MIS Week 9 Host Hardening
- Allen Townsend
- 5 years ago
1 MIS 5214 Week 9 Host Hardening
2 Agenda
- NIST Risk Management Framework: a quick review
- Implementing controls: host hardening
  - Security configuration checklist (with the DISA STIG Viewer)
- NIST Ar4: how controls are assessed
- SCAP - Security Content Automation Protocol
- FedRAMP System Security Plan's Section 13: a controls deep dive
  - Identity and Authentication controls assessment questions
- Team Project - SSP drafts
3 NIST Risk Management Framework
9 A security configuration checklist is a document containing instructions or procedures for:
- Configuring an information technology (IT) product to an operational environment
- Verifying that the product has been configured properly
- Identifying unauthorized changes to the product
Checklists can help you:
- Minimize the attack surface
- Reduce vulnerabilities
- Lessen the impact of successful attacks
- Identify changes that might otherwise go undetected
10 Security Technical Implementation Guides (STIGs)
The Defense Information Systems Agency (DISA) creates configuration documents and implementation guidelines which include recommended information security administrative processes that span an application system's lifecycle.
DISA's Security Technical Implementation Guides (STIGs) help standardize:
- Secure installations of computer software and hardware
- Security maintenance of computer software and hardware
- Information security audits to analyze risk and identify configuration vulnerabilities
11 Security Technical Implementation Guides (STIGs)
STIGs contain technical guidance to harden and "lock down" information systems and software that might otherwise be vulnerable to a malicious computer attack.
12 Downloading the STIG Viewer
13 Launching the STIG Viewer
14 The STIG Viewer
15 SRG-STIG Library
- SRG = Security Requirements Guide
- STIG = Security Technical Implementation Guide
- FOUO = For Official Use Only
18 Severity Category Code (CAT) Levels
Classification of computer and network configuration settings. The DISA STIG assigns a Severity Code to each system IA security weakness to indicate the risk level associated with the IA security weakness and the urgency with which the corrective action must be completed.
- CAT I: assigned to findings that allow primary security protections to be bypassed, allowing immediate access by unauthorized personnel or unauthorized assumption of super-user privileges. CAT I weaknesses must be corrected before an Authorization to Operate (ATO) is granted.
- CAT II: assigned to findings that have a potential to lead to unauthorized system access or activity. CAT II findings shall be corrected or satisfactorily mitigated before an Authorization to Operate will be granted. A system with a CAT II weakness can be granted an ATO only when there is clear evidence that the CAT II weakness can be corrected or satisfactorily mitigated within 180 days of the accreditation decision.
- CAT III: assigned to recommendations that will improve IA posture but are not required for an authorization to operate.
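The two slides above describe what a checklist does (compare expected settings with the actual configuration and flag drift) and how DISA's CAT levels gate an ATO. The following script, added here as an example and not part of the lecture material, ties the two together: it parses a constructed sshd_config, compares it with a small checklist, tags each finding with a CAT level and applies the slide's ATO rule. The rule ids (CHK-nnn), titles and expected values are assumptions made for this illustration, not real STIG rule identifiers.

```python
"""Checklist verification with STIG-style severity gating.

Added example, not from the lecture slides: parse a constructed sshd_config,
compare it against an expected-settings checklist, tag each finding with a
CAT I/II/III severity, and apply the ATO gating rule stated on the slide.
Rule ids (CHK-nnn), titles and expected values are assumptions made for this
illustration, not real STIG rule identifiers.
"""
from dataclasses import dataclass

# Constructed sample: an sshd_config as it might be found on a scanned host.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
Banner none
"""

CAT_LABEL = {1: "CAT I", 2: "CAT II", 3: "CAT III"}


@dataclass(frozen=True)
class Check:
    rule_id: str    # hypothetical identifier, not a real STIG rule id
    keyword: str    # sshd_config keyword to inspect
    expected: str   # value the checklist requires
    cat: int        # severity: 1 = CAT I, 2 = CAT II, 3 = CAT III
    title: str


# The checklist: required settings, each with an assigned severity category.
CHECKLIST = (
    Check("CHK-001", "PermitRootLogin", "no", 1, "Direct root login over SSH must be disabled"),
    Check("CHK-002", "PermitEmptyPasswords", "no", 1, "Empty passwords must not be accepted"),
    Check("CHK-003", "PasswordAuthentication", "no", 2, "Key-based authentication must be enforced"),
    Check("CHK-004", "X11Forwarding", "no", 2, "X11 forwarding must be disabled"),
    Check("CHK-005", "Banner", "/etc/issue", 3, "A logon banner should be displayed"),
)


def parse_sshd_config(text):
    """Return {keyword (lower-case): value}. sshd keywords are case-insensitive
    and, when a keyword is repeated, the first occurrence is the one sshd uses."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value: nothing to compare
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def run_checklist(settings, checklist=CHECKLIST):
    """Compare actual settings with the checklist and return (check, actual)
    pairs for every mismatch. A missing keyword is a finding too, because the
    checklist expects an explicit value rather than a compiled-in default."""
    findings = []
    for chk in checklist:
        actual = settings.get(chk.keyword.lower())
        if actual is None or actual.lower() != chk.expected.lower():
            findings.append((chk, actual))
    return findings


def count_by_category(findings):
    """Number of open findings per CAT level."""
    counts = {1: 0, 2: 0, 3: 0}
    for chk, _ in findings:
        counts[chk.cat] += 1
    return counts


def ato_decision(findings, mitigation_evidence=frozenset()):
    """Apply the slide's gating rule. An open CAT I blocks the ATO. An open
    CAT II blocks it unless there is evidence it can be corrected or mitigated
    within 180 days (modelled here as rule ids listed in mitigation_evidence).
    CAT III never blocks. Returns (ato_ok, blocking_rule_ids)."""
    blocking = []
    for chk, _ in findings:
        if chk.cat == 1 or (chk.cat == 2 and chk.rule_id not in mitigation_evidence):
            blocking.append(chk.rule_id)
    return len(blocking) == 0, sorted(blocking)


if __name__ == "__main__":
    found = run_checklist(parse_sshd_config(SAMPLE_SSHD_CONFIG))
    for chk, actual in found:
        print(f"{CAT_LABEL[chk.cat]:8} {chk.rule_id} {chk.keyword}={actual!r} "
              f"(expected {chk.expected!r}): {chk.title}")
    ok, blocking = ato_decision(found)
    print("ATO possible:", ok, "blocking:", blocking)
```

Running it against the sample lists four findings (one CAT I, two CAT II, one CAT III) and reports that the ATO is blocked by the CAT I and the two CAT II items; pass the CAT II rule ids in `mitigation_evidence` to model the 180-day exception.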
24 STIG Guidance
27 The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. CCI bridges the gap between high-level policy expressions and low-level technical implementations.
28 Which controls aid in Host Hardening?
30 NIST Risk Management Framework
32 Assessment Methods
Three assessment methods can be used by assessors during security and privacy control assessments:
1. Examine
2. Interview
3. Test
33 Assessment Methods
Three assessment methods can be used by assessors during security and privacy control assessments: Examine, Interview, Test.
Budget and schedule determine the depth and coverage (breadth) of the assessment.
- Depth: 1. Basic 2. Focused 3. Comprehensive
- Coverage (breadth): 1. Basic 2. Focused 3. Comprehensive
34 Examine security and privacy controls
Definition: the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects. Facilitates understanding, achieves clarification, or obtains evidence. Results are used to support determining security and privacy control:
- Existence
- Functionality
- Correctness
- Completeness
- Potential for improvement over time
35 Examine security and privacy controls
Assessment objects:
1. Specifications: policies, plans, procedures, system requirements, and designs
2. Mechanisms: functionality implemented in hardware, software or firmware
3. Activities: system operations, administration, management, and exercises
36 Examine security and privacy controls
Supplemental guidance: typical assessor actions may include, for example:
- Reviewing information security policies, plans, and procedures
- Analyzing system design documentation and interface specifications
- Observing system backup operations
- Reviewing the results of contingency plan exercises
- Observing incident response activities
- Studying technical manuals and user/administration guides
- Checking, studying or observing the operation of an information technology mechanism in the information system hardware/software
- Checking, studying, or observing physical security measures related to the operation of an information system
37 Interview security and privacy controls
Assessment objects:
1. Individuals
2. Groups of individuals
Definition: the process of conducting discussions with individuals or groups within an organization. Facilitates understanding, achieves clarification, or leads to the location of evidence. Results are used to determine security and privacy control:
- Existence
- Functionality
- Correctness
- Completeness
- Potential for improvement over time
38 Examine Attributes: Depth, Coverage
Depth: addresses the rigor and level of detail in the examination process.
- 3 Depths: 1. Basic examination 2. Focused examination 3. Comprehensive examination
- 3 Coverages: 1. Basic examination 2. Focused examination 3. Comprehensive examination
39 Examine Attributes: Depth, Coverage
Depth: addresses the rigor and level of detail in the examination process.
1. Basic examination
- Provides understanding of security and privacy controls
- Determines whether controls are implemented and free of obvious errors
- Consists of high-level reviews, checks, observations, or inspections using a limited body of evidence or documentation
- E.g. functional-level descriptions for mechanisms; high-level process descriptions for activities; actual documents for specifications
40 Examine Attributes: Depth, Coverage
Depth: addresses the rigor and level of detail in the examination process.
2. Focused examination
- Provides understanding of security and privacy controls
- Determines whether controls are implemented and free of obvious errors
- Determines whether there are increased grounds for confidence that controls are implemented correctly and operating as intended
- Consists of high-level reviews, checks, observations, or inspections and more in-depth studies/analyses
- Conducted using a substantial body of evidence or documentation, e.g. functional-level descriptions and high-level design information for mechanisms; high-level process descriptions and implementation procedures for activities; and actual specification documents
41 Examine Attributes: Depth, Coverage
Depth: addresses the rigor and level of detail in the examination process.
3. Comprehensive examination
- Provides understanding of security and privacy controls
- Determines whether controls are implemented and free of obvious errors
- Determines whether there are further increased grounds for confidence that controls are implemented correctly and operating as intended on an ongoing and consistent basis
- Determines that there is support for continuous improvement in the effectiveness of the controls
- Consists of high-level reviews, checks, observations, or inspections and more in-depth, detailed, and thorough studies/analyses
- Conducted using an extensive body of evidence or documentation, e.g. functional-level descriptions, high-level design information, low-level design information and implementation information for mechanisms; high-level process descriptions and detailed implementation procedures for activities; and specification documents
42 Examine Attributes: Depth, Coverage
Coverage: addresses the scope or breadth of the examination process and includes the types of assessment objects to be examined, the number of objects to be examined by type, and the specific objects to be examined. The organization considers a variety of factors (e.g. available resources, importance of the assessment, overall goals and objectives of the assessment), confers with assessors, and provides direction on the type, number, and specific objects to be examined for the particular level of coverage desired.
1. Basic examination
- Uses a representative sample of assessment objects (by type and number within type) to provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors
43 Examine Attributes: Depth, Coverage
Coverage: addresses the scope or breadth of the examination and includes the types of assessment objects to be examined, the number of objects to be examined by type, and the specific objects to be examined.
2. Focused examination
- Uses a representative sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective
- Provides a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors, and whether there are increased grounds for confidence that controls are implemented correctly and operating as intended
44 Examine Attributes: Depth, Coverage
Coverage: addresses the scope or breadth of the examination process and includes the types of assessment objects to be examined, the number of objects to be examined by type, and the specific objects to be examined.
3. Comprehensive examination
- Uses a sufficiently large sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective
- Provides a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors
- Determines whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis
- Determines whether there is support for continuous improvement in the effectiveness of the controls
46 Interview security and privacy controls
Supplemental guidance: typical assessor actions may include, for example, interviewing agency heads, chief information officers, senior agency information security officers, authorizing officials, information owners, information system and mission owners, information system security officers, information system security managers, personnel officers, human resource managers, facilities managers, training officers, information system operators, network and system administrators, site managers, physical security officers, and users.
47 Interview Attributes: Depth, Coverage
Depth: addresses the rigor and level of detail in the interview process.
- 3 Depths: 1. Basic interview 2. Focused interview 3. Comprehensive interview
- 3 Coverages: 1. Basic interview 2. Focused interview 3. Comprehensive interview
48 Interview Attributes: Depth, Coverage
Depth: addresses the rigor and level of detail in the interview process.
1. Basic interview
- Consists of broad-based, high-level discussions with individuals or groups of individuals
- Conducted using a set of generalized, high-level questions
- Provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors
49 Interview Attributes: Depth, Coverage
Depth: addresses the rigor and level of detail in the interview process.
2. Focused interview
- Consists of broad-based, high-level discussions and more in-depth discussions in specific areas with individuals or groups of individuals
- Conducted using a set of generalized, high-level questions and more in-depth questions in specific areas where responses indicate a need for more in-depth investigation
- Provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors, and whether there are increased grounds for confidence that the controls are implemented correctly and operating as intended
50 Interview Attributes: Depth, Coverage
Depth: addresses the rigor and level of detail in the interview process.
3. Comprehensive interview
- Consists of broad-based, high-level discussions and more in-depth, probing discussions in specific areas with individuals or groups of individuals
- Conducted using a set of generalized, high-level questions and more in-depth, probing questions in specific areas where responses indicate a need for more in-depth investigation
- Provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors, whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and whether there is support for continuous improvement in the effectiveness of the controls
51 Interview Attributes: Depth, Coverage
Coverage: addresses the scope or breadth of the interview process and includes the types of individuals to be interviewed (by organizational role and associated responsibility), the number of individuals to be interviewed (by type), and the specific individuals to be interviewed. The organization, considering a variety of factors (e.g. available resources, importance of the assessment, the organization's overall assessment goals and objectives), confers with assessors and provides direction on the type, number, and specific individuals to be interviewed for the particular attribute value described.
- 3 Levels of Coverage: 1. Basic interview 2. Focused interview 3. Comprehensive interview
52 Interview Attributes: Depth, Coverage
Coverage: addresses the scope or breadth of the interview process and includes the types of individuals to be interviewed (by organizational role and associated responsibility), the number of individuals to be interviewed (by type), and the specific individuals to be interviewed.
1. Basic interview
- Uses a representative sample of individuals in key organizational roles to provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors
53 Interview Attributes: Depth, Coverage
Coverage: addresses the scope or breadth of the interview process.
2. Focused interview
- Uses a representative sample of individuals in key organizational roles and other specific individuals deemed particularly important to achieving the assessment objective
- Provides a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors, and whether there are increased grounds for confidence that the controls are implemented correctly and operating as intended
54 Interview Attributes: Depth, Coverage
Coverage: addresses the scope and breadth of the interview process.
3. Comprehensive interview
- Uses a sufficiently large sample of individuals in key organizational roles and other specific individuals deemed particularly important to achieving the assessment objective
- Provides a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors, whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and whether there is support for continuous improvement in the effectiveness of the controls
56 Test security and privacy controls
Assessment objects:
1. Mechanisms (e.g. hardware, software, firmware)
2. Activities (e.g. system operations, administration, management; exercises)
Definition: the process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior, the results of which are used to support the determination of security and privacy control existence, functionality, correctness, completeness, and potential for improvement over time. Testing is typically used to determine if mechanisms or activities meet a set of predefined specifications. Testing can also be performed to determine characteristics of a security or privacy control that are not commonly associated with predefined specifications (e.g. penetration testing).
57 Test security and privacy controls
Supplemental guidance: typical assessor actions may include, for example:
- Testing access control, identification and authentication, and audit mechanisms
- Testing security configuration settings
- Testing physical access control devices
- Conducting penetration testing of key information system components
- Testing information system backup operations
- Testing incident response capability
- Exercising contingency planning capability
58 Test Attributes: Depth, Coverage
Depth: addresses the types of testing to be conducted.
- 3 Depths of testing: 1. Basic testing 2. Focused testing 3. Comprehensive testing
- 3 Coverages: 1. Basic testing 2. Focused testing 3. Comprehensive testing
59 Test Attributes: Depth, Coverage
Depth: addresses the types of testing to be conducted.
1. Basic testing
- Test methodology (also known as black box testing) that assumes no knowledge of the internal structure and implementation detail of the assessment object
- Conducted using a functional specification for mechanisms and a high-level process description for activities
- Provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors
60 Test Attributes: Depth, Coverage
Depth: addresses the types of testing to be conducted.
2. Focused testing
- Test methodology (gray box testing) that assumes some knowledge of the internal structure and implementation detail of the assessment object
- Conducted using a functional specification and limited system architectural information (e.g. high-level design) for mechanisms, and a high-level process description and high-level description of integration into the operational environment for activities
- Determines whether controls are implemented and free of obvious errors
- Determines whether controls are implemented correctly and operating as intended
61 Test Attributes: Depth, Coverage
Depth: addresses the types of testing to be conducted.
3. Comprehensive testing
- Test methodology (also known as white box testing) based on explicit and substantial knowledge of the internal structure and implementation detail of the assessment object
- Conducted using a functional specification, extensive system architecture information (e.g. high-level design, low-level design) and implementation representation (e.g. source code, schematics) for mechanisms, and a high-level process description and detailed description of integration into the operational environment for activities
- Determines whether controls are implemented and free of obvious errors
- Determines whether controls are implemented correctly and operating as intended on an ongoing and consistent basis
- Determines whether there is support for continuous improvement in the effectiveness of the controls
62 Test Attributes: Depth, Coverage
Coverage: addresses the scope or breadth of the testing process and includes:
- Types of assessment objects to be tested
- Number of objects to be tested (by type)
- Specific objects to be tested
3 coverage levels for testing: 1. Basic testing 2. Focused testing 3. Comprehensive testing
63 Test Attributes: Depth, Coverage
1. Basic testing
- Uses a representative sample of assessment objects (by type and number within type)
- Provides a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors
64 Test Attributes: Depth, Coverage
2. Focused testing
- Uses a representative sample of assessment objects (by type and number within type)
- Tests other specific assessment objects deemed particularly important to achieving the assessment objective
- Determines whether security and privacy controls are implemented and free of obvious errors
- Determines whether there are increased grounds for confidence that the controls are implemented correctly and operating as intended
65 Test Attributes: Depth, Coverage
Coverage: addresses the scope or breadth of the testing process and includes the types of assessment objects to be tested, the number of objects to be tested (by type), and the specific objects to be tested.
3. Comprehensive testing
- Uses a sufficiently large sample of assessment objects (by type and number within type)
- Uses other specific assessment objects deemed particularly important to achieving the assessment objective
- Determines whether the security and privacy controls are implemented and free of obvious errors
- Determines whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis
- Determines whether there is support for continuous improvement in the effectiveness of the controls
67 SCAP (Security Content Automation Protocol), pronounced "ess-cap"
Purpose: used for continuously monitoring deployed computer systems and applications for detectable vulnerabilities, and for assuring that they incorporate security upgrades to software (patches) and deploy updates to configurations.
- SCAP is based on a number of open standards, widely used to enumerate software flaws and configuration issues related to security
- The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP
- Vendors can get their computer system configuration scanner product validated against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way
- Validated tools automate collection of the assessment objects used in Examine, Inspect and Test activities
68 Examine: SCAP (Security Content Automation Protocol) validated tools may be used to automate collection of assessment objects
Common SCAP uses:
- Security configuration verification
  - Compare settings in a checklist to a system's actual configuration
  - Verify configuration before deployment; audit, assess and monitor operational systems
  - Map individual settings to high-level requirements (requirements traceability)
- Verifying patch installation and identifying missing patches
- Checking systems for signs of compromise: known characteristics of attacks, such as altered files or the presence of a malicious service
70 SCAP Compliance Scan Results
71 SCAP: Individual compliance check result for scanned host
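A SCAP-validated scanner reports each compliance check as a rule-result inside an XCCDF TestResult, which is what the two result slides above show. The script below, added here as an example and not from the slides or any scanner vendor, parses a constructed miniature of such a result with the standard library, maps XCCDF severities to the CAT levels the way DISA benchmarks do, and produces the per-host summary an assessor would want: counts per severity, a compliance score, and the open findings ordered most severe first. The benchmark, rule and target names in the sample are invented placeholders, not identifiers from a real STIG benchmark.

```python
"""Summarize an XCCDF 1.2 TestResult, the result format SCAP-validated
configuration scanners emit.

Added example, not from the slides or any scanner vendor. The XML below is a
constructed miniature of a scan result; benchmark, rule and target names are
invented placeholders, not identifiers from a real STIG benchmark.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample: a Benchmark carrying its rules and one TestResult for a host.
SAMPLE_RESULT = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <Rule id="xccdf_example_rule_root_login" severity="high"><title>Disable SSH root login</title></Rule>
  <Rule id="xccdf_example_rule_empty_pw" severity="high"><title>Reject empty passwords</title></Rule>
  <Rule id="xccdf_example_rule_x11" severity="medium"><title>Disable X11 forwarding</title></Rule>
  <Rule id="xccdf_example_rule_sshd_patch" severity="medium"><title>sshd at patched version</title></Rule>
  <Rule id="xccdf_example_rule_banner" severity="low"><title>Display logon banner</title></Rule>
  <TestResult id="xccdf_example_testresult_1" start-time="2020-01-01T00:00:00" end-time="2020-01-01T00:05:00">
    <target>host01.example.test</target>
    <rule-result idref="xccdf_example_rule_root_login" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_empty_pw" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_x11" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_sshd_patch" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_banner" severity="low"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

# XCCDF severity -> STIG CAT level, as used in DISA benchmarks.
CAT_FOR_SEVERITY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}


def _tag(name):
    return "{%s}%s" % (XCCDF_NS, name)


def load_results(xml_text):
    """Return one dict per rule-result: rule id, title, severity, CAT and result.
    The severity on the rule-result wins; the Rule's own severity is the fallback."""
    root = ET.fromstring(xml_text)
    rules = {r.get("id"): r for r in root.iter(_tag("Rule"))}
    rows = []
    for rr in root.iter(_tag("rule-result")):
        rule = rules.get(rr.get("idref"))
        severity = rr.get("severity") or (rule.get("severity", "unknown") if rule is not None else "unknown")
        title = rule.findtext("x:title", default="", namespaces=NS) if rule is not None else ""
        rows.append({
            "rule_id": rr.get("idref"),
            "title": title,
            "severity": severity,
            "cat": CAT_FOR_SEVERITY.get(severity, "n/a"),
            "result": rr.findtext("x:result", default="unknown", namespaces=NS),
        })
    return rows


def summarize(rows):
    """Count results per severity, e.g. {"high": {"pass": 1, "fail": 1}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in rows:
        counts[r["severity"]][r["result"]] += 1
    return {sev: dict(c) for sev, c in counts.items()}


def compliance_score(rows):
    """Share of applicable checks that passed. 'pass' and 'fixed' count as passed
    and 'fail' as failed; notapplicable, notchecked, notselected, informational and
    error results are excluded. This is this example's convention, not the
    default XCCDF scoring model."""
    passed = sum(r["result"] in ("pass", "fixed") for r in rows)
    failed = sum(r["result"] == "fail" for r in rows)
    return passed / (passed + failed) if passed + failed else 1.0


def open_findings(rows):
    """Failed checks, most severe first: the input to a POA&M and the ATO discussion."""
    fails = [r for r in rows if r["result"] == "fail"]
    return sorted(fails, key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["rule_id"]))


if __name__ == "__main__":
    rows = load_results(SAMPLE_RESULT)
    print("summary:", summarize(rows))
    print("compliance: %.0f%%" % (100 * compliance_score(rows)))
    for f in open_findings(rows):
        print(f"{f['cat']:8} {f['rule_id']}: {f['title']}")
```

For a real scan output, read the file with `ET.parse(path).getroot()` in place of `ET.fromstring`; the rest is unchanged, because validated scanners all emit the same rule-result structure, which is exactly the interoperability point the slides make.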
72 SCAP (Security Content Automation Protocol) validated tools may be used to automate collection of assessment objects
- National Vulnerability Database (NVD)
- National Checklist Program (NCP)
- NIST SP , Guide to Adopting and Using SCAP
- NIST SP r2, The Technical Specification for SCAP
- NIST SP r2, National Checklist Program for IT Products
More documentation and tools:
73 DISA STIG Tool + SCAP Tool
75 SSP Table of Contents
1 INFORMATION SYSTEM NAME/TITLE
2 INFORMATION SYSTEM CATEGORIZATION
  2.1 Information Types
  2.2 Security Objectives Categorization (FIPS 199)
  2.3 E-Authentication Determination
3 INFORMATION SYSTEM OWNER
4 AUTHORIZING OFFICIAL
5 OTHER DESIGNATED CONTACTS
6 ASSIGNMENT OF SECURITY RESPONSIBILITY
7 INFORMATION SYSTEM OPERATIONAL STATUS
8 INFORMATION SYSTEM TYPE
  8.1 Cloud Service Models
  8.2 Cloud Deployment Models
  8.3 Leveraged Authorizations
9 GENERAL SYSTEM DESCRIPTION
  9.1 System Function or Purpose
  9.2 Information System Components and Boundaries
  9.3 Types of Users
  9.4 Network Architecture
10 SYSTEM ENVIRONMENT AND INVENTORY
  10.1 Data Flow
  10.2 Ports, Protocols and Services
11 SYSTEM INTERCONNECTIONS
12 LAWS, REGULATIONS, STANDARDS AND GUIDANCE
  12.1 Applicable Laws and Regulations
  12.2 Applicable Standards and Guidance
13 MINIMUM SECURITY CONTROLS
14 ACRONYMS
15 ATTACHMENTS
  ATTACHMENT 1 - Information Security Policies and Procedures
  ATTACHMENT 2 - User Guide
  ATTACHMENT 3 - E-Authentication Worksheet: Introduction and Purpose; Information System Name/Title; E-Authentication Level Definitions; Review Maximum Potential Impact Levels; E-Authentication Level Selection
  ATTACHMENT 4 - PTA / PIA: Privacy Overview and Point of Contact (POC); Applicable Laws and Regulations; Applicable Standards and Guidance; Personally Identifiable Information (PII); Privacy Threshold Analysis; Qualifying Questions; Designation
  ATTACHMENT 5 - Rules of Behavior
  ATTACHMENT 6 - Information System Contingency Plan
  ATTACHMENT 7 - Configuration Management Plan
  ATTACHMENT 8 - Incident Response Plan
  ATTACHMENT 9 - CIS Report and Worksheet
  ATTACHMENT 10 - FIPS 199: Introduction and Purpose; Scope; System Description; Methodology
  ATTACHMENT 11 - Separation of Duties Matrix
  ATTACHMENT 12 - FedRAMP Laws and Regulations
  ATTACHMENT 13 - FedRAMP Inventory Workbook
76 Back to our SSP's Technical Controls: Section 13
77 Technical Controls
78 Identification and Authentication (IA) Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
79 Identification and Authentication (IA)
80 IA-1 Identification and Authentication Policy and Procedures
Control: The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
   1. Identification and authentication policy [Assignment: organization-defined frequency]; and
   2. Identification and authentication procedures [Assignment: organization-defined frequency].
82 IA-1 Identification and Authentication Policy and Procedures
83 Identification and Authentication (IA)
84 IA-2 Identification and Authentication (Organizational Users)
Control: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
85 IA-2 Identification and Authentication SSP
86 Identity Assurance
88 Authenticator Assurance
AAL = Authenticator Assurance Level
- AAL1 = 1 factor
- AAL2 = 2 factors
- AAL3 = 2 factors, including a hardware-based authenticator and an authenticator that provides verifier impersonation resistance
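The AAL slide gives three rules, and the useful exercise for an IA-2 assessment is applying them to an actual set of authenticators and seeing what is missing for the next level. The function below does that; it is an added example, not from the slides, and it implements only the three rules the slide states (SP 800-63B attaches further conditions to each AAL that are deliberately not modelled here). The sample authenticators are constructed for illustration.

```python
"""Work out which Authenticator Assurance Level (AAL) a set of authenticators
reaches, using only the three rules stated on the slide: AAL1 = 1 factor,
AAL2 = 2 factors, AAL3 = 2 factors with a hardware-based authenticator and an
authenticator that provides verifier impersonation resistance.

Added example, not from the slides. SP 800-63B attaches further conditions to
each AAL (reauthentication intervals, approved cryptography, and so on) that
this simplified model does not check. The sample authenticators are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    name: str
    factors: frozenset                              # subset of {"know", "have", "are"}
    hardware_based: bool = False                    # secret held in a hardware device
    verifier_impersonation_resistant: bool = False  # e.g. authentication bound to the verifier's TLS channel


# Constructed sample authenticators.
PASSWORD = Authenticator("memorized secret", frozenset({"know"}))
TOTP_APP = Authenticator("software OTP app", frozenset({"have"}))
HW_OTP_TOKEN = Authenticator("hardware OTP token", frozenset({"have"}), hardware_based=True)
# A PIV card unlocked with a PIN is one multi-factor authenticator: "have" + "know".
PIV_CARD = Authenticator("PIV card + PIN", frozenset({"have", "know"}),
                         hardware_based=True, verifier_impersonation_resistant=True)


def assess_aal(authenticators):
    """Return (aal, gaps): the AAL reached under the slide's rules and what is
    missing to reach the next level. Two authenticators of the same factor type
    (two passwords) still count as one factor."""
    factors = set()
    for a in authenticators:
        factors |= a.factors
    if not factors:
        return 0, ["no authenticator presented"]
    if len(factors) == 1:
        return 1, ["a second, different factor type is needed for AAL2"]
    gaps = []
    if not any(a.hardware_based for a in authenticators):
        gaps.append("no hardware-based authenticator")
    if not any(a.verifier_impersonation_resistant for a in authenticators):
        gaps.append("no verifier-impersonation-resistant authenticator")
    return (3, []) if not gaps else (2, gaps)


if __name__ == "__main__":
    for combo in ([PASSWORD], [PASSWORD, TOTP_APP], [PASSWORD, HW_OTP_TOKEN], [PIV_CARD]):
        aal, gaps = assess_aal(combo)
        print(", ".join(a.name for a in combo), "->", f"AAL{aal}", gaps)
```

Note that a password plus a hardware OTP token stops at AAL2 because neither authenticator resists verifier impersonation, whereas the PIV card alone reaches AAL3 under the slide's rules, which is why IA-2 enhancement (12) on the next slides is about accepting and verifying PIV credentials.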
89 IA-2 Identification and Authentication
90 IA-2 Identification and Authentication Control Enhancement:
91 IA-2 Identification and Authentication
Control Enhancement (12) Acceptance of PIV Credentials: The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials. (SP Ar4)
92 Technical Controls
95 Cloud Service Models: IaaS? PaaS? SaaS?
96 Agenda
NIST Risk Management Framework: a quick review
Implementing controls: host hardening
Security configuration checklists (with DISA STIG Viewer)
NIST SP 800-53A Rev. 4: how controls are assessed
SCAP (Security Content Automation Protocol)
FedRAMP System Security Plan, Section 13: a controls deep dive
Identification and Authentication (IA) controls: assessment questions
Team project: SSP drafts