responsibilities… (Termination/Separation Requirements)
   • Commitment to Protect Non-Public Departmental Information Systems and Data…[prior to performing any work]
• Also:
 – NIST SP 800-53 Self Assessment… [Annually]
 – Information System Security Plan… [Every 3 Years or upon major modification]

Page 24: FISMA Charisma: Keeping Compliance in Control (236679777)


Do FISMA, turn these things in by…, require ATO, and be audited

Article H.17 – Do FISMA including [abridged - not a complete list!]:
 – Encryption and Key Management…
 – Protect the CIA of all “information technology”…
 – And secure all systems connecting…
 – And adopt these security policies, procedures, controls, and standards…
 – And deliver within [XX] days of award
   • Information Security Plan covering FISMA and OMB Circular A-130, NIST SP 800-18, FIPS 200, and NIST SP 800-26
   • IT Risk Assessment consistent with NIST SP 800-30
   • FIPS 199 Standards for Security Categorization
 – And deliver within [X] months after contract award
   • IT Security Certification and Accreditation in accordance with checklist NIST SP 800-37 and NIST 800-53
 – And for ATO - Resolve any comments on draft plans and receive approval
 – And Audit - Perform an annual security control assessment and proof of valid system accreditation, including an annual test of contingency plan, plus performance of security control testing and evaluation
 – And perform and maintain personnel requirements, including identity validation, training, etc.
 – And maintain for inspection all facilities, data, contracts, subcontracts, and documentation
 – And return all information and resources provided and certify all removal and purge of information after completed/closed

Page 25: FISMA Charisma: Keeping Compliance in Control (236679777)


Or Else:

Acceptance of this award including the “Terms and Conditions” is acknowledged by the [grantee/contractee] when funds are drawn down or otherwise obtained from the grant payment system…

• Pay the money back
• Forfeit/endanger future awards (blacklisted)

Page 26: FISMA Charisma: Keeping Compliance in Control (236679777)


How Do You Know You Need FISMA?

• Someone [likes] and tells you about it (Charisma!)
 – PI or Study Coordinator
   • Lucky: Heads up ahead of time, planning, etc.
   • Typical: “Hey, we have this thing we’re supposed to do…”
   • Bad: “Can you come over? There’s some stuff that was due last (week/month/quarter…) and the auditors are asking to see it now and threatening to shut us down…”
 – A Grantor/Contractor (asking for details)
• Someone (RA?) has to watch for FISMA language
 – If onerous, put doing FISMA in the budget!

Page 27: FISMA Charisma: Keeping Compliance in Control (236679777)


How Do You Watch For FISMA+?

• Someone has to watch for FISMA+ language
 – Office of Research Administration?
• Which one?
 – Grants & Contracts, Compliance, Legal?
 – InfoSec?
• If onerous, build doing FISMA into the budget!
 – Recurring Analysis
 – Dedicated Team(s) (Study level or institutional?)

Page 28: FISMA Charisma: Keeping Compliance in Control (236679777)


NCS Example – “A New Hope”

• A long time ago… (Children’s Health Act 2000)
• A 20+ year, multi-phase, longitudinal study

[Image]

Page 29: FISMA Charisma: Keeping Compliance in Control (236679777)


Study Centers = “Rebel Bases?”

• Distributed study centers

Page 30: FISMA Charisma: Keeping Compliance in Control (236679777)


Federal Oversight = (Not Evil) Empire?

• Program Office, Mission Assurance Team

Page 31: FISMA Charisma: Keeping Compliance in Control (236679777)


Lots of Bureaucracy, PIs, & Ideas

• “Like herding cats” “A goat rodeo” or…

Page 32: FISMA Charisma: Keeping Compliance in Control (236679777)


Page 33: FISMA Charisma: Keeping Compliance in Control (236679777)


Plus

• Ongoing:
 – Monthly vulnerability scanning
 – Scan reports and plan updates, reviewed and approved
 – Change control, de-identification, etc.
• Incident response and reporting
 – 24-hour time to report!!!!!!!
   • Lost cell phone, had virus infection… (electronic)
   • Contractor quit and refused to return materials (paper)
• Your times & requirements may vary

Page 34: FISMA Charisma: Keeping Compliance in Control (236679777)


So, What did we do?

• Not much choice in the NCS – “do it all or no ATO.” (Checklist – added a year)
• Budgeted for FISMA
 – Money for consulting
 – Money for a non-data FTE (Mark!)
• Some centers built whole new, secure environments (your tax dollars at work)
 – Scope control is needed!
 – Some people used paper-only (big data?)

Page 35: FISMA Charisma: Keeping Compliance in Control (236679777)


Our General Approach

• Use NCS efforts as model for future study needs:
 – Create: PIA, Risk Assessment, Security Plan, and internal consulting, more formal incident response
• Leverage institutional controls wherever possible, but carve out a more-controlled environment for additional requirements
• Build Security into Project Management Process to start creating FISMA-like aspects
 – See Information Security in the Future IT Organization (Tomorrow at 8:00AM)

Page 36: FISMA Charisma: Keeping Compliance in Control (236679777)


Page 37: FISMA Charisma: Keeping Compliance in Control (236679777)


Our Specific Approach

• FCRE Architecture:
 – Deskside (plus instruments TBD)
 – Desktop (RDP/VDI)
 – Servers and data: dev/test/prod
 – Data transfer controls (DLP air gap)
 – 3rd Party Co-Lo High Security Facility
 – Outsourced security monitoring
 – Charge back costs to studies (Field of Dreams)

Page 38: FISMA Charisma: Keeping Compliance in Control (236679777)


Thomas Siu – CISO, CWRU

• Let’s talk about risk, compliance, and advantage
 – HIPAA driven >> FISMA-recommended controls >> SANS 20 (We’re a HIPAA hybrid entity anyway)
 – Looming export control requirements
• Take home points:
 – Put money in the budget
 – Scoping exercise
 – Made our own versions for internal use
• What happened to the NCS?
 – Still running nationally, but locally-run study centers shut down (a new phase – central control and budget)

Page 39: FISMA Charisma: Keeping Compliance in Control (236679777)


Thank You!

• Any questions?

[email protected]
[email protected]

