FISMA Compliance and the Search for Security. Tim Murray NES Associates February 5, 2008

Transcription

1 FISMA Compliance and the Search for Security Tim Murray NES Associates February 5, 2008

2 Agenda What is FISMA? What do I REALLY have to do? How can technology help my organization meet FISMA requirements

3 Federal Information Security Management Act - FISMA FISMA is also known as: Title III of the E- Government Act of 2002 (PL ) Title 44 Chapter 35 Subchapter III (44 U.S.C ) At the highest level FISMA did the following: Made heads of Federal Agencies responsible for Information Security, can be delegated to CIO, can establish CISO Made DOC/NIST responsible for establishing Federal Info Security Standards with OMB oversight Requires every Federal Agency to establish a security program that complies with those NIST standards Requires Agencies to visibly budget for Info Security Annual Reporting Requirement 3

4 FISMA Requirements that affect us Two MANDATORY Standards FIPS 199 Standards for Security Categorization of Federal Information and Information Systems FIPS 200 Minimum Security Requirements for Federal Information and Information Systems Your Agency may have implemented these in an Agency specific policy (e.g. DODI ) Yeah but what does this really mean? 4

5 FISMA Requirements that affect us (cont.) You have to evaluate your systems to determine the relative importance of the information they contain 5 Assign impact level based on CIA model You must create and enforce IS policies and procedures NIST defines 17 security-related areas You must select security controls in those 17 areas based on impact level and Agency policy Most of us do this via System Security Plan and Assessment thereof

6 FISMA Requirements that affect us (cont.) Requirements Imply Some Important Assumptions That you have an accurate inventory of all of your Information Systems (Clinger-Cohen Act) That Agency/Department management has articulated the: Mission of the Agency/Department The information and systems that are key to meeting that mission That Information Owners are identified and understand their FISMA responsibilities Also implies that they perform resource planning sufficient to meet these requirements 6 That there are Agency/Department Information Security Professionals who understand the requirements and policies and are empowered to enforce them You ve got to be kidding we don t do {some, most, any} of that!!!

7 FISMA OK, so what do I do now? Know make/break activities and make them a priority Identify the truly critical systems and information Key to the operation of the government (i.e. mission critical) Compromise to CIA would cause grave damage or embarrassment (e.g. PII) Focus on determining appropriate controls for those systems and assessing the effectiveness of those controls Know what you don t know Tie Systems inventory to Security Plan database Tim s Track security assessments both quantitatively and qualitatively Keep your management informed especially about the bad news 7 POA&Ms

8 FISMA how can technology help? Tim s The obvious stuff duh CND, IAVM, AV, Remote Access When you have a gaping hole that needs to be fixed now Application security Data loss prevention/encryption When a single product can satisfy multiple security control requirements 8

9 FISMA how can technology help? (cont.) Ensure controls TRULY meet the intent of the requirement not just the letter of the requirement e.g Auditing Configuration Control Tim s Reduce the time and effort required to conduct security assessments and reviews Some things can only be done through technology all other decisions should be ROI based A Security Plan is NOT security controls need to truly be implemented 9

10 FISMA Implementation High Level View NIST SP800-53/DODI Processes and Technology Solutions that implement specific controls 10

11 FISMA how can Imperva technology help? Imperva SecureSphere addresses multiple Security Controls in NIST SP and DODI Provide constant risk assessment and analysis for database and application servers in compliance with FISMA 3544(b) Comply with DISA Database Security Technical Implementation Guides (STIG) Comply with NIST Database Security Readiness Review Checklist Provides automated solutions for continues assessment and access control 11

12 FISMA how can Imperva technology help? NIST SP Control AC-3 ACCESS ENFORCEMENT Imperva SecureSphere Implements Control Helps Meet the Control AC-4 INFORMATION FLOW ENFORCEMENT AC-13 SUPERVISION AND REVIEW ACCESS CONTROL AU-5 RESPONSE TO AUDIT PROCESSING FAILURES AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING AU-7 AUDIT REDUCTION AND REPORT GENERATION AU-8 TIME STAMPS AU-9 PROTECTION OF AUDIT INFORMATION AU-10 NON-REPUDIATION AU-11 AUDIT RECORD RETENTION 12

13 FISMA how can Imperva technology help? NIST SP Control CA-2 SECURITY ASSESSMENTS Imperva SecureSphere Implements Control Helps Meet the Control CA-4 SECURITY CERTIFICATION CA-7 CONTINUOUS MONITORING CM-5 ACCESS RESTRICTIONS FOR CHANGE SC-2 APPLICATION PARTITIONING SC-3 SECURITY FUNCTION ISOLATION SC-7 BOUNDARY PROTECTION SC-14 PUBLIC ACCESS PROTECTIONS SC-23 SESSION AUTHENTICITY SI-4 INFORMATION SYSTEM MONITORING TOOLS AND TECHNIQUES 13

14 FISMA how can Imperva technology help? NIST SP Control SI-6 SECURITY FUNCTIONALITY VERIFICATION Imperva SecureSphere Implements Control Helps Meet the Control SI-9 INFORMATION INPUT RESTRICTIONS SI-10 INFORMATION ACCURACY, COMPLETENESS, VALIDITY, AND AUTHENTICITY SI-12 INFORMATION OUTPUT HANDLING AND RETENTION 14

