database development and security certification and accreditation plan pitwg

DATABASE SECURITY CERTIFICATION & ACCREDITATION PLAN
PITWG - PROMONSTERMEDIA IT WORKING GROUP
Presented by John M. Kennedy, October 30, 2007
ProMonsterMedia, LLP / ProMonsterMedia Working Group


DESCRIPTION: Information Systems Development and Database Development Management Meeting; security and legal security requirements.

TRANSCRIPT


AGENDA

Incident Response Plan

Security Requirements

Information System Security Policy

Contingency Plan

Security Education, Training and Awareness Program [SETA]

PROMONSTERMEDIA DATABASE INCIDENT RESPONSE PLAN

PURPOSE
• How do I deal with this?
• What impact does it have?
• Who needs to know?

LAWS & REGULATIONS
• DITSCAP
• HIPAA
• Sarbanes-Oxley

CONTENT
• Phone Contact List
• Check List
• Goals and Objectives
• Attack Impact Matrix
• Notification Matrix
• Evidence Guidance
• Actual Procedures
• Guides (appendix)

DEVELOPMENT TEAM: Senior Management
• Provides support and authority to act
• Provides funding
• Provides approval

DEVELOPMENT TEAM: Steering Committee
• Overall direction of the IRP
• Frequent review of draft plans
• One member from each impacted department

DEVELOPMENT TEAM: Development Team
• Project Officer
• Support Staff (each department)

DEVELOPMENT MILESTONES
• Create Steering Committee
• Establish Team Lead
• Identify Critical Systems and Data
• Identify Disasters
• Draft Plan According to Matrix
• Plan Review
• Plan Approval

DITSCAP STEP RELATIONSHIP
• Developed after the initial design of the system: Step 1 - Definition
• Used after the system has been put into place: Step 4 - Post Accreditation

DEVELOPMENT ESTIMATES
• No simple answer
• No "canned" solution
• Time to prepare (depends...) on:
  - How prepared (documented)
  - How skilled (development team)
  - Level of support (departments)
  - Size of plan (manual size)
• Identify members
• Identify critical systems
• Identify critical data
• Identify appropriate response

TARGET USERS
• Incident Response Team Members

(Maiwald, 2002)

Database Management Systems Security Requirements

DBMS SECURITY REQUIREMENTS: Security Policy
• Purpose
• Audience
• Security measures
• Ongoing monitoring
• Deployment of the necessary security measures and tools

SYSTEM DEVELOPMENT LIFE CYCLE
• Initiation Phase
• Development Phase
• Implementation Phase
• Operations Phase
• Disposal Phase

DATABASE SECURITY DIAGRAM EXAMPLE
(Diagram: Security Feature, Protection Objective and Database Security Mechanism, with System-Level Prioritization and Enterprise-Level Prioritization.)

SECURITY CONCEPTS
• Security Features: the security features the system-to-be must have (e.g. Privacy)
• Protection Objectives: principles that contribute towards the security features (e.g. Access Control)
• Security Mechanisms: mechanisms to achieve the protection objectives (e.g. Authentication)

SECURITY CONTROLS: Awareness and Training
• Awareness
• Training
• Education
• Certification

DATABASE SECURITY MEASURES
• Vulnerabilities assessment
• Access control: passwords, physical security, access cards, biometric authentication, wireless security
• Network security: TCP/IP standards, the Internet Protocol

DATABASE PERIMETER SECURITY MEASURES
• Firewalls and anti-virus: types of protection, firewall architecture
• Host security: server hardening, patching, client hardening

SECURITY MEASURES: Cryptography
• Symmetric vs. asymmetric encryption
• Public key infrastructure (PKI) encryption
• Digital certificates
• E-mail security
• Intrusion detection system (IDS)
• Penetration testing
• Logging and traffic monitoring

DATABASE DISASTER & RECOVERY SECURITY MEASURES
• Audit
• Risk assessment
• Disaster and recovery

SECURITY MEASURES: Vulnerabilities assessment
• Defining the scope of vulnerability management
• Asset inventory
• Information management
• Tools
• Reporting and remediation
• Response planning

DATABASE SECURITY MEASURES: Access controls
• Reusable passwords: passwords must be changed periodically
• Password policies: what makes a good password
• Physical security: access to buildings and infrastructure, access cards, biometric authentication
• Wireless security

DATABASE SECURITY MEASURES: Network security
• TCP/IP standards: the Internet Protocol, the HTTPS protocol, Secure Socket Layer (SSL)

