MIS Week 9 Host Hardening

MIS 5214 Week 9 Host Hardening

Agenda
NIST Risk Management Framework: a quick review
Implementing controls: host hardening
  Security configuration checklist (with the DISA STIG Viewer)
NIST 800-53A r4: how controls are assessed
SCAP (Security Content Automation Protocol)
FedRAMP System Security Plan's Section 13: a controls deep dive
Identity and Authentication controls: assessment questions
Team Project: SSP drafts

NIST Risk Management Framework

A security configuration checklist is a document containing instructions or procedures for:
Configuring an information technology (IT) product to an operational environment
Verifying that the product has been configured properly
Identifying unauthorized changes to the product
Checklists can help you:
Minimize the attack surface
Reduce vulnerabilities
Lessen the impact of successful attacks
Identify changes that might otherwise go undetected

Security Technical Implementation Guides (STIGs)
The Defense Information Systems Agency (DISA) creates configuration documents and implementation guidelines which include recommended information security administrative processes that span an application system's lifecycle. DISA's Security Technical Implementation Guides (STIGs) help standardize:
Secure installations of computer software and hardware
Security maintenance of computer software and hardware
Information security audits to analyze risk and identify configuration vulnerabilities

Security Technical Implementation Guides (STIGs) STIGs contain technical guidance to harden and "lock down" information systems and software that might otherwise be vulnerable to a malicious computer attack

Downloading the STIG Viewer

Launching the STIG Viewer

The STIG Viewer

SRG-STIG Library
SRG = Security Requirements Guide
STIG = Security Technical Implementation Guide
FOUO = For Official Use Only

Severity Category Code (CAT) Levels
Classification of computer and network configuration settings. The DISA STIG assigns a Severity Code to each system IA security weakness to indicate the risk level associated with the weakness and the urgency with which the corrective action must be completed.
CAT I: assigned to findings that allow primary security protections to be bypassed, allowing immediate access by unauthorized personnel or unauthorized assumption of super-user privileges. CAT I weaknesses must be corrected before an Authorization to Operate (ATO) is granted.
CAT II: assigned to findings that have a potential to lead to unauthorized system access or activity. CAT II findings shall be corrected or satisfactorily mitigated before an Authorization to Operate will be granted. A system with a CAT II weakness can be granted an ATO only when there is clear evidence that the CAT II weakness can be corrected or satisfactorily mitigated within 180 days of the accreditation decision.
CAT III: assigned to recommendations that will improve IA posture but are not required for an authorization to operate.
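As an added example (not from the course slides or from DISA), the three checklist purposes above and the CAT severity rules in one small Python evaluator: it parses a constructed sshd_config sample, verifies it against a constructed checklist whose HC-nnn check IDs and CAT ratings are hypothetical, flags drift from an approved baseline snapshot, and applies the CAT I/II/III authorization rules from the slide.

```python
"""Checklist-style host verification: parse a config, verify it, detect drift, apply CAT rules."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample of an sshd_config as read off a host. The trailing duplicate
# PermitRootLogin line is deliberate: sshd honours the FIRST value it sees for a keyword.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH daemon configuration (constructed sample, not from a real host)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication = yes
PermitEmptyPasswords no
X11Forwarding yes
ClientAliveInterval 600
Banner /etc/issue
PermitRootLogin no
"""

# Constructed snapshot of the settings that were approved at the last assessment.
BASELINE_SNAPSHOT = {
    "port": "22", "protocol": "2", "permitrootlogin": "no",
    "passwordauthentication": "yes", "permitemptypasswords": "no",
    "x11forwarding": "no", "clientaliveinterval": "600", "banner": "/etc/issue",
}

def parse_sshd_config(text: str) -> Dict[str, str]:
    """'Keyword value' or 'Keyword = value' -> {keyword.lower(): value}; first occurrence wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # keyword with no value: skip rather than crash the scan
        settings.setdefault(parts[0].lower(), parts[1].strip())  # sshd keeps the first value
    return settings

@dataclass(frozen=True)
class Check:
    check_id: str                  # hypothetical ID, not a real STIG vulnerability or CCI ID
    cat: int                       # DISA severity: 1 = CAT I, 2 = CAT II, 3 = CAT III
    keyword: str
    passes: Callable[[str], bool]  # True when the observed value is acceptable
    title: str

def _int_between(lo: int, hi: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and lo <= int(v) <= hi

# Constructed checklist for a handful of sshd settings (the CAT ratings are illustrative).
CHECKLIST: List[Check] = [
    Check("HC-001", 1, "PermitRootLogin", lambda v: v.lower() == "no",
          "Direct root login over SSH must be disabled"),
    Check("HC-002", 1, "PermitEmptyPasswords", lambda v: v.lower() == "no",
          "Empty passwords must be refused"),
    Check("HC-003", 2, "X11Forwarding", lambda v: v.lower() == "no",
          "X11 forwarding must be disabled"),
    Check("HC-004", 2, "ClientAliveInterval", _int_between(1, 600),
          "Idle sessions must time out within 600 seconds"),
    Check("HC-005", 3, "Banner", lambda v: v == "/etc/issue",
          "A logon banner should be configured"),
]

def evaluate(settings: Dict[str, str], checklist=CHECKLIST) -> List[Tuple[Check, str]]:
    """Verify the product is configured properly: return (check, observed) for each open finding."""
    findings = []
    for check in checklist:
        observed = settings.get(check.keyword.lower(), "<unset>")  # absent keyword is a finding
        if observed == "<unset>" or not check.passes(observed):
            findings.append((check, observed))
    return findings

def detect_drift(settings: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, Tuple]:
    """Identify unauthorized changes: settings whose value differs from the approved snapshot."""
    return {k: (baseline.get(k), settings.get(k))
            for k in sorted(set(settings) | set(baseline))
            if settings.get(k) != baseline.get(k)}

def ato_decision(findings, cat2_mitigation_plans=frozenset()) -> Tuple[str, str]:
    """CAT I open blocks the ATO; CAT II open blocks it unless there is evidence it will be
    corrected or mitigated within 180 days; CAT III recommendations never block."""
    cat1 = [c.check_id for c, _ in findings if c.cat == 1]
    if cat1:
        return "DENY", "CAT I must be corrected before ATO: " + ", ".join(cat1)
    cat2 = [c.check_id for c, _ in findings if c.cat == 2 and c.check_id not in cat2_mitigation_plans]
    if cat2:
        return "DENY", "CAT II without a 180-day mitigation plan: " + ", ".join(cat2)
    cat3 = [c.check_id for c, _ in findings if c.cat == 3]
    return "GRANT", "remaining CAT III recommendations: " + (", ".join(cat3) or "none")

if __name__ == "__main__":
    current = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for check, observed in evaluate(current):
        print("CAT " + "I" * check.cat, check.check_id, check.title, "observed:", observed)
    print("drift:", detect_drift(current, BASELINE_SNAPSHOT), ato_decision(evaluate(current)))
```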

STIG Guidance

The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. CCI bridges the gap between high-level policy expressions and low-level technical implementations

Which controls aid in Host Hardening?

Assessment Methods
3 assessment methods can be used by assessors during security and privacy control assessments:
1. Examine
2. Interview
3. Test
Budget and schedule determine the depth and coverage (breadth) of the assessment.
Depth: 1. Basic 2. Focused 3. Comprehensive
Coverage (breadth): 1. Basic 2. Focused 3. Comprehensive

Examine security and privacy controls
Definition: the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects. Facilitates understanding, achieves clarification, or obtains evidence. Results are used to support determining security and privacy control:
Existence
Functionality
Correctness
Completeness
Potential for improvement over time

Examine security and privacy controls
Assessment Objects:
1. Specifications: policies, plans, procedures, system requirements, and designs
2. Mechanisms: functionality implemented in hardware, software or firmware
3. Activities: system operations, administration, management, and exercises

Examine security and privacy controls
Supplemental guidance: typical assessor actions may include, for example:
Reviewing information security policies, plans, and procedures
Analyzing system design documentation and interface specifications
Observing system backup operations
Reviewing the results of contingency plan exercises
Observing incident response activities
Studying technical manuals and user/administration guides
Checking, studying or observing the operation of an information technology mechanism in the information system hardware/software
Checking, studying, or observing physical security measures related to the operation of an information system

Interview security and privacy controls
Assessment Objects:
1. Individuals
2. Groups of individuals
Definition: the process of conducting discussions with individuals or groups within an organization. Facilitates understanding, achieves clarification, or leads to the location of evidence. Results are used to determine security and privacy control:
Existence
Functionality
Correctness
Completeness
Potential for improvement over time

Examine Attributes: Depth, Coverage

Depth addresses the rigor and level of detail in the examination process. 3 Depths:
1. Basic examination
   Provides understanding of security and privacy controls
   Determines whether controls are implemented and free of obvious errors
   Consists of high-level reviews, checks, observations, or inspections using a limited body of evidence or documentation, e.g. functional-level descriptions for mechanisms; high-level process descriptions for activities; actual documents for specifications
2. Focused examination
   Provides understanding of security and privacy controls
   Determines whether controls are implemented and free of obvious errors
   Determines whether there are increased grounds for confidence that controls are implemented correctly and operating as intended
   Consists of high-level reviews, checks, observations, or inspections and more in-depth studies/analyses
   Conducted using a substantial body of evidence or documentation, e.g. functional-level descriptions and high-level design information for mechanisms; high-level process descriptions and implementation procedures for activities; and actual specification documents
3. Comprehensive examination
   Provides understanding of security and privacy controls
   Determines whether controls are implemented and free of obvious errors
   Determines whether there are further increased grounds for confidence that controls are implemented correctly and operating as intended on an ongoing and consistent basis
   Determines that there is support for continuous improvement in the effectiveness of the controls
   Consists of high-level reviews, checks, observations, or inspections and more in-depth, detailed, and thorough studies/analyses
   Conducted using an extensive body of evidence or documentation, e.g. functional-level descriptions, high-level design information, low-level design information and implementation information for mechanisms; high-level process descriptions and detailed implementation procedures for activities; and specification documents

Coverage addresses the scope or breadth of the examination process and includes the types of assessment objects to be examined, the number of objects to be examined by type, and the specific objects to be examined. The organization considers a variety of factors (e.g. available resources, importance of the assessment, overall goals and objectives of the assessment), confers with assessors, and provides direction on the type, number, and specific objects to be examined for the particular level of coverage desired. 3 Coverages:
1. Basic examination
   Uses a representative sample of assessment objects (by type and number within type) to provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors
2. Focused examination
   Uses a representative sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective
   Provides a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors and whether there are increased grounds for confidence that controls are implemented correctly and operating as intended
3. Comprehensive examination
   Uses a sufficiently large sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective
   Provides a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors, whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and whether there is support for continuous improvement in the effectiveness of the controls

Interview security and privacy controls
Supplemental guidance: typical assessor actions may include, for example, interviewing agency heads, chief information officers, senior agency information security officers, authorizing officials, information owners, information system and mission owners, information system security officers, information system security managers, personnel officers, human resource managers, facilities managers, training officers, information system operators, network and system administrators, site managers, physical security officers, and users.

Interview Attributes: Depth, Coverage

Depth addresses the rigor and level of detail in the interview process. 3 Levels of Depth:
1. Basic interview
   Consists of broad-based, high-level discussions with individuals or groups of individuals
   Conducted using a set of generalized, high-level questions
   Provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors
2. Focused interview
   Consists of broad-based, high-level discussions and more in-depth discussions in specific areas with individuals or groups of individuals
   Conducted using a set of generalized, high-level questions and more in-depth questions in specific areas where responses indicate a need for more in-depth investigation
   Provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors and whether there are increased grounds for confidence that the controls are implemented correctly and operating as intended
3. Comprehensive interview
   Consists of broad-based, high-level discussions and more in-depth, probing discussions in specific areas with individuals or groups of individuals
   Conducted using a set of generalized, high-level questions and more in-depth, probing questions in specific areas where responses indicate a need for more in-depth investigation
   Provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors, whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and whether there is support for continuous improvement in the effectiveness of the controls

Coverage addresses the scope or breadth of the interview process and includes the types of individuals to be interviewed (by organizational role and associated responsibility), the number of individuals to be interviewed (by type), and the specific individuals to be interviewed. The organization, considering a variety of factors (e.g. available resources, importance of the assessment, the organization's overall assessment goals and objectives), confers with assessors and provides direction on the type, number, and specific individuals to be interviewed for the particular attribute value described. 3 Levels of Coverage:
1. Basic interview
   Uses a representative sample of individuals in key organizational roles to provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors
2. Focused interview
   Uses a representative sample of individuals in key organizational roles and other specific individuals deemed particularly important to achieving the assessment objective
   Provides a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors and whether there are increased grounds for confidence that the controls are implemented correctly and operating as intended
3. Comprehensive interview
   Uses a sufficiently large sample of individuals in key organizational roles and other specific individuals deemed particularly important to achieving the assessment objective
   Provides a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors, whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and whether there is support for continuous improvement in the effectiveness of the controls

Test security and privacy controls
Assessment Objects:
1. Mechanisms (e.g. hardware, software, firmware)
2. Activities (e.g. system operations, administration, management; exercises)
Definition: the process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior, the results of which are used to support the determination of security and privacy control existence, functionality, correctness, completeness, and potential for improvement over time. Testing is typically used to determine if mechanisms or activities meet a set of predefined specifications. Testing can also be performed to determine characteristics of a security or privacy control that are not commonly associated with predefined specifications (e.g. penetration testing).

Test security and privacy controls
Supplemental guidance: typical assessor actions may include, for example:
Testing access control, identification and authentication, and audit mechanisms
Testing security configuration settings
Testing physical access control devices
Conducting penetration testing of key information system components
Testing information system backup operations
Testing incident response capability
Exercising contingency planning capability

Test Attributes: Depth, Coverage

Depth addresses the types of testing to be conducted. 3 Depths of testing:
1. Basic testing
   Test methodology (also known as black box testing) that assumes no knowledge of the internal structure and implementation detail of the assessment object
   Conducted using a functional specification for mechanisms and a high-level process description for activities
   Provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors
2. Focused testing
   Test methodology (also known as gray box testing) that assumes some knowledge of the internal structure and implementation detail of the assessment object
   Conducted using a functional specification and limited system architectural information (e.g. high-level design) for mechanisms, and a high-level process description and high-level description of integration into the operational environment for activities
   Determines if controls are implemented and free of obvious errors
   Determines if controls are implemented correctly and operating as intended
3. Comprehensive testing
   Test methodology (also known as white box testing) based on explicit and substantial knowledge of the internal structure and implementation detail of the assessment object
   Conducted using a functional specification, extensive system architecture information (e.g. high-level design, low-level design) and implementation representation (e.g. source code, schematics) for mechanisms, and a high-level process description and detailed description of integration into the operational environment for activities
   Determines if controls are implemented and free of obvious errors
   Determines if controls are implemented correctly and operating as intended on an ongoing and consistent basis
   Determines if there is support for continuous improvement in the effectiveness of the controls

Coverage addresses the scope or breadth of the testing process and includes the types of assessment objects to be tested, the number of objects to be tested (by type), and the specific objects to be tested. 3 Levels of coverage for testing:
1. Basic testing
   Uses a representative sample of assessment objects (by type and number within type)
   Provides a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors
2. Focused testing
   Uses a representative sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective
   Determines whether the security and privacy controls are implemented and free of obvious errors
   Determines whether there are increased grounds for confidence that the controls are implemented correctly and operating as intended
3. Comprehensive testing
   Uses a sufficiently large sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective
   Determines whether the security and privacy controls are implemented and free of obvious errors
   Determines whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis
   Determines if there is support for continuous improvement in the effectiveness of the controls

SCAP (Security Content Automation Protocol), pronounced "ess-cap"
Purpose: used for continuously monitoring deployed computer systems and applications for detectable vulnerabilities, and to assure they incorporate security upgrades to software (patches) and deploy updates to configurations
SCAP is based on a number of open standards, widely used to enumerate software flaws and configuration issues related to security
The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP
Vendors can get their computer system configuration scanner product validated against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way
Validated tools automate the collection of assessment objects used in Examine, Inspect and Test activities
https://en.wikipedia.org/wiki/security_content_automation_protocol

Examine: SCAP (Security Content Automation Protocol) validated tools may be used to automate collection of assessment objects

Common SCAP uses:
- Security configuration verification
  - Compare settings in a checklist to a system's actual configuration
  - Verify configuration before deployment; audit/assess/monitor operational systems
  - Map individual settings to high-level requirements (requirements traceability)
- Verifying patch installation and identifying missing patches
- Checking systems for signs of compromise
  - Known characteristics of attacks, such as altered files or the presence of a malicious service

SCAP Compliance Scan Results

SCAP: Individual compliance check result for scanned host
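The per-host compliance check results shown on these slides are produced by SCAP scanners as XCCDF TestResult XML. As an added example that is not part of the original deck, the Python below parses a constructed, labelled sample of such a result and computes a pass rate that counts only rules the scanner actually evaluated (notapplicable and notchecked rules must not inflate it); the rule ids and the CCE number are placeholders, only the XCCDF 1.2 namespace and result vocabulary are real.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # real XCCDF 1.2 namespace

# Constructed sample TestResult for one scanned host. Rule ids and the CCE
# number are placeholders for illustration, not real checklist content.
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_sample">
  <target>web01.example.internal</target>
  <rule-result idref="xccdf_example_rule_ssh_no_root_login" severity="high">
    <result>fail</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-EXAMPLE-0001</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_password_min_length" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled" severity="medium"><result>notchecked</result></rule-result>
  <rule-result idref="xccdf_example_rule_fips_mode" severity="low"><result>notapplicable</result></rule-result>
</TestResult>"""

# Only these XCCDF result values mean the rule was actually evaluated; the rest
# (notapplicable, notchecked, notselected, informational) say nothing about the
# setting and must not inflate a pass rate. error/unknown/notchecked are
# flagged for an assessor's follow-up instead of being counted either way.
EVALUATED = {"pass", "fail", "error", "unknown", "fixed"}
FOLLOW_UP = {"error", "unknown", "notchecked"}

def parse_test_result(xml_text):
    """Return (target hostname, list of per-rule result dicts)."""
    root = ET.fromstring(xml_text)
    target = root.findtext(XCCDF + "target")
    results = []
    for rr in root.findall(XCCDF + "rule-result"):
        ident = rr.find(XCCDF + "ident")
        results.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": (rr.findtext(XCCDF + "result") or "unknown").strip(),
            "ident": ident.text if ident is not None else None,  # e.g. a CCE id
        })
    return target, results

def summarize(results):
    evaluated = [r for r in results if r["result"] in EVALUATED]
    passed = sum(1 for r in evaluated if r["result"] in ("pass", "fixed"))
    return {
        "counts": dict(Counter(r["result"] for r in results)),
        "pass_rate": passed / len(evaluated) if evaluated else 0.0,
        "failures": [r for r in results if r["result"] == "fail"],
        "needs_review": [r for r in results if r["result"] in FOLLOW_UP],
    }
```

The failures list carries the rule id, severity and CCE identifier, which is what lets a single setting be traced back to the checklist item and the high-level requirement it supports.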

SCAP (Security Content Automation Protocol) validated tools may be used to automate collection of assessment objects

- National Vulnerability Database (NVD): http://nvd.nist.gov/download.cfm
- National Checklist Program (NCP): http://web.nvd.nist.gov/view/ncp/repository
- NIST SP 800-117, Guide to Adopting and Using SCAP
- NIST SP 800-126r2, The Technical Specification for SCAP
- NIST SP 800-70r2, National Checklist Program for IT Products
- More documentation and tools: https://scap.nist.gov/revision/1.0/index.html

DISA STIG Tool + SCAP Tool


SSP Table of Contents

1 INFORMATION SYSTEM NAME/TITLE
2 INFORMATION SYSTEM CATEGORIZATION
  2.1 Information Types
  2.2 Security Objectives Categorization (FIPS 199)
  2.3 E-Authentication Determination
3 INFORMATION SYSTEM OWNER
4 AUTHORIZING OFFICIAL
5 OTHER DESIGNATED CONTACTS
6 ASSIGNMENT OF SECURITY RESPONSIBILITY
7 INFORMATION SYSTEM OPERATIONAL STATUS
8 INFORMATION SYSTEM TYPE
  8.1 Cloud Service Models
  8.2 Cloud Deployment Models
  8.3 Leveraged Authorizations
9 GENERAL SYSTEM DESCRIPTION
  9.1 System Function or Purpose
  9.2 Information System Components and Boundaries
  9.3 Types of Users
  9.4 Network Architecture
10 SYSTEM ENVIRONMENT AND INVENTORY
  10.1 Data Flow
  10.2 Ports, Protocols and Services
11 SYSTEM INTERCONNECTIONS
12 LAWS, REGULATIONS, STANDARDS AND GUIDANCE
  12.1 Applicable Laws and Regulations
  12.2 Applicable Standards and Guidance
13 MINIMUM SECURITY CONTROLS
14 ACRONYMS
15 ATTACHMENTS
  ATTACHMENT 1 - Information Security Policies and Procedures
  ATTACHMENT 2 - User Guide
  ATTACHMENT 3 - E-Authentication Worksheet
    Introduction and Purpose
    Information System Name/Title
    E-Authentication Level Definitions
    Review Maximum Potential Impact Levels
    E-Authentication Level Selection
  ATTACHMENT 4 - PTA / PIA
    Privacy Overview and Point of Contact (POC)
    Applicable Laws and Regulations
    Applicable Standards and Guidance
    Personally Identifiable Information (PII)
    Privacy Threshold Analysis
    Qualifying Questions
    Designation
  ATTACHMENT 5 - Rules of Behavior
  ATTACHMENT 6 - Information System Contingency Plan
  ATTACHMENT 7 - Configuration Management Plan
  ATTACHMENT 8 - Incident Response Plan
  ATTACHMENT 9 - CIS Report and Worksheet
  ATTACHMENT 10 - FIPS 199
    Introduction and Purpose
    Scope
    System Description
    Methodology
  ATTACHMENT 11 - Separation of Duties Matrix
  ATTACHMENT 12 - FedRAMP Laws and Regulations
  ATTACHMENT 13 - FedRAMP Inventory Workbook

Back to our SSP's Technical Controls: Section 13

Technical Controls

Identification and Authentication (IA) Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Identification and Authentication (IA)

IA-1 Identification and Authentication Policy and Procedures

Control: The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
   1. Identification and authentication policy [Assignment: organization-defined frequency]; and
   2. Identification and authentication procedures [Assignment: organization-defined frequency].

IA-1 Identification and Authentication Policy and Procedures

Identification and Authentication (IA)

IA-2 Identification and Authentication (Organizational Users)

Control: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

IA-2 Identification and Authentication SSP

Identity Assurance

Identity Assurance

Authenticator Assurance (AAL = Authenticator Assurance Level)
- AAL1 = 1 factor
- AAL2 = 2 factors
- AAL3 = 2 factors: a hardware-based authenticator and an authenticator that provides verifier impersonation resistance

IA-2 Identification and Authentication

IA-2 Identification and Authentication Control Enhancement:

IA-2 Identification and Authentication Control Enhancement: (12) Acceptance of PIV Credentials

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

Source: SP 800-53Ar4

Technical Controls



Cloud Service Models: IaaS? PaaS? SaaS?
