NYS Forum Joint Initiative: Security, Project Management & Business Continuity Workgroups
Manage Risk by Building Information Security into Your Projects
Addendum to the NYS Project Management Guidebook
May 26, 2010
Mark Spreitzer, CBCP, CGI Group, [email protected]
Deborah Snyder, CISSP, GIAC GSLC, PMP, NYS Office of Temporary & Disability Assistance, (518) [email protected]
Agenda
• Welcome and Announcements – Chuck Weiss
• Project Management, Information Security & Business Continuity Work Groups
  – Introductions
  – PM lifecycle & the Secure SDLC
  – Risk Management – Relationship to PM processes
  – 5-Phase Secure SDLC Process
  – Framework for applying Security & BC considerations to each Phase
  – Benefits
  – Resources
• Q & A
Introduction
Project Management Work Group
• Co-Chairs
  – Brenda Breslin (NYS Department of Health)
  – Vivian Conboy (Dept. of Tax & Finance)
  – Chris Foster (CGI Technologies and Solutions Inc.)
  – Jon Haverly (Keane Inc.)
• Overview
  – Support government entities and their PMs as they adopt PM standards and practices, establish PMOs, and implement program and portfolio management within their organizations
  – PM Community of Practice provides interactive exchange of ideas, practices, and lessons learned
  – PMO Roundtable to support PM implementation methods
Introduction
Security Work Group
• Co-Chairs
  – Deb Snyder (NYS OTDA), Bob Spina (CISCO), Joe Lynch (ORACLE) & Ted Phelps (SUNY)
• Overview
  – Work in collaboration with state & local agencies to develop education/training opportunities & tools that address information security issues
  – Support the Information Security Community of Practice
  – Strong working relationships with NYS OFT/CIO & the Office of Cyber Security & Critical Infrastructure Coordination (CSCIC)
  – International MS-ISAC Security Webcasts
  – Educational workshops, seminars & events
Introduction
Business Continuity (BC) Work Group
• Co-Chairs
  – David DeMatteo (SEMO)
  – Ken Mason (SED)
  – Mark Spreitzer, CBCP (CGI)
• Overview
  – Primary focus is on the “how to” of business continuity planning
  – Intended to help facilitate “best practice” development amongst state and local resources & representatives of the IT Corporate Roundtable
  – Provide education & training opportunities
  – Collaborate on tools that address BC planning needs
  – Work to emphasize the importance of BC planning in NYS Government, in lieu of an explicit requirement
From an Operational Perspective…
Project Management Life Cycle
• Focus on Implementation
• Management roles & responsibilities
• Framework for planning & managing work
• Develop & manage project plan (scope, schedule)
• Distinguish PM effort from SD effort
System Development Life Cycle
• Focus on Operations
• Technical roles & responsibilities
• Framework for solving business needs with technology
• Design & construct system components (modules, databases)
• Distinguish SD effort from PM effort
Phase Relationships
[Diagram: Secure SDLC (High Level). Labels recovered from the figure: PM Life Cycle – Origination, Initiation, Planning, Execution, Closeout; SDLC – Initiation, Acquisition/Development, Implementation/Assessment, Operations & Maintenance, Disposal; also the label Production.]
Focuses on Information Security & Business Continuity
[Diagram: the PM Life Cycle and SDLC phases above with the SSDLC stages aligned to them. SSDLC labels recovered: Preparation; Initiation Risk Level & Security Planning; Security Requirements & Controls; Security Testing, Documentation, C&A; Acceptance & Change Management; Disposition / Transition.]
Secure System Development Life Cycle (SSDLC) Principles
• To be effective, information security must be integrated from the inception of the project and given adequate consideration throughout the SDLC.
• Information security controls applied to a particular information system must be commensurate with its criticality and sensitivity.
