NIST Special Publication 800-100 PDF - Information Security Handbook
2006
Pauline Bowen, Joan Hash, Mark Wilson
Summary
This document is a guide for managers on information security, focusing on governance, system development, and awareness and training programs. Published by the National Institute of Standards and Technology (NIST) in 2006, it offers recommendations for federal agencies.
NIST Special Publication 800-100
Information Security Handbook: A Guide for Managers
Recommendations of the National Institute of Standards and Technology
Pauline Bowen, Joan Hash, Mark Wilson
INFORMATION SECURITY
Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930
October 2006
U.S. Department of Commerce, Carlos M. Gutierrez, Secretary
Technology Administration, Robert Cresanti, Under Secretary of Commerce for Technology
National Institute of Standards and Technology, William Jeffrey, Director

Reports on Information Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of non-national-security-related information in federal information systems. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in information system security and its collaborative activities with industry, government, and academic organizations.

Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This guideline has been prepared for use by federal agencies. It may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright regulations. (Attribution would be appreciated by NIST.) Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgements
NIST would like to thank the many people who assisted with the development of this handbook. NIST management officials who supported this effort include Joan Hash, William C. Barker, Elizabeth Chew, and Matthew Scholl. The authors would like to thank Elizabeth Lennon, Alicia Clay, Elizabeth Chew, Richard Kissel, Carol Schmidt, Matthew Scholl, and Patricia Toth, who assisted with reviewing this Handbook and provided comments and suggestions for improvement.
Additional drafters of Handbook chapters include Ron Ross, Tim Grance, and Marianne Swanson of NIST, and Nadya Bartol, Joe Nusbaum, Laura Prause, Will Robinson, Karen Kent, and Randy Ewell of Booz Allen Hamilton (BAH). In addition, special thanks are due to those contractors who helped craft the Handbook, prepare drafts, and review materials. Nadya Bartol of BAH served as Project Manager for BAH on this project. Many other BAH employees contributed to the Handbook, including Anthony Brown, Linda Duncan, Gina Jamaldinian, Sedar Labarre, Ines Murphy, Steven Peck, Mike Kapetanovic, Michael Rohde, Jacob Tsizis, Aderonke Adeniji, and Marge Spanninger. The authors also gratefully acknowledge and appreciate the many contributions from individuals in the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of this publication.

Errata
The following changes have been incorporated into Special Publication 800-100.
1. Chapter 10, Risk Management, Figure 10-1. The Risk Management in the System Security Life Cycle diagram has been modified to remove numbers from the diagram and to show clearly the steps in the risk management process within the system security life cycle.
2. Chapter 10, Risk Management, Table 10-1. The Risk Level Matrix has been modified to correct the math in the table.

Table of Contents
1. Introduction
   1.1 Purpose and Applicability
   1.2 Relationship to Existing Guidance
   1.3 Audience
2. Information Security Governance
   2.1 Information Security Governance Requirements
   2.2 Information Security Governance Components
      2.2.1 Information Security Strategic Planning
      2.2.2 Information Security Governance Structures
      2.2.3 Key Governance Roles and Responsibilities
         2.2.3.1 Agency Head
         2.2.3.2 Chief Information Officer
         2.2.3.3 Senior Agency Information Security Officer
         2.2.3.4 Chief Enterprise Architect
         2.2.3.5 Related Roles
      2.2.4 Federal Enterprise Architecture (FEA)
      2.2.5 Information Security Policy and Guidance
      2.2.6 Ongoing Monitoring
   2.3 Information Security Governance Challenges and Keys to Success
3. System Development Life Cycle
   3.1 Initiation Phase
   3.2 Development/Acquisition Phase
   3.3 Implementation Phase
   3.4 Operations/Maintenance Phase
   3.5 Disposal Phase
   3.6 Security Activities within the SDLC
4. Awareness and Training
   4.1 Awareness and Training Policy
   4.2 Components: Awareness, Training, Education, and Certification
      4.2.1 Awareness
      4.2.2 Training
      4.2.3 Education
      4.2.4 Certification
   4.3 Designing, Developing, and Implementing an Awareness and Training Program
      4.3.1 Designing an Awareness and Training Program
      4.3.2 Developing an Awareness and Training Program
      4.3.3 Implementing an Awareness and Training Program
   4.4 Post-Implementation
      4.4.1 Monitoring Compliance
      4.4.2 Evaluation and Feedback
   4.5 Managing Change
   4.6 Program Success Indicators
5. Capital Planning and Investment Control
   5.1 Legislative Overview
   5.2 Integrating Information Security into the CPIC Process
   5.3 Capital Planning and Investment Control Roles and Responsibilities
   5.4 Identify Baseline
   5.5 Identify Prioritization Criteria
   5.6 Conduct System- and Enterprise-Level Prioritization
   5.7 Develop Supporting Materials
   5.8 IRB and Portfolio Management
   5.9 Exhibits 53 and 300 and Program Management
6. Interconnecting Systems
   6.1 Managing System Interconnections
   6.2 Life-Cycle Management Approach
      6.2.1 Phase 1: Planning the Interconnection
      6.2.2 Phase 2: Establishing the Interconnection
      6.2.3 Phase 3: Maintaining the Interconnection
      6.2.4 Phase 4: Disconnecting the Interconnection
   6.3 Terminating Interconnection
      6.3.1 Emergency Disconnection
      6.3.2 Restoration of Interconnection
7. Performance Measures
   7.1 Metric Types
   7.2 Metrics Development and Implementation Approach
   7.3 Metrics Development Process
   7.4 Metrics Program Implementation
      7.4.1 Prepare for Data Collection
      7.4.2 Collect Data and Analyze Results
      7.4.3 Identify Corrective Actions
      7.4.4 Develop Business Case and Obtain Resources
      7.4.5 Apply Corrective Actions
8. Security Planning
   8.1 Major Applications, General Support Systems, and Minor Applications
   8.2 Security Planning Roles and Responsibilities
      8.2.1 Chief Information Officer
      8.2.2 Information System Owner
      8.2.3 Information Owner
      8.2.4 Senior Agency Information Security Officer
      8.2.5 Information System Security Officer
   8.3 Rules of Behavior
   8.4 System Security Plan Approval
      8.4.1 System Boundary Analysis and Security Controls
      8.4.2 Security Controls
      8.4.3 Scoping Guidance
      8.4.4 Compensating Controls
      8.4.5 Common Security Controls
   8.5 Security Control Selection
   8.6 Completion and Approval Dates
   8.7 Ongoing System Security Plan Maintenance
9. Information Technology Contingency Planning
   9.1 Step 1: Develop Contingency Planning Policy Statement
   9.2 Step 2: Conduct Business Impact Analysis
   9.3 Step 3: Identify Preventive Controls
   9.4 Step 4: Develop Recovery Strategies
   9.5 Step 5: Develop IT Contingency Plan
   9.6 Step 6: Plan Testing, Training, and Exercises
   9.7 Step 7: Plan Maintenance
10. Risk Management
   10.1 Risk Assessment
      10.1.1 Step 1 – System Characterization
      10.1.2 Step 2 – Threat Identification
      10.1.3 Step 3 – Vulnerability Identification
      10.1.4 Step 4 – Risk Analysis
         10.1.4.1 Control Analysis
         10.1.4.2 Likelihood Determination
         10.1.4.3 Impact Analysis
         10.1.4.4 Risk Determination
      10.1.5 Step 5 – Control Recommendations
      10.1.6 Step 6 – Results Documentation
   10.2 Risk Mitigation
   10.3 Evaluation and Assessment
11. Certification, Accreditation, and Security Assessments
   11.1 Certification, Accreditation, and Security Assessments Roles and Responsibilities
      11.1.1 Chief Information Officer
      11.1.2 Authorizing Official
      11.1.3 Senior Agency Information Security Officer
      11.1.4 Information System Owner
      11.1.5 Information Owner
      11.1.6 Information System Security Officer
      11.1.7 Certification Agent
      11.1.8 User Representatives
   11.2 Delegation of Roles
   11.3 The Security Certification and Accreditation Process
   11.4 Security Certification Documentation
   11.5 Accreditation Decisions
   11.6 Continuous Monitoring
   11.7 Program Assessments
12. Security Services and Products Acquisition
   12.1 Information Security Services Life Cycle
   12.2 Selecting Information Security Services
      12.2.1 Selecting Information Security Services Management Tools
      12.2.2 Information Security Services Issues
      12.2.3 General Considerations for Information Security Services
   12.3 Selecting Information Security Products
   12.4 Security Checklists for IT Products
   12.5 Organizational Conflict of Interest
13. Incident Response
   13.1 Preparation
      13.1.1 Preparing for Incident Response
      13.1.2 Preparing to Collect Incident Data
      13.1.3 Preventing Incidents
   13.2 Detection and Analysis
   13.3 Containment, Eradication, and Recovery
   13.4 Post-Incident Activity
14. Configuration Management
   14.1 Configuration Management in the System Development Life Cycle
   14.2 Configuration Management Roles and Responsibilities
   14.3 Configuration Management Process
Appendix A – Acronyms List
Appendix B – Frequently Asked Questions

