Panel:Moderator: Michele IversenGuest Experts: Dr. Ron Ross, Rod Beckstrom, Bob Wandell
Adhering to laws, regulations, standards, best practices, and contractual requirements (collectively referred to as “mandates”)• Includes the PROCESS of becoming and remaining compliant• Ongoing state of continuous improvement that requires discipline across
the enterprise, over the business and product lifecycle
• It contributes to achieving Risk Management objectives• Mechanism for controlling and managing risk• Protects nonpublic, sensitive information• Establishes standards for information security• Deters cybercriminals, including insiders• Holds corporate boards and senior executives accountable
Risk management has industry standards that cross industries and geographies; they can be quite complex !
Federal Government• Federal Information Security Management
Act (FISMA)• Federal Risk and Authorization
Management Program (FedRAMP)• FIPS Standards• Common Criteria• Security Technical Implementation Guides
(STIGS)• U.S. Rehabilitation Act & Section 508• Communications Assistance for Law
Enforcement Act (CALEA)
Banking & Finance• Sarbanes-Oxley Act (SOX)• National Automated Clearing House
Association (NACHA ) Electronic Payments Association Electronic Data Interchange (EDI)
• Payment Card Industry Data Security Standard (PCI DSS)
Health Care• Health Insurance Portability and
Accountability Act (HIPAA)• HIGHTECH• Meaningful Use• Health Level Seven International (HL7)
Standards Development Organization
Privacy• New York State Privacy Law • California Privacy and Identity Management
Law• And other States!• Europe and other countries
Federal Information Systems Management Act (FISMA) • Federal law enacted in 2002 as Title III of the E-Government Act, which
recognizes the importance of information security to the economic and national security interests of the U.S.
• Provides a framework for ensuring the effectiveness of information security controls over information resources supporting federal operations.
• Requires that agencies identify and provide information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.
• States that the head of each agency is responsible for providing information security protections.
TIER 3Information System
(Environment of Operation)
TIER 2Mission / Business Process
(Information and Information Flows)
TIER 1Organization(Governance)
STRATEGIC RISK FOCUS
TACTICAL RISK FOCUS
Multi-tiered Risk Management Approach Implemented by the Risk Executive Function Enterprise Architecture and SDLC Focus Information Security Architecture
Flexible and Agile Implementation Threat Aware
National Institute of Standards and Technology
Security Life CycleSP 800-39
Determine security control effectiveness(i.e., controls implemented correctly,
operating as intended, meeting security requirements for information system).
SP 800-53A
ASSESSSecurity Controls
Define criticality/sensitivity of information system according to
potential worst-case, adverse impact to mission/business.
FIPS 199 / SP 800-60
CATEGORIZE Information System
Starting Point
Continuously track changes to the information system that may affect
security controls and reassess control effectiveness.
SP 800-137
MONITORSecurity State
SP 800-37
AUTHORIZE Information System
Determine risk to organizational operations and assets, individuals,
other organizations, and the Nation;if acceptable, authorize operation.
Implement security controls within enterprise architecture using sound
systems engineering practices; apply security configuration settings.
IMPLEMENT Security Controls
SP 800-70 / SP 800-160
FIPS 200 / SP 800-53
SELECT Security Controls
Select baseline security controls; apply tailoring guidance and
supplement controls as needed based on risk assessment.
National Institute of Standards and Technology
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27
Strategic Risk Management
Focus
Tactical Risk Management
Focus
Top Level Risk Management
Strategy Informs
Operational Elements
Enterprise-Wide
Security Assessment
Report
SecurityPlan
Plan of Action and Milestones
Security Assessment
Report
Plan of Action and Milestones
SecurityPlan
Core Missions / Business ProcessesSecurity Requirements
Policy Guidance
RISK EXECUTIVE FUNCTIONOrganization-wide Risk Governance and Oversight
Security Assessment
Report
SecurityPlan
Plan of Action and Milestones
INFORMATION SYSTEM
System-specific Controls
Ong
oing
Aut
horiz
atio
n D
ecis
ions
Ong
oing
Aut
horiz
atio
n D
ecis
ions
Ongoing Authorization Decisions
RISK MANAGEMENT FRAMEWORK
(RMF)
COMMON CONTROLSSecurity Controls Inherited by Organizational Information Systems
Hyb
rid
Con
trol
s
INFORMATION SYSTEM
System-specific Controls
Hyb
rid
Con
trol
s
Defense-in-Breadth
The length of the FISMA compliance process is highly variable, depending on several factors such as:
The Security Category (FIPS 199 Low, Moderate, High) The availability of resources with skills and spare time to manage the process The current level of security controls The total number of users in a project The complexity of the computing environment.
8
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP is mandatory for federal agency cloud deployments and service models at low- and moderate-risk impact levels.
To initiate the process, a cloud service provider (CSP) or federal agency submits a completed FedRAMP request form and Federal Information Process Standards (FIPS) 1999 worksheet to FedRAMP.
The FedRAMP Joint Authorization Board reviews the risk posture of cloud systems and provides “provisional authorizations” based on the submitted security package.
FEDRAMP Documentation RequirementsFEDRAMP Documentation Requirements(Authorization Package)(Authorization Package)
Deliverable DescriptionSystem Security Plan This document describes how the controls are implemented within the
cloud information system and its environment of operation. The SSP is also used to describe the system boundaries.
Information Security Policies This document describes the CSP’s Information Security Policy that governs the system described in the SSP.
User Guide This document describes how leveraging agencies use the system.
Rules of Behavior This document is used to define the rules that describe the system user's responsibilities and expected behavior with regard to information and information system usage and access.
IT Contingency Plan This document is used to define and test interim measures to recover information system services after a disruption. The ability to prove that system data can be routinely backed up and restored within agency specified parameters is necessary to limit the effects of any disaster and the subsequent recovery efforts.
Configuration Management Plan This plan describes how changes to the system are managed and tracked. The Configuration Management Plan should be consistent with NIST SP 800-128.
Deliverable DescriptionIncident Response Plan This plan documents how incidents are detected, reported, and escalated
and should include timeframes, points of contact, and how incidents are handled and remediated. The Incident Response Plan should be consistent with NIST Special Publication 800-61.
E-Authentication Workbook This template will be used to indicate if E-Authentication will be used in the cloud system and defines the required authentication level (1-4) in terms of the consequences of the authentication errors and misuse of credentials. Authentication technology is selected based on the required assurance level.
Privacy Threshold Analysis This questionnaire is used to help determine if a Privacy Impact
Assessment is required.Privacy Impact Assessment This document assesses what Personally Identifiable Information (PII) is
captured and if it is being properly safeguarded. This deliverable is not always necessary.
FEDRAMP Documentation Requirements(Authorization Package) 2 of 2
• Understand the mandates: both how your product meets the applicable compliance framework requirements and/or how your product helps your customer meet them.
• Identify and document your baseline state of compliance; develop a requirements traceability matrix as appropriate.
• Validate compliance through third party audits– have documentation that you’re willing to share• Identify gaps and plan for remediation