NCI-CBIIT Security in the System/Services Development Life Cycle Presenter: Braulio J. Cabral CBIIT Enterprise Security Coordinator

Upload: meagan-mccarthy

Post on 26-Dec-2015


Content

• The Path to Security and Compliance

• Security and Compliance through the SDLC

• Software Security Requirements

• ECCF

• Validating Security (Certification and Accreditation)

• Roles and Responsibilities

• Current caBIG Security Infrastructure

• Future Security as Service


The Path to a Secure/Compliant System


Security Requirements

• Software security requirements

• Leverage certification tools for security requirements gathering.

• Prepare for FISMA certification through the SDLC phases.

• Let’s get the security requirements.

• Application security requirements (ECCF templates, security conformance statements, security assertions (QA))

• PIA, E-Auth. Assessment, System Categorization (C&A process)

• System Security Plan


CIM (CFSS) Conformance Example

Conformance No. AE-CP2

Security Pre-Conditions [M]

Access control mechanism needs to be in place to ensure that the user is logged in and has valid privileges of a Study Administrator to initiate an Adverse Event.


Compliance & Conformance Statements

| Name | Type | Viewpoint | Description | Test Method |
|---|---|---|---|---|
| Secured Access | Obligation | Engineering | The AE service should have an access control mechanism in place to restrict access to sensitive data | 1. Design review 2. Security test case |


Platform Independent Model (PIM) and Service Specification

Operation Behavior Description

Security Conditions

• Describe in detail the security constraints which the user needs to fulfill in order to successfully execute this operation.

• Provide the following details

  • List all the Group / Role / Attribute which the user needs to have in order to execute the operation

  • List any specific access control which the user needs to have on the particular instance of the input parameter in order to gain access (e.g. user needs to be a study co-ordinator for the Study id passed)

  • Any additional security requirements (e.g. Authentication Required or Anonymous call allowed for the operation)


PIM Conformance Statements

• Security Conformance Statements

• Security as conformance statements

• Security as mandatory constraints or pre-conditions

• Security as a full conformance profile

• Deployment considerations

• Jurisdictional Domains


Platform Specific Model and Service Specification (PSM)

• Security Standards and Technology

• Assumptions and Dependencies for Security

• Operations Details

• Security Controls

• Implementation Considerations

• Access Control

• Application (service) Security (Access Policy)

• Cryptography


• Information Security and Risk Management

• Legal, Regulations, Compliance and Investigations

• Telecommunications and Network Security

• Auditing

• Privacy


Conformance Assertions

• Quality Control

• Test Cases


Validating Security

• FISMA Certification Process

• PIA

• e-Authentication assessment

• System Categorization

• Appscan

• Request C&A through security team (ISSO: Bruce Woodcock, Blaise Czkalski, coordinator Braulio J. Cabral)

• Security Plan, Contingency plan, etc.


Security roles & responsibilities

• Who does what?

• System Owner: PIA, E-Authentication Assessment, System Categorization, system diagram, request appscan, etc.

• ISSO: C&A process, appscan

• CIO: Authorization letter

• NCI Privacy Office (PIA)

• POC: Suzanne Millard ([email protected])


Current caBIG Security Infrastructure

• The Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)


Authentication

• Dorian Authentication Service (SAML and Grid Certificate)

• CSM Authentication (user name/password)

• CSM authentication with NCI-LDAP

• Single Sign on (SSO)


Authorization

• CSM Authorization (Application Level) (moving towards Service Level)

• CSM Authorization (Service Level)

• GRID Grouper Authorization

• Combined CSM/GRID Grouper


Authorization Service Level with CSM Example (CCTS Suite)

[Diagram; labels: C3PR, caAERS, PSC, Lab Viewer, C3D Connector, CSM, API]


Future Security As Services Infrastructure


Useful Links

• Enterprise Security Program : https://wiki.nci.nih.gov/pages/viewpage.action?pageId=24276546

• System Categorization form (FIPS-199) - http://ocio.nih.gov/nihsecurity/InventoryandCategorization/NIH_System_Categorization_form.doc

• Authentication Risk Assessment Report - http://ocio.nih.gov/nihsecurity/HHS_E-Authentication_Report_Template.doc


• System Security Plan - http://ocio.nih.gov/nihsecurity/FIPS-200-SSP-Basic-Outline.doc

• Contingency plan (if available, part of the system security plan) - http://ocio.nih.gov/nihsecurity/NIH-CP-Template.doc

• ECCF Templates: http://gforge.nci.nih.gov/svnroot/candc/trunk/documents/artifact_templates/