Sandra Patton - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Sandra Patton


1
Central Florida ISAC July 25, 2001
NISPOM Chapter 8
(Yet Another Presentation on the Not so New
Chapter 8)
  • Sandra Patton

2
Topics
  • What You Won't Hear Today
  • FAISSR SSP, Latest and Greatest
  • Tailoring the FAISSR SSP
  • Chapter 8 Challenges
  • Questions?

3
NOT TODAY . . .
4
Already Done
  • Chapter 8 in Viewgraph Form
    • San Diego ISAC http://www.sdisac.com
  • Chapter 8 Old to New
    • DSS http://ww.dss.mil
  • Overview of FAISSR Plan
    • CFISAC website http://www.cfisac.org
  • Chapter 8 Technical Implementations
    • CFISAC website http://www.cfisac.org
  • Chapter 8 Briefing (ISSO & User)
    • CFISAC website http://www.cfisac.org

5
Disclaimer
  • Just because I said it doesn't mean it's the
    right way or the best way
  • I am not a DSS representative
  • There are many right ways to do things
  • Suggestions and Helpful Hints

6
FAISSR PLAN
LATEST & GREATEST
7
FAISSR Plans 101
  • FAISSR Plan consists of two parts
    • Master SSP: One Per Facility/System Type
    • Protection Profile: One Per IS
  • Two FAISSR Plans
    • Master SSP for Non-Standalones
    • SSP for Standalones & Special Purpose ISs
  • Changes made in the Master will flow into the
    Standalone & Special Purpose (if applicable)

8
FAISSR Plans History
  • Version 1.0, 2/12/2001
    • Unpublished
  • Version 1.B, 2/13/2001
    • Updates prior to Release; Published
  • Version 2.0.1, 5/23/2001
    • Incorporated comments from DSS
  • Version 3.0, 7/5/2001
    • The latest and greatest

9
Version 3.0
  • Incorporates comments from
    • California IS Security Organization (CISSO)
    • North East Region ISSM Association (NERISSMA)
  • Adds a separate Network Security Plan
    • Contractor to Contractor NSP
    • Government to Contractor MOU NSP
  • Separate files in one Zipped file

10
Version 3.0
  • Zipped File Contents
    • Readme File
    • Master SSP
    • Protection Profile
    • Contractor to Contractor NSP
    • Government to Contractor MOU NSP
    • Trusted Downloading Procedures
    • Concordance file for updating index

- Use ONLY until DSS provides on website
11
Version 3.0
  • OOPS, Not Yet Published . . .
    • Watch the CFISAC website
    • Most likely by August 3rd
  • No requirement to update your master plan to
    latest FAISSR plan
  • Review changes to FAISSR plan for applicability
    to your facility

12
TAILORING THE
FAISSR PLAN
13
Helpful Hints
  • The PRIMARY purpose of the Master SSP is for
    certification & accreditation of the IS
  • Don't use the plan as your sole source of ISSO &
    User training material
  • Don't make too many changes
  • DSS is familiar with the FAISSR plan
  • Don't make too few changes
  • DO NOT submit it with no changes
  • Take ownership; make some decisions
  • Change optional and instructive statements to
    active "have done" or "shall" statements

14
Helpful Hints
  • How much do I tailor?
  • Large facility with many varied systems,
    programs, and physical area types
    • General Master Plan, with specifics in the
      individual IS Profiles and in training materials
  • Smaller facility with fewer programs, IS types
    and physical security options
    • More Specific Master Plan

15
The Mechanics
  • Accept all changes, then verify that "Track changes
    while editing" is enabled
  • After tailoring, document all of your changes in
    the Revision Log
  • Provide to DSS
    • Softcopy
    • Hardcopy with tracked changes printed
    • Hardcopy without tracked changes printed

16
Section by Section
  • Cover Page
    • Company Name & Logo
  • Table of Contents
    • Update after tailoring
  • Forward
    • Remove completely or replace with
      • Promulgated Security Policy
      • Other general IS security information

17
Section by Section
  • Revision Log
    • Remove FAISSR changes and start by stating the
      FAISSR version that you are tailoring your plan
      from.
    • Add your changes
  • 1.0 Introduction
    • Purpose: Tailor to include company name and
      reference to company security manual. If
      applicable, modify listed attachments.

18
Section by Section
  • For example:
  • This document serves as a Master SSP for all
    Protection Level 1 ISs accredited by the DSS
    within a contractor facility. It supplements the
    Contractor's Facility Manual and provides
    instructions for the safeguarding of classified
    information while resident within or being
    processed by an Information System (IS).
  • This document, which supplements the Acme
    Corporation Facility Security Manual, provides
    instructions for the safeguarding of classified
    information while resident within a Protection
    Level 1 accredited Information System (IS).

19
Section by Section
  • 2.0 Personnel Responsibilities
    • Contractor Management: Tailor to include actual
      names and titles.
    • ISSM & ISSO: Provide names & contact
      information. Consider adding a separate ISSO
      section with specific written duties.
    • Users & Privileged Users: OK as is. If you have
      specific rules or requirements, place them here.
      Consider re-wording or removing optional
      statements.
    • Although not required by the NISPOM, following
      are some guidelines . . .

20
Section by Section
  • 3.0 Certification and Accreditation
    • Certification: If your users are more familiar
      with DSS, change DAA to DSS.
    • C&A of Similar Systems: Remove if you do not
      have self-certification. Otherwise,
      • DSS must accredit the first IS under the Acme
        Master SSP. Once the Master Acme SSP has been
        accredited, Joe ISSM may certify additional ISs
        that have similar Profiles.
    • Self Inspections: Replace recommendations with
      specifics.

