
NIST Computer Security Framework and Grids


Presentation Transcript


  1. NIST Computer Security Framework and Grids
     Original Slides by Irwin Gaines (FNAL) 20-Apr-2006
     Freely Adapted by Bob Cowles (SLAC/OSG) for JSPG 13-Mar-2007

  2. Required NIST documents
     (diagram; items listed in the order they appear on the slide)
     • C&A Documentation Suite
     • Risk Mitigation Plan
     • ATO
     • CSPP
     • Threat Statement
     • ST&E Plan
     • Security Controls
     • System Security Categorization
     • Business
     • IT Systems
     • People
     Bob Cowles - JSPG

  3. NIST Process
     (diagram of the NIST risk management steps, each with its governing documents)
     • Security Categorization (FIPS 199 / SP 800-60): Defines category of information system according to potential impact of loss
     • Security Control Selection (SP 800-53 / FIPS 200): Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system
     • Security Control Refinement (SP 800-53 / FIPS 200 / SP 800-30): Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements
     • Security Control Documentation (SP 800-18): In system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place
     • Security Control Implementation (SP 800-70): Implements security controls in new or legacy information systems; implements security configuration checklists
     • Security Control Assessment (SP 800-53A / SP 800-37): Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements
     • System Authorization (SP 800-37): Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing
     • Security Control Monitoring (SP 800-37): Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness

  4. Grid Connection
     • Grids are virtual sites in a sense, and will be examined and perhaps even audited using the same criteria
     • All the US labs that have resources used by grids must live by NIST guidelines, so it is probably useful to build on the NIST framework for documenting grid computing security requirements

  5. NIST Process Details
     • Each system needs:
       • Functional description
       • Hardware and software description (especially description of boundaries)
       • Risk assessment
       • Security plan (showing controls to mitigate the greater impact or likelihood risks)
       • System Sensitivity Categorization (low/moderate/high sensitivity)
       • Contingency plan
       • Security control testing and evaluation
       • Process for certification and accreditation

  6. Risk Assessment
     • In general terms, a risk assessment is:
       • what could go wrong,
       • countermeasures to prevent some of these things from happening, and
       • you will live with the rest (residual risks)
     • Threat: who is knocking on the door
     • Vulnerability: improperly secured door; no risk without both a threat and a vulnerability
     • Likelihood: probability of occurrence
     • Impact: what is the damage if the risk occurs
     • Security controls: mitigations against risks

  7. Security Plan
     • Fully describe each control mentioned in your risk assessment
     • Controls organized into management, operational and technical controls
     • Show how each control will be assessed (Interview, Examination, Test)

  8. NIST Control families
     • Management
       • Risk Assessment (RA)
       • Planning (PL)
       • System and Services Acquisition (SA)
       • Certification, Accreditation, and Security Assessments (CA)
     • Operational
       • Personnel Security (PS)
       • Physical and Environmental Protection (PE)
       • Contingency Planning (CP)
       • Configuration Management (CM)
       • Maintenance (MA)
       • System and Information Integrity (SI)
       • Media Protection (MP)
       • Incident Response (IR)
       • Awareness and Training (AT)
     • Technical
       • Identification and Authentication (IA)
       • Access Control (AC)
       • Audit and Accountability (AU)
       • System and Communications Protection (SC)

  9. Sensitivity Categorization
     • Must evaluate the sensitivity of the information system and the information contained therein on the basis of:
       • Confidentiality: the unauthorized disclosure of information.
       • Integrity: the unauthorized modification or destruction of information.
       • Availability: the disruption of access to or use of information or an information system.
     • Low/moderate/high categorization
       • Low: The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
       • Moderate: The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
       • High: The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
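Slides 6 and 9 describe the two pieces a categorization rests on: a risk register (threat, vulnerability, likelihood, impact, controls) and the LOW/MODERATE/HIGH impact scale for confidentiality, integrity and availability. The following Python is an added example, not part of the slides or of any NIST or JSPG document. It models both slides for a small constructed register of grid risks and generalizes to several risks the way FIPS 199 does, by taking the high-water mark per objective and then across objectives; it also applies the slide 6 rule that an entry with no threat or no vulnerability is not a risk. The risk names, the hypothetical VO services, and the use of a plain ordinal scale for the high-water mark are assumptions made for illustration.

```python
"""FIPS 199-style security categorization for a grid service (added example).

Not from the slides: a constructed model of slide 6 (threat, vulnerability,
likelihood, impact, controls) and slide 9 (LOW/MODERATE/HIGH impact on
confidentiality, integrity and availability). The risk entries, the
grid-flavoured names and the ordinal scale used for the high-water mark are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Ordinal impact scale from slide 9; tuple index gives LOW < MODERATE < HIGH.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water_mark(levels) -> str:
    """FIPS 199 high-water mark: the highest impact level among the inputs
    (LOW when there is nothing realizable to rate)."""
    return max(levels, key=LEVELS.index, default="LOW")


@dataclass
class Risk:
    name: str
    threat: Optional[str]         # slide 6: "who is knocking on the door"
    vulnerability: Optional[str]  # slide 6: "improperly secured door"
    likelihood: str               # LOW / MODERATE / HIGH
    impact: Dict[str, str]        # objective -> LOW / MODERATE / HIGH
    controls: List[str] = field(default_factory=list)

    def is_realizable(self) -> bool:
        # Slide 6: no risk without both a threat and a vulnerability.
        return bool(self.threat) and bool(self.vulnerability)


def security_category(risks: List[Risk]) -> Dict[str, str]:
    """Per-objective impact: high-water mark over all realizable risks.
    An objective a risk does not rate is treated as LOW for that risk."""
    realizable = [r for r in risks if r.is_realizable()]
    return {obj: high_water_mark(r.impact.get(obj, "LOW") for r in realizable)
            for obj in OBJECTIVES}


def system_impact_level(risks: List[Risk]) -> str:
    """Overall system level: high-water mark across the three objectives."""
    return high_water_mark(security_category(risks).values())


def unmitigated(risks: List[Risk]) -> List[str]:
    """Realizable risks with no control listed: residual risk the security
    plan must either mitigate or explicitly accept."""
    return [r.name for r in risks if r.is_realizable() and not r.controls]


# Constructed sample register for a hypothetical VO's grid services.
SAMPLE_RISKS = [
    Risk("stolen_proxy_used_for_job_submission",
         threat="external attacker",
         vulnerability="long-lived proxy credentials left readable on shared storage",
         likelihood="MODERATE",
         impact={"confidentiality": "LOW", "integrity": "MODERATE",
                 "availability": "LOW"},
         controls=["AC: short proxy lifetimes", "AU: log every job submission"]),
    Risk("voms_outage",
         threat="hardware failure",
         vulnerability="single VOMS instance, no failover",
         likelihood="LOW",
         impact={"availability": "HIGH"},   # slide 10: takes down a large VO
         controls=[]),                      # nothing planned yet: residual risk
    Risk("unpatched_isolated_test_node",
         threat=None,                       # no network path, so no threat agent
         vulnerability="outdated software",
         likelihood="LOW",
         impact={"confidentiality": "HIGH", "integrity": "HIGH",
                 "availability": "HIGH"}),  # excluded: vulnerability without threat
]

if __name__ == "__main__":
    print("security category:", security_category(SAMPLE_RISKS))
    print("system impact level:", system_impact_level(SAMPLE_RISKS))
    print("risks still lacking controls:", unmitigated(SAMPLE_RISKS))
```

The third entry shows why the threat-and-vulnerability rule matters: rated HIGH on every objective, it would otherwise drag the whole system to HIGH, yet with no threat agent it contributes nothing to the category. The second entry lands in the unmitigated list, which is the set a security plan (slide 7) has to account for control by control.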

  10. Security Sensitivity
     • Low Impact: affects individual users or small VOs
     • Medium Impact: affects large VO or significant infrastructure impact
     • High Impact: takes down Grid infrastructure or large VO

  11. Grid Participants
     • Identity Provider – runs an identity vetting service as a CA or IdM
     • Authorization Provider – provides authorization information
     • Software Provider – provides software used by other participants
     • Service Provider – provides computational, data storage or higher level services

  12. Relationship to Grid VOs
     • VOs assemble software stacks using VDT Components and other software.
     • Grids for compute and data intensive science are open, evolving.
     • In general VOs run services, and/or supervise the services others run for them.
     • An example is VOMS (people, roles)

  13. All Participants (+Authz)
     • Management – C&A, Risk Assessment
     • Operational – Training, Config Mgmt, Contingency Planning, Incident Response, Maintenance, Media Protection, Personnel Security, Integrity
     • Technical – Access Controls (Authz), Audit, Ident and Authn, Integrity

  14. Additional Protections
     • Software – Maintenance activities monitored
     • Identity Providers – Authenticator content, additional Incident Response, Physical Environment, Security Plan, DoS protection

  15. Additional Protections-2
     • Service Providers
       • Additional access and authentication controls
       • Physical Environment
       • Security Plan
       • Lifecycle planning and documentation ensuring adequate resources for security
       • Monitoring of key communication boundaries
       • Malicious code protection

  16. ST&E Plans (assessment of security controls)
     • All controls must have procedures for testing and evaluation (it is not enough merely to be secure, you must be able to prove that you are secure)
     • Can be an ongoing process (e.g., we continually monitor the logs of all user access to our system)
     • Can be an annual (at a minimum) special test (e.g., once per year we attempt to penetrate our firewall from the outside)
     • Can be statistical sampling (interviewing or examining some randomly chosen subset of managers or systems)
     • In each case must provide documentation that the tests were performed and their results
     • Provide some central location for these test results

  17. Types of assessments
     • The three types of assessment mechanisms used for security controls are Interview (I), Examine (E), and Test (T).
     • As explained in NIST publication 800-53A “Guide for Assessing the Security Controls in Federal Information Systems”, these types of assessment mechanisms can be described as follows:
       • Interview: this involves asking a selected set of individuals, based on their roles, specific questions about configurations, their actions, etc.
       • Examine: this involves doing an analysis of some existing data sample and recording the results of the analysis.
       • Test: this involves performing some specific test of the security control to verify that it is performing as expected.

  18. Challenge
     • Use the framework to “tell a story”
     • Describe the expectations for participants at different levels of impact
     • VOs and other organizations are likely to have a combination of the expectations
     • Expectations would become policy statements referenced directly or indirectly by “AUP” for VOs, service providers, etc.

  19. What’s next for JSPG?
     • Validate the list of grid participants
     • Define criteria for the levels of sensitivity appropriate for low, medium and high
     • Determine appropriate controls for each participant type at various sensitivity levels
     • Propose how risk assessments and security plans will be developed
     • Propose how certification will be performed
