USDA Cyber Security Program

1
  • USDA Cyber Security Program
  • July 2005

2
Cyber Security Program
  • Establishes a standard oversight structure to
    ensure that adequate security is provided for all
    USDA information collected, processed,
    transmitted, stored, or disseminated by USDA
    information technology.

3
Program Goals
  • Comply with applicable laws and guidance
  • Reduce and manage security risks to acceptable
    levels
  • Assure operational continuity

4
Applicable laws and regulatory references
  • Federal Information Security Management Act
  • OMB Circular No. A-130, Appendix III, Security of
    Federal Automated Information Resources (November
    2000)
  • Clinger-Cohen Act
  • DM 3500 Cyber Security Manual
  • DR 3140-001 Information Systems Security Policy
  • Computer Security Act of 1987 (Public Law
    100-235)
  • Privacy Act of 1974

5
Roles and Responsibilities
  • Chief Information Officer (CIO)
  • Associate Chief Information Officer for Cyber
    Security (ACIO)
  • Agency CIO/Designated Approving Authority (DAA)
  • Agency Information System Security Program
    Manager (ISSPM)
  • Agency Information System Security Officer (ISSO)
  • USDA users, contractors, other employees

6
Programs
  • Federal Information Security Management Act
    (FISMA)
  • Contingency Planning
  • Security Awareness and Training
  • Configuration Management
  • Certification and Accreditation
  • Privacy
  • Incident Response

7
Compliance
  • Oversight Security Reviews
  • Risk Assessments
  • Security Plan Review
  • Capital Planning and Investment Control (CPIC)
  • Independent Validation and Verification (IV&V)
  • FISMA reporting (Security Metrics)
  • Self-assessments
  • OIG and GAO audits
  • Certification and Accreditation
  • Plans of Action and Milestones (POA&Ms)
  • Operating System Configurations
  • Scanning
  • Incident Response

8
Compliance Framework
  • Control objective documented in a security policy
  • Controls documented as procedures
  • Procedures have been implemented
  • Procedures and security controls have been tested
    and reviewed
  • Procedures and security controls are fully
    integrated into a comprehensive program

9
Policy (baseline)
  • Management Controls focus on the management of
    the IT security system and the management of risk
    for a system
  • Operational Controls address security methods
    focusing on mechanisms primarily implemented and
    executed by people rather than by systems. These
    controls improve the security of a particular
    system
  • Technical Controls focus on security controls
    that the system itself executes. These controls
    can provide automated protection against
    unauthorized access or misuse, facilitate
    detection of security violations, and support
    security requirements for applications and data.

10
Management Controls
  • Risk Management
  • Review of Security Controls
  • Life Cycle
  • Authorize Processing (Certification and
    Accreditation, C&A)
  • System Security Plan

11
Operational Controls
  • Personnel Security
  • Physical Security
  • Production Input/Output controls
  • Contingency Planning
  • Hardware and Systems Software Maintenance
  • Data Integrity
  • Documentation
  • Security Awareness Training and Education
  • Incident Response Capability

12
Technical Controls
  • Identification and Authentication
  • Logical Access Controls
  • Audit Trails

13
Technical support
  • Technical Security Architecture
  • Tier I: Mainframe security
  • Tier II: Desktop/laptop security and database
    security
  • Tier III: Network security
  • Telecommunications
  • Software and Tools products for patch
    management, anti-virus, authentication,
    firewalls, wireless

14
Process Support
  • Waivers
  • CPIC (OMB Exhibit 300s)
  • Liaisons
  • Statements of Work (SOWs)/Blanket Purchase
    Agreements (BPAs)
  • Technical Working Groups
  • Enterprise Architecture

15
OMB Exhibit 300
  • Security and Privacy
  • Cost and Funding
  • FISMA
  • Met Security Requirements?
  • C&A
  • Security Plan
  • Security Controls Tested?
  • Security Awareness Training
  • Incident Handling
  • Privacy

16
2005 Strategic Plan
  • POA&Ms: improve the database used to identify and
    track agency and department milestones
  • Certification and Accreditation: complete
    accreditation of the remaining systems inventory
  • Incident management: develop a database to
    automate the incident management process
  • Cyber Security Metrics: develop performance
    metrics to measure achievement of cyber security
    requirements
  • Security Architecture: standardize products and
    product selection
  • Wireless: evaluate wireless controls in USDA

17
Questions and Answers
Kelvin Fairfax, 202-720-2362
Kelvin.Fairfax@usda.gov