SECURITY MEASURES: Firewall
• Types of protection: packet inspection, application inspection, denial of service inspection, authentication of users
• Types of firewalls: router screening, computer-based, host firewalls; stateful, ACL and application firewalls

SECURITY MEASURES: Host security
• Hardening servers
• Hardening clients
• Hosting servers in separate secure buildings
• Patch installation
• Managing permissions
• Testing for vulnerabilities


SECURITY MEASURES: Auditing
• Audit trails
• Purpose of the audit mechanism
• Aspects of effective auditing

SECURITY MEASURES: Risk assessment
• Periodically assess risks
• Threat, vulnerability and asset identification

SECURITY MEASURES: Disaster and recovery

SUMMARY: SECURITY MEASURES
System milestones: the development process will start at the beginning of the project and will be an ongoing process.
• Estimated number of hours to complete appendix F = 10 hours
• Estimated number of pages = 17
• 5 IT personnel x ($35/hr) = $175
• $175 x 17 (pages) x 10 (hrs/page) = $29,750 total cost for appendix F

Information System Security Policy

POLICY
• Purpose of the Information System Security Policy
• Target Information System

TOPICS OF DISCUSSION
• Policy Content
• Identify Roles and Responsibilities
• Access Control & External Access
• User Characteristics
• Sensitivity of Processed Data
• Tasks and Estimates

PURPOSE OF THE INFORMATION DATABASE MANAGEMENT SYSTEM SECURITY POLICY
• Informs all users of the goals and constraints of using the system.
• Explains how the security program is structured.
• Provides scope and direction for all security activities within the organization.
• Recognizes the system's sensitive assets.
• Characteristics of a well-developed security policy: coverage, durability, realism, usefulness.
• Complies with applicable laws and regulations.

TARGET INFORMATION SYSTEM: PROMONSTERMEDIA DATABASE
• System description: a distributed database, queried by telecommuting employees and clients
• System capabilities: stores and distributes information to clients
• Sensitive data processed: malpractice lawsuits, disciplinary actions

DATABASE POLICY CONTENT
• Roles & Responsibilities
  - Designated Approving Authority (DAA)
  - Information System Security Officer (ISSO)
  - User Representatives
  - Database Administrator
• Access Control & External Access
• Auditing
• Public Key Infrastructure & E-mail
• Internet Security
• Virus Definition Updates

DATABASE POLICY CONTENT (continued)
• User Characteristics
  - Discretionary Access Control
  - Password Management
• Sensitivity of Processed Data
  - Data Classification
  - Data Markings
  - Printed Data

TASKS AND ESTIMATES: Tasks
• 1st: Draft of document
• 2nd: Release of document
• 3rd: Baseline document (if approved)

TASKS AND ESTIMATES: Estimates
• Estimate based off NWA 50193/0002 for completion of 100 pages: 8 man-hours per page @ 1 FTE = 105 USD
• 13 pgs x 105 USD = 10,500 USD
• Estimate: 10 pgs x 8 hrs = 80 hours; 80 hr x 105 USD = 8,400 USD
• FTE (Full Time Engineer, $13.13)
• USD (United States Dollars)

DATABASE CONTINGENCY PLAN

QUESTIONS
"What do we do when we cannot use our facility?"
"What can we do now to better prepare our business unit to respond when our facility is unavailable?"

PREVENTION
The best way to prepare for a disaster is to avoid the disaster. Therefore, look for any potential problems you can find and correct them.
• Observe physical security procedures in your facility, and encourage increased security when appropriate.
• Observe information security procedures regarding computers in your facility, and encourage increased security when appropriate.
• Consider encouraging security-training sessions where appropriate.

OBJECTIVE
To maintain an acceptable level of residual risk throughout the lifecycle.

VALIDATION REQUIRED (NO LESS THAN ANNUALLY)
• IT system contingency plans must be tested annually
• Table-top exercise
• Functional exercise

CONGRESSIONAL & DOD REQUIREMENTS
Public Law 107-347, also known as the Federal Information Security Management Act of 2002 (FISMA), requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems.

CONTINGENCY PLANNING
Contingency planning is the task that develops a plan for emergency response, backup operations, and post-disaster recovery.

CONTINGENCY PLAN EVALUATION
The contingency plan evaluation task analyzes the contingency, back-up, and continuity of service plans to ensure the plans are consistent with the requirements identified in the SSAA.