21
Section by Section
  • 4.0 SIRS - OK
  • 5.0 Protection Measures
    • Applicability of Logon Authentication: Consider
      removing this section; you will be making this
      decision.
    • I&A Management: If you have a small environment,
      tailor this section to your specific procedures.
    • Virus Detection: Tailor to your company's virus
      detection policy.

22
Section by Section
  • 5.0 Protection Measures (continued)
    • Data Transmission Protection: Remove if you do
      not anticipate the need.
    • Audit Requirements: Specify who will perform
      weekly reviews (ISSM or ISSO). Will they be
      documented? If so, add to list of documented
      actions.
    • Clearance & Sanitization: You may want to remove
      reference to DSS website.

23
Section by Section
  • 6.0 Personnel Security
    • Personnel access to IS: OK as is, or you can add
      more specifics. For example, the ISSO shall email
      Security to verify users' clearance levels.
    • Security Education: OK as is, or you can modify
      to discuss your specific IS training program.

24
Section by Section
  • 7.0 Physical Security
    • Physical Security: OK as is. If you don't have
      or anticipate either Restricted Areas or Closed
      Areas, remove the paragraph.
  • 8.0 Maintenance
    • Maintenance: Do you want to be notified prior to
      maintenance actions? If so, state it here.

25
Section by Section
  • 9.0 Media Controls
    • Accountability: Secret or Top Secret?
    • Media Destruction: Modify to your facility's
      procedures (note: also tailor media destruction
      portion of Profile)
  • 10.0 Output Procedures
    • Remove reference to Trusted Downloading
      procedures on DSS website.
  • 11.0 Upgrade & Downgrade Procedures
    • OK as is

26
Section by Section
  • 12.0 Markings
    • Replace "Contractor's security manual"
  • 13.0 CM Plan and System Configuration
    • OK as is. If your approved ISs are part of your
      facility-wide CM procedures, describe them here.

27
Section by Section
  • 14.0 System Specific Risks & Vulnerabilities
    • OK as is
  • 15.0 Network Security
    • OK as is
    • Data Transmission Records - Remove if you do not
      anticipate the need for any remote connections.

28
Tailoring the Profile
  • System Identification and Requirements
    Specification (SIRS)
    • Facility name, address, CAGE Code
    • ISSM name and phone number
    • Highest Classification Level of data
    • Type of Area
    • Media Destruction Methods
  • Fill in static information and remove options
    not applicable to your facility.

29
Tailoring the Profile
  • Forms & Audit Records/Logs
    • IS Access Authorization and Briefing Form
    • Hardware and Software Maintenance Log
    • Weekly audit review?

30
Time for a New IS
  • Protection Profile
    • Place an Initial entry in the Profile Revision
      Log
    • Complete all information in the SIRS
    • Fill in the Hardware Baseline
    • Insert a Configuration Diagram
    • Fill in the Software Baseline
    • Modify the Upgrade/Downgrade Procedure to the
      specific IS
  • If applicable, add
    • IS Authorized Users List
    • DSS Form 147
    • Security Seal Log
    • Sanitization Procedures
    • Trusted Downloading Procedures
    • Completed Network Security Plan

31
Chapter 8 Challenges
32
Technical Security Features
  • Required for Non-Standalones . . .
  • . . . When Technically Feasible
  • Logon Authentication (e.g. passwords)
  • Unique logon IDs
  • Password Requirements
  • Session Controls
  • Logon Banner
  • Account lockouts
  • Extensive Auditing

33
Technically Feasible
1: SGI/IRIX ships with no passwords on system accounts
34
Technically Feasible
SR = Security Relevant Files; All = All Files
Problem: big impact on disk space, possibly on
system performance
35
Technical Details
  • Details of how to implement these features can be
    found in system documentation
  • Hints for getting started on CFISAC website:
    "Engaging Technical Security" on AIS page
  • Some Operating Systems do not have these features
    by default
    • NT: Must convert from a FAT to NTFS file system
    • HP-UX: Must convert to trusted mode
    • Solaris: Must enable the Basic Security Module
    • SGI/IRIX: Must install the audit sub-system

36
Is it Really Feasible?
  • Conflicts with System Design or Normal System
    Operations
  • Production Systems
    • Very common to find applications based on a
      single group or generic account with NO unique
      IDs
    • Audit may impact performance requirements and
      disk space requirements
  • Engineering Systems
    • During formal Integration Test, your testing
      environment needs to mirror what will be used in
      production

37
Is it Really Feasible?
  • System Generated Passwords
    • Very difficult to manage in a network environment
    • NIS (Network Information Service) may be
      incompatible with enhanced security
      configurations (e.g. HP-UX trusted mode)
  • Audit Access to Objects
    • Security Relevant files vs. All files
    • Disk space and performance impacts
    • Is it really useful information?

38
Challenges for ISSMs
  • Certification of technical security features
    • New requirement for ISSMs that requires some
      level of familiarity with operating systems
    • Must re-certify for each change or added system
    • FAISSR Certification Test Guide provides a
      checklist
    • Work with a knowledgeable system administrator
  • Must Certify prior to submitting plan
    • Hurry up & wait (for up to 30 days)
    • Classified media: Cart before the horse

39
Questions?