BACK TO THE BASICS FOR ISSMS/ISSOS. Carol Petty L-3 Aerospace Systems Greenville, TX

Transcription

1 BACK TO THE BASICS FOR ISSMS/ISSOS Carol Petty L-3 Aerospace Systems Greenville, TX

2 TIME HONORED COACHES Vince Lombardi John Wooden Pat Summit Mike Krzyzewski Tom Landry Phil Jackson Joe Torre Geno Auriemma Tony Larussa Bob Knight Red Auerbach Bear Bryant Woody Hayes Darrell K Royal Nick Saban Steve Walsh Joe Gibbs Bill BeliChick Tom Izzo Lou Holtz Pat Riley Alex Ferguson A consistent theme with each of these successful coaches was building a strong foundation and getting the basics right every time.

3 BUILDING A LASTING PROGRAM NOT JUST WINNING ONE CHAMPIONSHIP Moving the focus from enhancements to an IA program grounded in repeatable processes and procedures. Overview: Configuration Management Communication Continuous Monitoring

4 CONFIGURATION MANAGEMENT HOW DO YOU RUN YOUR IA PROGRAM? NISPOM Configuration management (CM) ensures that protection features are implemented and maintained in the system. CM applies a level of discipline and control to the processes of system maintenance and modification. CM provides system users with a measure of assurance that the implemented system represents the approved system. MSSP/SSP 2011 Templates Section 13 Configuration Management Plan ISFO Manual dtd Nov Configuration Management Process What this means to industry: Establish policies, procedures and repeatable processes; these ensure your company implements Chapter 8, baseline security standards, and ISFO requirements in a documented, consistent, reproducible manner. I don t believe in team motivation. I believe in getting a team prepared so it knows it will have the necessary confidence when it steps on a field and be prepared to play a good game. Tom Landry

5 CONFIGURATION MANAGEMENT PLAN MAJOR TOPICS Account Management Auditing & Logging Hardware/Software Management Addition of new IS/Growth of existing IS/Self Certification System Hardening Special Purpose Systems Risk Acceptance Letters Reproduction Systems Incident Response Plan Removable Media Restrictions Trusted Download Marking

6 ACCOUNT MANAGEMENT NISPOM Create a standard general user briefing Establish process to validate user clearance level and need to know Edit User Briefing form to include signatures and dates for verification verification Electronic system Evaluate account usage and establish guidelines to disable accounts after specific non-use period Disable accounts when not used for 60 days Establish common practice for accounts when they are disabled Windows remove from all group membership; add to disabled users group; add disabled users group to deny login locally Linux remove from sudoers; add!! or LK to hash in shadow file; add no login shell to passwd file LDAP/Kerberos remove from group membership; add disallow tix to principal in KAdmin Create annual re-briefing Ensure all briefing statements are signed, dated within one year, and completely filled out Validate user clearance at least once a year

7 AUDITING & LOGGING NISPOM Create a Standard Operating Procedure (SOP) for auditing Create a list of IS nodes for verification List out event codes or audit output for reviewable events What to do when events look suspicious Train your staff to look at paper logs and electronic logs Seal logs Maintenance logs/hardware movement Trusted Download SF 702 logs System logs Evaluate audit reduction tools for electronic logs Ensure you keep raw audit trails if you choose to use audit reduction Must add to your software baseline as security relevant software Educate your users, administrators, and auditors on what they need to be logging Weekly Audit/Weekly Review Antivirus Update Sanitization Addition or Removal of hardware Installation of security relevant software System Administrator activities

8 HARDWARE/SOFTWARE MANAGEMENT NISPOM Create a process to add hardware Establish a standard for volatility statements Vendor statements SME evaluation Technical specifications listing memory types Create a process to track movement of hardware Electronic Change Logs Create a process to sanitize equipment Establish who will be allowed to sanitize equipment Establish how records will kept for this activity Create a process for Software ISFO Manual Nov What types of software are acceptable How to add software to IS Open Source Review Board ISFO Manual Media Destruction: The action of removing media from the IS for destruction must be documented in the Maintenance Log.

