Security Authorization of Information Systems
Introduction
Legal and Regulatory Framework for System Authorization
External Program Drivers
System-Level Security
Defining System Authorization
Resistance to System Authorization
Benefits of System Authorization
Key Elements of an Enterprise System Authorization Program
The Business Case
Goal Setting
Tasks and Milestones
Program Oversight
Visibility
Resources
Program Guidance
Special Issues
Program Integration
System Authorization Points of Contact
Measuring Progress
Managing Program Activities
Monitoring Compliance
Providing Advice and Assistance
Responding to Changes
Program Awareness, Training, and Education
Using Expert Systems
Waivers and Exceptions
NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
Overview
Authority and Scope
Purpose and Applicability
Target Audience
Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
Guidance on Organization-Wide Risk Management
Organization Level (Tier 1)
Mission/Business Process Level (Tier 2)
Information System Level (Tier 3)
Guidance on Risk Management in the System Development Life Cycle
NIST's Risk Management Framework
Guidance on System Boundary Definition
Guidance on Software Application Boundaries
Guidance on Complex Systems
Guidance on the Impact of Technological Changes on System Boundaries
Guidance on Dynamic Subsystems
Guidance on External Subsystems
Guidance on Security Control Allocation
Guidance on Applying the Risk Management Framework
Summary of NIST Guidance
System Authorization Roles and Responsibilities
Primary Roles and Responsibilities
Other Roles and Responsibilities
Additional Roles and Responsibilities from NIST SP 800-37, Revision 1
Documenting Roles and Responsibilities
Job Descriptions
Position Sensitivity Designations
Personnel Transition
Time Requirements
Expertise Requirements
Using Contractors
Routine Duties
Organizational Skills
Organizational Placement of the System Authorization Function
The System Authorization Life Cycle
Initiation Phase
Acquisition/Development Phase
Implementation Phase
Operations/Maintenance Phase
Disposition Phase
Challenges to Implementation
Why System Authorization Programs Fail
Program Scope
Assessment Focus
Short-Term Thinking
Long-Term Thinking
Poor Planning
Lack of Responsibility
Excessive Paperwork
Lack of Enforcement
Lack of Foresight
Poor Timing
Lack of Support
System Authorization Project Planning
Planning Factors
Dealing with People
Team Member Selection
Scope Definition
Assumptions
Risks
Project Agreements
Project Team Guidelines
Administrative Requirements
Reporting
Other Tasks
Project Kickoff
Wrap-Up
Observations
The System Inventory Process
Responsibility
System Identification
Small Systems
Complex Systems
Combining Systems
Accreditation Boundaries
The Process
Validation
Inventory Information
Inventory Tools
Using the Inventory
Maintenance
Observations
Interconnected Systems
The Solution
Agreements in the System Authorization Process
Trust Relationships
Initiation
Time Issues
Exceptions
Maintaining Agreements
Security Authorization of Information Systems: Review Questions
Information System Categorization
Introduction
Defining Sensitivity
Data Sensitivity and System Sensitivity
Sensitivity Assessment Process
Data Classification Approaches
Responsibility for Data Sensitivity Assessment
Ranking Data Sensitivity
National Security Information
Criticality
Criticality Assessment
Criticality in the View of the System Owner
Ranking Criticality
Changes in Criticality and Sensitivity
NIST Guidance on System Categorization
Task 1-1: Categorize and Document the Information System
Task 1-2: Describe the Information System
Task 1-3: Register the Information System
Information System Categorization: Review Questions
Establishment of the Security Control Baseline
Introduction
Minimum Security Baselines and Best Practices
Security Controls
Levels of Controls
Selecting Baseline Controls
Use of the Minimum Security Baseline Set
Common Controls
Observations
Assessing Risk
Background
Risk Assessment in System Authorization
The Risk Assessment Process
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation
Conducting the Risk Assessment
Risk Categorization
Documenting Risk Assessment Results
Using the Risk Assessment
