Information Systems Self-Inspection

Transcription

1 Information Systems Self-Inspection Raytheon 084T3 Regina M. Saunders, FSO, NCS ISSM Copyright 2007 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a trademark of Raytheon Company.

2 Agenda Why and when to self-inspect Who performs the inspection? How to approach a system you have reviewed forever Trusted Download/Sanitization Suggestions on obtaining outside assistance OS and Setting Reviews Making corrections Maintaining compliance Re-inspecting and education Some prior findings across the country Handouts Page 2

3 Why and When to self-inspect Why? Program modifications System modifications New ISSOs/AISSOs New MSSP or Profile Older MSSP or Profile No changes in a long time When? IAW MSSP or SSP filed with DSS/ODAA Security Violation/Discrepancy Odd questions from program or ISSO Have not looked at in a while New contract or security class guide Page 3

4 Why and When to self-inspect (continued) My MSSPs state:» Self-Inspections The ISSM or designee will conduct self-inspections of the IS Program as part of the overall facility self-inspection program. Corrective action shall be taken for all identified findings and vulnerabilities. Selfinspections are to ensure that the IS is operating as accredited and that accreditation conditions have not changed. Self-inspections will be conducted annually. The following events are examples of situations that may warrant additional inspections: 1) a suspected compromise, 2) multiple security violations on the system, or 3) following significant changes in system security requirements. Page 4

5 Why and When to self-inspect (continued) MSSP states Self-Inspections (continued) At a minimum the following will be verified during a self-inspection: Authorized Users and Briefing Records Configuration Management (i.e., is the Profile current and certified?) Automated Auditing logs and Archived Audit Records Procedural Security Features; Manual Logs Hardware and Software baselines Media and Hardware Marking Sanitization System justification User processes Trusted Download activity Deliverable receipt and shipping processes Document Control Review of contract status and contractually imposed security requirements for current compliance Page 5

6 Why and When to self-inspect (continued) Who should perform the self-inspections? ISSOs and AISSOs ISSM and IS Support Staff Offsite ISSMs Must have experience level commensurate with tasking request Who should not perform the self-inspections? System Administrators unless they are assigned as ISSOs or AISSOs Users DSS (as theirs is not considered a self-inspection) ISSOs or AISSOs that could have been involved in the Security breach (if applicable) Page 6

7 How to approach a system you have reviewed forever What is at risk? Hold discussion with the Program Manager on changes to the contract and security classification guide or deliverable (e.g. phase approach). Determine that the SSP/Profile currently approved is still adequate to safeguard classified based on current contract guidance. Review test procedures, including the delivery and receipt of hardware and software. Talk with the calibration team or any support group that assists the program with the classified portion of the contract to determine if their processes have changed. Remember, the support groups do not always consider the procedural changes that may impact your SSP. Interview Engineers and Test Technicians that use the system. Most frequent users to least frequent users Interview software developers on system usage. Page 7

8 How to approach a system you have reviewed forever (continued) Is your SSP/MSSP/Profile being followed? Ask the ISSO or AISSO to demonstrate how they perform the weekly audit. Is anything missing? Ask the ISSO or AISSO to show you the audit logs from a previous month. Remember: We owe DSS 12 months plus one of audits. Do not archive solely on the hard drives - they crash. Protect your archived audit data from compromise. While sitting at the system, let your eyes walk through the room. Watch activities at the doors. Look at media leaving and coming into the area. If the area does not have personnel officed within its walls, ask how the information is coming and going through the area. Look for supporting hardware and software on your SSP. Page 8

9 How to approach a system you have reviewed forever (continued) What s been added/removed? Review Maintenance Logs for nonworking equipment entries. Review calibration stickers for dates. Check the corners and back of closed areas for surplus items. Review the Security Container for new security relevant software and upgrades. Review tamper seal logs and maintenance logs for new seals. Hack your system Are your settings adequate to protect and record? Run Joe User tests. Review area and track cables to switches. Ensure cabling is complete and accurately reflected in configuration diagram. Disconnect or remove cables that go nowhere. Tamper seal unused ports, if applicable. Page 9

