9. Access Control Convergence
9.1. Resource Attribute Management
Resource Attribute/Metadata Management, as defined in the ICAM Services Framework, is the process for establishing and maintaining data (such as rules for access, credential requirements, etc.) for a resource/asset. This data defines the access, protection, and handling controls for a resource. Resources may be either physical (campus sites, buildings, individual offices/areas, etc.) or logical (IT applications, data, services, etc.). The information and guidance presented in this section is intended to assist agencies in providing answers to several common resource management questions, including:
Where might I find information about the resources within my agency that must be protected?
Where can I find lists of these resources and information about them?
How can resources be organized or grouped to streamline access control for users that require access to a set of common resources?
FAQ
Isn’t resource management the management of supplies, hardware, software, and other personal property?
No, not in the context of ICAM. Agencies are responsible for managing numerous types of resources, assets, and property under their custody. Within the context of ICAM, however, resource management refers specifically to managing information about resources that require access control. Some agencies also call this process asset management.
9.1.1. Resource Discovery and Inventory
When implementing access control solutions, many agencies find it challenging to determine a complete inventory of the resources that need to be protected (both physical and logical) because the processes to identify, track, and catalog resources are distributed across multiple programs and systems. Each program or system typically collects and manages information about a subset of the agency’s resources in order to support a specific business function. For example, agencies are required under FISMA to have a complete, current inventory of IT systems. ICAM implementers must be able to retrieve information about these resources quickly and efficiently in order to effectively manage access to them in a coordinated fashion. Additionally, physical and logical resources typically are managed separately from each other within an agency.
Terminology
Metadata – Structured information that describes, explains, locates, or otherwise makes it easier to retrieve, use, or manage an information resource. Metadata is often called data about data or information about information. [30]
Physical and logical access control systems often rely on metadata to accurately and reliably grant user access to protected resources.
For many existing resources, an agency should likely have already determined which resources require protection and the level of protection (LOP) required. Information systems, devices, and infrastructure protection requirements are outlined in existing policy guidance [31] and are the responsibility of the resource owner to determine. Guidance for determining levels of protection for facilities and work sites which require electronic security systems is provided by the Interagency Security Committee (ISC). [32] It can be expected that an agency’s physical security group will have previously evaluated all existing facilities and sites within the agency’s custody and determined physical protection requirements; however, for geographically dispersed organizations, this information may be managed locally. Figure 13 discusses several common programs and functions that collect and manage this information, and may therefore provide a starting point for ICAM implementers.
| Agency Function | Information Available | Resource Type |
|---|---|---|
| Facility Management Group / Physical Security Group | Information regarding resources that must be secured using PACS. | Physical |
| Real Property Group | Information regarding land, building, and improvements that are owned or leased by a federal agency. | Physical |
| Capital Planning and Investment Control (CPIC) Program | Investment information for capital assets submitted by a federal agency to OMB for funding. | Physical, Logical |
| Helpdesk/Trouble Ticket Solutions and Records | Often contain lists of resources and/or targets of privilege/access management requests, as they are frequently sources of problems and issues for users. | Physical, Logical |
| Enterprise Data Warehouse (EDW) | A repository of electronically stored data about an organization’s resources and data, commonly maintained to facilitate reporting and analysis. | Physical, Logical |
| Information Resources Catalog (IRC) | Some agencies may have an existing IRC, which is a comprehensive catalog of resources and resource information. | Physical, Logical |
| IT System Inventory | Inventory of IT applications and security compliance and reporting information. | Logical |
| Change Control Board (CCB) and/or Change Management System | Maintains the software, hardware, and application baselines for resources within the enterprise as a means of supporting change/upgrade efforts. | Logical |
Figure 13: Resource Information Sources
[30] Understanding Metadata, National Information Standards Organization (NISO), 2004.
[31] OMB M-04-04, E-Authentication Guidance for Federal Agencies, Office of Management and Budget, December 23, 2003. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004. OMB Memorandum M-06-16, Protection of Sensitive Agency Information, July 2006.
Developing a comprehensive view of all agency resources (physical and logical) relies on locating and reconciling existing sources of information. Several agencies have taken steps to create consolidated resource tracking solutions for the purpose of gathering the information necessary to make informed access management decisions in a timely manner. While this is not a requirement of ICAM, it is an example of a centralized repository of resource information to help ICAM implementers streamline the development and deployment process.
Implementation Tip
Don’t wait until a complete agency inventory is in an automated system to begin developing access policies and tying resources into enterprise access control capabilities. Developing a complete inventory is a time-consuming process, and efficiency benefits and return on investment (ROI) can be realized by integrating even a small number of resources with automated ICAM capabilities once a representative sampling of major resource types has been identified.
9.1.2. Collecting and Organizing Resource Information
Collecting, analyzing, and understanding the information about a resource that leads to determining the necessary LOP is critical to establishing effective access control policies. A core component in determining access control policy is a resource’s risk profile. Risk profiles are indicators of the potential impact on the organization in terms of the loss of confidentiality, integrity, or availability for logical assets, and the impact of loss due to specific vulnerabilities for physical assets. Risk assessments are commonly performed for many agency resources as part of existing security compliance processes. Risk assessments for physical resources are governed by the Facility Risk Assessment process, outlined in the ISC’s Physical Security Criteria for Federal Facilities, which is discussed further in Chapter 10. Risk assessments for logical resources are governed by the FISMA process (for overall security risk) and OMB M-04-04 [33] (for authentication risk). The resulting risk profiles can be leveraged for access control purposes without creating an additional burden for resource owners.
Risk profiles provide ICAM implementers with a baseline from which to determine core access control requirements. However, additional information about a resource can be used to develop more granular access controls to further increase the security and realize the efficiencies that can be obtained through deployment of access control systems.
FAQ
Are there any tools available to help determine the level of authentication risk associated with my information systems?
Yes, the eAuthentication Risk and Requirements Assessment (e-RA) tool can be leveraged to assist in determining logical access control risks and appropriate levels of assurance, as defined in OMB M-04-04. e-RA is available on the Federal Government’s identity management website. [34] Additional guidance for conducting overall security risk assessments is provided in FIPS 199. [35]
Contextual information about a resource is often required to support access control decisions. This information can often be obtained by reviewing resource documentation and meeting with resource owners/administrators to discuss how and why access is currently controlled. Chapter 11 also introduces the process for conducting Application Assessments, a best practice for supporting the integration of applications with Logical Access Control Systems (LACS), which can serve as an additional means for gathering contextual information about logical resources. Examples of contextual information that can be used to support access control are provided in Figure 14.
| Information Component | Description |
|---|---|
| Time-based access restriction | Access to the resource is restricted during particular hours or certain times of the day, week, or year based upon resource requirements. |
| Certification-based access restriction | Access to the resource requires possession of a particular certification or permit. |
| Organizational affiliation restriction | Resource access requires a particular affiliation with the organization (e.g., IT systems for federal employee access only), or affiliation with a particular bureau/component/office, etc. |
| Location-based restriction | Access to the resource is restricted based on geographical location for both physical and logical resources, and/or IP and MAC location for IT resources and data. |
| Resource-based restriction | Access to certain data or information is dependent upon it being accessed through a particular resource, thereby preventing direct access. |
| Data sensitivity restriction | Certain IT resources or data elements may require that users possess a level of public trust or clearance (NACI, Public Trust, Secret, etc.) before being accessed. |
Figure 14: Sample Resource Information Components
The examples in Figure 14 are not intended to be comprehensive; however, they can be used to help implementers as they begin considering the additional information about a resource that is needed to develop access control policies. They also help define the types of entitlement information that an agency might need about its users in order to support access control decisions, discussed further in Section 9.2.1. Developing access control policies is a multi-step process to determine what access controls can be employed to improve security and create added value for the organization. The steps involved in developing robust access control policies are discussed in greater detail in Section 9.3.2.
Resources can be grouped based on common criteria as a means of providing baseline privileges in an automated fashion. This is accomplished by examining the resource attributes, such as the examples provided in Figure 14, that determine how users are granted access and looking for similarities that drive access control decisions. Resources may be grouped in several ways, including:
[34] GSA eAuthentication Risk and Requirements Assessment (e-RA).
Physical Location. Many agencies with multiple offices/buildings in metropolitan areas often grant access to all facilities within that area as a means of ensuring that personnel can easily attend meetings in nearby offices; this may also extend to network/system access associated with a geographic location.
Project/Program Affiliation. Projects or programs that rely on a small subset of information systems or specified work locations can group those resources and grant access based upon affiliation with the project or program rather than granting each person access to each individual resource.
Organizational Relationship. Within an agency there may be components or bureaus that grant access to resources based upon organizational affiliation (i.e., a component/bureau specific information sharing tool).
Function/Purpose. Similar to Project/Program affiliation, certain resources may support a common function or purpose within an organization (i.e., HR systems, accounting systems, etc.).
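The following sketch is an added example, not part of the original guidance. It shows how five of the Figure 14 information components can be stored as resource metadata and evaluated at request time, and how resources sharing an attribute can be grouped for baseline privileges. All names, the sample inventory, and the clearance ordering are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed ordering of the levels Figure 14 names; an agency defines its own.
CLEARANCE = {"NACI": 1, "Public Trust": 2, "Secret": 3}

@dataclass
class Resource:
    name: str
    function: str                # grouping key (Function/Purpose)
    hours: tuple = None          # time-based restriction: (open, close)
    certification: str = None    # certification-based restriction
    affiliation: str = None      # organizational affiliation restriction
    networks: tuple = ()         # location-based restriction (IP ranges)
    min_clearance: str = None    # data sensitivity restriction

def denials(res, user, when, src_ip):
    """Return the restrictions a request fails; an empty list means permit."""
    failed = []
    if res.hours and not (res.hours[0] <= when.time() <= res.hours[1]):
        failed.append("time")
    if res.certification and res.certification not in user["certifications"]:
        failed.append("certification")
    if res.affiliation and res.affiliation != user["affiliation"]:
        failed.append("affiliation")
    if res.networks and not any(ip_address(src_ip) in ip_network(n) for n in res.networks):
        failed.append("location")
    # An unknown user clearance maps to 0, so the check fails closed.
    if res.min_clearance and CLEARANCE.get(user["clearance"], 0) < CLEARANCE[res.min_clearance]:
        failed.append("sensitivity")
    return failed

def group_by(resources, attr):
    """Group resource names by a shared attribute so privileges can be granted per group."""
    groups = defaultdict(list)
    for r in resources:
        groups[getattr(r, attr)].append(r.name)
    return dict(groups)

# Constructed sample inventory and user record.
INVENTORY = [
    Resource("payroll-app", "HR", hours=(time(7), time(19)), affiliation="federal-employee",
             networks=("10.20.0.0/16",), min_clearance="Public Trust"),
    Resource("benefits-portal", "HR", affiliation="federal-employee"),
    Resource("ledger-db", "Accounting", certification="EXAMPLE-CERT", min_clearance="Secret"),
]
USER = {"affiliation": "federal-employee", "certifications": set(), "clearance": "Public Trust"}
```

Returning the list of failed restrictions, rather than a bare allow/deny, gives resource owners and auditors the reason for each denial.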
In order to manage access control, an agency must manage information about the individuals and entities attempting to access its resources. The processes for supporting this are discussed in the following section.