Proactive Lifecycle Security Management

OWASP Minneapolis St Paul Local Chapter, February 16th, 2009

TRANSCRIPT

Page 1: Proactive Lifecycle Security Management

OWASP Minneapolis St Paul Local Chapter

February 16th, 2009

Page 2: Survey

Which of the following is the responsibility of IT?
• System owner
• Data owner
• System custodian
• All of the above

True or False – The CIO/IT Director is responsible for accepting information and system security risks on behalf of the organization?

True or False – The individual in charge of information security is responsible for:
• Defining security controls
• Implementing security controls
• Managing security controls
• All of the above

Page 3: Setting the Stage

"In the last four years, approximately 250 million records containing personal identifiable information of United States residents stored in government and corporate databases were either lost or stolen. Since little attention was given to database breaches prior to 2005, it is safe to assume that every man, woman and child has had their personal information exposed at least once statistically."
Quote from InsideIDTheft.info

"Data theft and breaches from cybercrime may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage last year, according to a survey of more than 800 chief information officers in the U.S., United Kingdom, Germany, Japan, China, India, Brazil, and Dubai. The respondents estimated that they lost data worth a total of $4.6 billion and spent about $600 million cleaning up after breaches."
McAfee Report - "Unsecured Economies: Protecting Vital Information"

Page 4:

According to the Open Security Foundation's DATALOSSdb, this pie chart represents events involving the loss, theft, or exposure of personally identifiable information (PII) for 2008.

Page 5: No Lack of Publicity or Victims

Page 6: Customer loss following data breach

Source: PGP Corporation and the Ponemon Institute annual report - U.S. Cost of a Data Breach Study

Page 7: Cost of Data Breach

Source: PGP Corporation and the Ponemon Institute annual report - U.S. Cost of a Data Breach Study

Page 8: Cost of a Security Bug

Courtesy of SecurityCompass – presented at 2008 Minnesota Government IT Symposium

Non-Technical Costs = breach reporting, regulatory violation (penalties), legal fees

What is the reputational cost: ??????

Phase      | Non-Technical Cost                              | Technical Cost to Fix                                           | Total Cost
-----------|-------------------------------------------------|-----------------------------------------------------------------|-----------
Production | $166,272 for 1000 records                       | $8,500                                                          | $174,772
Test       | $1,500/vulnerability (prevent approx. 20 bugs)  | $2,125 (man-power, computer, testing, configuration management) | $3,625
Code       | $600                                            | $920 (dev, test)                                                | $1,520
Design     | $150/vulnerability (prevent approx. 100 bugs)   | $142 (developer, architect time)                                | $292

Page 9: Security Authorization Process Summary

Security authorization (formerly called certification and accreditation) ensures that on a near real-time basis, the organization's senior leaders understand the security state of the information system and explicitly accept the resulting risk to organizational operations and assets, individuals, and other organizations.

"An information system is authorized for operation at a specific point in time based on the risk associated with the current security state of the system."

Page 10: Who is this process targeted at?

• Business owners
• Data owners
• Personnel responsible for:
  • Development, acquisition and integration
  • System security
  • Security implementation and operations
• Auditors/assessors

Page 11: Security Authorization History

• Roots go back to 1983 Federal Information Processing Standard (FIPS) 102
• Known by many different names:
  • Certification & Accreditation (C&A)
  • National Information Assurance Certification & Accreditation Process (NIACAP)
  • Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
  • DOD Information Assurance Certification and Accreditation Process (DIACAP)
  • Director of Central Intelligence Directive (DCID) 6/3

Page 12: Key Definitions

Information System – A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information

Security Authorization – The testing and/or evaluation of management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting security requirements for the system

Security Control Assessment – The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system

Security Authorization Boundary – All components of an information system to be authorized for operation by an authorizing official; excludes separately authorized systems to which the information system is connected

Plan of Action and Milestones – A document that identifies tasks needing to be accomplished, resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones

Security Plan – Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements

List not all inclusive – See NIST SP 800-37, Appendix B for a more detailed list

Page 13: Key Process Players

Authorizing Official – A senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations, assets, individuals, and other organizations

Information (data) Owner – Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal

Information System Owner – Official responsible for the overall procurement, development, integration, modification, operation and maintenance of an information system

Information System Security Officer – Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program

Security Control Assessor – The individual, group or organization responsible for conducting a security control assessment

!!! Discussion Point: Conflicts of interest !!!

Page 14: Other Process Roles

• Common Control Provider
• Information System Security Engineer
• Chief/Corporate Security Officer
• Risk Executive Function

Page 15: Regulatory & Industry Requirements

• Payment Card Industry (PCI)
  • Requirement # 6 – Develop and maintain secure systems and applications
  • Requirement # 6.6 – Application security assessment
• Health Insurance Portability and Accountability Act (HIPAA)
  • §164.308 Administrative Safeguards (a)(1)(ii)(A) Risk Analysis
• Gramm-Leach-Bliley Act (GLBA)
  • Manage & Control Risk requirement
• Federal Financial Institutions Examination Council (FFIEC)
  • Information Security Booklet - Information Security Risk Assessment - Systems Development, Acquisition, and Maintenance
• Sarbanes-Oxley (SOX)
  • Section 404, Management Requirements
  • PCAOB Auditing Standard No. 2
• Federal Information Security Management Act (FISMA)
  • § 3544. Federal agency responsibilities
• IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies & Entities
  • CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures
• Federal Energy Regulatory Commission (FERC) – 18 CFR Part 40, Mandatory Reliability Standards for Critical Infrastructure Protection
  • CIP-007-1 – Cyber Security – Systems Security Management
• Government Accounting Office (GAO) Federal Information System Controls Audit Manual (FISCAM)
  • Chapter 4 - Evaluating and Testing Business Process Application Controls

Page 16: Standards

• ISO 27001 – Information Technology – Security Techniques – Information Security Management Systems - Requirements
  Control Objectives and Controls – Internal Organization
  • A.6.1.4 – Authorization process for information processing facilities
  • A.10.4 – System Acceptance
• Information Security Forum (ISF) – The Standard of Good Practice for Information Security
  • SD - Systems Development
• Control Objectives for Information and related Technology (COBIT)
  • AI2 – Acquire and Maintain Application Software
  • AI4 – Enable Operation and Use
  • AI6 – Manage Changes
  • AI7 – Install and Accredit Solutions and Changes

Page 17: Additional Benefits

• "Direct" business participation
• Pre-production security authorization = $avings
• Risk acceptance at the appropriate level of management
• Risks are documented and mitigated
• Business explicitly accepts residual risk and recommended security controls
• Standardization
  • Assessment, documentation and acceptance of security risks
  • Architecture and configuration documentation
  • Documentation (i.e. BCP/DR, policies, asset inventory, etc.)
• Unbiased security controls assessment

Page 18: Relationship to System Lifecycle

[Diagram] Dark gray = Acquisition Lifecycle Phases; Light gray = Development Lifecycle Phases

Page 19: Risk Management Framework

Security Authorization is part of a dynamic risk management process

Page 20: Security Authorization Process

RMF = Risk Management Function

Page 21: Preparation Phase

Categorize Information System
• Task 1: Describe the information system
  • Define system boundary
  • Document system in security plan
• Task 2: Register system in organization asset inventory
• Task 3: Determine security category and document in security plan
  • Organizational/business criticality
  • Relationship/impact to other systems
  • Classification of data processed by system

Security Control Selection
• Task: Select security controls and document in security plan
  • System specific (implemented), common (inherited) and/or hybrid controls
  • Controls used to manage system risk (i.e. management controls)
  • Automated system safeguards and countermeasures (i.e. technical controls)
  • Policy, standards, and procedural measures (i.e. operational controls)

Security Plan Approval
• Task: Review and approve the security plan

Page 22: Authorization Boundary

• Purpose = Reduce cost and complexity, and facilitate more targeted application of security controls
• Must be done before system categorization and security plan development
• Separation of large and complex systems into multiple components or sub-systems. Sub-systems…
  • include data, technology and personnel
  • should generally be under the same direct management control
  • have the same function or mission/business objective
  • have the same operating characteristics and information security needs
  • reside in the same general operating environment
  • reside in different locations with similar operating systems
• Software applications do not require a separate security authorization; rather, include them in the authorization boundary of the host system
• Use common sense

Page 23: System Security Plan

• Prepared and maintained by the information system owner
• Living document
• Provides overview of security requirements and description of security controls
• Should contain supporting appendices or reference appropriate sources
  • Risk assessments
  • System interconnection diagrams
  • Service level agreements
  • Data flow diagrams
  • Disaster recovery and contingency plans
  • Security configurations
  • Configuration management plan
  • Incident response plan
  • Applicable policies and procedures
  • Hardware and software inventories
• Should be updated whenever events impact agreed upon security controls
  • Vulnerability scan
  • New threat to system
  • Redefinition of business priorities/objectives
  • Addition of new hardware, software or firmware
  • Change to operating environment
  • Addition of new connections
  • Weaknesses or deficiencies discovered (before or after a breach)
• Classify accordingly

Page 24: Preparation Phase

Implement Security Controls
• Task 1: Implement security controls specified in security plan
• Task 2: Document "implemented" security controls in security plan
  • Functional description
  • Planned inputs
  • Expected behavior and outputs

Security Controls Assessment (examination, interview and test)
• Task 1: Select an assessor
• Task 2: Develop a plan to assess "all" security controls
• Task 3: Review and approve assessment plan
• Task 4: Obtain appropriate documentation needed to assess security controls
• Task 5: Perform assessment
• Task 6: Prepare preliminary assessment report
• Task 7: Review preliminary assessment report with system owner
• Task 8: Perform remediation actions
• Task 9: Assess remediated security controls
• Task 10: Update security assessment report and prepare executive summary
• Task 11: Update security plan
• Task 12: Prepare Plan of Action & Milestones

Page 25: Authorization - Execution Phase

Authorize Information System
• Task 1: Assemble authorization package to submit to authorizing official for approval
• Task 2: Determine the risk to the organization
• Task 3: Formally accept risk (authorization decision)
  • Compensating controls
  • Risk mitigation strategy
  • Residual risk
• Task 4: Prepare the security authorization decision and document
  • Authorization decision
  • Terms and conditions for the authorization
  • Authorization termination date

Page 26: Authorization Package

AUTHORIZATION PROCESS

Authorization Package:
• Security Assessment Report
• Security Plan
• Plan of Action & Milestones
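The assessment tasks on the previous slide and the three-part package on this one can be modelled end to end: the assessor's findings per control become the Security Assessment Report, every other-than-satisfied control gets a Plan of Action & Milestones entry, and a residual-risk rating is rolled up for the authorizing official. The following is an added example written for this transcript, not code from the presentation or from NIST. The control entries and findings are constructed sample data that borrow NIST SP 800-53 control identifiers; the severity scale, the remediation windows in SEVERITY_DAYS and the roll-up rule in residual_risk are assumptions, not part of the SP 800-37 process.

```python
"""Assemble an authorization package (security plan excerpt, assessment report,
POA&M, residual risk) from control assessment findings.

Added example, not code from the presentation. Sample data is constructed;
severity scale, remediation windows and risk roll-up are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Control:
    control_id: str      # e.g. "AC-2" (NIST SP 800-53 identifier)
    title: str
    kind: str            # "system-specific", "common" (inherited) or "hybrid"


@dataclass
class Finding:
    control_id: str
    satisfied: bool        # assessor's determination
    method: str            # "examine", "interview" or "test"
    weakness: str = ""     # description when not satisfied
    severity: str = "low"  # assumed scale: "low", "moderate", "high"


@dataclass
class PoamItem:
    control_id: str
    task: str
    resources: str
    milestones: list       # (milestone, date) pairs
    completion_date: date


SEVERITY_DAYS = {"high": 30, "moderate": 90, "low": 180}  # assumed windows
LEVELS = ["low", "moderate", "high"]


def assess(plan, findings):
    """Security assessment report summary. Findings for controls that are not
    in the plan are ignored: they lie outside the authorization boundary."""
    in_plan = {c.control_id for c in plan}
    report = {"satisfied": [], "other_than_satisfied": [], "not_assessed": []}
    for f in findings:
        if f.control_id not in in_plan:
            continue
        report["satisfied" if f.satisfied else "other_than_satisfied"].append(f)
    assessed = {f.control_id for f in findings}
    report["not_assessed"] = [c.control_id for c in plan if c.control_id not in assessed]
    return report


def build_poam(report, assessment_date):
    """One POA&M entry per other-than-satisfied control: task, resources,
    milestones and a scheduled completion date."""
    items = []
    for f in report["other_than_satisfied"]:
        due = assessment_date + timedelta(days=SEVERITY_DAYS[f.severity])
        items.append(PoamItem(
            control_id=f.control_id,
            task=f"Remediate: {f.weakness}",
            resources="system owner, ISSO",  # placeholder resource assignment
            milestones=[("remediation implemented", due - timedelta(days=7)),
                        ("control reassessed", due)],
            completion_date=due))
    return items


def residual_risk(report):
    """Assumed roll-up: the worst open finding sets the rating, and any control
    left unassessed raises it to at least moderate."""
    worst = max([LEVELS.index(f.severity) for f in report["other_than_satisfied"]], default=0)
    if report["not_assessed"]:
        worst = max(worst, 1)
    return LEVELS[worst]


def authorization_package(plan, findings, assessment_date):
    """The package submitted to the authorizing official (Task 1, page 25)."""
    report = assess(plan, findings)
    return {"security_plan": [c.control_id for c in plan],
            "assessment_report": report,
            "poam": build_poam(report, assessment_date),
            "residual_risk": residual_risk(report)}


# Constructed sample input
SAMPLE_PLAN = [
    Control("AC-2", "Account Management", "system-specific"),
    Control("IA-5", "Authenticator Management", "hybrid"),
    Control("CM-6", "Configuration Settings", "system-specific"),
    Control("CA-1", "Security Assessment and Authorization Policy", "common"),
]
SAMPLE_FINDINGS = [
    Finding("AC-2", True, "examine"),
    Finding("IA-5", False, "test", "password complexity not enforced", "moderate"),
    Finding("CM-6", False, "test", "baseline deviations on 3 of 12 servers", "high"),
    Finding("SC-7", True, "test"),  # not in the plan: outside the boundary
]


def sample_package():
    """Run the sample with the assessment dated to this presentation."""
    return authorization_package(SAMPLE_PLAN, SAMPLE_FINDINGS, date(2009, 2, 16))
```

Note that CA-1 is listed in the plan but never assessed: the report carries it under not_assessed and the roll-up refuses to rate the package below moderate, which is the kind of gap Task 2 on page 24 ("assess all security controls") is meant to close before the package reaches the authorizing official.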

Page 27: Continuous Monitoring - Maintenance Phase

Strategy: Maintain the security authorization for the system over time in a highly dynamic operational environment with changing threats, vulnerabilities, technologies and business processes

Objectives:
• Track the security "state" of a system on a continuous basis
• Ensure security controls are checked for effectiveness on an ongoing basis
• Address the security impact to systems when changes occur to hardware, software, firmware and operational environment
• Provide an effective process for updating security plans, security assessment reports and plans of action and milestones
• Security status reporting to authorizing official

Page 28: Continuous Monitoring

Program includes:
• Configuration management
• Security impact analysis on actual or proposed changes
• Assessment of selected controls
• Ongoing status reporting to appropriate levels of management
• Active involvement of Information System Owner, Security Control Assessor and Authorizing Official

Page 29: Continuous Monitoring Continues Until…

• Changes to the system have affected security controls in the system or introduced new vulnerabilities into the system, and;
• Organizational level risk to the business operations, assets or individuals has been affected, or;
• The authorization deadline has passed, then…

"Reauthorization begins!"

Page 30: Reauthorization

Reauthorization occurs at the discretion of the authorizing official in accordance with federal or organizational policy

Time Driven
• Authorization termination date has been reached

Event Driven
• Authorizing official changes
• Routine environment/system changes
• Significant environment/system changes (per NIST 800-37)
  • Installation of a new or upgraded operating system, middleware component or application
  • Modifications to system ports, protocols or services
  • Installation of a new or upgraded hardware platform or firmware component
  • Modifications to cryptographic modules or services
  • Changes in laws, directives, policies or regulations

NOTE: Event driven reauthorization should be avoided in situations where the continuous monitoring process provides the necessary and sufficient information to the authorizing official to manage the potential risk arising from significant environment or system changes.
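The triggers on this slide and the "until…" conditions on page 29 are a decision rule, and writing it down as code makes the NOTE concrete: a significant change whose impact continuous monitoring has already assessed and reported does not, by itself, start reauthorization. The following is an added example for this transcript, not code from the presentation or from NIST. The record layout, the change category names and the covered_by_monitoring flag are assumptions; the sample record is constructed.

```python
"""Evaluate time-driven and event-driven reauthorization triggers against a
system's authorization record.

Added example, not from the presentation. Record layout, category names and
the covered_by_monitoring flag are assumptions; sample data is constructed."""
from dataclasses import dataclass, field
from datetime import date

# Significant change categories listed on the slide (per NIST SP 800-37)
SIGNIFICANT_CHANGES = {
    "os_middleware_or_application_install_or_upgrade",
    "ports_protocols_or_services_modified",
    "hardware_or_firmware_install_or_upgrade",
    "cryptographic_module_or_service_modified",
    "laws_directives_policies_or_regulations_changed",
}


@dataclass
class Change:
    kind: str                            # a SIGNIFICANT_CHANGES key or "routine"
    description: str
    covered_by_monitoring: bool = False  # impact analysis already done and reported


@dataclass
class AuthorizationRecord:
    system: str
    authorizing_official: str
    termination_date: date               # from the authorization decision document
    changes: list = field(default_factory=list)


def reauthorization_triggers(rec, today, current_official):
    """Reasons reauthorization must begin; an empty list means the system
    stays under continuous monitoring."""
    reasons = []
    if today >= rec.termination_date:
        reasons.append("time-driven: authorization termination date reached")
    if current_official != rec.authorizing_official:
        reasons.append("event-driven: authorizing official changed")
    for ch in rec.changes:
        if ch.kind not in SIGNIFICANT_CHANGES:
            continue  # routine change: handled through configuration management
        if ch.covered_by_monitoring:
            continue  # per the NOTE: monitoring already informs the authorizing official
        reasons.append(f"event-driven: significant change not covered by monitoring ({ch.description})")
    return reasons


def monitoring_actions(rec):
    """Changes that do not force reauthorization but still need a security plan
    update and security impact analysis under the monitoring program."""
    return [ch.description for ch in rec.changes
            if ch.kind not in SIGNIFICANT_CHANGES or ch.covered_by_monitoring]


# Constructed sample record
SAMPLE_RECORD = AuthorizationRecord(
    system="example web portal",
    authorizing_official="J. Smith",
    termination_date=date(2010, 2, 16),
    changes=[
        Change("routine", "monthly OS patches"),
        Change("os_middleware_or_application_install_or_upgrade",
               "web tier OS upgrade", covered_by_monitoring=True),
        Change("cryptographic_module_or_service_modified", "replaced TLS library"),
    ],
)


def sample_decision(today_iso, current_official):
    """Run the sample record for a given date (ISO string) and official."""
    return reauthorization_triggers(SAMPLE_RECORD, date.fromisoformat(today_iso), current_official)
```

With the sample record, a check in June 2009 under the same authorizing official yields exactly one trigger (the cryptographic change that monitoring never covered); a check in March 2010 under a new official yields three, since the termination date has also passed.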

Page 31: Process Implementation

"Crawl before you walk, walk before you run"

• If you have to comply with FISMA, you must have a security authorization process in place
• Based on NIST SP 800-37
• Flexibility
• Even if you don't implement this process, consider the value of this process:
  • Pre-production assessment
  • Security plan
  • 3rd party assessment
  • Business involvement

Page 32: Where to get more information

I-Assure Forum
www.i-assure.com/forums/Default.aspx

NIST SP 800-37
http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf

Books
• FISMA Certification & Accreditation Handbook, by Laura Taylor (ISBN-10: 1597491160)
• Building and Implementing a Security Certification and Accreditation Program, by Patrick D. Howard (ISBN-10: 0849320623)

Page 33: 2009 Prediction

"More and more private sector companies and universities will have to comply with FISMA. Why? Many companies that are government contractors are being required to comply with FISMA already as a stipulation in their contracts with the government. Organizations that accept grants from the government are increasingly being required to comply with FISMA."

"FISMA 2008 will pass and government CISOs will become more empowered."

Laura Taylor, Founder of Relevant Technologies and author of the "FISMA Certification & Accreditation Handbook"

Page 34: Status of FISMA Related NIST Publications

• SP 800-30, Revision 1: Guide for Conducting Risk Assessments - FEBRUARY 2010
• SP 800-37, Revision 1: Guide for the Security Authorization of Federal Information Systems: A Security Life Cycle Approach - JUNE 2009
• SP 800-39: Managing Risk from Information Systems: An Organizational Perspective - JULY 2009
• SP 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems – DECEMBER 2009
• SP 800-CM: Guide for Security Configuration Management and Control (Publication number TBD) – NOVEMBER 2009

Page 35: Points to Remember

• Assess a defined environment (authorization boundary), not the world
• Security authorization is an ongoing process
• Security control assessors make recommendations; they do not accept risk or approve mitigating controls on behalf of the organization
• Risk acceptance is the sole responsibility of the authorizing official
• Reuse and share security control development, implementation, and assessment-related information to reduce cost and time
• An active continuous monitoring program reduces time and effort

Page 36: Let's try again!

Which of the following is the responsibility of IT?
• System owner
• Data owner
• System custodian
• All of the above

True or False – The CIO/IT Director is responsible for accepting information and system security risks on behalf of the organization?

True or False – The individual in charge of information security is responsible for:
• Defining security controls
• Implementing security controls
• Managing security controls
• All of the above

Page 37: Questions

Thank You!

Rick Ensenbach CISSP-ISSMP, CISA, CISM

[email protected]

651-201-2790