10 Trusted Download/Sanitization Two main ways that classified is subject to compromise on a classified system: Trusted Download and Sanitization. What is the deliverable? How does the program prepare the deliverable? Is software involved? What is approved in your plan? Is everyone following procedures? Interview the users in the room that are not paying attention to you and seem to be in a hurry. (You ll be ready when DSS does this.). Letters of Volatility on file? How was the memory decided? How was the sanitization procedure decided? What was the verification process used to ensure the sanitization occurred (where this can be accomplished)? Have the calibration personnel received and signed IS briefing statements on the systems? If not, how are they briefed to the rules of the system? Page 10

11 Suggestions on obtaining off-site inspection support Who should be invited? Security Professionals with matching technical experience, clearances, etc. SAP/SAR for SAP/SAR and Collateral for Collateral Persons that will provide a non-competitive review of your systems Persons that will provide an honest review of the system and users Preference would be to have persons with facilities that are within the same DSS regions as your facility. Preference would be to have persons with facilities that are in the same phase of the ODAA process. Schedule early and coordinate efforts with remainder of Industrial Security Self-Inspection for your facility. Common findings can have procedural issues (e.g. media marking). Page 11

12 OS and Setting Reviews Look out!!!!! Sometimes non-security relevant software that was added can impact audits and settings. BIOS, BIOS, BIOS Adding and removing hardware can reset BIOS (but not the password) Win2K Builds present problems with logoffs. Scripts are available for some builds. Watch your SSP What did you certify in your SIRS/Profile? Is your system performing those functions as approved in your SSP/Profile? Make sure you drill down in your inspection Check all passwords for change and assignment. Managed Switches, BIOS, Administrator, Root, etc. Question recovery process. Review files that provide networking capabilities. e.g. My Network Places, Host/Hosts files Page 12

13 Making Corrections That Stay Corrected Who s process is it anyway? Determine if the SSP/Profile documentation provides adequate instruction. Determine where documented processes collide. After this identification, corrections need to be made on that documentation and approvals sought for the change. Replace, retrain, rebrief and review. When users just won t follow instructions or procedures. Determine if a contractual change has prompted this and review above. Determine if security violations are warranted and if classified was at risk. Security violations also include not following the MSSP/Profile to which they are briefed or have an account. This situation could eventually put classified at risk and is a direct violation to the SF312. Remove access for those not needed. In either case, determine if you will pull accreditation. Better the ISSM do it than DSS. Page 13

14 Maintaining Compliance Re-inspection Start with issue and implement correction. Ensure that everyone using and auditing the system have been briefed to the change. Spot check the system after deployment to make sure things are working. Re-inspect system after a determined period of time (not too soon or too long). Educate Schedule to send briefings or formally present Inspection Preparation briefings that indicate problems and findings, with corrective actions. Include PMs and Process Managers and System Administrators. Create an ISSO/AISSO e-room to hold correction material (scripts, compliance tests, etc.) and include System Administrators. Visit the ISSOs/AISSOs and users as an informal walk through and see how things are working. Page 14

15 Sharing some prior self-inspection findings from across the U.S.A. User accounts without signed briefing statements Unauthorized configuration changes System not in compliance with SIRS/Profile document Maintenance Log not clearly stating changes Poor identification of hardware/software changed, added, removed Media marked properly, but documents printed from media not marked properly Suggestion: If the document is on the IS, destroy additional copies DD254 and Contract was closed and retention period over Closed Area produced sound vulnerability and STU-III had been delivered for classified calls within the closed area Unmarked hardware, cables, media and systems within the authorized area Violations of trusted download procedures Lack of understanding of Security Classification Guide Page 15

16 Handouts Includes: ISSM/Security Personnel checklists (open ended questions) IS and Closed Areas ISSO/AISSO checklists (more closed ended questions) Periodically and shortly before DSS inspections DSS Contractor Self-Inspection Checklist October 2006 Softcopies are available: DSS website under SETA for DSS checklist Send request to for what you need Page 16