NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Dr. Ron Ross Computer Security Division Information Technology Laboratory Enterprise-Wide Risk Management Organization, Mission, and Information Systems View SC World Congress Data Security Conference November 10, 2010


Page 1

Dr. Ron Ross
Computer Security Division
Information Technology Laboratory

Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View

SC World Congress Data Security Conference
November 10, 2010

Page 2

Information technology is our greatest strength and, at the same time, our greatest weakness…

Page 3

The Perfect Storm

• Explosive growth and aggressive use of information technology.
• Proliferation of information systems and networks with virtually unlimited connectivity.
• Increasing sophistication of threat, including exponential growth rate in malware (malicious code).

Resulting in an increasing number of penetrations of information systems in the public and private sectors…

Page 4

The Threat Situation

Continuing serious cyber attacks on public and private sector information systems targeting key operations, assets, and individuals…

• Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
• Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with hostile intentions.
• Effective deployment of malware causing significant exfiltration of sensitive information (e.g., intellectual property).
• Potential for disruption of critical systems and services.

Page 5

Unconventional Threats to Security

• Connectivity
• Complexity

Page 6

We have to do business in a dangerous world…

Managing risk as we go.

Page 7

Need Broad-Based Security Solutions

Over 90% of critical infrastructure systems/applications are owned and operated by non-federal entities.

Key sectors:
• Energy (electrical, nuclear, gas and oil, dams)
• Transportation (air, road, rail, port, waterways)
• Public Health Systems / Emergency Services
• Information and Telecommunications
• Defense Industry
• Banking and Finance
• Postal and Shipping
• Agriculture / Food / Water / Chemical

Page 8

Joint Task Force Transformation Initiative

A Broad-Based Partnership:
• National Institute of Standards and Technology
• Department of Defense
• Intelligence Community (Office of the Director of National Intelligence; 16 U.S. Intelligence Agencies)
• Committee on National Security Systems

Page 9

Unified Information Security Framework

The Generalized Model
• Common Information Security Requirements
• Unique Information Security Requirements (the "Delta")
• Covers national security and non-national security information systems

Foundational Set of Information Security Standards and Guidance
• Risk management (organization, mission, information system)
• Security categorization (information criticality/sensitivity)
• Security controls (safeguards and countermeasures)
• Security assessment procedures
• Security authorization process

Communities shown in the figure: Intelligence Community, Department of Defense, Federal Civil Agencies, Private Sector, State/Local Government, CNSS

Page 10

Enterprise-Wide Risk Management

Multi-tiered Risk Management Approach
• Tier 1: Organization (Governance); strategic risk focus
• Tier 2: Mission / Business Process (Information and Information Flows)
• Tier 3: Information System (Environment of Operation); tactical risk focus

• Implemented by the Risk Executive Function
• Enterprise Architecture and SDLC Focus
• Flexible and Agile Implementation

Page 11

Characteristics of Risk-Based Approaches (1 of 2)

Integrates information security more closely into the enterprise architecture and system life cycle.

Promotes near real-time risk management and ongoing system authorization through the implementation of robust continuous monitoring processes.

Provides senior leaders with necessary information to make risk-based decisions regarding information systems supporting their core missions and business functions.

Page 12

Characteristics of Risk-Based Approaches (2 of 2)

Links risk management activities at the organization, mission, and information system levels through a risk executive (function).

Establishes responsibility and accountability for security controls deployed within information systems.

Encourages the use of automation to increase consistency, effectiveness, and timeliness of security control implementation.

Page 13

Risk Management Process

[Figure: risk management process diagram; only the label "Risk" survives from the image.]

Page 14

Risk Management Framework: Security Life Cycle

1. CATEGORIZE Information System (starting point): Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
2. SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
3. IMPLEMENT Security Controls: Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
5. AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Page 15

Defense-in-Depth

Adversaries attack the weakest link… where is yours?

Links in the Security Chain: Management, Operational, and Technical Controls

Management and operational controls:
• Risk assessment
• Security planning, policies, procedures
• Configuration management and control
• Contingency planning
• Incident response planning
• Security awareness and training
• Security in acquisitions
• Physical security
• Personnel security
• Security assessments and authorization
• Continuous monitoring

Technical controls:
• Access control mechanisms
• Identification & authentication mechanisms (biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Boundary and network protection devices (firewalls, guards, routers, gateways)
• Intrusion protection/detection systems
• Security configuration settings
• Anti-viral, anti-spyware, anti-spam software
• Smart cards

Page 16

Joint Task Force Transformation Initiative: Core Risk Management Publications

• NIST Special Publication 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations (Completed)
• NIST Special Publication 800-37, Revision 1: Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Completed)
• NIST Special Publication 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Completed)

Page 17

Joint Task Force Transformation Initiative: Core Risk Management Publications

• NIST Special Publication 800-39: Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View (projected November 2010, Public Draft)
• NIST Special Publication 800-30, Revision 1: Guide for Conducting Risk Assessments (projected January 2011, Public Draft)

Page 18

Contact Information

100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930

Project Leader: Dr. Ron Ross, (301) 975-5390, [email protected]
Administrative Support: Peggy Himes, (301) [email protected]

Senior Information Security Researchers and Technical Support:
Marianne Swanson, (301) 975-3293, [email protected]
Kelley Dempsey, (301) [email protected]
Pat Toth, (301) 975-5140, [email protected]
Arnold Johnson, (301) 975-3247, [email protected]

Web: csrc.nist.gov/sec-cert
Comments: [email protected]

Page 19

IMPLEMENTING ENTERPRISE SECURITY RISK MANAGEMENT POLICY: STANDARDS AND PRACTICE

Dr. Ronald Ross, Project Leader – Computer Security Division, NIST
Kirsten Bay Francissen, Principal, KBF-LTD

Page 20

The Holistic View of Security Policy and Standards Implementation

Security Policy Implementation vs. Business Process

Page 21

Leveraging Standards and Compliance

• Applying broad standards and policy for the specific benefit of your business
• Utilizing standards to enhance business process
• Information security standards and policy can be implemented holistically

Page 22

People, Process, and Technology

Which is the weakest link?

Page 23

Defense-in-Depth: Your Links in the Security Chain

Management, Operational, and Technical Controls:
– Develop processes and metrics
– Identify opportunities for improvement
– Define roles and responsibilities to avoid duplication of effort
– Utilize technology for automating baseline functions and providing security controls

Page 24

Understanding Business Process

What are the key information classifications in the organization?
– By business unit
– Stakeholders

Classification - Information value:
– Low: Limited adverse effect on organizational operations, assets, and individuals
– Moderate: Serious adverse effect
– High: Severe adverse effect
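The Low/Moderate/High impact levels on this slide are the inputs to the CATEGORIZE step of the Risk Management Framework on Page 14 ("potential worst-case, adverse impact"). The following is an added example, not code from the slides or from NIST: it assumes the high-water-mark rule of FIPS 199/200, which the slides do not name, under which each information type is rated for confidentiality, integrity and availability and the system's category is the highest rating across all types and objectives; that category then decides which control baseline the SELECT step starts from. The `InformationType` class, the `SAMPLE_TYPES` data and the baseline names are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Potential adverse effect on organizational operations, assets, and individuals."""
    LOW = 1        # limited adverse effect
    MODERATE = 2   # serious adverse effect
    HIGH = 3       # severe adverse effect


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Assumption (FIPS 200 rule, not stated on the slides): the overall system
# category picks the SP 800-53 baseline that the SELECT step tailors.
BASELINE_FOR_CATEGORY = {
    Impact.LOW: "SP 800-53 low-impact baseline",
    Impact.MODERATE: "SP 800-53 moderate-impact baseline",
    Impact.HIGH: "SP 800-53 high-impact baseline",
}


@dataclass(frozen=True)
class InformationType:
    """Hypothetical record: one information type with its three impact ratings."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize_objective(types, objective):
    """High-water mark for one security objective across all information types."""
    if objective not in OBJECTIVES:
        raise ValueError(f"unknown security objective: {objective}")
    return max(getattr(t, objective) for t in types)


def categorize_system(types):
    """Return (per-objective high-water marks, overall worst-case category)."""
    if not types:
        raise ValueError("a system must process at least one information type")
    per_objective = {obj: categorize_objective(types, obj) for obj in OBJECTIVES}
    overall = max(per_objective.values())
    return per_objective, overall


def select_baseline(types):
    """SELECT step starting point: baseline implied by the overall category."""
    _, overall = categorize_system(types)
    return BASELINE_FOR_CATEGORY[overall]


# Constructed sample: a payroll system handling three information types.
# Two types are only Moderate, but payroll integrity is High, so the
# worst case drives the whole system to the High category.
SAMPLE_TYPES = [
    InformationType("employee PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InformationType("payroll transactions", Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
    InformationType("public holiday calendar", Impact.LOW, Impact.LOW, Impact.LOW),
]

if __name__ == "__main__":
    per_obj, overall = categorize_system(SAMPLE_TYPES)
    for obj, level in per_obj.items():
        print(f"{obj:16s} {level.name}")
    print(f"system category: {overall.name}")
    print(f"baseline:        {select_baseline(SAMPLE_TYPES)}")
```

The point a practitioner should take from the sample data is that a single High rating on one objective of one information type raises the category of the entire system, which is exactly what "worst-case adverse impact" on Page 14 implies; the place to argue a lower category is in the per-type ratings and in the tailoring that follows, not by averaging.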

Page 25

Security Enablement of Business Process

[Figure: security functions mapped across the Business, Product, Administration, Architecture, and Infrastructure process areas; the labels below are the function names recoverable from the image, with duplicates removed.]

• Security Technology
• Security Metrics
• Security Architecture
• Risk Management
• Security Awareness
• Personnel Security
• Security Policy
• Regulatory Compliance
• Audit
• Infrastructure Acquisition
• Partner & Third Party Security
• Asset Management
• Configuration Management
• Contingency / Disaster Planning
• Incident Handling & Response
• Physical Security
• Threat Analysis
• Vuln Mgmt / Patch Mgmt
• Account Provisioning / Identity Mgmt
• Media Control & Handling
• Logging, Monitoring, & Reporting
• Secure Code Development Life Cycle
• Back-up, Recovery & Archiving
• Secure Network Design
• Remote & Extranet Connections
• Malicious Code Protection
• Perimeter Security / IDS / IPS
• Privacy
• Encryption
• Secure Communications
• Data Integrity
• Storage Security
• Availability

Page 26

Implementation Across Business Units

Create the understanding that information security spans the entirety of the business:
• Build the business case
• Communicate corporate-wide vulnerabilities
• Interface across business units
• Create policies versus procedures

Page 27

Questions?

Page 28

Thank You

Kirsten Bay Francissen, KBF-LTD
[email protected]
+1 312.493.2065