Page 1: Information Security and Risk Management A Plan for Success.
Page 2: Information Security and Risk Management A Plan for Success.

Information Security and Risk Management

A Plan for Success

Page 3: Information Security and Risk Management A Plan for Success.

Is Your Information Security Model a House of Cards or a Fortress?

Page 4: Information Security and Risk Management A Plan for Success.

Copyright 2007 Stevens Technologies, Inc.

House of Cards

Information security implementation is “ad hoc”.

The latest media buzz is the focus of information security implementation.

Information system characterization is not complete.

The full set of hardware, software, system interfaces, people, and data processed may not have been identified or may not be known.

No prior risk assessment has been completed.

Page 5: Information Security and Risk Management A Plan for Success.

Fortress

System boundaries are clearly documented.

Data processed by the system has been characterized by criticality in terms of confidentiality, integrity, and availability.

A list of potential vulnerabilities has been assembled from previous risk assessments.

A list of current and planned controls has been identified and documented.

A likelihood rating has been assigned to each threat source/vulnerability pair.

A business impact assessment has been conducted.

Risk and the associated risk levels are a precursor of control implementation.

Control effectiveness is monitored for continued applicability and organizational compliance.

Page 6: Information Security and Risk Management A Plan for Success.

Organizations are implementing information security without a plan.

Risk – Do you really know your vulnerabilities?

– Does it matter that you don’t have full disk encryption on a laptop used for field work?

– Is a password protection mechanism needed for a wireless network where the password is posted on all the walls?
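The Fortress slide lists the steps (likelihood rating per threat source/vulnerability pair, business impact assessment, risk level before control implementation) without showing how a risk level is derived, and the questions above are the kind of pair that gets rated. The script below is an added example, not part of the presentation: it applies the qualitative likelihood × impact matrix of NIST SP 800-30 (2002), Table 3-6, which the slides do not reproduce and which is therefore an assumption here, and ranks constructed pairs (two of them taken from the slide's laptop and wireless questions) so that control implementation follows risk level.

```python
"""Risk-level determination for threat-source/vulnerability pairs.

Added example, not from the presentation. Matrix assumed from NIST SP 800-30
(2002), Table 3-6: likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact
High = 100, Medium = 50, Low = 10; risk is High above 50, Medium above 10
up to 50, Low otherwise. All pairs below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple

LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass(frozen=True)
class Pair:
    threat_source: str
    vulnerability: str
    likelihood: str   # rating assigned to the threat-source/vulnerability pair
    impact: str       # from the business impact assessment
    control: str      # current or planned control


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood weight times impact magnitude; an unrated pair raises KeyError."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map the numeric score onto the SP 800-30 risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def prioritize(pairs: List[Pair]) -> List[Tuple[str, float, Pair]]:
    """(level, score, pair) rows, highest risk first: the order in which controls get implemented."""
    scored = []
    for p in pairs:
        score = risk_score(p.likelihood, p.impact)
        scored.append((risk_level(score), score, p))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample pairs (two drawn from the slide's own questions).
SAMPLE_PAIRS = [
    Pair("Laptop thief", "No full disk encryption on a field laptop", "High", "High",
         "Full disk encryption on all field laptops"),
    Pair("Visitor on premises", "Wireless password posted on the walls", "High", "Medium",
         "Rotate the key; stop posting it"),
    Pair("Former employee", "Inactive accounts never disabled", "Medium", "Medium",
         "Automatic disable of inactive accounts"),
    Pair("Power outage", "No UPS on a development test box", "Low", "Low",
         "Accept the risk"),
]

if __name__ == "__main__":
    for level, score, p in prioritize(SAMPLE_PAIRS):
        print(f"{level:6} {score:5.0f}  {p.vulnerability} -> {p.control}")
```

The ranking is what the Fortress slide calls the precursor of control implementation: the encrypted-laptop control is justified by its High rating, while the UPS on a test box lands at Low and can be consciously accepted rather than funded.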

Page 7: Information Security and Risk Management A Plan for Success.

How are you doing without a plan?

Many organizations say that they don’t want to waste money on C&A (certification and accreditation); they want to implement real security.

“We don’t have money to develop a plan.”

Page 8: Information Security and Risk Management A Plan for Success.

Reason for Information Security

Everyone else is doing it.

Industry best practices.

Compliance.

Justification of the cost of a new $100,000.00 technology toy may emerge from an information system risk assessment.

Page 9: Information Security and Risk Management A Plan for Success.

Building a Foundation

Risk Assessment is the cornerstone of a strong information security foundation.

[Figure: foundation blocks labelled “risk” and “assessment”]

Page 10: Information Security and Risk Management A Plan for Success.

Questions to Consider

Who are valid users?

What is the mission of the user organization?

What is the purpose of the system in relation to the mission?

How important is the system to the user organization’s mission?

What is the system availability requirement?

What information is required by the organization?

What information is generated by, consumed by, processed on, stored in, and retrieved by the system?

How important is the information to the user organization’s mission?

What are the paths of information flow?

What types of information are processed by and stored on the system?

What is the sensitivity level of the information?

What information handled by or about the system should not be disclosed, and to whom?

Where specifically is the information processed and stored?

What are the types of information storage?

What is the potential impact on the organization if the information is disclosed to unauthorized personnel?

What are the requirements for information integrity and availability?

What is the effect on the organization’s mission if the system or information is not reliable?

How much system downtime can the organization tolerate? How does this compare to mean repair/recovery time?

What other processing or communication options can the user access?

Could a system or security malfunction or unavailability result in injury or death?

Page 11: Information Security and Risk Management A Plan for Success.

A System Security Plan Template: The Overview

Information System Name/Title

Information System Type
– Major Application – Mission Essential
– Major Application – NOT Mission Essential
– General Support System

Information System Security Categorization
– FIPS 199

Operational Status
– Operational, under development, undergoing a modification

Page 12: Information Security and Risk Management A Plan for Success.

FIPS 199 Categorization: LOW

– The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

– A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

Page 13: Information Security and Risk Management A Plan for Success.

FIPS 199 Categorization: MODERATE

– The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

– A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

Page 14: Information Security and Risk Management A Plan for Success.

FIPS 199 Categorization: HIGH

– The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

– A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

Page 15: Information Security and Risk Management A Plan for Success.

A System Security Plan Template: The Overview

Information System Name/Title

Information System Type
– Major Application – Mission Essential
– Major Application – NOT Mission Essential
– General Support System

Information System Security Categorization
– FIPS 199

Operational Status
– Operational, under development, undergoing a modification

Page 16: Information Security and Risk Management A Plan for Success.

Information Types

Information Type | Confidentiality | Integrity | Availability
Type of information (reference to guidance) | LOW/MOD/HIGH | LOW/MOD/HIGH | LOW/MOD/HIGH
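The table gives one row per information type but does not show how the rows combine into the system's FIPS 199 categorization on the template's overview page. The script below is an added example, not from the presentation: it applies the FIPS 199 aggregation rule, which is an assumption about material the slides only name (per security objective, the system takes the highest impact of any information type it handles; the highest of the three objectives is then the overall category used to select a control baseline). The rows, and the "SP 800-60" guidance reference in them, are constructed sample entries for the slide's table.

```python
"""FIPS 199 security categorization from an Information Types table.

Added example, not part of the presentation. Aggregation rule assumed from
FIPS 199: high-water mark per objective, then across objectives.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

LEVELS = ("LOW", "MOD", "HIGH")          # the slide's notation; MOD = MODERATE
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")
FULL_NAME = {"LOW": "LOW", "MOD": "MODERATE", "HIGH": "HIGH"}


def normalize(level: str) -> str:
    """Accept LOW/MOD/MODERATE/HIGH in any case. An empty or unknown cell is an
    error: an uncharacterized objective must not silently default to LOW."""
    lvl = level.strip().upper()
    if lvl == "MODERATE":
        lvl = "MOD"
    if lvl not in RANK:
        raise ValueError(f"not a FIPS 199 impact level: {level!r}")
    return lvl


@dataclass(frozen=True)
class InformationType:
    name: str
    guidance: str            # the table's "reference to guidance" column
    confidentiality: str
    integrity: str
    availability: str


def categorize(info_types: Iterable[InformationType]) -> Dict[str, str]:
    """Return the per-objective impact levels plus the overall 'system' level."""
    rows: List[InformationType] = list(info_types)
    if not rows:
        raise ValueError("no information types characterized; the system cannot be categorized")
    result: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = [normalize(getattr(r, objective)) for r in rows]
        result[objective] = max(levels, key=RANK.__getitem__)   # high-water mark per objective
    result["system"] = max((result[o] for o in OBJECTIVES), key=RANK.__getitem__)
    return result


def sc_notation(name: str, cat: Dict[str, str]) -> str:
    """Render a categorization in the SC = {(objective, impact), ...} form FIPS 199 uses."""
    parts = ", ".join(f"({o}, {FULL_NAME[cat[o]]})" for o in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


# Constructed sample rows (the guidance reference is an assumed citation).
SAMPLE_TYPES = [
    InformationType("Public web content", "SP 800-60 Vol. II (assumed)", "LOW", "MOD", "LOW"),
    InformationType("Field survey records with PII", "SP 800-60 Vol. II (assumed)", "moderate", "MOD", "LOW"),
    InformationType("Dispatch and safety alerts", "SP 800-60 Vol. II (assumed)", "LOW", "HIGH", "HIGH"),
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(sc_notation(t.name, categorize([t])))
    overall = categorize(SAMPLE_TYPES)
    print(sc_notation("field system", overall), "-> control baseline:", overall["system"])
```

The point of the per-objective result is that it survives into the plan: a system whose confidentiality is only MODERATE but whose availability is HIGH is categorized HIGH overall, and that single word is what later selects the control baseline (for example which AC-2 enhancements apply).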

Page 17: Information Security and Risk Management A Plan for Success.

Key Stakeholders

 | Information System Owner | Authorizing Official | Other Designated Contact | Assignment of Security Responsibility
Name | | | |
Title | | | |
Organization | | | |
Address | | | |
Phone | | | |
Email | | | |

Page 18: Information Security and Risk Management A Plan for Success.

System Background

General Description

Purpose

Function

Capabilities

Page 19: Information Security and Risk Management A Plan for Success.

User Community

User Type | Purpose | Type of Data Accessed

Page 20: Information Security and Risk Management A Plan for Success.

Hardware

Hardware | Model Number | Network ID | Standard Configuration

Software

Software | OS/Application | Version | Standard Configuration

Page 21: Information Security and Risk Management A Plan for Success.

Interfaces

System Name | Organization | Type Agreement ISA/MOA | Date | FIPS 199 Category | C&A Status | Authorizing Official

Page 22: Information Security and Risk Management A Plan for Success.

Laws/Regulations/Policies

HIPAA

Homeland Security Directive #

Any other applicable laws/regulations/policies

Page 23: Information Security and Risk Management A Plan for Success.

Control Descriptions

Control number

Control name

Control description

Implementation detail

Reason for not implementing control

Entity-level controls versus system-level controls.

Page 24: Information Security and Risk Management A Plan for Success.

AC-2 ACCOUNT MANAGEMENT

– Control: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency].

– Supplemental Guidance: Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The organization identifies authorized users of the information system and specifies access rights/privileges. The organization grants access to the information system based on: (i) a valid need-to-know that is determined by assigned official duties and satisfying all personnel security criteria; and (ii) intended system usage. The organization requires proper identification for requests to establish information system accounts and approves all such requests. The organization specifically authorizes and monitors the use of guest/anonymous accounts and removes, disables, or otherwise secures unnecessary accounts. The organization ensures that account managers are notified when information system users are terminated or transferred and associated accounts are removed, disabled, or otherwise secured. Account managers are also notified when users’ information system usage or need-to-know changes.

– Control Enhancements:
(1) The organization employs automated mechanisms to support the management of information system accounts.
(2) The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
(3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
(4) The organization employs automated mechanisms to ensure that account creation, modification, disabling, and termination actions are audited and, as required, appropriate individuals are notified.

Baseline: LOW – AC-2; MOD – AC-2 (1) (2) (3); HIGH – AC-2 (1) (2) (3) (4)
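The control text above says what an account review must catch, and the baseline line says which enhancements apply at each FIPS 199 level, but the slide stops short of showing the review itself. The script below is an added example, not code from the presentation or from NIST: an automated review in the sense of AC-2(1) that checks terminated users and unauthorized guest accounts against the base control, expired temporary/emergency accounts against AC-2(2), inactive accounts against AC-2(3), and emits audit and notification records for AC-2(4), with the set of checks selected from the slide's LOW/MOD/HIGH mapping. The organization-defined time periods, the account records, the terminated-user list and the review date are constructed sample values; exempting service accounts from the inactivity rule is a policy choice made here, not part of the control.

```python
"""Automated AC-2 account review. Added example, not the presentation's or
NIST's code. Baseline mapping from the slide: LOW = AC-2, MOD = AC-2 (1)(2)(3),
HIGH = AC-2 (1)(2)(3)(4). Periods and records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

BASELINE = {"LOW": set(), "MOD": {1, 2, 3}, "HIGH": {1, 2, 3, 4}}

# Organization-defined parameters (constructed; the control leaves the values to the organization).
TEMP_ACCOUNT_LIFETIME = {"temporary": timedelta(days=30), "emergency": timedelta(days=2)}
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    user: str
    kind: str                            # individual / group / system / temporary / emergency / guest
    created: date
    last_login: Optional[date]           # None = never used
    authorized_by: Optional[str] = None  # approver of record; required for guest accounts


@dataclass(frozen=True)
class Finding:
    user: str
    control: str   # base control or enhancement that is not satisfied
    reason: str


def findings_for(a: Account, terminated: Set[str], today: date, enhancements: Set[int]) -> List[Finding]:
    """All AC-2 conditions the account fails, limited to the checks in the baseline."""
    out: List[Finding] = []
    if a.user in terminated:
        out.append(Finding(a.user, "AC-2", "user terminated or transferred; remove, disable, or otherwise secure"))
    if a.kind == "guest" and a.authorized_by is None:
        out.append(Finding(a.user, "AC-2", "guest/anonymous account without specific authorization"))
    if 2 in enhancements and a.kind in TEMP_ACCOUNT_LIFETIME:
        limit = TEMP_ACCOUNT_LIFETIME[a.kind]
        if today - a.created > limit:
            out.append(Finding(a.user, "AC-2(2)", f"{a.kind} account exceeded its {limit.days}-day lifetime"))
    # Service accounts are exempted from the inactivity rule (policy choice made in this example).
    if 3 in enhancements and a.kind != "system":
        idle = today - (a.last_login or a.created)
        if idle > INACTIVITY_LIMIT:
            out.append(Finding(a.user, "AC-2(3)", f"inactive for {idle.days} days (limit {INACTIVITY_LIMIT.days})"))
    return out


def review(accounts: List[Account], terminated: Set[str], today: date, category: str) -> Tuple[List[Finding], List[str]]:
    """Run the review for a FIPS 199 category; return findings and action/audit records.

    With AC-2(1) in the baseline the mechanism disables the account itself, otherwise it
    queues it for the account manager; AC-2(4) adds a notification record per action.
    """
    enhancements = BASELINE[category]
    findings: List[Finding] = []
    actions: List[str] = []
    for a in accounts:
        for f in findings_for(a, terminated, today, enhancements):
            findings.append(f)
            verb = "DISABLE" if 1 in enhancements else "REVIEW"
            actions.append(f"{today.isoformat()} {verb} {f.user} [{f.control}] {f.reason}")
            if 4 in enhancements:
                actions.append(f"{today.isoformat()} NOTIFY account-manager: {verb} {f.user} [{f.control}]")
    return findings, actions


# Constructed sample data.
TODAY = date(2007, 6, 1)
TERMINATED_USERS = {"carol"}
SAMPLE_ACCOUNTS = [
    Account("alice", "individual", date(2006, 1, 10), date(2007, 5, 30)),
    Account("bob", "individual", date(2006, 3, 2), date(2007, 1, 15)),      # idle 137 days
    Account("carol", "individual", date(2005, 8, 1), date(2007, 5, 20)),    # terminated
    Account("contractor1", "temporary", date(2007, 4, 1), date(2007, 5, 29)),  # 61 days old
    Account("ir-oncall", "emergency", date(2007, 5, 31), date(2007, 5, 31)),
    Account("backup-svc", "system", date(2004, 1, 1), None),
    Account("guest-lobby", "guest", date(2007, 2, 1), date(2007, 5, 31)),   # no approver
]

if __name__ == "__main__":
    for category in ("LOW", "MOD", "HIGH"):
        found, acts = review(SAMPLE_ACCOUNTS, TERMINATED_USERS, TODAY, category)
        print(f"{category}: {len(found)} finding(s)")
        for line in acts:
            print("  ", line)
```

Running it at LOW produces only the base-control findings (the terminated user and the unapproved guest account) queued for manual action; at MOD the expired temporary account and the idle user are added and the mechanism disables them itself; at HIGH every action also generates the notification record that AC-2(4) requires. The same review thus documents, per baseline, exactly which part of the control the "automated mechanism" line of the SSP's implementation detail refers to.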

Page 25: Information Security and Risk Management A Plan for Success.

A Complete Package

Risk Assessment

SSP (System Security Plan)

COOP (Continuity of Operations Plan)

Security Assessment Report

POA&M (Plan of Action and Milestones)

Page 26: Information Security and Risk Management A Plan for Success.

Updates

Controls Change

Application Changes

Assessment Finding

Annual Review

Page 27: Information Security and Risk Management A Plan for Success.

Risk Management Cycle

[Figure: a cycle with three stages: Evaluate, Monitor, Identify]

Page 28: Information Security and Risk Management A Plan for Success.

A Fortress

Page 29: Information Security and Risk Management A Plan for Success.

Questions?

Sarah Stevens, President
Stevens Technologies, Inc.
PO Box 691682
Mint Hill, NC 28227
(704) 625-8842
[email protected] (stevens-technologies.com)