Integrated Enterprise-wide Risk Management

Transcription

Integrated Enterprise-wide Risk Management
Organization, Mission, and Information Systems View
Information System Security Association
June 16, 2009
Dr. Ron Ross
Computer Security Division
Information Technology Laboratory
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

The Threat Situation
Continuing serious cyber attacks on federal information systems, large and small; targeting key federal operations and assets
- Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
- Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising federal information systems.
- Effective deployment of malicious software causing significant exfiltration of sensitive information (including intellectual property) and potential for disruption of critical information systems/services.

Asymmetry of Cyber Warfare
The weapons of choice are—
- Laptop computers, hand-held devices, cell phones.
- Sophisticated attack tools and techniques downloadable from the Internet.
- World-wide telecommunication networks including telephone networks, radio, and microwave.
Resulting in low-cost, highly destructive attack potential.

Unconventional Wisdom
NEW RULE: Boundary protection is no longer sufficient against high-end threats capable of launching sophisticated cyber attacks.
- Complexity of IT products and information systems.
- Insufficient penetration resistance (trustworthiness) in commercial IT products.
- Insufficient application of information system and security engineering practices.
- Undisciplined behavior and use of information technology and systems by individuals.

The Fundamentals
Fighting and winning a 21st century cyber war requires 21st century strategies, tactics, training, and technologies
- Integration of information security into enterprise architectures and system life cycle processes.
- Common, shared information security standards for unified cyber command.
- Enterprise-wide, risk-based protection strategies.
- Flexible and agile selection / deployment of safeguards and countermeasures (maximum tactical advantage based on missions / environments of operation).
- More resilient, penetration-resistant information systems.
- Competent, capable cyber warriors.

Compliance vs. Risk-based Protection
“We should not be consumed with counting the number of dead bolts on the front door when the back door is wide open.”
-- Anonymous

Risk-Based Protection
- Enterprise missions and business processes drive security requirements and associated safeguards and countermeasures for organizational information systems.
- Highly flexible implementation; recognizing diversity in missions/business processes and operational environments.
- Senior leaders take ownership of their security plans including the safeguards/countermeasures for the information systems.
- Senior leaders are both responsible and accountable for their information security decisions; understanding, acknowledging, and explicitly accepting resulting mission/business risk.

Strategic Initiatives
The Long-term View
- Build a unified information security framework for the federal government and support contractors.
- Integrate information security and privacy requirements into enterprise architectures.
- Employ systems and security engineering techniques to develop more secure (penetration-resistant) information systems.

Tactical Initiatives
The Short-term View
- Update security controls catalog and baselines.
  Delivery vehicle: NIST Special Publication 800-53, Revision 3
- Develop enterprise-wide risk management guidance.
  Delivery vehicle: NIST Special Publication 800-39
- Restructure the current certification and accreditation process for information systems.
  Delivery vehicle: NIST Special Publication 800-37, Revision 1
- Provide more targeted guidance on risk assessments.
  Delivery vehicle: NIST Special Publication 800-30, Revision 1

Change the Culture
- Strong, top-level senior leadership commitment.
- Understand adversary capabilities, types of threats and attacks.
- Recognize information security is essential for mission success.
- Employ more discipline and structure in how information systems are implemented and used.
- Implement least privilege, least functionality.
- Require corporate and individual responsibility and accountability.
- Develop a cyber warrior mentality.
- Obtain situational awareness during day-to-day agency operations.
- Require ongoing monitoring of people, processes, and technologies.

Risk Management Hierarchy
Multi-tiered Risk Management Approach (NIST SP 800-39)
- Implemented by the Risk Executive Function
- Enterprise Architecture and SDLC Focus
- Flexible and Agile Implementation
LEVEL 1: Organization (strategic risk focus)
LEVEL 2: Mission / Business Process
LEVEL 3: Information System (tactical risk focus)

Risk Management Hierarchy
Risk Executive Function (Oversight and Governance)
LEVEL 1: Organization (NIST SP 800-39): Risk Management Strategy
- Risk Assessment Methodologies
- Risk Mitigation Approaches
- Risk Tolerance
- Risk Monitoring Approaches
- Linkage to ISO/IEC 27001
LEVEL 2: Mission / Business Process
LEVEL 3: Information System

Risk Management Hierarchy
LEVEL 1: Organization: Risk Management Strategy (NIST SP 800-39)
LEVEL 2: Mission / Business Process
- Mission / Business Processes
- Information Flows
- Information Categorization
- Information Protection Strategy
- Information Security Requirements
- Linkage to Enterprise Architecture
LEVEL 3: Information System

Risk Management Hierarchy
LEVEL 1: Organization
LEVEL 2: Mission / Business Process
LEVEL 3: Information System: Risk Management Framework (NIST SP 800-37)
- Linkage to SDLC
- Information System Categorization
- Selection of Security Controls
- Security Control Allocation and Implementation
- Security Control Assessment
- Risk Acceptance
- Continuous Monitoring

The Central Question
From Two Perspectives
- Security Capability Perspective: What security capability is needed to defend against a specific class of cyber threat, avoid adverse impacts, and achieve mission success? (REQUIREMENTS DEFINITION)
- Threat Capability Perspective: Given a certain level of security capability, what class of cyber threat can be addressed and is that capability sufficient to avoid adverse impacts and achieve mission success? (GAP ANALYSIS)

Risk Management Framework
Security Life Cycle (SP 800-39)
- Starting Point: CATEGORIZE Information System (FIPS 199 / SP 800-60). Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
- SELECT Security Controls (FIPS 200 / SP 800-53). Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
- IMPLEMENT Security Controls (SP 800-70). Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
- ASSESS Security Controls (SP 800-53A). Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
- AUTHORIZE Information System (SP 800-37). Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
- MONITOR Security State (SP 800-37 / SP 800-53A). Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Security Control Selection
- STEP 1: Select Baseline Security Controls (NECESSARY TO COUNTER THREATS)
- STEP 2: Tailor Baseline Security Controls (NECESSARY TO COUNTER THREATS)
- STEP 3: Supplement Tailored Baseline (SUFFICIENT TO COUNTER THREATS)
Shown against the Risk Management Framework cycle: SELECT Security Controls, IMPLEMENT Security Controls, ASSESS Security Controls, AUTHORIZE Information System.
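The CATEGORIZE and SELECT steps from the two slides above (worst-case categorization, then baseline selection, tailoring and supplementation), modeled in Python. This is an added example, not NIST's own material or anything from the presentation. It assumes the FIPS 199 "high-water mark" rule for the system impact level; the control identifiers are real SP 800-53 control numbers, but their allocation to the three baselines here is a constructed, abbreviated subset rather than the published baselines, and the scoping rationale and risk findings are constructed as well.

```python
"""Toy model of the RMF steps CATEGORIZE and SELECT (baseline, tailor,
supplement).  Added example, not NIST's own code.  BASELINES is a
constructed subset: the control numbers are real SP 800-53 controls, but
their placement in baselines here is illustrative only."""

from dataclasses import dataclass, field

# FIPS 199 impact levels, ordered from lowest to highest.
IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")

# Constructed, abbreviated baselines keyed by system impact level.
# Each higher baseline is a superset of the one below it.
BASELINES = {
    "LOW": {"AC-2", "AC-6", "AC-17", "AU-2", "CM-7", "SC-7"},
    "MODERATE": {"AC-2", "AC-6", "AC-17", "AU-2", "CM-7", "SC-7", "SC-28"},
    "HIGH": {"AC-2", "AC-6", "AC-17", "AU-2", "CM-7", "SC-7", "SC-28", "SC-8"},
}


def categorize(confidentiality, integrity, availability):
    """CATEGORIZE step: FIPS 199 high-water mark.  The system impact level
    is the highest impact assigned to any of the three security objectives,
    i.e. the potential worst-case adverse impact to mission/business."""
    levels = (confidentiality, integrity, availability)
    for level in levels:
        if level not in IMPACT_LEVELS:
            raise ValueError(f"unknown impact level: {level!r}")
    return max(levels, key=IMPACT_LEVELS.index)


@dataclass
class ControlSelection:
    """Record of SELECT step decisions.  The rationale strings are what the
    security plan (SP) has to justify to the authorizing official."""
    impact: str
    baseline: set
    removed: dict = field(default_factory=dict)  # control -> scoping rationale
    added: dict = field(default_factory=dict)    # control -> risk rationale

    def selected(self):
        """Controls that actually apply: tailored baseline plus supplements."""
        return (self.baseline - set(self.removed)) | set(self.added)


def select_baseline(impact):
    """STEP 1: pick the baseline matching the system impact level."""
    return ControlSelection(impact=impact, baseline=set(BASELINES[impact]))


def tailor(selection, scoping):
    """STEP 2: scope out baseline controls that do not apply.  Only baseline
    controls may be removed, and every removal carries a documented rationale."""
    for control, rationale in scoping.items():
        if control not in selection.baseline:
            raise ValueError(f"{control} is not in the {selection.impact} baseline")
        selection.removed[control] = rationale
    return selection


def supplement(selection, risk_findings):
    """STEP 3: add controls the risk assessment shows are needed.  A finding
    naming a control already selected is a no-op; one naming a control scoped
    out in STEP 2 contradicts the tailoring decision and is rejected."""
    for control, rationale in risk_findings.items():
        if control in selection.removed:
            raise ValueError(f"{control} was tailored out: {selection.removed[control]}")
        if control in selection.selected():
            continue
        selection.added[control] = rationale
    return selection


def example_system():
    """Constructed example: a system with MODERATE confidentiality impact,
    no remote access, whose risk assessment flags an exfiltration threat."""
    impact = categorize("MODERATE", "LOW", "LOW")
    selection = select_baseline(impact)
    tailor(selection, {"AC-17": "system provides no remote access capability"})
    supplement(selection, {
        "SC-28": "sensitive data at rest (already in baseline)",
        "IR-4": "risk assessment: exfiltration threat requires incident handling",
    })
    return selection


if __name__ == "__main__":
    s = example_system()
    print(f"impact level: {s.impact}")
    print(f"selected controls: {sorted(s.selected())}")
    for control, why in s.removed.items():
        print(f"  scoped out {control}: {why}")
    for control, why in s.added.items():
        print(f"  supplemented {control}: {why}")
```

The point of keeping `removed` and `added` as separate dictionaries rather than mutating the baseline in place is that the final control set alone does not tell an assessor or authorizing official why it differs from the baseline; the rationale for every tailoring and supplementation decision is exactly what the later ASSESS and AUTHORIZE steps need to see.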

Cyber Preparedness
Defender security capability, from LOW to HIGH, matched against threat level:
- THREAT LEVEL 1: CYBER PREP LEVEL 1
- THREAT LEVEL 2: CYBER PREP LEVEL 2
- THREAT LEVEL 3: CYBER PREP LEVEL 3
- THREAT LEVEL 4: CYBER PREP LEVEL 4
- THREAT LEVEL 5: CYBER PREP LEVEL 5
An increasingly sophisticated and motivated threat requires increasing preparedness.

Dual Protection Strategies
Boundary Protection
- Primary Consideration: Penetration Resistance
- Adversary Location: Outside the Defensive Perimeter
- Objective: Repelling the Attack
Agile Defense
- Primary Consideration: Information System Resilience
- Adversary Location: Inside the Defensive Perimeter
- Objective: Operating while under Attack

Agile Defense
- Boundary protection is a necessary but not sufficient condition for Agile Defense
- Examples of Agile Defense measures:
  - Compartmentalization and segregation of critical assets
  - Targeted allocation of security controls
  - Virtualization and obfuscation techniques
  - Encryption of data at rest
  - Limiting of privileges
  - Routine reconstitution to known secure state
Bottom Line: Limit damage of hostile attack while operating in a (potentially) degraded mode

RISK EXECUTIVE FUNCTION
Enterprise-wide Oversight, Monitoring, and Risk Management Strategy
Architecture Description:
- Architecture Reference Models
- Segment and Solution Architectures
- Mission and Business Processes
- Information System Boundaries
Organizational Inputs:
- Laws, Directives, Policy Guidance
- Strategic Goals and Objectives
- Priorities and Resource Availability
- Supply Chain
Common Controls (Inherited by Information Systems), with their own POAM
Per information system: SP, SAR, POAM, and Authorization Decision
SP: Security Plan
SAR: Security Assessment Report
POAM: Plan of Action and Milestones

A Unified Framework For Information Security
The Generalized Model: Intelligence Community, Department of Defense, Federal Civil Agencies
The Foundational Set of Information Security Standards and Guidance:
- Standardized risk management process
- Standardized security categorization (criticality/sensitivity)
- Standardized security controls (safeguards/countermeasures)
- Standardized security assessment procedures
- Standardized security authorization process
National security and non national security information systems

Key Risk Management Publication
NIST Special Publication 800-53, Revision 3 (Final Public Draft)
Recommended Security Controls for Federal Information Systems
Projected: May 2009
- Updating all material from NIST Special Publication 800-53, Revision 2
- Incorporating lessons learned from interagency assessment case project
- Incorporating material from Draft CNSS Instruction 1253
- Incorporating new security controls for advanced cyber threats
- Incorporating information security program-level controls
- Incorporating threat appendix for cyber preparedness (separately vetted and added to SP 800-53, Revision 3 when completed)

Key Risk Management Publication
NIST Special Publication 800-37, Revision 1 (Final Public Draft)
Applying the Risk Management Framework to Federal Information Systems
Projected: June 2009
- Incorporating comments from Initial Public Draft
- Implementing guideline for Risk Management Framework
- Transforming previous certification and accreditation process
- Integrating Risk Management Framework into the SDLC
- Greater emphasis on ongoing monitoring of information system security state
- Ongoing security authorizations informed by risk executive function
- Greater accountability and assurances for common (inherited) controls
- Increased use of automated support tools

Key Risk Management Publication
NIST Special Publication 800-39 (Third Public Draft)
Managing Enterprise Risk: An Integrated System Life Cycle Approach
Projected: August 2009
- Incorporating public comments from NIST Special Publication 800-39, Second Public Draft
- Incorporating three-tiered risk management approach: organization, mission/business process, and information system views
- Incorporating cyber preparedness information
- Providing ISO/IEC 27001 mapping to risk management publications

Key Risk Management Publication
NIST Special Publication 800-30, Revision 1 (Initial Public Draft)
Guide for Conducting Risk Assessments
Projected: September 2009
- Down scoping current publication from risk management focus to risk assessment focus
- Providing guidance for conducting risk assessments at each step in the Risk Management Framework
- Incorporating threat information for cyber preparedness

Contact Information
100 Bureau Drive Mailstop 8930
Gaithersburg, MD USA 20899-8930
Project Leader: Dr. Ron Ross, (301) 975-5390, ron.ross@nist.gov
Administrative Support: Peggy Himes, (301) 975-2489, peggy.himes@nist.gov
Senior Information Security Researchers and Technical Support:
- Marianne Swanson, (301) 975-3293, marianne.swanson@nist.gov
- Dr. Stu Katzke, (301) 975-4768, skatzke@nist.gov
- Pat Toth, (301) 975-5140, patricia.toth@nist.gov
- Arnold Johnson, (301) 975-3247, arnold.johnson@nist.gov
- Matt Scholl, (301) 975-2941, matthew.scholl@nist.gov
Information and Feedback
Web: csrc.nist.gov/sec-cert
Comments: sec-cert@nist.gov