Transcription
IJSRD - International Journal for Scientific Research & Development Vol. 1, Issue 4, 2013 ISSN (online): 2321-0613A Monitor System in Data Redundancy in Information SystemVarsha Soni1M. Tech (C.S.)Research Scholar1Mewar University, Chittorgarh.1Abstract—The structure of a few of the InformationAssurance (IA) processes currently being used in the UnitedStates government. In this paper, the general structure of theprocesses that are uncovered and used to create aContinuous Monitoring Process that can be used to create atool to incorporate any process of similar structure. Thepaper defines a concept of continuous monitoring thatattempts to create a process from the similar structure ofseveral existing IA processes. The specific documents andprocedures that differ among the processes can beincorporated to reuse scan results and manual checks thathave already been conducted on an IS A proof-of-conceptapplication is drafted to demonstrate the main aspects of theproposed tool. The possibilities and implications of theproof-of-concept application are explored, to develop a fullyfunctional and automated version of the proposedContinuous Monitoring tool.Keywords: DIACAP, commonContinuous monitoring process.structureprocesses,I. INTRODUCTIONIn International relations, offensive advantage “means that itis easier to destroy the other’s army and take its territorythan it is to defend one’s own” [1]. This can be translated interms of cyber security to mean that it is easier to destroythe availability of the other’s information infrastructure andtake its confidential information than it is to defend one’sown information infrastructure. Due to the fact that there is aclear offensive advantage in cyber warfare, it is important toensure the security of information systems by havinginformation assurance security controls in place and up-todate. Information Assurance (IA) consists of the “measuresthat protect and defend information and information systemsby ensuring their availability, integrity, authentication,confidentiality, and non-repudiation” [2]. Security controlsare “the management, operational and technical controls(e.g., safeguards or countermeasures) prescribed for aninformation system to protect the confidentiality, integrity,and availability of the system and its information” [2]. TheFederal Information Security Management Act (FISMA),include developing, documenting, and implementing aninformation security program and developing andmaintaining an inventory of information systems under thecontrol of the organization. The key requirements are toprovide information security protections commensurate withthe assessed risk and to compose annual reports on theeffectiveness of the organization’s information securityprogram [3].The OMB Circular A-130, to review the securitycontrols of their information systems to ensure that changesdo not have a significant impact on security, IA controlscontinue to perform as intended, and security plans remaineffective.Department of Defense (DoD) InformationAssurance Certification and Accreditation Process(DIACAP) is how the OMB and FISMA requirements aremet. The DIACAP ensures the risks associated with theinformation system (IS) are acceptable. It checks forcompliance against the IA controls in the DoD Instruction8500.2 Information Assurance (IA) Implementation. Thereare several IA Processes currently being used throughout theUnited States Government. Each department, such as theDepartment of Defense (DoD) and Department of State, hasits own processes and internal standard operating procedures(SOPs). As a result, the same IA controls are checked inseveral processes, creating redundant work and wastingcritical time. This redundancy can be reduced throughcontinuous monitoring and reuse of automated scans andmanual checks of the IA controls. Vulnerabilities to the IScan occur if IA controls are not performing as intended ornew weaknesses to the system are not addressed. Withoutcontinuous monitoring, these vulnerabilities may gounnoticed until DIACAP re-certification which may beyears away.A. DIACAPThe DoDI 8510.01 establishes a process for DoD IACertification and Accreditation that will authorize theoperation of DoD information systems in accordance withFISMA [3], DoDD 8500.01 Information Assurance [7],DoDI 8500.2 Information Assurance Implementation, andDoDD 8100.1 Global Information Grid (GIG) OverarchingPolicy [8]. The process, shown in Figure 1 [9], consists offive activities that manage the implementation of IAcontrols and provide visibility of accreditation decisionsregarding the operation of DoD information systems.Fig. 1: DIACAP ActivitiesB. Initiate and Plan IA C&AIt consists of preparatory actions for IA Certification andAccreditation. The baseline controls are adjusted to accountfor inherited, not applicable, and system-specific controls,All rights reserved by www.ijsrd.com989
