Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

Similar documents
Certified Information Security Manager (CISM) Course Overview

Risk Analysis Guide for HITRUST Organizations & Assessors

Streamlined FISMA Compliance For Hosted Information Systems

Threat and Vulnerability Assessment Tool

Leveraging ITIL to improve Business Continuity and Availability. itsmf Conference 2009

TEL2813/IS2820 Security Management

SAC PA Security Frameworks - FISMA and NIST

David Missouri VP- Governance ISACA

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

Agency Guide for FedRAMP Authorizations

Security Management Models And Practices Feb 5, 2008

Information Security Continuous Monitoring (ISCM) Program Evaluation

Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements.

CSAM Support for C&A Transformation

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

FPM-IT-420B: FAC-P/PM-IT Planning & Acquiring Operations of IT Systems Course Details

ISC2. Exam Questions CAP. ISC2 CAP Certified Authorization Professional. Version:Demo

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

ISA99 - Industrial Automation and Controls Systems Security

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Federal PKI Management so Authority

NIST Security Certification and Accreditation Project

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 1 OF 3

NCSF Foundation Certification

INFORMATION ASSURANCE DIRECTORATE

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

NIST Special Publication

_isms_27001_fnd_en_sample_set01_v2, Group A

Altius IT Policy Collection Compliance and Standards Matrix

Mitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment

Appendix 12 Risk Assessment Plan

ManTech Advanced Systems International 2018 Security Training Schedule

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

FedRAMP Security Assessment Plan (SAP) Training

Altius IT Policy Collection Compliance and Standards Matrix

MNsure Privacy Program Strategic Plan FY

Appendix 12 Risk Assessment Plan

CISM Certified Information Security Manager

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The NIST Cybersecurity Framework

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

INFORMATION ASSURANCE DIRECTORATE

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

The next generation of knowledge and expertise

Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

RISK MANAGEMENT FRAMEWORK COURSE

Consolidation Committee Final Report

CIP Cyber Security Personnel & Training

ISO27001:2013 The New Standard Revised Edition

ISA99 - Industrial Automation and Controls Systems Security

Information Systems Security Requirements for Federal GIS Initiatives

FISMAand the Risk Management Framework

NW NATURAL CYBER SECURITY 2016.JUNE.16

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

Practitioner Certificate in Business Continuity Management (PCBCM) Course Description. 10 th December, 2015 Version 2.0

Certification Exam Outline Effective Date: September 2013

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) A presentation by Lawrence Feinstein, CISSP

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

Executive Order 13556

SECURITY & PRIVACY DOCUMENTATION

3/2/2012. Background on FISMA-Reheuser. NIST guidelines-cantor. IT security-huelseman. Federal Information Security Management Act

Cybersecurity & Privacy Enhancements

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

Framework for Improving Critical Infrastructure Cybersecurity

Twilio cloud communications SECURITY

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Structuring Security for Success

ISMS Essentials. Version 1.1

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Synergies of the Common Criteria with Other Standards

Ohio Supercomputer Center

Ensuring System Protection throughout the Operational Lifecycle

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Crown Jewels Risk Assessment: Cost- Effective Risk Identification

NIST RISK ASSESSMENT TEMPLATE

Security Awareness Compliance Requirements. Updated: 11 October, 2017

NCSF Foundation Certification

Frameworks and Standards

HITRUST CSF: One Framework

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

01.0 Policy Responsibilities and Oversight

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

Advanced IT Risk, Security management and Cybercrime Prevention

National Information Assurance (IA) Policy on Wireless Capabilities

Federal Information Security Management Act (FISMA) Operational Controls and Their Relationship to Process Maturity

Compliance: How to Manage (Lame) Audit Recommendations

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education

Fiscal Year 2013 Federal Information Security Management Act Report

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

Information Security Program Audit Introduction and Survival Guide

Transcription:

Program Review for Information Security Management Assistance Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

Disclaimer and Purpose PRISMA, FISMA, and NIST, oh my! PRISMA versus an Assessment Topic Areas Maturity Levels Review Options

