
Page 1: SB69: Organizational Perspective on Managing Risk from Information Systems · download.101com.com/pub/cpm/files/SB69BoydSpreitzer.pdf · 2008-05-06 · NIST Special Publication 800-39

SB69: Managing Risk from Information Systems: An Organizational Perspective

Mark Spreitzer, CBCP
CGI Enterprise Security Practice
Director, Business Continuity/CIP
Office: 212.612.3611
[email protected]
www.cgi.com

Barry Boyd, CISSP, CISM
CGI Enterprise Security Practice
Senior Consultant
Office: 703.633.9262
[email protected]
www.cgi.com

Page 2: Agenda

• Introduction to NIST 800-39
• Discussion of the Fundamentals
• Risk Executive Function
• The Process
• Applying the Framework
• Mapping Risk Management Framework to the SDLC
• Questions

Page 3: NIST & Special Publications

• NIST = National Institute of Standards and Technology
• ITL = Information Technology Laboratory
  – Provides technical leadership for measurement and standards
  – Chartered to promote and protect the economy and public welfare
• Special Publications (SP) are the published results
  – tests, test methods, reference data, proof of concept implementations, and technical analyses
  – produced in collaboration with industry, government, and academic organizations
• Special Publication 800 series focused on Computer Security
  – How-to guidance and support on Security and Business Continuity
• Compliance is mandatory for Federal Information Security Management Act (FISMA) certification
  – protection of the Nation’s Critical Information Infrastructure
  – agencies must document exceptions to NIST compliance

Page 4: Related NIST Publications

• Primary Guidance:
  – SP 800-18, Guide for Developing Security Plans for Federal Information Systems
  – SP 800-30, Guide for Conducting Risk Assessments (update pending)
  – SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
  – SP 800-53, Recommended Security Controls for Federal Information Systems
  – SP 800-53A (Draft), Guide for Assessing the Security Controls in Federal Information Systems
  – SP 800-59, Guideline for Identifying an Information System as a National Security System
  – SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
• Other Useful Guidance:
  – SP 800-64, Security Considerations in the Information System Development Life Cycle
  – SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process
  – SP 800-100, Information Security Handbook: A Guide for Managers

Page 5: NIST Special Publication 800-39

• Describes the NIST Risk Management Framework
  – New flagship in the series
  – Phase 1 of the redesign of the risk management guidelines
• Revising SP 800-30, Risk Management, to focus exclusively on Risk Assessments
• Provides guidance on:
  – Organization-wide perspectives on managing risk from systems;
  – Risk-based protection strategies;
  – Trustworthiness of systems and trust relationships among organizations;
  – Managing risk from external providers of services and information;
  – Strategic considerations for managing risk related to the operation and use of systems; and
  – Use of the risk executive function.
• Describes how to apply the framework to the system development life cycle (SDLC)

Page 6: Fundamentals

Organization-Wide Perspective

• Approach: Prioritize requirements and allocate resources based on impact to the organization
  – Develop a comprehensive view of the business functions and supporting systems
  – Share knowledge of operations and use of processes and data
  – Enable key resources through the value chain to manage the organizational risk
• Objective: Institutionalize security and controls

Page 7: Fundamentals

Organization-Wide Perspective

• Incorporating Security into Enterprise Architecture
• Integrating Security into the SDLC
• Risk Executive Function

Page 8: Fundamentals

Risk Executive Function

• Ensures goals and objectives of the organization are considered when making decisions for specific systems
• Provides visibility into the individual decisions of executives (mission)
• Provides a holistic view of risk to the organization
  – beyond risk associated with IT operations
• Recognizes reliance on external providers to provide IT services
• Leading the function:
  – C-level official
    • CIO – challenge is system focus
    • Department Head – challenge is single-service focus
    • CFO – challenge is financial focus
    • PMO – able to address cross-functional view
    • Risk Officer – rollup of organizational risk, financial and operational
  – Resource should be independent of services

Page 9: Fundamentals

Risk-Based Protection Strategies

• Balance risks with benefits of services
• Select controls to achieve balance
• Implement controls
• Acknowledge and accept (or transfer) identified risks
  – Explicit statements foster trust
  – Implicit statements hide degree of acceptance
• Be accountable for the results

Page 10: Fundamentals

Trustworthiness of Systems

• Confidentiality, integrity, and availability of data
• Defined as point in time and measurable
• Factors include
  – Functionality (features)
  – Quality of the system
    • always invoked; non-bypassable; tamper resistant
  – Assurance of the system
    • test results, the grounds for confidence
• Outcome: signoff of functionality as designed

Page 11: Fundamentals

Establishing Trust Relationships

• Trust must be earned
  – Defining services provided;
  – Describing how services are protected
  – Obtaining assurance of compliance
• Trust depends on actions and evidence
  – Action is the agreement to provide
  – Evidence is the implementation
• Joint ventures
• Business partnerships
• Outsourcing arrangements
• Licensing agreements
• Supply chain collaborations
• Partnerships

Page 12: Fundamentals

Strategic Planning Considerations

• Defense-in-breadth approach
  – Diversification of IT assets
  – Management of complexity
  – Balanced safeguards and countermeasures
  – Detection and response to breaches
  – Consideration of use restrictions
    • Technology or resource constraints (explicit)
    • Controls lack reasonable protection (implied)
  – Process reengineering

Page 13: Process

Applying the Framework

Page 14: Categorize

• Determine organizational missions and business functions
  – Conduct organization-wide with full stakeholder participation
    • Business owners, system owners, officials, CIO, CSO, CFO, risk executive
• Match priorities then identify measures
  – map data criticality and sensitivity
• Match control to the potential impact
  – organizational operations, assets, individuals or partners
• Result
  – Security Control = {confidentiality impact, integrity impact, availability impact}

Page 15: Select & Supplement

• Select initial minimum set of controls
  – Low, Moderate, High
• Catalog and tailor as needed
  – Remove non-applicable controls
  – Add controls based on other requirements
    • Mandates, e.g. HIPAA, SOX, etc.
• Establish as baseline
• Publish: Update catalog
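The Categorize and Select & Supplement steps above are the part of the framework that can be made mechanical and checkable. The following Python is an added worked example, not code from the slides, from CGI or from NIST: it builds the {confidentiality impact, integrity impact, availability impact} triple from the information types a system handles, derives the Low/Moderate/High baseline from it, then tailors that baseline by removing controls with a recorded reason and adding controls a mandate requires. Two rules come from publications the deck cites: aggregating per objective across information types (SP 800-60) and picking the baseline by the highest of the three impact values (the FIPS 200 high-water mark). The information types, the control-to-baseline allocation and the HIPAA control id are constructed sample data; the allocation does not reproduce SP 800-53's.

```python
"""Added example (not from the SB69 slides or NIST): Categorize -> Select & Supplement.

Assumptions, labelled: information types, the control-to-baseline allocation and
mandate controls below are constructed sample data, not SP 800-53's allocation.
Rules taken from NIST publications cited on the slides: per-objective maximum
across information types (SP 800-60) and the FIPS 200 high-water mark.
"""
from dataclasses import dataclass, field

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class SecurityCategory:
    """The triple the Categorize slide defines: {C impact, I impact, A impact}."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for v in (self.confidentiality, self.integrity, self.availability):
            if v not in RANK:
                raise ValueError(f"impact level must be one of {LEVELS}, got {v!r}")


def categorize_system(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """Aggregate the categories of every information type the system handles,
    objective by objective: the system is at least as sensitive as its most
    sensitive data for each of C, I and A (SP 800-60 approach)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    cats = list(info_types.values())

    def pick(attr: str) -> str:
        return max((getattr(c, attr) for c in cats), key=RANK.__getitem__)

    return SecurityCategory(pick("confidentiality"), pick("integrity"), pick("availability"))


def baseline_level(sc: SecurityCategory) -> str:
    """FIPS 200 high-water mark: the baseline (Low/Moderate/High) is the
    highest impact value across the three objectives."""
    return max((sc.confidentiality, sc.integrity, sc.availability), key=RANK.__getitem__)


# Constructed, illustrative allocation of control ids to baselines.  The ids
# are SP 800-53 control names but the allocation is a teaching sample only.
BASELINES = {
    "LOW": {"AC-1", "AU-1", "IA-1"},
    "MODERATE": {"AC-1", "AU-1", "IA-1", "AC-5", "AU-6"},
    "HIGH": {"AC-1", "AU-1", "IA-1", "AC-5", "AU-6", "AC-6", "AU-9"},
}


@dataclass
class TailoringDecision:
    """Record of the Select & Supplement step, so the security plan can carry
    the rationale for every control removed or added."""
    baseline: str
    controls: set[str]
    rationale: dict[str, str] = field(default_factory=dict)


def tailor(baseline: str, not_applicable: dict[str, str],
           mandates: dict[str, set[str]]) -> TailoringDecision:
    """Start from the minimum set for the baseline, remove controls that do not
    apply (each with a stated reason), then add controls required by other
    mandates such as HIPAA or SOX.  A removal without a reason is rejected,
    because an undocumented removal is exactly the implicit acceptance the
    deck warns hides the degree of risk taken on."""
    controls = set(BASELINES[baseline])
    decision = TailoringDecision(baseline, controls)
    for ctrl, reason in not_applicable.items():
        if not reason.strip():
            raise ValueError(f"removal of {ctrl} needs a documented reason")
        if ctrl in controls:
            controls.discard(ctrl)
            decision.rationale[ctrl] = f"removed: {reason}"
    for mandate, required in mandates.items():
        for ctrl in required:
            if ctrl not in controls:
                controls.add(ctrl)
                decision.rationale[ctrl] = f"added: required by {mandate}"
    return decision


def example_system() -> TailoringDecision:
    """Constructed sample: a claims system holding health records plus a
    public schedule.  'HIPAA-ACCESS-LOG' is a placeholder mandate control."""
    info = {
        "health records": SecurityCategory("HIGH", "MODERATE", "MODERATE"),
        "public schedule": SecurityCategory("LOW", "MODERATE", "LOW"),
    }
    sc = categorize_system(info)   # {HIGH, MODERATE, MODERATE}
    level = baseline_level(sc)     # HIGH
    return tailor(level,
                  not_applicable={"AU-9": "inherited from the enterprise logging service (common control)"},
                  mandates={"HIPAA": {"HIPAA-ACCESS-LOG"}})


if __name__ == "__main__":
    d = example_system()
    print(d.baseline, sorted(d.controls))
    for ctrl, why in d.rationale.items():
        print(f"  {ctrl}: {why}")
```

The `rationale` map is what the Document step later turns into the security plan's "rationale for control decisions"; producing it as a by-product of tailoring, rather than reconstructing it afterwards, is the design choice worth copying.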

Page 16: Document

• Outline roadmap of protection controls
• Describe results
  – Risk mitigation deemed necessary
  – Trustworthiness achieved
• Result is security plan
  – Rationale for control decisions

Page 17: Implement

• Determination of responsibility for
  – Development
  – Implementation
  – Assessment
• Allocation of controls to resources
  – People
  – Processes
  – Technologies
• Implementation of controls
• Inform assessors of evaluation criteria
  – Resources responsible
  – Capabilities
  – Controls

Page 18: Assess

• Compile evidence
  – security functionality has been achieved
  – requisite level of quality
  – agreed-upon level of trustworthiness
• Assess results against industry, national, and international security standards
  – FISMA, HIPAA, SOX, etc.
  – ITIL (IT Infrastructure Library) framework for IT Service Management
• Document results
  – List of vulnerabilities (Assessment Report)
  – Plan of action and milestones, or
  – Remediation plan

Page 19: Authorize

• Establish responsibility and accountability
• Review risks and gains
  – Operations, assets, individuals, other organizations
• Evaluate relationships and impact
  – Customer/provider & peer-to-peer relationships
  – Sourcing (insourcing or outsourcing)
  – Service-oriented architectures
  – Software as a service
  – Lines of business
• Review assessment results
  – RA, BIA, security plans, etc.
• Decision to operate
• Establish ownership of plans and protection procedures
  – Ongoing mitigation of risk
  – Safeguards and countermeasures

Page 20: Monitor

• Develop policy and procedure framework
• Conduct a point-in-time assessment
• Implement aggressive continuous monitoring program
• Implement accountability reporting
• Implement change control
• Review previous results, update and net change
• Report status
  – Regular schedule
  – As changes necessitate (volatility)
• Couple with System Development Life Cycle (SDLC)

Page 21: Process

Activities that result from the framework

• Coordination of controls across business processes

Page 22: Security in the SDLC

Page 23: Acquisition Cycle and the SDLC

• SDLC applies to legacy and acquired services
• If no controls exist, a plan is created
  – documenting the agreed-upon security controls
• Next, the necessary acquisition and development activities are carried out to implement these controls

Page 24: Summary

• View risk as an element of the organization’s mission
• Roll up risk decisions to the executive function
• Select and implement controls to provide value across the enterprise
• Implement formal acceptance of accountability and responsibility
• Monitor and provide results to the risk executive function
• Results: Enhancement of the value chain
  – Improvements in reliability, fidelity & quality
  – Furthers integration of service providers into the value chain
• NIST Risk Framework is the first phase in the series update