Systems Certification and Accreditation
Terms in this set (26)
Classes of security controls
Mechanical, Technical, Operational
Common controls
controls that provide a security capability for multiple information systems
System specific controls
controls that provide a security capability for a particular information system only
Relationships with external service providers
The growing dependence on external service providers and new relationships being forged with those providers present new and difficult challenges for the organization, especially in the area of information system security. These challenges include:
• Defining the types of external services provided to the organization
• Describing how the external services are protected in accordance with the security requirements of the organization
• Obtaining the necessary assurances that the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use of the external services is acceptable.
Compensating security controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST Special Publication 800-53, that provide equivalent or comparable protection for an information system.
Organization-Defined Security Control Parameters
explicit assignment and selection statements
Supplementing the Tailored Baseline
adding controls and/or control enhancements to address unique organizational needs based on a risk assessment (either formal or informal) and local conditions including environment of operation, organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances; and specifying minimum assurance requirements, as appropriate.
Monitoring Security Controls
RMF step 6: ongoing monitoring of the security controls, following the monitoring strategy
Information security measures
are used to facilitate decision making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data
• Can be obtained at different levels within the organization
• Are based on information security performance goals and objectives
• Monitor the accomplishment of goals and objectives
Information security measures
Increase accountability for information security
Improve information security effectiveness
Provide quantifiable inputs for resource allocation decisions
Information security measures
Types of measures
i. Implementation - Used to demonstrate progress in implementing information security programs, specific security controls, and associated policies and procedures
• Measurement percentages should reach and remain at 100 percent as the information security program matures.
ii. Effectiveness/Efficiency - Used to monitor if program-level processes and system-level security controls are implemented correctly, operating as intended, and meeting the desired outcome.
• Concentrate on the evidence and results of assessments
• Measure the robustness of a result (effectiveness) and the timeliness of a result (efficiency).
• Provide key information for information security decision makers about the results of previous policy and acquisition decisions.
iii. Impact - Used to articulate the impact of information security on an organization's mission. Depending upon the organization's mission, impact measures can be used to quantify:
• Cost savings produced by the information security program or through costs incurred from addressing information security events
• The degree of public trust gained/maintained by the information security program
• Other mission-related impacts of information security
Data Management Concerns with respect to measures
Data collection methods and data repositories used for measures data collection and reporting should be standardized to ensure the quality and validity of data. Not all information security data collected will be useful for an information security measurement program at any given point in time.
Information security performance measurement data repositories contain sensitive operational and vulnerability data. Therefore, repositories should be properly protected.
Information Security Measurement Program Scope
The scope of an information security measurement program should be defined based on specific stakeholder needs, strategic goals and objectives, operating environments, risk priorities, and program maturity.
FISMA (Federal Information Security Management Act)
FISMA requires an information security program that is commensurate with the sensitivity of the information it deals with.
It also requires agencies to assess and report their performance in implementing these programs. Its purpose is:
• Provide a framework ensuring effectiveness of security controls.
• Help manage and oversee coordination of information security efforts.
• Support the development of minimum security controls.
• Provide a mechanism for improved oversight.
• Acknowledge commercially developed information security products.
• Recognize that product selections should be made by individual agencies from among commercially available products.
GPRA (Government Performance Results Act)
The performance planning required by the GPRA culminates in an annual report outlining strategic plans and performance measures.
This process includes:
Define long-term and annual goals and objectives.
Set measurable targets for performance.
Report to the Office of Management and Budget (OMB).
Federal Enterprise Architecture
The executive branch from time to time will implement initiatives to monitor and improve the effectiveness of federal organizations.
FEA relies on information security measures.
One of its models is the Performance Reference Model (PRM), which is a standardized framework to measure the performance of major IT investments.
