Systems Inventory Key Roles
Management (support)
CISO (execution and implementation)
ISSO (ISO primary security POC)
Systems Managers (primary role)
LOB IT Security Manager (Inventory collection from ISOs)
CEO (approval of policy & procedures)
Qualifications for combining systems
1) Systems can be grouped when all systems in the group fall under the responsibility of the same system owner
2) Each must process in the same operating environment (e.g. same server)
3) Each must be protected within a common security perimeter (e.g. same co
System Authorization
Everything must be certified
Accreditation boundaries (best to proceed in this order)
1) Business Processes
2) Security Perimeter
3) Ownership
Inventory Process
1) Identify business process
2) Identify supporting information technology resources
3) Categorize resources as types of systems
4) Classify systems by determining their needs for protection based on a) disclosure b) destruction c) denial
5) Complete Systems Inv
CIO
Who approves the inventory?
Tools for managing the inventory program
1) inventory form
2) inventory change form
3) organization inventory summary
For interconnecting systems
1) need a memorandum of agreement
2) which is then supplemented with a more detailed interconnection security agreement
(Both are critical and must be reviewed in the system authorization process)
Impact analysis
What is categorization based on?
Business requirements = requirements for security controls, based on the sensitivity of the data
Categorization is performed for this reason
1) determine the types of information included within the security authorization boundary
2) determine the security requirements for the information types
3) determine the potential impact on the organization resulting from a security compromise
Categorization results are used to:
A) develop the security plan (basis)
B) select security controls
C) determine the risk inherent in operating the system
FISMA
What replaced the Computer Security Act of 1987?
Overall sensitivity level
What can be based on aggregated sensitivity levels?
Overall sensitivity level
FIPS 199 refers to this as the "high water mark" that is to be used in defining the security category
Data Classification Examples
A) public
B) internal use
C) restricted
FIPS 199 Categorization
Align security categories to recommended initial baseline sets of security controls according to NIST SP 800-53
NIST SP 800-18
Provides examples for describing various sensitivity rankings for a government system (high, moderate, low)
Information taxonomy or catalog (required to comply with FIPS 199)
Provides a mapping of types of information to security objectives (confidentiality, integrity, availability) & impact levels (high, moderate, low) - NIST SP 800-60 provides more info on this.
Business Reference Model (BRM)
Organized, hierarchical framework for describing the day-to-day business operations of the federal government. Uses a functionality-driven approach to represent the business of an organization. Provides a structured approach to classifying system data. Th
E-Government Act of 2002
A) strengthened privacy protections requirements
B) under its terms, federal agencies have specific responsibilities regarding the collection, dissemination, or disclosure of information on individuals
National Information Assurance Certification & Accreditation Process (NIACAP)
Rather than NIST SP 800-37, how are national security information systems certified and accredited?
National Security Telecommunications & Information Systems Security Committee (NSTISSC)
Developed NIACAP. Now replaced by the CNSS (Committee on National Security Systems).
System Security Authorization Agreement (SSAA)
Used by NIACAP to document accreditation requirements - similar to the NIST SSP.
NIACAP Methodology
1) definition
2) verification
3) validation
4) post accreditation
Roles & responsibilities for authorizing using NIACAP
Almost the same as NIST SP 800-37; however, the AO is referred to as the designated approving authority (DAA) and the certifying agent as the certifier.
CI/KR
Critical Information Infrastructure Act of 2002 (Public Law 107-296)
BIA
Methodology normally used to quantify the criticality of systems based on the amount of time that an organization can tolerate the non-availability of a system
CISO
Who should perform an annual review of the criticality of the system?
Security Control Baseline
A) established by determining controls required to protect the system based on security categorization of the system
B) tailored & supplemented in accordance with the organizational assessment of risk & local parameters (relies on a risk assessment)
C) docum
NIST SP 800-53 three levels of controls pertaining to countering malicious code according to system activity
1) low sensitivity - automatic updates
2) moderate sensitivity - automatic updates + organizational managed virus protection
3) high sensitivity - automatic updates + system automated virus protection
International Organization for Standardization 27002
A method by which minimum security baselines can be developed (just as with NIST SP 800-53, which is government-wide)
HIPAA
Health Insurance Portability & Accountability Act
GLBA
Gramm-Leach-Bliley Act
HIPAA & GLBA
Both mandate certain controls that must be taken into consideration when creating your baseline of controls for certain businesses
Minimum baseline controls should take these factors into consideration
A) organization policies
B) management statements & strategies
C) contracts
D) laws
E) operational rules
F) legal obligations
G) privacy needs
H) proprietary & trade secret requirements
I) other governing regulations
Minimum security baselines must address these
A) management controls
B) operational controls
C) technical controls
CISO
Commonly develops common controls & is an agency-level official who provides direction to the ISOs regarding which controls will be implemented outside of the ISO's controls
System Owners
Who determines the impact of weaknesses in common controls & can formulate a plan for addressing them?
Hybrid
What controls have characteristics of both common controls and system specific?
Security Plan
This document should specify the category for each control (system specific, common, hybrid)
FRAP
Facilitated Risk Assessment Process - a tool for risk assessment