Costing Information Assurance

Transcription

1 Costing Information Assurance Marybeth Panock 30 September 2009 The Aerospace Corporation The Aerospace Corporation

2 Costing Information Assurance or Security Called Security for this exercise to distinguish it from IA&P or Information Architecture & Processing the hardware 2

3 Information needed to cost Security With any cost model 1. A basic understanding of the future system architecture 2. Security requirements How they are satisfied Who is responsible for satisfying them Security tool pricing model 3. Cost Model that will be used 4. How to use the cost model to capture the security costs 3

4 Architecture for a Satellite Ground System Cost Study SOC Mission Planning Center Teleport Remote Ground Site Command Uplink Workstations KG-175 Circuit Terminating Equipment Circuit Terminating Equipment KG-175 Workstations Customer Network Database Analysis Center SOC Circuit Terminating Equipment KG-175 Workstations Teleport Command Uplink KG-175 Circuit Terminating Equipment Telemetry & Control Center Remote Ground Site Workstations Circuit Terminating Equipment KG-175 Workstations 4

5 2. Security Requirements DoDI IA Controls Continuity Enclave and Computing Environment Enclave Boundary Defense Identification & Authentication Personnel Physical & Environmental Security Design & Configuration Vulnerability & Incident Management NIST Security Controls Access Control Audit and Accountability Awareness and Training Certification, Accreditation, & Security Assessments Configuration Management Contingency Planning Identification and Authentication Incident Response Media Protection Personnel Security Physical and Environmental Protection Risk Assessment Security Planning System and Communications Protection System and Information Integrity System and Services Acquisition System Maintenance 5

6 Security Requirements continued Some requirements are satisfied by the Program Office, some by the Development Contractor, and some by the Operating Command What is included Hardware, Software, and Facilities obtained/provided by the Development Contractor during the Engineering Manufacturing & Development (EMD) Contract Development Contractor Effort Staffing provided by the Operating Command during Operations / Sustainment Sometimes included Certification effort to support Accreditation depending on phase 6

7 What is Cost Analysis from The Aerospace Institute Cost Analysis Course 7

8 Cost Estimates from The Aerospace Institute Cost Analysis Course 8

9 4. Cost Models There are many costs models COCOMO, COSYSMO, COSECMO Constructive Cost Model and derivatives SEER SEM software application to estimate software development PRICE NFA COM NASA Air Force Cost Model USCM Universal Spacecraft Cost Model SSCM Small Satellite Cost Model The Aerospace Corporation s Concept Design Center (CDC) Cost Model CDC Studies use models that are a combination of other models CDC Cost Studies are informal independent cost assessments not exactly ICEs but close 9

10 Sample Cost Model COSYSMO Operational Concept # Requirements # Interfaces # Scenarios # Algorithms + 3 Adj. Factors Size Drivers Effort Multipliers COSYSMO Effort - Application factors -8 factors - Team factors -6 factors Calibration Towards COSYSMO 2.0 Future Directions and Priorities CSSE Annual Research Review Los Angeles, CA March 17, Garry Roedler Gan Wang Jared Fortune Ricardo Valerdi 10

11 Cost Models: Size Drivers vs. Effort Multipliers Information System (including satellite systems) cost models are composed of Size Drivers and Effort Multipliers Size Drivers are Additive and Incremental Requirements Interfaces Algorithms Scenarios Effort Multipliers are Multiplicative and can be system-wide Per cost area, e.g., Hardware, Software, Telecommunications Integration Assembly and Test Design Engineering Effort System Wide, possible examples System Engineering Effort Documentation / CDRL delivery Fees 11

12 Size Drivers vs. Effort Multipliers Size Drivers vs. Effort Multipliers Security should be treated as a Size Driver not an Effort Multiplier Size Drivers: Additive, Incremental Impact of adding a new item inversely proportional to current size 10 -> 11 rqts = 10% increase 100 -> 101 rqts = 1% increase Effort Multipliers: Multiplicative, system-wide Impact of adding a new item independent of current size 10 rqts + high security = 40% increase 100 rqts + high security = 40% increase Towards COSYSMO 2.0 Future Directions and Priorities CSSE Annual Research Review Los Angeles, CA March 17, Garry Roedler Gan Wang Jared Fortune Ricardo Valerdi 12

13 CDC Cost Modeling Diagram Node Functions (Master Function Li st) Staffing Number of Offices Estimate of staffed Workstations Software S/W Arch Information Architecture/ Processing WANs HW Comm Architecture HW Facilities Cost 13