1. Introduction
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.
Typically, the organization looks to the program to take overall responsibility for ensuring that appropriate security controls are selected and implemented, and for demonstrating that the organization's stated security requirements are effectively satisfied. The topics within this document were selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the decision-making process for developing an information security program. NIST Interagency Report (NISTIR) 7298 provides a summary glossary for the basic security terms used throughout this document. While reading this handbook, please consider that the guidance is not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business requirements.

1.1 Purpose and Applicability
The purpose of this publication is to inform members of the information security management team (agency heads; chief information officers [CIOs]; senior agency information security officers [SAISOs], also commonly referred to as chief information security officers [CISOs]; and security managers) about the various aspects of information security that they will be expected to implement and oversee in their respective organizations. In addition, the handbook provides guidance for facilitating a more consistent approach to information security programs across the federal government. Even though the terminology in this document is geared toward the federal sector, the handbook can also be used to provide guidance on a variety of other governmental, organizational, or institutional security requirements.

1.2 Relationship to Existing Guidance
This handbook summarizes and augments a number of existing NIST standards and guidance documents and provides additional information on related topics. Such documents are referenced within the appropriate subchapters.

1.3 Audience
The intended audience includes agency heads, CIOs, SAISOs (also commonly referred to as CISOs), and security managers. The handbook provides information that the audience can use in building their information security program strategy. While there are differences between federal and private sector environments, especially in terms of priorities and legal requirements, the underlying principles of information security are the same. The handbook is therefore useful to any manager who requires a broad overview of information security practices.

2. Information Security Governance
Federal agencies rely heavily on information technology (IT) to run their daily operations and deliver products and services. With an increasing reliance on IT, a growing complexity of federal government IT infrastructure, and a constantly changing information security threat and risk environment, information security has become a mission-essential function. This function must be managed and governed to reduce the risks to federal government operations and to ensure the federal government's ability to do business and serve the American public. The purpose of information security governance is to ensure that agencies are proactively implementing appropriate information security controls to support their mission in a cost-effective manner, while managing evolving information security risks. As such, information security governance has its own set of requirements, challenges, activities, and types of possible structures.
Information security governance also has a defining role in identifying key information security roles and responsibilities, and it influences information security policy development and oversight and ongoing monitoring activities. To ensure an appropriate level of support of agency missions and the proper implementation of current and future information security requirements, each agency should establish a formal information security governance structure.

Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

2.1 Information Security Governance Requirements
The United States (U.S.) Congress and the Office of Management and Budget (OMB) have instituted a number of laws, regulations, and directives that govern the establishment and implementation of federal information security practices. These laws, regulations, and directives establish federal- and agency-level responsibilities for information security, define key information security roles and responsibilities, identify minimum information security controls, specify compliance reporting rules and procedures, and provide other essential requirements and guidance. These laws and regulations place responsibility and accountability for information security at all levels within federal agencies, from the agency head to IT users. They also provide an infrastructure for developing and promulgating detailed standards and implementation guidance to federal agencies, and for overseeing implementation of required practices, through NIST and the Government Accountability Office (GAO), respectively. These three entities, the U.S. Congress, OMB, and GAO, define and influence federal agency governance and information security requirements.

