Threats and Vulnerabilities

2
IM Security
  • Briefing to AFCEA Ottawa Chapter
  • 6 Feb 2007
  • Col B.R. Jackson, Dir IM Secur

3
Overview
  • Government of Canada context
  • International context
  • Philosophy
  • Future Developments

4
IM Security Programme: Government of Canada Context
  • Government Security Policy
    • Establishes the requirement for departmental security
      programmes and the accountability of Deputy Heads
    • Establishes the Departmental Security Officer and IT
      Security Coordinator
    • Establishes Operational Standards
  • Operational Standard on the Management of IT
    Security (MITS)
    • Details the responsibilities of the ITSC
    • Details the minimum requirements of departmental
      IT Security Programmes
    • Departments report annually; DND is 95% compliant

5
IM Security Programme: Government of Canada Context
  • Auditor General's involvement
    • Report in 2002
    • Review of Progress in 2005
    • CIO meets the PAC
  • TBS work since Feb 2005
    • Monitor compliance with MITS
    • IT Security Strategy development

6
IM Security Programme: International Context
  • Bilateral agreements on the exchange of information
    are diplomatic agreements with the force of
    treaties
  • NATO Security Policy and Directives are also
    treaty-level agreements
  • NATO and CCEB are active in coordination efforts;
    MIC is accelerating
  • CWID involves other nations; security is one of
    the primary goals
  • The number of multinational exercises is increasing
    in complexity and scale

7
IM Security Programme: Philosophy
  • Risk Management
    • What is the Threat?
    • What are our Vulnerabilities?
    • What is the Risk?
    • What Security Measures are available to reduce
      the Risk?
    • Who owns the Risk?
    • Is it acceptable?

8
IM Security Programme Development: Vision
  • A capability that provides acceptable assurance
    of the confidentiality, integrity and availability of
    defence information, and that:
    • Anticipates future requirements and adapts
      quickly to the unforeseen
    • Is pervasive throughout the institutional
      culture, including collective and individual
      accountability for the security aspects of
      decisions
    • Enables, rather than inhibits, CF and
      departmental operations, including those with our
      partners
    • Continually improves

9
Capability Elements
  • Personnel
    • Capability to train and educate according to
      need, including:
      • General training and awareness for all users
      • Specific training for all making risk management
        decisions
      • Specific training for IT specialists
      • Specific training for those employed in IT
        Security roles
    • Career management and professional development
      for IT Security specialists

10
Capability Elements
  • Research and Development / Operations Research
    • Develop solutions to technical problems
    • Reduce the time taken to assess residual risk
    • Maintain awareness of technologies, their risks
      and vulnerabilities to assist in developing
      policies, architectures and configurations

11
Capability Elements
  • Infrastructure and Organizations
    • Governance structure
    • Coordinate the development of IT Security capabilities
    • Provide oversight to ensure policies are being
      applied appropriately
    • Liaison with OGDs and allies
    • Investigation of incidents
    • Development of lessons learned
    • Appropriate organizational solutions for required
      IT security capabilities

12
Capability Elements
  • Concepts, doctrine and collective training
    • Develop high-level IT Security concepts, policies
      and doctrine that are:
      • Consistent with GoC direction and commitments to
        allies
      • Consistent with developing operational concepts
        and technologies
    • Develop staff procedures to implement the
      concepts, policies and doctrine

13
Capability Elements
  • Information Management
    • Ensure commanders have situational awareness of
      the IT Security Information Space (COP)
    • Allow the IT Security programme to be executed and
      administered efficiently

14
Capability Elements
  • Equipment, supplies and services
    • Develop IT Security architectures and
      configurations to suit operations
    • Bring into service IT Security products to
      implement the approved architectures and
      configurations

15
Questions?
16
ISSO
  • Commander's staff officer
  • Understand the operation and the culture
  • Be credible
  • Be trusted
  • Be passionate
  • In the process of establishing an Information Protection
    Advisor

17
Releasability of Information
  • Release is governed by international agreements
    at the diplomatic level
  • The originator determines to whom information can be
    released
  • Commanders needing to release information to
    others must:
    • gain originator authority, or
    • be prepared to justify their actions

18
Certification and Accreditation
  • A risk management mechanism
  • Dir IM Secur is the DND/CF IS C&A Authority, with some
    delegation for simple systems
  • Initiating office produces documentation; Dir IM
    Secur staff reviews it
  • Dir IM Secur certifies that the system, under stated
    conditions, operates at a specified Residual Risk
  • Op Authority for the system accepts the RR
  • Dir IM Secur accredits the system

19
Certification and Accreditation
  • Required documentation (minimum for IAP):
    • Statement of Sensitivity
    • Threat Risk Assessment
    • Concept of Ops
    • System Description and Block Diagram
    • EMSEC Zoning, TEMPEST testing, TCI as required
    • Commitment to correct shortcomings during the IAP
      period

20
Certification and Accreditation
  • Other organizations
    • DIMEI: Security Engineering
    • CSE: Technical IT Security and COMSEC standards
      for GoC
  • Extension to an Accredited Network
    • Normally complies with the network accreditation;
      otherwise requires the agreement of the Op Authority
  • New network
    • Limited only by rules imposed by GoC, or by others
      as required by the info to be processed (e.g., NATO,
      US), and by the willingness of the Op Authority to
      accept risk

21
Certification and Accreditation
  • Inspections
    • TCI before operating, if the TRA warrants
    • Verification and Audit in TAV, normally in each
      roto
  • Critical Issues
    • Maintaining oversight
    • Ensuring the Op Authority understands the Residual Risk
    • Maintaining awareness of new Threats, Op Concepts
      and Technologies
  • Current Concerns
    • Dangers of unrestrained initiative and ad hoc
      solutions