Synergies of the Common Criteria with Other Standards
1 Synergies of the Common Criteria with Other Standards
Mark Gauvreau, EWA-Canada
26 September 2007
Presenter: Mark Gauvreau

2 Overview
Purpose
Acknowledgements
Security Standards & References
Common Criteria Body Of Knowledge (CCBoK)
Background Material
3 Purpose
The purpose of this presentation is to:
Discuss the application of synergies in standards-based best practices pertaining to security, in support of implementing departmental/divisional and enterprise-wide security process improvement, management and appraisal;
Assist developers who have implemented CC security processes/procedures for their organization and wish to extend those processes/procedures to include other related and synergistic standards and standards-based best practices pertaining to Information Technology security;
Spread awareness within the CC community of other essential security practices defined by other national and international standards, and encourage their use through the development of a Common Criteria Body of Knowledge (CCBoK), a "How to Do" guide.
4 Acknowledgements
An important reference upon which this presentation is based is the State-of-the-Art Report (SOAR) on Software Security Assurance, 31 July 2007, a joint endeavor of the Information Assurance Technology Analysis Center (IATAC) and the Data and Analysis Center for Software (DACS). The SOAR:
provides an overview of the current state of the environment in which software must operate and surveys current and emerging activities and organizations involved in promoting various aspects of software security assurance;
presents observations about noteworthy trends in software security assurance as a discipline;
represents an output of collaborative efforts of organizations and individuals in the Software Assurance Forum and Working Groups.

5 Acknowledgements (cont'd)
Other important references:
Software Assurance Series: Software Assurance, A Guide to the Common Body of Knowledge to Produce, Acquire, and Sustain Secure Software, September, Version 1, DRAFT, Software Assurance Workforce Education and Training Working Group, US Departments of Homeland Security and Defense
Safety and Security Extensions For Integrated Capability Maturity Models, September
6 Security Standards & References
There are already policies, standards and processes in place to review practices and evaluate products or processes for security:
Common Criteria
Carnegie Mellon Software Engineering Institute's Capability Maturity Model (CMM)
ISO 9000 series
ISO 17799
SAS 70
FISMA
NSTISSP 11
7 Security Standards & References
Some of the other security guides, reports and standards examined for synergies with the CC v3.1 include:
ISO/IEC 21827:2002, Systems Security Engineering Capability Maturity Model
NIST SP, Risk Management Guide for Information Technology Systems
FIPS 140-2, Security Requirements for Cryptographic Modules
general national and international Systems Engineering standards (ISO, IEEE, EIA)

8 Security Standards & References
National Cyber Security Partnership Taskforce Report on Processes to Produce Secure Software [Redwine 2004]
National Cyber Security Partnership, Technical Standards and Common Criteria Task Force, Recommendations Report, April
Safety and Security Extensions for Integrated Capability Maturity Models [Ibrahim et al, 2004]
IEEE Software and Systems Engineering Standards Committee (S2ESC) collection of IEEE standards
ISO/IEC JTC1/SC7 WG9, which redefined its terms of reference to software and system assurance (part of Systems Engineering: System Life Cycle Processes)

9 Security Standards & References
ISO/IEC, to address management of risk and assurance of safety, security and dependability within the context of system and software life cycles [ISO 15026]
National Institute of Standards and Technology (NIST) FISMA Implementation Project
The Common Criteria for evaluating the security of software, including the new version 3.0 issued in July 2005 [CC 2005]
The SafSec effort in the UK, combining concern for safety and security [SafSec Introduction], [SafSec Standard] and [SafSec Guidance]
10 Security Standards & References
International Standard ISO/IEC 17799:2005, Code of Practice for Information Security Management
As a code of practice, it offers guidelines and voluntary directions for information security management. It does not provide enough information to support an in-depth organizational information security review, or to support a certification program like the ISO 9000 process quality certification program. [International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management, Frequently Asked Questions]

11 Security Standards & References
How does ISO/IEC 17799:2005 relate to the Common Criteria for IT Security Evaluation?
ISO/IEC 17799:2005 is a management standard.
The Common Criteria for Information Technology Security Evaluation v3.1 is an evaluation standard; in addition to providing a taxonomy of security functional requirements, it specifies 7 predefined assurance packages (EALs).

