Integrated Enterprise-wide Risk Management
Organization, Mission, and Information Systems View

2009 Workshop on Cyber Security and Global Affairs
Oxford University, United Kingdom

August 5, 2009

Dr. Ron Ross
Computer Security Division
Information Technology Laboratory

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
The Threat Situation
Continuing serious cyber attacks on federal information systems, large and small, targeting key federal operations and assets...
- Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
- Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising federal information systems.
- Effective deployment of malicious software causing significant exfiltration of sensitive information (including intellectual property) and potential for disruption of critical information systems/services.
Unconventional Threats to Security
(Diagram: the two drivers of unconventional threat, Connectivity and Complexity.)
Asymmetry of Cyber Warfare
The weapons of choice are:
- Laptop computers, hand-held devices, cell phones.
- Sophisticated attack tools and techniques downloadable from the Internet.
- World-wide telecommunication networks including telephone networks, radio, and microwave.

Resulting in low-cost, highly destructive attack potential.
What is at Risk?
- Federal information systems supporting Defense, Civil, and Intelligence agencies within the federal government.
- Private sector information systems supporting U.S. industry and businesses (intellectual capital).
- Information systems supporting critical infrastructures within the United States (public and private sector) including:
  - Energy (electrical, nuclear, gas and oil, dams)
  - Transportation (air, road, rail, port, waterways)
  - Public Health Systems / Emergency Services
  - Information and Telecommunications
  - Defense Industry
  - Banking and Finance
  - Postal and Shipping
  - Agriculture / Food / Water / Chemical
Unconventional Wisdom
NEW RULE: Boundary protection is no longer sufficient against high-end threats capable of launching sophisticated cyber attacks...
- Complexity of IT products and information systems.
- Insufficient penetration resistance (trustworthiness) in commercial IT products.
- Insufficient application of information system and security engineering practices.
- Undisciplined behavior and use of information technology and systems by individuals.
The Fundamentals
Fighting and winning a 21st century cyber war requires 21st century strategies, tactics, training, and technologies...
- Integration of information security into enterprise architectures and system life cycle processes.
- Common, shared information security standards for unified cyber command.
- Enterprise-wide, risk-based protection strategies.
- Flexible and agile selection / deployment of safeguards and countermeasures (maximum tactical advantage based on missions / environments of operation).
- More resilient, penetration-resistant information systems.
- Competent, capable cyber warriors.
Information Security Transformation
- Establishing a common approach to risk management.
  - Converging parallel efforts across U.S. Intelligence Community, Defense Department, and federal civil agencies.
  - Leveraging partnerships with NIST and the national security community.
- Benefiting the federal government and its partners.
  - Facilitating information sharing and reciprocity.
  - Achieving process efficiencies.
  - Improving communication and increasing decision advantage.
  - Promoting outreach to state and local governments and private sector (including contracting base).
Transformation Goals
- Establish a common approach to risk management.
- Define a common set of trust (impact) levels; adopt and apply those levels across the federal government.
- Adopt reciprocity as the norm, enabling organizations to accept the approvals by others without retesting or reviewing.
- Define, document, and adopt common security controls.
- Adopt a common security lexicon, providing a common language and common understanding.
Transformation Goals (continued)
- Institute a senior risk executive function, which bases decisions on an "enterprise" view of risk considering all factors, including mission, IT, budget, and security.
- Incorporate information security into Enterprise Architectures and deliver security as a common enterprise service across the federal government.
- Enable a common process that incorporates information security within the "life cycle" processes and eliminate security-specific processes.
A Unified Framework for Information Security
The Generalized Model
(Diagram: three communities with their own unique requirements sit on one shared foundation.)
- Unique information security requirements (the "Delta"): Intelligence Community; Department of Defense; Federal Civil Agencies.
- Common information security requirements, the foundational set of information security standards and guidance:
  - Standardized risk management process
  - Standardized security categorization (criticality/sensitivity)
  - Standardized security controls (safeguards/countermeasures)
  - Standardized security assessment procedures
  - Standardized security authorization process
- Covers national security and non-national security information systems.
Compliance vs. Risk-based Protection

"We should not be consumed with counting the number of dead bolts on the front door when the back door is wide open..."
-- Anonymous
Risk-Based Protection
- Enterprise missions and business processes drive security requirements and associated safeguards and countermeasures for organizational information systems.
- Highly flexible implementation, recognizing diversity in missions/business processes and operational environments.
- Senior leaders take ownership of their security plans including the safeguards/countermeasures for the information systems.
- Senior leaders are both responsible and accountable for their information security decisions: understanding, acknowledging, and explicitly accepting resulting mission/business risk.
Information Security Programs
Links in the Security Chain: Management, Operational, and Technical Controls

Management and operational controls:
- Risk assessment
- Security planning, policies, procedures
- Configuration management and control
- Contingency planning
- Incident response planning
- Security awareness and training
- Security in acquisitions
- Physical security
- Personnel security
- Security assessments
- Certification and accreditation

Technical controls:
- Access control mechanisms
- Identification and authentication mechanisms (biometrics, tokens, passwords)
- Audit mechanisms
- Encryption mechanisms
- Boundary and network protection devices (firewalls, guards, routers, gateways)
- Intrusion protection/detection systems
- Security configuration settings
- Anti-viral, anti-spyware, anti-spam software
- Smart cards

Adversaries attack the weakest link... where is yours?
Strategic Initiatives
The Long-term View
- Build a unified information security framework for the federal government and support contractors.
- Integrate information security and privacy requirements into enterprise architectures.
- Employ systems and security engineering techniques to develop more secure (penetration-resistant) information systems.
Tactical Initiatives
The Short-term View
- Update security controls catalog and baselines.
  Delivery vehicle: NIST Special Publication 800-53, Revision 3
- Develop enterprise-wide risk management guidance.
  Delivery vehicle: NIST Special Publication 800-39
- Restructure the current certification and accreditation process for information systems.
  Delivery vehicle: NIST Special Publication 800-37, Revision 1
- Provide more targeted guidance on risk assessments.
  Delivery vehicle: NIST Special Publication 800-30, Revision 1
Risk Management Hierarchy
(Diagram, NIST SP 800-39: three tiers, with a strategic risk focus at the top and a tactical risk focus at the bottom.)
- Level 1: Organization
- Level 2: Mission / Business Process
- Level 3: Information System

Multi-tiered risk management approach:
- Implemented by the risk executive function
- Enterprise architecture and SDLC focus
- Flexible and agile implementation
Risk Management Hierarchy: Level 1, Organization (NIST SP 800-39)
Risk management strategy, owned by the risk executive function (oversight and governance):
- Risk assessment methodologies
- Risk mitigation approaches
- Risk tolerance
- Risk monitoring approaches
- Linkage to ISO/IEC 27001
Risk Management Hierarchy: Level 2, Mission / Business Process (NIST SP 800-39)
The risk management strategy applied at the mission/business process tier:
- Mission / business processes
- Information flows
- Information categorization
- Information protection strategy
- Information security requirements
- Linkage to enterprise architecture
Risk Management Hierarchy: Level 3, Information System (NIST SP 800-37)
Risk Management Framework:
- Linkage to SDLC
- Information system categorization
- Selection of security controls
- Security control allocation and implementation
- Security control assessment
- Risk acceptance
- Continuous monitoring
The Central Question
From Two Perspectives
- Security Capability Perspective: What security capability is needed to defend against a specific class of cyber threat, avoid adverse impacts, and achieve mission success? (REQUIREMENTS DEFINITION)
- Threat Capability Perspective: Given a certain level of security capability, what class of cyber threat can be addressed, and is that capability sufficient to avoid adverse impacts and achieve mission success? (GAP ANALYSIS)
Risk Management Framework
(Diagram: the six steps form a security life cycle, governed by SP 800-39; the starting point is CATEGORIZE.)
1. CATEGORIZE Information System (FIPS 199 / SP 800-60): define the criticality/sensitivity of the information system according to the potential worst-case, adverse impact to mission/business.
2. SELECT Security Controls (FIPS 200 / SP 800-53): select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
3. IMPLEMENT Security Controls (SP 800-70): implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS Security Controls (SP 800-53A): determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting the security requirements for the information system).
5. AUTHORIZE Information System (SP 800-37): determine the risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR Security State (SP 800-37 / SP 800-53A): continuously track changes to the information system that may affect security controls and reassess control effectiveness.
RMF Characteristics
The NIST Risk Management Framework and the associated security standards and guidance documents provide a process that is:
- Disciplined
- Flexible
- Extensible
- Repeatable
- Organized
- Structured

"Building information security into the infrastructure of the organization... so that critical enterprise missions and business cases will be protected."
Security Control Selection
- STEP 1: Select Baseline Security Controls (NECESSARY TO COUNTER THREATS)
- STEP 2: Tailor Baseline Security Controls (NECESSARY TO COUNTER THREATS)
- STEP 3: Supplement Tailored Baseline (SUFFICIENT TO COUNTER THREATS)
(Diagram: the Risk Management Framework cycle, CATEGORIZE Information/System, SELECT Security Controls, IMPLEMENT Security Controls, ASSESS Security Controls, AUTHORIZE Information System, MONITOR Security Controls.)
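The two RMF steps above, CATEGORIZE and SELECT, carried through in Python as an added worked example; this is not code from the presentation or from NIST. It applies the FIPS 199 high-water mark over a system's information types, then runs the three-step selection (baseline, tailor, supplement) against a small control catalog. The information types, the catalog's baseline memberships, the scoping rationale and the risk-assessment additions are all constructed for illustration; SP 800-53 Revision 3 is the authority for which controls actually sit in which baseline. The one edge case handled is that FIPS 199 allows a "not applicable" impact only for confidentiality (public information), never for integrity or availability.

```python
"""Added example: RMF steps 1 and 2 (categorize, then select/tailor/supplement
controls). Not code from the presentation or from NIST; the information types
and the control catalog below are constructed for illustration."""
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high-water mark.
    NA (not applicable) is permitted only for confidentiality, for public information."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water_mark(info_types):
    """Security category of the system per FIPS 199: for each objective, the highest
    impact over every information type the system processes.
    info_types: list of (name, {objective: Impact}). Returns {objective: Impact}."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        values = []
        for name, levels in info_types:
            value = levels[objective]
            if value is Impact.NA and objective != "confidentiality":
                raise ValueError(f"{name}: NA is not a valid {objective} impact")
            values.append(value)
        category[objective] = max(values)
    return category


def overall_impact(category):
    """FIPS 200 high-water mark across the three objectives; this single level picks
    the SP 800-53 baseline. Integrity and availability are never NA, so the result
    is always LOW, MODERATE or HIGH."""
    return max(category.values())


# Constructed, illustrative subset of the SP 800-53 Rev 3 catalog: each value is the
# lowest baseline in which the control is assumed to appear. Consult SP 800-53 itself
# for real baseline membership; do not treat this table as authoritative.
CATALOG = {
    "AC-2": ("Account Management", Impact.LOW),
    "AC-6": ("Least Privilege", Impact.MODERATE),
    "AC-18": ("Wireless Access", Impact.LOW),
    "AU-2": ("Auditable Events", Impact.LOW),
    "CM-6": ("Configuration Settings", Impact.LOW),
    "IA-2": ("Identification and Authentication", Impact.LOW),
    "PE-3": ("Physical Access Control", Impact.LOW),
    "SC-7": ("Boundary Protection", Impact.LOW),
    "SC-28": ("Protection of Information at Rest", Impact.MODERATE),
    "SI-4": ("Information System Monitoring", Impact.MODERATE),
}


def select_baseline(catalog, level):
    """STEP 1: the baseline is every control whose lowest baseline is at or below
    the system's overall impact level."""
    return {cid for cid, (_, floor) in catalog.items() if floor <= level}


def tailor(baseline, scoping_decisions):
    """STEP 2: apply scoping guidance. scoping_decisions maps a control id to the
    documented rationale for removing it (e.g. the system has no such component).
    Returns the tailored set plus the rationale log the security plan must carry;
    refuses to remove a control that was never in the baseline."""
    tailored = set(baseline)
    log = []
    for cid, rationale in scoping_decisions.items():
        if cid not in tailored:
            raise KeyError(f"{cid} is not in the baseline, nothing to scope out")
        tailored.remove(cid)
        log.append(f"{cid} scoped out: {rationale}")
    return tailored, log


def supplement(tailored, catalog, risk_assessment_additions):
    """STEP 3: add the controls the risk assessment shows are needed against a threat
    the baseline did not anticipate. Every addition must be a known control."""
    unknown = set(risk_assessment_additions) - set(catalog)
    if unknown:
        raise KeyError(f"unknown controls: {sorted(unknown)}")
    return set(tailored) | set(risk_assessment_additions)


# Constructed sample: a public-facing informational system with two information types.
SAMPLE_INFO_TYPES = [
    ("public web content", {"confidentiality": Impact.NA,
                            "integrity": Impact.LOW, "availability": Impact.LOW}),
    ("press contact list", {"confidentiality": Impact.LOW,
                            "integrity": Impact.LOW, "availability": Impact.LOW}),
]


def run_example():
    """Categorize the sample system and select its controls; returns the final set."""
    category = high_water_mark(SAMPLE_INFO_TYPES)
    level = overall_impact(category)                      # LOW for the sample
    baseline = select_baseline(CATALOG, level)            # step 1
    tailored, _log = tailor(baseline, {"AC-18": "system has no wireless components"})
    # Step 3: the (constructed) risk assessment flags an exfiltration threat the LOW
    # baseline does not address, so monitoring and at-rest protection are added.
    return supplement(tailored, CATALOG, ["SI-4", "SC-28"])


if __name__ == "__main__":
    print(sorted(run_example()))
```

The rationale log returned by tailor is the part auditors look for: a tailored-out control with no recorded justification is indistinguishable from a control that was simply forgotten, and the supplement step is where the "delta" for an advanced threat enters the plan rather than being bolted on after authorization.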
Cyber Preparedness
(Diagram: adversary capabilities and intentions, from Threat Level 1 (low) to Threat Level 5 (high), matched against defender security capability, from Cyber Prep Level 1 (low) to Cyber Prep Level 5 (high).)

An increasingly sophisticated and motivated threat requires increasing preparedness...
Dual Protection Strategies
- Boundary Protection
  - Primary consideration: penetration resistance
  - Adversary location: outside the defensive perimeter
  - Objective: repelling the attack
- Agile Defense
  - Primary consideration: information system resilience
  - Adversary location: inside the defensive perimeter
  - Objective: operating while under attack
Agile Defense
- Boundary protection is a necessary but not sufficient condition for Agile Defense.
- Examples of Agile Defense measures:
  - Compartmentalization and segregation of critical assets
  - Targeted allocation of security controls
  - Virtualization and obfuscation techniques
  - Encryption of data at rest
  - Limiting of privileges
  - Routine reconstitution to a known secure state

Bottom line: limit the damage of a hostile attack while operating in a (potentially) degraded mode...
Risk Executive Function
Enterprise-wide Oversight, Monitoring, and Risk Management Strategy
(Diagram: the Risk Management Framework applied to several information systems and to the common controls they inherit; each produces a Security Plan (SP), a Security Assessment Report (SAR), and a Plan of Action and Milestones (POAM) that feed its authorization decision.)

Inputs to the risk executive function:
- Architecture description: architecture reference models; segment and solution architectures; mission and business processes; information system boundaries.
- Organizational inputs: laws, directives, policy guidance; strategic goals and objectives; priorities and resource availability; supply chain considerations.
Risk Executive Function
Managing Risk at the Organizational Level
(Diagram: the risk executive function coordinates policy, risk, and security-related activities supporting organizational missions and business processes, above the mission/business processes and the information systems with their system-specific considerations.)
- Establish organizational information security priorities.
- Allocate information security resources across the organization.
- Provide oversight of information system security categorizations.
- Identify and assign responsibility for common security controls.
- Provide guidance on security control selection (tailoring and supplementation).
- Define common security control inheritance relationships for information systems.
- Establish and apply mandatory security configuration settings.
- Identify and correct systemic weaknesses and deficiencies in information systems.
Trust and Reciprocity
(Diagram: Organization One and Organization Two each operate an information system; mission/business information flows between the systems, and risk management information (security plan, security assessment report, plan of action and milestones) is exchanged between the organizations. Each organization determines the risk to its operations and assets, individuals, other organizations, and the Nation, and the acceptability of that risk.)

The objective is to achieve transparency of a prospective partner's information security programs and processes... establishing trust relationships based on common, shared risk management principles.
Key Risk Management Publication
NIST Special Publication 800-53, Revision 3
Recommended Security Controls for Federal Information Systems and Organizations
Published: August 2009
- Updating all material from NIST Special Publication 800-53, Revision 2
- Incorporating security controls from the national security community
- Incorporating new security controls for advanced cyber threats
- Incorporating information security program-level controls
- Incorporating a threat appendix for cyber preparedness (separately vetted and added to SP 800-53, Revision 3 when completed)
Key Risk Management Publication
NIST Special Publication 800-37, Revision 1
Guide for Applying the Risk Management Framework to Federal Information Systems
Projected: October 2009
- Incorporating comments from the Initial Public Draft
- Implementing guideline for the Risk Management Framework
- Transforming the previous certification and accreditation process
- Integrating the Risk Management Framework into the SDLC
- Greater emphasis on ongoing monitoring of information system security
- Ongoing security authorizations informed by the risk executive function
- Greater accountability and assurances for common (inherited) controls
- Increased use of automated support tools
Key Risk Management Publication
NIST Special Publication 800-39
Integrated Enterprise-wide Risk Management: Organization, Mission, and Information Systems View
Projected: December 2009
- Incorporating public comments from NIST Special Publication 800-39, Second Public Draft
- Incorporating the three-tiered risk management approach: organization, mission/business process, and information system views
- Incorporating cyber preparedness information
- Providing an ISO/IEC 27001 mapping to the risk management publications
Key Risk Management Publication
NIST Special Publication 800-53A, Revision 1
Guide for Assessing the Security Controls in Federal Information Systems and Organizations
Projected: January 2010
- Updating all assessment procedures to ensure consistency with NIST Special Publication 800-53, Revision 3
- Developing new assessment procedures for information security program management controls
- Updating web-based assessment cases for the inventory of assessment procedures
Key Risk Management Publication
NIST Special Publication 800-30, Revision 1 (Initial Public Draft)
Guide for Conducting Risk Assessments
Projected: January 2010
- Downscoping the current publication from a risk management focus to a risk assessment focus
- Providing guidance for conducting risk assessments at each step in the Risk Management Framework
- Incorporating threat information for cyber preparedness
Transformation... Getting There

Current state:
- Lack of reciprocity in authorization and assessment results
- Resource intensive
- Redundant and duplicative activities
- Inconsistent policy and process implementation
- Lack of automation (for both workflow and testing tools)
- Lack of standardized documentation and artifacts to facilitate informed decisions
- Three-year "paperwork drill"

The future:
- Enabled reciprocity and information sharing
- Improved security postures (architecture and information)
- Streamlined processes and improved end-product quality
- Uniform set of policies and practices
- Consistent implementation and use of automated tools
- More effective resource allocation; reduced costs
- Continuous monitoring
Contact Information
100 Bureau Drive Mailstop 8930
Gaithersburg, MD USA 20899-8930

Project Leader: Dr. Ron Ross, (301) 975-5390, ron.ross@nist.gov
Administrative Support: Peggy Himes, (301) 975-2489, peggy.himes@nist.gov

Senior Information Security Researchers and Technical Support:
- Marianne Swanson, (301) 975-3293, marianne.swanson@nist.gov
- Dr. Stu Katzke, (301) 975-4768, skatzke@nist.gov
- Pat Toth, (301) 975-5140, patricia.toth@nist.gov
- Arnold Johnson, (301) 975-3247, arnold.johnson@nist.gov
- Matt Scholl, (301) 975-2941, matthew.scholl@nist.gov
- Kelley Dempsey, (301) 975-2827, kelley.dempsey@nist.gov

Web: csrc.nist.gov/sec-cert
Comments: sec-cert@nist.gov