Red Hat Enterprise Linux (RHEL) 5.3 Certified Linux Integration Platform (CLIP) Security Requirements Analysis
|
|
- Shavonne Edwards
- 6 years ago
- Views:
Transcription
1 Red Hat Enterprise Linux (RHEL) 5.3 Certified Linux Integration Platform (CLIP) Security Requirements Analysis Prepared By: Tresys Technology, LLC March 17, 2009
2 Table of Contents 1 Introduction Security Requirement Set Selection Analysis Overview Document Organization Requirement Set Analysis NSSI-1253v4 Mapping and Analysis NSSI-1253v4 Mapping Tables NSSI-1253v4 Analysis Access Control Awareness and Training Audit and Accountability Certification, Accreditation and Security Configuration Management Contingency Planning Identification and Authentication Incident Response Maintenance Media Protection Physical and Environmental Protection Planning Personnel Security Risk Assessment System and Services Acquisition System and Communications Protection System and Information Integrity Overview of the CLIP Toolkit Installation Backups Auditing Authentication Object Labeling Additional Information Summary of Analysis Acronyms Bibliography Table of Tables Table 1 NSSI-1253v4 Security Control Classes, Families, and Identifiers... 2 Table 2 The CLIP Toolkit v3.1.0 for RHEL 5.3 Coverage of the NSSI-1253v4 Requirements... 4 Tresys Technology i
3 Tresys Technology ii
4 1 Introduction Tresys Certifiable Linux Integration Platform (CLIP) is designed to provide a solid foundation for building secure solutions and to facilitate and expedite the certification and accreditation (C&A) of those solutions. This document describes the prototype CLIP toolkit v3.1.0 that targets Red Hat Enterprise Linux 5.3 (RHEL 5.3) to create a system that is compliant for the Security Control Catalog for National Security Systems Instruction 1253 (NSSI-1253v4) 1 High Impact requirement set. For the security analysis of RHEL 5.3, Tresys has mapped each applicable requirement to operating system functionality. In areas where the operating system requires additional configuration or security policy updates to meet the requirement, the analysis provides details of these changes. The changes include modification of configuration files, tightening of security policy implementation, turning on or off features of the operating system, installation of new packages, and utilization of a kickstart file to assist in secure installation. These changes are the basis for the CLIP toolkit. The CLIP toolkit v3.1.0 for RHEL 5.3 builds on previous toolkit releases and provides an updated SELinux Reference Policy and updated SELinux toolchain. It includes initial infrastructure for full Security Content Automation Protocol (SCAP) support. With CLIP versionv3.1.0 for RHEL 5.3, RHEL meets the majority of requirements, allowing developers to make only minor changes to the platform and instead focus their efforts on creating innovative and secure applications Security Requirement Set Selection Tresys focused on the requirement set that represents the most comprehensive and precise requirements relevant for a wide range of cross domain and perimeter defense solutions: The Security Control Catalog for National Security Systems NSSI-1253v4 Previous versions of the CLIP toolkit included other security requirement sets, including the Department of Defense (DoD) Instruction Number Information Assurance (IA) Implementation MAC I Classified requirements, but the NSSI-1253v4 encompasses the requirements and as such is sufficient on its own Analysis Overview The analysis examined the default configuration for the CLIP toolkit v3.1.0 for RHEL 5.3 against the selected security requirements. For each requirement, the analysis describes the operating system's ability to fulfill the requirement as configured, as well as whether or not the operating system has the capability of fulfilling the requirement. To have the capability means that the system may need, for instance, configuration changes or additional security policy to fulfill a requirement but that the operating system is capable of supporting these changes. If the CLIP toolkit for RHEL 5.3 includes the modifications to satisfy the requirement (i.e. configuration changes, security policychanges), that requirement is deemed to be satisfied for the purposes of this analysis. 1 Security Control Catalog for National Security Systems, NSS Instruction No (ODNI/CIO) Draft Version 4, December 2007 Tresys Technology 1
5 This analysis uses the baseline requirements and controls defined in the NSSI-1253v4. It should be noted that the Designated Approval Authority (DAA) determines the requirements and controls that should be applied to a specific system and may take into account many factors including the environment in which the system will be placed Document Organization The remainder of this document is comprised of the following sections: REQUIREMENT SET ANALYSIS o NSSI-1253v4 Mapping and Analysis SUMMARY OF ANALYSIS ACRONYMS BIBLIOGRAPHY 2 Requirement Set Analysis 2.1. NSSI-1253v4 Mapping and Analysis The Security Control Catalog for Committee on National Security Systems 1253 (NSSI-1253v4) contains requirements broken up into seventeen families and categorized into three classes: technical, operational and management. These families are closely related to the seventeen security areas found in the Federal Information Processing Standard 200 (FIPS 200) document, which is used to secure federal information and information systems NSSI-1253v4 Mapping Tables Table 1 lists the identifier and class for each of the families used in the NSSI-1253v4 requirements. A family s class represents the dominant characteristic of that family, but may not represent its only characteristic. Therefore, for example, a family labeled as operational also may have management characteristics. The CLIP toolkit generally addresses the requirements for families in the technical class, which usually are specific to operating system security. Requirements for families in the operational or management classes frequently contain procedural requirements and therefore are outside the scope of the toolkit. However, the CLIP toolkit may also fulfill some of the requirements within families labeled as operational or management that have technical characteristics. Table 1 NSSI-1253v4 Security Control Classes, Families, and Identifiers Identifier Family Class AC Access Control Technical AT Awareness and Training Operational AU Audit and Accountability Technical CA Certification, Accreditation, and Security Assessments Management Tresys Technology 2
6 Identifier Family Class CM Configuration Management Operational CP Contingency Planning Operational IA Identification and Authentication Technical IR Incident Response Operational MA Maintenance Operational MP Media Protection Operational PE Physical and Environmental Protection Operational PL Planning Management PS Personnel Security Operational RA Risk Assessment Management SA System and Service Acquisition Management SC System and Communications Protection Technical SI System and Information Integrity Operational Table 2 summarizes the coverage of the NSSI-1253v4 requirements. Each row represents an area of responsibility for meeting a specific requirement, including a Requirement Control of the operating system and optionally a Control Enhancement, represented parenthetically. The Requirement Control is the core requirement for a particular area and may have additional associated requirements. These additional associated requirements are called Control Enhancements and enhance the security of the core control. The core control and its enhancements are associated with three impact levels: low, moderate, and high. For each impact level, a control or enhancement is selected if it is required at that impact level; not-selected controls and enhancements may be required on an per-instance basis according to the security needs of that instance. In Table 2 each row represents a unique control and enhancement pair, and the three columns display information about the impact levels for that pair. These results are discussed in detail in the sections following the table. Table 2 uses the following conventions: Selected Not Selected Meets Partially Meets Does Not Meet Tresys Technology 3