12 Security Standards & References
NIST Information Security Documents: Guide to National Institute of Standards and Technology (NIST) Information Security Documents
The Federal Information Processing Standards (FIPS) Publication Series: FIPS 140-2, Security Requirements for Cryptographic Modules. NVLAP-accredited Cryptographic Module Testing (CMT) laboratories perform validation testing of cryptographic modules against the requirements found in the FIPS PUB.
The Special Publication 800-series: NIST SP (Risk Management Guide for Information Technology Systems). This guide describes the risk management methodology, how it fits into each phase of the System Development Life Cycle, and how the risk management process is tied to the process of system authorization (or accreditation).
13 Common Criteria Body of Knowledge (CCBoK)
CCRA, AC CCRA, CC/CEM v3.1, scheme oversight documents, etc.
CEM Annex A (General Evaluation Guidance), Site Visits: Example Checklist
Supplement the above (the "What") with a CCBoK (the "How to Do"), based on the SwA CBK, the Software Security Assurance SOAR, etc.:
[Software Assurance, A Guide to the Common Body of Knowledge to Produce, Acquire, and Sustain Secure Software, September, Version 1.1 DRAFT]
[Information Assurance Technology Analysis Center (IATAC) and Data and Analysis Center for Software (DACS), joint endeavor by IATAC with DACS, Software Security Assurance State-of-the-Art Report (SOAR), July 31, 2007]
DHS Build Security In Website
The motivation for the CCBoK is to improve consistency in evaluations under the CCRA and participating nations' schemes through the issuance of more evaluation guidance.

14 CCBoK: DHS Build Security In Website

15 CCBoK: SwA Common Body of Knowledge

16 CCBoK: SwA Common Body of Knowledge
17 CCBoK: SwA Common Body of Knowledge
PART 1: Introduction
  Section 1 Introduction
PART 2: Security Foundation
  Section 2 Dangers & Damage
  Section 3 Fundamental Concepts & Principles
  Section 4 Ethics, Law & Governance
PART 3: Application to Secure Software
  Section 5 Secure Software Requirements
  Section 6 Secure Software Design
  Section 7 Secure Software Construction
  Section 8 Secure Software Verification, Validation & Evaluation
  Section 9 Secure Software Tools & Methods
  Section 10 Secure Software Processes
  Section 11 Secure Software PM
  Section 12 Secure Software Sustainment
PART 4: Using the SwA CBK

18 CCBoK: SwA Common Body of Knowledge
5 SECURE SOFTWARE REQUIREMENTS
5.1 SCOPE
5.2 REQUIREMENTS FOR A SOLUTION
  Traceability
  Identify Stakeholder Security-related Needs
  Asset Protection Needs
  Threat Analysis
  Interface and Environment Requirements
  Usability Needs
  Reliability Needs
  Availability, Tolerance, and Survivability Needs
  Sustainability (Maintainability) Needs
  Deception Needs
  Validatability, Verifiability, and Evaluatability Needs
  Certification Needs
  System Accreditation and Auditing Needs

19 CCBoK: SwA Common Body of Knowledge
5 SECURE SOFTWARE REQUIREMENTS (cont'd)
5.3 REQUIREMENTS ANALYSES
  Risk Analysis
  Feasibility Analysis
  Tradeoff Analysis
  Analysis of Conflicts among Security Needs
5.4 SPECIFICATION
  Document Assumptions
  Specify Software-related Security Policy
  Security Functionality Requirements
  High-Level Specification
5.5 REQUIREMENTS VALIDATION
5.6 ASSURANCE CASE

