IT Security in the CPIC Process - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
IT Security in the CPIC Process
  • Department of the Interior
  • Dan Chandler
  • April 2003

2
OMB Requirements
  • Life cycle funding
  • 5 to 10 percent of total life cycle cost should be
    linked to Security
  • Business Case
  • Establish milestones, performance measures and
    demonstrate return on investment
  • Linkage to OMB Circular A-11
  • Costs identified and tracked through Capital
    Planning Process

3
Exhibit 300 Criteria
  • DOI OCIO Memo dated March 6, 2003 states that all
    Exhibit 300s must have a score equal to or
    greater than 4 on Security and Privacy (SE)
    Section (Part II, Section II.B)
  • (5)-Security and privacy issues for the project
    are addressed and all questions are answered;
    detail is provided about the individual project
    throughout the life-cycle, including budgeting
    for SE.
  • (4)-Security and privacy information for the
    project is provided but there are weaknesses in
    the information that need to be corrected.
  • (3)-Security and privacy information for the
    project is provided but fails to meet the
    minimum requirements.
  • (2)-Security and privacy information points to an
    overall agency security process with little to no
    detail at this project level.
  • (1)-There is no security or privacy information
    provided for the project.

4
Lessons Learned
  • The DOI OCIO's IT Security Office reviewed 50-plus
    Capital Asset Plan and Business Case Exhibit 300s
    in FY 2002
  • Only two achieved passing scores in the Security
    section
  • Hard dollar figures (not percents) must be
    presented for the systems life cycle
  • The dollar amount funded for security within the
    project, as a share of total project funding,
    should match the percentage for security
    indicated on the Exhibit 53
  • The Bureau IT Security Manager or designee must
    sign-off on submissions
  • There must be an individual assigned to each IT
    system to ensure adequate security controls are
    implemented
  • Lack of information on risk assessment and
    corrective action plans
  • Lack of information on contingency plans
  • Assigned risk levels
  • Referring to SSPs is not acceptable
  • Security requirements included in acquisition or
    development documents
  • Configuration management and change control
    policies.

5
Major Components
  • The majority of the Exhibit 300s had the same
    weaknesses because they failed to take into
    account a life-cycle approach to risk management
  • Security Considerations in Building your Business
    Case
  • Risk Management
  • Accountability
  • Security Documentation
  • Reporting
  • Authorized Processing
  • Interfacing with other organizations

6
IT Security Risk Management
  • IT Security is all about managing risks and
    establishing controls that are commensurate with
    the value of the asset
  • The Security Section of your 300 should focus on
    the following
  • Accountability
  • Documentation
  • Reporting
  • Authorized Processing (Certification and
    Accreditation)

7
Accountability
  • Tied to the System Owner (SO) acknowledging their
    security responsibilities. Highlight the
    following in your 300
  • Fund IT Security across the life-cycle
  • Utilize NIST issued standards and guidance
  • Assign an IT Security Officer
  • Conduct Asset Valuation for the IT system and
    document the results
  • Conduct a data sensitivity analysis to establish
    the appropriate levels for confidentiality,
    integrity and availability
  • Establish explicit IT Security policies for the
    system (auditing, separation of duties, clearance
    levels, etc.)
  • Control selection and effectiveness based on Risk
    Assessments
  • Track corrective actions through Plans of Action
    and Milestones (POA&M)
  • Carry out IT Security training (rules of
    behavior)
  • Monitor, verify, and validate IT security
    compliance for any IT system operated by
    contractors, either on-site or at a contractor
    facility

8
Security Documentation
  • IT Systems need to reflect their compliance with
    Federal IT Security regulations
  • 300s should convey that the minimum security
    documentation is in place or will be in place
    before full production
  • NIST compliant System Security Plan (SSP)
  • Current Risk Assessment (including mitigation
    strategy)
  • IT System Contingency Plan
  • Configuration Management Plan
  • Privacy Impact Assessment Statement
  • Certification Statement
  • Accreditation Authority Letter

9
Reporting
  • 300s should show that processes are in place to
    track all aspects of the project and will provide
    status and performance metrics
  • Security considerations for reporting should
    focus on
  • Incident response capability being in place
  • Status reports will be used to measure
    effectiveness of firewalls, intrusion detection
    systems, anti-virus and other security controls
  • Statistics for security training
  • Spending and return on investment

10
Authorized Processing
  • System owners need to demonstrate
  • awareness of the security standards to which the
    system subscribes
  • understanding of the known vulnerabilities
  • plan to track and ensure that these
    vulnerabilities are mitigated
  • Certification and Accreditation (C&A) issues to
    address
  • Has an Interim Authorization To Operate (IATO)
    been issued?
  • Has the project undergone an approved
    certification and accreditation (C&A) process? If
    so, what was the date of the last review?
  • Which C&A methodology was used?
  • If the system is being developed, are
    certification and accreditation scheduled and
    funded? If not, is there an explanation?
  • Has an up-to-date C&A statement been signed for
    this system?

11
Interfacing with Other Organizations
  • Obtain Bureau IT Security Manager (BITSM) review
    and sign-off
  • Bureau and Office OCIO Personnel
  • Bureau and Office Budget Personnel
  • Other Stakeholders
  • DOI Office of the Chief Information Officer
  • DOI Budget Office