PLAN ORIENTATION
• The team plan has been developed by the ProMonsterMedia IT Working Group.
• Team Leaders are responsible for part of the plan development process.

PLAN CHECKLIST
• The form is used to chart the progress in developing your business resumption plan.
• Each plan segment/module is listed with the development responsibility.

LIFE-CYCLE MANAGEMENT ANALYSIS
This certification task ensures that change control and configuration management practices are, or will be, in place and are sufficient to preserve the integrity of the security-relevant software and hardware.

CONTINGENCY CERTIFICATION (PHASE 3)
Inspections of operational sites to ensure their compliance with the physical security, procedural security, TEMPEST, and COMSEC requirements.

DBMS GENERAL INFORMATION
• Review configuration & security management
  - Follow the change management documented in the SSAA
  - Determine if system security management continues to support the mission and architecture
• Conduct risk management review
  - Assess if the risk to CIAA is being maintained at an acceptable level
• Conduct compliance validation if needed
  - Ensure continued compliance with SSAA regulations, the current threat assessment, and the concept of operations
• Maintain the SSAA

SECURITY EDUCATION, TRAINING AND AWARENESS PROGRAM

MAIN TOPICS
1. Definition
2. The Target Audience
3. Rationale and Purpose
4. System Milestones
5. Content Development
6. Estimates
7. References
8. Appendices

Definition

Michael Whitman (2006) stated that a SETA plan is a "program designed to provide direct, applied measures to influence employee behavior, increase employee abilities and enable the organization to hold employees accountable for their actions" (p. 22).

Now, why are education, training and awareness of people so important for protecting and securing critical or sensitive information?

What is a Security Education, Training and Awareness [SETA] Plan?

The Target Audience

The most secure point of failure in any security program. Security is everyone's responsibility!

According to Wilson & Hash (2003), the key factor in providing security is not the technology or the state-of-the-art efforts to protect and secure the Information Systems [IS]. To provide adequate information security, the people factor is the key factor, because people are the system's weakest link (p. 1).

SEC_RITY is not complete without U!

The Weakest Link

All people using or administering the Database Management System and Information Systems must:
• Understand ProMonsterMedia's mission and their roles and responsibilities.
• Follow ProMonsterMedia's Information System Security Policy, regulations and practices.
• Be trained in and/or aware of the risks, threats and the methods of control implemented to protect and secure the Information System's critical assets and resources (Wilson & Hash, October 2003).

Database Security SETA PROGRAM RATIONALE

The Rationale and Purpose

ALBERT EINSTEIN USED TO SAY

“Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.”

“Problems cannot be solved at the same level of awareness that created them.”

(Whitman, 2006, p. 30)

THE FUNCTIONS OF THE SETA PROGRAM ACCORDING TO NIST
1. Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
2. Developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
3. Improving awareness of the need to protect system resources (NIST, 1995)

THE PROMONSTERMEDIA SETA PROGRAM IS A CONTINUOUS LEARNING PROCESS

NIST LIFE-CYCLE MODEL FOR SETA
These are the phases of the SETA life-cycle development process described by Wilson and Hash (2003) in NIST SP800-50:
1. Awareness and Training Program Design (Wilson & Hash, 2003, Section 3)
2. Awareness and Training Material Development (Wilson & Hash, 2003, Section 4)
3. Program Implementation (Wilson & Hash, 2003, Section 5)
4. Post-Implementation (Wilson & Hash, 2003, Section 6)

Specific Content Development

SECURITY BODY OF KNOWLEDGE TOPICS AND CONCEPTS ACCORDING TO NIST SP800-16
• Laws and Regulations
• IT Security Program
• System Environment
• System Interconnection
• Information Sharing
• Sensitivity
• Risk Management
• Management Controls
• Acquisition/Development/Installation/Implementation Controls
• Operational Controls
• Awareness, Training, and Education Controls
• Technical Controls

(Wilson, de Zafra, Tressler, & Ippolito, April 1998)

SETA MANAGING MODELS

Three models:

1. Centralized

2. Partially Decentralized

3. Fully Decentralized

(Wilson & Hash, 2003)

Figure 2 Model 1 – Centralized Program Management (Wilson & Hash, 2003, p. 23, figure 3-1)

LEARNING IS A CONTINUUM

"Awareness is not training or education; it is bringing attention to the importance of security issues." (Wilson, Zafra, Tressler et al., 1998). Figure 2 depicts the continuum (Wilson & Hash, 2003, p. 18, figure 2-1).