20 CCBoK: SwA Common Body of Knowledge
7 SECURE SOFTWARE CONSTRUCTION
7.1 SCOPE
7.2 COMMON VULNERABILITIES
  Buffer Overrun
  Resource Exhaustion
  Operating Environment
  Race Conditions
  Canonical Form
  Violations of Trust
7.3 CONSTRUCTION OF CODE
  Language Selection
  Annotations and Add-ons
  Using Security Principles in Secure Coding
  Coding Standards for Secure Software
  Secure Coding Practices
  Sound Practices
7.4 CONSTRUCTION OF USER AIDS
7.5 SECURE RELEASE
7.6 CONCLUSION
7.7 APPENDIX A. TAXONOMY OF CODING ERRORS

21 CCBoK: SwA Common Body of Knowledge
8 SECURE SOFTWARE VERIFICATION, VALIDATION, AND EVALUATION
8.1 SCOPE
8.2 ASSURANCE CASE
8.3 ENSURE PROPER VERSION
8.4 TESTING
  Test Process
  Test Techniques
8.5 DYNAMIC ANALYSIS
  Simulations
  Prototypes
  Mental Executions
  Dynamic Identification of Assertions and Slices

22 CCBoK: SwA Common Body of Knowledge
8 SECURE SOFTWARE VERIFICATION, VALIDATION, AND EVALUATION (cont'd)
8.6 STATIC ANALYSIS
  Formal Analysis and Verification
  Informal Analysis, Verification, and Validation
8.7 USABILITY ANALYSIS
8.8 VERIFICATION AND VALIDATION OF USER AIDS
8.9 SECURE SOFTWARE MEASUREMENT
8.10 THIRD-PARTY VERIFICATION AND VALIDATION AND EVALUATION
  Independent Verification and Validation
  Software Certification
  System Accreditation
8.11 ASSURANCE FOR TOOLS
8.12 SELECTING AMONG VV&E TECHNIQUES
8.13 FURTHER READING

23 CCBoK: SwA Common Body of Knowledge
9 SECURE SOFTWARE TOOLS AND METHODS
9.1 SCOPE
9.2 FORMAL METHODS
9.3 SEMI-FORMAL METHODS
9.4 COMPILERS
9.5 STATIC ANALYSIS
9.6 DYNAMIC ANALYSIS
9.7 DEVELOPMENT TOOL SUITES
9.8 SELECTING TOOLS
24 CCBoK: Software Security Assurance SOAR
Section 1 Introduction
Section 2 Definitions
Section 3 Why is Software at Risk?
Section 4 Secure Systems Engineering
Section 5 SDLC Processes and Methods and the Security of Software
Section 6 Software Assurance Initiatives, Activities, and Organizations
Section 7 Resources
Section 8 Observations
Appendices

25 CCBoK: Safety and Security Standards
Goal 1. An infrastructure for safety and security is established and maintained.
  Practice 1. Ensure Safety and Security Competency
  Practice 2. Establish Qualified Work Environment
  Practice 3. Ensure Integrity of Safety and Security Information
  Practice 4. Monitor Operations and Report Incidents
  Practice 5. Ensure Business Continuity
Source: INCOSE INSIGHT, April 2007, Special Feature "Standards in Systems Engineering: Harmonization of Safety and Security Standards", Linda Ibrahim. The final report by this author and others, Safety and Security Extensions for Integrated Capability Maturity Models (Federal Aviation Administration, 2004), provides full details about this work.

26 Summary
Purpose
Acknowledgements
Security Standards & References
Common Criteria Body Of Knowledge (CCBoK)
Background Material

27 Questions?
For further information:
28 Background Material
Build Security In (BSI) is a project of the Software Assurance program of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security. The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative.

29 Background Material: Software Assurance Common Body of Knowledge
The Department of Homeland Security (DHS) Software Assurance Program is seeking review and comment on the Common Body of Knowledge for this version (v1.1).
Software Assurance Series: Software Assurance, A Guide to the Common Body of Knowledge to Produce, Acquire, and Sustain Secure Software, September, Version 1.1, DRAFT.
The IEEE International Symposium on Secure Software Engineering and the Software Assurance Forum provide opportunities for additional information in this area.