15 FISMA how can Imperva technology help? DOD Control SECURITY DESIGN AND CONFIGURATION PROCEDURAL REVIEW (DCAR-1) Imperva SecureSphere Implements Control Helps meet Control BEST PRACTICES (DCBP-1) COMPLIANCE TESTING (DCCT-1) MOBILE CODE (DCMC-1) PARTITIONING THE APPLICATION (DCPA-1) PORTS, PROTOCOLS, AND SERVICES (DCPP-1) SOFTWARE QUALITY (DCSQ-1) ACQUISITION STANDARDS (DCAS-1) SPECIFIED ROBUSTNESS MEDIUM (DCSR-2) 15

16 FISMA how can Imperva technology help? DOD Control Enclave and Computing Environment AUDIT TRAIL, MONITORING, ANALYSIS (ECAT-2) Imperva SecureSphere Implements Control Helps meet Control CHANGES TO DATA (ECCD-2) AUDIT REDUCTION AND REPORT (ECRG-1) TRANSMISSION INTEGRITY CONTROLS (ECTM-2) ACCESS FOR NEED-TO-KNOW (ECAN-1) AUDIT RECORD CONTENT (ECAR-2) LOGON (ECLO-1) LEAST PRIVILEGE (ECLP-1) ACCOUNT CONTROL (IAAC-1) 16

17 FISMA how can Imperva technology help? DOD Control Enclave and Computing Environment (cont.) BOUNDARY DEFENSE (EBBD-2) Imperva SecureSphere Implements Control Helps meet Control CONFORMANCE MONITORING AND TESTING (ECMT-1) REMOTE ACCESS TO USERS FUNCTIONS (EBRU-1) Vulnerability and Incident Management VULNERABILITY MANAGEMENT (VIVM-1) SOFTWARE QUALITY (DCSQ-1) 17

18 IMPERVA SecureSphere Presentation - how can SecureSphere satisfy controls Data Identification SP Control CA-7 Continuous Monitoring SP Control CM-4 Monitoring Configuration Changes Profiling and Auditing SP Control SI-9 Information Input Restrictions DODI Control ECCD-2 Changes to Data Information Input Restriction SP Control SI-9 Information Input Restrictions 18

19 Imperva Product Demonstration FISMA Compliance and the Search for Security Webinar February 5, 2008 Joe Lareau Senior Security Engineer, Federal Imperva Inc.

20 The Database Security Life Cycle Assess Test database configuration according to standards Evaluate inherent risks Discover who uses the data and what do they do?

21 Assessment Tests: Where Is Your Data?

22 Who Uses The Data, What Do They Do?

23 The Database Security Life Cycle Assess Test database configuration according to standards Evaluate inherent risks Discover who uses the data and what do they do? Set Policies/Controls Set policies automatically and quickly Keep up with changes Configurable policies and controls based on situation

24 Database Users: Set Policies & Controls

25 The Database Security Life Cycle Assess Test database configuration according to standards Evaluate inherent risks Discover who uses the data and what do they do? Set Policies/Controls Set policies automatically and quickly Keep up with changes Configurable policies and controls based on situation Monitor and Enforce Ensure separation of duties Ensure end user accountability Capture full details Provide security at all layers Alert/block in real-time

26 Monitor and Enforce

27 The Database Security Life Cycle Assess Test database configuration according to standards Evaluate inherent risks Discover who uses the data and what do they do? Set Policies/Controls Set policies automatically and quickly Keep up with changes Configurable policies and controls based on situation Measure Built-in compliance reports Roll-up & drill-down of data Security event analysis Custom reporting Multiple report formats Monitor and Enforce Ensure separation of duties Ensure end user accountability Capture full details Provide security at all layers Alert/block in real-time

28 Measure

29 Achieving Data Security & Compliance Imperva Addresses the Entire Life-Cycle Assess Test database configuration according to standards Evaluate inherent risks Discover who uses the data and what do they do? Measure Built-in compliance reports Roll-up & drill-down of data Security event analysis Custom reporting Multiple report formats Set Policies/Controls Set policies automatically and quickly Keep up with changes Configurable policies and controls based on situation Monitor and Enforce Ensure separation of duties Ensure end user accountability Capture full details Provide security at all layers Alert/block in real-time

30 Information Input Restrictions: What Is Acceptable Data? (Web Application)

31 Information Input Restrictions: What Is Acceptable Data? (Database)

32 Changes To Data: Assessments & Reporting

33 Changes To Data: Application User To The Database User

34 Other Imperva Facts FIPS Certified Encryption March 08 Release DODI control DCNR-1: Non-repudiation NIAP Common Criteria: In-Evaluation IDS/IPS EAL-2 profile 34

35 Wrap-up --- Questions FISMA Compliance and the Search for Security Webinar February 5, 2008

36 Wrap-up FISMA is more than just the Scorecard The key to compliance is a good security program A good security program Applies scarce security resources to the information that needs the most security Has a residual risk management process (e.g. POA&M) that all IT personnel support and use Technology can help your security program Selection should be based on bona-fide requirements using a sound business process 36

37 Wrap-up (cont) Useful Web Resources NIST Computer Security Division NIST FISMA Implementation Project NIST Publications DOD Information Assurance Support Environment (IASE)

38 Contacts Linda Billingsley Director, Federal Sales Tim Murray Managing Partner NES Associates LLC Questions? 38