Congress creates laws and oversight measures to establish objectives, present timely analyses to establish overall governance standards across the federal government, and provide aid in economic and budget decisions, including decisions about public IT assets and the funds needed to secure them. Agencies must establish clear reporting requirements that meet legislative requirements set by Congress and must also provide Congress with the necessary information and estimates required for the congressional budget process.

OMB assists the President in overseeing the preparation of the federal budget and supervises its administration by the executive branch agencies. OMB provides further guidance to the agencies on implementing legislative information requirements in the form of circulars and memoranda.

GAO also provides oversight of agency information security activities as a part of its mission "to support the Congress in meeting its constitutional responsibilities and to help improve the performance and ensure the accountability of the federal government for the benefit of the American people." [1] GAO reviews agency implementation of legislative and regulatory requirements and reports to Congress and the American public on its findings.

At a minimum, information security governance in a federal department or agency must meet the requirements as they are detailed in applicable legislation, regulations, and directives. Furthermore, agencies can benefit from identifying overall good governance practices for establishing strong management and oversight. Agencies should tailor their information security governance practices to their organization's own missions, operations, and needs.
The following are a few key legislative acts that define overall federal agency governance requirements:
– The Government Performance and Results Act (GPRA) of 1993 establishes the foundation for budget decision making to achieve strategic goals in order to meet agency mission objectives.
– The Paperwork Reduction Act (PRA) of 1995 requires agencies to perform their information resource management activities in an efficient, effective, and economical manner.
– The Federal Financial Management Improvement Act (FFMIA) of 1996 requires accountability of financial and program managers for the financial results of actions taken, control over the federal government's financial resources, and protection of federal assets.
– The Federal Managers Financial Integrity Act (FMFIA) of 1982 requires ongoing evaluations and reports from each executive on the adequacy of administrative control for internal accounting systems.
– The Clinger-Cohen Act of 1996 requires agencies to use a disciplined capital planning and investment control (CPIC) process to acquire, use, maintain, and dispose of IT resources, and establishes the role of chief information officer (CIO) within each federal agency.
– The E-Government Act of 2002 (Public Law 107-347) promotes better use of the Internet and other IT resources to improve government services for citizens and internal government operations, and provides opportunities for citizen participation in government. The Act also requires agencies to:
   – Comply with FISMA, included as Title III of the E-Government Act;
   – Support governmentwide e-government initiatives;
   – Leverage cross-agency opportunities to further e-government through the Federal Enterprise Architecture (FEA) initiative; and
   – Conduct and submit to OMB privacy impact assessments for all new IT investments administering information in identifiable form collected from or about members of the public.

Supporting these acts, three legislative and policy documents emerge as the foundational sources for specific information security governance requirements:
– The Federal Information Security Management Act (FISMA) is the primary legislation governing federal information security programs, building upon earlier legislation through added emphasis on the management dimension of information security.
   – FISMA delegates to the National Institute of Standards and Technology (NIST) the responsibility to develop detailed information security standards and guidance for federal information systems, with the exception of national security systems.
   – FISMA designates to OMB the oversight of federal agencies' information security implementation.
   – FISMA provides a comprehensive framework for securing federal government IT resources, including defining key federal government and agency roles and responsibilities, requiring agencies to integrate information security into their capital planning and enterprise architecture processes, requiring agencies to conduct annual information security reviews of all programs and systems, and requiring agencies to report the results of those reviews to OMB. [2]
– OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, establishes a minimum set of controls to be included in federal automated information security programs, assigns federal agency responsibilities for the security of automated information, and links agency automated information security programs and agency management control systems. [3]
– Homeland Security Presidential Directive 12 (HSPD-12), released in August 2004, specifies a "policy for a common identification standard for all Federal employees and contractors." [4] HSPD-12 intends to increase identification security and interoperability by standardizing the process to issue a Federal employee or contractor an identification credential, and also by specifying the electronic and physical properties of the credential itself. The HSPD-12 credential is known as the Personal Identity Verification (PIV) card.

Figure 2-1 illustrates key roles of legislative, regulatory, and oversight bodies in establishing governance and information security governance requirements for the federal enterprise.

[Figure 2-1. Key Legislative, Regulatory, and Oversight Roles]

The need to identify and implement appropriate federal government and agency-specific information security governance practices can be daunting. Agencies should identify applicable requirements based on relevant legislation, regulations, federal directives, and agency-level directives. Agencies should also ensure that information security governance structures are implemented in a manner that best supports their unique missions and operations.

2.2 Information Security Governance Components
Agencies should integrate their information security governance activities with the overall agency structure and activities by ensuring appropriate participation of agency officials in overseeing implementation of information security controls throughout the agency. The key activities that facilitate such integration are strategic planning, organizational design and development, establishment of roles and responsibilities, integration with the enterprise architecture, and documentation of security objectives in policies and guidance.

[1] GAO, GAO-04-534SP, 'GAO Strategic Plan 2004-2009,' March 2004.
[2] FISMA, H.R. 2458–48, 'Federal Information Security Management Act,' 2002.
[3] OMB, 'Office of Management and Budget Circular A-130, Appendix III,' 1996.
[4] OMB, M-05-24, 'Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors.'
Figure 2-2 illustrates the relationships among these components.

Figure 2-2. Information Security Governance Components (external oversight by executive and legislative bodies through orders and laws, and by OMB and GAO through circulars and directives, feeds the governance activities of strategic planning, organizational structure, roles and responsibilities, enterprise architecture, and policies and guidance, which in turn drive implementation and ongoing monitoring)

2.2.1 Information Security Strategic Planning

"Strategic plans, annual performance plans, and annual program performance reports are the main elements of GPRA. Together these elements create a recurring cycle of reporting, planning, and execution." [5] GPRA requires federal agencies to develop and submit to OMB and Congress a "strategic plan for program activities" and to "prepare an annual performance plan covering each program activity set forth in the budget of such agency." [6] Agencies are required to refresh their strategic plans within three years of submitting their previous strategic plans, while performance plans must be submitted annually.