30 Background Material (SSE-CMM)
The Systems Security Engineering Capability Maturity Model (SSE-CMM) was developed to advance security engineering as a defined, mature, and measurable discipline. Its acceptance as ISO/IEC 21827 makes it the first formal standard of this scale dedicated to security engineering practices.
31 Background Material (SSE-CMM)
The SSE-CMM addresses security engineering activities that span the entire trusted product or secure system life cycle, including concept definition, requirements analysis, design, development, integration, installation, operations, maintenance, and decommissioning.
The SSE-CMM applies to secure product developers, secure system developers and integrators, and organizations that provide security services and security engineering.
For more information, download the SSE-CMM Model Document:

32 Background Material (Safety and Security Extensions for Integrated Capability Maturity Models)
FAA integrated Capability Maturity Model (FAA-iCMM or iCMM) version 2.0 (available at
Capability Maturity Model Integration for Systems Engineering, Software Engineering, Integrated Product and Process Development, and Supplier Sourcing (CMMI-SE/SW/IPPD/SS or CMMI) version 1.1 (available at

33 Background Material (Safety and Security Extensions for Integrated Capability Maturity Models)
Today the need for safe and secure products and services is widely recognized. To be relevant in the global environment, capability maturity models that support process improvement need to include standards-based safety and security practices. Both the CMMI and the iCMM provide process improvement frameworks in which safety and security activities can take place. However, some practices specific to safety and security are not addressed in these models, nor is there sufficient guidance for interpreting the models' practices in a safety and security context.

34 Background Material (Safety and Security Extensions for Integrated Capability Maturity Models)
The FAA approved a project to address both safety and security in the iCMM, and the CMMI Steering Group and CMMI user community have discussed addressing safety and security.
Safety and Security Extensions for Integrated Capability Maturity Models, September

35 Background Material (Safety and Security Extensions for Integrated Capability Maturity Models)
They also selected these four security standards:
ISO/IEC 17799:2000(E) (Information technology: Code of practice for information security management), International Organization for Standardization, first edition
ISO/IEC (Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Requirements), version 2.1, Common Criteria Project Sponsoring Organizations, 1999
ISO/IEC 21827:2002 (Systems Security Engineering Capability Maturity Model), International Organization for Standardization
NIST SP (Risk Management Guide for Information Technology Systems), National Institute of Standards and Technology, Special Publication

