Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Chapter 12: Aligning the ICT Organization with Regulatory Requirements

Posted on 18-Jan-2016

Description: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition. Chapter 12, Aligning the ICT Organization with Regulatory Requirements. Objectives: understand the role of government regulatory requirements in shaping ICT security (PowerPoint presentation).

Transcript

Page 1: Title

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Chapter 12: Aligning the ICT Organization with Regulatory Requirements

Page 2: Objectives

© Cengage Learning 2015

• Understand the role of government regulatory requirements in shaping ICT security

• Understand how the Federal Information Security Management Act (FISMA) shapes ICT security

• Understand the implementation process for FISMA compliance

• Understand the specific purpose of NIST 800-53 categories

Page 3: Overview of Regulatory Models for ICT Organizations

• Regulatory models: an unconventional method for structuring an ICT organization

• Compliance with a regulatory model is mandated in several important ICT venues
  – Health care and government

• Regulatory models dictate the way particular types of organizations should perform their ICT work

Page 4: Overview of Regulatory Models for ICT Organizations

• Examples of frameworks at the federal level:
  – Sarbanes-Oxley Act (SOX)
  – Health Information Portability and Accountability Act (HIPAA)
  – Federal Information Security Management Act (FISMA)

• FISMA is comprehensive legislation that dictates every aspect of correct security practice for large-scale information system environments
  – This chapter focuses on FISMA

Page 5: The Federal Information Security Act of 2002

• FISMA is an element of the E-Government Act
  – Formerly known as Title III-Section 301 Information Security

• FISMA may apply to more than just federal information systems
  – Private industries that serve as government contractors and their private-sector supply chains

• FISMA is implemented by two federal information processing standards publications (FIPS PUBS)

• Standards are issued by the National Institute of Standards and Technology (NIST)

Page 6: FIPS 199

• FIPS 199 serves as the basis for selecting appropriate security controls depending on the security needs of the information being protected

• Information and information systems are categorized by FIPS 199 based on three levels of risk:
  – High, medium, and low

• Sensitivity of the information in each system must be categorized at its highest level of potential impact on security
  – Concept known as the high water mark

Page 7: FIPS 199

• The high water mark concept is used to value the overall impact level of the information in the system

• Using the high water mark rule:
  – A low-impact information system is one in which all three security objectives (confidentiality, integrity, and availability) are categorized as low
  – A moderate-impact information system is one in which at least one of the security objectives is moderate and none are greater than moderate
  – A high-impact information system is one in which at least one security objective is high

Page 8: FIPS 200

• FIPS 200 guides the implementation of security controls for the information and information systems in each of the FIPS 199 categories

• FIPS 200 specifies minimum security requirements in 17 security-related domains

• Federal agencies must meet these requirements by using security controls specified in NIST 800-53, “Recommended Security Controls for Federal Information Systems Implementation”

Page 9: FIPS 200

• FIPS 200 adopts a risk-based approach to the selection of security controls needed to satisfy minimum requirements of FIPS 199

• FIPS 200 is meant to promote the development, implementation, and operation of more secure information systems within the federal government

• It establishes minimum levels of due diligence for security
  – Helps agencies use a more consistent, comparable, and repeatable approach for specifying security controls

Page 10: FIPS 200

• The following security-related areas are specified in FIPS 200:
  – Access control
  – Audit and accountability
  – Awareness and training
  – Certification, accreditation, & security assessments
  – Configuration management
  – Contingency planning
  – Identification and authentication
  – Incident response
  – Maintenance

Page 11: FIPS 200

• The following security-related areas are specified in FIPS 200 (cont’d):
  – Media protection
  – Personnel security
  – Physical and environmental protection
  – Planning
  – Risk assessment
  – System and communication protection
  – System and information integrity
  – Systems and services acquisition

Page 12: NIST 800-53 and General Implementation for FIPS 200

• Minimum security requirements of FIPS 200 are met by selecting the appropriate controls and assurance requirements from NIST 800-53

• After categorizing security for its system
  – The organization selects a set of security controls from NIST 800-53 that satisfy minimum security requirements for the 17 areas in FIPS 200

• Low-impact systems must employ security controls from the low baseline defined in NIST 800-53
  – Moderate-impact from moderate baseline and high-impact from the high baseline in NIST 800-53
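The high water mark rule on the FIPS 199 slides and the baseline selection on the NIST 800-53 slide above are mechanical enough to be written down as code. The following is an added example (not from the textbook slides, and not code from NIST): it rates each information type a system handles for confidentiality, integrity and availability, takes the highest rating per objective across all information types, applies the high water mark to get the system's overall impact level, and names the 800-53 baseline that level selects. The information types, their ratings, and the `InfoType`, `Impact` and `select_baseline` names are constructed for the example.

```python
"""FIPS 199 high-water-mark categorization and the NIST 800-53 baseline it selects.

Added example, not from the textbook or from NIST. Rules modelled:
  * each information type is rated Low/Moderate/High for confidentiality,
    integrity and availability;
  * the system's impact for each objective is the highest rating of any
    information type it handles (high water mark across types);
  * the system's overall impact level is the highest of its three objective
    ratings, which selects the Low, Moderate or High 800-53 baseline.
All information types and ratings below are constructed sample data.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential-impact levels; the ordering lets max() pick the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One kind of information a system stores or processes, with its C/I/A ratings."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


OBJECTIVES = ("confidentiality", "integrity", "availability")


def system_objective_impacts(info_types):
    """Per-objective impact for the whole system: the maximum over the information types it handles."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {obj: max(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}


def overall_impact(objective_impacts):
    """High-water-mark rule: Low only if all three objectives are Low,
    High if any objective is High, otherwise Moderate."""
    return max(objective_impacts.values())


def select_baseline(info_types):
    """Return (per-objective impacts, overall level, name of the 800-53 baseline to start from)."""
    objectives = system_objective_impacts(info_types)
    level = overall_impact(objectives)
    return objectives, level, f"NIST 800-53 {level.name.title()} baseline"


if __name__ == "__main__":
    # Constructed sample systems: a public web site and an internal HR records store.
    public_site = [InfoType("public press releases", Impact.LOW, Impact.LOW, Impact.LOW)]
    hr_system = [
        InfoType("employee contact data", Impact.MODERATE, Impact.LOW, Impact.LOW),
        InfoType("payroll records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    ]
    for system_name, types in (("public web site", public_site), ("HR records", hr_system)):
        objectives, level, baseline = select_baseline(types)
        print(system_name, {k: v.name for k, v in objectives.items()}, level.name, "->", baseline)
```

Note that a single Moderate rating on any one objective of any one information type is enough to pull the whole system to the Moderate baseline; the example deliberately puts the Moderate ratings on different objectives of different information types so that the two-stage maximum is visible in the output.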

Page 13: NIST 800-53 and General Implementation for FIPS 200

• Unless exceptions are granted, organizations must employ all security controls specified for their respective baselines

• The process of security categorization should involve senior decision makers, including:
  – Chief information officers, senior officers for information security, accrediting authorities, information system owners, and information stakeholders

• The set of security controls should be documented in the security plan for the information system

Page 14: Generic Security Controls

• Security controls: specific management, operating, and technical behaviors designed to protect information security in an organization

• Implementation of 800-53 is built around periodic assessments of risk and feedback obtained during preventative maintenance inspections of each control

• Within larger strategic management plans, specifically targeted plans are documented to ensure sufficient security for individual networks, facilities, or information systems

Page 15: Generic Security Controls

• The overall plan should also include:
  – Periodic testing and reviews to evaluate effectiveness of all security policies, procedures, practices, and security controls
  – Procedures for detecting, reporting, and responding to security incidents to ensure continuity of operations

Page 16: NIST 800-53 Catalog of Baseline Controls

• The goal of 800-53 is to facilitate a more consistent, comparable, and repeatable approach for selecting and specifying security controls
  – And to provide a catalog of those controls

• The control catalog provides a complete set of prototype controls to enable a comprehensive security response

• The 800-53 baseline ensures that security controls are defined consistently across the organization

Page 17: Organizational Risk Management and NIST 800-53

• The standard recommends the following steps for building an effective risk management system:
  – 1. Understand the impact of risk on each system in the organization
  – 2. Select and set a baseline for a satisfactory set of security controls to address estimated impacts on each system
  – 3. Adjust or tailor the initial baseline of security controls after assessing the impacts of identified risk on the system’s operating environment

Page 18: Organizational Risk Management and NIST 800-53

• Steps for building an effective risk management system (cont’d):
  – 4. Document the security controls in the system security plan, including justification for refinements or adjustments to the initial set of controls
  – 5. Implement the security controls in the system
  – 6. Assess the performance of the security controls to determine that they were implemented correctly, operate correctly, and satisfy security requirements
  – 7. Monitor and assess the selected controls continually

Page 19: Organizational Risk Management and NIST 800-53

• Security risks have to be categorized
  – To align specific implemented security measures with the importance of the information they are designed to protect

• After selecting an appropriate security control baseline:
  – The organization must consult the standard to apply scoping to the initial baseline

• Scoping ensures a proper balance between degree of protection and the assumed level of threat

Page 20: Practical Security Control Architectures

• Security controls in NIST 800-53 are organized into classes and families for ease of use

• Three general classes of security controls are:
  – Management, operational, and technical

• Characterization of security control architecture involves three elements:
  – A control description section
  – A supplemental guidance section for application of the control
  – A control enhancements section

Page 21: (no text on this slide; figure only)

Page 22: Part One of the Control Statement: Control Section

• The control section is a concise statement of the security capability that must be implemented to protect a particular aspect of an information system

• The control catalog allows a degree of flexibility in tailoring some of its controls
  – Lets the organization selectively define how to carry out any set of actions associated with the control

Page 23: Part Two of the Control Statement: Supplemental Guidance

• This section provides additional information that might be needed to clarify the control statement

• Example:
  – The standard suggests that any applicable federal legislation, executive orders, directives, policies, regulations, standards, and other reference documents might be included in the control documentation

Page 24: Part Three of the Control Statement: Control Enhancements

• Control enhancement: a security capability that is required to create additional functionality or strength for a basic control

• Control enhancements are numbered sequentially within the document for each control
  – Each addition to the basic functionality can be easily identified during an inspection or audit

Page 25: Real-World Control Formulation and Implementation

• A challenge in formulating and implementing security controls:
  – Identifying the right set of controls to address the real-world situation

• Using a standard baseline of “must address” controls as a starting point is helpful

• For conventional organizations, assurance requirements would probably be established based on a comprehensive threat analysis

Page 26: Real-World Control Formulation and Implementation

• For government organizations:
  – Requirements are dictated by the formal security categorizations and baseline controls in FIPS 199

• NIST 800-53, Appendix D specifies three sets of minimum security baseline controls that correspond to impact levels in FIPS 199 (low, medium, high)

• The baseline controls provide a point of reference for the organization to select and install necessary countermeasures to achieve security goals for a system’s impact level

Page 27: Real-World Control Formulation and Implementation

• 800-53 control activities are applied one control at a time

• The controls are grouped by security control baseline

• Supplemental guidance is provided to help tailor the final set of controls to the specific application
  – When an organization’s security needs do not conform to the assurance provided by the standard baseline

Page 28: NIST 800-53 Control Baselines

• NIST 800-53 baselines provide the initial point of reference for selecting and implementing controls to achieve security goals

• The baseline is used to design and implement safeguards and countermeasures that mitigate risks to an organization’s operations and assets

• Requirements for security controls within each category of baselines are described by three tables in three annexes to the standard
  – Annex One, Annex Two, and Annex Three

Page 29: The Low Baseline

• Assurance requirement for the low baseline:
  – The organization can demonstrate that the security control is in place and generally achieves the expressed requirements in the control statement

• Primary outcomes of the low baseline:
  – All security controls are defined
  – No obvious errors are likely to exist
  – Any flaws in the security scheme will be addressed promptly as they are discovered

Page 30: The Low Baseline

• The organization provides a description of the control’s functional properties
  – As well as its design and development requirements

• The organization develops a precise description of all requisite behaviors, technical actions, and activities
  – To ensure that the control will satisfy all intended outcomes when implemented properly

• The organization must also include a description of how it will continually assess and improve the effectiveness of the control

Page 31: The Moderate Baseline

• Organizations must:
  – Design and document each control so that defects and anomalies will be detected and corrected
  – Be able to demonstrate that these security controls are present and documented
  – Develop a description of behaviors that the control must exhibit
  – Ensure the performance of the people involved in designing and operating the security controls
  – Provide a detailed policy description of staff responsibilities and behaviors

Page 32: The High Baseline

• Assurance requirements must be trustworthy enough to ensure reliable execution of control and its continual improvement

• The organization must:
  – Use formal and well-defined processes to design, develop, and implement its controls
  – Produce documentation to support audited proof of compliance with security requirements for high-impact baselines

Page 33: The High Baseline

• The prior requirements for low and moderate baseline security apply to high-impact baselines

• The organization must provide a description of expected outcomes for each control’s operation

• To ensure a control works properly:
  – All interactions with hardware, software, vendors, and other personnel must be described and documented

• The description should include relevant contractors and ancillary stakeholders

Page 34: Enhancements to Control Baselines

• The need might arise to add unconventional assurance requirements
  – To enhance protection and supplement the minimum assurance requirements stipulated for the moderate and high baselines

Page 35: Six Feasibility Considerations for NIST 800-53

• Influences on how baseline controls are applied:
  – Technological feasibility: an organization cannot recommend a control without considering whether the needed technology is in place
  – Compatibility of management processes: an organization must be able to say with assurance that a change to operating processes will not harm security
  – Denial of service: the addition of a behavioral control that causes a conflict with an everyday business process can lead to a security exposure or harm business operations

Page 36: Six Feasibility Considerations for NIST 800-53

• Influences on how baseline controls are applied (cont’d):
  – System evolution: the ability to extend a system over the long term
  – Economy of mechanism: the user is less likely to make a mistake in executing a control if it is intuitively obvious to operate
  – Consideration of injected risk: a new risk can be mitigated if it is properly considered at the time the change is made

Page 37: Compensating Security Controls

• Modifications to baseline recommendations will probably be needed
  – To achieve the requisite level of assurance

• Modifications are mostly driven by a supplemental risk evaluation
  – That leads to tailoring decisions and the eventual controls that are documented in the security plan

• Security control baselines in 800-53 should be viewed as a starting point
  – The control catalog in Annex D can be used to add additional controls

Page 38: Compensating Security Controls

• Determination of the final set of security controls is dictated by the organization’s risk environment
  – Ongoing assessments of existing security threats should occur

• Controls specified in the NIST 800-53 control catalog might not be part of a particular low, moderate, or high baseline
  – The standard states that the organization may “employ a compensating security control that provides equivalent or comparable protection”

Page 39: Compensating Security Controls

• The organization selects the compensating control from the security control catalog
  – Then provides a comprehensive justification for how the compensating control represents an equivalent security capability or level of protection

• Next, the organization assesses and formally accepts the risk associated with employing an alternative control
  – Use of the control must be reviewed by the appropriate authority and then documented in the security plan
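The slides on pages 13 and 37 to 39 together describe a set of record-keeping obligations for the security plan: every baseline control is either employed or replaced by a compensating control, and a compensating control must come from the control catalog, carry a justification of equivalent protection, have its residual risk formally accepted, and be reviewed by the appropriate authority. The following is an added example (not from the textbook slides, and not a NIST tool) of a consistency check that a GRC or security engineering team could run over a machine-readable security plan to find entries that miss one of those obligations. The `PlanEntry` structure, the `check_security_plan` function, and every control identifier below are constructed for the example; the family prefixes follow the 17 FIPS 200 areas, but the numbered identifiers are placeholders, not quotations from the standard.

```python
"""Consistency check of tailoring and compensating-control records in a security plan.

Added example, not from the textbook or from NIST. For each control in the
selected baseline the plan must either mark it implemented or record a
compensating control that (a) is in the control catalog, (b) carries a
justification of equivalent protection, (c) has a formal risk acceptance and
(d) names the reviewing authority. Controls added beyond the baseline are
allowed as long as they come from the catalog.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PlanEntry:
    """One control's record in the system security plan (constructed structure)."""
    control: str
    status: str                                # "implemented" or "compensated"
    compensating_control: Optional[str] = None  # catalog identifier of the replacement
    justification: str = ""                    # why the replacement gives equivalent protection
    risk_accepted_by: Optional[str] = None     # who formally accepted the residual risk
    reviewed_by: Optional[str] = None          # authority that reviewed the substitution


def check_security_plan(baseline, catalog, entries):
    """Return a list of findings; an empty list means the plan is consistent."""
    by_control = {e.control: e for e in entries}
    findings = []
    for ctrl in baseline:
        e = by_control.get(ctrl)
        if e is None:
            findings.append(f"{ctrl}: baseline control has no entry in the security plan")
            continue
        if e.status == "implemented":
            continue
        if e.status != "compensated":
            findings.append(f"{ctrl}: unknown status {e.status!r}")
            continue
        # Each obligation is reported separately so the plan owner sees everything at once.
        if e.compensating_control not in catalog:
            findings.append(f"{ctrl}: compensating control {e.compensating_control!r} is not in the control catalog")
        if not e.justification.strip():
            findings.append(f"{ctrl}: no justification of equivalent protection recorded")
        if not e.risk_accepted_by:
            findings.append(f"{ctrl}: residual risk has not been formally accepted")
        if not e.reviewed_by:
            findings.append(f"{ctrl}: substitution not reviewed by the appropriate authority")
    for ctrl in by_control:
        if ctrl not in baseline and ctrl not in catalog:
            findings.append(f"{ctrl}: control in plan is not in the control catalog")
    return findings


# Constructed sample data: placeholder identifiers using FIPS 200 family prefixes.
CATALOG = {"AC-1", "AC-2", "AC-3", "AU-1", "AU-2", "IA-1", "IA-2", "SC-1", "SC-7"}
MODERATE_BASELINE = ["AC-1", "AC-2", "AU-2", "IA-2", "SC-7"]


def sample_entries():
    """A deliberately imperfect plan: one good substitution, one bad one, one gap."""
    return [
        PlanEntry("AC-1", "implemented"),
        PlanEntry("AC-2", "compensated", compensating_control="AC-3",
                  justification="AC-3 enforces the same account restrictions at the resource layer",
                  risk_accepted_by="CIO", reviewed_by="Authorizing official"),
        PlanEntry("AU-2", "compensated", compensating_control="AU-99"),  # not in catalog; nothing recorded
        PlanEntry("IA-2", "implemented"),
        PlanEntry("SC-1", "implemented"),  # added beyond the baseline; allowed because it is in the catalog
        # SC-7 is missing from the plan entirely
    ]


def example_findings():
    return check_security_plan(MODERATE_BASELINE, CATALOG, sample_entries())


if __name__ == "__main__":
    for finding in example_findings():
        print(finding)
```

Running the block reports four findings for the AU-2 substitution and one for the missing SC-7 entry, and nothing for the AC-2 substitution or the extra SC-1 control. Treating each obligation as its own finding mirrors how an audit would read the plan: a substitution with a justification but no formal risk acceptance is still incomplete.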

Page 40: Summary

• Regulatory models are excellent examples of frameworks for defining processes

• FISMA, the Federal Information Security Management Act, is known officially as Title III of P.L. 107-347, the E-Government Act

• Three standards guide compliance with FISMA

• FIPS 200 is further implemented by a third standard called Special Publication 800-53 from the National Institute of Standards and Technology (NIST)

• FIPS 199 is an organization’s basis for selecting appropriate security controls for information

Page 41: Summary

• The application of FISMA’s requirements is dictated by the information’s classification level

• Information and information systems are categorized in FIPS 199 based on three levels of risk: high, medium, and low

• FIPS 200 specifies minimum security requirements for federal agencies in 17 domains

• Federal agencies meet minimum security requirements in each domain by using the security controls specified in NIST 800-53

Page 42: Summary

• FIPS 200 implements a risk-based process for selecting security controls

• The controls in NIST 800-53 represent a range of safeguards and countermeasures