Dangers of Peer to Peer

Cybersecurity Summit 2004
Andrea Norris
Deputy Chief Information Officer / Director of Division of Information Systems

Federal Information Security Management Act (FISMA) Overview
“Each Federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…”
-- Federal Information Security Management Act of 2002
Legislation and Policy
• Public Law 107-347 (Title III)
– Federal Information Security Management Act of 2002 (FISMA) (December 2002) http://www.fedcirc.gov/library/legislation/FISMA.html
• Office of Management and Budget Circular A-130 (Appendix III)
– Security of Federal Automated Information Resources (February 1996) http://www.whitehouse.gov/omb/circulars/a130/appendix_iv.pdf
• National Institute of Standards and Technology (NIST) Special Publication Guidance
– Special Publications at http://csrc.nist.gov/publications/nistpubs/
• National Science Foundation Information Security Handbook – Manual 7 (April 2004)
– http://www.inside.nsf.gpv/oirm/dis/itsecur/docs/securityhb.pdf
Information Security Program Elements
Reference: FISMA
• Periodic assessments of risk
• Security policies and procedures
• Security planning for networks and information systems
• Security awareness training for employees and contractors
• Periodic testing and evaluation of security practices annually
• Plans for continuity of operations and disaster recovery
• Procedures for detecting and reporting security incidents
• Process to document and address security weaknesses
• Report security status to Congress annually
Key Definitions
Reference: OMB A-130 Appendix III
• General Support System (GSS, i.e. LAN)
– An interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, application, communications, and people.
• Major Application
– Application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
• Application
– The use of information resources to satisfy a specific set of user requirements.
Key NIST Publications
• 800-12 Introduction to Computer Security: The NIST Handbook
• 800-18 Guide for Developing Security Plans
• 800-26 Security Self Assessment
• 800-30A Risk Management Guide
• 800-34 Contingency Planning Guide
NSF Information Security Handbook
• Management Control Procedures
– Risk Management, Security Control Review, Life Cycle, Security Planning
• Operational Control Procedures
– Personnel, Physical, Contingency Planning, HW/SW, Training, Incident Response
• Technical Control Procedures
– Identification and Authentication, Logical Access Controls, Audit Trails
• Appendices with Report Templates
– Security & Contingency Plans, Risk Assessment
NSF Keys to Success
• Top Down Commitment to Security as a Strategic Priority
• Comprehensive Security Program
• Sustained Levels of Investment
• Performance Goals and Measures
NSF IT Security Program
(Diagram: Security, defined by Confidentiality, Integrity and Availability, supporting an Open Collaborative Environment for Research and Discovery)
Risk Management Approach
Risks are assessed, understood and appropriately mitigated
Security Management Structure
(Organization chart, top to bottom)
• NSF Director
• CIO
• Sr. Agency Information Security Officer
• Security Working Group
• DIS Security Officer
• Program Office Security Liaisons
• NSF Employees and Contractors
• NSF Customers and Stakeholders
NSF IT Security Program
(Diagram: components of the NSF IT Security Program)
• Vulnerability Assessment & Penetration Tests
• Intrusion Detection & CIRT
• Policies, Procedures & Plans
• Certification & Accreditation
• Security Assessments, Audits & Controls
• Security Awareness Training
Layered Approach
Protecting Critical Assets Requires Layered Proactive Controls, Monitoring the Environment and Reactive Functions for Effective Response
(Diagram; controls cited only as examples)
• Proactive Measures (Protect)
– Deter, e.g., Warning Banner
– Detect, e.g., Intrusion Detection
– Delay, e.g., Firewall
– Defend, e.g., Encryption
– Deny, Defeat
• Monitoring of Critical Data, Information, & Systems
• Event
• Reactive Functions (Detect, React)
– CIRT
– Forensics
– BCP/COOP
Defense in Depth
Escalation by Severity
Management Controls
• Management Structure, Roles and Responsibilities
• Policy and Procedures
• System Inventory
• Security Reviews, Assessments, and Plans
• Certification and Accreditation
• Agency-Level Plan of Action and Milestones
• Security Awareness and Training
Technical and Operational Controls
• Connectivity Standards
• External and Internal Networks
• Firewall Architecture
• Intrusion Detection
• Vulnerability Scans
• Penetration Tests
• Patch Management
• Laptop Scanning
• Anti-Virus Protection
• Continuity of Operations, Contingency, and Disaster Recovery
The Visible and Known Establishes Confidence
Lesson Learned – Security is a Continuous Process
Security is a continuous process of evaluation and monitoring
(Cycle diagram: Plan, Design, Implement, Run, Assess)
• Plan
– Strategy: Business Continuity, Solution Planning, Resource Allocation
• Design
– Policy, Standards, Enterprise Architecture, Configuration Standards
• Implement
– Product Selection, Product Implementation, Centralized Security Mgt.
• Run
– Managed Security Services: Intrusion Detection, Firewall Management, Incident Reporting, Vulnerability Scan
• Assess
– Assessments: Risk – Threats, Privacy, Security Test & Eval., Compliance
Challenges
• Changing Threat Environment
• Cultural Change
– Awareness and Education
• Security Investment