36 Background Material (Safety and Security Extensions for Integrated Capability Maturity Models)
Goal 1. An infrastructure for safety and security is established and maintained.
Goal 2. Safety and security risks are identified and managed.
Goal 3. Safety and security requirements are satisfied.
Goal 4. Activities and products are managed to achieve safety and security requirements and objectives.
More informationISO/ IEC (ITSM) Certification Roadmap
ISO/ IEC 20000 (ITSM) Certification Roadmap Rasheed Adegoke June 2013 Outline About First Bank Motivations Definitions ITIL, ISO/IEC 20000 & DIFFERENCES ISO/ IEC 20000 Certification Roadmap First Bank
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT Dell EMC Elastic Cloud Storage v3.2 15 May 2018 383-4-439 V1.0 Government of Canada. This document is the property of the Government of Canada. It shall not be altered,
More informationCritical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.
Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach. By Christopher Ganizani Banda ICT Development Manager Malawi Communications Regulatory Authority 24-26th July,2016 Khartoum,
More informationMitigating Software Supply Chain Risks
Software Assurance: A Strategic Initiative of the U.S. Department of Homeland Security to Promote Integrity, Security, and Reliability in Software Mitigating Software Supply Chain Risks 11 Dec 2008 Joe
More informationDefining the Challenges and Solutions. Resiliency Model. A Holistic Approach to Risk Management. Discussion Outline
Resiliency Model A Holistic Approach to Risk Management Discussion Outline Defining the Challenges and Solutions The Underlying Concepts of Our Approach Outlining the Resiliency Model (RM) Next Steps The
More informationInformation Technology Branch Organization of Cyber Security Technical Standard
Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:
More informationCertification Report
Certification Report McAfee File and Removable Media Protection 4.3.1 and epolicy Orchestrator 5.1.2 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationOrganization of Scientific Area Committees for Forensic Science (OSAC)
Stetson University College of Law Essentials in Forensic Science and the Law Webinar Series Organization of Scientific Area Committees for Forensic Science (OSAC) Mark D. Stolorow Director for OSAC Affairs
More informationCertification Report
Certification Report Standard Edition v2.8.2 RELEASE Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of
More informationFederal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011
Federal Continuous Monitoring Working Group March 21, 2011 DOJ Cybersecurity Conference 2/8/2011 4/12/2011 Why Continuous Monitoring? Case for Change Strategy Future State Current State Current State Case
More informationCertification Exam Outline Effective Date: September 2013
Certification Exam Outline Effective Date: September 2013 About CAP The Certified Authorization Professional (CAP) is an information security practitioner who champions system security commensurate with
More informationOverview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 PPD-21: CI Security and Resilience On February 12, 2013, President Obama signed Presidential Policy Directive
More informationJoint Federated Assurance Center (JFAC): 2018 Update. What Is the JFAC?
21 st Annual National Defense Industrial Association Systems and Mission Engineering Conference Joint Federated Assurance Center (JFAC): 2018 Update Thomas Hurt Office of the Under Secretary of Defense
More informationCMMI Version 1.2. Josh Silverman Northrop Grumman
CMMI Version 1.2 Josh Silverman Northrop Grumman Topics The Concept of Maturity: Why CMMI? CMMI Overview/Aspects Version 1.2 Changes Sunsetting of Version 1.1 Training Summary The Concept of Maturity:
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Blue Ridge Networks BorderGuard Centrally Managed Embedded PKI Virtual Private Network (VPN)
More informationSummary of Contents LIST OF FIGURES LIST OF TABLES
Summary of Contents LIST OF FIGURES LIST OF TABLES PREFACE xvii xix xxi PART 1 BACKGROUND Chapter 1. Introduction 3 Chapter 2. Standards-Makers 21 Chapter 3. Principles of the S2ESC Collection 45 Chapter
More informationISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006
ISO / IEC 27001:2005 A brief introduction Dimitris Petropoulos Managing Director ENCODE Middle East September 2006 Information Information is an asset which, like other important business assets, has value
More informationFISMAand the Risk Management Framework
FISMAand the Risk Management Framework The New Practice of Federal Cyber Security Stephen D. Gantz Daniel R. Phi I pott Darren Windham, Technical Editor ^jm* ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT VMware Horizon 6 version 6.2.2 and Horizon Client 3.5.2 12 August 2016 v1.0 File Number 383-4-356 Government of Canada. This document is the property of the Government
More informationThe NIST Cybersecurity Framework
The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce
More informationCertification Report
Certification Report Security Intelligence Platform 4.0.5 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT HP Service Manager v9.41 Patch 3 383-4-395 17 February 2017 v1.0 Government of Canada. This document is the property of the Government of Canada. It shall not be altered,
More informationUpdates to the NIST Cybersecurity Framework
Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity
More informationInformation Systems and Tech (IST)
Information Systems and Tech (IST) 1 Information Systems and Tech (IST) Courses IST 101. Introduction to Information Technology. 4 Introduction to information technology concepts and skills. Survey of
More informationCertification Report
Certification Report EMC Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,
More informationData Security Standards
Data Security Standards Overall guide The bigger picture of where the standards fit in 2018 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a
More informationProtecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations
Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development
More informationFour Deadly Traps of Using Frameworks NIST Examples
Four Deadly Traps of Using Frameworks NIST 800-53 Examples ISACA Feb. 2015 Meeting Doug Landoll dlandoll@lantego.com (512) 633-8405 Session Agenda Framework Definition & Uses NIST 800-53 Framework Intro
More informationProcedure for Network and Network-related devices
Lloyd s Register Type Approval System Type Approval Requirements for components within Cyber Enabled Systems on board Ships Procedure for Network and Network-related devices September 2017 1 Reference:
More informationPIPELINE SECURITY An Overview of TSA Programs
PIPELINE SECURITY An Overview of TSA Programs Jack Fox Pipeline Industry Engagement Manager Surface Division Office of Security Policy & Industry Engagement May 5, 2014 TSA and Pipeline Security As the
More information