Measures development process (phases)
Phase 1 - Stakeholder Interest Identification
Phase 2 - Goals and Objectives Definition
Phases 5, 6, 7 - Measures Development and Selection
Stakeholders in measures development
Stakeholder interests will differ, depending on the information security aspects of their particular role
Interests may be determined through multiple venues such as interviews, brainstorming sessions, and mission statement reviews
In many cases stakeholders' interests are driven by laws and regulations
Stakeholders should be involved in each step of information security measures development to ensure organizational buy-in to the concept of measuring information security performance
The three measurable aspects of information security
Business impact, efficiency/effectiveness, and implementation
Sources that may contain information from which measures data can be generated
a. System Security Plans
b. Plan of Action and Milestones (POA&M) reports
c. Latest GAO and IG findings
d. Tracking of information security-related activities, such as incident handling and reporting, testing, network management, audit logs, and network and information system billing
e. Risk assessments and penetration testing results
f. C&A documentation (e.g., security assessment reports)
g. Continuous monitoring results
h. Contingency plans
i. Configuration management plans
j. Training results and statistics
POA&Ms...spell it out...know what it does
Plan of Action and Milestones
Phases of Information Security Measurement Implementation
1. Prepare for Data Collection
2. Collect Data and Analyze results
3. Identify Corrective actions
4. Develop Business Case
5. Obtain resources
6. Apply corrective actions
i. Then return to step 2 and repeat.
SDLC phases and Information Security
Roles and responsibilities regarding C&A
Chief Information Officer
The Chief Information Officer (CIO) has the following responsibilities related to information security measurement:
• Using information security measures to assist in monitoring compliance with applicable information security requirements;
• Using information security measures in annually reporting on effectiveness of the agency information security program to the agency head;
• Demonstrating management's commitment to information security measures development and implementation through formal leadership;
• Formally communicating the importance of using information security measures to monitor the overall health of the information security program and to comply with applicable regulations;
• Ensuring information security measurement program development and implementation;
• Allocating adequate financial and human resources to the information security measurement program;
• Reviewing information security measures regularly and using information security measures data to support policy, resource allocation, budget decisions, and assessment of the information security program posture and operational risks to agency information systems;
• Ensuring that a process is in place to address issues discovered through measures analysis and taking corrective actions such as revising information security procedures and providing additional information security training to staff; and
• Issuing policy, procedures, and guidelines to officially develop, implement, and institute measures.
Senior Agency Information Security Officer
• Integrating information security measurement into the process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the agency;
• Obtaining adequate financial and human resources to support information security measurement program development and implementation;
• Leading the development of any internal guidelines or policy related to information security measures;
• Using information security measures in support of the agency CIO's annual reporting to the agency head on the effectiveness of the agency's information security program, including progress of remedial actions;
• Conducting information security measures development and implementation;
• Ensuring that a standard process is used throughout the agency for information security measures development, creation, analysis, and reporting; and
• Using information security measures for policy, resource allocation, and budget decisions.
Program Manager/Information System Owner
• Participating in information security measurement program development and implementation by providing feedback on the feasibility of data collection and identifying data sources and repositories;
• Educating staff on the development, collection, analysis, and reporting of information security measures and how it will affect information security policy, requirements, resource allocation, and budget decisions;
• Ensuring that measurement data is collected consistently and accurately and is provided to designated staff who are analyzing and reporting the data;
• Directing full participation and cooperation of staff, when required;
• Reviewing information security measures data regularly and using it for policy, resource allocation, and budget decisions; and
• Supporting implementation of corrective actions, identified through measuring information security performance.
Information System Security Officer
• Participating in information security measurement program development and implementation by providing feedback on the feasibility of data collection and identifying data sources and repositories; and
• Collecting data or providing measurement data to designated staff that are collecting, analyzing, and reporting the data.
Briefly describe the requirements of the Federal Information Security Management Act (FISMA).
FISMA requires agencies to identify and assess risks to their information systems and define and implement appropriate security controls to protect their information resources. It also requires agencies to report quarterly and annually on the status of their information security programs.
List and/or briefly describe the phases of the information security measurement implementation.
1. Prepare for Data Collection
2. Collect Data and Analyze Results
3. Identify Corrective Actions
4. Develop Business Case
5. Obtain Resources
6. Apply Corrective Actions