presented by: thelma ameyaw security management tel2813 4/18/2008thelma ameyaw tel2813
TRANSCRIPT
Introduction Legislative and Regulatory Environment
Overview Security and Capital Planning Integration Roles
& Responsibilities Integration of Security Into The CPIC Process Implementation Issues Summary
4/18/2008Thelma Ameyaw TEL2813
Background• Federal Information Security Management Act(FISMA)-2002• FISMA, Clinger Cohen Act, other associated guidance and
regulations, and the Office of Management and Budget (OMB) Circulars A-11 and A-130 , charge agencies with integrating IT security and the capital planning and Investment Control (CPIC)process
Purpose & Scope• Assist federal agencies in integrating IT Security into CPIC
processes by providing a systematic approach to selecting, managing, and evaluating IT security investments.
4/18/2008Thelma Ameyaw TEL2813
The implementation of IT security and capital planning practices within the federal government is driven by a combination of legislation, rules, and regulations, and agency-specific policies.To be funded, IT investments must demonstrate compliance with all applicable requirements specified in the guidance
Reporting Requirements FISMA
Charges OBM and NIST to develop security standards and identify tolerable security risk levels
Makes NIST standards compulsory for all agencies - (no waivers) Charges agencies to integrate IT security into capital planning
4/18/2008Thelma Ameyaw TEL2813
FISMA provides overarching requirements for securing federal resources and ensuring that security is incorporated into all phases
of the investment lifecycle.4/18/2008Thelma Ameyaw TEL2813
Select-Control-Evaluate Investment Life Cycle:In concert with OMB capital planning and NIST security requirements agencies are required to adhere to the GAO best practices- the 3 phased investment life cycle model for federal IT investments
• Select : Assessing and prioritizing• Control : Monitor investment• Evaluate : Efficacy of Investment Earned Value Management (EMV)EVM is a systematic integration and measurement of cost, schedule, and
accomplishments of an investment that enables agencies to evaluate investment performance during Development, Modernization, and/or Enhancement (D/M/E). The EVM enables:
• Project managers(PM) estimation of time and cost• PM to determine what work has been accomplished to date for the funds
expanded and how long it will take the investment to reach maturity.
4/18/2008Thelma Ameyaw TEL2813
IT Investment Management(ITIM):The GAO maturity framework can be used to determine the current status of an agency’s ITIM capabilities including recommendations.
Plan of Action and Milestones(POA&M):◦ Through the ILC the POA&M is used to identify security
weaknesses and track mitigation efforts of agency IT investments until the weakness has been successfully mitigated.
Risks: Security Risk Investment Risk
4/18/2008Thelma Ameyaw TEL2813
Integrating IT security into the CP process requires input and collaboration across agencies and functions.
Many different stakeholders from IT security , CP and executive leadership areas play roles and make decisions and ultimately forming a well balanced IT portfolio.• Head of Agency• Senior Agency Officials• Chief information Officer• Senior Agency Information Security Officer• Chief Financial Officer• Investment Review • Project Manager
4/18/2008Thelma Ameyaw TEL2813
NIST recommends a seven-step framework for the process• Enterprise-level investments • System-level investments
The framework provides a systematic approach to selecting, managing, and evaluating IT security investments. The methodology relies on existing data inputs so it can be readily implemented at federal agencies.
Enterprise-Level Information Stakeholder rankings of enterprise-wide initiatives, Enterprise-wide initiative IT security status, Cost of implementing remaining appropriate security controls for enterprise-wide initiatives
System-Level Information
System categorization, Security compliance, Corrective action cost
4/18/2008Thelma Ameyaw TEL2813
Identify the Baseline: Using IT security metrics to determine where security weaknesses exist.
Identify Prioritization Requirements: Corrective actions to mitigate vulnerabilities must be evaluated against the security requirements. Requirements can be CIO-articulated security priorities, enterprise-wide initiatives, or NIST SP 800-26 topic areas.
Conduct Enterprise-Level Prioritization: prioritize potential enterprise-level IT security investments against mission and financial impact of implementing appropriate security controls.
4/18/2008Thelma Ameyaw TEL2813
Conduct System-Level Prioritization:
prioritize potential system-level corrective actions against system category and corrective action impact.
Joint Prioritization The final step in the prioritization process is to combine the enterprise- and system-level prioritizations into one prioritization framework to create a security investment strategy for the agency.
4/18/2008Thelma Ameyaw TEL2813
Develop Supporting Materials: • Enterprise-level investments: Develop concept paper, business
case analysis, and Exhibit 300. • System-level investments: Adjust Exhibit 300 to request
additional funding to mitigate prioritized weaknesses.
Concept Paper: It is developed by the investment owner and submitted to the IRB for review. It contains a high level description of the proposed investment and includes rough order of magnitude, costing estimates, benefits, milestones, and agency impacts
The Exhibit 300 : is the capture mechanism for all of the analyses and activities required for full internal (IRB, OCIO) review. is the document that OMB uses to assess investments and ultimately make funding decisions.
4/18/2008Thelma Ameyaw TEL2813
Implement Investment Review Board (IRB) and Portfolio Management:
• Prioritize agency-wide business cases against requirements and CIO priorities and determine investment portfolio.
Submit Exhibit 300s, Exhibit 53, and Conduct Program Management:
• Ensure approved 300s become part of the agency’s Exhibit 53• Ensure investments are managed through their life cycle
(using EVM for D /M /E investments and operational assessments for steady state investments) and through the GAO’s ITIM maturity framework.
4/18/2008Thelma Ameyaw TEL2813
The agency must implement and monitor these investments. IT security decisions are made based on system security issues and federal budgeting timelines.
• IT Security Organizational Processes • Project Management• Legacy Systems• Time lines
4/18/2008Thelma Ameyaw TEL2813
Traditionally, information technology (IT) security and capital planning and investment control (CPIC) processes have been performed independently by security and capital planning practitioners.
However, the Federal Information Security Management Act (FISMA) of 2002 and other existing federal regulations charge agencies with integrating the two activities.
NIST recommends a seven-step framework for the process Enterprise-level investments System-level investments
4/18/2008Thelma Ameyaw TEL2813