Nov. 6 2006 Notes - PowerPoint PPT Presentation

Slides: 16
Provided by: mattp6

Transcript and Presenter's Notes

1
Nov. 6 2006 Notes
  • You'll need to take your own notes too!

2
Today's Plan
  • Chat about projects
  • Chat about deliverables
  • WordPress.com
  • FISMA 17 Areas of Security Controls
  • Maybe some HacMe Bank

3
Exam next week
  • Covers
  • Steve Nugen's Windows lectures
  • First four chapters of Security & Usability plus
    the "Why Johnny Can't Encrypt" chapter
  • Carnegie's How to Win Friends and Influence
    People
  • Today's notes on FISMA and the 17 areas of
    security controls
  • Nothing on HacMe Bank
  • Closed book, closed notes, no help from other people

4
FISMA
  • The U.S. Congress enacted the Federal
    Information Security Management Act (FISMA) of
    2002 to provide a comprehensive framework for
    ensuring the effectiveness of information
    security controls over information resources that
    support Federal operations and assets.
  • FISMA established minimum information security
    standards for all civilian agencies, and for
    organizations using or administering federal data
    and funds.

5
Many Government Agencies are like small businesses
  • E.g. NEA has a very small amount of IT
    infrastructure
  • Yet they are audited by the same rules and the
    same organizations as big government agencies
  • E.g. departments within an agency can be like
    small businesses too.
  • Effectiveness plays the role for an agency that
    profit plays for a business

6
Areas of Security Controls
  • FISMA boils down to the 17 security control
    families found in National Institute of Standards
    and Technology (NIST) Special Publication 800-53,
    Recommended Security Controls for Federal
    Information Systems. (The companion standard FIPS
    200, Minimum Security Requirements for Federal
    Information and Information Systems, makes the
    800-53 baselines mandatory.)
  • Each control family contains numerous requirements;
    which ones apply depends on the system's FIPS 199
    impact level (low, moderate, or high).

7
Control Types
  • Management
  • Operational (procedural)
  • Technical

8
Technical Controls
  • IA Identification and Authentication
  • AC Access Control
  • AU Audit and Accountability
  • SC System and Communications Protection

9
Operational Controls (aka Procedural)
  • PS Personnel Security
  • PE Physical and Environmental Protection
  • CP Contingency Planning
  • CM Configuration Management
  • MA Maintenance
  • SI System and Information Integrity
  • MP Media Protection
  • IR Incident Response
  • AT Awareness and Training

10
Management Controls
  • RA - Risk Assessment
  • PL -Planning
  • SA -System and Services Acquisition
  • CA -Certification, Accreditation, and Security
    Assessments

11
Bake Assurance In
  • It is critical to build a security program,
    containing repeatable processes, that is
    integrated into the day-to-day business processes
    of the organization.
  • Governance
  • Operations
  • Training
  • Assessment
  • Monitoring & Remediation
  • "Trust but verify" -- Ronald Reagan
    http://tinyurl.com/ygy6ow

12
Government Documents
  • Use government documents from NIST [1], the DISA
    STIGs (Security Technical Implementation Guides)
    [2], and the NSA SNAC (Systems and Network Attack
    Center) guides [3]. Connecting your investigation
    to these government documents will improve your
    project and improve your chances of getting a
    government job.
  • [1] http://csrc.nist.gov/publications/nistpubs/
  • [2] http://iase.disa.mil/stigs/stig/
  • [3] http://www.nsa.gov/snac/
  • You'll of course want to do your own searches for
    government docs

13
NIST SP 800-100, Information Security Handbook: A Guide for Managers
  • NIST SP 800-100 is 174 pages long.
  • This Information Security Handbook provides a
    broad overview of information security program
    elements to assist managers in understanding how
    to establish and implement an information
    security program.
  • The purpose of this publication is to inform
    members of the information security management
    team (agency heads, chief information officers
    (CIO), senior agency information security
    officers (SAISO), and security managers) about
    various aspects of information security that they
    will be expected to implement and oversee in
    their respective organizations. This handbook
    summarizes and augments a number of existing
    National Institute of Standards and Technology
    (NIST) standard and guidance documents and
    provides additional information on related
    topics.
  • http://tinyurl.com/y4tog6

14
Areas Relevant to IA
  • Info Security Governance
  • System Development Life Cycle
  • Awareness and Training
  • Capital Planning
  • Interconnecting Systems
  • Performance Measures
  • Security Planning
  • Contingency Planning
  • Risk Management