14 CDC Cost Modeling Diagram with Security Added Security Node Functions (Master Function Li st) Staffing Number of Offices Estimate of staffed Workstations Software S/W Arch Information Architecture/ Processing WANs HW Comm Architecture HW Facilities Cost 14

15 Security Cost Drives input to CDC Seats Security Node Functions (Master Function Li st) Security Functions, Tools Sec Admins, IT Security, ISSOs Estimate of staffed Workstations Staffing Number of Offices KGs Software Servers / Security Tools, Routers, Firewalls, Guards S/W Arch Information Architecture/ Processing WANs HW Comm Architecture HW Facilities SCIFs/ Backup Cost 15

16 Typical representation of Ground System Functions showing IT Security Ground Command & Control Acquisition & Tracking Command & Control Telemetry Processing Orbit & Attitude Determination Mission Management Mission Planning & Scheduling Schedule Optimization Constraint Analysis Space & Ground Resource Monitoring Mission Assessment Task Satisfaction Analysis Mission Processing Mission Data Capture Mission Data Processing Report Dissemination User Interface Optical Data Processing Ground System Management Communication Connectivity Interface LAN/WAN Management Ground Terminal Control Timing Services Misc. Functions Launch and Early Orbit Support Anomaly Resolution Operations Management Support Functions Telemetry Storage and and retrieval Training Data Base Management & System Administration Data Security Vehicle Simulation Development Environment 16

17 Sample Cost Matrix with DoDI IT Security Costs* 17 * Notional as costs are allocated by the actual relevant controls not the Category

18 Sample Cost Matrix with NIST SP IT Security Costs* 18 * Notional as costs are allocated by the actual relevant controls not the Category

19 TYPICAL STUDY SECURITY CHARTS Security Requirements allocated to Functions 19

20 Typical Security Summary for a Cost Study Security requirements from NIST SP were allocated to Functions Staffing Information Architecture & Processing Software Security requirements were considered by each of these areas Staffing added 1 IT Security position at Customer s request IA&P included server capacity to host identified security tools IA&P included firewalls and guards included to provide required segregation protection Software included effort to augment security functions in COTS products Software included security tools in COTS estimates 20

21 Typical Security Conclusions for a Cost Study Staffing for Security Additional positions may be required to install, implement, and run the large number of security tools identified Information Architecture & Processing for Security Data storage requirements for tool output results not explicitly added but planned capability should be adequate Software Security Security requirements from NIST SP and SRD are numerous and complex; actual assessment of required augmentation can only be completed when COTS mission software product is selected Only security functional requirements were considered in COTS product review, code protections such as user input data validation, error handling, failing safely will need to be addressed in the RFP Security tools identified will require consulting services and process engineering to implement successfully 21

22 BACK UP CHARTS Security Requirements allocated to Functions 22

23 Selection of Security Controls Impacting Staffing Name Baseline Configuration Configuration Change Control Monitoring Configuration Changes Access Restrictions for Change Configuration Settings Least Functionality Information System Component Inventory Information System Recovery and Reconstitution Contingency Plan Alternate Storage Site Alternate Processing Site Telecommunications Services Information System Backup Incident Response Testing and Exercises Access Agreements Vulnerability Scanning Control Text The organization develops, documents, and maintains a current baseline configuration of the information system. The organization authorizes, documents, and controls changes to the information system. The organization monitors changes to the information system conducting security impact analyses to determine the effects of the changes The organization: (i) approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and (ii) generates, retains, and reviews records reflecting all such changes The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent The organization reviews the information system [Assignment: organization-defined frequency], to identify and eliminate unnecessary functions, ports, protocols, and/or services. The organization updates the inventory of information system components as an integral part of component installations. The organization includes a full recovery and reconstitution of the information system as part of contingency plan testing. The organization develops and implements a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or The organization identifies an alternate storage site and initiates necessary agreements to permit the storage of information system backup information. The organization identifies an alternate processing site and initiates necessary agreements to permit the resumption of information system operations for critical mission/business functions within [Assignment: organization-defined time period] when the pr The organization identifies primary and alternate telecommunications services to support the information system and initiates necessary agreements to permit the resumption of system operations for critical mission/business functions within [Assignment: or The organization conducts backups of user-level and system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency] and protects backup information at the storage location. The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the incident r The organization completes appropriate signed access agreements for individuals requiring access to organizational information and information systems before authorizing access and reviews/updates the agreements [Assignment: organization-defined frequency The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned. 23

