Information Technology Cybersecurity Dashboard On A .

Transcription

Information Technology
Criminal Investigation (CI) Cybersecurity
Cybersecurity Dashboard on a Shoestring Budget
May 16, 2017

Metrics Quote
"Most consumers don't have a good metric for deciding on whether the dictionary they want to use is a good one. So they flip the book over, then go to the back, and it says, 'Over 250,000 entries.' And they go, 'Great, this dictionary must be awesome!'"
—Erin McKean

Briefing Agenda
- What is the CI Cybersecurity Dashboard?
- Data is key, tools are just tools
- Requirements development & stakeholder participation is a must
- Great program management is the glue

What is the CI Cybersecurity Dashboard: Purpose
- The CI Cybersecurity Dashboard was developed to display the status of Criminal Investigation's (CI) Cybersecurity FISMA reports, continuous monitoring, Risk Based Decision (RBD), and Plan Of Action & Milestones (POA&M) efforts in one snapshot at the lowest cost possible.
- The dashboard was designed to educate and provide CI leadership, the CI Technical Operations Center (TOC) and Program/Project Managers a high-level view of their Cyber risk areas in one snapshot.
- It provides management with guided, educated mitigation decisions based on the dashboard snapshot before Continuous Diagnostics & Mitigation (CDM) was operational.

What is the CI Cybersecurity Dashboard: Source
The source data of the dashboard will originate from the output of several cyber monitoring tools.
- The addition of new output files to the data repository in the SharePoint intranet will trigger an event that will invoke Extract, Transform & Load (ETL) packages in SQL Server.
- The data will be extracted from the source output files and transported to the respective tables in SQL. SQL Report Builder will transform the data in the tables into organized visualizations using charts and graphs.
- The dashboard will use charts and graphs built with the SQL Report Builder tool and implemented using SharePoint Performance Point.
- The dashboard is a 50% customized application based on data-driven custom charts and components of Performance Point.

What is the CI Cybersecurity Dashboard: Charts
- Tripwire (Vulnerabilities Compliance)
  SharePoint will display in two charts—the average number of vulnerabilities by host and per count
- SCAP (Workstation Compliance)
  SharePoint will display in two charts—the total number of workstation compliance
- Windows Policy Checker (Server Compliance)
  SharePoint will display from WPC data—a percentage passing score based on the server devices listed in monthly reporting
- HPNA (Network Device Compliance)
  SharePoint will display in two charts—the percentage passing score on routers and switches

What is the CI Cybersecurity Dashboard: Charts
- Guardium (Database Compliance)
  SharePoint will display from Guardium data—a percentage passing score based on previously selected categories.
- Plan of Action & Milestones (POA&Ms)
  SharePoint will display in 2 charts—the total number of open, closed, and overage POA&Ms, for each month for 5 years.
- Archer (Incident Response)
  SharePoint will display Archer data—SharePoint will open an Archer .csv file and manipulate the .csv file to display graphically CI incidents for the year.

What is the CI Cybersecurity Dashboard: Files for Upload
Files for certain tools must follow certain naming and formatting conventions. Below are file format references:
- Archer - .csv
- Guardium - .xls
- HPNA - .xlsx
- POAM - .csv
- SCAP - .xls
- Tripwire - .csv
- WPC - .xlsx
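
Added example (not part of the original briefing or the dashboard's own code): because a new file in the repository automatically triggers the ETL packages, an intake check can hold back anything that does not match the per-tool format listed above. The function name, the sample file names, the idea that the uploader names the tool, and the rule that .csv exports are UTF-8 text are assumptions; the tool-to-extension table is the one on this slide.

```python
import codecs
from pathlib import PurePath

# Tool -> required extension, taken from the "Files for Upload" slide.
EXPECTED_EXT = {
    "archer": ".csv", "guardium": ".xls", "hpna": ".xlsx", "poam": ".csv",
    "scap": ".xls", "tripwire": ".csv", "wpc": ".xlsx",
}

# Leading bytes of each container format (file-format facts, not from the slides).
MAGIC = {
    ".xlsx": b"PK\x03\x04",                       # OOXML is a ZIP archive
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
}


def check_upload(tool: str, filename: str, head: bytes) -> tuple[bool, str]:
    """Decide whether an export may be handed to the ETL package.

    `head` is the first bytes of the file. Returns (accepted, reason).
    """
    ext = EXPECTED_EXT.get(tool.lower())
    if ext is None:
        return False, f"unknown tool {tool!r}"
    # Reject path components so a name cannot point outside the drop folder.
    if PurePath(filename).name != filename or "\\" in filename:
        return False, "filename contains a path"
    if PurePath(filename).suffix.lower() != ext:
        return False, f"{tool} exports must be {ext}"
    if ext in MAGIC:
        if not head.startswith(MAGIC[ext]):
            return False, f"content is not a real {ext} file"
        return True, "ok"
    # CSV has no signature: refuse binary containers renamed to .csv,
    # and require the sample to decode as text (assumed UTF-8).
    if any(head.startswith(m) for m in MAGIC.values()) or b"\x00" in head:
        return False, "binary content in a .csv upload"
    try:
        # Incremental decoder tolerates a multi-byte character cut off by sampling.
        codecs.getincrementaldecoder("utf-8-sig")().decode(head)
    except UnicodeDecodeError:
        return False, "csv is not valid UTF-8 text"
    return True, "ok"
```

Rejected files would be quarantined and logged rather than deleted, so a misnamed but legitimate export can be re-submitted.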

What is the CI Cybersecurity Dashboard: Picture

What is the CI Cybersecurity Dashboard: Results
- Finished product met requirements
- Project finished 9 months before schedule
- Project finished significantly under budget
- Currently the status of the dashboard is red or on hold due to lack of O&M funding

Data is Key, tools are just tools
Vision
- Simplify management decision making → Understanding & involvement → Quick decisions → Support
Metrics to support the vision
- Never focus on a tool
Funding
- Development
- O&M

Requirements Development & Stakeholder Participation: Requirements
- Requirements Traceability
- Requirements, Design, & Test – Science
- Non ELC Security deliverables & SSP – Art
- Baselining
- Change Management
- Test must be based on the requirements
- Deliverables must be delivered

Requirements Development & Stakeholder Participation: Traceability
A relationship between two items
"A traceability relationship reflects the source, derivation, dependency, or other relationship between two traceability items"
Requirements Repository Management Guide, Version 1.0
"A discernable association among two or more logical entities such as requirements, system elements, verifications, or tasks"
Capability Maturity Model Integration (CMMI) for Development, Version 1.2
BSR → DSR → STP SSP

Requirements Development & Stakeholder Participation: Baselining
Number  Req #  Requirement                                     Ability to export to .csv
1.      R-01   Control Impact Chart for GSS-1 and GSS-2        Derived
2.      R-02   Application vulnerability score per each tool   Derived
3.      R-03   RBD – manual                                    Yes
4.      R-04   POAM – manual                                   Yes
5.      R-05   Project Milestones – Manual                     No
6.      R-06   Archer Metrics                                  Not Used

Requirements Development & Stakeholder Participation: Baselining
Number  Req #  Requirement                                     Ability to export to .csv
7.      R-07   Tripwire Metrics                                Yes
8.      R-08   Guardium Metrics                                Yes
9.      R-09   Windows Policy Checker (WPC)                    Yes
10.     R-10   Unix Policy Checker (UPC)                       Yes
11.     R-11   Hewlett Packard Network Automation (HPNA)       Yes
12.     R-12   Application Scanner (Appscan)                   Not Used
13.     R-13   Web Scanner (Webscan)                           Not Used
14.     R-14   Airwatch                                        Not Used

Requirements Development & Stakeholder Participation: Change Management
1) Tripwire
2) Network Patch Status
3) WPC
4) UPC
5) SCAP
6) SCCM
7) Guardium
8) AirWatch
9) RBDs
10) POA&Ms
11) Control Impact Chart
12) Application Vulnerability Chart
13) Web Scan
14) App Scan
15) HPNA
16) Archer

Requirements Development & Stakeholder Participation: Deliverables Must be Delivered
CI Dashboard – User Guide
Internal Revenue Service Criminal Investigation
THIS GUIDE IS INTENDED FOR USERS WHO HAVE ACCESS TO THE CI DASHBOARD.

Good Program Management
Program Management
o Roles & Responsibilities
o Dashboard Development
  - Set rhythm
  - Stakeholder involvement
  - Shared Engineering and Design
  - Software Development
  - SharePoint PM
  - Metric Development Teams
  - OT&E
  - Lessons Learned

Roles & Responsibilities
SharePoint Business System Development (BSD)
- Robert Warren: CI – Project Manager, BSD
- Terry Lee: CI – IT Specialist, BSD
- Tim Whittle: CI – MS SharePoint Administrator, TOC

Roles & Responsibilities
Booz Allen Hamilton (BAH) Developers
- Anureet Singh: BAH – Project Manager
- Myo Sithu: BAH – Development Manager
- Mayura Solow: BAH – Developer
- Michael Wu: BAH – Developer
- Tina Arista: BAH – Functional Manager
- Michael Daly: BAH – Test Manager
- Justin Watanabe: BAH – Functional Analyst

Roles & Responsibilities
CI-Cybersecurity User Stakeholders
- Brett Manning: CI – Director Cybersecurity
- Kevin Colin: IT/C – Supervisory IT Specialist, Cybersecurity Security Engineer
- Janine Heard: IT/C – IT Security Specialist, Cybersecurity Dashboard Program Manager, RBD & POAM SME
- Paul Husman: IT/C – IT Security Specialist, Cybersecurity HPNA SME
- Samuel Buhlig: IT/C – IT Security Specialist, Cybersecurity Incident Response SME
- Randy Christoffersen: IT/C – IT Security Specialist, Cybersecurity Tripwire SME

Questions/Comments
