1 / 75

Important acronyms

Important acronyms. AO = authorizing official ISO = information system owner CA = certification agent. NIST 800-37. National Institute of Standards and Technology, US Department of Commerce Guide for the Security Certification and Accreditation of Federal Information Systems.

harlan
Download Presentation

Important acronyms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Important acronyms AO = authorizing official ISO = information system owner CA = certification agent

  2. NIST 800-37 National Institute of Standards and Technology, US Department of Commerce Guide for the Security Certification and Accreditation of Federal Information Systems

  3. National Policy Office of Management and Budget Circular A-130, Management of Federal Information Resources requires federal agencies to:

  4. National Policy Office of Management and Budget Circular A-130, Management of Federal Information Resources requires federal agencies to: • Plan for security

  5. National Policy Office of Management and Budget Circular A-130, Management of Federal Information Resources requires federal agencies to: • Plan for security • Ensure that appropriate officials are assigned security responsibility

  6. National Policy Office of Management and Budget Circular A-130, Management of Federal Information Resources requires federal agencies to: • Plan for security • Ensure that appropriate officials are assigned security responsibility • Review security controls

  7. Security Controls • The countermeasures used to protect assets and manage the confidentiality, integrity, and availability of assets. • Anti-virus software • Network Firewall • User awareness training • Access controls

  8. 800-37 Purpose • Provide guidelines for the security certification and accreditation of information systems supporting executive agencies of the US federal government.

  9. 800-37 Purpose • Enable consistent and repeatable assessments of information systems

  10. 800-37 Purpose • Enable consistent and repeatable assessments of information systems • Promote an understanding of risks involved in operating information systems

  11. 800-37 Purpose • Enable consistent and repeatable assessments of information systems • Promote an understanding of risks involved in operating information systems • Create complete and reliable information used by professionals to make an informed certification/accreditation decision.

  12. 800-37 Purpose • Enable consistent and repeatable assessments of information systems • Promote an understanding of risks involved in operating information systems • Create complete and reliable information used by professionals to make an informed certification/accreditation decision. • Assignment of responsibility and accountability to the individuals overseeing the information system.

  13. Risk Management Links in the Security Chain: Management, Operational, and Technical Controls • Risk assessment • Security planning • Security policies and procedures • Contingency planning • Incident response planning • Physical security • Personnel security • Security assessments • Security accreditation • Access control mechanisms • Identification & authentication mechanisms (Biometrics, tokens, passwords) • Audit mechanisms • Encryption mechanisms • Firewalls and network security mechanisms • Intrusion detection systems • Anti-malware • Smart cards Adversaries attack the weakest link…where is yours?

  14. Managing Agency Risk Key activities in managing agency-level risk—risk resulting from the operation of an information system: • Select a set of security controls • Document security controls in the system security plan • Implement the security controls in the information system • Assess the security controls • Determine risk acceptability • Authorize information system operation • Monitor security controls on a continuous basis

  15. Certification vs Accreditation

  16. Certification Definition • Certification occurs when security controls in the information system are: • implemented correctly,

  17. Certification Definition • Certification occurs when security controls in the information system are • implemented correctly, • operate as intended, and

  18. Certification Definition • Certification occurs when security controls in the information system are • implemented correctly, • operate as intended, and • produce the desired outcome

  19. Accreditation Definition • An acknowledgment of risk acceptance. • Accreditation occurs when the agency has determined that an accepted level of risk to assets and operations has been achieved.

  20. The Primary Officials’ Titles • With regard to the Certification and Accreditation process, … • There are titles assigned to individuals within an agency undergoing Cert-Acc. Many of the titles can be artificially assigned to meet the suggested requirements. • These titles come with a well defined group of responsibilities.

  21. The Primary Officials and Their Titles • Authorizing Official, The AO • Information System Owner, the ISO. • AKA System Owner • Certification Agent, The CA

  22. Authorizing Official • Senior management position • Formally assumes responsibility for operating an information system at an acceptable level of risk to an agency’s assets and operations. (primary role) • Is accountable for the risks associated with operating an information system. • Oversees the budget and business operations of the information system

  23. Authorizing Official • The industry equivalent could include job titles like VP of Information Technology. • The AO would report to the CIO

  24. Information System Owner • Procures, develops, integrates, modifies, operates or maintains an information system (primary role)

  25. Information System Owner • Procures, develops, integrates, modifies, operates or maintains an information system (primary role) • Responsible for development and maintenance of the system security plan.

  26. Information System Owner • Procures, develops, integrates, modifies, operates or maintains an information system (primary role) • Responsible for development and maintenance of the system security plan. • Ensures the system is deployed and operated according to the agreed upon security requirements.

