security control families
DESCRIPTION
Management Class. Security Control Families. Security Controls Overview. XX-1 Policy and Procedures. NIST Doc Review Strategy:. Table Summaries. Graphic Summaries. Bulleted Summaries. Executive Summaries, Overviews, Introductions. XX-1 Policy & Procedures. SP 800-12 The Handbook - PowerPoint PPT PresentationTRANSCRIPT
Security Control Families
Management Class
ID Class Family # ofCA Management Security Assessment and Authorization 6PL Management Planning 5PM Management Program Management 11RA Management Risk Assessment 4SA Management System and Services Acquisition 14/40AT Operational Awareness and Training 5CM Operational Configuration Management 9CP Operational Contingency Planning 10IR Operational Incident Response 8MA Operational Maintenance 6MP Operational Media Protection 6PE Operational Physical and Environmental Protection 19PS Operational Personnel Security 8SI Operational System and Information Integrity 13/84AC Technical Access Control 19AU Technical Audit and Accountability 14IA Technical Identification and Authentication 8SC Technical System and Communications Protection 34/75
Security Controls Overview
XX-1 Policy and Procedures
NIST Doc Review Strategy:
Bulleted Summaries Executive Summaries,
Overviews, Introductions
Table Summaries
Graphic Summaries
8
XX-1 Policy & Procedures
SP 800-12The Handbook
SP 800-100Manager’s Handbook
AC-1 Access Control AT-1 Security Awareness and TrainingAU-1 Audit and AccountabilityCA-1 Security Assessment and AuthorizationCM-1 Configuration ManagementCP-1 Contingency Planning IA-1 Identification and Authentication IR-1 Incident Response MA-1 System Maintenance MP-1 Media Protection PE-1 Physical and Environmental Protection PL-1 Security Planning PM-1 Information Security Program PlanPS-1 Personnel Security RA-1 Risk Assessment SA-1 System and Services Acquisition SC-1 System and Communications Protection SI-1 System and Information Integrity
Security Assessment & Authorization
Core RMF Documents
800-47 (SLA) 800-137 (CM)
CA-2 Security AssessmentsCA-3 Information System ConnectionsCA-5 Plan of Action and MilestonesCA-6 Security AuthorizationCA-7 Continuous Monitoring
Planning Family & Family PlansPL-2 System Security PlanPL-4 Rules of BehaviorPL-5 Privacy Impact AssessmentPL-6 Security-Related Activity Planning
800-18 (RMF) 800-100 (PM) OMB M-03-22 (Privacy)
CA-5 Plan of Action and Milestones -37
CP-2 Contingency Plan -34
CM-9 Configuration Management Plan-128
IR-8 Incident Response Plan -61
PM-1 Information Security Program Plan
PM-8 Critical Infrastructure PlanRMF 4.1 Security Assessment Plan -53a
Program Management
PM-2 Senior Information Security OfficerPM-3 Information Security ResourcesPM-4 Plan of Action and Milestones ProcessPM-5 Information System Inventory
PM-6Information Security Measures of Performance
PM-7 Enterprise ArchitecturePM-8 Critical Infrastructure PlanPM-9 Risk Management StrategyPM-10 Security Authorization ProcessPM-11 Mission/Business Process Definition
800-30 800-37 (RMF) 800-39 (RMF) 800-100 800-55 - Performance 800-60 800-65 - CPIC
FIPS 199 HSPD 7 – Critical
Infrastructure OMB 02-01 - SSP
Program Management Overview
Information Security Program Plan (PM) Critical Infrastructure Plan (HSPD 7) Capital Planning and Investment Control (SP 800-65) Measures of Performance (SP 800-55) Enterprise Architecture and Mission/Business Process
Definition
Information Security Program Plan
Defines Security Program Requirements Documents Management and Common Controls Defines Roles, Responsibilities, Management
Commitment and Coordination Approved by Senior Official (AO) Appoint Senior Information Security Officer
Critical Infrastructure Plan
HSPD-7 Critical Infrastructure Identification, Prioritization, and Protection
Essential Services That Underpin American Society Protection from Terrorist Attacks
– Prevent Catastrophic Health Effects or Mass Casualties – Maintain Essential Federal Missions– Maintain Order – Ensure Orderly Functioning of Economy – Maintain Public's Morale and Confidence in Economic and
Political Institutions Strategic Improvements in Security
Capital Planning & Investment Control
Investment Life Cycle Integrating Information Security into the CPIC Process Roles and Responsibilities
– Identify Baseline– Identify Prioritization Criteria– Conduct System- and Enterprise-Level Prioritization– Develop Supporting Materials– IRB and Portfolio Management– Exhibits 53 and 300 and Program Management
Investment Life Cycle
Integrating Information Security into the CPIC Process
Knowledge Check
If the interconnecting systems have the same authorizing official, an Interconnection Security Agreement is not required. True or False?