7 Outside Scope 2 For partially met or non-capability controls/enhancements, the following letter codes indicate the type of effort required to supplement the base system to satisfy the requirements of that control/enhancement: P Procedural Organizational procedure is needed to satisfy the requirements. This is used for requirements that deal with the network structure to which the system is attached or the system hardware configuration. C Configuration The system needs additional configuration changes to fully satisfy the requirement. D Development Additional applications must be developed and/or installed to satisfy the requirements. Table 2 The CLIP Toolkit v3.1.0 for RHEL 5.3 Coverage of the NSSI-1253v4 Requirements Requirement Control Number Low Moderate High Access Control AC-1 P P P AC-2 P P P AC-2(1) P P P AC-2(2) C C C AC-2(3) D D D AC-2(4) P P P AC-2(5) P P P AC-3 D D D AC-3(1) AC-3(2) AC-3(3) 2 All or part of the requirement falls outside of features that can be provided by the base operating system, and therefore cannot be addressed by the CLIP toolkit. Tresys Technology 4
8 Requirement Control Number Low Moderate High AC-3(4) AC-3(5) AC-3(6) AC-3(7) AC-4 AC-4(1) AC-4(2) AC-4(3) AC-4(4) P P P AC-4(5) P P P AC-4(6) P P P AC-4(7) P P P AC-5 P P P AC-6 AC-6(1) P P P AC-7 C C C AC-7(1) C C C AC-7(2) AC-8 AC-9 AC-9(1) D D D AC-10 C C C AC-11 D D D AC-11(1) D D D Tresys Technology 5
9 Requirement Control Number Low Moderate High AC-12 C C C AC-12(1) AC-12(2) AC-13 P P P AC-13(1) P P P AC-14 P P P AC-14(1) P P P AC-15 C C C AC-15(1) C C C AC-16 C C C AC-17 P P P AC-17(1) AC-17(2) D D D AC-17(3) P P P AC-17(4) P P P AC-17(5) C C C AC-17(6) P P P AC-17(7) C C C AC-18 P P P AC-18(1) P P P AC-18(2) P P P AC-18(3) P P P AC-18(4) P P P AC-18(5) C C C Tresys Technology 6
10 Requirement Control Number Low Moderate High AC-19 P P P AC-19(1) P P P AC-20 P P P AC-20(1) P P P AC-21 AC-22 P P P AC-23 P P P AC-23(1) P P P AC-23(2) AC-23(3) AC-23(4) Awareness and Training AT-1 P P P AT-2 P P P AT-3 P P P AT-4 P P P AT-5 P P P AT-6 P P P Audit and Accountability AU-1 P P P AU-1(1) C C C AU-2 C C C AU-2(1) C C C AU-2(2) Tresys Technology 7
11 Requirement Control Number Low Moderate High AU-2(3) P P P AU-2(4) C C C AU-2(5) AU-2(6) C C C AU-2(7) C C C AU-2(8) D D D AU-2(9) D D D AU-2(10) AU-3 AU-3(1) AU-3(2) AU-3(3) AU-3(4) AU-3(5) AU-4 P P P AU-5 C C C AU-5(1) C C C AU-5(2) D D D AU-5(3) C C C AU-6 P P P AU-6(1) D D D AU-6(2) D D D AU-6(3) P P P AU-6(4) D D D Tresys Technology 8
12 Requirement Control Number Low Moderate High AU-6(5) D D D AU-7 AU-7(1) AU-7(2) D D D AU-8 AU-8(1) D D D AU-8(2) D D D AU-9 AU-9(1) C C C AU-9(2) C C C AU-10 C C C AU-10(1) C C C AU-10(2) AU-10(3) AU-10(4) AU-11 P P P AU-11(1) P P P AU-11(2) P P P AU-11(3) P P P AU-11(4) P P P AU-12 AU-12(1) AU-12(2) Certification, Accreditation, and Security Assessments Tresys Technology 9
13 Requirement Control Number Low Moderate High CA-1 P P P CA-2 P P P CA-3 P P P CA-4 P P P CA-4(1) P P P CA-4(2) P P P CA-4(3) P P P CA-5 P P P CA-6 P P P CA-7 P P P CA-7(1) P P P CA-7(2) P P P Configuration Management CM-1 P P P CM-2 P P P CM-2(1) P P P CM-2(2) P P P CM-2(3) P P P CM-2(4) P P P CM-3 C C C CM-3(1) P P P CM-3(2) P P P CM-3(3) P P P CM-4 P P P Tresys Technology 10
14 Requirement Control Number Low Moderate High CM-5 P P P CM-5(1) P P P CM-5(2) P P P CM-5(3) P P P CM-5(4) CM-6 P P P CM-6(1) P P P CM-6(2) P P P CM-7 P P P CM-7(1) P P P CM-7(2) C C C CM-8 P P P CM-8(1) P P P CM-8(2) P P P Contingency Planning CP-1 P P P CP-1(1) P P P CP-2 P P P CP-2(1) P P P CP-2(2) P P P CP-2(3) P P P CP-2(4) P P P CP-2(5) P P P CP-2(6) P P P Tresys Technology 11
15 Requirement Control Number Low Moderate High CP-2(7) P P P CP-3 P P P CP-3(1) P P P CP-3(2) P P P CP-4 P P P CP-4(1) P P P CP-4(2) P P P CP-4(3) P P P CP-4(4) P P P CP-5 P P P CP-6 P P P CP-6(1) P P P CP-6(2) P P P CP-6(3) P P P CP-6(4) P P P CP-6(5) P P P CP-6(6) P P P CP-7 P P P CP-7(1) P P P CP-7(2) P P P CP-7(3) P P P CP-7(4) P P P CP-7(5) P P P CP-7(6) P P P Tresys Technology 12
16 Requirement Control Number Low Moderate High CP-8 P P P CP-8(1) P P P CP-8(2) P P P CP-8(3) P P P CP-8(4) P P P CP-9 P P P CP-9(1) P P P CP-9(2) P P P CP-9(3) P P P CP-9(4) P P P CP-10 P P P CP-10(1) P P P CP-10(2) P P P CP-10(3) P P P Identification and Authentication IA-1 P P P IA-2 IA-2(1) C C C IA-2(2) C C C IA-2(3) C C C IA-2(4) C C C IA-2(5) D D D IA-2(6) D D D IA-2(7) C C C Tresys Technology 13
17 Requirement Control Number Low Moderate High IA-2(8) C C C IA-2(9) P P P IA-3 IA-3(1) C C C IA-3(2) C C C IA-4 P P P IA-4(1) P P P IA-4(2) P P P IA-4(3) P P P IA-4(4) P P P IA-5 P P P IA-5(1) IA-5(2) P P P IA-5(3) P P P IA-5(4) C C C IA-5(5) C C C IA-6 IA-7 D D D Incident Response IR-1 P P P IR-1(1) P P P IR-2 P P P IR-2(1) P P P IR-2(2) P P P Tresys Technology 14
18 Requirement Control Number Low Moderate High IR-3 P P P IR-3(1) P P P IR-3(2) P P P IR-4 P P P IR-4(1) P P P IR-5 P P P IR-5(1) P P P IR-6 P P P IR-6(1) P P P IR-7 P P P IR-7(1) P P P Maintenance MA-1 P P P MA-2 P P P MA-2(1) P P P MA-2(2) P P P MA-3 P P P MA-3(1) P P P MA-3(2) P P P MA-3(3) P P P MA-3(4) P P P MA-4 P P P MA-4(1) P P P MA-4(2) P P P Tresys Technology 15
19 Requirement Control Number Low Moderate High MA-4(3) P P P MA-4(4) P P P MA-4(5) P P P MA-4(6) P P P MA-5 P P P MA-5(1) P P P MA-5(2) P P P MA-5(3) P P P MA-5(4) P P P MA-5(5) P P P MA-6 P P P MA-6(1) P P P MA-6(2) P P P Media Protection MP-1 P P P MP-2 P P P MP-2(1) P P P MP-3 P P P MP-3(1) D D D MP-4 P P P MP-4(1) P P P MP-4(2) P P P MP-5 P P P MP-5(1) P P P Tresys Technology 16
20 Requirement Control Number Low Moderate High MP-5(2) P P P MP-5(3) P P P MP-5(4) P P P MP-6 P P P MP-6(1) P P P MP-6(2) P P P MP-6(3) P P P MP-6(4) P P P Physical and Environmental Protection PE-1 P P P PE-2 P P P PE-2(1) P P P PE-2(2) P P P PE-3 P P P PE-3(1) P P P PE-3(2) P P P PE-3(3) P P P PE-3(4) D D D PE-4 P P P PE-5 P P P PE-6 P P P PE-6(1) P P P PE-6(2) P P P PE-7 P P P Tresys Technology 17
21 Requirement Control Number Low Moderate High PE-7(1) P P P PE-7(2) P P P PE-8 P P P PE-8(1) P P P PE-8(2) P P P PE-9 P P P PE-9(1) P P P PE-9(2) P P P PE-10 P P P PE-10(1) P P P PE-11 P P P PE-11(1) P P P PE-11(2) P P P PE-12 P P P PE-12(1) P P P PE-13 P P P PE-13(1) P P P PE-13(2) P P P PE-13(3) P P P PE-13(4) P P P PE-14 P P P PE-14(1) P P P PE-15 P P P PE-15(1) P P P Tresys Technology 18
22 Requirement Control Number Low Moderate High PE-16 P P P PE-17 P P P PE-18 P P P PE-18(1) P P P PE-19 P P P PE-19(1) P P P PE-20 P P P PE-20(1) P P P PE-20(2) P P P PE-20(3) P P P PE-21 P P P Planning PL-1 P P P PL-2 P P P PL-2(1) P P P PL-2(2) P P P PL-2(3) P P P PL-3 P P P PL-4 P P P PL-5 P P P PL-6 P P P Personnel Security PS-1 P P P PS-2 P P P Tresys Technology 19
23 Requirement Control Number Low Moderate High PS-3 P P P PS-3(1) P P P PS-3(2) P P P PS-4 P P P PS-5 P P P PS-6 P P P PS-6(1) P P P PS-6(2) P P P PS-7 P P P PS-7(1) P P P PS-8 P P P Risk Assessment RA-1 P P P RA-2 P P P RA-3 P P P RA-4 P P P RA-5 P P P RA-5(1) P P P RA-5(2) P P P RA-5(3) P P P RA-5(4) P P P RA-5(5) P P P System and Services Acquisition SA-1 P P P Tresys Technology 20
24 Requirement Control Number Low Moderate High SA-2 P P P SA-3 P P P SA-4 P P P SA-4(1) P P P SA-4(2) P P P SA-4(3) P P P SA-4(4) P P P SA-4(5) P P P SA-4(6) P P P SA-4(7) P P P SA-4(8) P P P SA-5 P P P SA-5(1) P P P SA-5(2) P P P SA-5(3) P P P SA-5(4) P P P SA-5(5) P P P SA-5(6) P P P SA-5(7) P P P SA-6 P P P SA-6(1) P P P SA-6(2) P P P SA-7 C C C SA-8 P P P Tresys Technology 21