A Monitor System in Data Redundancy in Information System(IJSRD/Vol. 1/Issue 4/2013/0042)and then compiled in the IA Control Implementation Plan.The Certification and Accreditation (C&A) Plan is formedFrom the IA Control Implementation Plan, and ValidationPlan and Procedures. The DIACAP team is assembled toinitiate the C&A Plan and the DIP.In second step is to Select Security Controls. The SystemSecurity Plan and system categorization are used to selectStep one is Categorize Information System. The informationsystem is categorized and the System Security Plan iscreated in this step.C. Implement and Validate Assigned IA ControlsIn the second activity, the DIP is executed and the assignedIA controls are implemented. Other systems are alsochecked in order to verify inherited controls. Theimplementation is documented and the DIP is updated.Validation activities are conducted to assess theeffectiveness of the IA controls. The compliance status fromthe Validation Report is recorded in the DIACAP Scorecard,and, if corrective actions are necessary, the Plan of Actionsand Milestones (POA&M) is prepared and/or updated.D. Make Certification Determination and AccreditationDecisionThe certification determination and accreditation decisiontakes place in activity three. The Certification Authority(CA) makes the certification determination based on theactual validation results, the impact codes and severitycategories of non-compliant controls, expected exposuretime, and costs of mitigation. The CA forwards either theExecutive or Comprehensive Package to the DesignatedAccrediting Authority (DAA) to issue an accreditationdecision. The DAA reviews the package and assesses theresidual risk. If it is acceptable, the DAA issues theaccreditation decision (i.e. Authorization to Operate (ATO),Interim Authorization to Operate (IATO), or InterimAuthorization to Test (IATT)) and assigns an AuthorizationTermination Date on the DIACAP Scorecard. If the risk isunacceptable, a Denial of Authorization to Operate (DATO)will be issued.E. Maintain Authorization to Operate and ConductReviewsIn this activity, the DIACAP team works to maintain theAuthorization to Operate (ATO) through the sustainment ofan acceptable IA posture. This activity initiates and updatesa Life cycle Implementation Plan for the IA controls thatcontinuously monitors the system and assesses the quality ofthe IA controls.F. DecommissionThis activity reviews inheritance relationships to ensure thesystem’s removal from operation does not negatively affectthe operation of associated systems. The DIACAPregistration information and system-related data aredisposed of or updated to reflect the retiring of the system.The IS is then uninstalled or disconnected. A Denial ofAuthorization to operate is issued by the DAA and thesystem may no longer operate.II. PROCESSESA. Department Of State Continuous Certification AndAccreditation ProcessThe Department of State has developed a process forcontinuous Certification and Accreditation (see Figure 2).Fig. 2: Department of State Continuous C&A ProcessThe security controls. System specific controls are alsoselected as appropriate. The selected controls areimplemented in the third step: Implement Security Controls.Significant Change Analysis is the fourth step in theprocess. The fifth step, Continuous Monitoring, combinesthe fourth and sixth steps of the RMF which involve testingat two stages of the process: during certification and duringmonitoring. The final step is to Prepare AuthorizationReport. With the opportunity to catch errors early due tocontinuous monitoring testing, reaching Do Not Operatestatus should be extremely rare [18].B. Navy Transformational Certification And AccreditationProcessThe Navy conducted a mapping between the DoDI 8500.2and NIST SP 800–53 IA controls in order to combine theDIACAP and RMF processes into the NavyTransformational C&A Process. This process grew from theidea that “significant efficiencies can be gained throughjoint evaluations, and documentation, or overlappingsecurity controls”. This process consists of six events:Categorize Information System, Select Security Controls,Implement Security Controls, Assess Security Controls,Authorize Information System, and Monitor SecurityControls. The tasks in each event are the combination of theDIACAP activities and RMF tasks.C. Redundancy In The IA ProcessesDISA has developed a mapping of the activities of theDIACAP to the steps in the RMF. The steps of theaforementioned processes have been represented in Table 1.The common structure is added as the last row of the tableto highlight the extent of the redundancy between theprocesses. The concept proposed in this paper is to turn thecommon structure into a continuous monitoring process andreduce redundancy and time. This process can beimplemented in a tool that can incorporate process-specificdocuments and tasks to combine the various IA processesand reuse common data such as assessment results. In thismanner, conducting the continuous monitoring process willAll rights reserved by www.ijsrd.com990