Federal Information Security Management Act of 2002 (FISMA; 44 U.S.C. 3541, et seq.) Requires Agencies, Contractors to develop, document, implement an infosec program to protect information and information systems risk- based policy for cost- effective security NIST and OMB assigned responsibilities

National Institute of Science and Technology The CSD publishes Special Publications, Interagency Reports, Federal Information Processing Standards, etc FISMA requires NIST to develop standards, guidelines, methods, techniques to assist agencies in meeting requirements Created the FISMA Implementation Project

Risk- based approach to implementation Risk Management Framework (RMF) Independent review of information security maturity PRISMA

Program Review for Information Security Management Assistance Uses maturity levels based on SEI s Capability Maturity Model (CMM) Provides a methodology for conducting a review Has the same issues as a standard assessment

Looks like an assessment NIST SP- 800-30, section 3 Uses maturity levels to evaluate No High, Medium, Low levels (not qualitative) No 65%, 0.65 measures (not quantitative) Still a snapshot in time Uses information provided by system owners, interviews, limited samples Management level review, not technical

Topic Areas Focus of review efforts Maturity Levels Measurement of sophistication of security controls Higher level attained only if previous level attained Preparation Usual scope definition, planning, kickoff Execution Usual interviews, doc review, report draft, final

1. Information Security Management and Culture 2. Information Security Planning 3. Security Awareness, Training, and Education 4. Budget and Resources 5. Life Cycle Management 6. Certification and Accreditation 7. Critical Infrastructure Protection 8. Incident and Emergency Response, and 9. Security Controls

1. Policies 2. Procedures 3. Implementation 4. Test 5. Integration

Formal, up- to- date, documented policies Continuous risk management Cover all facilities, operations, assets Proper approvals Define information security management structure, assign responsibilities Identify penalties and disciplinary actions

Formal, up- to- date, documented procedures Clarify where, how, when, by whom, and on what the procedure is to be performed Define responsibilities for asset owners/users, IS management, management, infosec Lists appropriate contacts Document implementation and rigor of the control

Procedures communicated Implementation of controls is consistent and reinforced with training Ad hoc approaches are discouraged Initial testing of controls

Tests routinely conducted Ensure policies, procedures, controls ensure appropriate security level Effective corrective actions are performed Self- assessments are used Independent audits are used Security incidents/alerts used in test creation Evaluation requirements are documented Frequency and rigor of tests are risk- based

Implementation of controls is second nature Improvements made to controls, policies, etc. Security integrated into budgeting, planning Comprehensive information security part of the culture of the organization; pervasive Decision- making based on cost, risk, mission Program achieves cost- effective security Vulnerabilities understood and managed Threats continually re- evaluated; controls adapted Additional or more cost- effective alternatives identified Metrics for program and investments are met

Compliant Noncompliant Partially Compliant Overall Maturity Scores All Maturity Levels Compliant: Complaint Some Maturity Levels Compliant: Partially Compliant All Maturity Levels Noncompliant: Non- compliant

A database is available from NIST Series of templates and a MS Access Database Contains most documents needed for standard assessment methodology Automates collection and report creation Provides questions to be asked during document review and interviews

PRISMA has multiple review options Option 1 Strategic aspects of the information security program Option 2 Strategic and technical aspects of the program

Information Security Management and Culture Information Security Planning Security Awareness, Training, and Education Budget and Resources Life Cycle Management Certification and Accreditation Critical Infrastructure Protection Incident Response

Same list from Option 1 Also includes Security Controls Physical and Environmental Program Hardware and Software Maintenance System and Information Integrity Media Protection Identification and Authentication Logical Access Control Accountability (including Audit Trails) System and Communications Protection

PRISMA is for FISMA but useful assessment framework Is aligned with most risk assessment methodologies The toolkit may be useful as a source for standard assessments with customization

NIST Interagency Report 7358 http://csrc.nist.gov/groups/sma/prisma/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback