Computer Security Resource Center
METRICS AND CONTROLS FOR DEFENSE IN DEPTH

AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE
Purpose

• Provide an overview of the DLA Information Assurance initiative entitled Metrics and
  Controls for Defense in Depth (McDiD)

• Illustrate how McDiD applies the Federal Information Technology Security Assessment
  Framework within the DoD Information Technology Security Certification and
  Accreditation Process (DITSCAP)
McDiD Impetus

• Department of Defense Mandate
    • DoD Instruction 5200.28, Security Requirements for Automated Information Security Systems
      (AIS), 21 March 1988, mandates the accreditation of all AIS, including stand-alone personal
      computers, connected systems and networks.
    • DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation
      Process (DITSCAP), 1 November 1999, established a four-phase process, required activities and
      general certification and accreditation criteria.
    • DoD Chief Information Officer Guidance and Policy Memorandum No. 6-8510, DoD Global
      Information Grid (GIG) Information Assurance (IA), June 16, 2000, directed that DoD develop an
      enterprise-wide IA architectural overlay to implement a strategy of layered defense
      (defense-in-depth).
    • Chairman of the Joint Chiefs of Staff Instruction 6510.04, Information Assurance Metrics, 15
      March 2000, establishes reporting requirements for the Chairman's Joint Monthly Readiness
      Reports.

• Need for Improved Security
    • Internetworking is increasing the business/mission impact of disruption.
    • Vulnerability is increasing due to the ease of access to cyber weapons and capabilities.
    • The Agency security assessment program has revealed systemic security issues.
McDiD Objectives

• Leverage an existing mandatory program, DITSCAP, as the "container" and delivery mechanism
  for all information assurance requirements and initiatives
• Shift certification and accreditation focus and resources from documentation & reporting to active
  security management
• Improve quality and consistency of certification and accreditation efforts
• Create an integrated enterprise management view to:
    • Support information assurance oversight
    • Ensure protection across accreditation boundaries
• Distinguish enterprise versus local roles and responsibilities
• Make policy and technical information easily accessible to DLA security professionals
• Facilitate and enable information/best practices exchange and collaboration within the DLA
  security community
• Structure information so as to:
    • Satisfy multiple information assurance reporting requirements
    • Maximize information reuse among related programs and disciplines, e.g., Architecture,
      Program and Budget, Asset Management, Configuration Management, Continuity Planning
• Provide for continuous Information Assurance process improvement
Federal Information Technology Security Assessment Framework

[Figure: the framework's five maturity levels, drawn as a staircase]
• Level 1: Documented Policy
• Level 2: Documented Procedures & Controls
• Level 3: Implemented Procedures & Controls
• Level 4: Tested and Reviewed Procedures & Controls
• Level 5: Fully Integrated Procedures and Controls
DoD Information Technology Security Certification and Accreditation Process

Phase 0 [Implicit]
• Department and Agency policies are established
• C&A process is established

Phase 1: Definition
• SSAA is drafted
• Security requirements are identified
• SSAA is negotiated and approved

Phase 2: Verification
• Security Procedures and Controls are implemented

Phase 3: Validation
• Compliance with controls is independently tested
• Authority to Operate is granted

Phase 4: Post Accreditation
• SSAA is updated to reflect changes in IT baseline
• Security assessment is updated quarterly
• Compliance with controls is periodically independently tested
Certification & Accreditation Roles & Responsibilities

Phase 0, 1 - Identify Security Requirements and Develop Corresponding Controls
    • Enterprise Program Manager: Assess Enterprise Threat; Assess IT Trends; Assess Existing
      Department and Agency Governances; Formulate/Update Agency Policy; Develop enterprise
      level controls
    • Network or System Manager: Assess local and network or system level security governances,
      IT configuration, and system/network specific threats; Supplement enterprise controls as
      required

Phase 2 - Implement Controls
    • Enterprise Program Manager: Provide resources and technical guidance as required; Develop
      test procedures to validate implementation
    • Network or System Manager: Implement security controls

Phase 3 - Validate Effectiveness of Controls
    • Enterprise Program Manager: Conduct enterprise or agency-wide validation, e.g., vulnerability
      assessments, penetration testing
    • Network or System Manager: Conduct network or system level testing, e.g., review of plans
      and procedures

Phase 4 - Continuously Improve Security Posture, Policy and Controls
    • Enterprise Program Manager: Assess enterprise security profile revealed by Phase 3; Assess
      process feedback collected during Phases 2-3; Repeat Phase 1 quarterly and as needed;
      Repeat Phase 3 annually
    • Network or System Manager: Repeat Phase 1 quarterly; Repeat Phase 3 annually; Provide
      feedback to HQ
Security Controls - Translate General Requirements into Actionable and Testable Objective
Security Conditions

Sample control (Control Number, Control Name, Control Description):

2.1. CONFIGURATION CONTROL BOARD. All information systems are under the control of a
chartered Configuration Control Board (CCB) that meets regularly and reports to the appropriate
Commander. The CCB membership includes an Information Assurance representative. A record of
CCB activities is maintained.

Metrics (each metric carries a Rating and a column to "Explain or Justify Your Rating for this
Control"):
• C4: No CCB capability exists.
• C3: A CCB is being planned.
• C2: A CCB exists, but does not have a charter signed by the Commander. (Does not include IA
  membership.)
• C1: A chartered CCB (including IA representation) meets regularly and reports to the
  Commander. A record of CCB activities is maintained.
Controls are Derived from Many Sources

[Figure: a Master list of IA Controls (•Number •Name •Desc) at the centre, fed by the sources
below; the legend distinguishes DLA Wide from System Specific sources]

DLA Wide sources:
• National & DoD Policy
• DLA Policy
• DLA Program Review Findings
• Vulnerability Assessments
• IG/GAO/Other Audit Findings
• Commercial Best Practices
• Agency System / Network Connection Agreements

System Specific sources:
• Local Security Policy
• Local Configuration Mgmt Practices
• Information Category (Sensitivity and Classification)
• Local System / Network Connection Agreements
• DAA Specified Requirements
A COTS Requirements Management System Maintains Controls Traceability

• Provides "provenance" or traceability to the authority for, or origin of, each control
• Ensures all policy mandates are addressed
• Supports Agency level policy assessment and formulation
• Enables continuous improvement of controls
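As an added example (not code from the McDiD briefing or from DLA), a small Python model of a control registry that holds each control's number, name, description, provenance sources and C1..C4 metric ratings, covering both the control/metric structure shown on the CCB slide and the traceability checks described here; control 9.9, the "Undocumented memo" source and all ratings are constructed sample values.

```python
"""Control registry with provenance and metric ratings (added example, constructed data)."""
from dataclasses import dataclass, field

# Source categories taken from the "Controls are Derived from Many Sources" slide.
DLA_WIDE_SOURCES = {
    "National & DoD Policy", "DLA Policy", "DLA Program Review Findings",
    "Vulnerability Assessments", "IG/GAO/Other Audit Findings",
    "Commercial Best Practices", "Agency System / Network Connection Agreements",
}
SYSTEM_SPECIFIC_SOURCES = {
    "Local Security Policy", "Local Configuration Mgmt Practices",
    "Information Category (Sensitivity and Classification)",
    "Local System / Network Connection Agreements", "DAA Specified Requirements",
}
# Rating scale as used on the CCB metric slide: C1 = condition fully met, C4 = no capability.
RATINGS = ("C1", "C2", "C3", "C4")


@dataclass
class Control:
    number: str
    name: str
    description: str
    sources: set                                   # provenance: which mandates/findings require it
    metrics: dict = field(default_factory=dict)    # metric text -> rating


def validate(controls):
    """Return problems: missing provenance, unknown sources, ratings outside C1..C4."""
    known = DLA_WIDE_SOURCES | SYSTEM_SPECIFIC_SOURCES
    problems = []
    for c in controls:
        if not c.sources:
            problems.append(f"{c.number}: no provenance recorded")
        for s in sorted(c.sources - known):
            problems.append(f"{c.number}: unknown source '{s}'")
        for m, r in c.metrics.items():
            if r not in RATINGS:
                problems.append(f"{c.number}: invalid rating '{r}' for metric '{m}'")
    return problems


def unaddressed_mandates(controls, mandates):
    """Mandates (source names) that no control traces back to: gaps in policy coverage."""
    covered = set().union(*(c.sources for c in controls))
    return sorted(set(mandates) - covered)


def posture_summary(controls):
    """Count ratings across all metrics, the kind of roll-up fed to readiness reporting."""
    counts = {r: 0 for r in RATINGS}
    for c in controls:
        for r in c.metrics.values():
            counts[r] = counts.get(r, 0) + 1
    return counts


# Constructed sample data: 2.1 mirrors the briefing's CCB control; 9.9 is hypothetical.
SAMPLE_CONTROLS = [
    Control("2.1", "CONFIGURATION CONTROL BOARD",
            "All information systems are under the control of a chartered CCB.",
            {"DLA Policy", "DLA Program Review Findings"},
            {"Chartered CCB with IA representation": "C2"}),
    Control("9.9", "HYPOTHETICAL SAMPLE CONTROL",          # constructed, not a McDiD control
            "Placeholder description.",
            {"Local Security Policy", "Undocumented memo"},  # second source is not a known origin
            {"Sample metric": "C5"}),                        # deliberately off the C1..C4 scale
]

if __name__ == "__main__":
    for p in validate(SAMPLE_CONTROLS):
        print("PROBLEM:", p)
    print("Unaddressed:", unaddressed_mandates(SAMPLE_CONTROLS, ["DLA Policy", "National & DoD Policy"]))
    print("Posture:", posture_summary(SAMPLE_CONTROLS))
```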
A COTS Free Form Database Provides a Repository for IA Reference Material

• Enables research and analysis with Lexis-Nexis like functionality
• Makes IA reference material widely available via the web
Standard Tools and Methods Improve the Quality and Consistency of the Certification and
Accreditation Process

1. Centralized authorship and promulgation of the enterprise portions
2. Narrative translated into "fill in the blank"
3. Centralized development and promulgation of standard templates for Authors, Testers, &
   Reviewers
4. Centralized administration of a web-based COTS Configuration Management system for SSAA
   document management and workflow

SSAA sections shown in the figure: Threat Assessment; Security Requirements (Controls);
Security CONOPS; Test & Evaluation Procedures; Risk Assessment.

Sample "fill in the blank" template shown: DATA TYPE AND FLOW (Date Last Updated: 2/19/01),
with the following columns:
• Functional Data Category [e.g., e-mail, network management traffic, IDS data, financial,
  contract, requirements, requisitions, etc.]
• Data Type [Unclassified, Privacy Act, Financially Sensitive, Admin/Other, Confidential, Secret,
  Top Secret, Compartmented / Special Access]
• User Clearance Level [Uncleared, NonSensitive, NonCritical Sensitive, Critical Sensitive,
  Confidential, Secret, Top Secret, Compartmented/SA]
• Data Source (Originating System, Subsystem or Module)
• Receiving System or Module
• Transmission Mode [Intranet, Internet, Web, FTP, Telnet, Stand Alone, Manual Procedure, VAN,
  Other]
• Protection Mechanism [VPN, SSL, SecureShell, Other]
• C&A Status of Interfacing System

Better, Cheaper, Faster
Controls Provide an "Index" for the IA Knowledge-Base

[Figure: the Master list of IA Controls (•Number •Name •Desc) at the centre of the
Comprehensive IA Knowledge-Base, linked to policy documents on one side and engineering
guides, metrics and readiness reporting on the other. Labels recovered from the figure:]
• Navigation Aid to "Trace Back" to Policy & Requirements
• Navigation Aid for "Drill Down" to Supporting Engineering Guides and Contract Clauses
• Each Control is Supported by Metrics
• McDiD is Administered Through a Comprehensive IA Knowledge-Base (CIAK)
• CIAK Feeds Defense Operational Readiness Reporting System
• McDiD Implementation Schedules Drive C&A and Budget

Sample policy document shown in the figure (an illustrative directive with placeholder number):

Department of Defense DIRECTIVE, NUMBER xxxx.xx, April 1, 2000, ASD(C3I)
Subject: Computer Network Defense (CND)
References: (a) DoD 5025.1-M, (b) DoD Directive S-3600-1, (c) DoD Directive 5160
1. PURPOSE
1.1. Establishes computer network defense (CND) policy, definition, and responsibilities within
the Department of Defense.
1.2. Authorizes the publication of DoD xxxx.xx-R/M/I, consistent with DoD 5025.1-M
(reference (a)).
2. APPLICABILITY
This Directive applies to the Office of the Secretary of Defense (OSD); the Military Departments;
the Chairman of the Joint Chiefs of Staff; the Combatant Commands; the Inspector General of the
Department of Defense (IG, DoD); the Defense Agencies and DoD field activities (hereafter
referred to collectively as "the DoD Components").

Readiness-reporting matrix headings shown in the figure: Countermeasure Class; Attacks; Threat
Level; Value of Information; Security Service; Service Element; Technical Countermeasures;
Nontechnical Countermeasures; Robustness; Technology; Technology Gaps; Mechanisms.
Conclusion

The McDiD Information Assurance initiative, while still early in its implementation, has:
   – Reduced SSAA preparation costs & time by an order of
      magnitude
   – Improved quality
      • Standard controls & metrics
      • Standard scope & level of effort
      • Infused learning & common understanding
   – Identified additional opportunities for collaboration and
     process improvement
