Date posted: 26-Dec-2015
Security Control Families
Management Class
Security Controls Overview

ID  Class        Family                                  # of   R4 (!P0)
CA  Management   Security Assessment and Authorization    6      6
PL  Management   Planning                                 5      3 (significant changes)
PM  Management   Program Management                      11     16
RA  Management   Risk Assessment                          4      4
SA  Management   System and Services Acquisition         14     14
AT  Operational  Awareness and Training                   5      5
CM  Operational  Configuration Management                 9     11 (2 from SA)
CP  Operational  Contingency Planning                    10     10
IR  Operational  Incident Response                        8      8
MA  Operational  Maintenance                              6      6
MP  Operational  Media Protection                         6      7
PE  Operational  Physical and Environmental Protection   19     17
PS  Operational  Personnel Security                       8      8
SI  Operational  System and Information Integrity        13     12
AC  Technical    Access Control                          19     16
AU  Technical    Audit and Accountability                14     12
IA  Technical    Identification and Authentication        8      8
SC  Technical    System and Communications Protection    34     24

Class totals for the "# of" column: Management 40, Operational 84, Technical 75.
NIST Doc Review Strategy
– Bulleted Summaries
– Executive Summaries, Overviews, Introductions
– Table Summaries
– Graphic Summaries
(PM) Program Management

PM-2  Senior Information Security Officer: FISMA
PM-3  Information Security Resources: Clinger-Cohen, M-00-07, M-02-01, Circular A-11, SP 800-65
PM-4  Plan of Action and Milestones Process: M-02-01, SP 800-37r1
PM-5  Information System Inventory: FISMA
PM-6  Information Security Measures of Performance: SP 800-55, SP 800-137
PM-7  Enterprise Architecture: Clinger-Cohen, OMB FEA, SP 800-39
PM-8  Critical Infrastructure Plan: HSPD 7, SP 800-53r3 Appendix I
PM-9  Risk Management Strategy: SP 800-39, SP 800-30
PM-10 Security Authorization Process: A-130 III, SP 800-39, SP 800-37r1 Appendix F
PM-11 Mission/Business Process Definition: FIPS 199, SP 800-60
(PM) Program Management (Cont.)

PM-12 Insider Threat Program: Executive Order 13587
PM-13 Information Security Workforce
PM-14 Testing, Training, and Monitoring: 800-16, 800-37, 800-53A, 800-137
PM-15 Contacts with Security Groups and Associations
PM-16 Threat Awareness Program
XX-1 Policy & Procedures

– SP 800-12, The Handbook
– SP 800-100, Manager's Handbook

AC-1 Access Control
AT-1 Security Awareness and Training
AU-1 Audit and Accountability
CA-1 Security Assessment and Authorization
CM-1 Configuration Management
CP-1 Contingency Planning
IA-1 Identification and Authentication
IR-1 Incident Response
MA-1 System Maintenance
MP-1 Media Protection
PE-1 Physical and Environmental Protection
PL-1 Security Planning
PM-1 Information Security Program Plan
PS-1 Personnel Security
RA-1 Risk Assessment
SA-1 System and Services Acquisition
SC-1 System and Communications Protection
SI-1 System and Information Integrity
(CA) Security Assessment & Authorization

CA-2 Security Assessments: SP 800-53A, SP 800-115
CA-3 Information System Connections: SP 800-47
CA-5 Plan of Action and Milestones: OMB M-02-01, SP 800-37r1
CA-6 Security Authorization: OMB A-130 Appendix III, SP 800-37r1 Appendix F
CA-7 Continuous Monitoring: SP 800-137

* This control family is the RMF.
(PL) Planning Family & Family Plans

PL-2 System Security Plan: OMB A-130, SP 800-18r1
PL-4 Rules of Behavior: OMB A-130, SP 800-18r1
PL-5 Privacy Impact Assessment: E-Gov Sec. 208, OMB M-03-22
PL-6 Security-Related Activity Planning
PL-8 Information Security Hardware
(PL) Planning Family & Family Plans (Cont.)

CA-5 Plan of Action and Milestones: OMB M-02-01, SP 800-37
CA-9 Internal Systems Connections: SP 800-53
CP-2 Contingency Plan: FCD-1, SP 800-34
CM-9 Configuration Management Plan: SP 800-128
IR-8 Incident Response Plan: SP 800-61
PM-1 Information Security Program Plan: SP 800-18r1
PM-8 Critical Infrastructure Plan: HSPD 7
RMF 4.1 Security Assessment Plan: SP 800-53A
Privacy Controls Overview