Wilson & Hash (2003) indicated that "training strives to produce relevant and needed security skills and competencies" (p. 9).

NIST SP800-16 states: "Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response." (Wilson, Zafra, Tressler et al., 1998)

UNDERSTANDING OUR NEEDS

Figure 3 Need assessment (Wilson & Hash, 2003, p. 29, figure 3-5 ).

NEEDS ASSESSMENT KEY QUESTIONS
NIST SP800-50 (2003) provides the following questions (p. 29):

• What awareness, training, and/or education are needed (i.e., what is required)?

• What is currently being done to meet these needs?

• What is the current status regarding how these needs are being addressed (i.e., how well are current efforts working)?

• Where are the gaps between the needs and what is being done (i.e., what more needs to be done)?

• Which needs are most critical?

Figure 4 shows the required level of training versus the current level of effort (Wilson & Hash, 2003, p. 30, figure 3-7).

IMPLEMENTATION OF AWARENESS AND TRAINING PROGRAM

• Did our team complete a needs assessment?
• Did our team develop an overall strategy?
• Did our team complete an awareness and training program for implementing the strategy previously developed?
• Did the security team finally develop the awareness and training material?

Figure 5 Key Steps Leading to Program Implementation (Wilson & Hash, 2003, p. 42, figure 5-1 )

POST-IMPLEMENTATION

Figure 6 The Post-implementation (Wilson & Hash, 2003, p. 46, figure 6-1 )

MANAGING CHANGE – ONGOING IMPROVEMENT OR RAISING THE BAR

Figure 7 Evaluation and Feedback Methodology (Wilson & Hash, 2003, p. 48, figure 6-2 )

Estimates

ASTRONOMICAL NUMBER$: Government Security Classification Cost Estimate, Fiscal Year 2005
• Total = $7.7 Billion
• Personnel Security = $1.15 Billion
• Physical Security = $1 Billion
• Information Security = $4 Billion
• Information Technology = $3.6 Billion
• Classification Management = $310 Million
• Declassification = $57 Million
• Professional Education and Training = $219 Million
• Security Management and Planning = $1.2 Billion
• Unique = $6.6 Million

(ISOO, 2005)

ESTIMATES & PHASES

Phase  Description                                       Estimated SETA Team Hours  Estimated Number of Pages
1st    The SETA Strategic Planning                        5                         50
2nd    Program Design and Development                    30                         50
3rd    Delivery, Administration & Post-Implementation    25                         80

Total = 60 estimated SETA Team hours for 180 estimated pages.

CALCULATING THE ESTIMATES
Estimate based on completion of 180 pages:
• 1 SETA Security Team hour equals $250.00 US Dollars [USD]
• Estimated total number of pages equals 180
• Estimated total SETA Security Team hours equals 60
• Estimated Appendix "O" SETA plan cost: 60 SETA Security Team hours x $250.00 per hour = $15,000.00 USD
• Other expenses and misc. = $5,000.00 USD
• ESTIMATED TOTAL COST = $20,000.00

CONCLUSION
Thank you for your attention, and just as a reminder:

Security is about “us” not only about you. We are all in it.

Do you have any questions?

SETA Appendices

APPENDIX A AWARENESS POSTERS I

APPENDIX B AWARENESS POSTERS II

APPENDIX C AWARENESS POSTERS III

APPENDIX D AWARENESS POSTERS IV

REFERENCES

2007 LandWarNet Conference. (2007, Aug 21) Notes

Addison, S. (July 3, 2007) Best Practices for Security Awareness Training. Security-awareness.com. Retrieved on October 24, 2007, from http://security-awareness-training.com/2007/07/23/best-practices-for-security-awareness-training/

Bowen, P., Hash, J., & Wilson, M. (2006). Information Security Handbook. Retrieved October 26, 2007, from http://www.nist.gov

Brackin, C. (2003). Vulnerability Management: Tools, Challenges, & Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room

Business Resumption Development Guide (2006, May 5) Buckley King LPA

Canavan, S. & Diver, S. (2007). Information Security Policy- A Development Guide for Large & Small Companies. Retrieved October 26, 2007, from http://www.sans.org/reading room

Department of Defense [DoD]. (July 31, 2000). Information Technology Security Certification and Accreditation Process (DITSCAP). Application Manual DoD 8510.1-M. Retrieved October 24, 2007, from http://www.dtic.mil/whs/directives/corres/pdf/851001m.pdf