Agencies should integrate information security into the agency strategic planning processes by establishing and documenting information security strategies that directly support agency strategic and performance planning activities. The organization's information security strategy should establish a comprehensive framework to enable the development, institutionalization, assessment, and improvement of the agency's information security program. The information security strategy should support the overall agency strategic and performance plans and the IT strategic plan (if applicable), with its content clearly traceable to these higher-level sources. Each agency should define the following for its information security program:

- A clear and comprehensive mission, vision, goals, and objectives, and how they relate to the agency mission;
- A high-level plan for achieving information security goals and objectives, including short- and mid-term objectives and performance targets specific to each goal and objective, to be used throughout the life of the plan to manage progress toward successfully fulfilling the identified objectives; and
- Performance measures to continuously monitor accomplishment of identified goals and objectives and their progress toward stated targets.

[5] OMB, "Office of Management and Budget Circular A-130, Appendix III," 1996.
[6] OMB, Section 306, "Government Performance and Results Act" (GPRA), 1993.

Agencies should document their information security strategy in an information security strategic plan or another document, if appropriate. Regardless of how the information security strategy is documented, its contents should be aligned with the overall agency strategic planning activities. The document should be revisited when a major change in the agency information security environment occurs, including:

- A change in applicable legislation, regulations, or directives;
- A change in agency mission priorities; and
- Emerging information security issues, such as changes in the threat and vulnerability environment or the introduction of new technologies.

2.2.2 Information Security Governance Structures

Information security governance structures can be characterized in a number of ways. There are two basic models of information security governance structure: centralized and decentralized. While agency heads are ultimately responsible for managing and governing their respective agencies, the authority and responsibility over information security differ in the two types of structures. Key characteristics of the two structures are:

- Centralized. The departmental CIO or, in some instances, the senior agency information security officer (SAISO) has line-item budget control over all information security activities throughout the department. All information security practitioners within the department report to the departmental SAISO, who is responsible for ensuring implementation and monitoring of information security controls throughout the entire department.
- Decentralized. Departmental SAISOs have policy development and oversight responsibilities. Departmental SAISOs have budget responsibility for the departmental information security program, but not for the operating units' information security programs. Operating unit SAISOs report to the unit head, not to the departmental SAISO. Operating unit SAISOs are responsible for implementing and monitoring information security practices within their respective operating units.

Completely centralized or decentralized information security governance implementations are quite rare. In reality, the variety of implemented information security governance structures spans a continuum from a centralized structure at one end to a decentralized structure at the other. Agencies usually adopt hybrid structures that include some characteristics of both centralized and decentralized structures, and they adopt the particular mix of these characteristics to fit their agency mission, size, homogeneity of their components, and existing governance structure.

Agencies in the process of establishing or changing their information security governance structure should consider the following key factors to determine the optimal extent of centralization or decentralization:

- Agency size;
- Agency mission and its level of diversification or homogeneity;
- Existing agency IT infrastructure;
- Existing federal and internal governance requirements;
- Size of agency budget;
- Agency information security capabilities;
- Number of, and distance between, physical locations; and
- Decision-making practices and desired rate of change in information security practices.
To the degree that these factors are limited or varied, an organization's hybrid information security governance structure will fall somewhere between the extremes of a completely centralized and a completely decentralized structure, as depicted in Figure 2-3. An organization's placement on this continuum may also shift over time in response to changing internal factors or external requirements. Since the information security governance structure is highly dependent on the overall organizational structure, organizations are often limited in their choices about how to organize their information security governance activities. Agencies should be cognizant of the characteristics and challenges that a centralized or decentralized structure presents and work within their respective organizations to ensure the best use of information security resources within the boundaries of their own structure.

Figure 2-3. Information Security Governance Structures

2.2.3 Key Governance Roles and Responsibilities [7]

There are several governance stakeholders common to most organizations that span the organization. These stakeholders include senior leadership, a CIO, information security personnel, and a chief financial officer (CFO), among others. The specific requirements of each role may differ with the degree of information security governance centralization or in response to the specific missions and needs of an organization.

[7] See Chapter 5, Capital Planning; Chapter 8, Security Planning; Chapter 11, Certification, Accreditation, and Security Assessments; and Chapter 14, Configuration Management, of this guide for additional guidance on system-specific security roles and responsibilities.
2.2.3.1 Agency Head

The Clinger-Cohen Act assigns the agency head the responsibility for ensuring "that the information security policies, procedures, and practices of the executive agency are adequate." [8] FISMA provides the following details on agency head responsibilities for information security:

- Providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency, and of information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency;
- Ensuring that an information security program is developed, documented, and implemented to provide security for all systems, networks, and data that support the operations of the organization;
- Ensuring that information security processes are integrated with strategic and operational planning processes to secure the organization's mission;
- Ensuring that senior agency officials within the organization are given the necessary authority to secure the operations and assets under their control;
- Designating a CIO and delegating authority to that individual to ensure compliance with applicable information security requirements;
- Ensuring that the agency has trained personnel to support compliance with information security policies, processes, standards, and guidelines; and
- Ensuring that the CIO, in coordination with other senior agency officials, reports annually to the agency head on the effectiveness of the agency information security program, including the progress of remedial actions.

[8] Clinger-Cohen Act, 1996.

2.2.3.2 Chief Information Officer

FISMA assigns the agency CIO the following responsibilities:

- Designating a senior agency information security officer (SAISO);
- Developing and maintaining an agency-wide information security program;
- Developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements;
- Ensuring compliance with applicable information security requirements; and
- Reporting annually, in coordination with other senior agency officials, to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.

2.2.3.3 Senior Agency Information Security Officer [9]

FISMA assigns the SAISO the following responsibilities:

- Performing information security duties as the primary duty;
- Heading an office with the mission and resources to assist in ensuring agency compliance with information security requirements;
- Periodically assessing the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;
- Developing and maintaining risk-based, cost-effective information security policies, procedures, and control techniques that address all applicable requirements throughout the life cycle of each agency information system;
- Facilitating development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems;
- Ensuring that agency personnel, including contractors, receive appropriate information security awareness training;
- Training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities;
- Periodically testing and evaluating the effectiveness of information security policies, procedures, and practices;
- Establishing and maintaining a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
- Developing and implementing procedures for detecting, reporting, and responding to security incidents;
- Ensuring preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency; and
- Supporting the agency CIO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.

[9] The SAISO in some agencies is referred to as the chief information security officer (CISO) or the chief security officer (CSO).