• SSDLC – a conceptual framework to ensure this occurs…
  – Structured process and core set of analysis steps and planning considerations to integrate info-security into the SDLC
  – Helps identify, evaluate & minimize info-security risk
  – Defines info-security requirements, the appropriate security level & the measures/controls needed to adequately protect the asset
  – Produces a clear, well-documented information security plan
  – Based on industry standards, well-established practices, and fundamental security principles and concepts
SSDLC “Roadmap” example…
[Figure: Information Security considerations, checkpoints & deliverables across the SDLC. Source: NYS OTDA ISO, Secure SDLC Roadmap]
NIST Special Publications
NIST = National Institute of Standards & Technology
• Chartered to promote & protect the economy & public welfare; collaborates with industry, government & academic organizations; used by FEMA for framework development
• Defines Security to include Business Continuity and Contingency Planning (CP)
• Integrates Security activities into the system development life-cycle (SDLC)
• Outlines key security roles and responsibilities
• Defines Security/BC components as control objectives (Control Gates – permission to proceed)
NIST Special Publication 800 series Guidance: http://csrc.nist.gov/publications/PubsSPs.html
• SP 800-12, An Introduction to Computer Security: The NIST Handbook
• SP 800-18, Guide for Developing Security Plans for Information Technology Systems
• SP 800-27, Engineering Principles for Information Technology Security
• SP 800-30, Risk Management Guide for IT Systems
• SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• SP 800-39, Managing Risk from Information Systems: An Organizational Perspective
• SP 800-34, Contingency Planning
• SP 800-53, Recommended Security Controls & Annexes 1, 2, 3
• SP 800-60, Mapping Types of Information & Information Systems to Security Categorization Levels
• SP 800-64, Security Considerations in the System Development Life Cycle
• SP 800-84, Testing, Training and Exercising
• NIST SDLC Brochure, August 2004, Information Security in the SDLC: http://csrc.nist.gov/SDLCinfosec
Federal Information Processing Standards (FIPS): http://csrc.nist.gov/publications/PubsFIPS.html
• FIPS 199, Standards for Security Categorization
• FIPS 140-2, Security Requirements for Cryptographic Modules
FEMA Continuity Guidance Circular 1 (CGC1): www.fema.gov/pdf/about/org/ncp/cont_guidance1.pdf
NIST’s Security in the SDLC
[Figure. Source: NIST SDLC Brochure (Aug. 2004), Information Security in the SDLC.]
Risk Management
Relationship to All Other PM Functions
[Diagram: Project Risk Management at the centre, linked to the PM functions Integration, Communications, Human Resources, Cost, Procurement, Scope, Time and Quality. Inputs recovered from the figure: Expectations, Feasibility; Time Objectives, Restraints; Requirements, Standards; Availability, Productivity; Life Cycle & Environment Variables; Services, Plant, Materials: Performance; Cost Objectives, Restraints; Ideas, Directives, Data Exchange Accuracy. Source: Project & Program Risk Management, A Guide to Managing Project Risks & Opportunities, p. II-2.]
Integrated Risk Management
• RM can be viewed as a holistic activity that is fully integrated into every aspect of the organization
• RM is driven by organization (mission) risk
Source: NIST SP 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission and Information System View.
Risk Management Framework
Source: NIST Risk Management Framework, http://csrc.nist.gov/groups/SMA/fisma/framework.html & http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/index.html
Some Key Terms… (see handout)
• After Action Review
• Artifact
• Business Continuity (Contingency Planning)
• Business Impact Analysis (BIA)
• Controls, Safeguards & Countermeasures
• Control Gates
• Information Resources
• Information Security (Confidentiality, Integrity, Availability)
• Information System
• Plan of Action and Milestones (POA&M)
• Recovery Time Objective (RTO)
• Recovery Point Objective (RPO)
• Risk & Residual Risk
• Risk Management
Phase 1: Initiation – Resources, Expectations, LOE & Schedule
[Diagram: PM Life Cycle / SDLC / SSDLC phase map, as in Phase Relationships above. Labels recovered: Preparation; Origination; Initiation; Planning; Initiation Risk Level & Security Planning.]
KEY PROCESSES
• Initial Security Planning
• Categorize System
• Privacy Impact Analysis
• Ensure Secure SDLC
• Preliminary Risk Assessment
• Business Impact Assessment
• Availability requirements analysis
• Vital Records Analysis
  – Data and documentation
ARTIFACTS
• Awareness Training
• Security Categorization
• High Level Security Requirements
• Development/Coding Standards
• QA Plans
• Draft Privacy Impact Assessment
• Linkages to Business Drivers
• Core System Components
• Draft Business Impact Analysis
  – Initial RTO/RPO
Phase 2: Acquisition / Development – Requirements & Control Selection
[Diagram: PM Life Cycle / SDLC / SSDLC phase map. Labels recovered: Execution; Implementation/Assessment; Acquisition/Development; Security Requirements & Controls; Security Testing, Documentation, C&A.]
KEY PROCESSES
• Update Prelim. Risk Assessment
• Select & Document Security Controls
• Design Security Architecture
• Engineer Security in – Develop Controls
• Recovery Strategy
• Draft Contingency Plan
  – COOP, BC, DR
• Vital records analysis
• Test, Train & Exercise (TT&E)
ARTIFACTS
• Updated Risk Assessment
• Security Plan & list of Variations
• List of Shared Services & Risks
• Security Integration Schematic
• BC & DR Concept of Operations
• Contingency Plan (drafts)
  – Notification/activation, incident response
  – Recovery & Reconstitution
• Common Controls
• TT&E Results
  – Policy & Control Adjustments
  – Scenarios & Additional Documentation
  – Test Results (incl. variations)
Phase 3: Implementation / Assessment – Documenting Results (Baseline)
[Diagram: PM Life Cycle / SDLC / SSDLC phase map. Labels recovered: Maintenance; Execution; Implementation/Assessment; Acquisition/Development; Security Requirements & Controls; Security Testing, Documentation, C&A.]