25 Requirement Control Number Low Moderate High SA-9 P P P SA-9(1) P P P SA-10 P P P SA-10(1) SA-11 P P P SA-11(1) P P P SA-11(2) P P P SA-11(3) P P P SA-12 P P P SA-12(1) P P P SA-12(2) P P P SA-12(3) P P P SA-12(4) P P P SA-12(5) P P P System and Communications Protection SC-1 P P P SC-1(1) P P P SC-2 SC-3 SC-3(1) SC-3(2) SC-3(3) SC-3(4) SC-3(5) Tresys Technology 22
26 Requirement Control Number Low Moderate High SC-4 SC-5 D D D SC-5(1) D D D SC-5(2) D D D SC-5(3) D D D SC-6 SC 7 C C C SC 7(1) P P P SC 7(2) P P P SC 7(3) P P P SC 7(4) P P P SC 7(5) SC 7(6) P P P SC-7(7) P P P SC-7(8) P P P SC-7(9) C C C SC-8 C C C SC-8(1) P P P SC-8(2) C C C SC-9 C C C SC-9(1) P P P SC-9(2) SC-9(3) C C C SC-9(4) Tresys Technology 23
27 Requirement Control Number Low Moderate High SC-9(5) C C C SC-10 D D D SC-11 D D D SC-12 P P P SC-12(1) P P P SC-12(2) P P P SC-12(3) P P P SC-12(4) P P P SC-13 SC-14 SC-15 SC-15(1) P P P SC-15(2) C C C SC-15(3) P P P SC-16 SC-16(1) C C C SC-16(2) D D D SC-17 P P P SC-18 P P P SC-18(1) P P P SC-18(2) D D D SC-19 P P P SC-20 D D D SC-20(1) C C C Tresys Technology 24
28 Requirement Control Number Low Moderate High SC-21 D D D SC-21(1) D D D SC-22 C C C SC-23 System and Information Integrity Policy and Procedures SI-1 P P P SI-2 P P P SI-2(1) P P P SI-2(2) P P P SI-2(3) P P P SI-3 D D D SI-3(1) P P P SI-3(2) D D D SI-3(3) P P P SI-3(4) P P P SI-3(5) P P P SI-3(6) C C C SI-3(7) P P P SI-3(8) D D D SI-4 P P P SI-4(1) P P P SI-4(2) P P P SI-4(3) P P P SI-4(4) D D D Tresys Technology 25
29 Requirement Control Number Low Moderate High SI-4(5) D D D SI-4(6) D D D SI-4(7) C C C SI-4(8) P P P SI-5 P P P SI-5(1) P P P SI-6 C C C SI-6(1) P P P SI-6(2) P P P SI-7 C C C SI-7(1) P P P SI-7(2) P P P SI-7(3) P P P SI-8 D D D SI-8(1) P P P SI-8(2) D D D SI-8(3) P P P SI-8(4) P P P SI-8(5) P P P SI-8(6) D D D SI-9 SI-10 D D D SI-11 D D D SI-12 P P P Tresys Technology 26
30 NSSI-1253v4 Analysis This section examines each of the NSSI-1253v4 security requirements. The analysis is divided into 17 sections, one for each family: 1. Access Control 2. Awareness and Training 3. Audit and Accountability 4. Certification, Accreditation and Security 5. Configuration Management 6. Contigency Planning 7. Identification and Authentication 8. Incident Response 9. Maintenance 10. Media Protection 11. Physical and Environmental Protection 12. Planning 13. Personnel Security 14. Risk Assessment 15. System and Services Acquisition 16. System and Communications Protection 17. System and Information Integrity Each individual requirement is presented, followed by an analysis of the capability of RHEL 5.3 and the CLIP toolkit to meet the requirement, provided in the shaded boxed text. Each requirement explains how the requirement is met, partially met, cannot be met, or is outside the scope of the base platform Access Control AC-1 Access Control Policies and Procedures LOW: AC-1 MODERATE: AC-1 HIGH: AC-1 Control: The organization develops, disseminates, and periodically reviews/updates: a) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Tresys Technology 27
31 b) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls. Supplemental Guidance: The access control policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards and guidance. The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general, and for a particular information system when required. None Control - Outside Scope Procedural AC-2 Account Management LOW: AC-2(5) MODERATE: AC-2 (1)(2)(3)(4)(5) HIGH: AC-2 (1)(2)(3)(4)(5) Control: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization will: a) Reviews information system accounts [Assignment organization defined frequency], or at least annually. b) Identifies authorized users of the information system accounts and specifies access rights/privileges. c) Requires proper identification for requests to establish information system accounts and approves all such requests. d) Authorizes and monitors the use of guest/anonymous accounts and removes, disables or otherwise secures unnecessary accounts. e) Notify account managers when information system users are terminated or transferred and associated accounts are removed, disabled or otherwise secured. f) Notify account managers when users information system usage or need-toknow/need to share changes. Supplemental Guidance: Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The organization should consider the following aspects when granting access to the information and information systems: (i) A valid access authorization that is determined by assigned official duties and satisfying all personnel security criteria and (ii) Intended system usage. 1) The organization employs automated mechanisms to support the management of information system accounts. Tresys Technology 28
32 2) The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account], not to exceed 72 hours. 3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period], not to exceed 30 days. 4) The organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals. 5) The organization establishes and administers all privileged user accounts in accordance with a role based access scheme that organizes all system and network privileges into roles (e.g., key management, network, system administration, database administration, web administration). The Information System Security Manager (ISSM), Information Assurance Manager (IAM) tracks privileged role assignments Control - Outside Scope Procedural Control Enhancement 1 - Outside Scope Procedural Control Enhancement 2 - Partially Meets Requirement Configuration Linux user management allows an expiration date to be set for an account. This could be used when creating temporary or emergency accounts to terminate them after some period of time. Control Enhancement 3 Partially Meets Requirement Development Linux user management tools could be updated to monitor account inactivity (i.e., last login) and disable an account after the given period of inactivity. Control Enhancement 4 Outside Scope - Procedural These requirements are procedural in nature and are outside the scope of the base platform. Control Enhancement 5 Partially Meets Requirement Procedural Standard Linux DAC with SELinux policy separates user roles for privileged and non-privileged accounts. AC-3 Access Enforcement LOW: AC- 3 MODERATE: AC- 3 (1) (2) HIGH: AC- 3 (1) (2) Control: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy. Supplemental Guidance: Access Control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (access control Tresys Technology 29
33 lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of uses) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of a controlled, audited, and manual override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is largely dependent upon the classification level of the information. Related security controls: AC-16, AC- 21, SC-13. 1) The information system restricts access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel. Enhancement Supplemental Guidance: Explicitly authorized personnel include, for example, security administrators, system and network administrators, and other privileged users. Privileged users are individuals who have access to system control, monitoring, or administration functions (e.g., system administrators, information system security officers, maintainers, system programmers). 