Security Certification & Accreditation of Federal Information Systems A Tutorial

Academic year: 2021


(1)
Security Certification & Accreditation of Federal Information Systems - A Tutorial

(2)
Tutorial Outline
Objectives & Introduction: C&A
Information Security Certification & Accreditation Foundations (as per NIST 800-37)
C&A Process Flow
Summary

(5)
Objectives of Security C&A
To provide consistent, comparable & repeatable assessments of Security Controls in Information Systems
To obtain a better understanding of Agency-related mission risks
To obtain complete, reliable & trustworthy information that will facilitate security analyses
Security Accreditation is an official management decision to authorize operation of an information

(6)
Basic Values of Security C&A
Acceptance of responsibility and accountability by the program office for the operation of an information system.
Difference between Certification & Accreditation?
[Diagram; labels recovered from the slide: Certification; Accreditation; Information + Evidence; Risk Thresholds; Agency Mission Category; 1. Security Plan, 2. C&A Decision, 3. Risk Assessments]

(7)
Security Certification
Security Certification is a comprehensive assessment of the Management (related to risks/policies), Operational (related to people) and Technical (related to hardware, software, firmware) Security Controls in an Information System, to determine the extent to which the controls are implemented (a) correctly, (b) as intended, and (c) produce the desired outcomes.

(8)
Objectives of Information Security
Information Security is the protection of an Information System from:
Unauthorized access
Unauthorized use
Disclosure
Disruption
Modification
Destruction
in order to provide Confidentiality, Integrity and Availability.
Definition: An Information System is a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination and disposition of information.

(9)
Output of C&A Process
Security Plan
Risk Assessments
Contingency Plans
Incident Response Plans
Security Awareness & Training Plans
Information System Rules of Behavior
Configuration Management Plans
Security Configuration Checklists
Privacy Impact Assessments

(10)
Questions during C&A Process
Does the potential risk to the agency operations, assets or individuals described in the Security Plan (before C&A) appear to be correct, and is the risk acceptable?
Are the security controls in the information system effective in achieving the desired level of protection defined by the requirements?
What specific actions have been taken (or are planned) to correct any deficiencies in the security controls to reduce or eliminate vulnerabilities? Have adequate resources and funding been allocated?
How do the results of the security certification affect agency risk?

(11)
How is Security Certification done?
Interviewing
Inspecting
Studying
Testing
Demonstrating
Analyzing
Security Certification does NOT include analyzing risk to agency operations, assets or individuals.

(12)
What can one say post-C&A?
We have confidence in the information system
Vulnerabilities have been considered in the risk assessment
Appropriate plans and funds have been deployed for correction

(13)
Types of Accreditation Decisions
Decisions:
Authorization to Operate (ATO)
Interim Authority to Operate (for a finite duration till deficiencies are addressed)
Denial of Authorization to Operate
C&A Package:
Approved System Security Plan
Security Assessment Report (how the controls have been implemented)

(15)
Initiation Phase

(17)
Initiation Phase (Task 2)

(18)
Initiation Phase (Task 3)
Task 3: SYSTEM SECURITY PLAN

(19)
Initiation Phase (Task 3)

(20)
Security Certification Phase

(21)
Security Certification Phase (Contd)
Task 5: SECURITY CERTIFICATION DOCUMENTATION

(23)
Security Accreditation Phase
Task 6: SECURITY ACCREDITATION DECISION

(24)
Security Accreditation Phase
Task 7: SECURITY ACCREDITATION DOCUMENTATION

(25)
Continuous Monitoring Phase
Task 8: CONFIGURATION MANAGEMENT & CONTROL

(26)
Continuous Monitoring Phase

(27)
Continuous Monitoring Phase
Task 10: STATUS REPORTING & DOCUMENTATION

(29)
DIACAP Activities (DoD's Standard)

(30)
Provided an introduction to the Unified Security Certification & Accreditation Methodology (based on the forthcoming NIST 800-37)
Introduced the C&A Process
Described the "Ten Tasks" within C&A

(31)

References
