N-Wave Shareholders Meeting, May 23, 2012
N-Wave Security Update
Lisa [email protected]
TRANSCRIPT
For Official Use Only
System is categorized as Low for Confidentiality, Integrity, and Availability
Full ATO received December 7, 2010
2011 Results
2010 Results
Risk Management Life Cycle
• Monitor: Continually communicate with stakeholders across the enterprise and continually assess risk. Continually monitor adversaries, threats, vulnerabilities, countermeasures, mission changes, and POA&M status.
• Categorize: Identify mission, business, and information sharing needs. Conduct initial risk assessment.
• Select: Select minimum required risk mitigation controls based on impact levels. Refine controls based on updated risk assessment.
• Document: Ensure risk assessment and countermeasures are documented for required essential information.
• Implement: Implement countermeasures in developed systems (technical) or environment (admin, physical, operational).
• Assess: Conduct assessment to determine effectiveness of countermeasures. Determine residual risk.
• Supplement: Add/remove countermeasures based on risk assessment. Confirm all countermeasures are selected.
• Decide: Review residual risk. Determine acceptability of residual risk. Accept risk or require POA&M, or deny.
Committed to providing excellent service
Security = boring
Proactive versus Reactive: Based on Strategic, Tactical and Operational Goals
• Strategic – Considered Long term (2-3 yrs): IPv6; Full C&A – 2014; Complete Multicast
• Tactical – Mid Term (6 months-2 years): New connections; Extension of Backbone; Limited Pen Testing
• Operational – Short Term (0-6 months): O&M; Change Management; Continuous Monitoring
(Figure: four aligned life cycles)
• Acquisition Life Cycle: Mission and Business Plan; Budget; Acquisition Plan; Management and Measurement; Procurement
• System Development Life Cycle: Concept; Requirements; Design; Development; Test and Evaluation; Operations and Maintenance; Disposal
• A&A Life Cycle: Initiation; Certification; Accreditation; Monitoring
• Risk Management Life Cycle: Categorize; Select; Supplement; Document; Implement; Assess; Decide; Monitor
• Operational Controls: Physical; Configuration Management; Contingency Planning; Personnel Security; System & Information Integrity
• Management Controls: Risk Management; Policies and Procedures; Planning; System & Services Acquisitions
• Technical Controls: Boundary Protections; Access Controls, I&A; Auditing
Managing Risks is Key: Balancing Risks against Cost
Risk response options: Accept, Mitigate, Transfer, Avoid (figure plots Risk against Cost)
Governance structure (table: Body / Decision Domain)
• Bodies: User Group; ERB; CCB; NNC; CIO Council; Sub Committee
• Decision domains: IT Principles, Investment & Prioritization; IT Infrastructure Strategy, IT Architecture; Service Management
• Responsibilities: Funding, Oversight, Strategic Planning, Financial Mgmt; Requirements, CONOPS, System Architecture, System Design, Change Mgmt; Configuration Mgmt, Requirement Fulfillment, System Monitoring, Problem Mgmt
• Members: Executive Level (CIO's, CFO's, etc.); NWave PM, NNC Rep, NWave User Rep; System IT Managers, Technical Staff (ISSO, SA's, Network Admins, etc.); System Owners, LO Project Management, IT Managers; LO Representatives, CIO Reps, LO NOC Rep, NN System Owner
• Consists of inputs from the Engineer, COTR, and ISSO.
– Other participants are NNC LO's representatives.
• 4 types of changes which require NNC review:
– Budget, Operations costs
– Security
– Peering to other organizations
– ERB changes where consensus is not reached
Changes within CCB scope are:
◦ Server configuration changes
◦ Network device changes
◦ Patching
◦ User access
◦ Other administrative changes required to maintain the network
• Performance – tests and demonstrates performance requirements such as bandwidth, latency, etc.
• Functional – tests and demonstrates usability of system applications and tools
• Security – verifies specific NIST 800-53 security controls are implemented satisfactorily