Information Assurance Awareness, Training and Education

34 pages

Upload: melvin-harper

Post on 26-Dec-2015


Page 1: Information Assurance Awareness, Training and Education

Page 2

Presented to University of Phoenix

By: Francine C. Hammond

04/19/23

Page 3

Agenda and Background

Page 4

IA Background

Why IA?

IA Mission and Strategies

IA Capabilities

IA Strategies

Summary

Page 5

Background

In response to the terrorist attack against the Pentagon on September 11, 2001, the Department of Defense established the Pentagon Force Protection Agency (PFPA).

The new agency absorbed the Pentagon’s police force, formerly known as the Defense Protective Service (DPS), and its role of providing basic law enforcement and security for the Pentagon and DOD interests in the National Capital Region (NCR).

PFPA expanded that mission to provide force protection against the full spectrum of potential threats through robust prevention, preparedness, detection, and response measures.

Page 6

Mr. Bush Supports Information Security

Page 7

Why Information Assurance?

Publicity of attacks on information systems is increasing, and identity thieves prosper in the information age.

Identity thieves assume the identities of other individuals and use these identities to obtain credit cards, loans and other things of value.

The old methods used to obtain information still apply: stealing credit card statements, bank checks, and other personal information from mailboxes.

However, the openness of the Internet has given identity thieves access to a wealth of personal information stored in the databases of online data brokers, who collect and sell personal information.

A secure information system provides three properties:

Page 8

Integrity, Availability, Confidentiality (CIA triad diagram)

Information Assurance Awareness, Training, and Education

Page 9

CIA

Confidentiality ensures that people who don't have the appropriate clearance, access level and "need to know" do not access the information.

Integrity ensures that information cannot be modified or destroyed.

Availability means that information services are there when you need them. 

Page 10

What would happen if someone changed your data?

Page 11

Waht wuold hppaen if someone chagned your adat?

Page 12

Wtah wuold henapp if sooneme chagend yrou adat?

Page 13

Is Your Organization Secure?

Page 14

Implement IA Program…

Page 15

IA Mission and Strategies

Page 16

Mission

Strengthen risk mitigation policies by successfully implementing sound Information Assurance and Information Technology practices to…

Protect the integrity, confidentiality, and availability of IT systems, ensuring that all personnel who use the IT systems are trained to understand their responsibilities, both individual position requirements and those concerning the security of systems.

Page 17

Risk Management Strategies

Page 18

Risk Management Strategies

Manage and mitigate the risks of threats and vulnerabilities by implementing the following controls:

Policies and Regulations;

Certification and Accreditation (C&A);

Computer Incident Response Team (CIRT); and

IA Awareness Program.

Page 19

Policies and Regulations

Page 20

Implement policies, standards and procedures that are consistent with statutory, Federal, and DOD policies and procedures for securing information systems and networks, and that include the following controls:

Assign responsibility for security;

Maintain a security plan for all systems and major applications;

Provide for the review of security controls; and

Require authorization before processing.

Page 21

Certification and Accreditation

Page 22

Implement the DOD-established standard process to identify, implement, and validate IA controls for:

Authorizing the operation of DOD information systems; and

Managing IA posture across DOD information systems consistent with the Federal Information Security Management Act (FISMA).

Page 23

Computer Incident Response Team

Page 24

CIRT security analysts provide support in:

Day-to-day intrusion detection operations

Remote vulnerability detection

On-line system survey

Information protection support

Tool design and integration

Technical support

Page 25

IA Awareness Program

Page 26

“Literacy, Awareness, Training and Education: because there is no patch for ignorance”

National Information Assurance Training and Education Center

Page 27

Implement the IA Awareness Program by focusing on the following learning components:

Awareness: Focus attention on security.

Training: Produce relevant and needed security skills and competency.

Education: Integrate all security skills and competencies into a common body of knowledge, adding a multidisciplinary study of concepts, issues, and principles.

Professional Development: Imply a guarantee of meeting a standard by applying evaluation or measurement criteria.

Page 28

IA Awareness Program Objectives

Enhance understanding of IA issues among all system users;

Encourage meaningful behavioral change;

Provide coherent, accessible technical training;

Deliver flexible content for different audience groups; and…

Keep training current and relevant.

