1 / 36

Security Control Families

Management Class. Security Control Families. Security Controls Overview. XX-1 Policy and Procedures. NIST Doc Review Strategy:. Table Summaries. Graphic Summaries. Bulleted Summaries. Executive Summaries, Overviews, Introductions. XX-1 Policy & Procedures. SP 800-12 The Handbook

isaura
Télécharger la présentation

Security Control Families

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Management Class Security Control Families

  2. Security Controls Overview • XX-1 Policy and Procedures

  3. NIST Doc Review Strategy: Table Summaries Graphic Summaries Bulleted Summaries Executive Summaries, Overviews, Introductions

  4. XX-1 Policy & Procedures • SP 800-12The Handbook • SP 800-100Manager’s Handbook

  5. Security Assessment & Authorization • Core RMF Documents • 800-47 (SLA) • 800-137 (CM)

  6. Planning Family & Family Plans • 800-18 (RMF) • 800-100 (PM) • OMB M-03-22 (Privacy)

  7. Program Management • 800-30 • 800-37 (RMF) • 800-39 (RMF) • 800-100 • 800-55 - Performance • 800-60 • 800-65 - CPIC • FIPS 199 • HSPD 7 – Critical Infrastructure • OMB 02-01 - SSP

  8. Program Management Overview • Information Security Program Plan (PM) • Critical Infrastructure Plan (HSPD 7) • Capital Planning and Investment Control (SP 800-65) • Measures of Performance (SP 800-55) • Enterprise Architecture and Mission/Business Process Definition

  9. Information Security Program Plan • Defines Security Program Requirements • Documents Management and Common Controls • Defines Roles, Responsibilities, Management Commitment and Coordination • Approved by Senior Official (AO) • Appoint Senior Information Security Officer

  10. Critical Infrastructure Plan • HSPD-7 Critical Infrastructure Identification, Prioritization, and Protection • Essential Services That Underpin American Society • Protection from Terrorist Attacks • Prevent Catastrophic Health Effects or Mass Casualties • Maintain Essential Federal Missions • Maintain Order • Ensure Orderly Functioning of Economy • Maintain Public's Morale and Confidence in Economic and Political Institutions • Strategic Improvements in Security

  11. Capital Planning & Investment Control • Investment Life Cycle • Integrating Information Security into the CPIC Process • Roles and Responsibilities • Identify Baseline • Identify Prioritization Criteria • Conduct System- and Enterprise-Level Prioritization • Develop Supporting Materials • IRB and Portfolio Management • Exhibits 53 and 300 and Program Management

  12. Investment Life Cycle

  13. Integrating Information Security into the CPIC Process

  14. Knowledge Check • If the interconnecting systems have the same authorizing official, an Interconnection Security Agreement is not required. True or False? • Which NIST SP, provides a seven-step process for integrating information security into the capital planning process? • This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks. • The corrective action and cost information contained in which document, serve as inputs to the Exhibit 300s and are then rolled into the Exhibit 53?

  15. Measures of Performance • Metric Types • Metrics Development and Implementation Approach • Metrics Development Process • Metrics Program Implementation • Prepare for Data Collection • Collect Data and Analyze Results • Identify Corrective Actions • Develop Business Case and Obtain Resources • Apply Corrective Actions

  16. Metric Types • “Am I implementing the tasks for which I am responsible?” • “How efficiently or effectively am I accomplishing those tasks?” • “What impact are those tasks having on the mission?”

  17. Metrics Development Process

  18. Metrics Program Implementation

  19. Federal Enterprise Architecture Business Service Performance Information Type (SP 800-60) Technical Data

  20. Core Principles of the FEA • Business-driven • Proactive and collaborative across the Federal government • Architecture improves the effectiveness and efficiency of government information resources

  21. Defining Mission/Business Processes • Defines mission/business processes with consideration for information security and the resulting risk to the organization; • Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

  22. Risk Assessment • 800-30r1 (draft) • 800-37 • 800-40 -Patch Management • 800-70 - Checklists • 800-115 - Assessments

  23. Patch and Vulnerability Management Program • Create a System Inventory • Monitor for Vulnerabilities, Remediations, and Threats • Prioritize Vulnerability Remediation • Create an Organization-Specific Remediation Database • Conduct Generic Testing of Remediations • Deploy Vulnerability Remediations • Distribute Vulnerability and Remediation Information to Local Administrators • Perform Automated Deployment of Patches • Configure Automatic Update of Applications Whenever Possible and Appropriate. • Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning • Vulnerability Remediation Training

  24. National Checklists Program

  25. In which NIST special publication might you find guidance for the performance measurement of information systems? • Which FEA reference model was used to create the guide for mapping information types to security categories, in support of the first step of the Risk Management Framework? • What is the name of the security control, represented by the control ID RA-3, must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework? • Where can information about vulnerabilities be found?

  26. System & Services Acquisition • 800-23 – Acquisition Assurance • 800-35 – Security Services • 800-36 – Security Products • 800-53a • 800-64 - SDLC • 800-65 - CPIC • 800-70 - Checklists

  27. Security Services Life Cycle

  28. General Considerations for Security Services • Strategic/Mission • Budgetary/Funding • Technical/ Architectural • Organizational • Personnel • Policy/Process

  29. Security Product Testing • Identification and Authentication • Access Control • Intrusion Detection • Firewall • Public Key Infrastructure • Malicious Code Protection • Vulnerability Scanners • Forensics • Media Sanitizing • Common Criteria Evaluation and Validation Scheme • NIST Cryptographic Module Validation Program

  30. Considerations for Selecting Information Security Products • Organizational • Product • Vendor • Security Checklists for IT Products • Organizational Conflict of Interest

  31. Management Security Controls Key Concepts & Vocabulary • XX-1 Policy & Procedures • CA - Security Assessment and Authorization • PL – Planning Family & Family Plans • Information Security Program Plan (PM) • Critical Infrastructure Plan (HSPD 7) • PM - Program Management • Capital Planning and Investment Control (SP 800-65) • Measures of Performance (SP 800-55) • Enterprise Architecture (FEA BRM) • RA - Risk Assessment • Security Categorization • Risk & Vulnerability Assessments • SA - System and Services Acquisition

More Related