DATABASE DEVELOPMENT AND SECURITY CERTIFICATION AND ACCREDITATION PLAN (PITWG)
DESCRIPTION
Information Systems Development and Database Development Management Meeting: security and legal security requirements
TRANSCRIPT
DATABASE SECURITY CERTIFICATION & ACCREDITATION PLAN
PITWG - PROMONSTERMEDIA IT WORKING GROUP
Presented by John M. Kennedy
October 30, 2007
ProMonsterMedia, LLP
ProMonsterMedia Working Group
AGENDA
Incident Response Plan
Security Requirements
Information System Security Policy
Contingency Plan
Security Education, Training and Awareness Program [SETA]
CONTENT
Phone Contact List
Check List
Goals and Objectives
Attack Impact Matrix
Notification Matrix
Evidence Guidance
Actual Procedures
Guides (appendix)
DEVELOPMENT TEAM
Senior Management
Provides support and authority to act
Provides funding
Provides approval
Steering Committee
Overall direction of the IRP
Frequent review of draft plans
One member from each impacted department
DEVELOPMENT MILESTONES
Create Steering Committee
Establish Team Lead
Identify Critical Systems and Data
Identify Disasters
Draft Plan According to Matrix
Plan Review
Plan Approval
DITSCAP STEP RELATIONSHIP
Developed after the initial design of the system: Step 1 - Definition
Used after the system has been put into place: Step 4 - Post Accreditation
DEVELOPMENT ESTIMATES
No simple answer; no "canned" solution
Time to prepare depends on:
How prepared (documented)
How skilled (development team)
Level of support (departments)
Size of plan (manual size)
Identify Members
Identify Critical Systems
Identify Critical Data
Identify Appropriate Response
DBMS SECURITY REQUIREMENTS
Security Policy
Purpose
Audience
Security Measures
Ongoing Monitoring
Deployment of necessary security measures and tools
SYSTEM DEVELOPMENT LIFE CYCLE
Initiation Phase
Development Phase
Implementation Phase
Operations Phase
Disposal Phase
System-Level Prioritization
Enterprise-Level Prioritization
SECURITY CONCEPTS
• Security Features: features the system-to-be must have (e.g. Privacy)
• Protection Objectives: principles that contribute towards the security features (e.g. Access Control)
• Security Mechanisms: mechanisms to achieve the protection objectives (e.g. Authentication)
DATABASE SECURITY MEASURES
Vulnerabilities assessment
Access control: passwords, physical security, access cards, biometric authentication, wireless security
Network security: TCP/IP standards, the Internet protocol
DATABASE PERIMETER SECURITY MEASURES
Firewalls and anti-virus: types of protection, firewall architecture
Host security: server hardening, patching, client hardening
SECURITY MEASURES
Cryptography: symmetric vs. asymmetric encryption, public key infrastructure (PKI) encryption, digital certificates
E-mail security
Intrusion detection system (IDS)
Penetration testing
Logging and traffic monitoring
SECURITY MEASURES
Vulnerabilities assessment
Defining the scope of vulnerability management
Asset inventory
Information management
Tools
Reporting and remediation
Response planning
DATABASE SECURITY MEASURES
Access controls
Reusable passwords
Passwords must be changed periodically
Password policies
Good passwords
Physical security
To buildings and infrastructure
Access cards
Biometric authentication
Wireless security
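The password rules named on this slide (periodic change, a password policy, a good password) shown as one concrete, checkable policy in working code. This is an added illustration, not code from the ProMonsterMedia plan or from the presentation; the thresholds (12-character minimum, three character classes, a 90-day maximum age, no reuse of the last five passwords), the PBKDF2 iteration count and the sample account name are assumptions chosen for the demonstration.

```python
"""Password-policy checks for a DBMS account (added illustration).

Not part of the ProMonsterMedia plan. Every threshold below is an assumed
value picked for the demo, not a figure from the presentation.
"""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12      # assumed: "good password" minimum length
    min_classes: int = 3      # assumed: of lower, upper, digit, symbol
    max_age_days: int = 90    # assumed: "changed periodically" made concrete
    history_size: int = 5     # assumed: current + previous digests kept


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes
    changed_on: date
    # (salt, digest) pairs of earlier passwords; the passwords themselves are never stored
    history: list = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash; the stored value is not a reusable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _char_classes(password: str) -> int:
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def strength_problems(password: str, user: str, policy: PasswordPolicy) -> list:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if _char_classes(password) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if user.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def is_expired(account: Account, policy: PasswordPolicy, today: date) -> bool:
    """Periodic-change rule: true once the password is older than max_age_days."""
    return (today - account.changed_on).days > policy.max_age_days


def change_password(account: Account, new_password: str,
                    policy: PasswordPolicy, today: date) -> list:
    """Apply the policy; on success update the account in place and return []."""
    problems = strength_problems(new_password, account.user, policy)
    # Reuse check: re-derive the candidate with each stored salt and compare digests.
    for old_salt, old_digest in [(account.salt, account.digest)] + account.history:
        if _digest(new_password, old_salt) == old_digest:
            problems.append(f"reuses one of the last {policy.history_size} passwords")
            break
    if problems:
        return problems
    account.history.insert(0, (account.salt, account.digest))
    del account.history[policy.history_size - 1:]   # current + history = history_size
    account.salt = os.urandom(16)
    account.digest = _digest(new_password, account.salt)
    account.changed_on = today
    return []


def new_account(user: str, password: str, policy: PasswordPolicy, today: date) -> Account:
    problems = strength_problems(password, user, policy)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(user, salt, _digest(password, salt), today)


def demo() -> dict:
    """Walk one constructed account through the rules; returns the outcomes."""
    policy = PasswordPolicy()
    today = date(2007, 10, 30)                      # date of the presentation
    acct = new_account("jkennedy", "Tr0ub4dor&3-plan", policy, today)  # constructed sample
    return {
        "weak_rejected": bool(change_password(acct, "password1", policy, today)),
        "reuse_rejected": bool(change_password(acct, "Tr0ub4dor&3-plan", policy, today)),
        "good_accepted": change_password(acct, "C&A-plan-2007-Oct!", policy, today) == [],
        "expired_after_91_days": is_expired(acct, policy, date(2008, 1, 29)),
    }


if __name__ == "__main__":
    print(demo())
```

Stored values are salted PBKDF2 digests, so the reuse check re-derives the candidate with each old salt rather than keeping old passwords around; is_expired takes the current date as a parameter so the periodic-change rule can be tested without a clock.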
DATABASE SECURITY MEASURES
Network security
TCP/IP standards
Internet protocol
HTTPS protocol
Secure Sockets Layer (SSL)
SECURITY MEASURES
Firewall
Types of protection: packet inspection, application inspection, denial of service inspection, authentication of users
Types of firewalls: router screening, computer based, host firewalls; stateful, ACL, and application firewalls
SECURITY MEASURES
Host security
Hardening servers
Hardening clients
Hosting servers in separate secure buildings
Patch installation
Managing permissions
Testing for vulnerabilities
SECURITY MEASURES
Auditing: audit trails, purpose of the audit mechanism, aspects of effective auditing
Risk assessment: periodically assess risks; threat, vulnerability and asset identification
Disaster and recovery
SUMMARY: SECURITY MEASURES
System milestones
The development process will start at the beginning of the project and will be an ongoing process.
Estimated number of hours to complete Appendix F = 10 hours
Estimated number of pages = 17
5 IT personnel x $35/hr = $175
$175 x 17 (pages) x 10 (hrs/page) = $29,750 total cost for Appendix F
TOPICS OF DISCUSSION
Policy Content
Identify Roles and Responsibilities
Access Control & External Access
User Characteristics
Sensitivity of Processed Data
Tasks and Estimates
PURPOSE OF THE INFORMATION DATABASE MANAGEMENT SYSTEM SECURITY POLICY
Informs all users of the goals and constraints of using the system.
Explains how the security program is structured.
Provides scope and direction for all security activities within the organization.
Recognizes the system’s sensitive assets.
Complies with applicable laws and regulations.
Characteristics of a well-developed security policy: coverage, durability, realism, usefulness
TARGET INFORMATION SYSTEM: PROMONSTERMEDIA DATABASE
System Description: distributed database, queried by telecommuting employees and clients
System Capabilities: stores and distributes information to clients
Sensitive data processed: malpractice lawsuits, disciplinary actions
DATABASE POLICY CONTENT
Roles & Responsibilities
Designated Approving Authority (DAA)
Information System Security Officer (ISSO)
User Representatives
Database Administrator
Access Control & External Access
Auditing
Public Key Infrastructure & E-mail
Internet Security
Virus Definition Updates
User Characteristics
Discretionary Access Control
Password Management
Sensitivity of Processed Data
Data Classification
Data Markings
Printed Data
TASKS AND ESTIMATES
Tasks
1st: Draft of document
2nd: Release of document
3rd: Baseline document, if approved
Estimate based on NWA 50193/0002 for completion of 100 pages: 8 man-hours per page @ 1 FTE = 105 USD
13 pgs x 105 USD = 10,500 USD
Estimate: 10 pgs x 8 hrs = 80 hours; 80 hrs x 105 USD = 8,400 USD
FTE (Full Time Engineer, $13.13)
USD (United States Dollars)
QUESTIONS
"What do we do when we cannot use our facility?"
"What can we do now to better prepare our business unit to respond when our facility is unavailable?"
PREVENTION
The best way to prepare for a disaster is to avoid the disaster. Therefore, look for any potential problems you can find and correct them.
Observe physical security procedures in your facility, and encourage increased security when appropriate.
Observe information security procedures regarding computers in your facility, and encourage increased security when appropriate.
Consider encouraging security-training sessions where appropriate.
VALIDATION REQUIRED (NO LESS THAN ANNUALLY)
IT system contingency plans must be tested annually
Table-top exercise
Functional exercise
CONGRESSIONAL & DOD REQUIREMENTS
Public Law 107-347, also known as the Federal Information Security Management Act of 2002 (FISMA)
Requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems
CONTINGENCY PLANNING
Contingency planning is the task that develops a plan for emergency response, backup operations, and post-disaster recovery.
CONTINGENCY PLAN EVALUATION
The contingency plan evaluation task analyzes the contingency, back-up, and continuity of service plans to ensure the plans are consistent with the requirements identified in the SSAA.
PLAN ORIENTATION
The team plan has been developed by the ProMonsterMedia IT Working Group
Team Leaders are responsible for part of the plan development process.
PLAN CHECKLIST
The form is used to chart the progress in developing your business resumption plan.
Each plan segment/module is listed with the development responsibility.
LIFE-CYCLE MANAGEMENT ANALYSIS
This certification task ensures that change control and configuration management practices are, or will be, in place and are sufficient to preserve the integrity of the security-relevant software and hardware.
CONTINGENCY CERTIFICATION (PHASE 3)
Inspections of operational sites to ensure their compliance with the physical security, procedural security, TEMPEST, and COMSEC requirements.
DBMS GENERAL INFORMATION
Review configuration & security management: follow the change management documented in the SSAA; determine if system security management continues to support the mission and architecture
Conduct risk management review: assess if risk to CIAA is being maintained at an acceptable level
Conduct compliance validation if needed: ensure continued compliance with SSAA regulations, the current threat assessment, and the concept of operations
Maintain SSAA
SECURITY EDUCATION, TRAINING AND AWARENESS PROGRAM
MAIN TOPICS
1. Definition
2. The Target Audience
3. Rationale and Purpose
4. System Milestones
5. Content Development
6. Estimates
7. References
8. Appendices
Michael Whitman (2006) stated that a SETA plan is a "Program designed to provide direct, applied measures to influence employee behavior, increase employee abilities and enable the organization to hold employees accountable for their actions." (p. 22)
Now, why are education, training and people awareness so important for protecting and securing critical or sensitive information?
What is a Security Education, Training and Awareness [SETA] Plan?
The most secure point of failure in any security program. Security is everyone's responsibility!
According to Wilson & Hash (2003), the key factor in providing security is not the technology or the state-of-the-art efforts to protect and secure the Information Systems [IS].
To provide adequate information security, the people factor is the key factor, because people are the system's weakest link. (p. 1)
SEC_RITY is not complete without U!
The Weakest Link
All people using or administering the Database Management System and Information Systems must:
Understand ProMonsterMedia's mission and their roles and responsibilities
Follow ProMonsterMedia's Information System Security Policy, regulations and practices.
Be trained in and/or aware of the risks, threats and the methods of control implemented to protect and secure the Information System's critical assets and resources (Wilson & Hash, October 2003).
Database Security SETA PROGRAM RATIONALE
ALBERT EINSTEIN USED TO SAY
“Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.”
“Problems cannot be solved at the same level of awareness that created them.”
(Whitman, 2006, p. 30)
Legal Components: Official Sources and Documentation
1. ISO 17799
2. COBIT 4.0
3. HIPAA (Privacy & Security Rules)
4. GLB-A
5. PCI Data Security Standard
6. OMB Circular A-130
7. FISMA, Public Law 107-347
8. NIST SP 800-16
9. NIST SP 800-50
10. Section 508 of the Rehabilitation Act
(Addison, 2007)
Best Practices & Guides
THE FUNCTIONS OF THE SETA PROGRAM ACCORDING TO THE NIST
1. By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
2. By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
3. By improving awareness of the need to protect system resources (NIST, 1995).
The System Milestones
NIST LIFE-CYCLE MODEL FOR SETA
These are the following phases of this life cycle development process for SETA described by Wilson and Hash (2003) in the NIST SP800-50:
1. Awareness and Training Program Design (Wilson & Hash, 2003, Section 3)
2. Awareness and Training Material Development (Wilson & Hash, 2003, Section 4)
3. Program Implementation (Wilson & Hash, 2003, Section 5)
4. Post-Implementation (Wilson & Hash, 2003, Section 6)
SECURITY BODY OF KNOWLEDGE TOPICS AND CONCEPTS ACCORDING TO NIST SP800-16
Laws and Regulations
IT Security Program
System Environment
System Interconnection
Information Sharing
Sensitivity
Risk Management
Management Controls
Acquisition/Development/Installation/Implementation Controls
Operational Controls
Awareness, Training, and Education Controls
Technical Controls
(Wilson, de Zafra, Tressler, & Ippolito, April 1998)
SETA MANAGING MODELS
Three models:
1. Centralized
2. Partially Decentralized
3. Fully Decentralized
(Wilson & Hash, 2003)
Figure 2 Model 1 – Centralized Program Management (Wilson & Hash, 2003, p. 23, figure 3-1)
LEARNING IS A CONTINUUM
"Awareness is not training or education; it is bringing attention to the importance of security issues." (Wilson, Zafra, Tressler et al, 1998)
Figure 2 depicts the continuum (Wilson & Hash, 2003, p. 18, figure 2-1)
Wilson & Hash (2003) indicated that “Training strives to produce relevant and needed security skills and competencies.” (p. 9)
The NIST SP800-16 states: "Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response." (Wilson, Zafra, Tressler et al, 1998)
NEEDS ASSESSMENT KEY QUESTIONS
The NIST SP800-50 (2003) provides the following questions (p. 29):
• What awareness, training, and/or education are needed (i.e., what is required)?
• What is currently being done to meet these needs?
• What is the current status regarding how these needs are being addressed (i.e., how well are current efforts working)?
• Where are the gaps between the needs and what is being done (i.e., what more needs to be done)?
• Which needs are most critical?
Figure 4 shows the required level of training versus the current level of effort (Wilson & Hash, 2003, p. 30, figure 3-7 )
IMPLEMENTATION OF AWARENESS AND TRAINING PROGRAM
Did our team complete a needs assessment?
Did our team develop an overall strategy?
Did our team complete an awareness and training program for implementing the strategy previously developed?
Did the security team finally develop the awareness and training material?
Figure 5 Key Steps Leading to Program Implementation (Wilson & Hash, 2003, p. 42, figure 5-1 )
MANAGING CHANGE – ONGOING IMPROVEMENT OR RAISING THE BAR
Figure 7 Evaluation and Feedback Methodology (Wilson & Hash, 2003, p. 48, figure 6-2 )
ASTRONOMICAL NUMBER$
Government Security Classification Costs Estimate, Fiscal Year 2005
Total = $7.7 Billion
Personnel Security = $1.15 Billion
Physical Security = $1 Billion
Information Security = $4 Billion
Information Technology = $3.6 Billion
Classification Management = $310 Million
Declassification = $57 Million
Professional Education and Training = $219 Million
Security Management and Planning = $1.2 Billion
Unique = $6.6 Million
(ISOO, 2005)
ESTIMATES & PHASES
Phase | Estimated SETA Team Hours | Estimated Number of Pages
1st: The SETA Strategic Planning | 5 | 50
2nd: Program Design and Development | 30 | 50
3rd: Delivery, Administration & Post-Implementation | 25 | 80
Total = 60 estimated SETA Team hours per 180 estimated pages.
CALCULATING THE ESTIMATES
Estimate based on completion of 180 pages
1 SETA Security Team hour equals $250.00 US Dollars [USD]
Estimated total number of pages equals 180
Estimated total SETA Security Team hours equals 60
Estimated Appendix "O" SETA plan cost: 60 SETA Security Team hours x $250.00 per hour = $15,000.00 US Dollars
Other expenses and misc. = 5,000.00 USD
ESTIMATED TOTAL COST = $20,000.00
CONCLUSION
Thank you for your attention and, just as a reminder:
Security is about “us” not only about you. We are all in it.
Do you have any questions?
REFERENCES
2007 LandWarNet Conference. (2007, Aug 21). Notes.
Addison, S. (2007, July 3). Best Practices for Security Awareness Training. Security-awareness.com. Retrieved October 24, 2007, from http://security-awareness-training.com/2007/07/23/best-practices-for-security-awareness-training/
Bowen, P., Hash, J. & Wilson, M. (2006). Information Security Handbook. Retrieved October 26, 2007, from http://www.nist.gov
Brackin, C. (2003). Vulnerability Management: Tools, Challenges, & Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room
Business Resumption Development Guide. (2006, May 5). Buckley King LPA.
Canavan, S. & Diver, S. (2007). Information Security Policy: A Development Guide for Large & Small Companies. Retrieved October 26, 2007, from http://www.sans.org/reading room
Department of Defense [DoD]. (2000, July 31). Information Technology Security Certification and Accreditation Process (DITSCAP). Application Manual DoD 8510.1-M. Retrieved October 24, 2007, from http://www.dtic.mil/whs/directives/corres/pdf/851001m.pdf
Department of Defense. (1997, Dec 30). Information Assurance. Retrieved October 28, 2007, from http://iase.disa.mil/ditscap/DitscapFrame.html
DIACAP and the GIGIA Architecture. (2005, March). Retrieved October 27, 2007, from http://www.afei.org/documents/DIACAPandtheGIGCCRTS_371.pdf
DISA. (2007, June 21). Enclave Security Technical Implementation Guide, Version 4, Release 1. DISA Field Security Operations. Developed by DISA for the DoD. Retrieved October 28, 2007, from http://iase.disa.mil/stigs/stig/enclave-stig-v4r1.pdf
DOD 5200.28-STD. (1985, December 26). Trusted Computer System Evaluation Criteria.
Security Functionality Requirements. (1992, January 28). Minimum Security Functionality Requirements for Multi-User Operating Systems. Retrieved October 15, 2007, from http://security.isu.edu/pdf/secfunreq.pdf
Foix, R. (2004, October 4). Expanding responsibility for incident response. Computerworld, 38(40), 28. Retrieved October 27, 2007, from Computer Source database.
G. (2002). Implementing an Effective IT Security Program. Retrieved October 27, 2007, from http://www.sans.org/reading room
GadAllah, S. (2003). The Importance of Logging & Traffic Monitoring for Information Security. Retrieved October 27, 2007, from http://www.sans.org/reading room
Iase.disa.mil. Information Assurance Support Environment Profile. Retrieved October 26, 2007, from http://iase.disa.mil/
Information Security Oversight Office [ISOO]. (2005). Report on Cost Estimates for Security Classification Activities: Background and Methodology. Retrieved October 28, 2007, from http://www.archives.gov/isoo/reports/2005-cost-report.html
Kyle, S. (2003). Biometrics: An In-Depth Examination. Retrieved October 27, 2007, from http://www.sans.org/reading room
Maiwald, E. (2002). Security Planning and Disaster Recovery. Blacklick, OH: McGraw-Hill Professional.
National Computer Security Center (NCSC). (1987). A Guide to Understanding Audit in Trusted Systems. Retrieved October 27, 2007, from http://csrc,ncsl.nist.gov/publications/secpubs/rainbow/tg001.txt
Panko, R. (2004). Corporate Computer and Network Security. Upper Saddle River, NJ: Pearson Education Inc.
Pfleeger, C. & Pfleeger, S. (2003). Security in Computing (3rd ed.). Upper Saddle River, NJ: Pearson Education Inc.
Pratt, M. (2007, May 16). Five tips for building an incident response plan. Retrieved October 27, 2007, from Computerworld Web site: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019558&pageNumber=1
Ross, R. (2004). Guide for the Security Certification and Accreditation of Federal Information Systems. Maryland: Diana Publishing Company.
Setty, H. (2001). System Administrator-Security Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room
Thompson, D. (2005). Implementing a Secure Wireless Network for a Windows Environment. Retrieved October 27, 2007, from http://www.sans.org/reading room
Whitman, M. E. (2006). Assuring the Integrity of Financial Information Systems: Awareness and Responsibility of Employees and Business Partners. Michael E., Ph.D., CISSP. Center for Information Security Education. Kennesaw State University. Retrieved October 24, 2007 from http://www3.uakron.edu/cba/cretisa/2006/whitman_infosec.pdf
Wilson, M., & Hash, J. (2003, October). Building an Information Technology Security Awareness and Training Program. NIST Special Publication 800-50. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8933.
Wilson, M., & Hash, J. (2003, October). Information Technology Security Awareness, Training, Education, and Certification. ITL Bulletin. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST). Retrieved October 23, 2007, from http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm
Wilson, M., de Zafra, D. E., Tressler, J. D., & Ippolito, J. B. (1998, April). Information Technology Security Training Requirements: A Role- and Performance-Based Model. NIST Special Publication 800-16 (supersedes Special Publication 500-172). U.S. Department of Commerce, Technology Administration, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-0001. Retrieved October 24, 2007, from http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf
www.dtic.mil (n.d). Retrieved October 22, 2007, from http://www.dtic.mil/whs/directives/corres/text/p85101m.txt