2.2.3.4 Chief Enterprise Architect

The chief enterprise architect, or the comparable position in an organization, is responsible for:

- Leading agency enterprise architecture development and implementation efforts;
- Collaborating with lines of business within the agency to ensure proper integration of lines of business into the enterprise architecture;
- Participating in agency strategic planning and performance planning activities to ensure proper integration of the enterprise architecture;
- Facilitating integration of information security into all layers of the enterprise architecture to ensure agency implementation of secure solutions; and
- Working closely with program managers, the SAISO, and business owners to ensure that all technical architecture requirements are adequately addressed by applying the FEA and the Security and Privacy Profile (SPP).

2.2.3.5 Related Roles

Many other individuals within an organization have a stake in information security, from top senior management down to individual users.
A few of the primary senior management roles and their corresponding responsibilities are listed below. The scope of each role depends on whether the role is duplicated at the operating-unit level in a decentralized governance structure. These individuals should work collaboratively to ensure that information security exists within their organizational responsibility.

Inspector General (IG). The IG is a statutory office within an organization that, in addition to other responsibilities, assesses an organization's information security practices and identifies vulnerabilities and the possible need to modify security measures. The IG completes this task by:

- Detecting fraud or instances of waste, abuse, or misuse of an organization's funds;
- Identifying operational deficiencies within the organization;
- Ensuring that the underlying problems that permit such failings are rectified; and
- Offering recommendations for preventing problems in the future.

Chief Financial Officer. The CFO is the senior financial advisor to the investment review board (IRB) and the agency head. Information security investments fall within the purview of the CFO and are included in the CFO's reports. In this capacity, the CFO is responsible for:

- Reviewing cost goals of each major information security investment;
- Reporting financial management information to OMB as part of the President's budget;
- Complying with legislative and OMB-defined responsibilities as they relate to IT capital investments;
- Reviewing systems that impact financial management activities; and
- Forwarding investment assessments to the IRB.

Chief Privacy Officer or other designated official with privacy responsibilities. The chief privacy officer is responsible for privacy compliance across an organization, including privacy compliance measures that apply to information security assets and activities. The chief privacy officer works to maintain a balance between security and privacy requirements, and works to ensure that one is not compromised for the sake of the other. To this end, the chief privacy officer serves as the senior official responsible for:

- Developing, promoting, and supporting the organization's privacy programs;
- Encouraging awareness of potential privacy issues and policies; and
- Reviewing and implementing privacy regulations and legislation.

Physical Security Officer or other designated official with physical security responsibilities. The physical security officer is responsible for the overall implementation and management of physical security controls across an organization, including integration with applicable information security controls. As information security programs are developed, senior agency officials should work to ensure this coordination of complementary controls. In consideration of information security, the physical security officer serves as the senior official responsible for:

- Developing, promulgating, implementing, and monitoring the organization's physical security programs, including appropriate controls for alternate work sites;
- Ensuring organizational implementation and monitoring of physical access controls (e.g., authorization, access, visitor control, transmission medium, display medium, logging);
- Coordinating organizational environmental controls (e.g., ongoing and emergency power support and backups, fire protection, temperature and humidity controls, water damage); and
- Overseeing and managing controls for delivery and removal of assets.

Personnel Security Officer or other designated official with personnel security responsibilities. This responsibility is often resident within the Human Resources or Human Capital organization. The personnel security officer is responsible for the overall implementation and management of personnel security controls across an organization, including integration with specific information security controls. As information security programs are developed, senior agency officials should work to ensure this coordination of complementary controls. In consideration of information security, the personnel security officer serves as the senior official responsible for:

- Developing, promulgating, implementing, and monitoring the organization's personnel security programs;
- Developing and implementing position categorization (including third-party controls), access agreements, and personnel screening, termination, and transfer procedures; and
- Ensuring consistent and appropriate sanctions for personnel violating management, operational, or technical information security controls.

Acquisitions/Contracting. The Acquisitions/Contracting function is responsible for managing contracts and overseeing their implementation. Personnel executing this function have the following responsibilities with regard to information security:

- Collaborating with the agency's SAISO or other appropriate official to ensure that the agency's contracting policies adequately address the agency's information security requirements;
- Coordinating with the SAISO or other appropriate official as required to ensure that all agency contracts and procurements comply with the agency's information security policy;
- Ensuring that all personnel with responsibilities in the agency's procurement process are properly trained in information security; and
- In concert with the SAISO, facilitating the monitoring of contract performance for compliance with the agency's information security policy.

2.2.4 Federal Enterprise Architecture (FEA)

The FEA is a business-based framework for governmentwide improvement.
The purpose of the FEA is to facilitate cross-agency analyses and to identify duplicative investments, gaps, and opportunities for collaboration within and across federal agencies. [10] The FEA facilitates identification of duplicative or wasteful investments, of areas where investments should be made, and of where departments and agencies can collaborate to improve government operations or services. The FEA consists of five reference models:

- The Performance Reference Model (PRM) is a common framework for performance measurement that can be applied throughout the FEA.
- The Business Reference Model (BRM) is a function-driven framework for describing the business operations of the federal government independent of the agencies that perform them.
- The Service Component Reference Model (SRM) is a business- and performance-driven functional framework that classifies service components with respect to how they support business and/or performance objectives.
- The Data and Information Reference Model (DRM) describes, at an aggregate level, the data and information that support program and business line operations.
- The Technical Reference Model (TRM) is a component-driven technical framework used to identify the standards, specifications, and technologies that support and enable the delivery of service components and capabilities.