KEY PROCESSES
• Finalize Detailed Security Plan
• Create detailed C&A Plan
• Control Integration
• System Security Assessment
• Product / Component Inspection
• Finalize BC, COOP & DR
• Control Integration
• Implement Vital Records program
• Certification/Acceptance
• TT&E
ARTIFACTS
• Verified Operational Security Controls
• C&A Work Plan
• Completed System Documentation
• Security Assessment Report
• Security Authorization Decision
• BC, COOP & DR Plans
• Updated backup processes
• After Action Review
• TT&E Plan
• Statement of residual risk
Phase 4: Operations / Maintenance
[Diagram: PM Life Cycle / SDLC / SSDLC phase map. Labels recovered: Maintenance; Operations & Maintenance; Closeout; Acceptance & Change Management; Disposition / Transition; Disposal.]
KEY PROCESSES
• Awareness Campaign
• Configuration Management
• Continuous Monitoring
• TT&E
• Change Control
• Incident Management
• Recertification/Acceptance
ARTIFACTS
• Evaluation/Impact of Changes
• Change Control Approvals
• Updated Security Documentation
• Continuous Monitoring Results
• Updated Authorization Pkg.
• Authority to Operate (Decision)
• Security Evaluations / Audits
• POA&M Review
• Exercise Schedule
• After Action Reviews
• Recoverability Statement
• BCP Evaluations / Audits
Phase 5: Disposal (Sunset)
[Diagram: PM Life Cycle / SDLC / SSDLC phase map. Labels recovered: Continuous Monitoring; Operations & Maintenance; Closeout; Acceptance & Change Management; Disposition / Transition; Disposal.]
KEY PROCESSES
• Disposal / Transition Planning (migration to new system)
• Ensure Information Preservation
• Media Sanitization
• Hardware/Software Disposal
• Control Catalog review
• Close System
• Business Link Analysis
  – Interdependencies
  – Enterprise BCP
  – Impact analysis
  – Review service agreements
ARTIFACTS
• Disposal/Transition Plan
• Hardware/Software Disposition
• Reallocation/Sanitization Records
• System Closure Documentation
• Information Archiving
• Update SLAs & MOUs
• Updated Security Controls
• Enterprise plan updates
  – Value Chains
  – BC, COOP & DR plans
• Updated BCP Controls
Mapping Risk Management to the SDLC
• Review Risk
• Assess controls
  – identify
  – document
  – implement
  – monitor
[Diagram: Enterprise Risk Management mapped onto the SSDLC phases. Labels recovered: Compliance; Information Systems Management; Financial Management; Risk Management; IT Alignment and Planning; IS Architecture; Risk Based Funding Requests; Enterprise Architecture & SDLC; Capital Planning and Investment; Information Security; Certification & Accreditation; Continuous Monitoring. Phase labels: Origination, Initiation, Planning, Execution, Closeout; Initiation, Acquisition/Development, Implementation/Assessment, Operations & Maintenance, Disposal; Initiation Risk Level & Security Planning; Security Requirements & Controls; Security Testing, Documentation, C&A; Acceptance & Change Management; Disposition / Transition.]
Further Observations
• All Processes and Artifacts are scalable
  – Preliminary Risk Assessment defines impact & requirements
  – “Right Size” for your project
  – Use common sense
• Business Continuity & Information Security interrelate
  – Common Purpose, Artifacts & Goals
  – Confidentiality
  – Integrity
  – Availability
Reflections on SEI | Carnegie Mellon
“The surest way to leave risks undocumented is to make the program risks accessible to all members.”
• An undocumented risk can get lost to everyone – far better to have risks documented privately than not documented at all.
• Engage a Security team early
  – Encourages work team agreements on risks and an end-point against which to identify and analyze
  – Provides a standard way of capturing (documenting) risks
  – Positions facilitators practiced and comfortable with writing risks in front of a group
• Support good risk identification
  – Encourage documentation of risks privately at the working team level
  – Integrate risk identification and management into normal project management
  – Accept any risk identified – don’t “vet them out”
  – Acknowledge that the program’s decision-makers are the real “risk managers,” and have the decision-makers step up to the job
CMMI Capability Maturity Model
More Information on CMMI: www.sei.cmu.edu/searchresults.cfm & www.sei.cmu.edu/cmmi/tools/dev/index.cfm
Benefits
• Advances the Organization along the CMM
  – Informed, Risk Management-based decisions
  – Improved organization and customer confidence
• Awareness campaigns
  – Education, ownership/adoption and usage
• Lower total effort & cost
  – Improved interoperability and integration
  – Early identification of controls
  – Proven methods and techniques
  – Reuse of strategies and tools
  – Shared security services
• Improved Security & Compliance Posture
Questions
Deborah Snyder, CISSP, GSLC, PMP
NYS Office of Temporary & Disability Assistance
(518) 473-3195
Mark Spreitzer, CBCP
CGI Group Inc.
(917) 304-1966