Proactive Lifecycle Security Management - PowerPoint PPT Presentation
1
Proactive Lifecycle Security Management
OWASP Minneapolis St Paul Local Chapter
February 16th, 2009
2
Survey
  • Which of the following is the responsibility of
    IT?
    • System owner
    • Data owner
    • System custodian
    • All of the above
  • True or False: The CIO/IT Director is
    responsible for accepting information and system
    security risks on behalf of the organization?
  • True or False: The individual in charge of
    information security is responsible for
    • Defining security controls
    • Implementing security controls
    • Managing security controls
    • All of the above

3
Setting the Stage
  • In the last four years, approximately 250 million
    records containing personal identifiable
    information of United States residents stored in
    government and corporate databases were either
    lost or stolen. Since little attention was given
    to database breaches prior to 2005, it is safe to
    assume that every man, woman and child has had
    their personal information exposed at least once
    statistically.
    • Quote from InsideIDTheft.info
  • Data theft and breaches from cybercrime may have
    cost businesses as much as $1 trillion globally
    in lost intellectual property and expenditures
    for repairing the damage last year, according to
    a survey of more than 800 chief information
    officers in the U.S., United Kingdom, Germany,
    Japan, China, India, Brazil, and Dubai. The
    respondents estimated that they lost data worth a
    total of $4.6 billion and spent about $600
    million cleaning up after breaches.
    • McAfee Report - "Unsecured Economies: Protecting
      Vital Information"

4
  • According to the Open Security Foundation's
    DATALOSSdb this pie chart represents events
    involving the loss, theft, or exposure of
    personally identifiable information (PII) for
    2008.

5
No Lack of Publicity or Victims
6
Customer loss following data breach
PGP Corporation and the Ponemon Institute annual
report - U.S. Cost of a Data Breach Study
7
Cost of Data Breach
PGP Corporation and the Ponemon Institute annual
report - U.S. Cost of a Data Breach Study
8
Cost of a Security Bug
Courtesy of SecurityCompass, presented at the 2008
Minnesota Government IT Symposium
Non-Technical Costs: breach reporting, regulatory
violation (penalties), legal fees. What is the
reputational cost??????
9
Security Authorization Process Summary
  • Security authorization (formerly called
    certification and accreditation) ensures that on
    a near real-time basis, the organization's senior
    leaders understand the security state of the
    information system and explicitly accept the
    resulting risk to organizational operations and
    assets, individuals, and other organizations.
  • An information system is authorized for
    operation at a specific point in time based on
    the risk associated with the current security
    state of the system.

10
Who is this process targeted at?
  • Business owners
  • Data owners
  • Personnel responsible for
    • Development, acquisition and integration
    • System security
    • Auditors/assessors
    • Security implementation and operations

11
Security Authorization History
  • Roots go back to 1983 Federal Information
    Processing Standard (FIPS) 102
  • Known by many different names
    • Certification & Accreditation (C&A)
    • National Information Assurance Certification &
      Accreditation Process (NIACAP)
    • Defense Information Technology Security
      Certification and Accreditation Process (DITSCAP)
    • DOD Information Assurance Certification and
      Accreditation Process (DIACAP)
    • Director of Central Intelligence Directive (DCID)
      6/3

12
Key Definitions
  • Information System - A discrete set of
    information resources organized for the
    collection, processing, maintenance, use,
    sharing, dissemination, or disposition of
    information
  • Security Authorization - The testing and/or
    evaluation of management, operational, and
    technical security controls in an information
    system to determine the extent to which the
    controls are implemented correctly, operating as
    intended and producing the desired outcome with
    respect to meeting security requirements for the
    system
  • Security Control Assessment - The testing and/or
    evaluation of the management, operational, and
    technical security controls in an information
    system to determine the extent to which the
    controls are implemented correctly, operating as
    intended, and producing the desired outcome with
    respect to meeting the security requirements for
    the system
  • Security Authorization Boundary - All components
    of an information system to be authorized for
    operation by an authorizing official; excludes
    separately authorized systems to which the
    information system is connected
  • Plan of Action and Milestones - A document that
    identifies tasks needing to be accomplished,
    resources required to accomplish the elements of
    the plan, any milestones in meeting the tasks,
    and scheduled completion dates for the
    milestones
  • Security Plan - Formal document that provides an
    overview of the security requirements for the
    information system and describes the security
    controls in place or planned for meeting those
    requirements
  • List not all inclusive; see NIST SP 800-37,
    Appendix B for a more detailed list

13
Key Process Players
  • Authorizing Official - A senior official or
    executive with the authority to formally assume
    responsibility for operating an information
    system at an acceptable level of risk to
    organizational operations, assets, individuals,
    and other organizations
  • Information (data) Owner - Official with
    statutory or operational authority for specified
    information and responsibility for establishing
    the controls for its generation, collection,
    processing, dissemination, and disposal
  • Information System Owner - Official responsible
    for the overall procurement, development,
    integration, modification, operation and
    maintenance of an information system
  • Information System Security Officer - Individual
    assigned responsibility for maintaining the
    appropriate operational security posture for an
    information system or program
  • Security Control Assessor - The individual, group
    or organization responsible for conducting a
    security control assessment
  • !!! Discussion Point: Conflicts of interest !!!

14
Other Process Roles
  • Common Control Provider
  • Information System Security Engineer
  • Chief/Corporate Security Officer
  • Risk Executive Function

15
Regulatory & Industry Requirements
16
Standards
17
Additional Benefits
  • Direct business participation
  • Pre-production security authorization savings
  • Risk acceptance at the appropriate level of
    management
  • Risks are documented and mitigated
  • Business explicitly accepts residual risk and
    recommended security controls
  • Standardization
    • Assessment, documentation and acceptance of
      security risks
    • Architecture and configuration documentation
    • Documentation (i.e. BCP/DR, policies, asset
      inventory, etc.)
  • Unbiased security controls assessment

18
Relationship to System Lifecycle
  • Dark gray: Acquisition Lifecycle Phases
  • Light gray: Development Lifecycle Phases

19
Risk Management Framework
Security Authorization is part of a dynamic risk
management process
20
Security Authorization Process
RMF: Risk Management Function
21
Preparation Phase
  • Categorize Information System
    • Task 1: Describe the information system
      • Define system boundary
      • Document system in security plan
    • Task 2: Register system in organization asset
      inventory
    • Task 3: Determine security category and document
      in security plan
      • Organizational/business criticality
      • Relationship/impact to other systems
      • Classification of data processed by system
  • Security Control Selection
    • Task: Select security controls and document in
      security plan
      • System specific (implemented), common (inherited)
        and/or hybrid controls
      • Controls used to manage system risk (i.e.
        management controls)
      • Automated system safeguards and countermeasures
        (i.e. technical controls)
      • Policy, standards, and procedural measures
        (i.e. operational controls)
  • Security Plan Approval
    • Task: Review and approve the security plan

22
Authorization Boundary
  • Purpose: Reduce cost and complexity, and
    facilitate more targeted application of security
    controls
  • Must be done before system categorization and
    security plan development
  • Separation of large and complex systems into
    multiple components or sub-systems. Sub-systems
    • include data, technology and personnel
    • should generally be under the same direct
      management control
    • have the same function or mission/business objective
    • have the same operating characteristics and
      information security needs
    • reside in the same general operating
      environment
    • reside in different locations with similar
      operating systems
  • Software applications do not require a separate
    security authorization; rather, include them in
    the authorization boundary of the host system
  • Use common sense

23
System Security Plan
  • Prepared and maintained by the information system
    owner
  • Living document
  • Provides overview of security requirements and
    description of security controls
  • Should contain supporting appendices or reference
    appropriate sources
    • Risk assessments
    • System interconnection diagrams
    • Service level agreements
    • Data flow diagrams
    • Disaster recovery and contingency plans
    • Security configurations
    • Configuration management plan
    • Incident response plan
    • Applicable policies and procedures
    • Hardware and software inventories
  • Should be updated whenever events impact agreed
    upon security controls
    • Vulnerability scan
    • New threat to system
    • Redefinition of business priorities/objectives
    • Addition of new hardware, software or firmware

24
Preparation Phase
  • Implement Security Controls
    • Task 1: Implement security controls specified in
      security plan
    • Task 2: Document implemented security controls
      in security plan
      • Functional description
      • Planned inputs
      • Expected behavior and outputs
  • Security Controls Assessment (examination,
    interview and test)
    • Task 1: Select an assessor
    • Task 2: Develop a plan to assess all security
      controls
    • Task 3: Review and approve assessment plan
    • Task 4: Obtain appropriate documentation needed
      to assess security controls
    • Task 5: Perform assessment
    • Task 6: Prepare preliminary assessment report
    • Task 7: Review preliminary assessment report with
      system owner
    • Task 8: Perform remediation actions
    • Task 9: Assess remediated security controls
    • Task 10: Update security assessment report and
      prepare executive summary
    • Task 11: Update security plan
    • Task 12: Prepare Plan of Action & Milestones

25
Authorization - Execution Phase
  • Authorize Information System
    • Task 1: Assemble authorization package to submit
      to authorizing official for approval
    • Task 2: Determine the risk to the organization
    • Task 3: Formally accept risk (authorization
      decision)
      • Compensating controls
      • Risk mitigation strategy
      • Residual risk
    • Task 4: Prepare the security authorization
      decision and document
      • Authorization decision
      • Terms and conditions for the authorization
      • Authorization termination date

26
Authorization Package
  • Security Plan
  • Security Assessment Report
  • Plan of Action & Milestones
27
Continuous Monitoring - Maintenance Phase
  • Strategy
    • Maintain the security authorization for the
      system over time in a highly dynamic operational
      environment with changing threats,
      vulnerabilities, technologies and business
      processes
  • Objectives
    • Track the security state of a system on a
      continuous basis
    • Ensure security controls are checked for
      effectiveness on an ongoing basis
    • Address the security impact to systems when
      changes occur to hardware, software, firmware and
      operational environment
    • Provide an effective process for updating
      security plans, security assessment reports and
      plans of action and milestones
    • Security status reporting to authorizing official

28
Continuous Monitoring
  • Program includes
    • Configuration management
    • Security impact analysis on actual or proposed
      changes
    • Assessment of selected controls
    • Ongoing status reporting to appropriate levels of
      management
    • Active involvement of Information System Owner,
      Security Control Assessor and Authorizing
      Official

29
Continuous Monitoring Continues Until
  • Changes to the system have affected security
    controls in the system or introduced new
    vulnerabilities into the system, and
  • Organizational level risk to the business
    operations, assets or individuals has been
    affected, or
  • The authorization deadline has passed; then...
  • Reauthorization begins!

30
Reauthorization
  • Reauthorization occurs at the discretion of the
    authorizing official in accordance with federal
    or organizational policy
  • Time Driven
    • Authorization termination date has been reached
  • Event Driven
    • Authorizing official changes
    • Routine environment/system changes
    • Significant environment/system changes (per NIST
      800-37)
      • Installation of a new or upgraded operating
        system, middleware component or application
      • Modifications to system ports, protocols or
        services
      • Installation of a new or upgraded hardware
        platform or firmware component
      • Modifications to cryptographic modules or
        services
      • Changes in laws, directives, policies or
        regulations
  • NOTE: Event-driven reauthorization should be
    avoided in situations where the continuous
    monitoring process provides the necessary and
    sufficient information to the authorizing
    official to manage the potential risk arising
    from significant environment or system changes.
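The two slides above describe a decision procedure: continuous monitoring continues until a change has affected controls or introduced vulnerabilities and changed organizational risk, or the termination date passes, and even a significant change should not force reauthorization when monitoring already gives the authorizing official what they need. The following Python module is an added example, not part of the presentation or of NIST SP 800-37; it encodes that procedure as a small status check over a constructed authorization record and constructed change events, so a system owner can see which documents need updating and whether reauthorization is due. The change-kind names, field names and sample data are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Significant change categories listed on the Reauthorization slide (per NIST SP 800-37).
# The identifier strings are this example's own labels, not terms from the standard.
SIGNIFICANT_CHANGE_KINDS = {
    "new_or_upgraded_os_middleware_or_application",
    "ports_protocols_or_services",
    "new_or_upgraded_hardware_or_firmware",
    "cryptographic_modules_or_services",
    "laws_directives_policies_or_regulations",
}


@dataclass
class ChangeEvent:
    kind: str                  # one of SIGNIFICANT_CHANGE_KINDS, or a routine kind such as "routine_patch"
    summary: str
    affects_controls: bool     # security impact analysis: controls altered or new vulnerabilities introduced?
    changes_org_risk: bool     # did organizational-level risk to operations, assets or individuals change?
    covered_by_monitoring: bool = False  # does continuous monitoring already give the AO sufficient information?


@dataclass
class Authorization:
    system: str
    authorizing_official: str
    termination_date: date
    events: list = field(default_factory=list)


def authorization_status(auth: Authorization, today: date, current_ao: str):
    """Return (status, reasons).

    status is one of:
      'authorized'        - keep running the continuous monitoring program
      'reauthorize:time'  - the authorization termination date has been reached
      'reauthorize:event' - an event-driven reauthorization is warranted
    """
    reasons = []
    # Time-driven trigger takes precedence: an expired authorization is not a judgement call.
    if today >= auth.termination_date:
        reasons.append(f"authorization termination date {auth.termination_date} reached")
        return "reauthorize:time", reasons

    # A new authorizing official must accept the risk personally.
    if current_ao != auth.authorizing_official:
        reasons.append(f"authorizing official changed ({auth.authorizing_official} -> {current_ao})")

    for ev in auth.events:
        significant = ev.kind in SIGNIFICANT_CHANGE_KINDS
        # Slide 29: both conditions (controls affected AND organizational risk affected) must hold.
        if significant and ev.affects_controls and ev.changes_org_risk:
            if ev.covered_by_monitoring:
                # Slide 30 NOTE: avoid event-driven reauthorization when continuous
                # monitoring already provides the necessary and sufficient information.
                continue
            reasons.append(f"significant change '{ev.summary}' affected controls and organizational risk")

    return ("reauthorize:event" if reasons else "authorized"), reasons


def documents_to_update(auth: Authorization):
    """Which authorization-package documents need refreshing under continuous monitoring.

    Every event gets a security impact analysis; only events that affected controls
    ripple into the security plan, the assessment report and the POA&M.
    """
    docs = set()
    for ev in auth.events:
        docs.add("security impact analysis")
        if ev.affects_controls:
            docs.update({"security plan", "security assessment report", "plan of action and milestones"})
    return sorted(docs)


def build_sample_authorization():
    """Constructed sample data: a fictional system with one routine and one significant change."""
    return Authorization(
        system="benefits-portal (fictional)",
        authorizing_official="A. Official",
        termination_date=date(2012, 2, 16),
        events=[
            ChangeEvent("routine_patch", "monthly OS patches", affects_controls=False, changes_org_risk=False),
            ChangeEvent("cryptographic_modules_or_services", "replaced TLS library",
                        affects_controls=True, changes_org_risk=True, covered_by_monitoring=False),
        ],
    )


if __name__ == "__main__":
    auth = build_sample_authorization()
    status, why = authorization_status(auth, date(2010, 1, 15), current_ao="A. Official")
    print(status, why)
    print(documents_to_update(auth))
```

The `covered_by_monitoring` flag is the practitioner's lever: when the assessor's ongoing assessment of the affected controls already reaches the authorizing official through status reporting, the same change that would otherwise reopen the whole authorization is handled inside the monitoring program, which is exactly the cost saving the slide's NOTE is after.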

31
Process Implementation
  • Crawl before you walk, walk before you run
  • If you have to comply with FISMA, you must have
    a security authorization process in place
    • Based on NIST SP 800-37
    • Flexibility
  • Even if you don't implement this process,
    consider the value of this process
    • Pre-production assessment
    • Security plan
    • 3rd party assessment
    • Business involvement

32
Where to get more information
  • I-Assure Forum
    • www.i-assure.com/forums/Default.aspx
  • NIST SP 800-37
    • http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf
  • Books
    • FISMA Certification & Accreditation Handbook
      by Laura Taylor (ISBN-10: 1597491160)
    • Building and Implementing a Security
      Certification and Accreditation Program
      by Patrick D. Howard (ISBN-10: 0849320623)

33
2009 Prediction
  • More and more private sector companies and
    universities will have to comply with FISMA. Why?
    Many companies that are government contractors
    are being required to comply with FISMA already
    as a stipulation in their contracts with the
    government. Organizations that accept grants from
    the government are increasingly being required to
    comply with FISMA.
  • FISMA 2008 will pass and government CISOs will
    become more empowered.
    • Laura Taylor, Founder of Relevant Technologies
      and author of the FISMA Certification &
      Accreditation Handbook

34
Status of FISMA Related NIST Publications
  • SP 800-30, Revision 1: Guide for Conducting Risk
    Assessments - FEBRUARY 2010
  • SP 800-37, Revision 1: Guide for the Security
    Authorization of Federal Information Systems: A
    Security Life Cycle Approach - JUNE 2009
  • SP 800-39: Managing Risk from Information
    Systems: An Organizational Perspective - JULY
    2009
  • SP 800-53A, Revision 1: Guide for Assessing the
    Security Controls in Federal Information Systems -
    DECEMBER 2009
  • SP 800-CM: Guide for Security Configuration
    Management and Control (Publication number TBD) -
    NOVEMBER 2009

35
Points to Remember
  • Assess a defined environment (authorization
    boundary), not the world
  • Security authorization is an ongoing process
  • Security control assessors make recommendations;
    they do not accept risk or approve mitigating
    controls on behalf of the organization
  • Risk acceptance is the sole responsibility of the
    authorizing official
  • Reuse and sharing of security control development,
    implementation, and assessment-related
    information reduces cost and time
  • An active continuous monitoring program reduces
    time and effort

36
Let's try again!
  • Which of the following is the responsibility of
    IT?
    • System owner
    • Data owner
    • System custodian
    • All of the above
  • True or False: The CIO/IT Director is
    responsible for accepting information and system
    security risks on behalf of the organization?
  • True or False: The individual in charge of
    information security is responsible for
    • Defining security controls
    • Implementing security controls
    • Managing security controls
    • All of the above

37
Questions
  • Thank You!
  • Rick Ensenbach, CISSP-ISSMP, CISA, CISM
  • Rick.Ensenbach@state.mn.us
  • 651-201-2790