A Monitor System in Data Redundancy in Information System(IJSRD/Vol. 1/Issue 4/2013/0042)in effect perform all processes it encompasses. Furtherredundancy can be reduced by synchronizing inspection andcertification dates so that the results of one are still valid andapplicable to the others.Table (1): Steps of Various IA ProcessesD. Continuous Monitoring ProcessBuilding upon the common structure discovered in Table 1,a continuous monitoring process has been developed. Figure3 illustrates the process as a dynamic and flexible cycle withsix activitiesFig 3: Continuous Monitoring ProcessThe first activity in this cycle is to register or update theinformation system. If the information system (IS) is new,registration will describe the system, the responsible entityand organization, the location, and other information thatwill be used to generate the required documents. Secondactivity uses the categorization information from activityone to assign the applicable base controls to the IS, asdescribed in DODI 8500.2. Each of these controls will beidentified as applicable, inherited, or not applicable, and allapplicable controls will be determined to be eitherimplemented or not implemented. Third activity is theimplementation of the relevant security controls in theImplementation Plan created in activity two. These controlsare put into place and documented, as appropriate. Allapplicable controls should be implemented when activityfour begins. In activity five, the risk to organizationaloperations (including mission, functions, image orreputation), organizational assets, individuals, otherorganizations, or the nation is determined and documentedin the Risk Assessment. At the end of the system’s lifecycle, the system is decommissioned. The systemregistration information and system-related data are updatedto reflect the system’s removal from active status.E. Other Ia ProcessesOther IA processes include the Connection ApprovalProcess (CAP) and Command Cyber Readiness Inspection(CCRI). The CJCSI 6211.02C, Defense Information SystemNetwork (DISN): Policy, Responsibilities and Processes,requires security controls to be in place in order for an IS toconnect to the DISN and compliance inspections to beconducted to ensure the continuing effectiveness of thesecontrols. The CAP ensures the IS is secure and has an ATObefore allowing it to connect to the DISN. The CCRIprovides a “quick look” assessment of the network securityconfiguration of an IS and its compliance with DoD IA andcomputer network defense (CND) policies.III. CONTINUOUS MONITORING CONCEPTThe Continuous Monitoring process is the underlyingstructure of most IA processes. If a tool is created with thisunderlying structure, it can be used to conduct the variousIA processes and house the process artifacts. The proof-ofconcept is designed as a three tiered web application thatuses Java in order to connect the HTML pages with thePostgreSQL database. The database management systemused is pgAdmin Version 1.12.3. The database is configuredwith constant tables, constant views, and user-specifictables. Constant tables are initialized in the development ofthe application but not changed by any user. The databasecontains constant views that are created in the developmentof the application but not changed by any user. The viewsshow the controls for the nine possible combinations ofMAC and CL. Duplicate controls are removed and if thereare two levels for the same control, the more secure level ischosen. The views are:1) MAC I Public This view shows only the controls for aMAC I Public system.2) MAC I Sensitive This view shows only the controls fora MAC I Sensitive system.3) MAC I Classified This view shows only the controls fora MAC I Classified system.4) MAC II Public This view shows only the controls for aMAC II Public system.5) MAC II Sensitive This view shows only the controls fora MAC II Sensitive system.6) MAC II Classified This view shows only the controlsfor a MAC II Classified system.7) MAC III Public This view shows only the controls for aMAC III Public system.8) MAC III Sensitive This view shows only the controlsfor a MAC III Sensitive system.9) MAC III Classified This view shows only the controlsfor a MAC III Classified system.A. Register Or Update The SystemThe environment the application uses is Apache TomcatVersion 6.0.28. It contains Catalina which is Tomcat’sservlet container. The HTML pages are generated from theAll rights reserved by www.ijsrd.com991