2) The Discretionary Access Control (DAC), policies of the information system are implemented and configured to ensure only authorized users are able to perform security functions. The enforcement mechanism shall allow users to specify and control sharing by named individuals or groups of individuals, or by both, and shall provide controls to limit propagation of access rights. The DAC mechanism shall, either by explicit user action or by default, provide that information is protected from unauthorized access. These access controls shall be capable of including or excluding access to the granularity of a single user. 3) The information system implements [and configures] and enforces a Role Based Access Control (RBAC) policy over all users and resources that ensures that access rights are grouped by role name, and access to resources is restricted to users who have been authorized to assume the associated role. 4) The information system implements [and configures] and enforces a MAC policy over all subjects and objects under its control to ensure that each user receives only that information to which the user is authorized access based on classification of the information, and user clearance; and need-to-know. The information system assigns labels/security domains/types to subjects and objects, and uses these labels as the basis for MAC decisions. 5) The security policies of the information system are implemented and configured to protect security relevant objects from unauthorized access, modification and deletion. 6) The MAC policies of the information system are implemented and configured to protect security relevant objects from unauthorized access, modification, and deletion. 7) The security policies of the information system are implemented and configured to ensure only authorized user are able to perform security functions. Tresys Technology 30
34 Control Partially Meets Requirement Development Traditional Linux DAC permissions control user, group, and world access. SELinux MAC allows system administrators to create defined access for users within the system. Although CLIP meets this requirement for the base platform, enforcement at the application level is outside scope. Control Enhancement 1 Meets Requirement Traditional Linux DAC permissions combined with CLIP SELinux policy enforce a least privilege model that restricts users to only the information explicitly allowed. Control Enhancement 2 Meets Requirement The default CLIP system is designed to meet the STIGs which addresses this requirement. Control Enhancement 3- Meets Requirement SELinux implements RBAC, thereby meeting this requirement. Control Enhancement 4- Meets Requirement MAC enforcement is provided by the standard CLIP SELinux policy. Control Enhancement 5 Meets Requirement Traditional Linux DAC permissions combined with SELinux policy restricts the access to authorized users for read and/or modification of security related objects. Control Enhancement 6 Meets Requirement The SELinux labels on all objects are check for any access to the object and only the access explicitly granted in the policy is permitted. Control Enhancement 7 Meets Requirement Traditional Linux DAC permissions combined with SELinux policy restricts the execution of applications or tools performing security functions to authorized users. AC-4 Information Flow Enforcement LOW: AC- 4 MODERATE: AC- 4 (2) HIGH: AC-4 (2) Control: The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and within explicit regard to subsequent access to that information. A few, of many, generalized examples of possible restrictions that are better expressed as flow control that access control are: keeping export controlled information from being transmitted in the clear to the Internet, clocking outside traffic that claims to be from within the organization, and not passing any web requests to the Internet that are not from the Tresys Technology 31
35 internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destination (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/ or the information path. Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services or provide a packet filtering capability. Related security control: SC-7. 1) The information system implements information flow control enforcement using explicit labels on information, source, and destination objects as a basis for flow control decisions. Enhancement Supplemental Guidance: Information flow control enforcement using explicit labels is used, for example, to control the release of certain types of information. The controlled interface (CI) examines the label of all data (data content and data structure) traversing the CI and reacts appropriately (e.g., block, quarantine, send alert to the administrator, etc.) when it encounters data not explicitly allowed by the configured transfer policy. Examples of data content and or data structure transfers that should not be allowed include, but are not limited to: sending a high classification object to low classification domain, sending a high classification object to a user with a low classification clearance, attempting to cut and paste text from a high classification terminal window into a terminal window with a low classification, etc. 2) The information system implements information flow control enforcement using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions. 3) The information system implements information flow control enforcement using dynamic security policy mechanisms as a basis for flow control decisions. 4) The information system implements information flow control enforcement using [Assignment: organization-defined security policy mechanisms] security policy mechanisms as a basis for flow control decisions. Enhancement Supplemental Guidance: Examples of organization-defined security policy mechanisms (i.e., filters) include dirty word filter, file type checking filter, structured data filter, unstructured data filter, metadata content filter, and hidden content filter. Structured data permits the interpretation of its content by virtue of atomic elements that are understandable by an application and indivisible. Unstructured data refers to masses of (usually) computerized information that either (1) do not have a data structure or (2) have a data structure that is not easily readable by a machine. Unstructured data consists of two basic categories: (1) bitmap objects: inherently non-language based, such as image, video, or audio files; (2) textual objects: based on a written or printed language, such as Microsoft Word documents, Microsoft Excel documents, or s. 5) The information system enforces the use of human review for [Assignment: organization-defined security policy mechanisms] security policy mechanisms when it is not capable of making a policy flow control decision. Tresys Technology 32
36 6) The information system provides the capability for an appropriately privileged administrator to enable/ disable [Assignment: organization-defined security policy mechanisms]security policy mechanisms. 7) The information system provides the capability for an appropriately privileged administrator to configure the [Assignment: organization-defined security policy mechanisms]security policy mechanisms to support different security policies. Enhancement Supplemental Guidance: For example, to reflect changes in security policy, the administrator will have the capability to change the list of dirty words that organization d-defined dirty word policy mechanism checks against. Control Meets Requirement SELinux MAC assigns labels to all subjects and objects on a system and uses those labels to make access decisions that enforces information flow. Labels are assigned to IP addresses to control information flow between interconnected systems. Control Enhancement 1 Meets Requirement SELinux MAC assigns labels to all subjects and objects on a system and uses those labels to make access decisions. Labels are assigned to network interfaces, IP addresses, and port numbers to control information flow between interconnected systems. Additionally, SELinux supports labeled IPSEC which controls communications between systems. Only systems that have equivalent security labels assigned to security associations can communicate with each other. Another benefit of labeled IPSEC is that all communications are encrypted; this ensures confidentiality and integrity during data transit. Control Enhancement 2 Meets Requirement SELinux MAC assigns labels to all domains on a system and uses those labels to make access decisions. Labels are assigned to network interfaces, IP addresses, and port numbers to control information flow between interconnected systems. Control Enhancement 3 Meets Requirement SELinux features Booleans used to dynamically enable or disable parts of the policy. Control Enhancement 4 Partially Meets Requirement Procedural SELinux assigns labels to all subjects and objects on a system and uses those labels to make access decisions, including flow control decisions. The SELinux policy may need to be configured to meet organizational policy decisions. Control Enhancement 5 Outside Scope Procedural This requirement is procedural in nature and is outside the scope of the base system. Control Enhancement 6 Partially Meets Requirement Procedural SELinux policy and user controls can limit the enabling/disabling of security mechanisms to sufficiently privileged users. Control Enhancement 7 Partially Meets Requirement Procedural Tresys Technology 33