9 ADDITION, GROWTH, AND SELF- CERTIFICATION New IS Package Create a package of prerequisites for an Information System DD254 Classification Guide Operation Area Closed, Restricted, Both Type of Network MUSA, P2P, LAN, WAN Preliminary Network Diagram Purpose/Usage for the System Hardware Baseline Software Baseline External Connections To DSS Systems To Government Systems GCA Letters Classified Storage Growth of IS Create process to grow IS systems Know your MSSPs Establish a process for self certified systems Create a self certification letter for new Accredited Information Systems (AIS) Create a checklist for self certification

10 Configuration Instructions SYSTEM HARDENING Configuration Checklists Evaluate the published baseline standards Create organizational specific standards Create configuration instructions Document deviances from your organizational standards and the published standards List mitigations or alternative methods in your IS Profile Automation is your friend.inf files RPMs Scripts Baseline Security Standards, ISFO Manual, etc Patch Management NISPOM & ISL #32 ISFO dtd Nov Flaw Remediation Establish a patch management procedure for security relevant software Ensure patches are applied within a reasonable, established period following release

11 SPECIAL PURPOSE SYSTEMS NISPOM NISPOM Several categories of systems can be adequately secured without implementation of all the technical features specified this Chapter. These systems are not exceptions or special cases but applying the technical security requirements to these systems by rote results in unnecessary costs and operational impacts. ISFO Manual dtd Nov Special Categories The requirements of NISPOM Chapter 8 are written for the general purpose or office automation systems and personal computers. Implementing the same security requirements for components such as weapons or tactical systems, test stands, simulators, or embedded components that can be integral elements of a larger IS may not always be possible. To apply the general requirements of Chapter 8 in these instances may result in unnecessary costs and adversely impact operations. Create Standard Operating Procedure (SOP) Validate that you are following guidance in the SOP

12 RISK ACCEPTANCE LETTER (RAL) Letter from the Government Contracting Authority (GCA) accepting the level of risk when an information system cannot be configured to meet requirements of the NISPOM based on customer defined requirements. Common Examples of RALs: Systems can not meet NISPOM requirements Legacy systems Alternate Trusted Download Procedures Systems covered under GCA Letters are not eligible for self-certification Validate that you are following guidance in the GCA Letter Examples can be found in the ISFO Manual dtd Nov Alternate Trusted Download RAL

13 REPRODUCTION SYSTEMS ISFO MANUAL COPIERS

14 INCIDENT RESPONSE PLAN ISFO MANUAL 4.5/NISPOM Create a process specific to your organization What type of enterprise backups do you have What is your retention Does your company store backups offsite Who are your enterprise IT Points of Contact After hours contact numbers Reporting requirements Contact your local field office to establish expected reporting time frames Initial report (required fields listed in ISFO page 48) Final report (refer to NISPOM 1-303c or contact your IS Rep for template) Who gets notified IS Rep, ISSP, FSO, ISSM FSO or ISSM notifies other cleared contractors if required Create Checklists for your Security Team Who created it? Who owns the data? What is it? (ie , document, pictures) Where is it and where has it been? (on your local computer, on a network share, on your blackberry, on a printer, sent through system) When did you first see it? Did you view on multiple computers, send s with same content but different subject lines?

15 REMOVABLE MEDIA RESTRICTIONS ISFO NISP systems with requirements to write classified information to removable media will be restricted to personnel designated and briefed by the ISSM. The ISSM will disable the "write" capability for all forms of removable media devices on all information systems as a default setting using any and all feasible means. Removable media is defined as CD/DVD, Secure Digital (SD) cards, Tape, Flash Memory data storage devices, Multi Media Cards (MMC), removable hard drives, etc. The ISSM will establish a program to appoint and account for authorized personnel responsible for conducting data transfers. All media is required to be marked appropriately and in accordance with NISPOM and