A Monitor System in Data Redundancy in Information System(IJSRD/Vol. 1/Issue 4/2013/0042)Java classes in the apache folder when Catalina is initiated.The pages are then viewed via Internet Explorer Version 8[9].The pages are organized to implement the activitiesof the Continuous Monitoring Process.changes. not want the changes to be saved, the “Cancel”button will return them to the IS Home page without makingFig. 6: Register System PageFig. 4: User Home PageB. Information System HomeThe ISHome page displays the details of the selected IS.From here the user can:1) Edit or update the details of the IS (EditSystem page)2) View the scans conducted on that particular IS (ISScanspage)3) Upload a scan of that IS (UploadScan page)4) Retire the IS (RetireSystem page)5) Edit the IA Controls for the IS (ISControls page)6) View the IA Controls for the IS (ISControls page)7) Assess the IS (AssessSystem page)8) View/Accept the Risk of the IS (SystemRisk page)any changes.E. Identify Security ControlsActivity Two of the Continuous Monitoring Process isconducted in the IS Controls page. The application generatesthe base controls based on the MAC and CL of the IS. SeeFigure 7,8 for a screenshot of the IS Controls page. The usercan then add or remove system-specific controls.Fig 7:IS Control PagesFig 5: Information System Home PageC. Register a SystemThe Register System page implements the Register part ofActivity One of the Continuous Monitoring Process. Itrequests information from the user in order to register a newinformation system with the application. The informationrequested depends on the IA process or process step beingcarried out. See Figure 6 for a screenshot of the RegisterSystem page.D. Edit a SystemThe Update part of Activity One of the ContinuousMonitoring Process is implemented in the Edit System page.This page displays the same information that was requestedin the Register System page but allows the user to edit thedetails. The user can save the changes and return to ISHome to view the updated details of the IS. If the user doesnot want the changes to be saved, the “Cancel” button willreturn them to the IS Home page without making anyFig. 8: IS Controls PageF. Implement Security ControlsThe user takes the Implementation Plan generated in the ISControls page and implements the security controls. TheImplementation Results are used to manually update theImpStatus page, changing Not Implemented to Implementedon appropriate controls. Activity Three does not have itsown page but makes use of the ImpStatus page.All rights reserved by www.ijsrd.com992
A Monitor System in Data Redundancy in Information System(IJSRD/Vol. 1/Issue 4/2013/0042)G. Assess And Mitigate Security ControlsThis includes Viewing the Scans page which displays all thescans conducted on the user’s registered informationsystems, Upload Scan page requests information about thescan being uploaded and adds it to the table of scans; Assessthe System page generates a Plan of Action and Milestone(POA&M) document from the results of the most recentscan of the IS, Mitigate Controls; there is no page for this inthe proof-of-concept application because the user must dothis outside of the application.[8][9]September 2011, rer/products/ie/home.United States Department of Defense,(2002, October24). Directive 8500.01E, Information Assurance rectives/corres/pdf/850001p.pdf.98Internet Explorer, “Internet Explorer – Web Browserfor Microsoft Windows,” Microsoft Corporation,September 2011, rer/products/ie/home.IV. RESULTThe proof-of-concept demonstrates the similar structure ofthe four IA processes as discussed. If the details of eachprocess are removed, such as the tools used and documentsgenerated, the construction of the process will look similarto this:1) Register or Update the System2) Identify Security Controls3) Implement Security Controls4) Assess and Mitigate Security Controls5) Determine and Accept Risk6) Retire or Monitor the SystemThe proof-of-concept takes the Continuous MonitoringProcess presents it as an application. The application can bemodified to turn the information on a particular IS into aprocess-specific document based on a template. In thismanner, a larger tool can be developed that incorporates allrelevant IA processes. Information can be shared and scanscan be reused in order to avoid redundancy betweensubmitting an IS through more than one process. If theprocesses are conducted around the same time, theinformation and scans will still be valid. This will reducetime as the user will not have to conduct another scan on theIS.52REFERENCES[1]Richard K. Betts, Conflict after the Cold War:Arguments on Causes of War and Peace, 3rd Edition.San Francisco: Pearson Education Inc., 2008, page430.[2] Committee on National Security Systems (CNSS),(2010, April 26). Instruction 4009, NationalInformation Assurance Glossary. [Online]. Available:http://www.cnss.gov/Assets/pdf/cnssi 4009.pdf.[3] United States Department of Justice, Office ofPrograms, (2002, December 17). Public Law 107–347,E-Government Act [includes Federal informationSecurity Management Act (FISMA)]. area privacy&page 1287#contentTop.[4] United States Department of Defense,(2002, October24). Directive 8500.01E, Information Assurance rectives/corres/pdf/850001p.pdf.98[7] Internet Explorer, “Internet Explorer – Web Browserfor Microsoft Windows,” Microsoft Corporation,All rights reserved by www.ijsrd.com993
unnoticed until DIACAP re-certification which may be years away. A. DIACAP . The DoDI 8510.01 establishes a process for DoD IA Certification and Accreditation that will authorize the operation of DoD information systems in accordance with FISMA [3], DoDD 8500.01 Information Assurance [7],