Which NIST SP, provides a seven-step process for integrating information security into the capital planning process?
This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.
The corrective action and cost information contained in which document, serve as inputs to the Exhibit 300s and are then rolled into the Exhibit 53?
Measures of Performance
Metric Types Metrics Development and Implementation Approach Metrics Development Process Metrics Program Implementation
– Prepare for Data Collection– Collect Data and Analyze Results– Identify Corrective Actions– Develop Business Case and Obtain Resources– Apply Corrective Actions
Metric Types
“Am I implementing the tasks for which I am responsible?”
“How efficiently or effectively am I accomplishing those tasks?”
“What impact are those tasks having on the mission?”
Metrics Development Process
Metrics Program Implementation
Federal Enterprise Architecture
Performance
Data
Business Service
TechnicalInformation Type
(SP 800-60)
Core Principles of the FEA
Business-driven Proactive and collaborative across the Federal
government Architecture improves the effectiveness and efficiency of
government information resources
Defining Mission/Business Processes
Defines mission/business processes with consideration for information security and the resulting risk to the organization;
Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
Risk Assessment
RA-2 Security Categorization
RA-3 Risk Assessment
RA-5 Vulnerability Scanning
800-30r1 (draft) 800-37 800-40 -
Patch Management 800-70 - Checklists 800-115 - Assessments
Patch and Vulnerability Management Program
Create a System Inventory Monitor for Vulnerabilities, Remediations, and Threats Prioritize Vulnerability Remediation Create an Organization-Specific Remediation Database Conduct Generic Testing of Remediations Deploy Vulnerability Remediations Distribute Vulnerability and Remediation Information to Local
Administrators Perform Automated Deployment of Patches Configure Automatic Update of Applications Whenever Possible and
Appropriate. Verify Vulnerability Remediation Through Network and Host
Vulnerability Scanning Vulnerability Remediation Training
National Checklists Program
In which NIST special publication might you find guidance for the performance measurement of information systems?
Which FEA reference model was used to create the guide for mapping information types to security categories, in support of the first step of the Risk Management Framework?
What is the name of the security control, represented by the control ID RA-3, must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework?
Where can information about vulnerabilities be found?
System & Services AcquisitionSA-2 Allocation of ResourcesSA-3 Life Cycle SupportSA-4 AcquisitionsSA-5 Information System DocumentationSA-6 Software Usage RestrictionsSA-7 User-Installed SoftwareSA-8 Security Engineering PrinciplesSA-9 External Information System ServicesSA-10 Developer Configuration ManagementSA-11 Developer Security TestingSA-12 Supply Chain ProtectionSA-13 Trustworthiness
800-23 – Acquisition Assurance
800-35 – Security Services
800-36 – Security Products
800-53a 800-64 - SDLC 800-65 - CPIC 800-70 - Checklists
Security Services Life Cycle
General Considerations for Security Services
Strategic/Mission Budgetary/Funding Technical/ Architectural Organizational Personnel Policy/Process
Security Product Testing
Identification and Authentication Access Control Intrusion Detection Firewall Public Key Infrastructure Malicious Code Protection Vulnerability Scanners Forensics Media Sanitizing
Common Criteria Evaluation and Validation Scheme
NIST Cryptographic Module Validation Program
Considerations for Selecting Information Security Products
Organizational Product Vendor Security Checklists for IT Products Organizational Conflict of Interest
Management Security Controls Key Concepts & Vocabulary
XX-1 Policy & Procedures CA - Security Assessment and Authorization PL – Planning Family & Family Plans
– Information Security Program Plan (PM)– Critical Infrastructure Plan (HSPD 7)
PM - Program Management– Capital Planning and Investment Control (SP 800-65)– Measures of Performance (SP 800-55)– Enterprise Architecture (FEA BRM)
RA - Risk Assessment– Security Categorization– Risk & Vulnerability Assessments
SA - System and Services Acquisition