37 SELinux policy and user controls can limit the ability to change security policies to sufficiently privileged users. AC-5 Separation of Duties LOW: AC- 5 MODERATE: AC-5 HIGH: AC-5 Control: The information system enforces separation of duties through assigned access authorizations. The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals. Access control software resides on the information system that prevents users from having all of the necessary authority or information access to perform fraudulent activity without collusion. Supplemental Guidance: Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network None Control Partially Meets Requirement Configuration SELinux policy can enforce divisions of responsibility based on roles and type enforcement. The organization can take various divisions or roles within the organization and create a SELinux policy that gives the appropriate privileges to the divisions through the policy. AC-6 Least Privilege LOW: AC- 6 (1) MODERATE: AC-6 (1) HIGH: AC-6 (1) Control: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks. Supplemental Guidance: The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals. Control Enhancement: (1) The organization ensures that privileged accounts are created for users to perform privileged functions only; that is, privileged users use non-privileged accounts for all nonprivileged functions. Control Meets Requirement Security Enhanced Linux (SELinux) denies all interactions between subjects and objects except for those that are permitted by the security policy. The CLIP SELinux policy fulfills this Tresys Technology 34
38 requirement by only allowing the least amount of privileges needed for a user to perform their tasks. The users are also placed into roles such as system, staff and basic user roles. SELinux enforces accesses through these roles and the associated types. Because SELinux implements Mandatory Access Control (MAC) all access is denied unless explicitly allowed and in addition, these denials are logged into the audit subsystem Control Enhancement 1 Partially Meets Requirement Procedural Administrators in SELinux can use the newrole command to switch into a more privileged role (sysadm_r & secadm_r) to perform privileged functions. AC-7 Unsuccessful Logon Attempts LOW: AC-7 MODERATE: AC-7 (2) HIGH: AC-7 (1) Control: The information system enforces a limit of consecutive invalid access attempts [Assignment: organization-defined number, or a maximum of 3] by a user during a [Assignment: organization-defined time period, or at least 15 minutes]. The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period at least 10 minutes], delays next login prompt according to [Assignment: organization defined delay algorithm] when the maximum number of unsuccessful attempts is exceeded. This control also applies to remote access logon attempts. Supplemental Guidance: Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization. The delay algorithm discussed in the control is dependent upon the Operating System or remote access solution in place at that organization. 1) The information system enforces a limit of 3 consecutive invalid access attempts by a user. The account remains locked until released by an authorized administrator. 2) The information system enforces a limit of 3 consecutive invalid access attempts by a user. The account remains locked for a period of 15 minutes or more. Control- Partially Meets Requirement - Configuration The PAM library and associated modules offer fine grained control over such parameters as timeout value, number of retries, and action to perform on unsuccessful login attempts. The /var/log/messages file contains information about logins to the system as well as information about users that have already logged in and change to different users (e.g., using the su command to become root). Control Enhancement 1 Partially Meets Requirement - Configuration The pam_tally module that is part of the PAM library included in CLIP allows for a user to be denied access after a three failed login attempts and it remains locked for 15 minutes. If 15 minutes have not elapsed, it requires an administrator to reset the account. The configuration can be changed to remove the 15 minute lock so that only an administrator can unlock the account. Control Enhancement 2 Meets Requirement Tresys Technology 35
39 The pam_tally module that is part of the PAM library included in CLIP allows for a user to be denied access after a three failed login attempts and it remains locked for 15 minutes. If 15 minutes have not elapsed, it requires an administrator to reset the account. The PAM library and associated modules offer fine grained control over such parameters as timeout value, number of retries, and action to perform on unsuccessful login attempts. AC-8 System Use Notification LOW: AC-8 MODERATE: AC-8 HIGH: AC-8 Control: The information system displays an approved, system use notification message before granting system access informing potential users that: a. The user is accessing a U.S. Government information system; b. System usage may be monitored, recorded, and subject to audit; c. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and d. Use of the system indicates consent to monitoring and recording. The system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries) and remains on the screen until the user takes explicit actions to log on to the information system. Supplemental Guidance: Privacy and security policies are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. For publicly accessible systems: (i) the system use information is available and when appropriate, is displayed before granting access; (ii) any references to monitoring, recording, or auditing are in keeping with privacy accommodations for such systems that generally prohibit those activities; and (iii) the notice given to public users of the information system includes a description of the authorized uses of the system. None. Control Meets Requirement The /etc/issue file can be used to give an unauthenticated user a message before logging into the system. The Message of the Day (MOTD) can be used to give messages to authenticated users. The May 2008 DoD Consent to Monitor banner is provided by the CLIP KickStart file. Tresys Technology 36
