Four Deadly Traps of Using Frameworks: NIST 800-53 Examples
ISACA Feb. 2015 Meeting
Doug Landoll, dlandoll@lantego.com, (512) 633-8405
Session Agenda
- Framework Definition & Uses
- NIST 800-53 Framework Intro & Uses
- Four Traps of Frameworks
- Conclusion
Framework Definition
- Framework: a skeletal structure designed to support something.
- Security Framework: a structure to help organize and prioritize information security programs.
Security Framework Uses
- Structure: organization for the creation or review of an information security program.
- Reference: connection with other frameworks, standards, and requirements.
- Completeness: thorough treatment of security controls.
NIST 800-53 Intro: FISMA
The FISMA "five" publications:
- FIPS Pub 199: Security Categorization (system categorized as Low, Moderate, or High)
- FIPS Pub 200: Minimum Security Controls (18 control families)
- NIST 800-53: Recommended Security Controls (800+ security controls)
- NIST 800-53A: Techniques for Verifying Effectiveness (how to audit controls)
- NIST 800-37: Guide for C&A (Certification & Accreditation process)
SP 800-53 Catalog of Controls
Organized and structured set of security controls: 18 Security Control Families

ID  FAMILY                                  ID  FAMILY
AC  Access Control                          MP  Media Protection
AT  Awareness and Training                  PE  Physical and Environmental Protection
AU  Audit and Accountability                PL  Planning
CA  Security Assessment and Authorization   PS  Personnel Security
CM  Configuration Management                RA  Risk Assessment
CP  Contingency Planning                    SA  System and Services Acquisition
IA  Identification and Authentication       SC  System and Communications Protection
IR  Incident Response                       SI  System and Information Integrity
MA  Maintenance                             PM  Program Management*
SP 800-53 Control Structure
Each security control has the following structure:
- Control Ref. # and Name
- Control Section
- Supplemental Guidance
- Control Enhancements
- References
- Priority & Baseline Allocation
Control Reference & Name
Within each security control family are a number of security controls. These security controls are numbered.

Ref.  Name
AU-1  Audit and Accountability Policy and Procedures
AU-2  Audit Events
AU-3  Content of Audit Records
AU-4  Audit Storage Capacity
AU-5  Response to Audit Processing Failures
AU-6  Audit Review, Analysis, and Reporting
AU-7  Audit Reduction and Report Generation
AU-8  Time Stamps
AU-9  Protection of Audit Information
Control Section
Each security control is described as a requirement. Example (AU-3):
Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
Supplemental Guidance
Supplemental guidance provides non-prescriptive additional information to guide the definition, development, and implementation of the security control:
- Operational considerations
- Mission/business considerations
- Risk assessment information
Example (AU-3):
Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11.
Control Enhancements
Control enhancements provide statements of security capability to:
- Add function/specificity to the control, or
- Increase the strength of the control.
Example (AU-3):
Control Enhancements:
(1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION
    The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].
(2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT
    The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
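The AU-3 control statement above is specific enough to be checked mechanically, which is also the difference between asserting compliance and assessing it. The following is an added example, not from the slides or from NIST: it checks JSON-lines audit records for each element the AU-3 statement requires plus any AU-3(1) organization-defined additional fields; the record key names and the sample records are constructed assumptions.

```python
# Added example (not from the original slides): check audit records for the
# content the AU-3 control statement requires, plus any AU-3(1) organization-
# defined additional fields. Record key names are assumptions.
import json

# Required content per the AU-3 control statement, keyed by assumed field name.
AU3_REQUIRED = {
    "event_type": "what type of event occurred",
    "timestamp": "when the event occurred",
    "host": "where the event occurred",
    "source": "the source of the event",
    "outcome": "the outcome of the event",
    "subject": "identity of individuals or subjects associated with the event",
}

def check_record(record, extra_fields=()):
    """Return the AU-3 requirements a record fails; extra_fields is the AU-3(1)
    organization-defined additional information (empty values count as missing)."""
    missing = [desc for key, desc in AU3_REQUIRED.items()
               if record.get(key) in (None, "")]
    missing += [f"AU-3(1) additional field '{k}'" for k in extra_fields
                if record.get(k) in (None, "")]
    return missing

def audit_log(lines, extra_fields=()):
    """Check JSON-lines audit output; return {line_no: [problems]} for bad lines."""
    findings = {}
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings[n] = ["malformed record"]   # cannot evaluate AU-3 at all
            continue
        missing = check_record(rec, extra_fields)
        if missing:
            findings[n] = missing
    return findings

# Constructed sample: line 1 complete, line 2 lacks outcome and subject, line 3 not JSON.
SAMPLE = [
    '{"event_type":"login","timestamp":"2015-02-10T09:12:03Z","host":"app1",'
    '"source":"10.0.0.5","outcome":"success","subject":"jdoe"}',
    '{"event_type":"file_read","timestamp":"2015-02-10T09:13:44Z","host":"app1",'
    '"source":"10.0.0.5","outcome":"","filename":"/var/log/auth.log"}',
    'Feb 10 09:14:01 app1 sshd[1234]: Accepted publickey for jdoe',
]

if __name__ == "__main__":
    for n, problems in audit_log(SAMPLE, extra_fields=("filename",)).items():
        print(f"line {n}: " + "; ".join(problems))
```

Passing the AU-3(1) assignment as extra_fields shows how an organization-defined parameter becomes a concrete, auditable check rather than a judgment call.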
References
The References section includes a list of applicable documents relevant to the security control: federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
Priority & Baseline Allocation
- Priority: provides guidance for sequencing decisions.
- Baseline Allocation: starting point for the security control selection process based on system categorization (Low, Moderate, High); shown as the LOW / MOD / HIGH columns of the control's allocation table.
Control Assignment
Controls may be augmented through assignment and selection options within control statements.
Assignment: organizationally defined.
Example (800-53, AU-2 AUDIT EVENTS):
The organization:
(3) AUDIT EVENT REVIEWS AND UPDATES: The organization reviews and updates the audited events [Assignment: organization-defined frequency].
Control Selection
Controls may be augmented through assignment and selection options within control statements.
Selection: organizationally defined.
Example (800-53, IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION):
Control: The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local, remote, network] connection.
NIST Security Controls: Risk-based Process
An organizational risk assessment validates the initial security control selection and determines if additional controls are needed.
Example:
- System categorization (Standard, Protected) determines the initial security control selection.
- An organizational/system risk assessment provides the rationale for additional, compensating, or deleted security controls relative to the initial selection.
Framework Uses: NIST 800-53 Example
- Structure: 18 Security Control Families
- Reference: includes crosswalks to ISO 27001 & CC (CC -> 800-53; 800-53 -> CC; ISO 27001 -> 800-53; 800-53 -> ISO 27001)
- Completeness: Organizational, Management and Technical Controls
Example Policies Based on 800-53 Framework

Policy #  Policy Name
P8110     Data Classification
P8120     Information Security Program
P8130     System Security Acquisition
P8210     Security Awareness Training and Education
P8220     System Security Maintenance
P8230     Contingency Planning
P8240     Incident Response Planning
P8250     Media Protection
P8260     Physical Protections
P8270     Personnel Security Control
P9280     Acceptable Use
P8310     Account Management
P8320     Access Control
P8330     System Security Audit
P8340     Identification and Authentication
P8350     System and Communication Protection
P8410     System Privacy
Four Framework Traps
1. False Frameworks
2. Compliance via Assertion
3. Tailoring by Judgment
4. One and Done
False Frameworks
- Regulations and Standards are not Frameworks: they are incomplete and focus solely on specific data and security policies (e.g., HIPAA, PCI DSS).
- "Industry Best Practices": no available references, not industry recognized, likely incomplete and not structured. AKA "our own secret sauce" or "smoke and mirrors".
Compliance via Assertion
Embracing a framework is step one. Next steps:
1. Interpret
2. Apply
3. Assess
4. Address gaps
Tailoring by Judgment
- Frameworks are tailorable through an exception process or a risk-based process.
- Tailoring based on gaps, judgment, and cost limits the benefits of a framework.
One and Done
A security program based on a framework will require maintenance.
- Frameworks get updates: ISO 27001/2 updated Sept 2013; NIST 800-53 updated April 2013; COBIT 5 updated 2012.
- Other updates: references, mappings, business & customer requirements.
- Reassess regularly.
Conclusions
- Determine the appropriate framework for the business.
- Add requirements (these are not frameworks).
- Embrace the framework and its tailoring process.
- Beware framework traps.
- It's just a framework; there is a lot more work to do.