OMB requires agencies to integrate security into their enterprise architecture development life cycle. [11] In addition to complying with OMB requirements, the integration of information security into the agency enterprise architecture efforts benefits both the agencies and the federal government:

- Reduction of the reporting burden. The FEA requires agencies to collect and analyze significant amounts of data. Security efforts already under way can provide information relevant to the data, technology, and performance metrics in place throughout a department, such as the information contained in FISMA quarterly and annual reports, accreditation letters, and plans of action and milestones (POA&Ms).
- Integration of security data. Organizations should use existing information security data sources to identify data for their FEA submissions, thus allowing for a continuous and reliable transmission and roll-up of security requirements and controls from initial security certification and accreditation documentation and POA&Ms into the FEA.
- Preservation of security requirements. Documenting and preserving information about applicable security requirements ensures that it can be used as part of any higher-level federal management or decision-making process. If, for example, the federal government were to implement a large-scale reorganization (such as creating a new department or agency), a security-aware FEA would be able to clearly outline not only the intersections of common business lines but also the corresponding security requirements. In another example, if a department were to mandate using a specific type of technological tool, the FEA would be able to highlight the security and privacy requirements for the technology as well as the requirements for the data that the tool would handle. Since the federal government has numerous IT-related efforts under way, including critical infrastructure protection (CIP) and continuity of operations (COOP) processes that seek to preserve national resources as well as the ability of departments and agencies to operate in adverse or emergency conditions, a security-enabled FEA will support those other efforts while simultaneously ensuring that information is appropriately protected within them.

[10] OMB, "Federal Enterprise Architecture" (FEA), 2002.
[11] OMB, "Office of Management and Budget Circular A-130, Appendix III," 1996.

2.2.5 Information Security Policy and Guidance

Information security policy is an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information. [12] Information security policy is an essential component of information security governance: without the policy, governance has no substance and no rules to enforce. Information security policy should be based on a combination of appropriate legislation, such as FISMA; applicable standards, such as NIST Federal Information Processing Standards (FIPS) and guidance; and internal agency requirements. Agency information security policy should address the fundamentals of the agency information security governance structure, including:

- Information security roles and responsibilities;
- A statement of the security controls baseline and the rules for exceeding the baseline; and
- Rules of behavior that agency users are expected to follow and minimum repercussions for noncompliance.

Supporting guidance and procedures on how to effectively implement specific controls across the enterprise should be developed to augment an agency's security policy. This subsequent guidance on information security, created by the agency in consideration of external guidance (e.g., NIST Special Publications and OMB memoranda), should be consistent with the information security policy and may not supersede it, unless the policy itself is being modified.
Agencies should ensure that their information security policy is sufficiently current to accommodate the information security environment and agency mission and operational requirements. To ensure that the information security policy does not become obsolete, agencies should implement a policy review and revision cycle. As part of the periodic review and the initial development of the information security policies, agencies should work to ensure that all internal security policies (e.g., physical and personnel security policies) are sufficiently coordinated to ensure effective implementation of crosscutting and convergent security objectives, such as access control initiatives.

2.2.6 Ongoing Monitoring

An effective information security governance program requires constant review. Agencies should monitor the status of their programs to ensure that:

- Ongoing information security activities are providing appropriate support to the agency mission;
- Policies and procedures are current and aligned with evolving technologies, if appropriate; and
- Controls are accomplishing their intended purpose.

[12] NIST SP 800-53, Revision 1, "Recommended Security Controls for Federal Information Systems," 2006.

Over time, policies and procedures may become inadequate because of changes in agency mission and operational requirements, threats, environment, deterioration in the degree of compliance, changes in technology or infrastructure, or changes in business processes. Periodic assessments and reports on activities can be a valuable means of identifying areas of noncompliance, reminding users of their responsibilities, and demonstrating management's commitment to the security program. While an organization's mission does not frequently change, the agency may expand its mission to secure agency programs and assets and, by extension, require modification to its information security requirements and practices.
It is important that a change in an organization's internal requirements is checked against external federal requirements, as, for example, a change to an information system's security posture may alter its subsequent reporting requirements.

To facilitate ongoing monitoring, the SAISO and other officials can compare and correlate a variety of real-time and static information available from a number of ongoing activities within and outside of their programs. FISMA requires agencies to perform an annual assessment of their information security programs and to report information security performance measures quarterly and annually. The intent of these reporting requirements is to facilitate close to real-time assessment and monitoring of information security program activities. Ongoing monitoring combines the use of existing data to oversee a security program, and typically occurs throughout all phases of the program life cycle. Agencies can use a variety of data originating from ongoing information security program activities to monitor the performance of programs under their purview, including POA&Ms, performance measurements and metrics, continuous assessment, configuration management and control, network monitoring, and incident statistics. Table 2-1 provides a broad overview of key ongoing activities that can assist in monitoring and improving an agency's information security governance activities.

Table 2-1. Ongoing Monitoring Activities

Activity: Plans of Action and Milestones (POA&M) [13]
Description: POA&Ms assist in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. The POA&M tracks the measures implemented to correct deficiencies and to reduce or eliminate known vulnerabilities. POA&Ms can also assist in identifying performance gaps, evaluating an agency's security performance and efficiency, and conducting oversight.
Supporting processes and information:
- Agency maintains separate program and system POA&Ms.
- Weaknesses are listed according to OMB criteria, identified in annual OMB FISMA guidance.
- System POA&Ms are tied to capital planning documents.
- The number of ongoing POA&M actions is either constant or increasing, while the number of completed POA&M actions is increasing and the number of delayed POA&M actions is decreasing.
- Weaknesses do not reappear on the POA&M after being rectified and marked complete.
- Managers use POA&Ms for their respective systems and programs as management tools for weakness mitigation.
- The POA&M is updated as weaknesses are closed and discovered, and therefore reflects the latest weakness mitigation status for the agency.
- The POA&M can be easily provided to appropriate parties (OMB, IG, GAO) on demand at any point in time.
- A POA&M summary synopsizing agency POA&M progress is submitted to OMB quarterly, as required.

Activity: Measurement and Metrics [14]
Description: Metrics are tools designed to improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. Information security metrics monitor the accomplishment of goals and objectives by quantifying the implementation level of security controls and the efficiency and effectiveness of the controls, by analyzing the adequacy of security activities, and by identifying possible improvement actions.
Supporting processes and information:
- Metrics/performance measures are aligned to the agency strategy and information security strategy, and therefore to mission requirements.
- Agency uses metrics/performance measures to quantify and assess its information security performance and to identify and target corrective actions.
- Agency decision makers use metrics/performance measures as an input into decision making regarding prioritization of activities and resource and funding allocations.
- Agency uses metrics/performance measures that can be obtained without spending extraordinary resources.
- Metrics/performance measures provide numerical and empirical data rather than opinions.
- Metrics/performance measures are regularly verified by third-party reviewers for accuracy and validity.
- Metrics/performance measures provide meaningful data to assess the impact of changes over time.
- Agency collects the data used to calculate metrics/performance measures at the most discrete, unanalyzed level possible.
- Agency uses well-defined and specified metrics/performance measures.