ID  Class    Family
AP  Privacy  Authority and Purpose
AR  Privacy  Accountability, Audit, and Risk Management
DI  Privacy  Data Quality and Integrity
DM  Privacy  Data Minimization and Retention
IP  Privacy  Individual Participation and Redress
SE  Privacy  Security
TR  Privacy  Transparency
UL  Privacy  Use Limitation
Appendix J, Privacy Control Catalog, is a new addition to NIST Special Publication 800-53. It is intended to address the privacy needs of federal agencies.
There is a strong similarity in the structure of the privacy controls in Appendix J and the security controls in Appendices F and G.
Privacy Controls Family Overview
AP-1 Authority to Collect OMB A-130
AP-2 Purpose Specification
AR-1 Governance Privacy Program OMB A-130
AR-2 Privacy Impact and Risk Assessment FISMA
AR-3 Privacy Requirements for Contractors and Service Providers OMB A-130
AR-4 Privacy Monitoring and Auditing OMB A-130
AR-5 Privacy Awareness and Training
AR-6 Privacy Reporting OMB A-130, FISMA
AR-7 Privacy-Enhanced System Design and Development
AR-8 Accounting of Disclosures
DI-1 Data Quality
DI-2 Data Integrity and Data Integrity Board OMB A-130
DM-1 Minimization of Personally Identifiable Information
DM-2 Data Retention and Disposal OMB A-130, 800-88
DM-3 Minimization of PII Used in Testing, Training, and Research 800-122
Privacy Controls Family Overview (Cont.)
IP-1 Consent OMB
IP-2 Individual Access OMB A-130
IP-3 Redress OMB A-130
IP-4 Complaint Management OMB A-130
SE-1 Inventory of Personally Identifiable Information FIPS 199, OMB A-130, 800-37, 800-122
SE-2 Privacy Incident Response FISMA 800-37
TR-1 Privacy Notice
TR-2 System of Records Notices and Privacy Act Statements OMB A-130
TR-3 Dissemination of Privacy Program Information
UL-1 Internal Use
UL-2 Information Sharing with Third Parties
(RA) Risk Assessment
RA-2 Security Categorization FIPS 199 SP 800-60, DHS EBK
RA-3 Risk Assessment SP 800-30, SP 800-39
RA-5 Vulnerability Scanning SP 800-40
(SA) System & Services Acquisition
SA-2  Allocation of Resources: M-00-07, Circular A-11, SP 800-65
SA-3  Life Cycle Support: M-00-07, Circular A-11, SP 800-64
SA-4  Acquisitions: SP 800-23, 800-35, 800-36
SA-5  Information System Documentation
SA-6  Software Usage Restrictions
SA-7  User-Installed Software
SA-8  Security Engineering Principles: SP 800-27
SA-9  External Information System Services: FedRAMP, SP 800-35
SA-10 Developer Configuration Management: EBK Application Security
SA-11 Developer Security Testing
SA-12 Supply Chain Protection
SA-13 Trustworthiness
(PM) PROGRAM MANAGEMENT
Program Management Guidance
– FISMA: Information Security Act
– Clinger-Cohen Act
– HSPD 7: Critical Infrastructure
– OMB A-130 III
– M-00-07: IT Security Funding
– M-02-01: POAM
– 800-65: Capital Planning Investment Control
– 800-37r1: RMF
– 800-39: Risk Management
– 800-30: Risk Assessment
– 800-55: Performance Measurement
– 800-137: Continuous Monitoring
Knowledge Check
How well do you know your planning (PL) and program management (PM) controls? Take 5 minutes to fill in as many of the following controls as you can.
As review questions are presented, ask yourself two building-block questions:
1. What is the security control related to this question?
2. What are the mandates, standards, and guidance for the related security control?
Information Security Program Plan
– Defines Security Program Requirements
– Documents Management and Common Controls
– Defines Roles, Responsibilities, Management Commitment and Coordination
– Approved by Senior Official (AO)
– Appoint Senior Information Security Officer
Critical Infrastructure Plan
– HSPD-7 Critical Infrastructure: Essential Services That Underpin American Society
– Industrial Control Systems Characteristics
  – Pervasive Throughout Critical Infrastructure
  – Need for Real-time Response
  – Extremely High Availability, Predictability, and Reliability
– Meet Several and Often Conflicting Requirements
  – Minimizing Risk to the Safety of the Public
  – Preventing Serious Damage to Environment
  – Preventing Serious Production Stoppages or Slowdowns
  – Protecting Critical Infrastructure from Cyber Attacks and Human Error
  – Safeguarding Against Compromise of Proprietary Information
Capital Planning & Investment Control
– CPIC Defined by
  – Exhibit 300: Major Investments
  – Exhibit 53: Major IT Investments
  – Enterprise Architecture Program
– M-00-07: Incorporating and Funding Security in Information Systems Investments
– M-02-01: Preparing and Submitting POAMs; Must Be Cross-Referenced With Exhibits 300 and 53
Knowledge Check
If the interconnecting systems have the same authorizing official, an Interconnection Security Agreement is not required. True or False?
Which NIST SP provides a seven-step process for integrating information security into the capital planning process?
This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.
The corrective action and cost information contained in which document serve as inputs to the Exhibit 300s and are then rolled into the Exhibit 53?
Metrics Development Process
Federal Enterprise Architecture
– Performance
– Data
– Business
– Service
– Technical
– Information Type (SP 800-60)
Core Principles of the FEA
– Business-driven
– Proactive and collaborative across the Federal government
– Architecture improves the effectiveness and efficiency of government information resources
Defining Mission/Business Processes
Defines mission/business processes with consideration for information security and the resulting risk to the organization;
Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
(RA) RISK ASSESSMENT
Risk Assessment Guidance
– FIPS 199: Categorization Standard
– EBK Data Security (Security Objectives: CIA)
– 800-60: Mapping Information Types
– 800-39: Risk Management
– 800-30: Risk Assessment
– 800-40: Patch & Vulnerability Management
Knowledge Check
How well do you know your risk assessment (RA) and security assessment and authorization (CA) controls? Take 2 minutes to fill in as many as you can.
Changing Guidance on Risk Assessment
– The Original SP 800-30: Risk Management for IT Systems
  – Risk Assessment
  – Risk Mitigation
  – Risk Evaluation
– SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View
– SP 800-30 Rev 1: Guide for Conducting Risk Assessments
Patch and Vulnerability Management Program
– Create a System Inventory
– Monitor for Vulnerabilities, Remediations, and Threats
– Prioritize Vulnerability Remediation
– Create an Organization-Specific Remediation Database
– Conduct Generic Testing of Remediations
– Deploy Vulnerability Remediations
– Distribute Vulnerability and Remediation Information to Local Administrators
– Perform Automated Deployment of Patches
– Configure Automatic Update of Applications Whenever Possible and Appropriate
– Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning
– Vulnerability Remediation Training
Knowledge Check
In which NIST special publication might you find guidance for the performance measurement of information systems?
Which FEA reference model was used to create the guide for mapping information types to security categories, in support of the first step of the Risk Management Framework?
What is the name of the security control, represented by the control ID RA-3, which must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework?
Where can information about vulnerabilities be found?

