Federal IT Security Professional
FITSP-M
Module 1
Federal IT Security Professional Manager
Leadership
Only through diligence and a well-trained workforce will we be able to adequately defend the nation's vital information resources.
- Michael V. Hayden
CNSS Secretariat
Overview
Section A: Objectives, Expectations, & Introductions
– FISMA Compliance Defined
– Expectation & Goals
– Target Audience
– Introductions
Section B: Security Certifications Exams
– Federal IT Security Institute
– FITSP – Manager Certification
Section C: FITSP-M Courseware Logistics
– Course Outline
– Course Materials
– Course Evaluation
Section A
OBJECTIVES, EXPECTATIONS, & INTRODUCTIONS
In Accordance with FISMA…
The Secretary of Commerce shall, on the basis of standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to federal information systems.
FISMA requires that federal agencies comply with FIPS standards.
Federal agencies must follow the NIST Special Publications mandated in FIPS.
Other security-related publications are mandatory only when specified by OMB.
Compliance schedules are established by OMB (and now also by DHS, e.g., the annual FISMA Reporting Guidance).
Course Expectations & Goals
Clear Understanding of FISMA Compliance, via the NIST Risk Management Framework, based on:
– Governmental Laws and Regulations
– OMB/DHS Policies, Directives, or Memoranda
– NIST Special Publications
– NIST Federal Information Processing Standards (FIPS)
– NIST Interagency Reports
Further Education, Training & Certification
IT Security Workforce Training is Critical to the FISMA Mandate
Target Audience
[Excerpt from SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems]
Individuals associated with the design, development, implementation, operation, maintenance, and disposition of federal information systems:
– Ownership Responsibilities
– Development and Integration Responsibilities
– Oversight Responsibilities
– Assessment and Monitoring Responsibilities
– Security Implementation and Operational Responsibilities
Introductions
Introducing Your Instructor
Student Information
Experience
– Auditors
– Operators
– Managers
Employer
– DoD, NSA
– Civilian Agency
– Other
Education
– IT/IA Degrees
– MBA
Certifications
– FITSP/CAP
– SANS
– CISSP
– Security+
Expectations
– Starting from 0?
– What's New (800-37r1)
Section B
IT SECURITY TRAINING AND CERTIFICATION
Federal IT Security Institute
http://www.FITSI.org
"To help secure the Nation's Federal Information Systems by certifying that Federal Workforce members understand and can apply appropriate Federal IT security standards."
- Jim Wiggins, FITSI Executive Director, 2010 FISSEA Educator of the Year
Federal IT Security Professional
Domains & Security Topics
Domain 1 – NIST Special Publications
Domain 2 – NIST Federal Information Processing Standards (FIPS)
Domain 3 – NIST Control Families
Domain 4 – Governmental Laws and Regulations
Domain 5 – NIST Risk Management Framework
Domain 6 – NIST Interagency Reports
Section C
FITSP-M COURSEWARE LOGISTICS
All About the RMF
– Categorize the information system based on a FIPS 199 impact analysis;
– Select an initial set of baseline security controls for the information system based on system impact level and apply tailoring guidance, as needed;
– Implement the security controls and document the design, development, and implementation details for the controls;
– Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
– Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable; and
– Monitor the security controls in the information system and environment of operation on an ongoing basis…
FITSP–M Course Outline
US Government Laws
Risk Management Framework Overview
Gap Analysis
– Categorization
– Security Control Selection
– Security Control Implementation
Security Control Assessment
Authorization
Continuous Monitoring
Course Material
FITSI Authorized Training Workbook
– http://www.amazon.com
Public Domain Reference Documents
– http://csrc.nist.gov/
– http://www.whitehouse.gov/omb/memoranda_default
– http://www.dhs.gov/files/programs/fns-announcementsresources.shtm
Activity Files and Other Miscellaneous:
– 2011 FISMA Report
– 2012 Reporting Metrics for CIOs/OIGs/SAOPs/Micro Agencies
– Relevant OMB Memos (listed and unlisted)
– FedRAMP ConOps
http://www.federalcybersecurity.org/downloads.html
Course Evaluation
Continuous Monitoring of Student Feedback
– Good – What did you like about today's session?
– Bad – What would you like to see different in tomorrow's session?
– Opportunity – This is your class! Frequent input allows for corrective action to mitigate the risk of disappointment.
End of Course Survey
Questions?
Next Module: US Government Laws