Activity: Continuous Assessment [15]
Description: The continuous assessment process monitors an information system after its initial security accreditation to track changes to the system, analyzes the security impact of those changes, makes appropriate adjustments to the security controls and to the system's security plan, and reports the security status of the system to appropriate agency officials.
Supporting processes and information:
- Many agency information systems are certified and accredited more frequently than every three years.
- System security plans are updated frequently, as system changes occur.
- Results of the continuous assessment process can be tracked through system POA&Ms.
- Appropriate agency officials are aware of the status of systems under their purview.
- System control assessments and security assessment and evaluation occur at least annually.

Activity: Configuration Management [16]
Description: Configuration management (CM) is an essential component of monitoring the status of security controls and identifying potential security-related problems in information systems. This information can help security managers understand and monitor the evolving nature of vulnerabilities as they appear in a system under their responsibility, thus enabling managers to direct appropriate changes as required.
Supporting processes and information:
- Agency deploys a Configuration Control Board (CCB) or a similar body.
- An information security representative participates in the CCB.
- Vendor patches are tested for impact to information security and system settings.
- Agencies observe a decrease in incidents caused by known vulnerabilities for which patches have been distributed to system administrators.
- Known vulnerabilities are rarely discovered during assessments.
- Staff who are responsible for CM receive appropriate information security training and are aware of their security-related responsibilities.
- Agency drafts and publishes standardized configuration policies, and tracks the number and frequency of implementations of those configurations throughout the organization.

Activity: Network Monitoring [17]
Description: Information about network performance and user behavior on the network helps security program managers identify areas in need of improvement as well as potential performance improvements. This information can be correlated with other sources of information, such as POA&Ms and CM, to create a comprehensive picture of security program status.
Supporting processes and information:
- Network monitoring information is summarized and provided to information security program managers.
- Network monitoring information is mined for trends and correlated with other data sources, including incident statistics, POA&Ms, CM, and other available sources.
- Information security managers and system owners are able to receive and use network monitoring information to assess the security posture of systems under their purview.

Activity: Incident and Event Statistics [18]
Description: Incident statistics are valuable in determining the effectiveness of security policy and procedure implementation. Incident statistics give security program managers further insight into the status of security programs under their purview, reveal performance trends in program activities, and inform program managers of the need to change policies and procedures.
Supporting processes and information:
- Agency collects incident statistics in such a manner that they can be used for regular data mining and trending and for improving incident handling and response processes.
- Incident statistical information is summarized and provided to information security program managers.
- Incident statistics are mined for trends and correlated with other data sources, including network monitoring, POA&Ms, CM, training and awareness, and other available sources.
- Information security managers and system owners are able to receive and use incident statistics to assess the security posture of systems under their purview.

[13] See NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, and Chapter 11, Certification, Accreditation, and Security Assessments, of this guide for additional guidance on the POA&M process.
[14] See NIST SP 800-55, Security Metrics Guide for Information Technology Systems, and Chapter 7, Performance Measures, of this guide for additional guidance on measurements and metrics.
[15] See NIST SP 800-30, Risk Management Guide for Information Technology Systems; Chapter 10, Risk Management; and Chapter 11, Certification, Accreditation, and Security Assessments, of this guide for additional guidance on continuous assessment.
[16] See Chapter 14, Configuration Management, of this guide for additional guidance on configuration management.

2.3 Information Security Governance Challenges and Keys to Success

There are many diverse, and sometimes conflicting, priorities an organization must account for in meeting information security governance requirements. These criteria present challenges an organization is likely to face in its efforts to establish information security governance.
Some of the most common challenges include:
- Balancing extensive requirements originating from multiple governing bodies. Several different governing and oversight bodies establish governance and information security requirements for the federal government. While these requirements are seldom contradictory, they are not always complementary, and organizations may be faced with the challenge of implementing different compliance measures and monitoring these measures for reporting purposes.
- Balancing legislation and agency-specific policy. Agencies may have more stringent requirements that go beyond those required by information security legislation, regulation, and directives.
- Maintaining currency. Governance standards and guidance evolve to support different requirements, and new legislation is frequently introduced.
- Prioritizing available funding according to requirements. Increased competition for limited federal budgets and resources requires that agencies allocate available funding toward their highest-priority information security investments.

17 See NIST SP 800-42, Guidelines on Network Security Testing, for additional guidance on network monitoring.
18 See NIST SP 800-61, Computer Security Incident Handling Guide, and Chapter 13, Incident Response, of this guide for additional guidance on incident and event statistics.

Information security governance provides a framework for establishing and maintaining an information security program that will evolve with the organization it supports. The following list is a summary of good information security governance practices that are critical for ensuring the security of enterprise information assets:
- Information security activities should be governed based on relevant requirements, including laws, regulations, and organizational policies.
- Senior managers should be actively involved in establishing an information security governance framework and in governing the agency’s implementation of information security.
- Information security responsibilities must be assigned and carried out by appropriately trained individuals.
- Individuals responsible for information security within the agency should be held accountable for their actions or lack of action.
- Information security priorities should be communicated to stakeholders at all levels within an organization to ensure a successful implementation of an information security program.
- Information security activities must be integrated into other management activities of the enterprise, including strategic planning, capital planning, and enterprise architecture.
- The information security organization structure should be appropriate for the organization it supports and should evolve with the organization if the organization undergoes change.
- Information security managers should continuously monitor the performance of the security program/effort for which they are responsible, using available tools and information.
- Information discovered through monitoring should be used as an input into management decisions about priorities and funding allocation to effect the improvement of the security posture and the overall performance of the organization.

-------------------------------------------------

Websites:
www.csrc.nist.gov
www.gao.gov
www.whitehouse.gov/omb/

References:
Public Law 107-347 [H.R. 2458], The E-Government Act of 2002, Title III of this Act is the Federal Information Security Management Act of 2002 (FISMA), December 17, 2002.
Office of Management and Budget Circular A-130, Management of Federal Information Resources, November 2000.

