Upload File

towards the desired state – one step at a timedesired... · •common federal report metrics...

  • Home
  • Documents
  • Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special
12
2019 CGI Federal Towards the desired state – One step at a time Improving security posture and getting closer to the IAM desired state using SailPoint December 2019 1

Upload: others

Post on 01-Aug-2020

0 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

Towards the desired state –One step at a timeImproving security posture and getting closer to the IAM desired state using SailPoint

December 2019

1

Page 2: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

CDM Goals

Department of Homeland Cyber Security Mission: • Improve the security posture of the entire civilian .gov network• Identify and prioritize cybersecurity risk on a continuous basis

while enabling agency cybersecurity professionals to manage and mitigate risks to government data and networks

Guiding Principles for CDM Practitioners• Inspect the CDM object level data by observing the “actual

state” of current data• Detect differences between actual state and desired state

data (aka Cybersecurity Posture Gap)• Protect by providing the visibility and/or mechanism to

implement an improvement, usually by remediating cybersecurity posture gaps

Asset Management | Identity and Access Management | Network Security Management | Data Protection Management

2

Page 3: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

Desired State and Security Frameworks for IAM• Desired State is defined, measured and assessed by Agency Specific processes and procedures• Multiple paths to Risk Reduction and Security Posture improvement

• CDM design concepts and principles• CDM Actual State data compared with Desired State data• CDM Policy Decision Point (PDP) Machine-Readable Policies

FISMA | FIPS | OMB | NIST SP | BOD | NISTIR | Laws | Mandates | Standards | Policy

• NIST Cybersecurity Framework• NIST SP 800-37 – Risk Management Framework for Information Systems

and Organizations: A System Life Cycle Approach for Security and Privacy

• NIST SP 800-53 – Security and Privacy Controls for Information Systems and Organizations

• NIST SP 800-63 – Digital Identity Guidelines• Federal Identity, Credential and Access Management (Federal ICAM)• OMB M-19-17 – Enabling Mission Delivery through Improved Identity,

Credential, and Access Management• Agency requirements• And more!

Federal standards and guidelines for IAM help to inform Agency

Policies. CDM can help Agencies achieve their IAM Policy goals.

3

Page 4: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

CDM Data Interrogation• Desired State is defined in “Machine Readable Policies” (MRP)• Data interrogation actions analyze the data to determine desired

state variants (cybersecurity posture gaps) and present the results in dashboards (SailPoint and Agency CDM Dashboard)

• The dashboard normalizes the gap data and provides metrics determined by the “Data Interrogation Actions and Interrogation Specifications” as defined

• The interrogation and the resulting metrics provides visibility into risk and ability to support: • CDM Program requirements• Common Federal report metrics (e.g., FISMA metrics) • Compliance with NIST guidance and standards (e.g., Special

Publications and FIPS documents)• Object level data for Agency operationalization

So what about risk mitigation or cybersecurity posture gap closure?

4

Page 5: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

SailPoint IdentityIQ Policy Administration

• IdentityIQ policies define the access business policies of your Agency• Policies are defined specifically using MUR data and beyond

• Identity Attributes• Privileged Access to systems and applications• Entitlements and Roles

• Detective and preventative• Part of the Unified governance framework of IdentityIQ Compliance

Manager• Responsibility assigned to business owners, supervisors and CORs• Visibility and granular control on variants

• Entitlement SOD

• Role SOD• Application

• Account-based• Activity policies • Risk-based policies

• Advanced policies

Proactively detect and prevent inappropriate access and violations in real-time with point-and-click interfaces

5

Page 6: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

Detect cybersecurity posture gaps

• Detect (Leverage Policies and Reports)• Define Policies and scan for policy violations• Live reports in SailPoint based on MUR attributes

and violations detected• Business-friendly reports and analytics tools• Report on privileged and application access

Added Benefit: Support FISMA and other compliance reporting needs and risk scoring

SailPoint IdentityIQ

6

Page 7: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

Remediate cybersecurity posture gapsRemediate (Leverage Polices and Access Certification)• Notify IT, supervisors or data stewards for corrective

action• Assign the policy violations to supervisors/CORs/data

stewards • Decision to revoke the access or to accept the risk

based on compensatory controls• Periodic access certifications to include Policy

violations • On demand• Scheduled• Risk/event based

Added Benefit: Accurate, automated certifications, complete MUR data and exception management

SailPoint IdentityIQ

7

Page 8: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

Prevent cybersecurity posture gapsPrevent (Leverage LCM)• Automatically disable user accounts or revoke

access when violations are detected or certified• Proactively prevent inappropriate access and

violations • Lifecycle events and workflows to disable/revoke

access• Enforce a closed-loop provisioning process

Added Benefit: Accurate and automated remediation actions and access request management

SailPoint IdentityIQ

8

Page 9: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

CDM Identity and Access Management Desired State

• TRUST• All active users have an authorized trust level • Only users with appropriate security clearances have appropriate access

• CRED• Only authorized users are issued the authorized credentials of the correct type to access facilities, information, and

networks. • All authorized users have their credentials reissued or reset on a periodic basis.• All credential types have appropriate expiration, reissuance, and revocation policies.

9

Page 10: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

CDM Identity and Access Management Desired State

• PRIV• Only authorized users with authorized accounts of the correct type are accessing systems • All employees have only the privileges necessary to do their jobs • All accounts are in compliance with the agencies SOD policies • All authorized users have their accounts and accesses reauthorized on a periodic basis • All account types employ appropriate expiration and disable policies

• BEHAVE• All employees have completed Cyber Security Awareness Training.• All authorized users have completed Role-based Security Training.