Overview of NIST Special Publication 800-30, Revision 1
Observations
System Security Plans
Applicability
Responsibility
Plan Contents
What a Security Plan Is Not
Plan Initiation
Information Sources
Security Plan Development Tools
Plan Format
Plan Approval
Plan Maintenance
Plan Security
Plan Metrics
Resistance to Security Planning
Observations
NIST Guidance on Security Controls Selection
Task 2-1: Identify Common Controls
Task 2-2: Select Security Controls
Task 2-3: Develop Monitoring Strategy
Task 2-4: Approve Security Plan
Establishment of the Security Control Baseline: Review Questions
Application of Security Controls
Introduction
Security Procedures
Purpose
The Problem with Procedures
Responsibility
Procedure Templates
Process for Developing Procedures
Style
Formatting
Access
Maintenance
Common Procedures
Procedures in the System Authorization Process
Observations
Remediation Planning
Managing Risk
Applicability of the Remediation Plan
Responsibility for the Plan
Risk Remediation Plan Scope
Plan Format
Using the Plan
When to Create the Plan
Risk Mitigation Meetings
Observations
NIST Guidance on Implementation of Security Controls
Task 3-1: Implement Security Controls
Task 3-2: Document Security Control Implementation
Application of Security Controls: Review Questions
Assessment of Security Controls
Introduction
Scope of Testing
Level of Effort
Assessor Independence
Developing the Test Plan
The Role of the Host
Test Execution
Documenting Test Results
NIST Guidance on Assessment of Security Control Effectiveness
Task 4-1: Prepare for Controls Assessment
Task 4-2: Assess Security Controls
Task 4-3: Prepare Security Assessment Report
Task 4-4: Conduct Remediation Actions
Assessment of Security Controls: Review Questions
Information System Authorization
Introduction
System Authorization Decision Making
The System Authorization Authority
Authorization Timing
The Authorization Letter
Authorization Decisions
Designation of Approving Authorities
Approving Authority Qualifications
Authorization Decision Process
Actions Following Authorization
Observations
Essential System Authorization Documentation
Authority
System Authorization Package Contents
Excluded Documentation
The Certification Statement
Transmittal Letter
Administration
Observations
NIST Guidance on Authorization of Information Systems
Task 5-1: Prepare Plan of Action and Milestones
Task 5-2: Prepare Security Authorization Package
Task 5-3: Conduct Risk Determination
Task 5-4: Perform Risk Acceptance
Security Controls Monitoring
Introduction
Continuous Monitoring
Configuration Management/Configuration Control
Security Controls Monitoring
Status Reporting and Documentation
Key Roles in Continuous Monitoring
Reaccreditation Decision
NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
Task 6-1: Analyze Impact of Information System and Environment Changes
Task 6-2: Conduct Ongoing Security Control Assessments
Task 6-3: Perform Ongoing Remediation Actions
Task 6-4: Perform Key Updates
Task 6-5: Report Security Status
Task 6-6: Perform Ongoing Risk Determination and Acceptance
Task 6-7: Information System Removal and Decommissioning
Security Controls Monitoring: Review Questions
System Authorization Case Study
Situation
Action Plan
Lessons Learned
Tools
Document Templates
Coordination
Role of the Inspector General
Compliance Monitoring
Measuring Success
Project Milestones
Interim Accreditation
Management Support and Focus
Results and Future Challenges
The Future of Information System Authorization

References
Glossary
Sample Statement of Work
Sample Project Work Plan
Sample Project Kickoff Presentation Outline
Sample Project Wrap-Up Presentation Outline
Sample System Inventory Policy
Sample Business Impact Assessment
Sample Rules of Behavior (General Support System)
Sample Rules of Behavior (Major Application)
Sample System Security Plan Outline
Sample Memorandum of Understanding
Sample Interconnection Security Agreement
Sample Risk Assessment Outline
Sample Security Procedure
Sample Certification Test Results Matrix
Sample Risk Remediation Plan
Sample Certification Statement
Sample Accreditation Letter
Sample Interim Accreditation Letter
Certification and Accreditation Professional (CAP®) Common Body of Knowledge (CBK®)
Answers to Review Questions