Chapter 3
3. System Development Life Cycle

The system development life cycle (SDLC) is the overall process of developing, implementing, and retiring information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal. There are many different SDLC models and methodologies, but each generally consists of a series of defined steps or phases. Various SDLC methodologies have been developed to guide the processes involved, and some methods work better than others for specific types of projects. Regardless of the type of life cycle used by an organization, information security must be integrated into the SDLC to ensure appropriate protection for the information that the system is intended to transmit, process, and store. Security is most useful and cost-effective when such integration begins at the initiation of a system development or integration project and continues throughout the SDLC through system disposal. A number of federal laws and directives require integrating security into the SDLC, including the Federal Information Security Management Act (FISMA) and Office of Management and Budget (OMB) Circular A-130, Appendix III.

This section provides a general overview of security integration into the SDLC and is not intended to prescribe any particular model or methodology. Each phase of the SDLC includes a minimum set of information security-related activities required to effectively incorporate security into a system. An organization can either use a generic SDLC as described in this section or develop a tailored SDLC that meets its specific needs. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-64 Rev. 1, Security Considerations in the Information System Development Life Cycle, presents a framework for incorporating security into all phases of the SDLC, depicted in Figure 3-1, to ensure the selection, acquisition, and use of appropriate and cost-effective security controls. [19]
3.1 Initiation Phase

All information technology (IT) projects have a starting point, commonly referred to as the initiation phase. During the initiation phase, the organization establishes the need for a particular system and documents its purpose. The information to be processed, transmitted, or stored is typically evaluated, as well as who requires access to such information and how (in high-level terms). In addition, it is often determined whether the project will be an independent information system or a component of an already-defined system. A preliminary risk assessment is typically conducted in this phase, and security planning documents are initiated (system security plan).

19 See NIST Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems; NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories; and NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, for additional guidance on security and the SDLC process.

[Figure 3-1. System Development Life Cycle]

Once these tasks have been completed and a need has been recognized for a new or enhanced IT product or service, several processes must take place before the project is approved, including clearly defining project goals and defining high-level information security requirements. Typically, during this phase, the organization defines high-level information security policy requirements as well as the enterprise security system architecture.

3.2 Development/Acquisition Phase

During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed. This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle.
During the first part of the development/acquisition phase, the organization should simultaneously define the system’s security and functional requirements. These requirements can be expressed as technical features (e.g., access control), assurances (e.g., background checks for system developers), or operational practices (e.g., awareness and training). During the last part of this phase, the organization should perform developmental testing of the technical and security features/functions to ensure that they perform as intended prior to launching the implementation and integration phase.

3.3 Implementation Phase

In the implementation phase, the organization configures and enables system security features, tests the functionality of these features, installs or implements the system, and finally, obtains a formal authorization to operate the system. Design reviews and system tests should be performed before placing the system into operation to ensure that it meets all required security specifications. In addition, if new controls are added to the application or the support system, additional acceptance tests of those new controls must be performed. This approach ensures that new controls meet security specifications and do not conflict with or invalidate existing controls. The results of the design reviews and system tests should be fully documented, updated as new reviews or tests are performed, and maintained in the official organization records.

3.4 Operations/Maintenance Phase

An effective security program demands comprehensive and continuous understanding of program and system weaknesses. In the operation and maintenance phase, systems and products are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced.
During this phase, the organization should continuously monitor performance of the system to ensure that it is consistent with preestablished user and security requirements, and needed system modifications are incorporated. For configuration management (CM) and control, it is important to document the proposed or actual changes in the security plan of the system. Information systems are typically in a constant state of evolution with upgrades to hardware, software, firmware, and possible modifications to the surrounding environment where the system resides. Documenting information system changes and assessing the potential impact of these changes on the security of a system is an essential part of continuous monitoring, and key to avoiding a lapse in the system security accreditation. [20] Monitoring security controls helps to identify potential security-related problems in the information system that are not identified during the security impact analysis, which is conducted as part of the CM and control process.

3.5 Disposal Phase

The disposal phase of the system life cycle refers to the process of preserving (if applicable) and discarding system information, hardware, and software. This step is extremely important because during this phase, information, hardware, and software are moved to another system, archived, discarded, or destroyed. If performed improperly, the disposal phase can result in the unauthorized disclosure of sensitive data. When archiving information, organizations should consider the need and methods for future retrieval. While electronic information is relatively easy to store and retrieve, problems can arise if the technology used to create the records is no longer available in the future as a result of obsolescence or incompatibility with new technologies.
Additionally, the organization should consider what measures must be taken for the future use of data that has been encrypted, such as taking appropriate steps to ensure the secure long-term storage of cryptographic keys. It is equally important to consider legal requirements for records retention when disposing of information systems. For federal systems, system management officials should consult with their office responsible for retaining and archiving federal records.

The removal of information from a storage medium, such as a hard disk or tape, is called sanitization. There are four categories of media sanitization: disposal, clearing, purging, and destroying. [21] Because different kinds of sanitization provide different levels of information protection, organizations should use information security requirements as a guide for selecting the sanitization method that best suits their needs.

20 See Chapter 14, Configuration Management, of this guide for additional guidance on configuration management.

3.6 Security Activities within the SDLC

Security activities must be integrated into the SDLC to ensure proper identification, design, integration, and maintenance of applicable security controls throughout an information system’s life cycle, as summarized in Table 3-1.

Table 3-1. Security Activities in the SDLC

A. Initiation Phase

Needs Determination: Define a problem that might be solved through product acquisition. Traditional components of needs determination are establishing a basic system idea, defining preliminary requirements, assessing feasibility, assessing technology, and identifying a form of approval to further investigate the problem. Establish and document the need and purpose of the system.
Security Categorization: Identify information that will be transmitted, processed, or stored by the system and define applicable levels of information categorization according to NIST SP 800-60 and FIPS 199. [22] The handling and safeguarding of personally identifiable information should be considered.

Preliminary Risk Assessment [23]: Establish an initial description of the basic security needs of the system. A preliminary risk assessment should define the threat environment in which the system or product will operate.

B. Development/Acquisition Phase

Requirements Analysis/Development: Conduct a more in-depth study of the need that draws on and further develops the work performed during the initiation phase. Develop and incorporate security requirements into specifications. Analyze functional requirements that may include system security environment (e.g., enterprise