ISA220 Risk Management Framework for Practitioners - Lesson 8.2: Address Changes to an Information or PIT System

Date post: 12-Sep-2020

Transcript

Page 1

ISA220 Risk Management Framework for Practitioners Lesson 8.2 - Address Changes to an Information or PIT System

Introduction

There are occasions when changes to the Information or Platform Information Technology (PIT) system or its environment occur.

This lesson will identify a Security Impact Analysis and how we address proposed and actual changes that may occur during the life cycle of an Information or PIT system. These changes will serve as inputs to our system-level continuous monitoring.


Page 2

System and Environment Changes - Secure Configuration Management

As we implement system-level continuous monitoring, we may incur changes to an Information or PIT system or its environment of operation that may affect the authorized security controls already in place (including system-specific, hybrid, and common controls).

This may produce new vulnerabilities in the system or generate requirements for new security controls that were not previously required.

Documenting proposed, or actual, changes to an Information or PIT system (or its environment of operation) is an important aspect of monitoring security controls.

Documentation is fundamental to evaluating and tracking potential impacts the changes may have on the security state of the system or the organization.

Maintaining the security authorization over time is also important to maintaining the security state of the system or the organization.


Page 3

System and Environment Changes - Secure Configuration Management, Cont.

It is important to implement Secure Configuration Management, which is the management and control of security configurations for an information system to improve security and the management of risk.

Secure Configuration Management begins by establishing an initial baseline of hardware, software, and firmware components for the Information or PIT system and subsequently controlling any changes to the system, including additions and deletions, and maintaining an accurate history of those changes.


Page 4

System Environment Changes - Security Impact Analysis

The Information System Owner or Program/System Manager and the Common Control Provider (as applicable) determine the security impact of proposed or actual changes to an Information or PIT system and its environment of operation by conducting a Security Impact Analysis.

The Security Impact Analysis determines the extent to which proposed or actual changes to an Information or PIT system, or its environment of operation, affect the security state of the system. The process for a Security Impact Analysis consists of the following steps:

• Understand the change in a system change request

• Identify vulnerabilities that the proposed change may introduce

• Assess risks to the information system, system users, and the organization's mission/business functions

• Assess security controls that are affected by the proposed change

• Plan safeguards and countermeasures against any identified negative impacts to those security measures

• Update critical security documentation to reflect the changes made to the information system, such as the Security Plan, Security Assessment Report, Risk Assessment Report, and the Plan of Action and Milestones


Page 5

System Environment Changes - Security Impact Analysis, Cont.

If the results of the Security Impact Analysis indicate the proposed or actual changes to an Information or PIT system affect the security state of the system, action must be taken, including notifying the Information System Owner and the Security Controls Assessor of the proposed, or actual, system or environment of operations changes.

The Security Controls Assessor can determine what further action is necessary. Security-relevant changes cannot be made to an Information or PIT system or its environment of operation without consulting the appropriate organizational officials/entities (e.g., configuration management or control board, Information System Owner, Component Senior Information Security Officer).

In addition, the Security Plan, Security Assessment Report, Plans of Action and Milestones, and other system artifacts should be revised and updated as required to reflect any changes to the Information or PIT system or its environment of operation. The Authorizing Official or the Authorizing Official's Designated Representative uses the revised and updated system artifacts to determine if a formal reauthorization action is necessary.

Most routine changes (routine software updates and patches that do not result in a security-relevant change) to an Information or PIT system or its environment of operation can be handled by the organization's system-level continuous monitoring program, therefore supporting near real-time risk management.
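The following is an added example, not part of the ISA220 lesson, that ties together the Secure Configuration Management page (an initial baseline of hardware, firmware and software, controlled additions and deletions, and an accurate change history) and the distinction made above between routine patches and security-relevant changes. It diffs an observed inventory against the authorized baseline, records every change with a timestamp, and routes each one either to continuous monitoring or to a Security Impact Analysis with notification of the ISO and SCA. The component names, versions, the item-to-control mapping and the inventory values are all constructed for illustration; only routine changes are folded back into the baseline, since the security-relevant ones await the outcome of the analysis and the configuration control board.

```python
"""Secure Configuration Management: baseline, change detection, history, routing.

Added example; not part of ISA220. Every component name, version, control
mapping and timestamp below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Authorized baseline: hardware, firmware and software configuration items keyed
# by a constructed "type:host:component" name, valued by the approved version.
BASELINE: Dict[str, str] = {
    "hw:fuel-server-01:bios": "1.12",
    "fw:fuel-server-01:nic": "4.3.1",
    "sw:fuel-server-01:openssl": "1.1.1k",
    "sw:fuel-server-01:ssh-server": "8.4p1",
    "sw:fuel-server-01:inventory-app": "3.4.0",
}

# Constructed mapping from configuration items to the security controls whose
# implementation depends on them (control IDs use NIST SP 800-53 naming).
CONTROL_DEPENDENCIES: Dict[str, List[str]] = {
    "sw:fuel-server-01:openssl": ["SC-8", "SC-13"],
    "sw:fuel-server-01:ssh-server": ["IA-2", "AC-17"],
    "fw:fuel-server-01:nic": ["SC-7"],
}


@dataclass
class Change:
    item: str
    kind: str                    # "added", "deleted" or "modified"
    before: Optional[str]
    after: Optional[str]
    affected_controls: List[str]
    observed_at: str             # ISO 8601 timestamp kept in the change history

    @property
    def security_relevant(self) -> bool:
        # Adding or removing a component alters the authorized baseline itself;
        # a version change is security-relevant only if a control depends on it.
        return self.kind != "modified" or bool(self.affected_controls)


def detect_changes(baseline: Dict[str, str], current: Dict[str, str],
                   now: Optional[datetime] = None) -> List[Change]:
    """Diff the observed inventory against the baseline: additions, deletions, modifications."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    changes: List[Change] = []
    for item in sorted(set(baseline) | set(current)):
        before, after = baseline.get(item), current.get(item)
        if before == after:
            continue
        kind = "added" if before is None else "deleted" if after is None else "modified"
        changes.append(Change(item, kind, before, after,
                              CONTROL_DEPENDENCIES.get(item, []), stamp))
    return changes


def route(changes: List[Change]) -> Tuple[List[Change], List[Change]]:
    """Routine changes stay in continuous monitoring; security-relevant ones go to
    Security Impact Analysis, with the ISO and SCA notified."""
    routine = [c for c in changes if not c.security_relevant]
    sia = [c for c in changes if c.security_relevant]
    return routine, sia


def apply_changes(baseline: Dict[str, str], history: List[Change],
                  changes: List[Change]) -> Dict[str, str]:
    """Append each change to the history and return the updated baseline."""
    updated = dict(baseline)
    for change in changes:
        history.append(change)
        if change.after is None:
            del updated[change.item]
        else:
            updated[change.item] = change.after
    return updated


# Constructed "current" inventory, as an inventory scanner might report it.
CURRENT_INVENTORY: Dict[str, str] = {
    "hw:fuel-server-01:bios": "1.12",
    "sw:fuel-server-01:openssl": "1.1.1l",         # crypto library patched
    "sw:fuel-server-01:ssh-server": "8.4p1",
    "sw:fuel-server-01:inventory-app": "3.4.1",    # routine application patch
    "sw:fuel-server-01:remote-admin-tool": "0.9",  # new, unapproved component
}                                                  # NIC firmware entry is missing


if __name__ == "__main__":
    history: List[Change] = []
    found = detect_changes(BASELINE, CURRENT_INVENTORY)
    routine, sia = route(found)
    for c in routine:
        print(f"routine (continuous monitoring): {c.item} {c.before} -> {c.after}")
    for c in sia:
        print(f"SECURITY-RELEVANT -> SIA, notify ISO/SCA: {c.kind} {c.item} "
              f"controls={c.affected_controls or 'baseline membership change'}")
    # Only routine changes update the baseline now; the rest wait for the SIA outcome.
    new_baseline = apply_changes(BASELINE, history, routine)
    print(f"history entries: {len(history)}, baseline items: {len(new_baseline)}")
```

The `security_relevant` rule is deliberately conservative: any component that appears or disappears is treated as a baseline change regardless of control mapping, because an unmapped component is exactly the case where the mapping itself may be incomplete.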


Page 6

Knowledge Review 1

The ______ determines the extent to which proposed or actual changes to an Information or Platform Information Technology (PIT) system or its environment of operation affect the security state of the system. (Fill in the blank)

• Risk Management Framework

• Plan of Action and Milestones

• Secure Configuration Management

• Security Impact Analysis (correct)

Check Answer

The Security Impact Analysis determines the extent to which proposed or actual changes to an Information or Platform Information Technology (PIT) system or its environment of operation affect the security state of the system.


Page 7

Ongoing Security Controls Assessment

Ongoing assessment of security controls involves assessing a selected subset of the security controls employed within and inherited by an Information or PIT system, in accordance with the system-level continuous monitoring strategy.

The selection of appropriate security controls to monitor is based on the Continuous Monitoring Strategy developed by the Information System Owner and Program/System Manager or Common Control Provider and approved by the Authorizing Official as part of the overall System Authorization. Following the Continuous Monitoring Strategy:

• The Security Controls Assessor and Information System Security Manager/Officer, as appropriate, assess a selected subset of the security controls employed within and inherited by an Information or PIT system

• Organizations can draw upon the assessment results from any of the following sources, including but not limited to:

  • Security control assessments conducted as part of an Information or PIT system authorization or reauthorization

  • Ongoing monitoring activities

  • Testing and evaluation of the Information or PIT system as part of the Acquisition Life Cycle


Page 8

Ongoing Assessment of AFS Security Controls

Hello again team. As your Security Controls Assessor, I would like to provide you with a couple of examples of how we would address ongoing monitoring of our AFS security controls . Let's take another look at a subset of our final security controls and address a couple of them.

Identification and Authentication Policy and Procedures (IA-1 from NIST SP 800-53A, Rev 4) requires the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements within the IA family.

These policies and procedures are maintained by the Fuels Management Program and I must review them on an annual basis to make sure they remain effective and relevant for the Fuels Management Program Network.

Also, since this is an inherited control from our Common Controls Provider, the Fuels Management Program Network, this review will satisfy our AFS Continuous Monitoring Strategy which also requires us to review IA-1 on an annual basis .


Page 9

Ongoing Assessment of AFS Security Controls, Cont.

IA-2 requires us to uniquely identify and authenticate all of our AFS users (or processes acting on behalf of AFS users) when accessing all AFS resources. In the DoD, we must implement Common Access Cards (CAC) and individual unique passcodes to access AFS workstations and laptops.

I will coordinate with our Fuels Management Program Network team for CAC use policy, requirements and documentation, but also work with our AFS administrators to make sure everyone on the AFS team has an established AFS account, mandating CAC identification for facility access and authentication for system access and use.

I will coordinate with the Information System Security Manager/Officer to conduct a monthly review to ensure that all user accounts are properly managed and updated to add/remove users, as authorized, per our AFS Continuous Monitoring Strategy.


Page 10

Ongoing Assessment of AFS Security Controls, Cont.

Legend:

C = Common (or Inherited) Controls - Many of the security controls needed to protect organizational information systems (e.g., contingency planning controls, incident response controls, security training and awareness controls, personnel security controls, physical and environmental protection controls, and intrusion detection controls) are excellent candidates for common control status. Information security program management controls may also be deemed common controls by the organization since the controls are employed at the organization level and typically serve multiple information systems. Most organizations identify "-1" (ex. AC-1) as Common (Inherited) Controls. DoD has identified specific Common Controls identified as "Inherited Controls" within the RMF Knowledge Service.

Security controls not designated as common controls are considered system-specific controls or hybrid controls.

S = System-specific Controls - The primary responsibility of information system owners and their respective authorizing officials.

H = Hybrid Controls - Organizations assign a hybrid status to a security control when one part of the control is deemed to be common and another part of the control is deemed to be system-specific.

The size of the table was selected so that students could see a representation of each type of control (C, S, H).


Page 11

Ongoing Assessment of AFS Security Controls, Cont. (security control matrix)


Columns: C = Confidentiality, I = Integrity, A = Availability, each at the L (Low), M (Moderate) and H (High) impact levels; the last column gives the control type (C/S/H per the legend). Marks are reproduced as transcribed; for rows 2-5 the transcript does not preserve which six of the nine columns are marked.

ID  Control   Title                                  C: L M H | I: L M H | A: L M H   C/S/H
1   AC-1      Access Control Policy And Procedures   x x x    | x x x    | x x x      C
2   AC-2(1)   Account Management                     x x x x x x (six of nine)         C
3   AC-2(4)   Account Management                     x x x x x x (six of nine)         H
4   AC-2(7)   Account Management                     x x x x x x (six of nine)         C
5   AC-3     Access Enforcement                     x x x x x x (six of nine)         S


Page 12

Ongoing Remediation Actions

Ongoing remediation actions involve conducting remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the Plan of Action & Milestones (POA&M).

Results of ongoing security controls assessments are provided by the:

• Security Controls Assessor (SCA); or

• Information System Security Manager (ISSM)/Officer to the Information System Owner (ISO); or

• Program/System Manager

The Common Control Provider will initiate remediation actions for the security controls under their responsibility.


Page 13

Ongoing Remediation Actions, Cont.

Security controls that are modified, enhanced, or added during the ongoing monitoring process are reassessed by the SCA or ISSM/ISSO to ensure that appropriate corrective actions are taken to eliminate weaknesses or deficiencies or to mitigate the identified risk.

The SCA or ISSM/ISSO may provide recommendations for appropriate remediation actions.

An assessment of risk (either formal or informal) informs organizational decisions with regard to conducting ongoing remediation actions.


Page 14

Updating the Security Plan, Security Assessment Report, and Plan of Action & Milestones

As part of the ongoing assessment of security controls and remediation to maintain the security state of an Information or PIT system, the Information System Owner or Program/System Manager and Common Control Provider must update and maintain the Security Plan, Security Assessment Report, and Plans of Action & Milestones based on the results of the system-level continuous monitoring process.

The updated Security Plan should reflect any modifications to security controls based on risk mitigation activities carried out by the Information System Owner or Program/System Manager and Common Control Provider.

The updated Plans of Action & Milestones reports progress made on current outstanding items listed in the plan; addresses vulnerabilities discovered during the Security Impact Analysis or security control monitoring; and describes how the Information System Owner or Program/System Manager and Common Control Provider intends to address those vulnerabilities.

The updated Security Assessment Report reflects additional assessment activities carried out to determine security control effectiveness based on modifications to the Security Plan and implemented security controls.

The information provided by these critical updates helps to raise awareness of the current security state of the Information or PIT system (and the common controls inherited by the system) thereby supporting near real-time risk management.


Page 15

Security Status Reporting

As part of your System's Authorization to Operate and implementation of your Continuous Monitoring Strategy, you, as the Information System Owner, or the Program/System Manager along with the Common Control Provider must report the security status of the Information or PIT system.

This includes the effectiveness of security controls employed within and inherited by the system.

The security status must be reported to the Authorizing Official and other appropriate organizational officials on an ongoing basis in accordance with the Continuous Monitoring Strategy.


Page 16

Security Status Reporting, Cont.

Security status reporting can be:

• Event driven: Example: a breach in a security control which allowed unauthorized access to information on the system.

• Time driven: Example: the annual review of the system's Identification & Authentication security controls was performed. It was found that recently terminated users from a program were not removed from the authenticated and authorized users list.

• Both event and time driven: Example: the DoD policy was updated to no longer require Common Access Card (CAC) authentication for users of DoD systems six months prior to your annual review. Simultaneously, the Identification and Authentication security controls require a transition to an approved multi-factor authentication and non-person entity Public Key Infrastructure within twelve months of a signed policy.
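The following is an added example, not part of the ISA220 lesson, covering two passages: the Security Controls Assessor's monthly IA-2 account review (page 9) and the time-driven reporting example above, where a scheduled review finds terminated users still on the authorized list. It reconciles a system's account export against the program's authorized-user roster and CAC (EDIPI) bindings, emits findings for the review, and rolls them into a status report entry tagged as time driven. The roster, the account list, the EDIPI values, the dates and the finding codes are all constructed for this example.

```python
"""Monthly IA-2 account review producing a time-driven security status entry.

Added example; not part of ISA220. The roster, account export, EDIPI values,
dates and finding codes below are constructed for illustration.
"""
from datetime import date
from typing import Dict, List, Set

# Constructed authorized-user roster maintained by the program office.
ROSTER: Dict[str, dict] = {
    "jdoe":   {"edipi": "1000000001", "status": "active",     "terminated_on": None},
    "asmith": {"edipi": "1000000002", "status": "terminated", "terminated_on": "2020-08-14"},
    "bwong":  {"edipi": "1000000003", "status": "active",     "terminated_on": None},
    "cruiz":  {"edipi": "1000000004", "status": "active",     "terminated_on": None},
    "dlee":   {"edipi": "1000000005", "status": "terminated", "terminated_on": "2020-07-02"},
}

# Constructed account export from the system: enabled flag and the EDIPI bound to the CAC.
ACCOUNTS: List[dict] = [
    {"username": "jdoe",       "enabled": True,  "cac_edipi": "1000000001"},
    {"username": "asmith",     "enabled": True,  "cac_edipi": "1000000002"},  # terminated, still enabled
    {"username": "bwong",      "enabled": True,  "cac_edipi": None},          # no CAC binding
    {"username": "dlee",       "enabled": False, "cac_edipi": "1000000005"},  # terminated and disabled: fine
    {"username": "svc-legacy", "enabled": True,  "cac_edipi": None},          # not on the roster at all
    # cruiz is authorized but has no account yet
]


def review_accounts(roster: Dict[str, dict], accounts: List[dict]) -> List[dict]:
    """Reconcile enabled accounts against the roster and CAC binding; return findings."""
    findings: List[dict] = []
    seen: Set[str] = set()
    for acct in accounts:
        user = acct["username"]
        seen.add(user)
        if not acct["enabled"]:
            continue  # a disabled account grants no access; nothing to report
        entry = roster.get(user)
        if entry is None:
            findings.append({"user": user, "code": "NOT_ON_ROSTER",
                             "detail": "enabled account with no authorized user"})
            continue
        if entry["status"] == "terminated":
            findings.append({"user": user, "code": "TERMINATED_USER_ENABLED",
                             "detail": f"user terminated on {entry['terminated_on']}"})
        if acct["cac_edipi"] is None:
            findings.append({"user": user, "code": "NO_CAC_BINDING",
                             "detail": "IA-2 requires CAC authentication"})
        elif acct["cac_edipi"] != entry["edipi"]:
            findings.append({"user": user, "code": "CAC_MISMATCH",
                             "detail": "bound EDIPI differs from the roster"})
    # Authorized users who were never provisioned also need an add action.
    for user, entry in roster.items():
        if entry["status"] == "active" and user not in seen:
            findings.append({"user": user, "code": "AUTHORIZED_USER_WITHOUT_ACCOUNT",
                             "detail": "add account as authorized"})
    return findings


def status_report(findings: List[dict], review_date: date) -> dict:
    """Summarize the scheduled review for the Authorizing Official (time-driven reporting)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["code"]] = counts.get(f["code"], 0) + 1
    return {
        "control": "IA-2",
        "trigger": "time driven",          # scheduled monthly review, not an incident
        "review_date": review_date.isoformat(),
        "finding_counts": counts,
        # Terminated users who can still authenticate are the case the lesson cites;
        # list them explicitly so each becomes a POA&M item.
        "access_by_terminated_users": [f["user"] for f in findings
                                       if f["code"] == "TERMINATED_USER_ENABLED"],
    }


if __name__ == "__main__":
    results = review_accounts(ROSTER, ACCOUNTS)
    for f in results:
        print(f"{f['code']:32} {f['user']:12} {f['detail']}")
    print(status_report(results, date(2020, 9, 1)))
```

Disabled accounts are skipped on purpose so that a correctly offboarded user (`dlee`) produces no noise, while an account missing from the roster is reported once as unauthorized rather than also as lacking a CAC binding.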


Page 17

Security Status Reporting, Cont.

The goal of ongoing security status reporting is to maintain cost-effective and efficient ongoing communication with senior leaders, conveying the current security state of your Information or PIT system and its environment of operation.


Page 18

Knowledge Review 2

Ongoing assessment of security controls involves assessing a selected subset of the security controls employed within and inherited by an Information or Platform Information Technology (PIT) system in accordance with the system-level ______. (Fill in the blank)

• Security Controls Selection

• Continuous Monitoring Strategy (correct)

• Security Impact Analysis

• Security Assessment Plan

Check Answer

Ongoing assessment of security controls involves assessing a selected subset of the security controls employed within and inherited by an Information or PIT system in accordance with the system-level continuous monitoring strategy.


Page 19

Knowledge Review 3

______, as appropriate, initiate remediation actions for security controls that are found to be deficient through continuous monitoring activities. (Fill in the blank)

• The Authorizing Official or Common Control Providers

• The Common Control Provider or Security Control Assessor

• The Information System Owners, Program/System Managers, or Common Control Providers (correct)

• The Information System Security Engineer and Security Control Assessor

Check Answer

Information System Owners, Program/System Managers, or Common Control Providers, as appropriate, initiate remediation actions for security controls that are found to be deficient through continuous monitoring activities.


Page 20

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