40 AC-9 Previous Logon Notification LOW: AC-9 MODERATE: AC-9 HIGH: AC-9 Control: The information system notifies the user, upon successful logon, of the date and time of the last logon.. Supplemental Guidance: None. 1) The information system notifies the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon. Control Meets Requirement This requirement is met by a standard Linux system. The information system notifies the user, upon successful logon, of the date and time of the last logon. Partially Meets Requirement- Development Adding a call to faillog in /etc/profile provides each user a display of the failed login attempts. In addition, pam_tally can be used to display user login counts.. AC-10 Concurrent Session Control LOW: Tailoring MODERATE: AC- 10 HIGH: AC- 10 Control: The information system limits the number of concurrent sessions for any user to [Assignment: organization-defined number, or a maximum of three(3), sessions]. Supplemental Guidance: For purposes of this control, concurrent sessions are defined as when a user is logged onto an information system more than once. None. Control Partially Meets Requirement - Configuration The PAM library and associated modules offer fine grained control over such parameters as maximum number of logins, specifically the pam_limits.so module. AC-11 Session Lock LOW: AC- 11 (1) MODERATE: AC-11 (1) HIGH: AC-11 (1) Control: The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period, not to exceed 30 minutes] of inactivity, and Tresys Technology 37
41 the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures. Supplemental Guidance: Users can directly initiate session lock mechanisms. A session lock is not a substitute for logging out of the information system. Organization-defined time periods of inactivity shall comply with federal policy; for example, in accordance with OMB Memorandum 06-16, the organization-defined time period is no greater than 30 minutes for remote access and portable devices. 1) The information system associates a workstation screen-lock functionality with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, totally hiding what was previously visible on the screen. Such a capability is enabled either by explicit user action or a specified period of workstation inactivity (e.g., 15 minutes). Once the workstation screen-lock software is activated, access to the workstation requires knowledge of a unique authenticator. A screen lock function is not considered a substitute for logging out unless a mechanism actually logs out the user when the user idle time is exceeded. Control Partially Meets Requirement - Development The vlock package can be installed to meet this requirement. Vlock can be configured to lock the user console after a specified period of inactivity. When the predefined period of inactivity has been reached, vlock will blank and lock the console; the console can be unlocked by entering the appropriate password. Control Enhancement 1 Partially Meets Requirement Development The vlock package can be installed to meet this requirement. Vlock can be configured to lock the user console after a specified period of inactivity. When the predefined period of inactivity has been reached, vlock will blank and lock the console; the console can be unlocked by entering the appropriate password. AC-12 Session Termination LOW: AC- 12 (1) MODERATE: AC-12 (1) HIGH: AC-12(1) (2) Control: The information system automatically terminates a remote session after [Assignment: organization- defined time period, not to exceed 60 minutes] of inactivity. Supplemental Guidance: A remote session is initiated whenever an organizational information system is accessed by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet or some other network that is outside the control of the organization that owns/controls the information system). An organization s oncampus inter-building sessions are not considered remote sessions unless part of the session has traverses networks that are no under the control (i.e., authorized by) the organization. Tresys Technology 38
42 1) Automatic session termination applies to local and remote sessions. 2) Time period will not exceed 30 minutes. Control- Partially Meets Requirement- Configuration The Linux subsystem, specifically /etc/profile, sets a default timeout value of 15 minutes for a session. Control Enhancement 1 Meets Requirement The Linux subsystem, specifically /etc/profile, sets a default timeout value for all sessions, local and remote. Control Enhancement 2 Meets Requirement The CLIP KickStart file contains operating system configuration settings that enforce idle session termination after 15 minutes. AC-13 Supervision and review - Access Control LOW: AC-13 MODERATE: AC-13(1) HIGH: AC-13(1) Control: The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls. The organization reviews audit records (e.g., user activity) for inappropriate activities in accordance with organizational policies. The organization investigates any unusual information system-related activities and periodically reviews changes to access authorizations. The organization reviews more frequently the activities of users with significant information system roles and responsibilities. The extent of the audit record reviews is based on the Impact Levels of the information system. Supplemental Guidance: For example, for low-impact systems, it is not intended that security logs be reviewed frequently for every workstation, but rather at central points such as a web proxy or servers and when specific circumstances warrant review of other audit records. Related security control: AU-6. 1) The organization employs automated mechanisms to facilitate the review of user activities. Control Enhancement 1 Partially Meets - Procedural Tresys Technology 39
43 AC-14 Permitted actions without identification or authentication LOW: AC-14 MODERATE: AC-14(1) HIGH: AC-14(1) Control: The organization identifies and documents specific user actions that can be performed on the information system without identification or authentication. Supplemental Guidance: The organization allows limited user activity without identification and authentication for public websites or other publicly available information systems (e.g., individuals accessing a federal information system at Another instance where identification and authentication is not required would be individuals already authenticated to the LAN can then do a search on the Web site without additional identification and authentication. Related security control: IA-2. Control Enhancement: 1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives (e.g., weapons system). Control Enhancement 1 Outside Scope - Procedural AC-15 Automated Marking LOW: Tailoring MODERATE: AC-15 HIGH: AC-15(1) Control: The information system marks output to identify any special dissemination, handling, or distribution instructions. Supplemental Guidance: Automated marking refers to markings employed on external media (e.g., hardcopy documents output from the information system). The markings used in external marking are distinguished from the labels used on internal data structures described in AC-16. 1) The information system will invoke marking procedures and mechanisms to ensure that either the user or the system marks all data transmitted or stored by the system to reflect the classification and sensitivity of the data (e.g., classification level, classification category, and handling caveats). Markings shall be retained with the data. Control Partially Meets Requirement - Configuration Tresys Technology 40
Recommended Security Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53 Revision 3 Excerpt Recommended Security Controls for Federal Information Systems and Organizations JOINT TASK FORCE TRANSFORMATION INITIATIVE HIGH-IMPACT BASELINE I N F
More informationAnnex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 3 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls High Baseline Includes updates through 04-22-2005 AC-1 ACCESS CONTROL
More informationMINIMUM SECURITY CONTROLS SUMMARY
APPENDIX D MINIMUM SECURITY CONTROLS SUMMARY LOW-IMPACT, MODERATE-IMPACT, AND HIGH-IMPACT INFORMATION SYSTEMS The following table lists the minimum security controls, or security control baselines, for
More informationMapping of ITSG-33 Security Controls to SP Revision 4 Security Controls
1 April 2013 BD Pro Mapping of ITSG-33 Security Controls to SP 800-53 Revision 4 Security Controls NIST SP 800-53 Revision 4 is replacing the August 2009 Revision 3 version of the security controls catalogue.
