Page 1: SECURITY BEYOND A “SYSTEM”...Security Beyond a "System" - Fiscal Services's Approach to External Services Author Jim McLaughlin and Ralph Jones, Security Policy & Risk Management,

SECURITY BEYOND A “SYSTEM”

Fiscal Service’s Approach to External Services

Jim McLaughlin, CISSP, Manager, Security Policy & Risk Management

Ralph Jones, Security Analyst

Federal Computer Security Program Managers’ Forum August 17, 2016


Overview


• Some operations that are handled by external service providers are NOT “Systems”

• These services still need appropriate security to ensure ongoing operational resiliency

• Fiscal Service (FS) developed an “External Services” process to address security requirements for Services


Key points


A Service is NOT a System

Look BEFORE you leap

Verify BEFORE you trust (or use)

Never trust and then verify


Remember the RMF


At Treasury, it is all about the money



Clarify


• Much of what business units do that touches sensitive information is not likely to be inside a “System” boundary

• With more pressure to reduce costs, more business functions are being outsourced

• Services can get into organizations under the radar, bypassing Security, unless Security is closely aligned with the Procurement and Budget governance processes


A Service is NOT a System


Plain English definition:

• Something owned & operated by somebody else

• Others are using it

• Readily available for acquisition

• Not customized for FS

• Not on the FISMA inventory


Services are

• An existing application or information processing service already used by the private sector and/or government that is operated by an external organization (private company, government organization, nonprofit organization, Federal Reserve, or financial institution)

• Readily available for acquisition and require no significant customization

• By definition, not FISMA systems

For example: PayPal is a service


Planning


Look BEFORE you leap


Bad Risk Management


Good Risk Management


Use existing processes

• Security Impact Analysis (SIA)

• Classification Determination Memo (CDM)

• FedRAMP for cloud services

• Incorporate standardized security requirements language into Procurements

• Leverage existing third party assessments


Security Impact Analysis (SIA)

• A form

• A process

• Documents what is being done now and what is planned

• Analyzes the security impacts of the planned actions

• Assigns a risk level to the planned actions

• Prescribes the work needed to manage the risks


Classification Determination Memo (CDM)

• A form

• A process

• Documents what a (thing) is: system vs. service

• Describes what information is being processed


Service review process


Phase 1: Identify

• FIPS 199 categorization level of the information

• Classification and Determination Memo (CDM)

• Security Impact Analysis (SIA)

Phase 2: Assessment and Approval

• Define security requirements based upon the CDM and SIA

• Review and document how the service meets those requirements and who is responsible for which controls

• Assess the service and determine whether the risks are acceptable

• Obtain CIO approval that it is acceptable to use the service


Clarify


ATU instead of ATO

An external organization owns and operates a service

Instead of granting an Authorization to Operate (ATO), a service is approved as Acceptable to Use (ATU)


$aving$


• Prevent bad procurements

• Avoid need to retrofit security controls

• Ensuring that security is included and working where needed (beyond the “Systems”) helps prevent costly security incidents and operational disruptions


Bright new day


Moving on


Contact Information

Jim McLaughlin, CISSP

Manager, Security Policy & Risk Management

304-480-6149

[email protected]

Ralph Jones, Security Analyst

202-874-5057

[email protected]