Department of Defense (1997, Dec 30). Information Assurance. Retrieved October 28, 2007, from http://iase.disa.mil/ditscap/DitscapFrame.html

DIACAP and the GIG IA Architecture. (2005, March). Retrieved October 27, 2007, from http://www.afei.org/documents/DIACAPandtheGIGCCRTS_371.pdf

DISA (June 21, 2007). Enclave Security Technical Implementation Guide Version 4, Release 1. DISA Field Security Operations. Developed by DISA for the DoD. Retrieved on October 28, 2007, from http://iase.disa.mil/stigs/stig/enclave-stig-v4r1.pdf

DOD 5200.28-STD. (1985, December 26). Trusted Computer System Evaluation Criteria. Security Functionality Requirements. (1992, January 28). Minimum Security Functionality Requirements For Multi-User Operating Systems. Retrieved October 15, 2007 from http://security.isu.edu/pdf/secfunreq.pdf


Foix, R. (2004, October 4). Expanding responsibility for incident response. Computerworld, 38(40), 28-28. Retrieved October 27, 2007, from Computer Source database.

G. (2002). Implementing an Effective IT Security Program. Retrieved October 27, 2007, from http://www.sans.org/reading room

GadAllah, S. (2003). The Importance of Logging & Traffic Monitoring for Information Security. Retrieved October 27, 2007, from http://www.sans.org/reading room

Iase.disa.mil. Information Assurance Support Environment Profile. Retrieved October 26, 2007, from http://iase.disa.mil/

Information Security Oversight Office [ISOO]. (2005). Report on Cost Estimates for Security Classification Activities: Background and Methodology. Retrieved on October 28, 2007, from http://www.archives.gov/isoo/reports/2005-cost-report.html

Kyle, S. (2003). Biometrics: An In-Depth Examination. Retrieved October 27, 2007, from http://www.sans.org/reading room

Maiwald, E. (2002). Security Planning and Disaster Recovery. Blacklick, OH: McGraw-Hill Professional.

National Computer Security Center (NCSC). (1987). A Guide to Understanding Audit in Trusted Systems. Retrieved October 27, 2007, from http://csrc,ncsl.nist.gov/publications/secpubs/rainbow/tg001.txt

Panko, R. (2004). Corporate Computer and Network Security. Upper Saddle River, NJ: Pearson Education Inc.

Pfleeger, C. P., & Pfleeger, S. L. (2003). Security in Computing (3rd ed.). Upper Saddle River, NJ: Pearson Education Inc.

Pratt, M. (2007, May 16). Five tips for building an incident response plan. Retrieved October 27, 2007, from Computerworld Web site: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019558&pageNumber=1

Ross, R. (2004). Guide for the Security Certification and Accreditation of Federal Information Systems. Maryland: Diana Publishing Company.

Setty, H. (2001). System Administrator-Security Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room

Thompson, D. (2005). Implementing a Secure Wireless Network for a Windows Environment. Retrieved October 27, 2007, from http://www.sans.org/reading room

Whitman, M. E. (2006). Assuring the Integrity of Financial Information Systems: Awareness and Responsibility of Employees and Business Partners. Michael E., Ph.D., CISSP. Center for Information Security Education. Kennesaw State University. Retrieved October 24, 2007 from http://www3.uakron.edu/cba/cretisa/2006/whitman_infosec.pdf

Wilson, M., & Hash, J. (October 2003). Building an Information Technology Security Awareness and Training Program. NIST Special Publication 800-50. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8933.

Wilson, M., & Hash, J. (October, 2003). Information Technology Security Awareness, Training, Education, And Certification. Computer Security Division Information Technology Laboratory, ITL Bulletin. National Institute of Standards and Technology, NIST. Retrieved on October 23, 2007 from http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm.

Wilson, M., de Zafra, D. E., Tressler, J. D., & Ippolito, J. B. (April 1998). Information Technology Security Training Requirements: A Role- and Performance-Based Model. NIST Special Publication 800-16 (supersedes Special Publication 500-172). Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, U.S. Department of Commerce, Technology Administration, Gaithersburg, MD 20899-0001. Retrieved October 24, 2007, from http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf

www.dtic.mil (n.d.). Retrieved October 22, 2007, from http://www.dtic.mil/whs/directives/corres/text/p85101m.txt