Risk Management Framework




    U.S. Department of Health and Human Services
   Agenda

• Brief history of computers, connectivity, and threats
• Federal and legislative responses prior to the Federal Information
  Security Management Act (FISMA) of 2002
• FISMA of 2002
• The New Risk Management Framework
• Changes in federal guidelines
• Questions




A Brief History of Computers and Networks




Up Side, Down Side

[Photo slide: Jobs and Wozniak; the original “hackers”; the 414s]
Data Breaches

[Chart of reported data breaches. Source: Privacy Rights Clearinghouse, www.privacyrights.org]
Federal and Legislative Responses Before 2002
• Comprehensive Crime Control Act of 1984
• Computer Fraud and Abuse Act of 1984
• Computer Security Act of 1987
• Computer Emergency Response Team (CERT) was
  created in 1988 by the Defense Advanced Research
  Projects Agency (DARPA)
• Domain Name System Security Extensions (DNSSEC)
  proposed in 1998 by Internet Software Consortium




Federal Information Security Management Act of 2002 (FISMA)
• Requires each federal agency to develop, document,
  and implement an agency-wide program to provide
  information security for the information and information
  systems that support the operations and assets of the
  agency
• Emphasizes a risk-based policy for cost-effective
  security
• Requires annual reviews and reporting to the Office of
  Management and Budget (OMB)



The National Institute of Standards and Technology (NIST) is Tasked by FISMA to Develop:

• Standards to be used by all federal agencies to categorize all
  information and information systems collected or maintained by or
  on behalf of each agency based on the objectives of providing
  appropriate levels of information security according to a range of
  risk levels
• Guidelines recommending the types of information and
  information systems to be included in each such category
• Minimum information security requirements (i.e.,
  management, operational, and technical security controls), for
  information and information systems in each such category




A New Unified Framework for Information Security

New emphasis on standardization

Unique information security requirements remain with each community: the Intelligence Community, the Department of Defense, federal civil agencies, and the private sector and state and local government.

Common information security requirements: a foundational set of information security standards and guidance
• Standardized risk management process
• Standardized security categorization (criticality/sensitivity)
• Standardized security controls (safeguards/countermeasures)
• Standardized security assessment procedures
• Standardized security authorization process

Applies to both national security and non-national security information systems.
Enterprise-Wide Risk Management

• Multi-tiered risk management approach
• Implemented by the risk executive (function)
• Enterprise architecture and SDLC focus
• Flexible and agile implementation

The three tiers, from strategic to tactical risk focus:
• Tier 1: Organization (governance)
• Tier 2: Mission / business process (information assets and information flows)
• Tier 3: Information system (environment of operation)
Risk Management Hierarchy

Tier 1: Organization. The risk executive (function) provides oversight and governance and owns the risk management strategy:
   – Risk assessment methodologies
   – Risk mitigation approaches
   – Risk tolerance
   – Risk monitoring approaches

Tier 2: Mission / business process:
   – Mission / business processes
   – Information flows
   – Information categorization
   – Information protection strategy
   – Information security requirements
   – Linkage to enterprise architecture

Tier 3: Information system. The Risk Management Framework is applied at this tier:
   – Linkage to the systems development life cycle (SDLC)
   – Information system categorization
   – Selection of security controls
   – Security control allocation and implementation
   – Security control assessment
   – Risk acceptance/authorization
   – Continuous monitoring
New NIST Special Publications (SPs) Transform the Risk Management Framework

Security life cycle (eight-step version), with the publications governing each step:
• CATEGORIZE information system: FIPS 199, SP 800-60
• SELECT security controls: FIPS 200, SP 800-53
• SUPPLEMENT security controls: SP 800-53, SP 800-30
• DOCUMENT security controls: SP 800-18
• IMPLEMENT security controls: SP 800-70
• ASSESS security controls: SP 800-53A
• AUTHORIZE information system: SP 800-37
• MONITOR security controls: SP 800-37, SP 800-53A
New NIST Special Publications (SPs) Transform the Risk Management Framework

Security life cycle (six-step version; CATEGORIZE is the starting point):
• CATEGORIZE information system: define the criticality/sensitivity of the information system according to the potential worst-case, adverse impact to mission/business.
• SELECT security controls: select baseline security controls; apply tailoring guidance and supplement controls as needed based on the risk assessment.
• IMPLEMENT security controls: implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS security controls: determine security control effectiveness (i.e., controls implemented correctly, operating as intended, and meeting the security requirements for the information system).
• AUTHORIZE information system: determine the risk to organizational operations and assets, individuals, other organizations, and the U.S.; if acceptable, authorize operation.
• MONITOR security controls: continuously track changes to the information system that may affect security controls and reassess control effectiveness.
Risk Management Framework Characteristics
• Near real-time risk management and ongoing information system
  authorization
• Automation-assisted, cost-effective, risk-based decision making
• Integrates information security into the enterprise architecture and
  system development life cycle
• Emphasis on the selection, implementation, assessment, and
  monitoring of security controls
• Risk executive (function)
• Common security controls establish responsibility and
  accountability within organizational information systems




   Risk Management Framework Emphasis

• Building information security capabilities into federal information
  systems through the application of state-of-the-practice
  management, operational, and technical security controls
• Maintaining awareness of the security state of information
  systems on an ongoing basis through enhanced monitoring
  processes
• Providing essential information to senior leaders to facilitate
  decisions regarding the acceptance of risk to organizational
  operations and assets, individuals, other organizations, and the
  U.S. arising from the operation and use of information systems




Security life cycle steps and the current governing publications (CATEGORIZE is the starting point):
• CATEGORIZE information system: FIPS 199, NIST SP 800-60
• SELECT security controls: FIPS 200, NIST SP 800-53 Rev. 3
• IMPLEMENT security controls: NIST SP 800-37 Rev. 1, NIST SP 800-53 Rev. 3, NIST SP 800-53A
• ASSESS security controls: NIST SP 800-37 Rev. 1, NIST SP 800-53A
• AUTHORIZE information system: NIST SP 800-37 Rev. 1
• MONITOR security controls: NIST SP 800-37 Rev. 1, NIST SP 800-53A

   Categorize Information System

1. Determine the different types of information that are
   processed, stored, or transmitted by the information
   system
2. Using the impact levels in Federal Information
   Processing Standard (FIPS) 199 and the
   recommendations of NIST Special Publication (SP)
   800-60, categorize the confidentiality, integrity, and
   availability of each information type as low, moderate,
   or high impact




Security Objectives

• Confidentiality
   – FISMA definition: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…”
   – FIPS 199 definition: A loss of confidentiality is the unauthorized disclosure of information.
• Integrity
   – FISMA definition: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…”
   – FIPS 199 definition: A loss of integrity is the unauthorized modification or destruction of information.
• Availability
   – FISMA definition: “Ensuring timely and reliable access to and use of information…”
   – FIPS 199 definition: A loss of availability is the disruption of access to or use of information or an information system.
   Categorize Information System

3. The information system security categorization is the
   highest impact level for each security objective
   (confidentiality, integrity, availability)
4. The overall impact level of the information system is
   the highest impact level among the three security
   objectives in the system security categorization
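The four categorization steps above, carried through in code as an added worked example (this is not code from the HHS slides or from any NIST publication). The information types and their impact ratings are constructed for illustration rather than taken from SP 800-60; the high-water-mark rule, and the FIPS 199 restriction that “not applicable” may be assigned only to the confidentiality of an information type and never to an objective at the information-system level, are the parts a practitioner should rely on.

```python
# FIPS 199 security categorization using the high-water mark rule.
# Added example for this page; not code from the HHS slides or from NIST.
# The information types and ratings below are constructed for illustration,
# not taken from NIST SP 800-60.

from typing import Dict, Iterable

# Ordering of FIPS 199 potential-impact values. "NA" (not applicable) is permitted
# only for the confidentiality of an individual information type (e.g., public data).
IMPACT_ORDER = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: a hypothetical benefits system handling three information types.
SAMPLE_INFORMATION_TYPES: Dict[str, Dict[str, str]] = {
    "public web content":        {"confidentiality": "NA",       "integrity": "LOW",      "availability": "LOW"},
    "beneficiary PII":           {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "payment disbursement data": {"confidentiality": "MODERATE", "integrity": "HIGH",     "availability": "MODERATE"},
}


def validate(info_types: Dict[str, Dict[str, str]]) -> None:
    """Steps 1 and 2 sanity check: every information type carries a valid C/I/A rating."""
    for name, ratings in info_types.items():
        for objective in OBJECTIVES:
            level = ratings.get(objective)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{name}: invalid impact level {level!r} for {objective}")
            if level == "NA" and objective != "confidentiality":
                raise ValueError(f"{name}: NA is allowed only for confidentiality (FIPS 199)")


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level among the given levels."""
    return max(levels, key=IMPACT_ORDER.__getitem__)


def system_categorization(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Step 3: for each security objective, take the highest impact level across all
    information types. FIPS 199 does not allow NA at the system level, because the
    system's own processing functions always carry at least LOW impact, so an
    objective that is NA for every information type is raised to LOW."""
    validate(info_types)
    categorization = {}
    for objective in OBJECTIVES:
        level = high_water_mark(ratings[objective] for ratings in info_types.values())
        categorization[objective] = "LOW" if level == "NA" else level
    return categorization


def overall_impact(categorization: Dict[str, str]) -> str:
    """Step 4: the overall impact level is the highest among the three objectives;
    this is the value that selects the LOW, MODERATE, or HIGH control baseline."""
    return high_water_mark(categorization.values())


def fips199_notation(categorization: Dict[str, str]) -> str:
    """Render the categorization in the notation FIPS 199 uses, e.g.
    SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}."""
    pairs = ", ".join(f"({obj}, {categorization[obj]})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


if __name__ == "__main__":
    sc = system_categorization(SAMPLE_INFORMATION_TYPES)
    print(fips199_notation(sc))
    print("overall impact level:", overall_impact(sc))
```

Note that a single HIGH rating on one objective of one information type (integrity of the payment data here) lifts the whole system to the HIGH baseline; that is the intended effect of the high-water mark, and it is the usual reason to consider splitting a system into separately categorized subsystems before selecting controls.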




   Select Security Controls

• Security controls are the management, operational, and technical
  safeguards or countermeasures to protect the confidentiality,
  integrity, and availability of the information system
• FIPS 200: Minimum Security Requirements for Federal
  Information and Information Systems specifies minimum security
  requirements in 17 areas
• NIST SP 800-53 Rev. 3, Recommended Security Controls for
  Federal Information Systems and Organizations adds one new
  family (Program Management)
• Baseline security controls are assigned based upon the impact
  rating of the information system




   Tailor and Supplement the Baseline Controls

• After selecting the initial set of baseline security
  controls, tailor the controls to appropriately modify and
  more closely align the controls with the specific
  conditions within the organization
• The final determination of the appropriate set of
  security controls is a function of the organization’s risk
  assessment
• In many cases, additional controls/enhancements will
  be needed to address specific threats/vulnerabilities
  and to satisfy the regulatory requirements


   Implement Security Controls

• Use best practices and proven products
• Document the security control implementation in the
  system security plan
• The system security plan will be included in the
  security authorization package for authorizing officials




   Assess Security Controls

• Security control assessment determines the extent to
  which controls are
   – Implemented correctly
   – Operating as intended
   – Producing the desired outcome
• NIST SP 800-53A, Guide for Assessing the Security
  Controls in Federal Information Systems and
  Organizations: Building Effective Security Assessment
  Plans provides guidance
• The security assessment report is a key document
  included in the authorization package
  Assessment Methodology

• What we assess (assessment objects)
   – Specifications
   – Mechanisms
   – Activities
   – Individuals
• How we assess (assessment methods)
   – Examine
   – Interview
   – Test



Steps to Authorize Information System

Plan of Action and Milestones → Security Authorization Package → Risk Determination → Risk Acceptance
   Monitor Security Controls
• An effective continuous monitoring program requires
   – Configuration management and configuration control
     processes
   – Security impact analyses on changes to the information
     system
   – Assessment of selected security controls in the information
     system and security status reporting to appropriate agency
     officials
• A subset of controls should be selected for continuous
  monitoring
• Keep POA&Ms up to date


   Major Changes in SP 800-53, Rev. 3

• Provides a unified catalogue of security controls for
  both national security and non-national security
  systems
• Adds new security controls for advanced threats
• Introduces an 18th family of security controls for the
  organization-wide information security program
  (Program Management Family)
• Establishes priority codes for security controls to assist
  in sequencing decisions for implementation
• Includes revised security control baseline allocations,
  to include low impact systems
   Other Changes in SP 800-53, Rev. 3

• CA Family – Renamed Security Assessment and
  Authorization; Certification has been removed
• Continuous Monitoring Role expanded to allow for
  near real time risk management via automated tools
  (i.e., more continuous monitoring, less time-based
  assessment)
• Expanded guidance for selecting security controls for
  new, legacy, and external systems




  Changes in NIST SP 800-37 Rev. 1

• The old C&A focus
   – A static, procedural activity



• The new focus
   – A more dynamic approach
   – More effectively manage information system-related security
     risks
   – In highly diverse environments of complex and sophisticated
     cyber threats, ever-increasing system vulnerabilities, and
     rapidly changing missions


          Questions?

        Secure One HHS
SecureOne.HHS@hhs.gov
     202-205-9581




				