10

Page 11: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

One Step at a Time

11

Aggregate BEHAVE, CRED, PRIV and TRUST

attributes

Enable lifecycle and event based

workflows

Enable policy management

workflows

Scan for policy violations

Plan and document policies

Collect and aggregate

Define desired state

Detect Remediate Prevent

Correlate to an instance of MUR

Define policies (MRPs)

Leverage Reports and audit logs

Define Risk scoring

Schedule/run periodic

certifications

Automated provisioning with

closed loop remediation

Self service access requests

with SOD prevention

Aggregate application or system access

Page 12: Towards the desired state – One step at a timedesired... · •Common Federal report metrics (e.g., FISMA metrics) •Compliance with NIST guidance and standards (e.g., Special

2019 CGI Federal

Questions?

12


FISMA and Metrics

NASA Cybersecurity Program...Federal compliance metrics (e.g. FISMA) IT Security Training compliance data AITRM Implementation Plan submitted to BSA Team for approval by April 2016

INFO 610 FISMA Presentation

FY15 CIO Annual FISMA Metrics Version 1 - Homepage | CISA › sites › default › files...2.10.3 many configuration exceptions are granted by the enterprise? 2.10.4 What is organization’s

Inspector General FISMA Metrics V1.0 - CISA › sites › default › files › publications › Final FY 20… · FY 2018 Inspector General FISMA Reporting Metrics v1.0 Page . 6

DODIG-2015-180.pdf - United States Department of Defense · • Plan of Action & Milestones, • Remote Access Management, ... cited weaknesses in the FISMA reporting metrics of risk

FY 2018 CIO FISMA Metrics v1 2018 CIO... · 3 conduct regular risk management assessments established in Executive Order (EO) 13800 “Strengthening the Cybersecurity of Federal Networks

Addressing FISMA Compliance through Centralized …docs.govinfosecurity.com/files/whitepapers/pdf/...fisma_compliance.pdf · CENTRIFY WHITE PAPER, ... Addressing FISMA Compliance

How to Defend Against FISMA Gus Fritschie and Andrew Du June 1st, 2013 FISMA Compliance

FY 2019 FISMA CIO Metrics 2019 FISMA CIO... · 3 The 24 Chief Financial Officer (CFO) Act agencies must report on the status of all metrics on a quarterly basis, at a minimum, in

Software Quality Metrics Overview. Types of Software Metrics Product metrics – e.g., size, complexity, design features, performance, quality level

FISMA and MetricsInformation Security Metrics, when done well: • Enables better decision making • Indicates program performance, both good and bad • Justifies resource allocation

EPA’s Information Security Program Is Established, but ... · EPA’s Information Security Program Is ... FY 2017 IG FISMA of 2014 reporting metrics. Identify •Risk ... of the

FISMA Cybersecurity Performance Metrics and Scoring Moses_DOT... · Metrics and Scoring ... Identify – Develop the organizational understanding to manage cybersecurity risk to

FY 2013 Chief Information Officer Federal Information ... CIO FISMA... · FY 2013 . Chief Information Officer . Federal Information Security Management Act . Reporting Metrics . Prepared

FISMA COMPLIANCE—FIRMWARE SECURITY BEST ...1 2019 Eclypsium, Inc FISMA COMPLIANCE—FIRMWARE SECURITY BEST PRACTICES FISMA, and the NIST documents supporting it, repeatedly underscore

Evolution of OIG FISMA Metrics - NIST Computer Security ... · Evolution of OIG FISMA Metrics Information Security ... Agenda • Inspector General (IG) FISMA metrics background •

FISMA report

2011 Annual FISMA Executive Summary Report - SEC.gov · The Office of Information Technology ... FISMA was enacted in 2002 as Title III of the E -Government ... 2011 Annual FISMA

JVM Web Application Metrics & Monitoring · pull /push push server -(process)-> metrics storage gateway e.g. mackerel agent pull server

FY 2017 CIO FISMA Metrics - dhs.gov

FY 2016 CIO FISMA Metrics - Homepage | CISA · 2019-08-08 · FY 2016 FISMA metrics leverage the Cybersecurity Framework as a standard for managing and reducing cybersecurity risks,

FISMA Compliance Handbook - UAB

DojoSec FISMA Presentation

FISMA Corrective action plans

E}{IM · As described in the FY 2018 IG FISMA Reporting Metrics, Version 1.0.1, May 24, 2018, the eight FISMA Metric Domains are: risk management, configuration management, identity

FY 2019 FISMA CIO Metrics 2019 FISMA CIO Metrics_V1...enterprise-level mobile device management that includes, at a minimum, agency defined user authentication requirements on mobile

CYBERSECURITY REGULATORY COMPLIANCE FISMA - Federal

FY 2018 CIO FISMA Metrics V 2.0 · The Fiscal Year (FY) 2018 Chief Information Officer (CIO) FISMA metrics focus on assessing agencies’ progress toward achieving outcomes that strengthen

The Social Security Administration’s Compliance with the ... · responses to the FY 2014 IG FISMA reporting metrics developed by the Department of Homeland Security (DHS), are submitted

(Draft 1.0) -- 20 Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance

Rapid7 FISMA Compliance Guide

Adobe Marketing Cloud Importing Paid Search Metrics · Importing Paid Search Metrics Steps to configure Reports & Analytics to track your paid search metrics (e.g., Google AdWords,

Semiannual Report to Congress, No. 80FY 2019 FISMA Review Results . As guided by FY 2019 FISMA Metrics, we found that the Department and FSA were not effective in any of the five security

FY 2020 CIO FISMA Metrics - CISA · The Fiscal Year (FY) 2020 Chief Information Officer (CIO) FISMA metrics focus on assessing agencies’ progress toward achieving outcomes that