16 REMOVABLE MEDIA RESTRICTIONS LOGBOOK Maintain a logbook for any document transferred and make available to DSS during security reviews: Date/time of transfer Document subject Name of individual who conducted transfer Name of individual who authorized transfer Media Classification Serial Number and/or ID Number of removable media

17 DATA TRANSFER LETTER EXAMPLE

18 TRUSTED DOWNLOAD ISFO DSS Approved Create a briefing for Trusted Download Establish a process to evaluate trusted download usage and revoke privilege after period of non-use Keep records of those revoked Government Contracting Authority (GCA) Approved Ensure included in a current RAL Update paperwork accordingly Have users sign a GCA specific briefing statement Remember to create a specific briefing for GCA Approved Procedures

19 MARKING NISPOM CHAPTER 4 & Ensure your areas have posted cable marking standards Create procedures or work instructions for marking media and hardware Classification Authority Block Media stored within containers Blank media in closed areas Hard copy documentation Working papers Equipment Markings Co-located equipment Create templates for ease of use

20 HOW CONFIGURATION MANAGEMENT CAN WORK FOR YOU Easier to implement changes Cuts down on transition time for new hires Eliminates questions about when it happened and who approved it Eliminates tribal knowledge and the dangers associated Answers are in writing, no one has to remember verbal or guidance

21 COMMUNICATION WHAT TYPE OF RELATIONSHIPS ARE YOU BUILDING? Communication within your organization Inside your ISSO team Inside your Security department With your system users With other departments With upper management Communication outside your organization Within the IA community With your local field office With your local ISSP Individual commitment to a group effort that is what makes a team work, a company work, a society work, a civilization work. Vince Lombardi

22 COMMUNICATION WITHIN YOUR ORGANIZATION Inside your ISSO team Team meetings Documented processes Inside your Security team Staff meetings Self Inspections With system Users User Briefings Required training/refreshers Documented procedures With outside organizations Working Group meetings Newsletters/Flashes Intranet site (Website, SharePoint, etc) Documented processes With upper management Weekly status Positive feedback Successful assessments Documented processes

23 COMMUNICATION OUTSIDE YOUR ORGANIZATION Within the IA community Join local NCMS Chapters Attend local events Get to know your fellow ISSMs/ISSOs Reach out within your own parent company to other business sites With your local field office Get to know your local IS Reps and other Reps in the field office With your local ISSP Relationship, Relationship, Relationship Always ask permission, forgiveness is not the way to go Keep them in the loop, not in the dark Invite out for Security Assistance Visits (SAVs)

24 CONSISTENCY & CONTINUOUS MONITORING HOW DO YOU VALIDATE YOUR IA PROGRAM? Self Inspection NISPOM Security Reviews Rotating Inspections Implement rotating inspections to focus on specific areas, (e.g. safes, AIS, Physical Protection, SETA, Closed Areas) Outside Eyes Corporate ISSM A sister company ISSM Another security team member inside your department; a security engineer; an IT security specialist Test your systems SCAP tools Test your ISSOs/System Administrators Auditors are show me kind of people Sit though a weekly audit Ask questions

25 CONSISTENCY Make your decisions and stick with them Keep your team informed so everyone is on the same page Avoid employees who shop for answers Refer to your processes Be able to show your processes and evidence of them in work Nine tenths of discipline is having the patience to do things right. There is no better example of this than shot selection. You don t just jack up the ball. Pat Summitt

26 FREEBIES FOR YOUR AUDIT Emergency Response Plan ISFO Contractors will develop procedures for safeguarding classified material in emergency situations. The procedures will be as simple and practical as possible and should be adaptable to any type of emergency that may reasonably arise. SETA by ISSM ISFO The ISSM will develop and implement an ongoing IS security education program. Security training and awareness will be provided prior to authorizing an individual access to an IS and updated as needed. Letters of delegation Create letters of delegation to identify security roles and responsibilities given to employees

27 TEAM HUDDLE Bringing it all back together: Configuration Management Communication Continuous Monitoring The willingness to experiment with change may be the most essential ingredient to success at anything. Pat Summitt