Federal Information Technology Security Resources - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Federal Information Technology Security Resources
  • Marianne Swanson
  • Computer Security Division
  • Information Technology Laboratory
  • National Institute of Standards and Technology

2
Resource Topics
  • U.S. Government web sites
  • U.S. Government security organizations

3
Federal CIO Council Best Security Practices (BSP) Initiative and Web Site
  • Security Practices Subcommittee (SPS)
  • Pilot program
  • BSPs are components of security programs
  • Demonstrate BSPs on a web repository
  • Demonstrate potential cost savings and results

4
Major Components of BSPs
  • Description of the BSP being used, including
    processes
  • BSP originator contact information
  • Security requirements satisfied by the BSP
  • Lessons learned by other users
  • Links to related BSPs
  • Implementation resource estimates

5
Major Components of BSPs - concluded
  • Methods for measuring results
  • Suggested tools and training
  • Procurement information
  • Artifacts

6
BSPs Work Together
  • Collaborative effort is essential
  • Cost-benefit and the price to reinvent the wheel
  • Get the word out: http://bsp.cio.gov

7
NIST Computer Security Resource Center Web Site
  • http://csrc.nist.gov/
  • News/announcements
  • Hot topic areas
  • Advanced Encryption Standard (AES)
  • ICAT
  • Virus Information

8
NIST Computer Security Resource Center Web Site
(continued)
  • Services
  • Research/testing
  • Standards
  • Vulnerabilities
  • Training and education
  • Projects
  • Cryptographic Module Validation Program (CMVP)
  • Common Criteria

9
NIST Computer Security Resource Center Web Site (concluded)
  • Library
  • Events

10
What is ICAT?
ICAT is a fine-grained searchable index of over 2300 vulnerabilities that provides links to vulnerability and patch information.
[Slide diagram: ICAT Search Engine, Vulnerability Snapshots, Vulnerability Archive 1, Vulnerability Archive 2, Vulnerability Archive 3]
http://icat.nist.gov
11
Features of ICAT
  • Based on the CVE vulnerability naming standard
  • Links from each vulnerability snapshot to
    vulnerability and patch information
  • Non-competitive with public vulnerability
    databases
  • Commonly indexed sources: CERT, Security Focus, ISS X-Force, Bugtraq, and NT Bugtraq

12
Uses of ICAT
  • Securing a network or host
      • tell ICAT what software is running and discover the known vulnerabilities and how to fix them
  • Auditing
      • ask organizations if they have fixed the known vulnerabilities in their software
  • Hacker insurance
  • Public vulnerability database
  • Forensics activities
      • determine how a hacker has entered a computer or network
  • Search engine for popular archives
  • Vulnerability research
  • Software evaluations
      • test known vulnerabilities
  • CVE browser
  • Software purchasing
      • determine if software has a history of serious vulnerabilities

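The slides above describe ICAT as a CVE-keyed index that is queried by telling it what software is running (securing a host), by checking whether known fixes are in place (auditing), and by reviewing a product's vulnerability history (purchasing). The following script is an added example of that lookup model, written for this page; it is not ICAT's code or NIST's. Every CVE id, vendor, product name and URL in it is a constructed placeholder, and the "versions earlier than the fix version are affected" rule is an assumption made for the example.

```python
"""ICAT-style vulnerability index: CVE-keyed snapshots that map installed
software to known vulnerabilities and their patch links.
Added example; not ICAT's own code. Every CVE id, vendor, product and
URL below is a constructed placeholder."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.1.4' -> (2, 1, 4); tuple comparison then orders versions numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Snapshot:
    cve_id: str               # CVE name: the index key
    vendor: str
    product: str
    fixed_in: str             # versions earlier than this are affected (assumption)
    severity: str
    summary: str
    patch_url: str            # link to vendor patch information
    sources: Tuple[str, ...]  # public archives that also carry this entry


# Constructed placeholder records; the CVE ids and URLs are not real.
INDEX: Dict[str, Snapshot] = {s.cve_id: s for s in (
    Snapshot("CVE-0000-0001", "examplecorp", "webd", "2.1.4", "high",
             "Buffer overflow in request parsing",
             "https://example.invalid/patches/webd-2.1.4", ("CERT", "Bugtraq")),
    Snapshot("CVE-0000-0002", "examplecorp", "webd", "1.9.0", "medium",
             "Directory listing exposes configuration files",
             "https://example.invalid/patches/webd-1.9.0", ("Security Focus",)),
    Snapshot("CVE-0000-0003", "othervendor", "mailsrv", "5.0.2", "high",
             "Authentication bypass in IMAP login",
             "https://example.invalid/patches/mailsrv-5.0.2",
             ("ISS X-Force", "NT Bugtraq")),
)}

# Inventory shape: {(vendor, product): installed_version}
Inventory = Dict[Tuple[str, str], str]


def lookup(cve_id: str) -> Optional[Snapshot]:
    """CVE browser: fetch one snapshot by its CVE name (case-insensitive)."""
    return INDEX.get(cve_id.upper())


def find_vulnerabilities(inventory: Inventory) -> List[Snapshot]:
    """Securing a host: snapshots whose fix is newer than the installed version."""
    hits = [snap for snap in INDEX.values()
            if (snap.vendor, snap.product) in inventory
            and parse_version(inventory[(snap.vendor, snap.product)])
            < parse_version(snap.fixed_in)]
    return sorted(hits, key=lambda s: s.cve_id)


def audit_report(inventory: Inventory) -> Dict[str, bool]:
    """Auditing: for each CVE that applies to inventoried software,
    True when the fixed version (or later) is installed."""
    report = {}
    for snap in INDEX.values():
        installed = inventory.get((snap.vendor, snap.product))
        if installed is not None:
            report[snap.cve_id] = parse_version(installed) >= parse_version(snap.fixed_in)
    return report


def vulnerability_history(vendor: str, product: str) -> Dict[str, int]:
    """Software purchasing: count of known vulnerabilities per severity."""
    counts: Dict[str, int] = {}
    for snap in INDEX.values():
        if (snap.vendor, snap.product) == (vendor, product):
            counts[snap.severity] = counts.get(snap.severity, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed inventory for one host.
    host = {("examplecorp", "webd"): "2.0.0", ("othervendor", "mailsrv"): "5.1.0"}
    for snap in find_vulnerabilities(host):
        print(f"{snap.cve_id} [{snap.severity}] {snap.summary} -> {snap.patch_url}")
    print(audit_report(host))
```

Keying the index on the CVE name is what lets one entry point at several public archives without competing with them: the snapshot carries the pointers and the fix version, and the archives keep the detail. Real version strings are rarely plain dotted integers, so a production lookup needs a vendor-aware version parser in place of `parse_version`.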
13
ICAT Contact Information
http://icat.nist.gov
E-mail icat@nist.gov for more information
Technical Lead: Peter Mell, peter.mell@nist.gov
14
Federal IT Security Organizations
  • Federal Computer Security Program Managers Forum
  • CIO Council Subcommittee on Security, Privacy,
    and Critical Infrastructure Protection

15
Federal Computer Security Program Managers Forum
  • Federal employees only
  • Computer security program managers
  • Meet bi-monthly
  • E-mail list
  • Annual two-day meeting

16
CIO Council Committee
  • Security, Privacy, and Critical Infrastructure
    Protection Committee
  • Three subcommittees
  • Meet bi-monthly
  • Web site: http://cio.gov

17
Major Initiatives - Security Subcommittee
  • Joint government effort with ITAA
  • Security practices for common electronic services
  • Public web sites
  • Financial transactions
  • Procurement transactions
  • Risk management guide for executives
  • IT security assessment framework

18
Federal Information Technology Security Assessment Framework and the Draft NIST Special Publication, Self-Assessment Guide for Information Technology Systems
  • Overview
  • Description
  • Benefits

19
Framework and NIST Guide Overview
  • Determines the current performance of security
    programs relative to existing requirements
  • Establishes a target for improvement, if
    necessary
  • Assesses the performance of security controls of
    an asset or collection of assets

20
Framework and NIST Guide Overview - concluded
  • Produces a security performance picture
  • Built on existing Federal guidelines and
    legislative mandates
  • Framework provides groundwork for standardizing
    and measuring IT security
  • Assessment guide builds on the Framework

21
Framework and NIST Guide Description
  • Five levels of IT security program effectiveness
  • Each level contains criteria to determine whether
    the level is adequately implemented
  • NIST Guide contains detailed questions that can
    be measured using the same five levels
  • Asset owner determines whether the measurement
    criteria are being met

22
Framework and NIST Guide Five Levels
  • Level 1 - Documented policy
  • Level 2 - Documented procedures
  • Level 3 - Implemented procedures and controls
  • Level 4 - Tested and reviewed procedures and
    controls
  • Level 5 - Fully integrated procedures and controls

23
Framework and NIST Guide Benefits
  • Standard way of performing self assessments
  • Assessment flexibility based on the size and
    complexity of the asset
  • Data collection is basis for developing an
    overall security rating
  • Informed judgments and investments determine
    security status
  • Resulting action plan addresses gaps
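Slides 21 through 23 describe the assessment procedure: each control is measured against the five levels, the asset owner answers whether each level's criteria are met, the answers feed an overall rating, and the gaps become an action plan. The script below is an added example of that procedure written for this page; it is not the Framework's or NIST's own tooling. It assumes two things the slides do not spell out: that the levels are cumulative (a control is at Level n only when the criteria for every level up to n are met), and that the asset's overall level is the lowest level among its controls. The control names and yes/no answers are constructed.

```python
"""Self-assessment against the Framework's five levels of IT security
program effectiveness. Added example; not the Framework's or NIST's own
tooling. Assumptions: levels are cumulative (a control is at Level n only
if the criteria for every level up to n are met) and an asset's overall
level is the lowest level among its controls. Control names and answers
are constructed."""
from typing import Dict, List, Tuple

LEVELS: Dict[int, str] = {
    1: "Documented policy",
    2: "Documented procedures",
    3: "Implemented procedures and controls",
    4: "Tested and reviewed procedures and controls",
    5: "Fully integrated procedures and controls",
}

# answers[control][level] -> asset owner's yes/no for that level's criteria
Answers = Dict[str, Dict[int, bool]]


def control_level(answers: Dict[int, bool]) -> int:
    """Highest level n such that levels 1..n are all met; 0 if Level 1 is not."""
    level = 0
    for n in range(1, 6):
        if not answers.get(n, False):
            break
        level = n
    return level


def assess(asset: Answers) -> Tuple[Dict[str, int], int]:
    """Per-control levels and the overall level (lowest control level)."""
    levels = {name: control_level(a) for name, a in asset.items()}
    overall = min(levels.values()) if levels else 0
    return levels, overall


def action_plan(asset: Answers, target: int) -> List[str]:
    """Gaps between each control's current level and the target level,
    one line per missing level, lowest level first."""
    levels, _ = assess(asset)
    plan = []
    for name, level in sorted(levels.items()):
        for n in range(level + 1, target + 1):
            plan.append(f"{name}: reach Level {n} ({LEVELS[n]})")
    return plan


# Constructed answers for one asset with three controls.
SAMPLE_ASSET: Answers = {
    "Risk management":      {1: True, 2: True, 3: True, 4: False, 5: False},
    # Controls are running but procedures were never documented, so the
    # cumulative rule holds this control at Level 1 rather than Level 3.
    "Contingency planning": {1: True, 2: False, 3: True, 4: False, 5: False},
    "Incident response":    {1: True, 2: True, 3: True, 4: True, 5: True},
}

if __name__ == "__main__":
    levels, overall = assess(SAMPLE_ASSET)
    for name, level in levels.items():
        print(f"{name}: Level {level} ({LEVELS.get(level, 'no documented policy')})")
    print(f"Overall: Level {overall}")
    for line in action_plan(SAMPLE_ASSET, target=3):
        print("TODO", line)
```

The cumulative rule is the part worth noticing: a control that is implemented but never written down scores Level 1, not Level 3, which is what makes the rating comparable across assets of different size. The target level is an input, matching the slide's "target for improvement, if necessary".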

24
Contact Information
  • Marianne Swanson, marianne.swanson@nist.gov, 301-975-3293