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationDoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to
DoD Guidance for Reviewing System Security Plans and the s Not Yet Implemented This guidance was developed to facilitate the consistent review and understanding of System Security Plans and Plans of Action,
More informationINTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST
INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE Aeronautical Telecommunication Network Implementation Coordination Group (ATNICG) ASIA/PAC RECOMMENDED SECURITY CHECKLIST September 2009
More informationRev.1 Solution Brief
FISMA-NIST SP 800-171 Rev.1 Solution Brief New York FISMA Cybersecurity NIST SP 800-171 EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical
More informationAnnex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 1 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls Low Baseline AC-1 ACCESS CONTROL POLICY AND PROCEDURES The organization
More informationexisting customer base (commercial and guidance and directives and all Federal regulations as federal)
ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of
More informationMapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls
Mapping of FedRAMP Tailored LI SaaS Baseline to ISO 27001 Security Controls This document provides a list of all controls that require the Cloud Service Provider, Esri, to provide detailed descriptions
More informationNIST Compliance Controls
NIST 800-53 Compliance s The following control families represent a portion of special publication NIST 800-53 revision 4. This guide is intended to aid McAfee, its partners, and its customers, in aligning
More informationProtecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations
Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationInformation Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC
Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_
More informationFour Deadly Traps of Using Frameworks NIST Examples
Four Deadly Traps of Using Frameworks NIST 800-53 Examples ISACA Feb. 2015 Meeting Doug Landoll dlandoll@lantego.com (512) 633-8405 Session Agenda Framework Definition & Uses NIST 800-53 Framework Intro
More informationBecause Security Gives Us Freedom
Because Security Gives Us Freedom PANOPTIC CYBERDEFENSE CYBERSECURITY LEADERSHIP Panoptic Cyberdefense is a monitoring and detection service in three levels: Security Management and Reporting Managed Detection
More informationSecurity Control Mapping of CJIS Security Policy Version 5.3 Requirements to NIST Special Publication Revision 4 4/1/2015
U. S. Department of Justice Federal Bureau of Investigation Criminal Justice Information Services Division Security Control Mapping of CJIS Security Policy Version 5.3 s to NIST Special Publication 800-53
More informationTop 10 ICS Cybersecurity Problems Observed in Critical Infrastructure
SESSION ID: SBX1-R07 Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure Bryan Hatton Cyber Security Researcher Idaho National Laboratory In support of DHS ICS-CERT @phaktor 16 Critical
More informationCosting Information Assurance
Costing Information Assurance Marybeth Panock 30 September 2009 The Aerospace Corporation The Aerospace Corporation 2009 1 Costing Information Assurance or Security Called Security for this exercise to
More informationInteragency Advisory Board Meeting Agenda, December 7, 2009
Interagency Advisory Board Meeting Agenda, December 7, 2009 1. Opening Remarks 2. FICAM Segment Architecture & PIV Issuance (Carol Bales, OMB) 3. ABA Working Group on Identity (Tom Smedinghoff) 4. F/ERO
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE Digital Policy Management consists of a set of computer programs used to generate, convert, deconflict, validate, assess
More informationAttachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan
Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationSecurity Standards Compliance NIST SP Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.1
Security Standards Compliance NIST SP 800-53 Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.1 Document TMIC-003-N Version 1.1, 24 August 2012 1 Security and Privacy Controls
More information1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010
Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes
More informationACHIEVING COMPLIANCE WITH NIST SP REV. 4:
ACHIEVING COMPLIANCE WITH NIST SP 800-53 REV. 4: How Thycotic Helps Implement Access Controls OVERVIEW NIST Special Publication 800-53, Revision 4 (SP 800-53, Rev. 4) reflects the U.S. federal government
More informationCloudCheckr NIST Audit and Accountability
CloudCheckr NIST 800-53 Audit and Accountability FISMA NIST 800-53 (Rev 4) Audit and Accountability: Shared Public Cloud Infrastructure Standards Standard Requirement per NIST 800-53 (Rev. 4) CloudCheckr
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationWHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3
WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring
More informationSecurity and Privacy Controls for Federal Information Systems and Organizations Appendix F
NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations Appendix F NOTE: THIS DOCUMENT PROVIDES A MARKUP OF CHANGES MADE TO SP 800-53,
More informationMIS Week 9 Host Hardening
MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls
More informationStreamlined FISMA Compliance For Hosted Information Systems
Streamlined FISMA Compliance For Hosted Information Systems Faster Certification and Accreditation at a Reduced Cost IT-CNP, INC. WWW.GOVDATAHOSTING.COM WHITEPAPER :: Executive Summary Federal, State and
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationCompliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations
VARONIS COMPLIANCE BRIEF NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) 800-53 FOR FEDERAL INFORMATION SYSTEMS CONTENTS OVERVIEW 3 MAPPING NIST 800-53 CONTROLS TO VARONIS SOLUTIONS 4 2 OVERVIEW
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationNIST SP , Revision 1 CNSS Instruction 1253
NIST SP 800-53, Revision 1 CNSS Instruction 1253 Annual Computer Security Applications Conference December 10, 2009 Dr. Ron Ross Computer Security Division Information Technology Laboratory Introduction
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Port Security Port Security helps to control access to logical and physical ports, protocols, and services. This
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationDFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017
DFARS 252.204-7012 Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 As with most government documents, one often leads to another. And that s the case with DFARS 252.204-7012.
More informationHandbook Webinar
800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) NIST MEP 800-171 Assessment Handbook Step-by-step
More informationSYSTEMS ASSET MANAGEMENT POLICY
SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationThe "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:
Major Enhancements to NIST SP 800-53 Revision 4 BD Pro The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP 800-53 states: "The proposed changes included in Revision 4
More informationDIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)
DIACAP and the GIG IA Architecture 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) 210-9252417 (C) 210-396-0254 jwierum@cygnacom.com OMB Circular A-130 (1996) OMB A-130 required systems and applications
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Mapping The Network Mapping helps visualize the network and understand relationships and connectivity between
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More information<Document Title> INFORMATION SECURITY POLICY
INFORMATION SECURITY POLICY 2018 DOCUMENT HISTORY DATE STATUS VERSION REASON NAME 24.03.2014 Draft 0.1 First draft Pedro Evaristo 25.03.2014 Draft 0.2 Refinement Pedro Evaristo 26.03.2014
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationCatalog of Control Systems Security: Recommendations for Standards Developers. September 2009
Catalog of Control Systems Security: Recommendations for Standards Developers September 2009 2.7.11.2 Supplemental Guidance Electronic signatures are acceptable for use in acknowledging rules of behavior
More informationFISMA Compliance. with O365 Manager Plus.
