NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1
Dr. Ron Ross, Computer Security Division
Information Technology Laboratory
Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View
SC World Congress Data Security Conference
November 10, 2010
Information technology is our greatest strength and at the same time, our greatest weakness…
The Perfect Storm
• Explosive growth and aggressive use of information technology.
• Proliferation of information systems and networks with virtually unlimited connectivity.
• Increasing sophistication of threat including exponential growth rate in malware (malicious code).
Resulting in an increasing number of penetrations of information systems in the public and private sectors…
The Threat Situation
Continuing serious cyber attacks on public and private sector information systems targeting key operations, assets, and individuals…
• Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
• Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with hostile intentions.
• Effective deployment of malware causing significant exfiltration of sensitive information (e.g., intellectual property).
• Potential for disruption of critical systems and services.
Unconventional Threats to Security
• Connectivity
• Complexity
We have to do business in a dangerous world…
Managing risk as we go.
Need Broad-Based Security Solutions
Over 90% of critical infrastructure systems/applications are owned and operated by non-federal entities.
Key sectors:
• Energy (electrical, nuclear, gas and oil, dams)
• Transportation (air, road, rail, port, waterways)
• Public Health Systems / Emergency Services
• Information and Telecommunications
• Defense Industry
• Banking and Finance
• Postal and Shipping
• Agriculture / Food / Water / Chemical
Joint Task Force Transformation Initiative
A Broad-Based Partnership:
• National Institute of Standards and Technology
• Department of Defense
• Intelligence Community
• Office of the Director of National Intelligence
• 16 U.S. Intelligence Agencies
• Committee on National Security Systems
Unified Information Security Framework
The Generalized Model:
• Common Information Security Requirements
• Unique Information Security Requirements (the “Delta”)
• National security and non-national security information systems
Foundational Set of Information Security Standards and Guidance:
• Risk management (organization, mission, information system)
• Security categorization (information criticality/sensitivity)
• Security controls (safeguards and countermeasures)
• Security assessment procedures
• Security authorization process
Participants: Intelligence Community, Department of Defense, Federal Civil Agencies, Private Sector, State/Local Govt, CNSS
Enterprise-Wide Risk Management
TIER 1: Organization (Governance)
TIER 2: Mission / Business Process (Information and Information Flows)
TIER 3: Information System (Environment of Operation)
Strategic risk focus at Tier 1, tactical risk focus at Tier 3.
• Multi-tiered Risk Management Approach
• Implemented by the Risk Executive Function
• Enterprise Architecture and SDLC Focus
• Flexible and Agile Implementation
Characteristics of Risk-Based Approaches (1 of 2)
• Integrates information security more closely into the enterprise architecture and system life cycle.
• Promotes near real-time risk management and ongoing system authorization through the implementation of robust continuous monitoring processes.
• Provides senior leaders with necessary information to make risk-based decisions regarding information systems supporting their core missions and business functions.
Characteristics of Risk-Based Approaches (2 of 2)
• Links risk management activities at the organization, mission, and information system levels through a risk executive (function).
• Establishes responsibility and accountability for security controls deployed within information systems.
• Encourages the use of automation to increase consistency, effectiveness, and timeliness of security control implementation.
Risk Management Process (figure)
Risk Management Framework (Security Life Cycle)
Starting Point:
• CATEGORIZE Information System: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
• AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
Defense-in-Depth
Adversaries attack the weakest link…where is yours?
Links in the Security Chain: Management, Operational, and Technical Controls
Management and operational controls:
• Risk assessment
• Security planning, policies, procedures
• Configuration management and control
• Contingency planning
• Incident response planning
• Security awareness and training
• Security in acquisitions
• Physical security
• Personnel security
• Security assessments and authorization
• Continuous monitoring
Technical controls:
• Access control mechanisms
• Identification & authentication mechanisms (biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Boundary and network protection devices (firewalls, guards, routers, gateways)
• Intrusion protection/detection systems
• Security configuration settings
• Anti-viral, anti-spyware, anti-spam software
• Smart cards
Joint Task Force Transformation Initiative: Core Risk Management Publications
• NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (Completed)
• NIST Special Publication 800-37, Revision 1, Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach (Completed)
• NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Completed)
Joint Task Force Transformation Initiative: Core Risk Management Publications
• NIST Special Publication 800-39, Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View (Projected November 2010, Public Draft)
• NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments (Projected January 2011, Public Draft)
Contact Information
100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930
Project Leader: Dr. Ron Ross, (301) 975-5390, [email protected]
Administrative Support: Peggy Himes, (301) [email protected]
Senior Information Security Researchers and Technical Support:
• Marianne Swanson, (301) 975-3293, [email protected]
• Kelley Dempsey, (301) [email protected]
• Pat Toth, (301) 975-5140, [email protected]
• Arnold Johnson, (301) 975-3247, [email protected]
Web: csrc.nist.gov/sec-cert
Comments: [email protected]
IMPLEMENTING ENTERPRISE SECURITY RISK MANAGEMENT POLICY: STANDARDS AND PRACTICE
Dr. Ronald Ross, Project Leader – Computer Security Division, NIST
Kirsten Bay Francissen, Principal, KBF-LTD
The Holistic View of Security Policy and Standards Implementation
Security Policy Implementation vs. Business Process
• Applying broad standards and policy for specific benefit of your business
• Utilizing standards to enhance business process
• Information security standards and policy can be implemented holistically
Leveraging Standards and Compliance
Which is the weakest link?
People, Process, and Technology
Management, Operational, and Technical Controls:
– Develop processes and metrics
– Identify opportunities for improvement
– Define roles and responsibilities to avoid duplication of effort
– Utilize technology for automating baseline functions and providing security controls
Defense-in-Depth: Your Links in the Security Chain
What are the key information classifications in the organization?
– By business unit
– Stakeholders
Classification - Information value:
– Low: Limited adverse effect on organizational operations, assets, and individuals
– Moderate: Serious adverse effect
– High: Severe adverse effect
Understanding Business Process
Security Enablement of Business Process (figure: security functional areas mapped across Business, Product, Administration, Architecture, and Infrastructure)
Functional areas shown in the figure:
• Security Technology
• Security Metrics
• Security Architecture
• Risk Management
• Security Awareness
• Personnel Security
• Security Policy
• Regulatory Compliance
• Audit
• Infrastructure Acquisition
• Partner & Third Party Security
• Asset Management
• Configuration Management
• Contingency / Disaster Planning
• Incident Handling & Response
• Physical Security
• Threat Analysis
• Vuln Mgmt / Patch Mgmt
• Account Provisioning / Identity Mgmt
• Media Control & Handling
• Logging, Monitoring, & Reporting
• Secure Code Development Life Cycle
• Back-up, Recovery & Archiving
• Secure Network Design
• Remote & Extranet Connections
• Malicious Code Protection
• Perimeter Security / IDS / IPS
• Privacy
• Encryption
• Secure Communications
• Data Integrity
• Storage Security
• Availability
Create the understanding that information security spans the entirety of the business.
Implementation Across Business Units
• Build the business case
• Communicate corporate-wide vulnerabilities
• Interface across business units
• Create policies versus procedures
Questions?