SITE Course Intro - softwareAB


FITSP-A Module 4: Gap Analysis

Leadership

"For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations."

The National Strategy for Cyberspace Operations, Office of the Chairman, Joint Chiefs of Staff, U.S. Department of Defense

FITSP-A Exam Objectives

Data Security
- Review controls that facilitate the necessary levels of confidentiality of information found within the organization's information systems
- Evaluate safeguards in the system that facilitate the necessary levels of integrity of information found within information systems
- Audit controls that facilitate the necessary levels of availability of information and information systems

[Security Control] Planning
- Audit security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems
- Assess processes to handle the implementation of security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems

Gap Analysis Module Overview

Section A: Security Categorization
- FIPS 199: Security Categorization Standards
- SP 800-60: Mapping Types to Categories
- Subsection A.1: Special Types of Information
  - SP 800-59: National Security
  - SP 800-66: Health Information
  - SP 800-122: Personally Identifiable Information
Section B: Documentation
- System Security Plan
Section C: Security Control Baseline
- Subsection C.1: FIPS 200: Minimum Security Requirements
- Subsection C.2: SP 800-53: The Fundamentals
- Subsection C.3: Selecting Controls from 800-53
- Subsection C.4: Implementing Controls

Section A: SECURITY CATEGORIZATION

RMF Step 1: Categorize Information System
- Security Categorization
- Information System Description
- Information System Registration

FIPS 199 (Feb. 2004), Federal Information Processing Standards
- First step in the Security Authorization Process
- Security Standards for Categorization of Federal Information and Systems
- Requires a solid inventory of all systems on your networks
- Mandated by FISMA
- Security categories based on potential impact

Security Objectives under FISMA / Levels of Potential Impact

Impact on organizations, operations, assets, or individuals:
- Low: limited adverse effect (effectiveness reduced; minor damage, loss, or harm)
- Moderate: serious adverse effect (financial loss; harm to individuals)
- High: severe or catastrophic adverse effect (loss of life or mission capability)

Assignment of Impact Levels and Security Categorization

Knowledge Check
- Name the 3 tasks of the RMF Categorization step.
- Security categories are to be used in conjunction with what other information in assessing the risk to an organization?
- What is the first step to assigning impact levels for security categorization?
- What are the key words associated with the following impact levels? (Impact / Key Word(s): Low, Moderate, High)

1 - Identifying Information Types
- OMB's Business Reference Model: basis for identifying information types
- Four Business Areas / 39 Lines of Business

Mission-Based Information Types
- Services for Citizens (purpose of government)
- Mode of Delivery (to achieve purpose)
Management and Support Information Types
- Support Delivery of Services (necessary operational support): day-to-day activities necessary to provide the critical policy, programmatic, and managerial foundation that supports Federal government operations
- Management of Government Resources (resource management functions): back-office support activities enabling the Federal government to operate effectively

2 - Select Provisional Impact Level
- Information Types and Impact: Management and Support
- Information Types and Impact: Mission Specific

3 - Review Provisional Impact, Adjust/Finalize Impact Levels
- Review
- Adjust (based on special guidance from SP 800-60)

Guidelines for Adjusting System Categorization (SP 800-60)
- Aggregation
- Critical System Functionality
- Extenuating Circumstances
- Public Information Integrity
- Catastrophic Loss of System Availability
- Large Supporting and Interconnecting Systems
- Critical Infrastructures and Key Resources
- Trade Secrets
- Overall Information System Impact
- Privacy Information

4 - Assign System Security Category
- Review for aggregate information types
- Identify the high water mark based on the aggregate
- Adjust the high water mark as necessary
- Assign the overall information system impact level
- Document all security categorization determinations and decisions
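As an added example (not course material or any NIST tool), the four categorization steps above carried through in Python: step-2 provisional levels per information type, a step-3 adjustment with its rationale, the step-4 per-objective high water mark across the aggregated types with an optional aggregation-based adjustment, and the FIPS 199 SC notation plus a decision record for the SSP. The information types, their impact levels and the system name are constructed for illustration, not values from the SP 800-60 volumes.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

LEVELS = ("LOW", "MODERATE", "HIGH")          # FIPS 199 potential impact levels, in order
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass
class InfoType:
    """One information type: step-2 provisional levels plus any step-3 adjustment."""
    name: str
    provisional: Dict[str, str]                      # objective -> LOW/MODERATE/HIGH
    adjusted: Dict[str, str] = field(default_factory=dict)
    rationale: str = ""                              # documented reason for the adjustment

    def final(self) -> Dict[str, str]:
        levels = {**self.provisional, **self.adjusted}
        bad = [o for o in OBJECTIVES if levels.get(o) not in RANK]
        if bad:
            raise ValueError(f"{self.name}: missing or invalid impact for {bad}")
        return levels

def highest(levels: Iterable[str]) -> str:
    return max(levels, key=RANK.__getitem__)      # the high water mark of a collection

def high_water_mark(types: List[InfoType]) -> Dict[str, str]:
    """Step 4: per-objective high water mark across all aggregated information types."""
    if not types:
        raise ValueError("a system must carry at least one information type")
    return {o: highest(t.final()[o] for t in types) for o in OBJECTIVES}

def categorize(system: str, types: List[InfoType],
               aggregate_adjust: Optional[Dict[str, str]] = None,
               aggregate_rationale: str = "") -> dict:
    """Aggregate the types, apply any aggregation-based adjustment (e.g. many LOW
    records together warranting MODERATE), derive the overall impact level and
    keep a decision record to carry into the System Security Plan."""
    hwm = high_water_mark(types)
    category = dict(hwm)
    decisions = [f"{t.name}: {t.rationale}" for t in types if t.adjusted]
    for obj, lvl in (aggregate_adjust or {}).items():
        if obj not in OBJECTIVES or lvl not in RANK:
            raise ValueError(f"bad aggregate adjustment {obj}={lvl}")
        category[obj] = lvl
        decisions.append(f"aggregate/{obj}: {aggregate_rationale or 'no rationale recorded'}")
    sc = "SC {} = {{(confidentiality, {}), (integrity, {}), (availability, {})}}".format(
        system, *(category[o] for o in OBJECTIVES))
    return {"system": system, "high_water_mark": hwm, "category": category,
            "overall_impact": highest(category.values()), "sc": sc, "decisions": decisions}

# Constructed information types for a payroll-style system; the levels are illustrative,
# not values from the SP 800-60 volumes.
PAYROLL_TYPES = [
    InfoType("Time and attendance records",
             {"confidentiality": "LOW", "integrity": "MODERATE", "availability": "LOW"}),
    InfoType("Employee direct-deposit data (PII)",
             {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
             adjusted={"confidentiality": "HIGH"},
             rationale="SP 800-122 factors: large quantity of PII, bank account fields"),
    InfoType("Public payroll calendar",
             {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"}),
]
```

Calling categorize("HGA payroll (constructed)", PAYROLL_TYPES) yields a high water mark of HIGH/MODERATE/LOW and an overall impact of HIGH, driven entirely by the single adjusted PII type; note that CNSS 1253 national security systems do not use the high water mark at all.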

Subsection A.1: SPECIAL TYPES OF INFORMATION

Special Types of Information
- National Security (NS)
- Health Information (e-PHI, Electronic Protected Health Information)
- Personally Identifiable Information (PII)

National Security Systems: SP 800-59, Guideline for Identifying an Information System as a National Security System
- Involves intelligence activities
- Involves cryptologic activities related to national security
- Involves command and control of military forces
- Involves equipment that is part of a weapon system
- Is critical to military or intelligence missions

CNSS 1253: Security Categorization and Control Selection for National Security Systems
- Derives authority from National Security Directive 42 and CNSS Policy No. 22 (IARMP)
- Companion document to NIST SP 800-53
Distinctions of CNSS 1253
- High water mark not used
- Categorizations tailored through risk-based adjustment
- Supplements impact-level determinations with control profiles
- Member organizations practice reciprocity with respect to system certification
- Retention of CIA impact
- NSS organization-defined parameters supporting reciprocity

SP 800-66r1: Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
Applicable to covered entities:

- Covered healthcare providers
- Health plans
- Healthcare clearinghouses
- Medicare prescription drug card sponsors

Six Sections of the HIPAA Security Rule
- Security standards
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements
- Policies and procedures and documentation requirements

Security Rule Standards and Implementation Specifications (HIPAA Security Rule to 800-53r3 control crosswalk; (A) = addressable, (R) = required)

164.310(d)(2)(iii) | Accountability (A): Maintain a record of the movements of hardware and electronic media and any person responsible therefore. | CM-8, MP-5, PS-6
164.310(d)(2)(iv) | Data Backup and Storage (A): Create a retrievable exact copy of electronic protected health information, when needed, before movement of equipment. | CP-9, MP-4
164.312(a)(1) | Access Control (Required): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). | AC-1, AC-3, AC-5, AC-6
164.312(a)(2)(i) | Unique User Identification (R): Assign a unique name and/or number for identifying and tracking user identity. | AC-2, AC-3, IA-2, IA-3, IA-4
164.312(a)(2)(ii) | Emergency Access Procedure (R): Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. | AC-2, AC-3, CP-2

Related publications: NIST SP 800-12, NIST SP 800-14, NIST SP 800-21, NIST SP 800-34, NIST SP 800-53, NIST SP 800-63,

FIPS 140-2

Security Rules that Do Not Map to NIST Security Controls (HIPAA Security Rule to 800-53r3 control crosswalk)
164.314(b)(1) | Requirements for Group Health Plans: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508. | Does not map
164.314(b)(2)(i) | Group Health Plan Implementation Specification (R): The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to (i) implement safeguards that reasonably protect the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan. | Does not map
164.314(b)(2)(ii) | Group Health Plan Implementation Specification (R): The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to (ii) ensure that the adequate separation required by 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures. | Does not map

Related publications: NIST SP 800-35, NIST SP 800-39, NIST SP 800-47, NIST SP 800-61, NIST SP 800-64, NIST SP 800-100

Categorizing Privacy Information: New Guidance, SP 800-122
- Organizations should identify all PII residing in their environment
- Organizations should minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission
- Organizations should categorize their PII by the PII confidentiality impact level
- Each organization should decide which factors it will use for determining impact levels and then create and implement the appropriate policy, procedures, and controls

Factors for Categorizing PII
- Ability to identify
- Quantity of PII
- Data field sensitivity
- Context of use
- Obligations to protect confidentiality
- Access to and location of PII

Security Controls for PII
- Creating policies and procedures
- Conducting training
- De-identifying PII
- Using access enforcement
- Implementing access control for mobile devices
- Providing transmission confidentiality
- Auditing events (Windows Server 2008 R2)

Knowledge Check
- What is the basis for defining information types?
- The BRM describes [how many] business areas containing [how many] FEA lines of business.
- Which NIST document lists information types and their associated provisional impact level?
- List reasons for adjusting a system's provisional impact level.
- Which NIST Special Publication provides guidance for protecting PII?

Lab Activity 2: Categorizing Information Systems

[RMF cycle diagram: Step 1 Categorize Information System; Step 2 Select Controls; Step 3 Implement Controls; Step 4 Assess Controls; Step 5 Authorize Information System; Step 6 Monitor Controls]

[Lab diagram, HGA system boundaries: External Network (logical connection); HGA's Local Area Network, Washington, DC, with Time & Attendance Input Workstation; Externally Owned System Boundaries: Financial Distribution Service Provider, Kansas City (Payroll Application, Financial Distribution Application); IRS (Tax Payments); Various Banking Institutions for Employee Direct Deposits; FW&A Web Portal (Fraud, Waste & Abuse Reporting Database); Employee Payroll Database, Terremark Data Center, Culpeper, VA]

Section B: DOCUMENTATION

Documenting the Security Categorization Process

- Categorization determination
- Research
- Key decisions
- Approvals
- Supporting rationale

System Security Plan
- System name and identifier
- System categorization
- Rules of behavior
- System boundary
- Security control selection
- SSP reference
- Enhancements
- Business area
- Legislative mandates
- Time-critical information
- Provisional impact review
- Information type aggregate
- Special factors and circumstances
- Justification for elevated impact

Reuse of Categorization Information
- Business impact analysis
- Capital planning and investment control, and enterprise architecture
- System design
- Contingency and disaster recovery planning
- Information sharing and system interconnection agreements

Section C: SECURITY CONTROL BASELINE

Role in the RMF Process: RMF Steps 2 and 3, Select and Implement Security Controls
RMF Step 2: Select Controls
- Common control identification
- Security control selection
- Monitoring strategy
- Security plan approval
RMF Step 3: Implement Controls
- Security control implementation
- Security control documentation

Security Controls Standards and Guidelines
FIPS 200
- Purpose
- Information system impact levels
- Minimum security requirements
- Security control selection
SP 800-53r3
- Security control organization and structure
- Security control baselines
- Common controls
- Security controls in external environments
- Security control assurance
- Revisions and extensions
- Selecting security controls

Subsection C.1: FIPS 200

FIPS 200: Minimum Security Requirements
- Purpose
- Information system impact levels
- Minimum security requirements
- Security control selection
- Specifications for minimum security requirements

FIPS 200: Selecting Security Controls Using SP 800-53
- Achieve adequate security
- Control selection based on FIPS 199 impact level:
  - For low-impact information systems, organizations must employ appropriate controls from the low baseline of controls defined in NIST Special Publication 800-53.
  - For moderate-impact information systems, the moderate baseline.
  - For high-impact information systems, the high baseline.

Knowledge Check
- What is the most significant change, regarding security control selection, in the revision of SP 800-37?
- What are the factors that drive the level of effort for the selection and implementation of security controls?
- Security controls are organized by _________ and ___________.
- Identify the class for the following security controls (Control / Class): Access Control; Personnel Security; Planning

Subsection C.2: SP 800-53 FUNDAMENTALS

SP 800-53r3 Control Catalog: The Fundamentals
- Security control organization and structure
- Security control baselines
- Common controls
- Security controls in external environments
- Security control assurance
- Revisions and extensions
- Selecting security controls: selecting, tailoring, supplementing

Security Control Organization and Structure

Security Control Baselines
- Starting point for the security control selection process
- Three sets of baseline controls based on information impact: Low, Moderate, High
- Supplements to the tailored baseline will likely be necessary

Common Controls
- Inheritable
- Organization-wide exercise
- Common control candidates: contingency planning, incident response, security training and awareness, personnel security, physical and environmental protection, intrusion detection
- System-specific controls
- Hybrid controls

Security Controls in External Environments
- Used by, but not part of, organizational information systems
- May completely replace functionality of internal information systems
- Information system security challenges: defining services, securing services, obtaining assurances of acceptable risk
- Trust relationships and chain of trust
- Applying gap analyses to external service providers

Security Control Assurance

Revisions and Extensions of the Control Catalog
- Experience gained from using controls
- Changing security requirements
- Emerging threats, vulnerabilities, and attack methods
- Availability of new technologies

Subsection C.3: SP 800-53 SELECTING SECURITY CONTROLS

Selecting Security Controls
- Selecting the initial set of baseline security controls
- Tailoring the baseline security controls
- Supplementing the tailored baseline

Tailoring Security Controls
- Scoping guidance
- Compensating security controls
- Organization-defined parameters

Scoping Guidance Considerations
- Common control-related
- Security objective-related
- Technology-related
- Physical infrastructure-related
- Policy/regulatory-related
- Operational/environmental-related
- Scalability-related
- Public access-related
Implement only those controls that are essential to providing the appropriate level of protection.

Compensating Security Controls
- Used in lieu of a recommended control
- Control not available
- Provides supporting rationale
- Risk accepted with compensating control

Supplementing Security Controls
- Advanced persistent threat
- Cross-domain services
- Mobility
- Highly sensitive information and information sharing
- Application-layer security

Knowledge Check
- There are three levels of baseline controls that are defined by the _____________ of the information system.
- What are security controls that are inheritable by one or more organizational information systems?
- What are the two key components of information security affecting the trustworthiness of information systems?
- What kind of security control is a management, operational, or technical control employed by an organization in lieu of a recommended security control?

Subsection C.4: IMPLEMENTING CONTROLS

Implementing Controls (sample control implementation record)

CNTL NO: SI-3
CNTL NAME: Malicious Code Protection
CC Provider: Systems Integrity Division
CNTL Implementation: Symantec Endpoint Protection v.11. The AntiVirus Program provides anti-virus software support to Domestic Bureaus, Consular and Executive Offices, IRM Systems Managers, Overseas Posts and Tenant Organizations Department-wide. Fortinet FortiMail, FortiGate, Trend Micro ScanMail: to protect the network backbone infrastructure, i.e., e-mail gateways and Windows Exchange Servers, from penetration by hostile hacker software tools, the Department implemented network "on the fly" anti-virus software support.
Platforms: The contract with the Symantec Corporation for Symantec Endpoint Protection (SEP) supports the following operating system platforms: Windows File and Exchange Servers, and client workstations, Current Operating Systems (Windows NT, 2000, XP, 2003, Vista). Implemented network antivirus software support using: Fortinet FortiMail (SMTP, Spam, Phishing); Fortinet FortiGate (SMTP, FTP and HTTP Scanning); Trend Micro ScanMail for Microsoft Exchange Servers (SMTP, Spam, Content Filtering).
Monitoring Strategy: Anti-virus signature file age detection is provided by SMS. The date on the signature file is compared to the current date. There is no score until a grace period of 6 days has elapsed. Beginning on day 7, a score of 6.0 is assigned for each day since the last update of the signature file. In particular, on day 7 the score is 42.0.

Gap Analysis Key Concepts and Vocabulary
Security Categorization
- FIPS 199: Security Categorization Standards
- SP 800-60: Mapping Types to Categories
- Categorizing Privacy Information: SP 800-122, Protecting PII
Documentation
- System Security Plan
Security Control Baseline
- FIPS 200: Minimum Security Requirements
- SP 800-53: The Fundamentals
- Selecting Controls from 800-53
- Implementing Controls

Lab Activity 3: Selecting and Implementing Baseline Controls

[RMF cycle diagram: Step 1 Categorize Information System; Step 2 Select Controls; Step 3 Implement Controls; Step 4 Assess Controls; Step 5 Authorize Information System; Step 6 Monitor Controls]

Questions?

Next Module: Control Assessment
