Security is not just… a Compliance Exercise: Certification and Accreditation, FISMA
TRANSCRIPT
Security is not just…
A Compliance Exercise
Certification and Accreditation
FISMA

What is Security?
Security Architecture & Models
Cryptography
Security Management
Access Controls & Methodology
Laws, Investigations, & Ethics
Applications & Systems Development
Physical Security
Operations Security
Telecommunications & Networking Security
Business Continuity Planning

What is Enterprise Security Architecture?
Enterprise Security Architecture is…
…the strategic focus that enables the organization to carry out its mission in a secure manner

What Drives Security Architecture?
FISMA
OMB A-130; Appendix III
NIST
Organization Policies and Procedures

Minimum Enterprise Security Architecture
All agencies must create a Security and Privacy Profile (SPP) that addresses, per OMB A-130; Appendix III:
Encryption
Malware
Access Controls
Identification & Authentication
Audit Trail Creation & Analysis
Intrusion Detection & Prevention
Fraud Detection, Prevention, & Mitigation

Enterprise Security Architecture Answers…
Is the existing security program effective?
Is risk being managed effectively?
Are there any new laws or policies that need to be implemented?

The OMB SPP Helps Organize…
Planning Efforts for Future Requirements
Current Requirements
Capabilities
Gap Analysis Efforts

EA Security Requirements
Confidentiality
Integrity
Availability

Key EA Security Goals
Enable advanced IT security capabilities
Develop an IT security empowered workforce
Improve IT security situational awareness
Provide DOT-wide IT security services

Where Do These Efforts Fit Within the EA Framework?

Priorities For Addressing Integration of EA & Security
Streamline communication between Business Owners, ISSOs, and the Information Security Office
Implement metrics that will effectively analyze the performance of security within DOT Information Systems
EA Team Members must participate within Information Security working groups, and vice versa
Coordinate with Business Owners and the Information Security Office to develop the Trust Model Architecture

QUESTIONS