FISMA Compliance with O365 Manager Plus www.o365managerplus.com About FISMA The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement
More informationSecurity Management Models And Practices Feb 5, 2008
TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related
More informationSafeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)
Page 1 of 7 Section O Attach 2: SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013) 252.204-7012 Safeguarding of Unclassified Controlled Technical Information. As prescribed in 204.7303,
More informationAUTHORITY FOR ELECTRICITY REGULATION
SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...
More informationCSAM Support for C&A Transformation
CSAM Support for C&A Transformation Cyber Security Assessment and Management (CSAM) 1 2 3 4 5 Five Services, One Complete C&A Solution Mission/Risk-Based Policy & Implementation/Test Guidance Program Management
More informationExecutive Order 13556
Briefing Outline Executive Order 13556 CUI Registry 32 CFR, Part 2002 Understanding the CUI Program Phased Implementation Approach to Contractor Environment 2 Executive Order 13556 Established CUI Program
More informationNIST SP Controls
NIST SP 800-53 Controls and Netwrix Auditor Mapping www.netwrix.com Toll-free: 888-638-9749 About FISMA / NIST The Federal Information Security Management Act of 2002 (commonly abbreviated to FISMA) is
More informationW H IT E P A P E R. Salesforce Security for the IT Executive
W HITEPAPER Salesforce Security for the IT Executive Contents Contents...1 Introduction...1 Background...1 Settings Related to Security and Compliance...1 Password Settings... 1 Session Settings... 2 Login
More informationMeeting RMF Requirements around Compliance Monitoring
Meeting RMF Requirements around Compliance Monitoring An EiQ Networks White Paper Meeting RMF Requirements around Compliance Monitoring Purpose The purpose of this paper is to provide some background on
More informationCYBER SECURITY POLICY REVISION: 12
1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred
More informationInformation Security for Mail Processing/Mail Handling Equipment
Information Security for Mail Processing/Mail Handling Equipment Handbook AS-805-G March 2004 Transmittal Letter Explanation Increasing security across all forms of technology is an integral part of the
More informationDoes a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?
Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More informationISO27001 Preparing your business with Snare
WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director
More informationREAD ME for the Agency ATO Review Template
READ ME for the Agency ATO Review Template Below is the template that the FedRAMP Program Management Office (PMO) uses when reviewing an Agency ATO package. Agencies and CSPs should be cautious to not
More informationSparta Systems TrackWise Digital Solution
Systems TrackWise Digital Solution 21 CFR Part 11 and Annex 11 Assessment February 2018 Systems TrackWise Digital Solution Introduction The purpose of this document is to outline the roles and responsibilities
More informationEnsuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard
Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure
More informationUT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES
ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary
More informationSparta Systems TrackWise Solution
Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA
More informationNetwork Security Policy
Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business
More informationOracle Data Cloud ( ODC ) Inbound Security Policies
Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...
More informationPart 11 Compliance SOP
1.0 Commercial in Confidence 16-Aug-2006 1 of 14 Part 11 Compliance SOP Document No: SOP_0130 Prepared by: David Brown Date: 16-Aug-2006 Version: 1.0 1.0 Commercial in Confidence 16-Aug-2006 2 of 14 Document
More informationEXABEAM HELPS PROTECT INFORMATION SYSTEMS
WHITE PAPER EXABEAM HELPS PROTECT INFORMATION SYSTEMS Meeting the Latest NIST SP 800-53 Revision 4 Guidelines SECURITY GUIDELINE COMPLIANCE There has been a rapid increase in malicious insider threats,
More informationStandard CIP 005 2a Cyber Security Electronic Security Perimeter(s)
A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2a 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Access Management Access management enforces the policies that define the actions that an entity may or may not perform
More informationEvolving Cybersecurity Strategies
Evolving Cybersecurity Strategies NIST Special Publication 800-53, Revision 4 ISSA National Capital Chapter April 17, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationMessage Networking 5.2 Administration print guide
Page 1 of 421 Administration print guide This print guide is a collection of system topics provided in an easy-to-print format for your convenience. Please note that the links shown in this document do
More informationCIP Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-5 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in
More informationDRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook
NIST MEP CYBERSECURITY Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in response to DFARS Cybersecurity Requirements Table of Contents Disclaimer...8 Acknowledgements...8
More informationNIST Security Certification and Accreditation Project
NIST Security Certification and Accreditation Project An Integrated Strategy Supporting FISMA Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive
More informationENTS 650 Network Security. Dr. Edward Schneider
ENTS 650 Network Security Dr. Edward Schneider http://www.ece.umd.edu/class/ents650/ Schneide@umd.edu Stallings. Cryptography and Network Security, 4e. Prentice-Hall. 2006. NIST Special Pubs: csrc.nist.gov/publications/pubssps.html
More informationThe University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems
The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1 Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security
More informationClient Computing Security Standard (CCSS)
Client Computing Security Standard (CCSS) 1. Background The purpose of the Client Computing Security Standard (CCSS) is to (a) help protect each user s device from harm, (b) to protect other users devices
More informationVMware vcloud Air SOC 1 Control Matrix
VMware vcloud Air SOC 1 Control Objectives/Activities Matrix VMware vcloud Air goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a
More informationPA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite
for Sage MAS 90 and 200 ERP Versions 4.30.0.18 and 4.40.0.1 and Sage MAS 90 and 200 Extended Enterprise Suite Versions 1.3 with Sage MAS 90 and 200 ERP 4.30.0.18 and 1.4 with Sage MAS 90 and 200 ERP 4.40.0.1
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationFISMA-NIST SP Rev.4 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD FISMA NIST SP
FISMA-NIST SP 800-53 Rev.4 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical solutions that transform high-volume cryptic log data into actionable, prioritized intelligence
More informationPOLICY 8200 NETWORK SECURITY
POLICY 8200 NETWORK SECURITY Policy Category: Information Technology Area of Administrative Responsibility: Information Technology Services Board of Trustees Approval Date: April 17, 2018 Effective Date:
More informationGuide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com
: HIPPA Compliance GoToMyPC Corporate HIPAA Compliance Privacy, productivity and remote access 2 The healthcare industry has benefited greatly from the ability to use remote access to view patient data
More informationCybersecurity Risk Management
Cybersecurity Risk Management NIST Guidance DFARS Requirements MEP Assistance David Stieren Division Chief, Programs and Partnerships National Institute of Standards and Technology (NIST) Manufacturing
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationDATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW. Version 2, Release October Developed by DISA for the DoD
DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW Version 2, Release 5 28 October 2016 Developed by for the DoD 28 October 2016 Developed by for the DoD Trademark Information Names, products,
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS IA Policies, Procedures, The Information Assurance (IA) Policies, Procedures, encompasses existing policies, procedures,
More informationRed Flags/Identity Theft Prevention Policy: Purpose
Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and
More information