Costing Information Assurance
Costing Information Assurance
Marybeth Panock
30 September 2009
The Aerospace Corporation

Costing Information Assurance, or Security
Called "Security" for this exercise to distinguish it from IA&P (Information Architecture & Processing), the hardware.

Information needed to cost Security
With any cost model:
1. A basic understanding of the future system architecture
2. Security requirements
   - How they are satisfied
   - Who is responsible for satisfying them
   - Security tool pricing model
3. Cost model that will be used
4. How to use the cost model to capture the security costs
Architecture for a Satellite Ground System Cost Study
[Diagram] Nodes shown: SOC, Mission Planning Center, Teleport, Remote Ground Site, Command Uplink, Customer Network, Database Analysis Center, Telemetry & Control Center. Each node is drawn with Workstations, Circuit Terminating Equipment and a KG-175 on its circuit to the other nodes.
2. Security Requirements
DoDI IA Controls: Continuity; Enclave and Computing Environment; Enclave Boundary Defense; Identification & Authentication; Personnel; Physical & Environmental; Security Design & Configuration; Vulnerability & Incident Management
NIST Security Controls: Access Control; Audit and Accountability; Awareness and Training; Certification, Accreditation, & Security Assessments; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Media Protection; Personnel Security; Physical and Environmental Protection; Risk Assessment; Security Planning; System and Communications Protection; System and Information Integrity; System and Services Acquisition; System Maintenance

Security Requirements (continued)
Some requirements are satisfied by the Program Office, some by the Development Contractor, and some by the Operating Command.
What is included:
- Hardware, Software, and Facilities obtained/provided by the Development Contractor during the Engineering, Manufacturing & Development (EMD) contract
- Development Contractor effort
- Staffing provided by the Operating Command during Operations / Sustainment
Sometimes included:
- Certification effort to support Accreditation, depending on phase
What is Cost Analysis? (from The Aerospace Institute Cost Analysis Course)

Cost Estimates (from The Aerospace Institute Cost Analysis Course)
4. Cost Models
There are many cost models:
- COCOMO, COSYSMO, COSECMO: Constructive Cost Model and derivatives
- SEER SEM: software application to estimate software development
- PRICE
- NAFCOM: NASA / Air Force Cost Model
- USCM: Universal Spacecraft Cost Model
- SSCM: Small Satellite Cost Model
- The Aerospace Corporation's Concept Design Center (CDC) Cost Model
CDC studies use models that are a combination of other models. CDC cost studies are informal independent cost assessments: not exactly ICEs, but close.
Sample Cost Model: COSYSMO
[Diagram] Operational Concept -> Size Drivers (# Requirements, # Interfaces, # Scenarios, # Algorithms, + 3 adjustment factors) -> COSYSMO -> Effort. Effort Multipliers: application factors (8 factors) and team factors (6 factors). Calibration feeds the model.
Source: Towards COSYSMO 2.0: Future Directions and Priorities, CSSE Annual Research Review, Los Angeles, CA, March 17, (Garry Roedler, Gan Wang, Jared Fortune, Ricardo Valerdi)

Cost Models: Size Drivers vs. Effort Multipliers
Information system (including satellite system) cost models are composed of Size Drivers and Effort Multipliers.
Size Drivers are additive and incremental: Requirements, Interfaces, Algorithms, Scenarios.
Effort Multipliers are multiplicative and can be system-wide:
- Per cost area (e.g., Hardware, Software, Telecommunications): Integration, Assembly and Test; Design Engineering effort
- System-wide, possible examples: System Engineering effort; Documentation / CDRL delivery; Fees
Size Drivers vs. Effort Multipliers
Security should be treated as a Size Driver, not an Effort Multiplier.
Size Drivers: additive, incremental. The impact of adding a new item is inversely proportional to current size:
- 10 -> 11 rqts = 10% increase
- 100 -> 101 rqts = 1% increase
Effort Multipliers: multiplicative, system-wide. The impact of adding a new item is independent of current size:
- 10 rqts + high security = 40% increase
- 100 rqts + high security = 40% increase
Source: Towards COSYSMO 2.0: Future Directions and Priorities, CSSE Annual Research Review, Los Angeles, CA, March 17, (Garry Roedler, Gan Wang, Jared Fortune, Ricardo Valerdi)
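To make the slide's arithmetic concrete, here is an added Python example (not from the original deck) that models effort in the COSYSMO shape, effort = A × (weighted size)^E × Π effort multipliers, and books security both ways. The constants A and E, the driver weights and the 1.40 "high security" multiplier are assumed values chosen so that the slide's own percentages fall out; they are not calibrated COSYSMO parameters, and the function names are this example's own.

```python
"""Security as a Size Driver vs. as an Effort Multiplier.

Added example (not from the slide deck). The effort equation has the
COSYSMO shape, effort = A * (weighted size) ** E * product(effort multipliers),
but A, E, the driver weights and the 1.40 "high security" multiplier are
assumed values chosen so that the slide's numbers (10 -> 11 requirements =
10%, 100 -> 101 = 1%, high security = +40% at any size) come out exactly.
They are not calibrated COSYSMO parameters.
"""
from dataclasses import dataclass
from math import prod

# Assumed calibration. Real COSYSMO weights size drivers by difficulty and
# uses an exponent slightly above 1; E = 1.0 here reproduces the slide's
# "10%" and "1%" figures exactly.
A = 1.0
E = 1.0
WEIGHTS = {"requirements": 1.0, "interfaces": 1.0, "algorithms": 1.0, "scenarios": 1.0}
HIGH_SECURITY_EM = 1.40   # assumed: the slide's "high security = 40% increase"


@dataclass
class SizeDrivers:
    """Additive, incremental size inputs (the four COSYSMO drivers)."""
    requirements: int = 0
    interfaces: int = 0
    algorithms: int = 0
    scenarios: int = 0

    def weighted_size(self, weights=WEIGHTS):
        return sum(getattr(self, name) * w for name, w in weights.items())

    def plus(self, **extra):
        """Return a copy with extra items added to the named drivers."""
        return SizeDrivers(**{n: getattr(self, n) + extra.get(n, 0) for n in WEIGHTS})


def effort(size, multipliers=(), a=A, e=E):
    """Effort: A * size^E * product of effort multipliers."""
    return a * size.weighted_size() ** e * prod(multipliers, start=1.0)


def pct_increase(before, after):
    return round((after - before) / before * 100, 2)


def security_as_size_driver(base, **security_items):
    """Book security as extra size (e.g. 1 more requirement, 2 more interfaces)."""
    return pct_increase(effort(base), effort(base.plus(**security_items)))


def security_as_effort_multiplier(base, em=HIGH_SECURITY_EM):
    """Book security as a system-wide multiplier on the whole effort."""
    return pct_increase(effort(base), effort(base, multipliers=[em]))


def compare(n_requirements, security_requirements=1):
    """Relative effort growth under both treatments for a system of n requirements."""
    base = SizeDrivers(requirements=n_requirements)
    return {
        "size_driver_pct": security_as_size_driver(base, requirements=security_requirements),
        "effort_multiplier_pct": security_as_effort_multiplier(base),
    }


if __name__ == "__main__":
    for n in (10, 100, 1000):
        r = compare(n)
        print(f"{n:>5} rqts: +1 security rqt = +{r['size_driver_pct']}% ; "
              f"high-security multiplier = +{r['effort_multiplier_pct']}%")
```

Running the block prints the slide's two cases plus a 1000-requirement case: the size-driver share shrinks as the system grows (10%, 1%, 0.1%), while the multiplier stays at 40% regardless of size, which is why a flat "security multiplier" overstates the cost of security on a large system and understates it on a small one.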
CDC Cost Modeling Diagram
[Diagram] Node Functions (Master Function List) -> Staffing (Number of Offices; Estimate of staffed Workstations), Software (S/W Arch), Information Architecture/Processing (WANs; HW Comm Architecture; HW), Facilities -> Cost

CDC Cost Modeling Diagram with Security Added
[Diagram] The same flow as above, with Security added as an input to the Node Functions (Master Function List).

Security Cost Drivers input to CDC
[Diagram] Security -> Node Functions (Master Function List): Security Functions, Tools
- Staffing: Sec Admins, IT Security, ISSOs; Seats; Number of Offices; Estimate of staffed Workstations
- Software: Security Tools; S/W Arch
- Information Architecture/Processing: KGs; Servers / Security Tools, Routers, Firewalls, Guards; WANs; HW Comm Architecture; HW
- Facilities: SCIFs / Backup
-> Cost
Typical representation of Ground System Functions showing IT Security
- Ground Command & Control: Acquisition & Tracking; Command & Control; Telemetry Processing; Orbit & Attitude Determination
- Mission Management: Mission Planning & Scheduling; Schedule Optimization; Constraint Analysis; Space & Ground Resource Monitoring; Mission Assessment; Task Satisfaction Analysis
- Mission Processing: Mission Data Capture; Mission Data Processing; Report Dissemination; User Interface; Optical Data Processing
- Ground System Management: Communication Connectivity Interface; LAN/WAN Management; Ground Terminal Control; Timing Services
- Misc. Functions: Launch and Early Orbit Support; Anomaly Resolution; Operations Management
- Support Functions: Telemetry Storage and Retrieval; Training; Data Base Management & System Administration; Data Security; Vehicle Simulation; Development Environment
Sample Cost Matrix with DoDI IT Security Costs*
* Notional, as costs are allocated by the actual relevant controls, not the Category

Sample Cost Matrix with NIST SP IT Security Costs*
* Notional, as costs are allocated by the actual relevant controls, not the Category

TYPICAL STUDY SECURITY CHARTS
Security Requirements allocated to Functions
Typical Security Summary for a Cost Study
Security requirements from NIST SP were allocated to Functions: Staffing, Information Architecture & Processing, Software. Security requirements were considered by each of these areas:
- Staffing added 1 IT Security position at the Customer's request
- IA&P included server capacity to host the identified security tools
- IA&P included firewalls and guards to provide the required segregation protection
- Software included effort to augment security functions in COTS products
- Software included security tools in COTS estimates

Typical Security Conclusions for a Cost Study
Staffing for Security:
- Additional positions may be required to install, implement, and run the large number of security tools identified
Information Architecture & Processing for Security:
- Data storage requirements for tool output results were not explicitly added, but planned capability should be adequate
Software Security:
- Security requirements from NIST SP and the SRD are numerous and complex; actual assessment of the required augmentation can only be completed when the COTS mission software product is selected
- Only security functional requirements were considered in the COTS product review; code protections such as user input data validation, error handling, and failing safely will need to be addressed in the RFP
- Security tools identified will require consulting services and process engineering to implement successfully

BACK UP CHARTS
Security Requirements allocated to Functions
Selection of Security Controls Impacting Staffing
- Baseline Configuration: The organization develops, documents, and maintains a current baseline configuration of the information system.
- Configuration Change Control: The organization authorizes, documents, and controls changes to the information system.
- Monitoring Configuration Changes: The organization monitors changes to the information system conducting security impact analyses to determine the effects of the changes
- Access Restrictions for Change: The organization: (i) approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and (ii) generates, retains, and reviews records reflecting all such changes
- Configuration Settings: The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent
- Least Functionality: The organization reviews the information system [Assignment: organization-defined frequency], to identify and eliminate unnecessary functions, ports, protocols, and/or services.
- Information System Component Inventory: The organization updates the inventory of information system components as an integral part of component installations.
- Information System Recovery and Reconstitution: The organization includes a full recovery and reconstitution of the information system as part of contingency plan testing.
- Contingency Plan: The organization develops and implements a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or
- Alternate Storage Site: The organization identifies an alternate storage site and initiates necessary agreements to permit the storage of information system backup information.
- Alternate Processing Site: The organization identifies an alternate processing site and initiates necessary agreements to permit the resumption of information system operations for critical mission/business functions within [Assignment: organization-defined time period] when the pr
- Telecommunications Services: The organization identifies primary and alternate telecommunications services to support the information system and initiates necessary agreements to permit the resumption of system operations for critical mission/business functions within [Assignment: or
- Information System Backup: The organization conducts backups of user-level and system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency] and protects backup information at the storage location.
- Incident Response Testing and Exercises: The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the incident r
- Access Agreements: The organization completes appropriate signed access agreements for individuals requiring access to organizational information and information systems before authorizing access and reviews/updates the agreements [Assignment: organization-defined frequency
- Vulnerability Scanning: The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.
Selection of Security Controls Impacting IA & Processing
- Supervision and Review Access Control: The organization employs automated mechanisms to facilitate the review of user activities
- Account Management: The organization employs automated mechanisms to support the management of information system accounts.
- Account Management: The organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
- Audit Monitoring, Analysis, and Reporting: The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.
- Audit Monitoring, Analysis, and Reporting: The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in
- Baseline Configuration: The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
- Configuration Change Control: The organization employs automated mechanisms to: (i) document proposed changes to the information system; (ii) notify appropriate approval authorities; (iii) highlight approvals that have not been received in a timely manner; (iv) inhibit change until ne
- Access Restrictions for Change: The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.
- Configuration Settings: The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.
- Information System Component Inventory: The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
- Alternate Storage Site: The organization configures the alternate storage site to facilitate timely and effective recovery operations.
- Alternate Processing Site: The organization identifies an alternate processing site and initiates necessary agreements to permit the resumption of information system operations for critical mission/business functions within [Assignment: organization-defined time period] when the pr
- Alternate Processing Site: The organization fully configures the alternate processing site so that it is ready to be used as the operational site supporting a minimum required operational capability.
Selection of Security Controls Impacting Software
- Concurrent Session Control: The information system limits the number of concurrent sessions for any user to [Assignment: organization-defined number of sessions].
- Session Lock: The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures.
- Supervision and Review Access Control: The organization employs automated mechanisms to facilitate the review of user activities
- Account Management: The organization employs automated mechanisms to support the management of information system accounts.
- Account Management: The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
- Account Management: The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
- Account Management: The organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
- Access Enforcement: The information system restricts access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel.
- Separation of Duties: The information system enforces separation of duties through assigned access authorizations.
- Least Privilege: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.
- Unsuccessful Login Attempts: The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period] time period. The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period], delays next login prompt according to [Assignment: organization-defined delay algorithm.]] when the maximum number of unsuccessful attempts is exceeded.
- Auditable Events: The information system provides the capability to compile audit records from multiple components throughout the system into a system wide (logical or physical), time-correlated audit trail.
- Content of Audit Records: The information system provides the capability to include additional, more detailed information in the audit records for audit events identified by type, location, or subject.
- Content of Audit Records: The information system provides the capability to centrally manage the content of audit records generated by individual components throughout the system.
- Audit Monitoring, Analysis, and Reporting: The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.
- Audit Monitoring, Analysis, and Reporting: The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts].
- Audit Reduction and Report Generation: The information system provides the capability to automatically process audit records for events of interest based upon selectable, event criteria.

BACK UP CHARTS
Security estimate review based on cost study worksheets
IA&P Summary: Security Servers and Network Equipment
[Worksheet] Columns: Node; Functional Design / Data Processing Module (Master Function List, Function Performed); PCs; Workstations (LO, MD); Servers (LO, MD, DB, INP); Network (Firewall Mod INP, Guard Mod INP). Unit counts are not reproduced in the transcription. Rows for the Data Security function:
- Loc1: Data Security, Performed
- Loc2: Data Security, Performed
- Loc3: Data Security, Capability Only - Not Staffed
- Loc4: Data Security, Performed
- Loc5: Data Security, Performed
- Loc6: Data Security, Performed
- Loc7: Data Security, Not Performed
- Loc8: Data Security, Capability Only - Not Staffed

Processors for Tool Calculations
[Worksheet] Columns: Processing Domain; PCs; Workstations; Total WS; Total PCs + WS; Servers; Total Servers; Total PCs, WS, Servers; Firewalls. Rows: Loc1 through Loc8, each with a Total line and a New line. Counts are not reproduced in the transcription.
Security Tool Cost Estimates (Sample)

Product | Affected Units | Pricing Model | Node 1 | Node 2 | Node 3 | Node 4 | Node 5 | Node 6 | Node 7 | Node 8 | Total
Identity Management | one per program | $400k | - | - | - | - | $400,000 | - | - | - | $400,000
Virus Protection | PC, WS, Server | $50 / CPU | $14,100 | $14,100 | $19,450 | $6,450 | $27,550 | $4,000 | $800 | $1,500 | $87,950
Security Compliance Manager | Server | $100k + $100 / CPU | $109,800 | $109,800 | $130,000 | $107,400 | $130,200 | $102,800 | $101,800 | $101,800 | $893,600
Intrusion Protection System - FW | LAN Segment: network | $50K + $500 / FW | $52,500 | $52,500 | $52,500 | $52,500 | $51,000 | $51,000 | $51,000 | $51,000 | $414,000
Intrusion Protection System - host | Server | $50K + $200 / Server | $69,600 | $69,600 | $110,000 | $64,800 | $110,400 | $55,600 | $51,600 | $53,600 | $585,200
Change Manager | Node | $100K / Node | $100,000 | $100,000 | $100,000 | $100,000 | $100,000 | $100,000 | $100,000 | $100,000 | $800,000
Configuration Manager | Node | $100K / Node | $100,000 | $100,000 | $100,000 | $100,000 | $100,000 | $100,000 | $100,000 | $100,000 | $800,000
Total | | | $446,000 | $446,000 | $511,950 | $431,150 | $919,150 | $413,400 | $405,200 | $407,900 | $3,980,750
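To show how the pricing models on this slide turn a node inventory into the cost matrix, here is an added Python example (not part of the original cost study). The pricing models are the ones printed above; the per-node counts of CPUs, servers, firewalls and host-IPS-covered servers are not on the slide and were back-derived here from its dollar figures (for instance Node 1 virus protection $14,100 / $50 per CPU = 282 CPUs), so they are assumed inputs. The one-per-program Identity Management license is booked against Node 5, which is where the slide's column totals place it; the class and function names are this example's own.

```python
"""Rebuilding the slide's Security Tool Cost Estimates from pricing models.

Added example, not part of the original cost study. The pricing models are
the ones printed on the slide. The per-node inventory is NOT on the slide:
it was back-derived here from the slide's dollar figures (Node 1 virus
protection $14,100 / $50 per CPU = 282 CPUs, and so on), so treat it as an
assumed input. The one-per-program Identity Management license is booked
against Node 5, where the slide's column totals place it.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed inventory, back-derived from the slide. "ips_hosts" is the number
# of servers covered by the host IPS; it equals "servers" everywhere except
# Node 7, where the slide's $51,600 implies 8 rather than 18.
INVENTORY: Dict[str, Dict[str, int]] = {
    "Node 1": {"cpus": 282, "servers": 98,  "firewalls": 5, "ips_hosts": 98},
    "Node 2": {"cpus": 282, "servers": 98,  "firewalls": 5, "ips_hosts": 98},
    "Node 3": {"cpus": 389, "servers": 300, "firewalls": 5, "ips_hosts": 300},
    "Node 4": {"cpus": 129, "servers": 74,  "firewalls": 5, "ips_hosts": 74},
    "Node 5": {"cpus": 551, "servers": 302, "firewalls": 2, "ips_hosts": 302},
    "Node 6": {"cpus": 80,  "servers": 28,  "firewalls": 2, "ips_hosts": 28},
    "Node 7": {"cpus": 16,  "servers": 18,  "firewalls": 2, "ips_hosts": 8},
    "Node 8": {"cpus": 30,  "servers": 18,  "firewalls": 2, "ips_hosts": 18},
}


@dataclass(frozen=True)
class PricingModel:
    """Per node: fixed + per_unit * count(unit); or a single program-level fee."""
    product: str
    fixed: int = 0
    unit: Optional[str] = None
    per_unit: int = 0
    program_level: bool = False

    def cost(self, node: str, inv: Dict[str, int], program_host: str) -> int:
        if self.program_level:
            return self.fixed if node == program_host else 0
        units = inv.get(self.unit, 0) if self.unit else 0
        return self.fixed + self.per_unit * units


# Pricing models as printed on the slide.
PRICING = [
    PricingModel("Identity Management", fixed=400_000, program_level=True),
    PricingModel("Virus Protection", unit="cpus", per_unit=50),
    PricingModel("Security Compliance Manager", fixed=100_000, unit="servers", per_unit=100),
    PricingModel("Intrusion Protection System - FW", fixed=50_000, unit="firewalls", per_unit=500),
    PricingModel("Intrusion Protection System - host", fixed=50_000, unit="ips_hosts", per_unit=200),
    PricingModel("Change Manager", fixed=100_000),
    PricingModel("Configuration Manager", fixed=100_000),
]


def cost_matrix(inventory=INVENTORY, pricing=PRICING, program_host="Node 5"):
    """Product -> {node: cost, ..., "Total": row total}."""
    matrix = {}
    for pm in pricing:
        row = {node: pm.cost(node, inv, program_host) for node, inv in inventory.items()}
        row["Total"] = sum(row.values())
        matrix[pm.product] = row
    return matrix


def node_totals(matrix):
    """Column totals per node plus the grand total."""
    nodes = [k for k in next(iter(matrix.values())) if k != "Total"]
    totals = {n: sum(row[n] for row in matrix.values()) for n in nodes}
    totals["Total"] = sum(totals.values())
    return totals


def print_matrix(matrix):
    cols = list(next(iter(matrix.values())))
    print(f"{'Product':<36}" + "".join(f"{c:>12}" for c in cols))
    for product, row in matrix.items():
        print(f"{product:<36}" + "".join(f"{row[c]:>12,}" for c in cols))
    totals = node_totals(matrix)
    print(f"{'Node total':<36}" + "".join(f"{totals[c]:>12,}" for c in cols))


if __name__ == "__main__":
    print_matrix(cost_matrix())
```

Because each tool's cost is a function of the inventory, the same code answers the what-if questions a cost study gets asked: change a node's server count and the Security Compliance Manager and host IPS rows move while the per-node Change and Configuration Manager rows do not, which is the per-unit versus fixed distinction the pricing-model column encodes.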
More informationDEFINITIONS AND REFERENCES
DEFINITIONS AND REFERENCES Definitions: Insider. Cleared contractor personnel with authorized access to any Government or contractor resource, including personnel, facilities, information, equipment, networks,
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such
More informationMeeting RMF Requirements around Compliance Monitoring
Meeting RMF Requirements around Compliance Monitoring An EiQ Networks White Paper Meeting RMF Requirements around Compliance Monitoring Purpose The purpose of this paper is to provide some background on
More informationSpecial Publication
Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Patricia Toth NIST MEP What is Information Security? Personnel Security Cybersecurity
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationInformation Technology Procedure IT 3.4 IT Configuration Management
Information Technology Procedure IT Configuration Management Contents Purpose and Scope... 1 Responsibilities... 1 Procedure... 1 Identify and Record Configuration... 2 Document Planned Changes... 3 Evaluating
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationDIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)
DIACAP and the GIG IA Architecture 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) 210-9252417 (C) 210-396-0254 jwierum@cygnacom.com OMB Circular A-130 (1996) OMB A-130 required systems and applications
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.
More informationFairWarning Mapping to PCI DSS 3.0, Requirement 10
FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationSparta Systems TrackWise Solution
Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Port Security Port Security helps to control access to logical and physical ports, protocols, and services. This
More informationNW NATURAL CYBER SECURITY 2016.JUNE.16
NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationIntroduction To IS Auditing
Introduction To IS Auditing Instructor: Bryan McAtee, ASA, CISA Bryan McAtee & Associates - Brisbane, Australia * Course, Presenter and Delegate Introductions * Definition of Information Technology (IT)
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationMEETING ISO STANDARDS
WHITE PAPER MEETING ISO 27002 STANDARDS September 2018 SECURITY GUIDELINE COMPLIANCE Organizations have seen a rapid increase in malicious insider threats, sensitive data exfiltration, and other advanced
More informationFunction Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The
More informationDIACAP IA CONTROLS. Requirements Document. Sasa Basara University of Missouri-St. Louis
DIACAP IA CONTROLS Requirements Document 10.13.2015 Sasa Basara University of Missouri-St. Louis 1 1 University Blvd St. Louis, MO 63121 Overview This task is creating threshold (shall) requirements for
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationHeavy Vehicle Cyber Security Bulletin
Heavy Vehicle Cyber Security Update National Motor Freight Traffic Association, Inc. 1001 North Fairfax Street, Suite 600 Alexandria, VA 22314 (703) 838-1810 Heavy Vehicle Cyber Security Bulletin Bulletin
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More informationNIST SP Controls
NIST SP 800-53 Controls and Netwrix Auditor Mapping www.netwrix.com Toll-free: 888-638-9749 About FISMA / NIST The Federal Information Security Management Act of 2002 (commonly abbreviated to FISMA) is
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationFedRAMP: Understanding Agency and Cloud Provider Responsibilities
May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration
More informationRAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures
RAPID7 INFORMATION SECURITY An Overview of Rapid7 s Internal Security Practices and Procedures 060418 TABLE OF CONTENTS Overview...3 Compliance...4 Organizational...6 Infrastructure & Endpoint Security...8
More informationBecause Security Gives Us Freedom
Because Security Gives Us Freedom PANOPTIC CYBERDEFENSE CYBERSECURITY LEADERSHIP Panoptic Cyberdefense is a monitoring and detection service in three levels: Security Management and Reporting Managed Detection
More informationCITY OF MONTEBELLO SYSTEMS MANAGER
CITY OF MONTEBELLO 109A DEFINITION Under general administrative direction of the City Administrator, provides advanced professional support to departments with very complex computer systems, programs and
More informationTotal Security Management PCI DSS Compliance Guide
Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to
More informationWHITE PAPER- Managed Services Security Practices
WHITE PAPER- Managed Services Security Practices The information security practices outlined below provide standards expected of each staff member, consultant, or customer staff member granted access to
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Physical Enterprise Physical Enterprise Monitoring is the monitoring of the physical and environmental controls that
More informationFour Deadly Traps of Using Frameworks NIST Examples
Four Deadly Traps of Using Frameworks NIST 800-53 Examples ISACA Feb. 2015 Meeting Doug Landoll dlandoll@lantego.com (512) 633-8405 Session Agenda Framework Definition & Uses NIST 800-53 Framework Intro
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationIBM Security Intelligence on Cloud
Service Description IBM Security Intelligence on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means and includes the company, its authorized users or recipients
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE Digital Policy Management consists of a set of computer programs used to generate, convert, deconflict, validate, assess
More informationBuilding Secure Systems
Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationOracle Data Cloud ( ODC ) Inbound Security Policies
Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...
More informationFederal Information Security Management Act (FISMA) Operational Controls and Their Relationship to Process Maturity
Federal Information Security Management Act (FISMA) Operational Controls and Their Relationship to Process Maturity Ronda Henning rhenning@harris.com The Basic Premise of This Presentation Proper preparation
More informationJudiciary Judicial Information Systems
Audit Report Judiciary Judicial Information Systems August 2016 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY For further information concerning this report
More informationCIS Controls Measures and Metrics for Version 7
Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information
More informationApril Appendix 3. IA System Security. Sida 1 (8)
IA System Security Sida 1 (8) Table of Contents 1 Introduction... 3 2 Regulatory documents... 3 3 Organisation... 3 4 Personnel security... 3 5 Asset management... 4 6 Access control... 4 6.1 Within AFA
More informationRADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE
ADIAN6 SECUITY, PIVACY, AND ACHITECTUE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers. Integral to this
More informationNIST SP , Revision 1 CNSS Instruction 1253
NIST SP 800-53, Revision 1 CNSS Instruction 1253 Annual Computer Security Applications Conference December 10, 2009 Dr. Ron Ross Computer Security Division Information Technology Laboratory Introduction
More information