24 Selection of Security Controls Impacting IA & Processing Name Control Text Supervision and Review Access Control The organization employs automated mechanisms to facilitate the review of user activities Account Management The organization employs automated mechanisms to support the management of information system accounts. Account Management The organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals. Audit Monitoring, Analysis, and Reporting The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities. Audit Monitoring, Analysis, and Reporting The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in Baseline Configuration The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. Configuration Change Control The organization employs automated mechanisms to: (i) document proposed changes to the information system; (ii) notify appropriate approval authorities; (iii) highlight approvals that have not been received in a timely manner; (iv) inhibit change until ne Access Restrictions for Change The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions. Configuration Settings The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings. Information System Component The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and Inventory readily available inventory of information system components. Alternate Storage Site The organization configures the alternate storage site to facilitate timely and effective recovery operations. Alternate Processing Site The organization identifies an alternate processing site and initiates necessary agreements to permit the resumption of information system operations for critical mission/business functions within [Assignment: organization-defined time period] when the pr Alternate Processing Site The organization fully configures the alternate processing site so that it is ready to be used as the operational site supporting a minimum required operational capability. 24

25 Selection of Security Controls Impacting Software Name Concurrent Session Control Session Lock Control Text The information system limits the number of concurrent sessions for any user to [Assignment: organization-defined number of sessions]. The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures. The organization employs automated mechanisms to facilitate the review of user activities Supervision and Review Access Control Account Management The organization employs automated mechanisms to support the management of information system accounts. Account Management The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. Account Management The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. Account Management The organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals. Access Enforcement The information system restricts access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel. Separation of Duties The information system enforces separation of duties through assigned access authorizations. Least Privilege The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks. Unsuccessful Login Attempts The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period] time period. The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period], delays next login prompt according to [Assignment: organizationdefined delay algorithm.]] when the maximum number of unsuccessful attempts is exceeded. Auditable Events The information system provides the capability to compile audit records from multiple components throughout the system into a system wide (logical or physical), time-correlated audit trail. Content of Audit The information system provides the capability to include additional, more detailed information in the audit records for audit events Records identified by type, location, or subject. Content of Audit The information system provides the capability to centrally manage the content of audit records generated by individual components Records throughout the system. Audit Monitoring, The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for Analysis, and Reporting investigation and response to suspicious activities. Audit Monitoring, The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with Analysis, and Reporting security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts]. Audit Reduction and The information system provides the capability to automatically process audit records for events of interest based upon selectable, event Report Generation criteria. 25

26 BACK UP CHARTS Security estimate review based on cost study worksheets 26

27 IA&P Summary Security Servers and Network Equipment Node Functional Design Data Processing Module Master Function List FunctionPerformed PCs Workstations Servers LO MD LO MD DB INP DB INP DB INP DB INP DB INP Network Firewall Guard Mod INP Mod INP Loc1 Data Security Performed Loc2 Data Security Performed Loc3 Data Security Capability Only - Not Staffed Loc4 Data Security Performed Loc5 Data Security Performed Loc6 Data Security Performed Loc7 Data Security Not Performed Loc8 Data Security Capability Only - Not Staffed

28 Processors for Tool Calculations Processin g Domain PCs Workstation s Total WS Total PCs + WS Servers Total Servers Total PCs, WS, Servers Firewalls Loc1 Total New Loc2 Total New Loc3 Total New Loc4 Total New Loc5 Total New Loc6 Total New Loc7 Total New Loc8 Total New

29 Security Tool Cost Estimates Sample Product Identity Management Virus Protection Security Compliance Manager Affected Units Intrusion LAN Segment: Protection System - FW network Intrusion Protection Systemhost Pricing Model Node 1 Node 2 Node 3 Node 4 Node 5 Node 6 Node 7 Node 8 one per program $400k $400,000 $400,000 PC, WS, $50 / CPU $14,100 $14,100 $19,450 $6,450 $27,550 $4,000 $800 $1,500 $87,950 Server Server $100k + $109,800 $109,800 $130,000 $107,400 $130,200 $102,800 $101,800 $101,800 $893,600 $100/CPU $50K + $500/FW Server $50K +$200 / Server $52,500 $52,500 $52,500 $52,500 $51,000 $51,000 $51,000 $51,000 $414,000 $69,600 $69,600 $110,000 $64,800 $110,400 $55,600 $51,600 $53,600 $585,200 Change Manager Node $100K / Node $100,000 $100,000 $100,000 $100,000 $100,000 $100,000 $100,000 $100,000 $800,000 Configuration Manager Node $100K / Node $100,000 $100,000 $100,000 $100,000 $100,000 $100,000 $100,000 $100,000 $800,000 $446,000 $446,000 $511,950 $431,150 $919,150 $413,400 $405,200 $407,900 $3,980,750 $3,980,750 29