Page 29

IA Awareness Program Deliverables

Training Programs
  o General Awareness Training
    • Briefings, Distributed Security Tips, Newsletters
  o Technical Training
    • System Administrators, Help Desk personnel, Directors

Training Materials
  o Handbooks, Reference Guides, Presentations

IA Intraweb/Intranet
  o ‘One-stop shop’ portal for awareness training

Page 30

IA Strategy

Program Category and Life Cycle Status

Identify the Acquisition Category (ACAT) of the program. Identify the current acquisition life cycle phase and next milestone decision. Identify whether the system has been designated "Mission Critical" or "Mission Essential" in accordance with DoD Instruction 5000.2. Include a graphic representation of the program's schedule.

Mission Assurance Category (MAC) and Confidentiality Level

Provide a high-level overview of the specific system being acquired. Provide a graphic (block diagram) that shows the major elements/subsystems that make up the system or service being acquired, and how they fit together. Describe the system's function, and summarize significant information exchange requirements (IER) and interfaces with other IT or systems, as well as primary databases supported. Describe, at a high level, the IA technical approach that will secure the system, including any protection to be provided by external systems or infrastructure. PMs should engage the National Security Agency (NSA) early in the acquisition process for assistance in developing an IA approach and obtaining information systems security engineering (ISSE) services, to include describing information protection needs, defining and designing system security to meet those needs, and assessing the effectiveness of system security.

Threat Assessment

Describe the methodology used to determine threats to the system (such as the System Threat Assessment), and whether the IT was included in the overall weapon system assessment. In the case of an AIS application, describe whether there were specific threats unique to this system's IT resources due to mission or area of proposed operation. For MAIS programs, utilization of the "Information Operations Capstone Threat Capabilities Assessment" (DIA Doc # DI-1577-12-03) [1st Edition Aug 03] is required by DoD Instruction 5000.2.

Risk Assessment

Describe the program's planned regimen of risk assessments, including a summary of how any completed risk assessments were conducted. For systems where software development abroad is a possible sourcing option, describe how risk was assessed.

Information Assurance Requirements

Describe the program's methodology for addressing IA requirements early in the acquisition life cycle. Specify whether any specific IA requirements are identified in the approved governing requirements documents (e.g. Capstone Requirements Document, Initial Capabilities Document, Capabilities Design Document, or Capabilities Production Document). Describe how IA requirements implementation costs (including costs associated with certification and accreditation activities) are included and visible in the overall program budget.

DoD Information Technology Security Certification and Accreditation Process

Provide the name, title, and organization of the Designated Approving Authority (DAA), Certification Authority (CA), and User Representative. If the program is pursuing an evolutionary acquisition approach (spiral or incremental development), describe how each increment will be subjected to the certification and accreditation process. Provide a timeline describing the target completion dates for each phase of certification and accreditation in accordance with DoD Instruction 5200.40. Normally, it is expected that DITSCAP Phase 1 will be completed prior to or soon after Milestone B; Phases 2 and 3 will be completed prior to Milestone C; and Authority to Operate (ATO) will be issued prior to operational test and evaluation. If the DITSCAP process has started, identify the latest phase completed, and whether an Authority to Operate (ATO) or Interim Authority to Operate (IATO) was issued. If the system being acquired will process, store or distribute Sensitive Compartmented Information (SCI), compliance with Director of Central Intelligence Directive (DCID) 6/3 "Protecting Sensitive Compartmented Information Within Information System" is required, and the approach to compliance should be addressed.

Policy/Directives

List the primary policy guidance employed by the program in preparing and executing the Acquisition IA Strategy, including the DoD 8500 series, and DoD Component, Major Command/Systems Command, or program-specific guidance, as applicable. The Information Assurance Support Environment web site provides an actively maintained list of relevant statutory, Federal/DoD regulatory, and DoD guidance that may be applicable.

Page 31

Summary

Page 32

IA Mission: Strengthen the risk mitigation policies and the PFPA defense-in-depth by successfully implementing sound Information Assurance (IA) and Information Technology (IT) practices.

Risk Management Strategies: Policies and Regulations; Certification and Accreditation; CIRT; IA Awareness Program.

Page 33

Q & A

Page 34

THANK YOU!

Obrigado

Gracias

Danke

Merci

Domo Arigato

Kat Ouen

Diloch

Salamat

Takk

Cheers

Nani

Toda

Mahalo

Do Jeh

M’goy

Thoinks Moite