How well do you know your Systems & Services Acquisition (SA) controls? [5 minutes… go!]
(SA) SYSTEM & SERVICES ACQUISITION
System & Services Acquisition Guidance
– M-00-07: Incorporating and Funding Security in Information Systems Investments
– Circular A-11, The Budget
  – Exhibit 300: Planning, Budgeting, Acquisition, and Management of Information Technology Capital Assets
    • 300A: Detailed Justifications of Major "IT Investments"
    • 300B: Project Life Cycle Management
  – Enterprise Architecture
  – IT Capital Planning and Control Process (800-65 CPIC)
– Development
  – 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
  – 800-27: Engineering Principles
  – 800-64: SDLC
– Acquisition
  – 800-23: Acquisition of Evaluated IT Products
  – 800-36: Selecting Security Products
  – 800-35: Selecting Security Services
IT Security Principles
Security Foundation
– Establish a sound security policy as the "foundation" for design
– Treat security as an integral part of the overall system design
– Clearly delineate the physical and logical security boundaries governed by associated security policies
– Ensure that developers are trained in how to develop secure software

Risk Based
– Reduce risk to an acceptable level
– Assume that external systems are insecure
– Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness
– Implement tailored system security measures to meet organizational security goals
– Protect information while being processed, in transit, and in storage
– Consider custom products to achieve adequate security
– Protect against all likely classes of "attacks"
Considerations for Acquiring Information Security Products
– Security Product Testing
– Security Checklists for IT Products

Security Product Testing

Product categories: Identification and Authentication, Access Control, Intrusion Detection, Firewall, Public Key Infrastructure, Malicious Code Protection, Vulnerability Scanners, Forensics, Media Sanitizing

1. Common Criteria Evaluation and Validation Scheme
2. NIST Cryptographic Module Validation Program

National Checklists Program
Management Security Controls Key Concepts & Vocabulary
– XX-1 Policy & Procedures
– CA: Security Assessment and Authorization
– PL: Planning Family & Family Plans
  – Information Security Program Plan (PM)
  – Critical Infrastructure Plan (HSPD 7)
– PM: Program Management
  – Capital Planning and Investment Control (SP 800-65)
  – Measures of Performance (SP 800-55)
  – Enterprise Architecture (FEA BRM)
– RA: Risk Assessment
  – Security Categorization
  – Risk & Vulnerability Assessments
– SA: System and Services Acquisition
Questions?