  27. Information System Owner • Procures, develops, integrates, modifies, operates or maintains an information system (primary role) • Responsible for development and maintenance (sustainability cycle) of the system security plan. • Ensures the system is deployed and operated according to the agreed upon security requirements. • Grants access (and their respective privileges) to the information system.

  28. Information System Owner • Procures, develops, integrates, modifies, operates or maintains an information system (primary role) • Responsible for development and maintenance of the system security plan. • Ensures the system is deployed and operated according to the agreed upon security requirements. • Grants access (and their respective privileges) to the information system. • Provide users and support staff with appropriate security training.

  29. Information System Owner • Procures, develops, integrates, modifies, operates or maintains an information system (primary role) • Responsible for development and maintenance of the system security plan. • Ensures the system is deployed and operated according to the agreed upon security requirements. • Grants access (and their respective privileges) to the information system. • Provide users and support staff with appropriate security training. • Ensures the appropriate resources are available for certification and accreditation, and reports this to the AO.

  30. Certification Agent • Provides an independent assessment of the system security plan (primary role)

  31. Certification Agent • Provides an independent assessment of the system security plan (primary role) • Assesses the security controls in the information system to determine the extent to which the controls are: • Implemented correctly; • Operating as intended; and • Producing the desired outcome

  32. Certification Agent • Provides an independent assessment of the system security plan (primary role) • Assesses the security controls in the information system to determine the extent to which the controls are: • Implemented correctly; • Operating as intended; and • Producing the desired outcome with respect to meeting the security requirements • Provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system

  33. Certification Agent • Independent from the persons directly responsible for the development and maintenance of the information system’s operation. • See FIPS-199 to determine an appropriate level of independence.

  34. Other Roles • Authorizing Official Designated Representative, reports to the AO. • Chief Information Officer, appoints the SAISO • Senior Agency Information Security Officer, liason between the CIO and the AO. • Information System Security Officer, reports to the AO or the ISO. • User Representatives, those using the information systems.

  35. Delegation of Roles • At the discretion of senior agency officials, roles may be delegated and appropriately documented. • Officials may appoint qualified individuals including contractors or regular employees. • exceptions Chief Information Officer & Authorizing Official.

  36. Four phases to the security certification and accreditation process 1. Initiation

  37. Four phases to the security certification and accreditation process 1. Initiation 2. Certification

  38. Four phases to the security certification and accreditation process 1. Initiation 2. Certification 3. Accreditation

  39. Four phases to the security certification and accreditation process 1. Initiation 2. Certification 3. Accreditation 4. Monitoring

  40. Four phases to the security certification and accreditation process 1. Initiation 2. Certification 3. Accreditation 4. Monitoring • Each phase is broken up into tasks and each task has a series of sub-tasks

  41. Phases, Tasks, & Sub-Tasks • There are a total of • 4 phases • 10 tasks • 31 sub-tasks

  42. Phase 1: Initiation • The purpose of this phase is to ensure the AO and ISO are in agreement with the contents of the • System security plan • System’s security requirements • The CA begins the assessment of the security controls for the information system after phase 1 is completed.

  43. Phase 1: Initiation Tasks • Three tasks must be completed for the initiation phase: • Preparation The ISO is responsible for all three tasks.

  44. Phase 1: Initiation Tasks • Three tasks must be completed for the initiation phase: • Preparation • Notification and resource identification The ISO is responsible for all three tasks.

  45. Phase 1: Initiation Tasks • Three tasks must be completed for the initiation phase: • Preparation • Notification and resource identification • System security plan analysis update and acceptance The ISO is responsible for all three tasks.

  46. Initiation: Preparation Task 1 Include the following in a security plan: • Describe the system and define the boundary • Determine the security category of the system. • Identify threats • Identify vulnerabilities • Identify the security controls (safeguards to minimize risks) • Determine initial risks

  47. Task 1 Guidance Example • Give the system a unique identification • Status with respect to the development life-cycle. • Location • Contact information • Purpose and function • Hardware and software used • Network topology • Etc.

  48. Initiation: Notification and Resource Identification, Task 2 • ISO Notifies officials that the process of certification and accreditation procedure is progressing. • AO prepares a plan of execution to identify the level of resources required for the certification and accreditation procedure.

  49. Initiation: Analyze, Update and accept System Security Plan, Task-3 • Review of the appropriateness of the security plan by the AO and CA. • Analyze security plan by the AO and CA. • Update security plan by the ISO. Updates are based on recommendations of the CA and AO. • Obtain AO acceptance of the security plan.

  50. Phase 2: Certification Two Tasks of certification: • Assess and evaluate security controls • Document security certification

More Related