CISSP® Common Body of Knowledge Review
Information Security & Risk Management Domain

Version: 5.9




CISSP Common Body of Knowledge Review by Alfred Ouyang is licensed under the Creative Commons
Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite
900, Mountain View, California, 94041, USA.
Learning Objectives

Information Security & Risk Management Domain ...1/3
      The Information Security Governance and Risk Management
      domain entails the identification of an organization’s information
      assets and the development, documentation, implementation, and
      updating of policies, standards, procedures, and guidelines that
      ensure confidentiality, integrity, and availability. Management tools
      such as data classification, risk assessment, and risk analysis are
      used to identify threats, classify assets, and to rate their
      vulnerabilities so that effective security measures and controls can
      be implemented.




                                              Reference: CISSP CIB, January 2012 (Rev. 2)
                                                                                            -2-
Learning Objectives

Information Security & Risk Management Domain ...2/3
      The candidate is expected to understand the planning,
      organization, roles, and responsibilities of individuals in identifying
      and securing an organization’s information assets; the development
      and use of policies stating management’s views and position on
      particular topics and the use of guidelines, standards, and
      procedures to support the policies; security training to make
      employees aware of the importance of information security, its
      significance, and the specific security-related requirements relative
      to their position; the importance of confidentiality, proprietary, and
      private information; third party management and service level
      agreements related to information security; employment
      agreements, employee hiring and termination practices, and risk
      management practices, and tools to identify, rate, and reduce the
      risk to specific resources.



                                               Reference: CISSP CIB, January 2012 (Rev. 2)
                                                                                             -3-
Learning Objectives

Information Security & Risk Management Domain ...3/3
      New knowledge requirements for 2012:
      • Project management knowledge in budget, metrics, and
        resources.
      • Privacy requirements compliance. (This topic is covered in the Legal,
        Regulations, Investigations and Compliance domain.)




                                             Reference: CISSP CIB, January 2012 (Rev. 2)
                                                                                           -4-
Topics

Information Security & Risk Management Domain
         •   Information Security Concepts
         •   Information Security Management
         •   Information Security Governance
         •   Information Classification
         •   System Life Cycle (SLC) and System Development
             Life Cycle (SDLC)
         •   Risk Management
         •   Certification & Accreditation
         •   Security Assessment
         •   Configuration Management
         •   Personnel Security
         •   Security Education, Training, and Awareness
         •   Project Management
                                                                -5-
Information Security Concepts

Security Objectives
      • Confidentiality
            – “Preserving authorized restriction on information access and
              disclosure, including means for protecting personal privacy
              and proprietary information.” (44 USC Sec. 3542)

      • Integrity
            – “Guarding against improper information modification or
              destruction, and includes ensuring information non-
              repudiation and authenticity.” (44 USC Sec. 3542)

      • Availability
            – “Ensuring timely and reliable access and use of information.”
              (44 USC Sec. 3542)




                                                                              -6-
Information Security Concepts

Security Implementation Principles
 • Confidentiality, Integrity, Availability
 • Need-to-know
       – Users should only have access to information (or systems) that enable
         them to perform their assigned job functions.
 • Least privilege
       – Users should only have sufficient access privilege to allow them to
         perform their assigned work.
 • Separation of duties
       – No person should be responsible for completing a task involving
         sensitive, valuable or critical information from beginning to end.
       – No single person should be responsible for approving his/her own work.

[Figure: layered view of the sources that shape the principles]
   Law, Regulations, and Policies: FISMA, SOX, GLB, National Security Act,
     USA PATRIOT Act, etc.; OMB A-130, A-11, etc.; E.O. 13292, 12968, etc.;
     DoD 5200.1-R, etc.
   Security Objectives: Confidentiality, Integrity, Availability
   Standards and Best Practices: NIST FIPS, SP 800-x, etc.; COBIT, ITIL,
     Common Criteria; ISO/IEC 27001, 21827, etc.; DoDI 8500.2, 8510.01
   Security Implementation Principles: Confidentiality, Integrity, Availability;
     Need-to-Know; Least Privilege; Separation of Duties
   Benchmarks and Guidelines: NIST National Checklist, DISA STIGs, CIS
     Benchmarks, etc.
                                                                                            -7-
Information Security Concepts

Security Best Practices
      •    Confidentiality
      •    Integrity
      •    Availability
      •    Need-to-know
      •    Least privilege
      •    Separation of duties
      •    Job rotation
            – To reduce risk of collusion
            – To ensure no single point of failure
      • Mandatory vacation
            – To allow auditors to review records



                                                     -8-
Information Security Concepts

Dimensions of Information Security Practice
    • Governance & Management
          – Policies, standards, procedures, and guidelines
    • Breadth of Disciplines
          – Families of security controls, security technologies, best
            practices, etc. (e.g., CISSP, CISM, CISA)
    • Depth of Knowledge
          – Systems/ software/ network engineering, cryptography, IT
            governance, vulnerability assessment, security certification
            & accreditation, etc.

[Figure: two axes, “Breadth of discipline” (horizontal) and “Depth of Knowledge” (vertical)]

                                                                                                -9-
Information Security Concepts

Relationship between Threat, Risk, and Countermeasure
    • Threat Agent. An entity that may act on a vulnerability.
    • Threat. Any potential danger to the information life cycle.
    • Vulnerability. A weakness or flaw that may provide an opportunity to a
      threat agent.
    • Risk. The likelihood that a threat agent exploits a discovered
      vulnerability.
    • Exposure. An instance of being compromised by a threat agent.
    • Countermeasure / safeguard. An administrative, operational, or logical
      mitigation against potential risk(s).

[Figure: cycle linking Threat Agent, Threat, Vulnerability, Risk, Asset, Exposure
and Countermeasure, with the edge labels “gives rise to”, “exploits”, “leads to”,
“can damage”, “and causes an”, “can be countered by a”, “reduces/eliminates” and
“indirectly affects”]
                                                                                                          - 10 -
Information Security Concepts

Security Controls
           “Security controls are the management, operational,
           and technical safeguards or countermeasures
           prescribed for an information system to protect the
           confidentiality, integrity, and availability of the system
           and its information.”
             – What security controls are needed to adequately protect the
               information systems that support the operations and assets of
               an organization?
            – Have the selected controls been implemented?
            – What is the desired or required level of assurance (i.e.,
              grounds for confidence) that the selected security controls,
              as implemented are effective in their application?


                    Reference: NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems.


                                                                                                                   - 11 -
Information Security Concepts

Categories of Security Controls …(1/4)
      • Management (Administrative) Controls.
            – Policies, Standards, Processes, Procedures, & Guidelines
                  • Administrative Entities: Executive-Level, Mid.-Level
                    Management
      • Operational (and Physical) Controls.
            – Operational Security (Execution of Policies, Standards &
              Process, Education & Awareness)
                  • Service Providers: IA, Program Security, Personnel Security,
                    Document Controls (or CM), HR, Finance, etc
            – Physical Security (Facility or Infrastructure Protection)
                  • Locks, Doors, Walls, Fence, Curtain, etc.
                  • Service Providers: FSO, Guards, Dogs
      • Technical (Logical) Controls.
            – Access Controls, Identification & Authorization,
              Confidentiality, Integrity, Availability, Non-Repudiation.
                  • Service Providers: Enterprise Architect, Security Engineer,
                    CERT, NOSC, Helpdesk.
                                                                                   - 12 -
Information Security Concepts

Categories of Security Controls …(2/4)
   CLASS         FAMILY                                       IDENTIFIER
   Management    Risk Assessment                              RA
                 Planning                                     PL
                 System and Services Acquisition              SA
                 Security Assessment and Authorization        CA
                 Program Management                           PM
   Operational   Personnel Security                           PS
                 Physical and Environmental Protection        PE
                 Contingency Planning                         CP
                 Configuration Management                     CM
                 Maintenance                                  MA
                 System and Information Integrity             SI
                 Media Protection                             MP
                 Incident Response                            IR
                 Awareness and Training                       AT
   Technical     Identification and Authentication            IA
                 Access Control                               AC
                 Audit and Accountability                     AU
                 System and Communications Protection         SC

   Reference: NIST SP 800-53, Rev 3, Recommended Security Controls for Federal Information Systems
                                                                                                            - 13 -
Information Security Concepts

Categories of Security Controls …(3/4)
      • Committee on National Security Systems (CNSS)
        Instruction No. 1253
            – Harmonizes the definition of security controls by leveraging NIST
              SP 800-53, Rev. 3.
                  • Facilitates reciprocity of system certifications within the
                    National Security Community.
            – Selection of security controls is based on the risk to each
              security objective, rather than on the FIPS 199 high-water mark
              (HWM) approach.
                  • Provides “control profiles” to facilitate selection of security
                    controls.

        SC_NSS (post-RA) = {(confidentiality, impact), (integrity, impact),
        (availability, impact)}, where the acceptable values for potential impact
        are low, moderate, or high.
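The SC tuple above is the input to both approaches the slide contrasts: the FIPS 199 high-water mark (HWM), where the system as a whole takes the highest of the three impact levels, and the CNSSI 1253 style, where each objective contributes controls at its own level. The Python below is an added example, not code from this deck, from NIST or from CNSS. It builds the tuple, derives the HWM, and selects controls both ways from a small control-profile table; the PROFILE mapping of (objective, impact) to control identifiers is constructed for illustration only and is not the real CNSSI 1253 profile, and the function names are my own.

```python
"""Security categorization two ways: FIPS 199 high-water mark (HWM) versus a
CNSSI 1253 style per-objective selection from SC = {(confidentiality, impact),
(integrity, impact), (availability, impact)}.

Added illustration; not code from the slide deck, NIST or CNSS.
"""
from typing import Dict, Set, Tuple

IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}
RANK_IMPACT = {rank: name for name, rank in IMPACT_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

Categorization = Dict[str, str]   # objective -> impact level

# Constructed "control profile" table: which control identifiers a given
# (objective, impact) pair pulls in. The identifiers use SP 800-53 family
# prefixes, but this mapping is illustrative only and is NOT taken from
# CNSSI 1253. Each level is a superset of the level below, as real baselines are.
PROFILE: Dict[Tuple[str, str], Set[str]] = {
    ("confidentiality", "low"):      {"AC-3", "MP-2"},
    ("confidentiality", "moderate"): {"AC-3", "MP-2", "SC-8"},
    ("confidentiality", "high"):     {"AC-3", "MP-2", "SC-8", "SC-28"},
    ("integrity", "low"):            {"SI-3"},
    ("integrity", "moderate"):       {"SI-3", "SI-7"},
    ("integrity", "high"):           {"SI-3", "SI-7", "AU-9"},
    ("availability", "low"):         {"CP-9"},
    ("availability", "moderate"):    {"CP-9", "CP-7"},
    ("availability", "high"):        {"CP-9", "CP-7", "SC-5"},
}


def categorize(confidentiality: str, integrity: str, availability: str) -> Categorization:
    """Build the SC tuple, rejecting any impact value outside low/moderate/high."""
    sc = dict(zip(OBJECTIVES, (confidentiality, integrity, availability)))
    for objective, impact in sc.items():
        if impact not in IMPACT_RANK:
            raise ValueError(
                f"{objective}: impact must be low, moderate or high, got {impact!r}")
    return sc


def high_water_mark(sc: Categorization) -> str:
    """FIPS 199 / FIPS 200 approach: the system takes the highest impact of the three."""
    return RANK_IMPACT[max(IMPACT_RANK[impact] for impact in sc.values())]


def select_controls_hwm(sc: Categorization) -> Set[str]:
    """Pull every objective's controls at the single HWM level."""
    level = high_water_mark(sc)
    return set().union(*(PROFILE[(objective, level)] for objective in OBJECTIVES))


def select_controls_per_objective(sc: Categorization) -> Set[str]:
    """CNSSI 1253 style: each objective contributes controls at its own impact level."""
    return set().union(*(PROFILE[(objective, sc[objective])] for objective in OBJECTIVES))


def hwm_overhead(sc: Categorization) -> Set[str]:
    """Controls the HWM baseline adds beyond what the per-objective selection needs."""
    return select_controls_hwm(sc) - select_controls_per_objective(sc)


if __name__ == "__main__":
    # A system whose availability matters far more than its confidentiality or integrity
    sc = categorize("low", "low", "high")
    print("SC =", sc)
    print("HWM level:", high_water_mark(sc))
    print("HWM controls:", sorted(select_controls_hwm(sc)))
    print("Per-objective controls:", sorted(select_controls_per_objective(sc)))
    print("Added by HWM only:", sorted(hwm_overhead(sc)))
```

For an SC of (low, low, high) the HWM lifts every objective to high, so confidentiality and integrity pick up controls that the per-objective risk did not call for; the per-objective selection keeps them at low and still applies the full high set to availability. Because each profile level is a superset of the one below, the per-objective selection is always a subset of the HWM selection, which is exactly the saving the control-profile approach is meant to offer.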


                                                                                       - 14 -
Information Security Concepts

Categories of Security Controls …(4/4)
ISO/IEC 27001:2005, Information Technology – Security Techniques – Information
Security Management Systems – Requirements

CONTROL CATEGORY: SUB-CATEGORY OF CONTROLS
• Security Policy: Information security policy
• Organization of Information Security: Internal organization; External parties
• Asset Management: Responsibility for assets; Information classification
• Human Resource Security: Prior to employment; During employment; Termination or
  change of employment
• Physical and Environmental Security: Secure areas; Equipment security
• Communications and Operations Management: Operational procedures and
  responsibilities; Third party service delivery management; System planning and
  acceptance; Protection against malicious and mobile code; Back-up; Network
  security management; Media handling; Exchange of information; Electronic
  commerce services; Monitoring
• Access Control: Business requirement for access control; User access
  management; User responsibilities; Network access control; Operating system
  access control; Application and information access control; Mobile computing
  and teleworking
• Information Systems Acquisition, Development, and Maintenance: Security
  requirements of information systems; Correct processing in applications;
  Cryptographic controls; Security of system files; Security in development and
  support processes; Technical vulnerability management
• Information Security Incident Management: Reporting information security
  events and weaknesses; Management of information security incidents and
  improvements
• Business Continuity Management: Information security aspects of business
  continuity management
• Compliance: Compliance with legal requirements; Compliance with security
  policies and standards, and technical compliance; Information system audit
  considerations
                                                                                                                                                 - 15 -
Information Security Concepts

System Requirements

[Figure: System Requirements split into two kinds]
   Functional Requirements – for defining functions or behavior of the IT
   product or system.
   Performance Requirements – for establishing confidence that the specified
   function will perform as intended.

      • Functional requirements
            – Example: The information system shall support the FISMA
              reporting, mandated by OMB, in the following format:
                  • The number of information systems by FIPS 199 security
                    categories.
                  • The number of systems for which security controls have
                    been tested and evaluated in the past year.
      • Performance requirements
            – Example: To what extent the agency-wide security configuration
              policy (i.e., NIST Checklist Program [a.k.a. National Checklist
              Program]) has been implemented.

                                                                                                         - 16 -
Information Security Concepts

Information Security Requirements

[Figure: Information Security Requirements split into two kinds]
   Functional Requirements – for defining the security behavior of the IT
   product or system.
   Assurance Requirements – for establishing confidence that the security
   function will perform as intended.

      • Assurance requirements
            – Example: SC-3: Security Function Isolation. The information
              system isolates security functions from non-security functions.
      • Functional requirements
            – Example:
                  • VLAN technology shall be created to partition the network
                    into multiple mission-specific security domains.
                  • The integrity of the internetworking architecture shall be
                    preserved by the access control list (ACL).

                                                                                                               - 17 -
Information Security Concepts

Types of Security Controls
      • Directive Controls. Often called administrative controls, these are
        intended to advise employees of the behavior expected of them
        during their interactions with, or use of, the organization’s
        information systems.
      • Preventive Controls. Included in preventive controls are physical,
        administrative, and technical measures intended to preclude
        actions violating policy or increasing risk to system resources.
      • Detective Controls. Detective controls involve the use of practices,
        processes, and tools that identify and possibly react to security
        violations.
      • Corrective Controls. Corrective controls also involve physical,
        administrative, and technical measures designed to react to
        detection of an incident in order to reduce or eliminate the
        opportunity for the unwanted event to recur.
      • Recovery Controls. Once an incident occurs that results in the
        compromise of integrity or availability, the implementation of
        recovery controls is necessary to restore the system or operation
        to a normal operating state.
                                          Reference: CISM Review Manual – 2007, ISACA.
                                                                                         - 18 -
Information Security Concepts

Due Care vs. Due Diligence
      • Due Care
            – Policies and implemented actions that an organization has
              taken to minimize risk to its tangible and intangible assets
              (i.e. information assets, customers, employees, resources
              and reputation.)


      • Due Diligence
            – Continual actions that an organization is taking to protect
              and minimize risk to its tangible and intangible assets.




                                                                             - 19 -
Information Security Concepts

Information Security Models – Defense-in-Depth

[Figure: the Information Assurance “Defense-In-Depth” strategy supports
Successful Organization Functions. Its three pillars are People, Operations and
Technology: people executing operations supported by technology. The
Information Assurance Technical Framework (IATF) adds overlapping approaches
and layers of protection: Defending the Network & Infrastructure; Defending
the Enclave Boundary; Defending the Computing Environment; Supporting the
Infrastructure.]

References
• NSA IA Solution Directions, Information Assurance Technical Framework, Release 3.1
• ISO/IEC 27002:2005, Code of Practice for Information Security Management

                                                                                                                                               - 20 -
Questions:
   • What are the three security objectives?
      –
      –
      –


   • What are the six security implementation principles?
      –
      –
      –
      –
      –
      –



                                                            - 21 -
Answers:
   • What are the three security objectives?
      – Confidentiality
      – Integrity
      – Availability


   • What are the six security implementation principles?
      –   Confidentiality
      –   Integrity
      –   Availability
      –   Need to know
      –   Least privilege
      –   Separation of duties



                                                            - 22 -
Questions:
   • What are the eight security “best practices”?
      –
      –
      –
      –
      –
      –
      –
      –


   • What are the three categories of security controls?
      –
      –
      –
                                                           - 23 -
Answers:
   • What are the eight security “best practices”?
      –   Confidentiality
      –   Integrity
      –   Availability
      –   Need to know
      –   Least privilege
      –   Separation of duties
      –   Job rotation
      –   Mandatory vacation


   • What are the three categories of security controls?
      – Management (Administrative)
      – Operational (and Physical)
      – Technical (Logical)
                                                           - 24 -
Learning Objectives

Information Security Management Domain
      •    Information Security Concepts
      •    Information Security Management
      •    Information Security Governance
      •    Information Classification
      •    System Life Cycle (SLC) and System Development
           Life Cycle (SDLC)
      •    Risk Management
      •    Certification & Accreditation
      •    Security Assessment
      •    Configuration Management
      •    Personnel Security
      •    Security Education, Training, and Awareness
      •    Project Management
                                                                - 25 -
Information Security Management

Information Security Management Planning
      •    Information Security Governance
      •    Information Classification
      •    Systems and Services Acquisition & Development
      •    Risk Management
      •    Certification & Accreditation
      •    Security Assessment

      Typical Outputs:
            – Policies, Standards, and Procedures
            – System Security Plan (SSP) or System Security Authorization
              Agreement (SSAA)
            – ST&E Report, Risk Statement, and POA&M for Risk Mitigation


                                                                            - 26 -
Information Security Management
“All Security Involves Trade-offs”
     • Step 1: What assets are you trying to
       protect?
     • Step 2: What are the risks to these assets?
     • Step 3: How well does the security solution
       mitigate those risks?
     • Step 4: What other risks does the security solution
       cause?
     • Step 5: What cost and trade-offs does the security
       solution impose?

     • And looking out for the “black swan”...
         Reference:
         • Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Springer,
           2003.
         • Nassim Nicholas Taleb, The Black Swan: The Impact of the Highly Improbable, Random House,
           2007.
                                                                                                          - 27 -
Information Security Management

DoD Information Assurance Program – Competencies
      DoD takes a risk management approach to define the core
      competencies of any DoD IA program…
      • The ability to assess security needs and capabilities
           (Risk Management – Assess, Mitigate & Evaluate)

      • The ability to develop a purposeful security design or
        configuration that adheres to a common architecture
        and maximizes the use of common services (ISSE, IATF)
      • The ability to implement required controls and
        safeguards (ISSE Process)
      • The ability to test and verify (ST&E, CT&E)
      • The ability to manage changes to an established
        baseline in a secure manner (CM, Continuous Monitoring)


                            Reference: DoDI 8500.2, Information Assurance (IA) Implementation

                                                                                                - 28 -
Information Security Management

Risk Management Framework – Management Process

[Figure: the six RMF steps as a cycle]
   Step 1: CATEGORIZE Information System
   Step 2: SELECT Security Controls
   Step 3: IMPLEMENT Security Controls
   Step 4: ASSESS Security Controls
   Step 5: AUTHORIZE Information System
   Step 6: MONITOR Security Controls

Objectives:
   – To ensure that managing information system-related security risks is
     consistent with the organization’s mission/business objectives and
     overall risk strategy established by the senior leadership through the
     risk executive (function);
   – To ensure that information security requirements, including necessary
     security controls, are integrated into the organization’s enterprise
     architecture and system development life cycle processes;
   – To support consistent, well-informed, and ongoing security authorization
     decisions (through continuous monitoring), transparency of security and
     risk management-related information, and reciprocity; and
   – To achieve more secure information and information systems within the
     federal government through the implementation of appropriate risk
     mitigation strategies.
                 Reference: NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information
                 Systems – A Security Life Cycle Approach, Joint Task Force Transformation Initiative, February 2010.
                                                                                                                        - 29 -
Learning Objectives

Information Security Management Domain
      •    Information Security Concepts
      •    Information Security Management
      •    Information Security Governance
      •    Information Classification
      •    System Life Cycle (SLC) and System Development
           Life Cycle (SDLC)
      •    Risk Management
      •    Certification & Accreditation
      •    Security Assessment
      •    Configuration Management
      •    Personnel Security
      •    Security Education, Training, and Awareness
      •    Project Management                               - 30 -
Information Security Governance
            • Policy. Management directives that establish expectations
              (goals & objectives), and assign roles & responsibilities
            • Standards. Function-specific mandatory activities, actions,
              and rules
            • Process & Procedure. Step-by-step implementation instructions
            • Guideline. General statement, framework, or recommendations
              to augment process or procedure

      [Figure: Governance document hierarchy. Left pyramid (generic): Law,
       Regulations; Organizational Policies; Functional Implementation
       Policies; Standards, Process, Procedure, Guidelines.
       Right pyramid (DoD example): Law, Regulations; Executive Orders, DoD
       Directives, Joint Doctrines; DoD Instructions, DoD Agency Policies &
       MOUs; Standards: DoD Regulations; Process: DITSCAP / DIACAP, SIPRNet
       CAP; Procedure: DoD Manuals; Guidelines: DISA STIGs, NSA SNAC SCGs]

                                                                                                                                                - 31 -
Information Security Governance

Policies
      Policies:
      • Explain laws, regulations, business/mission needs, and
        management expectations (goals & objectives).
      • Identify roles and delineate responsibilities.

      Examples:
      • Executive Orders, Presidential Directives
            – E.O. 13526, PDD-67, HSPD-7, etc.
      • Federal (/Civil)
            – OMB Circulars: A-11, A-130, etc.
      • Military
            – DoD Directives, Instructions, Manuals, etc.
      • Intelligence
            – Director, Central Intelligence Directives (DCID).

      [Figure: governance hierarchy pyramid with the Policy layers highlighted:
       Law, Regulations; Organizational Policies; Functional Implementation
       Policies; Standards, Process, Procedure, Guidelines]
                                                                                                                         - 32 -
Information Security Governance

Policies – Roles & Responsibilities
      •    In order to have an effective security program, roles, responsibilities,
           and authority must be clearly communicated and understood by all.
            – Information owner. Executive management is responsible for the
              protection of information assets (tangible and intangible).
                  •   C[X]Os
                  •   Functional managers
                  •   Solutions providers
                  •   Configuration Management (CM) / CCB
            – Information custodian. Information security professionals are delegated
              the responsibility to provide security services that support the execution
              of business processes within an organization.
                  •   Security managers / officers
                  •   Security administrators (network, systems, databases, etc.)
                  •   Security analysts
                  •   Network, system, database administrators
                  •   Application owner (i.e.
            – Information user. End users are responsible for safeguarding and handling
              information (e.g. marking & labeling, printing, transporting, NDA, etc.).
                  • Line managers
                  • Analysts
            – Information (systems) auditor. Auditors provide an independent
              assessment of the security of information and/or information systems.
                  • Military: White, Blue & Red Teams, IGs
                  • Commercial: Auditors, Black-hat Teams

                                                                                               - 33 -
Information Security Governance

Standards
      Standards:
      • Mandatory activities, actions, and rules for the
        execution of management (or administrative)
        policies

      Examples:
      • Federal (/ Civil)
            – Federal Information Processing Standards (FIPS)
      • Military
            – DoD Regulations, DoD Manuals, etc.
      • Intelligence
            – Director, Central Intelligence Directives (DCID)
      • Commercial (/ Industry)
            – ISO/IEC 27001, BS 7799, etc.

      [Figure: governance hierarchy pyramid with the Standards layer highlighted:
       Law, Regulations; Organizational Policies; Functional Implementation
       Policies; Standards, Process, Procedure, Guidelines]

                                                                                                                    - 34 -
Information Security Governance

Standards
      • DoD 5200.28-STD Trusted Computer System Evaluation Criteria (TCSEC)
            – Evaluates Confidentiality.
      • Information Technology Security Evaluation Criteria (ITSEC)
            – Evaluates Confidentiality, Integrity and Availability.
      • Common Criteria (CC)
            – Provided a common structure and language.
            – It’s an International standard (ISO 15408).

      [Figure: lineage of evaluation criteria. Orange Book (TCSEC) 1985;
       UK Confidence Levels 1989; German Criteria; French Criteria; ITSEC 1991;
       Canadian Criteria (CTCPEC) 1993; Federal Criteria Draft 1993;
       ISO 15408-1999 Common Criteria (CC): V1.0 1996, V2.0 1998, V2.1 1999]
                                                                                                        - 35 -
Information Security Governance

Standards – ISO/IEC 27001:2005
                                  • ISO/IEC 27001 is an
                                    Information Security
                                    Management System
                                    Standard.

                                  • Commercially, the systems
                                    are certified based on
                                    meeting ISO/IEC 27001 (not
                                    ISO/IEC 27002!)

                                  • ISO/IEC 27002:2005 is a
                                    “Code of practice” for
                                    information security
                                    management



                                                                 - 36 -
Information Security Governance

Process & Procedure
      Process & Procedure:
      • Step-by-step explanation of how to implement or
        execute security instructions.
      Examples:
      • System Development Life Cycle (SDLC) System & Services
        Acquisition Process
            –   Project Planning and Management Process
            –   Change Control Process
            –   Risk Management Process
            –   Certification & Accreditation Process
      •    Standard Operations Procedure (SOP)
      •    Incident Management Process
      •    Contingency Planning Process
      •    Security Assessment Process

      [Figure: governance hierarchy pyramid with the Process and Procedure
       layers highlighted: Law, Regulations; Organizational Policies;
       Functional Implementation Policies; Standards, Process, Procedure,
       Guidelines]

                                                                                                                      - 37 -
Information Security Governance

Guidelines
      Guidelines:
      • Frameworks or recommendations that facilitate
        implementation of policies, standards, processes,
        and procedures.
      Examples:
      • Federal (/ Civil)
            – NIST Special Publications (NIST SP 800 series).
      • Military
            – NSA-IATF, NSA-IAM, NSA-IEM.
            – NSA SNAC SCGs, DISA FSO STIGs.
      • Commercial
            – ISO/IEC 17799: 2005.
            – CIS Benchmarks.

      [Figure: governance hierarchy pyramid with the Guidelines layer
       highlighted: Law, Regulations; Organizational Policies; Functional
       Implementation Policies; Standards, Process, Procedure, Guidelines]

                                                                                                                - 38 -
Question:
   • What are the four types of documents that provide
     governance to IT security?
      –
      –
      –
      –




                                                         - 39 -
Answer:
   • What are the four types of documents that provide
     governance to IT security?
      –   Policy
      –   Standard
      –   Procedure (or Manual)
      –   Guideline




                                                         - 40 -
Learning Objectives

Information Security Management Domain
      •    Information Security Concepts
      •    Information Security Management
      •    Information Security Governance
      •    Information Classification
      •    System Life Cycle (SLC) and System Development
           Life Cycle (SDLC)
      •    Risk Management
      •    Certification & Accreditation
      •    Security Assessment
      •    Configuration Management
      •    Personnel Security
      •    Security Education, Training & Awareness
                                                            - 41 -
Information Classification
   • Identifies and characterizes the critical information
     assets (i.e. sensitivity)
   • Explains the level of safeguard (protection level) or
     how the information assets should be handled
     (sensitivity and confidentiality)


    Commercial                     Military and Civil Gov.
    • Public                       •   Unclassified
    • Private / Sensitive          •   Sensitive But Unclassified (SBU)
    • Confidential / Proprietary   •   Confidential
                                   •   Secret
                                   •   Top Secret


                                                                          - 42 -
Information Classification
   • Who can best determine the sensitivity of information?
      – Information owner
   • Example: E.O. 13526, Classified National Security
     Information, Dec. 29, 2009
      – President, VP, agency heads, official designated by the
        President, and delegated USG officials
      – It specifically identifies what information shall be classified
          a)   military plans, weapons systems, or operations;
          b)   foreign government information;
          c)   intelligence activities (including special activities), intelligence sources or methods,
               or cryptology;
          d)   foreign relations or foreign activities of the United States, including confidential
               sources;
          e)   scientific, technological, or economic matters relating to the national security;
          f)   United States Government programs for safeguarding nuclear materials or
               facilities;
          g)   vulnerabilities or capabilities of systems, installations, infrastructures, projects,
               plans, or protection services relating to the national security; or
          h)   the development, production, or use of weapons of mass destruction.
                                                                                                          - 43 -
Learning Objectives

Information Security Management Domain
      •    Information Security Concepts
      •    Information Security Management
      •    Information Security Governance
      •    Information Classification
      •    System Life Cycle (SLC) and System Development
           Life Cycle (SDLC)
      •    Risk Management
      •    Certification & Accreditation
      •    Security Assessment
      •    Configuration Management
      •    Personnel Security
      •    Security Education, Training, and Awareness
      •    Project Management                               - 44 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

System Development Life Cycle (SDLC) Models
      • Waterfall Development Models
            – Waterfall: DoD-STD-2167A (replaced by MIL-STD-498 on
              11/1994).
            – Modified Waterfall: MIL-STD-498 (cancelled on 5/1998)
            – ISO/IEC 12207, Software Life Cycle Processes (IEEE/EIA
              12207 US implementation) (based on MIL-STD-499B)
            – ISO/IEC 15288, Systems Engineering – System Life Cycle
              Processes (IEEE std 1220 – 2005, US implementation)


      • Iterative Development Models
            – Boehm’s Spiral Model.
            – Rapid Application Development (RAD) & Joint Application
              Development (JAD)


                                                                        - 45 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

Waterfall Development Models

      • Classic Waterfall: DoD-STD-2167A
      • Modified Waterfall: MIL-STD-498

      [Figure: two waterfall diagrams, each a descending staircase of phases:
       Requirements, Design, Implementation, Verification, Maintenance.
       Left: Classic Waterfall (DoD-STD-2167A). Right: Modified Waterfall
       (MIL-STD-498)]

                                                                                                                                             - 46 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

Boehm’s Spiral Model




                                                                   - 47 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

Rapid Application Development (RAD) Model
      • Iterative, but spiral cycles are much smaller.
      • Risk-based approach, but focus on “good enough”
        outcome.
      • SDLC fundamentals still apply…
            – Requirements, configuration, and quality management,
              design process, coding, test & integration, technical and
              project reviews, etc.

                                                                          Reference:
                                                                          - S. McConnell, Rapid Development: Taming Wild Software Schedules
                                                                          - http://www.cs.bgsu.edu/maner/domains/RAD.htm
                                                                                                      - 48 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

History of Systems/Software Engineering Process
Standards




                                                   Reference: http://en.wikipedia.org/wiki/Systems_engineering_process   - 49 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

Software & System Engineering Management Processes
      • There are more and more “software-intensive”
        systems…
            – Systems are getting more complex. Hardware problems are
              often addressed through software;
            – Operating environments are stochastic. Software is more
              flexible than hardware.

      • As SDLC models evolve, management processes
        are evolving too…
            –   DoD-STD-2167A: Waterfall SDLC + SE Process
            –   MIL-STD-498: Modified Waterfall SDLC + SE Process
            –   IEEE 1220: System Engineering Process
            –   ISO 12207: Software + System Engineering Mgmt Process
            –   ISO 15288: System Engineering Mgmt Process
                                                                         - 50 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

DoD-STD-2167A – System Engineering Process

      [Figure: DoD-STD-2167A V-shaped development process, on three levels.
       Project level: Process Implementation; Software Installation; Software
       Acceptance Support.
       System level: System Requirements Analysis; System Architecture Design;
       System Integration; System Qualification Testing.
       Software level: Software Requirements Analysis; Software Architectural
       Design; Software Detailed Design; Software Coding & Testing; Software
       Integration; Software Qualification Testing]

                      Reference: DoD-STD-2167A, Defense System Software Development, February 29, 1988

                                                                                                                          - 51 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

ISO/IEC 15288:2008, System Life Cycle Processes
   • ISO/IEC 15288* encompasses:
         – Systems/software engineering processes (Technical Processes)
         – Project management processes
         – Project support infrastructure (Organizational Project-Enabling
           Processes)
         – Contract/business management processes (Agreement Processes)

   [Figure: ISO/IEC 15288:2008 process groups.
    Agreement Processes: Acquisition Process; Supply Process.
    Organizational Project-Enabling Processes: Life Cycle Model Management
    Process; Infrastructure Management Process; Project Portfolio Management
    Process; Human Resource Management Process; Quality Management Process.
    Project Processes: Project Planning Process; Project Assessment and
    Control Process; Decision Management Process; Risk Management Process;
    Configuration Management Process; Information Management Process.
    Technical Processes: Stakeholder Requirements Definition Process;
    Requirements Analysis Process; Architecture Design Process;
    Implementation Process; Integration Process; Verification Process;
    Transition Process; Validation Process; Operation Process; Maintenance
    Process; Disposal Process]

   * Note: ISO/IEC 15288 is identical to IEEE Std 15288

                                                                                                                                     - 52 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

ISO/IEC 12207:2008, Software Life Cycle Processes
   [Figure: ISO/IEC 12207:2008 process groups.
    System Context Processes:
      Agreement Processes: Acquisition Process; Supply Process.
      Organizational Project-Enabling Processes: Life Cycle Model Management
      Process; Infrastructure Management Process; Project Portfolio
      Management Process; Human Resource Management Process; Quality
      Management Process.
      Project Processes: Project Planning Process; Project Assessment and
      Control Process; Decision Management Process; Risk Management Process;
      Configuration Management Process; Information Management Process.
      Technical Processes: Stakeholder Requirements Definition Process;
      Requirements Analysis Process; Architecture Design Process;
      Implementation Process; Integration Process; Verification Process;
      Transition Process; Validation Process; Operation Process; Maintenance
      Process; Disposal Process.
    Software Specific Processes:
      SW Implementation Processes: Software Implementation Process; Software
      Requirements Analysis Process; Software Architectural Design Process;
      Software Detailed Design Process; Software Construction Process;
      Software Integration Process; Software Qualification Testing Process.
      SW Support Processes: Software Documentation Process; Software
      Configuration Management Process; Software Quality Assurance Process;
      Software Verification Process; Software Validation Process; Software
      Review Process; Software Audit Process; Software Problem Resolution
      Process.
      Software Reuse Processes: Domain Engineering Process; Reuse Program
      Management Process; Reuse Asset Management Process]

   * Note: ISO/IEC 12207 is identical to IEEE Std 12207

   Reference: IEEE/IEC 12207:2008, Information Technology Software Life Cycle Processes

                                                                                                                                                                                                                                                           - 53 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

Program Management: Incremental Commitment Model




               Reference: B. Boehm, J.A. Lane, Using the Incremental Commitment Model to Integrate System Acquisition,
               Systems Engineering, and Software Engineering, CrossTalk, October 2007.
                                                                                                                         - 54 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

IEEE std 1220, System Engineering Process


                              IEEE 1220: System Life Cycle (SLC)

[Figure: stages in sequence: Concept Stage > Development Stage > Production Stage > Support Stage > Disposal Stage. The Development Stage is subdivided into System Definition > Preliminary Design > Detailed Design > Fabrication, Assembly, Integration & Test (FAIT).]

                                                                                               - 55 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

System Life Cycle (SLC)
      1. Initiation Phase (IEEE 1220: Concept Stage)
            – Survey & understand the policies, standards, and guidelines.
            – Identify information assets (tangible & intangible).
            – Define information security categorization & protection level.
            – Conduct business impact analysis (BIA) (a.k.a. risk
              assessment).
            – Define rules of behavior & security CONOPS.

      2. Acquisition / Development Phase (IEEE 1220: Development Stage)
            – Define security requirements and select security controls.
            – Assess system risk.
            – Perform cost/benefit analysis (CBA).
            – Security planning (based on risks & CBA).
            – Practice the Information Systems Security Engineering (ISSE)
              process to develop security controls.
            – Develop security test & evaluation (ST&E) plan.
                                          Reference: NIST SP 800-64, Rev 2, Security Considerations in the Information
                                          System Development Life Cycle.
                                                                                                                            - 56 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

System Life Cycle (SLC)
      3. Implementation Phase (IEEE 1220: Production Stage)
            – Implement security controls in accordance with the baseline
              system design and update the system security plan (SSP).
            – Integrate the system.
            – Perform security certification & accreditation of the target system.

      4. Operations / Maintenance Phase (IEEE 1220: Support Stage)
            – Review operational readiness.
            – Perform configuration management & change control.
            – Continuously monitor the security posture.
            – Perform periodic security assessments.

      5. Disposition Phase (IEEE 1220: Disposal Stage)
            – Preserve information: archive and store electronic information.
            – Sanitize media: ensure the electronic data stored on the disposed
              media are deleted, erased, and overwritten.
            – Dispose of hardware: ensure all electronic data resident in the
              hardware (e.g., EPROM, BIOS, etc.) are deleted, erased, and
              overwritten.
                                          Reference: NIST SP 800-64, Rev 2, Security Considerations in the Information
                                          System Development Life Cycle.
                                                                                                                            - 57 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

Information System Security Engineering (ISSE) Process
• Phase 1: Discover Information Protection Needs
      – Ascertain the system purpose.
      – Identify the information assets that need protection.
• Phase 2: Define System Security Requirements
      – Define requirements based on the protection needs.
• Phase 3: Design System Security Architecture
      – Design the system architecture to meet the security requirements.
• Phase 4: Develop Detailed Security Design
      – Based on the security architecture, design the security functions
        and features for the system.
• Phase 5: Implement System Security
      – Implement the designed security functions and features in the system.
• Phase 6: Assess Security Effectiveness
      – Assess the effectiveness of the ISSE activities.

[Figure: the six ISSE phases arranged in a cycle (Phase 1: Discover Needs; Phase 2: Define System Requirements; Phase 3: Design System Architecture; Phase 4: Develop Detailed Design; Phase 5: Implement System; Phase 6: Assess Effectiveness) around Users/Users' Representatives at the center.]

                                             Reference: Information Assurance Technical Framework (IATF), Release 3.1
                                                                                                                                                      - 58 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)

  Examples of SDLC and Systems Engineering Activities

  IEEE 1220, Application and Management of the Systems Engineering Process:
      Concept Stage > Development Stage > Production Stage > Operations & Maintenance

  Defense Acquisition Life Cycle (DoD 5000):
      User Needs & Technology Opportunities > Concept Refinement > Technology Development > System Development & Demonstration > Production and Deployment > Operations & Support

  IRS Enterprise Life Cycle (ELC):
      Vision & Strategy > Project Initiation > Domain Architecture > Preliminary Design > Detailed Design > System Development > System Deployment > Operations & Maintenance

  FBI Information Technology Life Cycle Management Directive (IT LCMD):
      Concept Exploration > Requirements Development > Acq. Planning > Source Select'n. > Design > Develop & Test > Implementation & Integration > Operations & Maintenance

  Systems Engineering (SE) Tasks:
      Discover Mission/Business Needs > Define System Requirements > Design System Architecture > Develop Detailed System Design > Implement System Design > Sustainment

  Information Systems Security Engineering (ISSE) Tasks:
      Discover Information Protection Needs > Define Security Requirements > Design System Security Architecture > Develop Detailed System Security Controls > Implement Security Controls > Continuous Monitoring


We need to do more to understand the mission/business needs and align them to the EA.

                                                                                                                                                  59
It starts at the beginning of a SDLC…

IEEE 1220 Concept Stage / DoD Acquisition SDLC: User Needs & Technology Opportunities, Concept Refinement

Key System Engineering Tasks: Task 1: Discover Mission/Business Needs
   • Understand customer's mission/business goals (i.e., initial capability, project risk assessment)
   • Understand system concept of operations (CONOPS)
   • Create high-level entity-data relations model (i.e., system context diagram)
   • Define engineering project strategy and integrate into the overall project strategy
   • Create system engineering management plan (SEMP)

Key Security Engineering Tasks*: Task 1: Discover Information Protection Needs
   • Understand customer's information protection needs (i.e., infosec. risk assessment)
   • Understand operating environment (i.e., sensitivity of information assets, mode of operations)
   • Create information management model (IMM)
   • Define information protection policy (IPP) and integrate into the project strategy
   • Create system security plan (SSP) and integrate into SEMP

Milestone A: Task 6: Assess project performance in meeting mission/business needs

   * Reference: Information Assurance Technical Framework (IATF), Release 3.1

[Figure: the six-task cycle (Task 1: Discover Needs; Task 2: Define System Requirements; Task 3: Design System Architecture; Task 4: Develop Detailed Design; Task 5: Implement System; Task 6: Assess Effectiveness) around Users/Users' Representatives.]

• Key Deliverables
   – Mission Needs Statement / Project Goal(s) and Objectives
   – System Capabilities
   – Preliminary CONOPS
   – Preliminary System Context Descriptions
   – Project Risk Assessment
   – Draft System Engineering Management Plan (SEMP)
                                                                                                                                                                      60
IEEE 1220 Development Stage / DoD Acquisition SDLC: Technology Development, then System Development & Demonstration

Task 2: Define System Requirements (SE) / Task 2: Define Security Requirements (Security)
   • Refine system context (e.g., functional components)  (both)
   • SE: Define system requirements (e.g., functional, performance, operational, support, etc.)
   • Security: Select assurance requirements and define security functional requirements
   • SE: Refine CONOPS
   • Security: Refine IMM and SSP
   • Baseline system requirements  (both)
Milestone B: Task 6: Assess project performance in meeting mission/business needs

Task 3: Design System Architecture (SE) / Task 3: Design System Security Architecture (Security)
   • Determine & select architecture framework  (both)
   • SE: Design system architecture and allocate system requirements to subsystems and components (i.e., RTM)
   • Security: Allocate system security requirements to subsystems and service components (i.e., RTM)
   • Analyze gaps (i.e., risk assessment)  (both)

Task 4: Develop Detailed System Design (Logical & Physical) (SE) / Task 4: Develop Detailed System Security Design (Logical & Physical) (Security)
   • SE: Refine entity-data relations model (i.e., UML diagrams, data-flow, network, etc.)
   • Security: Refine IMM, embed security controls into system design products (i.e., UML, data-flow, network, etc.)
   • Perform system synthesis analysis to assure system integration (i.e., system design, system architecture, system requirements, and project mission/business needs)  (both)
Milestone C: Task 6: Assess project performance in meeting mission/business needs

[Figure: the six-task cycle (Task 1: Discover Needs; Task 2: Define System Requirements; Task 3: Design System Architecture; Task 4: Develop Detailed Design; Task 5: Implement System; Task 6: Assess Effectiveness) around Users/Users' Representatives.]

• Key Deliverables
   – System Requirements
   – Functional Definitions (+ allocation of system requirements)
   – System Architecture (Contextual + Logical)
   – Detailed System Design (Logical + Physical)
   – Requirements Traceability Matrix (RTM)
                                                                                                                                                      61
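The RTM allocation and gap analysis that Task 3 and the RTM deliverable call for, written here as an added example (not from the slides or the IATF); the requirement IDs, component names, policy clauses and ST&E test IDs are constructed:

```python
"""Requirements Traceability Matrix (RTM) gap analysis.

Added example, not from the CISSP review slides or the IATF. It models ISSE
Task 3 (allocate security requirements to subsystems/service components and
analyze gaps) and the RTM deliverable over a small constructed data set.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecurityRequirement:
    req_id: str
    text: str
    source: str                                              # IPP/SSP clause it traces back to
    allocated_to: List[str] = field(default_factory=list)    # subsystems / service components
    verified_by: List[str] = field(default_factory=list)     # ST&E test case IDs


# --- constructed sample RTM (hypothetical identifiers) ----------------------
COMPONENTS = ["WebApp", "IdP", "AuditLog", "Database"]

# ST&E results recorded so far: test id -> status
TEST_RESULTS: Dict[str, str] = {
    "STE-01": "pass",
    "STE-03": "not run",
}

REQUIREMENTS = [
    SecurityRequirement("REQ-AC-1", "Enforce role-based access to case records",
                        "IPP 3.1", ["WebApp", "IdP"], ["STE-01"]),
    SecurityRequirement("REQ-AU-2", "Log all privileged actions with user and time",
                        "IPP 4.2", ["AuditLog"], ["STE-03"]),
    SecurityRequirement("REQ-SC-3", "Encrypt case data in transit",
                        "IPP 5.1"),                          # never allocated
    SecurityRequirement("REQ-CM-4", "Deploy from the approved configuration baseline",
                        "IPP 6.4", ["LegacyDB"]),           # component not in the architecture
]


def analyze_gaps(requirements, components, test_results):
    """Forward and backward traceability check over the RTM.

    Returns only the non-empty gap categories; an empty dict means the RTM is
    closed: every requirement is allocated to a known component and has a
    passing test, and every component carries at least one requirement.
    """
    known = set(components)
    gaps: Dict[str, list] = {
        "unallocated": [],          # requirement with no owning component
        "unknown_component": [],    # allocation to something not in the architecture
        "unverified": [],           # no ST&E test case planned
        "not_passed": [],           # test planned but failed / not run / missing
        "orphan_components": [],    # component with no requirement (unjustified function)
    }
    covered = set()
    for r in requirements:
        if not r.allocated_to:
            gaps["unallocated"].append(r.req_id)
        for c in r.allocated_to:
            if c in known:
                covered.add(c)
            else:
                gaps["unknown_component"].append((r.req_id, c))
        if not r.verified_by:
            gaps["unverified"].append(r.req_id)
        for t in r.verified_by:
            status = test_results.get(t, "missing")
            if status != "pass":
                gaps["not_passed"].append((r.req_id, t, status))
    gaps["orphan_components"] = sorted(known - covered)
    return {k: v for k, v in gaps.items() if v}


def coverage(requirements, components, test_results):
    """Share of requirements allocated to known components AND backed by passing tests."""
    known = set(components)
    closed = 0
    for r in requirements:
        allocated_ok = r.allocated_to and all(c in known for c in r.allocated_to)
        tested_ok = r.verified_by and all(test_results.get(t) == "pass" for t in r.verified_by)
        if allocated_ok and tested_ok:
            closed += 1
    return closed / len(requirements) if requirements else 0.0


def rtm_rows(requirements):
    """Flatten the RTM into (requirement, source, component, test) rows for a report."""
    rows: List[Tuple[str, str, str, str]] = []
    for r in requirements:
        for c in r.allocated_to or ["-"]:
            for t in r.verified_by or ["-"]:
                rows.append((r.req_id, r.source, c, t))
    return rows


if __name__ == "__main__":
    for row in rtm_rows(REQUIREMENTS):
        print("%-9s %-8s %-9s %s" % row)
    for category, items in analyze_gaps(REQUIREMENTS, COMPONENTS, TEST_RESULTS).items():
        print(f"{category}: {items}")
    print(f"closed requirements: {coverage(REQUIREMENTS, COMPONENTS, TEST_RESULTS):.0%}")
```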
IEEE 1220 Production Stage / DoD Acquisition SDLC: Production and Deployment

Task 5: Implement System Design (SE) / Task 5: Implement Security Controls (Security)
   • Procure system components / construct system  (both)
   • Code/ customize/ configure system functional components  (both)
   • Conduct code inspection/ walk-through/ unit test  (both)
   • Perform system integration  (both)
   • SE: Conduct system test
   • Security: Conduct security test & evaluation (ST&E)
Task 6: Assess project performance in meeting mission/business needs
   • SE: Generate system operations procedure (SOP) and users guide/ manual
   • Security: Generate SOP (a.k.a. trusted facility manual (TFM)), incident response plan, business continuity plan (BCP)
   • SE: Conduct system readiness review
   • Security: Obtain system certification
   • Deploy system  (both)
   • SE: Conduct system acceptance test
   • Security: Assess security effectiveness
   • Obtain approval to operate (ATO)  (both)

[Figure: the six-task cycle (Task 1: Discover Needs; Task 2: Define System Requirements; Task 3: Design System Architecture; Task 4: Develop Detailed Design; Task 5: Implement System; Task 6: Assess Effectiveness) around Users/Users' Representatives.]

• Key Deliverables
   – Implement detailed system design
   – Perform test & evaluations (unit, system, security tests)
   – Test reports
   – Standard Operating Procedure (SOP) + User Manuals
   – Deploy system
   – Conduct acceptance tests
                                                                                                                                                          62
Questions:
   • What is the importance of information classification?
      –



   • When should the sensitivity and the protection level
     be determined in the system life cycle?
      –



   • What is the importance of FIPS 199?
      –




                                                             - 63 -
Answers:
   • What is the importance of information classification?
      – Explains the sensitivity of the information, and the level of
        protection required to meet the security objectives


   • When should the sensitivity and the protection level
     be determined in the system life cycle?
      – At the Initial Phase. It is a part of system characterization
        activity


   • What is the importance of FIPS 199?
      – Explains the sensitivity of the information in terms of impact
        in meeting the security objectives



                                                                         - 64 -
Questions:
   • What classic system development life cycle (SDLC)
     model allows system engineers to go back to the
     previous step?
      –


   • What iterative SDLC model allows system engineers
     to evaluate, refine, plan and construct an information
     system utilizing a series of prototypes?
      –


   • Which SDLC model requires formal verification and
     validation of requirements at the unit-level, system-
     level, and operational-level?
      –

                                                              - 65 -
Answers:
   • What classic system development life cycle (SDLC)
     model allows system engineers to go back to the
     previous step?
      – Modified Waterfall


   • What iterative SDLC model allows system engineers
     to evaluate, refine, plan and construct an information
     system utilizing a series of prototypes?
      – Spiral Model


   • Which SDLC model requires formal verification and
     validation of requirements at the unit-level, system-
     level, and operational-level?
      – The V-Model, IEEE 12207 or ISO/IEC 12207

                                                              - 66 -
Learning Objectives

Information Security Management Domain
      •    Information Security Concepts
      •    Information Security Management
      •    Information Security Governance
      •    Information Classification
      •    System Life Cycle (SLC) and System Development
           Life Cycle (SDLC)
      •    Risk Management
      •    Certification & Accreditation
      •    Security Assessment
      •    Configuration Management
      •    Personnel Security
      •    Security Education, Training, and Awareness
      •    Project Management
                                                                  - 67 -
Risk Management Processes

[Figure: NIST Risk Management Framework (RMF) cycle]
   Step 1: CATEGORIZE Information System
   Step 2: SELECT Security Controls
   Step 3: IMPLEMENT Security Controls
   Step 4: ASSESS Security Controls
   Step 5: AUTHORIZE Information System
   Step 6: MONITOR Security Controls
   SECURITY AUTHORIZATION = SECURITY POSTURE BASELINE
   If there is a major change, then re-establish the baseline.

   Ongoing cycle after authorization:
   Step 4: ASSESS Security Controls
   Step 5: RE-AUTHORIZE Information System
   Step 6: MONITOR Security Controls
   Communicate the established baseline for continuous monitoring.
   ONGOING SECURITY AUTHORIZATION = MAINTAINING THE ESTABLISHED SECURITY POSTURE BASELINE




       Reference:
       • NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life
         Cycle Approach, Sept. 2011
       • Draft NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessment, September 2011
                                                                                                                                           - 68 -
Risk Management

Current State of Insecurity in Federal Agencies
      • “The 25 major agencies of Federal government
        continue to improve information security performance
        relative to C&A rate and testing of contingency plans
        and security controls.” – OMB FY 2008 Report to Congress on Implementation of FISMA.
          % of System with a:                        FY 2005       FY 2006            FY 2007             FY 2008
          Certification and Accreditation (C&A)          85%            88%              92%               96%
          Tested Contingency Plan                        61%            77%              86%               92%
          Tested Security Controls                       72%            88%              95%               93%
          Total Systems Reported                     10,289           10,595            10,304            10,679

      • # of security incidents keeps growing*…
         Incident Categories                      FY 2005      FY 2006         FY 2007           FY2008          FY2009
         1. Unauthorized Access                    304          706             2,321             3,214             4,848
         2. Denial of Service                       31           37              36                26                48
         3. Malicious Code                         1,806        1,465           1,607             2,274             6,977
         4. Improper Usage                         370          638             3,305             3,762             6,148
         5. Scans/Probes/Attempted Access          976          1,388           1,661             1,272             1,152
         6. Under Investigation                     82          912             4,056             7,502            10,826
         Total Incidents Reported                  3,569        5,146          12,986            18,050            29,999
                                                                                                 * Source: OMB and US-CERT   69
Risk Management

Relationship between Threat, Risk, and Countermeasure
 • Threat Agent. An entity that may act on a vulnerability.

 • Threat. Any potential danger to the information life cycle.

 • Vulnerability. A weakness or flaw that may provide an
   opportunity to a threat agent.

 • Risk. The likelihood that a threat agent exploits a discovered
   vulnerability.

 • Exposure. An instance of being compromised by a threat agent.

 • Countermeasure / safeguard. An administrative, operational, or
   logical mitigation against potential risk(s).

[Figure: Threat agent gives rise to Threat, which exploits Vulnerability, which leads to Risk, which can damage Asset and causes an Exposure, which can be countered by a Countermeasure, which reduces/eliminates Risk and indirectly affects the Threat agent.]
                                                                                                         - 70 -
Risk Management

What is a Risk?
          • The likelihood of a threat agent systemically
            exploiting a vulnerability of a system (of people,
            process, and technology), and
          • The potential impact of a successful attack on an
            organization’s information operations

  [Chart: weaknesses reported for FY’05 through FY’09, grouped by category:
   Weakness in Access Control, Weakness in Segregation of Duties, Weakness in
   Configuration Management, Weakness in Service Continuity, Weakness in
   Enterprise-wide Security Program. Source: US-CERT & GAO-09-546]
                                                                                                                                   - 71 -
Risk Management

Risk Assessment Process
 Reference: NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessments, Sept. 2011

 Input                                     Risk Assessment Activities       Output
 ----------------------------------------  -------------------------------  ------------------------------------------
 Hardware CIs, Software CIs, System I/Fs,  Preparing for Risk Assessment    System Boundary; System Functions;
 Data & Info., People, Mission             (System Characterization)        System & Data Criticality; System & Data
                                                                            Sensitivity; Information Management
                                                                            Model (IMM)

 History of system attack; Data from       Identify Threat Sources and      Threat Statement
 intelligence agencies, US-CERT, OIG, etc. Events

 Reports from prior risk assessments;      Identify Vulnerabilities /       List of Potential Vulnerabilities
 Any audit comments; Security              Predisposing Conditions
 requirements; Security test result

 Threat-source motivation; Threat          Determine Likelihood of          Likelihood Rating
 capacity; Nature of vulnerability;        Occurrence
 Current controls

 Mission impact analysis; Asset            Determine Impact                 Impact Rating (FIPS 199)
 criticality assessment; Data
 criticality; Data sensitivity

 Likelihood of threat exploitation;        Determine Risk                   Risks & Associated Risk Levels;
 Magnitude of impact; Adequacy of                                           Information Protection Plan (IPP);
 planned or current controls                                                Plan of Actions & Milestones (POA&M)

 Two activities run alongside every step: Communications and Information Sharing, and
 Maintaining Risk Assessment.
                                                                                                                          - 72 -
Risk Management

Risk Assessment Methods
 Quantitative
   ALE = SLE x ARO
   SLE = AV x EF
   • Annualized Loss Expectancy (ALE).
   • Single Loss Expectancy (SLE). Monetary loss (impact) for each occurrence
     of a threatened event.
   • Annualized Rate of Occurrence (ARO). The frequency with which a threat is
     expected to occur on an annualized basis.
   • Asset Value (AV). Monetary value of the information asset.
   • Exposure Factor (EF). An instance of being exposed to losses from a
     specific threat.

 Qualitative
   • Likelihood Determination
       – Threat agent motivation & capability
       – Nature of the vulnerability
       – Existence and effectiveness of current controls.
   • Impact Analysis (Confidentiality, Integrity & Availability)
       – System mission (e.g., the processes performed by the IT system)
       – System and data criticality (e.g., the system’s value or importance
         to an organization)
       – System and data sensitivity.

   Risk level matrix (Magnitude of Impact x Likelihood Level):
                                    Likelihood Level
   Magnitude of Impact         Low       Medium      High
   Significant (High)           2           3          3
   Serious (Moderate)           1           2          3
   Mild (Low)                   1           1          2

   SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)},
   where the acceptable values for potential impact are low, medium, or high.
                                                                                                                               - 73 -
Risk Assessment

Information Protection Needs – Robustness Level
 Mode of Operations: System-High
 Data Sensitivity: SBU/FOUO
 SC (Budget & Finance) = {Conf.(M), Integ.(M), Avail.(L)}

 Threat agent (Likelihood):
          –     Hackers (Moderate)
          –     Organized Crime (Moderate)
          –     International Press (Moderate)
          –     Careless/Poorly Trained Employees (High)

 PHE (Threat Likelihood) vs. Severity of HTI (Impact):
                          Low         Moderate            High
 Significant (High)        2              3                3
 Serious (Moderate)        1              2                3
 Mild (Low)                1              1                2

 Information Asset: Budget & Finance Information

 Threat-Agent                        Type of Attacks    Potential Harmful Event (PHE) / Risk Value
 ----------------------------------  -----------------  ---------------------------------------------------------------
 External Threat: Hackers            Passive Attacks    Unauthorized disclosure (Confidentiality)              Risk Value = 2
 (Likelihood = Moderate)             Active Attacks     Unauthorized modification / destruction (Integrity)    Risk Value = 2
                                                        Loss / Denial of service (Availability)                Risk Value = 1

 External Threat: Organized Crime    Passive Attacks    Unauthorized disclosure (Confidentiality)              Risk Value = 2
 (Likelihood = Moderate)             Active Attacks     Unauthorized modification / destruction (Integrity)    Risk Value = 2
                                                        Loss / Denial of service (Availability)                Risk Value = 1

 External Threat: Domestic /         Passive Attacks    Unauthorized disclosure (Confidentiality)              Risk Value = 2
 International Press                                    Unauthorized modification / destruction (Integrity)    Risk Value = 2
 (Likelihood = Moderate)                                Loss / Denial of service (Availability)                Risk Value = 1

 Insider: Careless or Poorly         Passive Attacks    Unauthorized disclosure (Confidentiality)              Risk Value = 3
 Trained Employees                   Active Attacks     Unauthorized modification / destruction (Integrity)    Risk Value = 3
 (Likelihood = High)                 Close-in Attacks   Loss / Denial of service (Availability)                Risk Value = 2
                                                                                                                         - 74 -
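The quantitative formulas (SLE = AV x EF, ALE = SLE x ARO) and the likelihood-by-impact matrix from the previous slide, applied to the Budget & Finance worked example on this slide, as an added Python example that is not part of the original slides. The asset value, exposure factors, ARO and safeguard cost are constructed figures, and the safeguard cost/benefit function (ALE before minus ALE after minus annual safeguard cost) is an assumption that goes beyond what the slides state.

```python
"""Quantitative (ALE) and qualitative (matrix) risk assessment helpers.

Added example, not from the original slides. All numeric figures used in the
demo below are constructed; the matrix values are the ones on the slides.
"""
from dataclasses import dataclass


# --- Quantitative: SLE = AV x EF, ALE = SLE x ARO ----------------------------
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: monetary loss for one occurrence of the threatened event.
    exposure_factor is the fraction (0.0-1.0) of the asset value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> float:
    """ALE = SLE x ARO; ARO is the expected occurrences per year
    (e.g. 0.1 means about once every ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_value(asset_value: float, ef_before: float, aro_before: float,
                    ef_after: float, aro_after: float, annual_cost: float) -> float:
    """Assumed cost/benefit rule: ALE(before) - ALE(after) - annual safeguard cost.
    A positive result means the safeguard is expected to save more than it costs."""
    before = annualized_loss_expectancy(asset_value, ef_before, aro_before)
    after = annualized_loss_expectancy(asset_value, ef_after, aro_after)
    return before - after - annual_cost


# --- Qualitative: magnitude of impact x likelihood level -> risk value (1..3) ---
# Rows: magnitude of impact (Significant/Serious/Mild); columns: likelihood level.
RISK_MATRIX = {
    "High":     {"Low": 2, "Moderate": 3, "High": 3},   # Significant impact
    "Moderate": {"Low": 1, "Moderate": 2, "High": 3},   # Serious impact
    "Low":      {"Low": 1, "Moderate": 1, "High": 2},   # Mild impact
}


def _level(value: str) -> str:
    """Normalise the spellings used on the slides (L/M/H, Medium) to matrix keys."""
    v = value.strip().capitalize()
    v = {"L": "Low", "M": "Moderate", "H": "High", "Medium": "Moderate"}.get(v, v)
    if v not in RISK_MATRIX:
        raise ValueError(f"unknown level: {value!r}")
    return v


def risk_value(impact: str, likelihood: str) -> int:
    """Look up the risk value for one (impact, likelihood) pair."""
    return RISK_MATRIX[_level(impact)][_level(likelihood)]


@dataclass(frozen=True)
class ThreatAgent:
    name: str
    likelihood: str   # Low / Moderate / High, as on the slide


def assess(security_category: dict, agents: list) -> dict:
    """Combine each threat agent's likelihood with the FIPS 199 impact assigned to
    each security objective; returns {(agent name, objective): risk value}.
    security_category is e.g. {"confidentiality": "M", "integrity": "M", "availability": "L"}."""
    results = {}
    for agent in agents:
        for objective, impact in security_category.items():
            results[(agent.name, objective)] = risk_value(impact, agent.likelihood)
    return results


def highest_risks(results: dict, threshold: int = 3) -> list:
    """(agent, objective) pairs at or above the threshold, sorted; the natural
    first entries for a POA&M."""
    return sorted(k for k, v in results.items() if v >= threshold)


if __name__ == "__main__":
    # Constructed quantitative figures: a $1M asset, 25% loss per event, once in 5 years.
    print("ALE:", annualized_loss_expectancy(1_000_000, 0.25, 0.2))
    print("Safeguard value:", safeguard_value(1_000_000, 0.25, 0.2, 0.05, 0.2, 15_000))

    # Budget & Finance information type from the slide: SC = {C(M), I(M), A(L)}.
    sc = {"confidentiality": "M", "integrity": "M", "availability": "L"}
    agents = [ThreatAgent("Hackers", "Moderate"),
              ThreatAgent("Organized Crime", "Moderate"),
              ThreatAgent("International Press", "Moderate"),
              ThreatAgent("Careless/Poorly Trained Employees", "High")]
    for key, value in assess(sc, agents).items():
        print(key, "Risk Value =", value)
    print("Address first:", highest_risks(assess(sc, agents)))
```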
Risk Management

Risk Assessment Methods: Quantitative vs. Qualitative
 Quantitative
 •   Pros
       –   Assessment & results are based substantially on independently objective
           processes & metrics. Thus, meaningful statistical analysis is supported.
       –   The value of information is expressed in monetary terms with supporting
           rationale. Thus, the basis for expected loss is better understood.
       –   A credible basis for cost/benefit assessment of risk mitigation measures
           is provided. Thus, information security budget decision-making is supported.
 •   Cons
       –   Calculations are complex. If they are not understood or effectively
           explained, management may mistrust the results.
       –   A substantial amount of information about the target information & its
           IT environment must be gathered.
       –   There is not yet a standard, independently developed & maintained
           threat population & frequency knowledge base.

 Qualitative
 •   Pros
       –   Calculations are simple and readily understood and executed.
       –   Not necessary to determine quantitative threat frequency & impact data.
       –   Not necessary to estimate the cost of recommended risk mitigation
           measures & calculate cost/benefit.
       –   A general indication of significant areas of risk that should be
           addressed is provided.
 •   Cons
       –   Risk assessment & results are essentially subjective in both process &
           metrics. Use of independently objective metrics is eschewed.
       –   No effort is made to develop an objective monetary basis for the value
           of targeted information assets.
       –   No basis is provided for cost/benefit analysis of risk mitigation
           measures. Only a subjective indication of a problem.
       –   It is not possible to track risk management performance objectively
           when all measures are subjective.
                                                                                                          - 75 -
Risk Management

Risk Actions
      • Risk Acceptance
           – Establish risk acceptance criteria to determine what is
             acceptable.
      • Risk Mitigation
           – Establish plan of action & milestone (POA&M) for
             implementing safeguards and countermeasures.
      • Risk Transfer
           – Transfer the potential liability to another entity (e.g., an
             insurance company).


      • Total Risk = ∑ (Threats x Vulnerability x Asset value)
      • Residual Risk = (Total Risk) – (Countermeasures and
        Safeguards)

                                                                         - 76 -
Risk Management

The “Current State” of Cyber Defense Operating Model
      • Cyber adversary attacks and cyber defense operation
        reacts...
        [Diagram: the adversary’s offensive operation runs its OODA loop
         (Observe → Orient → Decide → Act) first; the agency’s defensive
         operation runs its own Observe → Orient → Decide → Act loop only
         afterwards, in reaction.]

      • Not very effective...*
        [Chart: Total # of Incidents Reported, FY’05 through FY’11
         (y-axis 0 to 120,000).]

      Reference:
      * US-CERT.
                                                                                                                                       Page 77
Risk Management

The “Future State” of Cyber Defense Operating Model –
Information Security Continuous Monitoring (ISCM)
      • Knowing and fixing problems before our adversaries
        discover them – proactive...
        [Diagram: the agency’s ISCM operation runs its OODA loop
         (Observe → Orient → Decide → Act) ahead of the adversary’s
         offensive operation; the agency’s defensive operation then runs
         its own Observe → Orient → Decide → Act loop. Together these form
         the agency’s security automation-enabled cyber operations.]

      Reference:
      • T. Sanger, Keynote Address, 7th Annual IT Security Automation
        Conference, Oct. 31, 2011.
      • T. Keanini, Boyd’s OODA Loop and Continuous Monitoring, 7th
        Annual IT Security Automation Conference, Oct. 31, 2011.
                                                                                                                                    Page 78
Questions
   • What are the two types of risk analysis methods?
      –
      –


   • What type of risk analysis requires the potential
     impact be measured in financial terms?
      –


   • What type of risk analysis requires the potential
     impact be adjudicated in terms of “severity of loss”?
      –




                                                             - 79 -
Answers
  • What are the two types of risk analysis methods?
     – Qualitative
     – Quantitative


  • What type of risk analysis requires the potential
    impact be measured in financial terms?
     – Quantitative


  • What type of risk analysis requires the potential
    impact be adjudicated in terms of “severity of loss”?
     – Qualitative




                                                            - 80 -
Learning Objectives

Information Security Management Domain
      •    Information Security Concepts
      •    Information Security Management
      •    Policies, Standards, Procedures, and Guidelines
      •    Information Classification
      •    System Life Cycle (SLC) and System Development
           Life Cycle (SDLC)
      •    Risk Management
      •    Certification & Accreditation
      •    Security Assessment
      •    Configuration Management
      •    Personnel Security
      •    Security Education, Training & Awareness
                                                             - 81 -
Certification & Accreditation (C&A)

C&A → Risk Management
       • “… seven years after the passage of FISMA and
         approximately $40 billion later, I am troubled to learn
         that the Office of Management and Budget does not
         track how much agencies spend on cyber security or
         measure whether those expenditures actually
         resulted in improved security.” * – Senator Tom Carper
              – For FY08, OMB reported 93% of federal information systems
                had their security controls tested.
              – Yet, between FY05 and FY09, the total number of reported
                security incidents had increased by over 740%.**

       [Chart: Total Incidents Reported, FY’05 through FY’09
        (y-axis 0 to 35,000).]

 Source:
 * Congressional hearing: More Security, Less Waste: What Makes Sense for our Federal
    Cyber Defense, October 29, 2009.
 ** US-CERT
                                                                                                                  - 82 -
Certification & Accreditation (C&A)

We are in a “Transition Period”
       • The concept of C&A is still around...
             – It’s a cultural thing.
             – Most IG security auditors, and
               many agency information assurance (IA) professionals,
               are not willing to transition into RMF & ongoing security
               authorization.


       • C&A has a long history...
             – Computer Security Act of 1987 → FISMA 2002
             – The Rainbow Series/DoD 5200.28-STD (TCSEC) → NIST
               SP 800-37/DoDI 8500.2 → NIST 800-37, Rev. 1/CNSSP-22


       • For CISSP, we just need to learn the broad concept
         of C&A
                                                                           - 83 -
Certification & Accreditation (C&A)

Concept
       • Certification is a disciplined approach to evaluating a
         security enclave’s level of conformance to the prescribed
         security requirements and the implemented security
         controls.
       • Accreditation is the official management decision to
         operate the certified system(s). It is also a formal
         acceptance of responsibility for the security of the
         certified system(s).
       • C&A does not guarantee that the system(s) are free of
         vulnerabilities and risks… hence the need for periodic
         security (or vulnerability) assessments.



                                                                   - 84 -
Certification & Accreditation (C&A)

Process & Guideline
       Standard C&A Processes:
       • For Federal Information Systems
             – Civil: NIST SP 800-37, Rev. 1, Guide for Applying the Risk
               Management Framework to Federal Information Systems: A
               Security Life Cycle Approach, February 2010

       • For National Security Systems (NSS)
             – Civil: CNSSP-22, Information Assurance Risk Management
               Policy for National Security Systems, January 2012
             – Military: DoDI 8510.01, Department of Defense Information
               Assurance Certification and Accreditation Process
               (DIACAP)*


            * DoDI 8510.1 Department of Defense Information Assurance Certification and Accreditation Process
            (DIACAP) has replaced DoDI 5200.40 DITSCAP.



                                                                                                                - 85 -
Certification & Accreditation (C&A)

 Risk Management Framework & System Life Cycle

   Figure (reconstructed from the slide diagram): NIST SP 800-64, Rev 2
   SDLC phases, example security activities in each phase, and the
   NIST SP 800-37, Rev. 1 Risk Management Framework steps that fall
   under each phase.

   SDLC Phase: Initiation
     Example security activities:
     – Preliminary risk assessment and define information protection needs
     – FIPS 199: Security category
     – Select security controls
     RMF: Step 1 CATEGORIZE, Step 2 SELECT

   SDLC Phase: Development/Acquisition
     – Implement security controls
     RMF: Step 3 IMPLEMENT

   SDLC Phase: Implementation/Assessment
     – Perform ST&E to validate implemented security controls and
       record residual risks
     – Verify implemented security controls
     – Authorizing Official (AO) reviews, negotiates, and establishes
       baseline
     RMF: Step 4 ASSESS, Step 5 AUTHORIZE

   SDLC Phase: Operations & Maintenance
     – ISSOs & Security PMO track baselines and monitor risks
     – Monitor, report, and manage implemented security controls to
       maintain security posture baseline
     RMF: Step 6 MONITOR (Ongoing Security Authorization)

                                                                                                                                                                                                     - 86 -
Certification & Accreditation (C&A)

Risk Management Framework and Ongoing Security
Authorization

   Figure (reconstructed from the slide diagram):

   Security authorization cycle:
     Step 1 CATEGORIZE  Information System
     Step 2 SELECT      Security Controls
     Step 3 IMPLEMENT   Security Controls
     Step 4 ASSESS      Security Controls
     Step 5 AUTHORIZE   Information System
     Step 6 MONITOR     Security Controls
     If there is a major change, then re-establish the baseline
     (return to Step 1).

   SECURITY AUTHORIZATION = SECURITY POSTURE BASELINE

   Ongoing security authorization cycle (communicate the established
   baseline for continuous monitoring):
     Step 4 ASSESS        Security Controls
     Step 5 RE-AUTHORIZE  Information System
     Step 6 MONITOR       Security Controls

   ONGOING SECURITY AUTHORIZATION =
   MAINTAINING THE ESTABLISHED SECURITY POSTURE BASELINE

                                                                                                                             - 87 -
Certification & Accreditation (C&A)

DIACAP




                                      Reference: DoDI 8510.1 Department of Defense Information
                                      Assurance Certification and Accreditation Process (DIACAP)
                                                                                                   - 88 -
Learning Objectives

Information Security Management Domain
      •    Information Security Concepts
      •    Information Security Management
      •    Information Security Governance
      •    Information Classification
      •    System Life Cycle (SLC) and System Development
           Life Cycle (SDLC)
      •    Risk Management
      •    Certification & Accreditation
      •    Security Assessment
      •    Configuration Management
      •    Personnel Security
      •    Security Education, Training, and Awareness
      •    Project Management                               - 89 -
Security Assessment

NSA Defined Security Assessment Methodology

   Figure (reconstructed from the slide diagram): three levels, with
   INFOSEC Enhancements feeding from each level into the next.

   ASSESSMENTS (Level I)
   •   Cooperative High Level Overview
   •   Information / Mission Critical Analysis (Compliance Audit)
   •   Inventory Audit of Assets
   •   Information / Data Flow Analysis

   EVALUATIONS (Level II)
   •   Security Process Audit / Analysis
   •   Detailed Inventory Audit of Assets
   •   Cooperative Security Testing / Audit
       – Non-Intrusive Tests
       – Penetration Tests

   RED TEAM (Level III)
   •   Non-cooperative Security Testing
       – External Penetration Tests
   •   Simulation of Appropriate Adversary

                                                                                                                                          - 90 -
Questions:
   • When should risk assessment be performed in a
     typical system life cycle?
      –




   • What are the three actions a designated approving
     authority may take to address risk?
      –
      –
      –




                                                          - 91 -
Answers:
   • When should risk assessment be performed in a
     typical system life cycle?
      – Risk management is a life cycle activity. Risk assessment
        should be performed periodically throughout the system life
        cycle.


   • What are the three actions a designated approving
     authority may take to address risk?
      – Accept Risk
      – Mitigate Risk
      – Transfer Risk




                                                                      - 92 -
Questions:
   • In the qualitative risk assessment method, what are the
     two variables for determining risks?
      –


   • In the quantitative risk assessment method, what are the
     variables that determine the annualized loss expectancy
     (ALE)?
      –
      – Hint: What is the term used to describe the monetary loss for
        each occurrence of a threatened event?
      – Hint: What is the term used to describe the frequency with which
        a threat is expected to occur on an annualized basis?



                                                                        - 93 -
Answers:
   • In the qualitative risk assessment method, what are the
     two variables for determining risks?
      – Likelihood and Impact.


   • In the quantitative risk assessment method, what are the
     variables that determine the annualized loss expectancy
     (ALE)?
      – ALE = SLE × ARO.
      – Hint: What is the term used to describe the monetary loss for
        each occurrence of a threatened event?
      – Hint: What is the term used to describe the frequency with which
        a threat is expected to occur on an annualized basis?



                                                                        - 94 -
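An added worked example (not from the slides) of the quantitative method above: it takes ALE = SLE × ARO together with the standard definition SLE = AV × EF (asset value times exposure factor) and uses the two to rank candidate safeguards by the annualized value they return, which is what the accept / mitigate / transfer decision rests on. All asset values, rates, costs and control names are constructed.

```python
"""Quantitative risk assessment: ALE = SLE x ARO, and ranking candidate
safeguards by the annualized value they return.

All asset values, exposure factors, rates and safeguard costs below are
constructed for illustration; they are not figures from the slides.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: replacement value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0.0-1.0)
    aro: float              # ARO: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # purchase plus upkeep, annualized
    new_exposure_factor: float  # EF once the safeguard is in place
    new_aro: float              # ARO once the safeguard is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: monetary loss for each occurrence of a threatened event (AV x EF)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected yearly loss from the threat."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def threat_ale(t: Threat) -> float:
    return annualized_loss_expectancy(
        single_loss_expectancy(t.asset_value, t.exposure_factor), t.aro)


def safeguard_value(t: Threat, s: Safeguard) -> float:
    """Annualized value of a safeguard: (ALE before - ALE after) - annual cost.
    Positive means the control saves more than it costs (mitigate);
    negative means accepting or transferring the risk may be cheaper."""
    ale_before = threat_ale(t)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(t.asset_value, s.new_exposure_factor), s.new_aro)
    return ale_before - ale_after - s.annual_cost


def rank_safeguards(t: Threat, options: List[Safeguard]) -> List[Tuple[str, float]]:
    """Return (name, value) pairs sorted from most to least cost-effective."""
    scored = [(s.name, safeguard_value(t, s)) for s in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a file server worth $200,000; a destructive
# outage costs 40% of its value and is expected once every two years.
FILE_SERVER_OUTAGE = Threat("file server outage", 200_000.0, 0.40, 0.5)

# Constructed candidate controls for that single threat.
OPTIONS = [
    Safeguard("nightly offline backups", 15_000.0, 0.10, 0.5),    # cuts loss per event
    Safeguard("application allow-listing", 30_000.0, 0.40, 0.1),  # cuts frequency
    Safeguard("hot disaster-recovery site", 90_000.0, 0.05, 0.1), # both, but costly
]

if __name__ == "__main__":
    print(f"ALE without controls: ${threat_ale(FILE_SERVER_OUTAGE):,.0f}")
    for name, value in rank_safeguards(FILE_SERVER_OUTAGE, OPTIONS):
        print(f"{name:28s} annualized value ${value:,.0f}")
```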
Configuration Management

Change Control & Configuration Management

   Figure (reconstructed from the slide diagram): example of a change
   control process according to ITIL.

   Request Change
     -> Review & Assign Change Control Request (CCR)
     -> Assess & Test Change (Check-out CM Baseline from the
        Configuration Management Database)
     -> Request for Change Control Board (CCB) Approval
        -> Approve or Reject
     -> (if approved) Perform & Verify Change(s) (Check-in Baseline
        Change to the Configuration Management Database)
     -> Report Change Status to CCB
     -> Close CCR

   • Change control (or Change Management) is an organizational
     business process.
   • Configuration Management (CM) is an organizational practice that
     manages and maintains records of system baseline, configuration
     changes, and supports the change control process.

                                                                                                                                 - 96 -
Configuration Management

Configuration Management and Security Posture Baseline

   Figure (reconstructed from the slide diagram):

   Security authorization cycle:
     Step 1 CATEGORIZE  Information System
     Step 2 SELECT      Security Controls
     Step 3 IMPLEMENT   Security Controls
     Step 4 ASSESS      Security Controls
     Step 5 AUTHORIZE   Information System
     Step 6 MONITOR     Security Controls
     If there is a major change, then re-establish the baseline
     (return to Step 1).

   SECURITY AUTHORIZATION = SECURITY POSTURE BASELINE

   Ongoing security authorization cycle (communicate the established
   baseline for continuous monitoring):
     Step 4 ASSESS        Security Controls
     Step 5 RE-AUTHORIZE  Information System
     Step 6 MONITOR       Security Controls

   ONGOING SECURITY AUTHORIZATION =
   MAINTAINING THE ESTABLISHED SECURITY POSTURE BASELINE

                                                                                                                            - 97 -
Configuration Management

Configuration Management and Information Security

     • We know that 80-90% of known vulnerabilities can be
       attributed to misconfigurations and missing patches,
       so ...
          – Asset inventory data (to know what agencies have?)
          – Configuration (to know how are they configured?)

     Figure (reconstructed from the slide diagram): an IT asset is made
     up of software configuration items (SWCI-1 … SWCI-5), each with its
     own security configuration benchmark; a setting that does not match
     its benchmark is flagged as a deviation.

                                                                                                                                 Page 98
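An added example (not from the slides) that ties the change control flow from the "Change Control & Configuration Management" slide to the benchmark deviation idea on this one: a small Configuration Management Database holds the security configuration benchmark for each SWCI, the baseline can be checked in only through a CCR the CCB has approved, and an asset's observed settings are compared against the benchmark to report deviations. The SWCI names, benchmark settings, scan results and CCR contents are all constructed.

```python
"""Configuration Management Database (CMDB) sketch: one security
configuration benchmark per software configuration item (SWCI), baseline
changes only through an approved Change Control Request (CCR), and
deviation detection for an asset's observed configuration.

Benchmark settings, scan results and CCR contents are constructed for
illustration; they are not taken from any real benchmark.
"""
from typing import Dict, List, Tuple

Config = Dict[str, str]   # setting name -> expected (or observed) value


class ChangeControlError(Exception):
    """Raised when a baseline change is attempted without CCB approval."""


class CMDB:
    def __init__(self) -> None:
        # SWCI name -> security configuration benchmark (approved baseline)
        self.baselines: Dict[str, Config] = {}
        # CCR id -> (status, swci, proposed settings)
        self.ccrs: Dict[str, Tuple[str, str, Config]] = {}

    def establish_baseline(self, swci: str, benchmark: Config) -> None:
        self.baselines[swci] = dict(benchmark)

    # --- change control process: request, CCB decision, check-in ---
    def request_change(self, ccr_id: str, swci: str, settings: Config) -> None:
        if swci not in self.baselines:
            raise KeyError(f"no baseline for {swci}")
        self.ccrs[ccr_id] = ("requested", swci, dict(settings))

    def ccb_decision(self, ccr_id: str, approved: bool) -> str:
        _, swci, settings = self.ccrs[ccr_id]
        status = "approved" if approved else "rejected"
        self.ccrs[ccr_id] = (status, swci, settings)
        return status

    def check_in_baseline(self, ccr_id: str) -> Config:
        """Apply the change to the baseline only if the CCB approved it,
        then close the CCR."""
        status, swci, settings = self.ccrs[ccr_id]
        if status != "approved":
            raise ChangeControlError(f"{ccr_id} is {status}, not approved")
        self.baselines[swci].update(settings)
        self.ccrs[ccr_id] = ("closed", swci, settings)
        return dict(self.baselines[swci])

    # --- deviation detection against the benchmark ---
    def deviations(self, swci: str, observed: Config) -> List[Tuple[str, str, str]]:
        """Return (setting, expected, observed) triples where the asset's
        observed configuration does not match the SWCI benchmark. A setting
        the scan did not report at all is shown as '<missing>'."""
        found = []
        for setting, expected in self.baselines[swci].items():
            actual = observed.get(setting, "<missing>")
            if actual != expected:
                found.append((setting, expected, actual))
        return found


def build_demo_cmdb() -> CMDB:
    """Constructed benchmarks for two SWCIs of one IT asset."""
    db = CMDB()
    db.establish_baseline("SWCI-1 (OS)", {
        "password_min_length": "14",
        "remote_root_login": "disabled",
        "audit_logging": "enabled",
    })
    db.establish_baseline("SWCI-2 (web server)", {
        "tls_min_version": "1.2",
        "directory_listing": "off",
    })
    return db


# Constructed scan of the asset's OS: one setting drifted, one is missing.
OBSERVED_OS: Config = {
    "password_min_length": "8",
    "remote_root_login": "disabled",
}


def run_demo() -> dict:
    """Detect deviations, then show the baseline moves only via an
    approved CCR. Returns the outcomes so they can be checked."""
    db = build_demo_cmdb()
    results = {"deviations": db.deviations("SWCI-1 (OS)", OBSERVED_OS)}
    db.request_change("CCR-1", "SWCI-1 (OS)", {"password_min_length": "16"})
    try:
        db.check_in_baseline("CCR-1")           # CCB has not decided yet
        results["premature_check_in"] = "allowed"
    except ChangeControlError as exc:
        results["premature_check_in"] = str(exc)
    db.ccb_decision("CCR-1", approved=True)
    results["baseline_after"] = db.check_in_baseline("CCR-1")
    results["ccr_status"] = db.ccrs["CCR-1"][0]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```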
Configuration Management

Configuration Management and Information Security

     Figure (reconstructed from the slide diagram): security posture
     data flows upward through three levels of context.
       – Administrative Context and Perspectives: organizational IT
         assets produce security posture assessment results data from
         individual computing assets.
       – Organizational-Level Context and Perspectives: the
         Organization's Enterprise Sec. Mgmt & Oversight turns that
         data into sub-agency security posture reporting data.
       – Agency-Level Context and Perspectives: Agency A, Agency B, …
         Agency Z Enterprise Sec. Mgmt & Oversight receive the reports.

     • The effort started with Federal Desktop Core Configuration
       (FDCC, OMB M-07-18)
     • Provided implementation guidance on FDCC (OMB M-08-22)
     • Attempted using FISMA to drive change (OMB M-09-29, M-10-15
       to CyberScope, then M-11-33)
                                                                                                                                                                         Page 99
Personnel Security

Personnel Security Principles
  • Hiring…
        –   Personnel security interviews.
        –   Background investigation.
        –   Adjudication.
        –   Non-disclosure agreement.
  • Operating…
        – Separation of duties.
        – Rotation of jobs.
        – Security awareness briefing.
  • Exiting…
        – Debriefing / exit interview.
        – Inventory & close accounts.
        – Escort.

  Soap box:
  •    Personnel security is critical to information security.
  •    DIA reported 80% of security incidents originate from
       internal threat agents.
         – Navy, the Walkers.
         – FBI, Hanssen.
  •    Security Awareness
         – Protect against social engineering, dumpster diving,
           transmission of viruses.
         – Kevin Mitnick
         References:
         • E.O. 13467, Reforming Process to Suitability for Government Employment, Fitness for Contractor Employees,
           and Eligibility for Access to Classified National Security Information, June 30, 2008.
         • DCID 6/4, Personnel Security Standards and Procedure Governing Eligibility for Access to Sensitive
           Compartmented Information
         • DoD 5200.2-R, Personnel Security Program                                                                  - 101 -
Personnel Security

Insider Threats… (1/2)
      • Employees, former employees, and business
        partners may be the biggest information security
        threat to an enterprise...
                            Source of Incidents*                          2007       2008
                            Unknown                                       N/A        42%
                            Employees                                     48%        34%
                            Hackers                                       41%        28%
                            Former employees                              21%        16%
                            Business partners                             19%        15%
                            Customer                                       9%         8%
                            Other                                         20%         8%
                            Terrorist/ foreign government                  6%         4%




         References:
         * The Global State of Information Security 2008, CSO Online (http://www.csoonline.com/article/print/454939)

                                                                                                                       - 102 -
Personnel Security

Insider Threats… (2/2)
      • Software Engineering Institute (SEI) CERT Program’s
        insider threat studies also found that…
             – 68% of the insider attacks occurred at the workplace
             – 73% of crimes were committed during working hours
             – Over three-quarters of the insiders had authorized access to
               information assets
             – None of the insiders had privileged access (i.e.
               system/database administrator)
             – 20% involved theft of physical property (e.g., documents,
               laptops, PCs, etc.)




            References: Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model, CERT
            Program, Software Engineering Institute and CyLab at Carnegie Mellon University, June 2009.

                                                                                                                   - 103 -
Security Education, Training and Awareness (SETA)
• Awareness
   – Orientation briefs and materials to
     inform and remind employees of
     their security responsibilities and
     management’s expectations.
• Training
   – Course and materials to provide
     employees the necessary skills to
     perform their job functions.
• Education
   – Course and materials to provide
     employees the necessary decision-
     making and management skills to
     improve their promotional ability and
     mobility.
          Reference: NIST SP800-50, Building an IT Security Awareness and Training Program.
                                                                                              - 105 -
Security Education, Training, and Awareness

National Initiative for Cybersecurity Education (NICE) (1/2)
       • NICE is part of the Comprehensive National
         Cybersecurity Initiative (CNCI), in which government
         and industry collaborated to create a training &
         educational framework for the cybersecurity workforce.




                                              Reference: http://csrc.nist.gov/nice/ - 106 -
Security Education, Training, and Awareness

National Initiative for Cybersecurity Education (NICE) (2/2)




                                              Reference: http://csrc.nist.gov/nice/ - 107 -
Project Management

Terms & Definitions... 1/3
      • Project: A planned undertaking to accomplish a
        specific business goal/objectives.
      • Program: A collection of integrated, networked
        projects to accomplish a set of business/mission
        goals/objectives.
      • Integrated Master Plan (IMP): An “event-based” plan
        consisting of hierarchical program events (/tasks)
        supported by specific accomplishments.
      • Integrated Master Schedule (IMS): An integrated,
        networked schedule that contains the detailed
        discrete tasks or activities (defined in IMP).



                                                              109
Project Management

Terms & Definitions... 2/3
      • Task (/ Activity): An element of work performed
        during the course of a project.
      • Resources: Budget, people, time, material and tools,
        etc.




                                                               110
Project Management
Terms & Definitions... 3/3
    Types of Projects:
    • Level-of-Effort (LOE): General / supportive
      activities typically measured through time
      (e.g. PM, CM, Operations, etc.)
      Figure (reconstructed from the slide diagram): activity vs.
      time, a flat 4 x FTE level for the whole period.

    • Discrete Effort (a.k.a. Activities-based
      Costing (ABC)): Purposeful activities
      related to completion of a specific
      product or service that can be
      measured in Cost/Schedule
      (e.g. development of a functional
      module, software code, etc.)
      Figure (reconstructed from the slide diagram): activity vs.
      time, with staffing at 5 x FTE, 3 x FTE and 1 x FTE in
      different periods of the work.

                                                                                  111
Project Management

Project Management Methodologies & Framework
      • Project Management Methodologies
           – Critical Path Method (CPM).
           – Program Evaluation & Review Technique (PERT).
           – Earned-Value Management System (EVMS) / Earned-Value
             Technique (EVT).


      • Project Management Framework
           – Project Management Institute’s (PMI) Project Management
             Body of Knowledge (ANSI/PMI 99-001-2004).




                                                                       112
Project Management

“Scientific” Project Management Methodologies
      • The concept of “Scientific Management” was started by
        Frederick Winslow Taylor in 1911.

      • Critical Path Method (CPM):
           – Started by DuPont Corporation as a scientific management
             method standard for managing projects/product production.


      • Program Evaluation & Review Technique (PERT):
           – Started by USN in 1958, as a scientific management method
             for the Polaris Missile Program.
           – In 1958, USA also used PERT for their Minuteman Missile
             Program.

                     Reference:
                     • The Principle of Scientific Management, by Frederick Winslow Taylor, 1911.
                     • http://en.wikipedia.org/wiki/Critical_path_method
                     • http://en.wikipedia.org/wiki/PERT                                            113
Project Management

“Scientific” Project Management Methodologies
      • Earned-Value Management System (EVMS):
           – A systematic integration and measurement of cost,
             schedule, and accomplishments of an investment that
             enables organizations to evaluate project performance
             during execution.
           – Incorporates CPM, PERT and EVT.
      The use of EVMS is required by the Clinger-Cohen Act
        of 1996.
           Section 5113 Performance-based and Result-based Management.
           (a) IN GENERAL – The Director shall encourage the use of
           performance-based and results-based management in fulfilling the
           responsibilities assigned under section 3504(h), of title 44, United
           States Code.
           (b)(1) REQUIREMENT – The Director shall evaluate the information
           resources to the performance and results of the investment made by
           the executive agencies in information technology.

                                                                                  114
Project Management

Critical Path Method (CPM)
      • Critical Path Method (CPM) provides insight into the
        sequence of project tasks/activities.

              Statement of Work (SOW)
           + Work Breakdown Structure (WBS)
           + Critical Path Method (CPM)

           = Integrated Master Plan (IMP)

      • However, CPM does not show you: Time, Entry/Exit
        Criteria and Resources required.



                                                              115
Project Management

Program Evaluation & Review Technique (PERT)
      • PERT is CPM with a “time vector.”
      • The time vector contains: Start time and Finish time.
           – Earliest Start time (ES), Latest Start time (LS).
           – Earliest Finish time (EF), Latest Finish time (LF).

      Figure (reconstructed from the slide diagram): a PERT network of
      milestones 1.0 through 1.5 linked by tasks A (t = 3 wk),
      B (t = 4 wk), C (t = 7 wk), D (t = 8 wk), E (t = 2 wk),
      F (t = 3 wk), G (t = 5 wk) and H (t = 5 wk). A and B run in
      series from 1.0 through 1.1 to 1.2; from 1.2 the network
      branches (C to 1.3, D to 1.4) and rejoins at 1.5.

                                                                                                            116
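An added worked example (not from the slides) of the PERT time vector: a forward pass gives ES/EF per task, a backward pass gives LS/LF, and tasks with zero slack form the critical path. It generalizes to any acyclic activity-on-arrow network. The task durations and milestones are those of the slide; which milestone each task connects is not fully recoverable from the diagram, so the edge list is an assumption.

```python
"""PERT/CPM time vector on an activity-on-arrow network: forward pass for
Earliest Start/Finish (ES/EF), backward pass for Latest Start/Finish
(LS/LF), slack per task, and the critical path.

Task durations (A 3 wk ... H 5 wk) and milestones 1.0-1.5 follow the slide;
the slide's exact arrow layout is not fully recoverable, so the edge list
below (which milestones each task connects) is an assumption.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# task -> (start milestone, end milestone, duration in weeks)  [assumed edges]
NETWORK: Dict[str, Tuple[str, str, int]] = {
    "A": ("1.0", "1.1", 3),
    "B": ("1.1", "1.2", 4),
    "C": ("1.2", "1.3", 7),
    "D": ("1.2", "1.4", 8),
    "E": ("1.3", "1.4", 2),
    "F": ("1.2", "1.5", 3),
    "G": ("1.3", "1.5", 5),
    "H": ("1.4", "1.5", 5),
}


def milestone_order(net: Dict[str, Tuple[str, str, int]]) -> List[str]:
    """Topological order of milestones (Kahn's algorithm); rejects cycles,
    which a PERT network must not contain."""
    succ, indeg, nodes = defaultdict(list), defaultdict(int), set()
    for src, dst, _ in net.values():
        succ[src].append(dst)
        indeg[dst] += 1
        nodes.update((src, dst))
    queue = deque(sorted(n for n in nodes if indeg[n] == 0))
    order: List[str] = []
    while queue:
        node = queue.popleft()
        order.append(node)
        for nxt in succ[node]:
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                queue.append(nxt)
    if len(order) != len(nodes):
        raise ValueError("network contains a cycle")
    return order


def pert(net: Dict[str, Tuple[str, str, int]]):
    """Return (project duration, per-task time vector, critical tasks)."""
    order = milestone_order(net)
    incoming, outgoing = defaultdict(list), defaultdict(list)
    for task, (src, dst, _) in net.items():
        incoming[dst].append(task)
        outgoing[src].append(task)

    # Forward pass: earliest time each milestone can be reached.
    early: Dict[str, int] = {}
    for node in order:
        early[node] = max((early[net[t][0]] + net[t][2] for t in incoming[node]),
                          default=0)
    duration = max(early.values())

    # Backward pass: latest time each milestone may be reached without
    # delaying the project finish.
    late: Dict[str, int] = {}
    for node in reversed(order):
        late[node] = min((late[net[t][1]] - net[t][2] for t in outgoing[node]),
                         default=duration)

    vectors = {}
    for task, (src, dst, dur) in net.items():
        es, lf = early[src], late[dst]
        vectors[task] = {"ES": es, "EF": es + dur, "LS": lf - dur, "LF": lf,
                         "slack": (lf - dur) - es}
    # Zero-slack tasks form the critical path (a single chain here; a
    # general network can contain more than one zero-slack chain).
    critical = [t for t in net if vectors[t]["slack"] == 0]
    return duration, vectors, critical


if __name__ == "__main__":
    total, vec, crit = pert(NETWORK)
    print(f"project duration: {total} wk; critical path: {'-'.join(crit)}")
    for task, v in vec.items():
        print(task, v)
```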
Management Methodologies

Program Evaluation & Review Technique (PERT)
      • PERT provides insight into the sequence of tasks/
        activities in terms of schedule.

        Work Breakdown Structure (WBS)
      + Program Evaluation & Review Technique (PERT)

      = Integrated Master Schedule (IMS)

      • However, PERT does not show you: Entry/exit
        criteria and resources required.



                                                           117
Management Methodologies

Program Evaluation & Review Technique (PERT)
      • This is an actual example!




      • What is wrong with this project?
      • This PM has never built a system architecture.



                                                          118
Some serious facts about the current state of federal IT
projects
   • Government Accountability Office (GAO) reported:
      – “… for fiscal year 2006, nearly 25% of the funds (IT budget)
        requested, totaling about $15 billion, were considered by
        OMB to be at risk.”
      – “In the case of risk assessment, supporting documentation
        for about 75% of the investments did not address OMB’s
        required risk categories.”
   • Government Computer News (GCN) reported a
     survey from 104 Federal IT executives:
      – Reasons for program over-run are…
             • 65+%: Poor program management.
             • 54%: Scope creep.
      – The key to reducing the number of failed agency IT projects is…
             • Training.

       Resource:
       • GAO-06-250 Information Technology: Agencies Need to Improve the Accuracy and Reliability of Investment Information.
       • http://www.gcn.com/online/vol1_no1/42733-1.html                                                                       119
Project Management

Earned-Value Management System (EVMS)
      • DoD EVMS is based on ANSI/EIA-748-A-1998,
        Earned Value Management Systems Standard.

      • Implementation of EVMS (i.e. DoD EVMIG) consists
        of 32 Guidelines in 5 Categories:
           –   Organization.
           –   Planning, Scheduling & Budgeting.
           –   Accounting Considerations.
           –   Analysis and Management Reports.
           –   Revisions and Data Maintenance.




           Reference:
           • http://www.acq.osd.mil/pm/historical/ansi/ansi_announce.html
           • http://www.ndia.org/Content/ContentGroups/Divisions1/Procurement/NDIA_PMSC_EVMS_IntentGuide_Jan2006U1.pdf
                                                                                                               120
Project Management

Earned-Value Management System (EVMS)
      • Key attributes in EVMS:
           – Statement of Work (SOW).
           – Work Breakdown Structure (WBS).
           – Entry Criteria (i.e. task dependencies, work authorization,
             etc.)
           – Exit Criteria (i.e. deliverables, PMR, closure, etc.)
           – Resources: Time, costs & budget.




                                                                           121
Project Management

Earned-Value Management System (EVMS)
      • Project performance value is “earned” through:
           – Work performed.
           – Product delivery (i.e. milestones).


      • Project performance can be analyzed and projected
        using Earned-Value Technique (EVT) (a.k.a.
        Performance Measurement Analysis).




                                                            122
Project Management

EVMS – Earned-Value Technique (EVT)
      • Earned Value (EV): Actual work performed.
      • Planned Value (PV): Budgeted cost for work
        scheduled at a given time.
      • Actual Cost (AC): Costs incurred in actual work
        performed.
      • BCWP: Budgeted cost for work performed.
      • BCWS: Budgeted cost for work scheduled.
      • ACWP: Actual cost for work performed.




                     Reference: PMI Project Management Body of Knowledge (ANSI/PMI 99-001-2004)   123
Project Management

EVMS – Earned-Value Technique (EVT)
      • Cost Variance: CV = BCWP – ACWP

      • Schedule Variance: SV = BCWP – BCWS

      • Cost Performance Index: CPI = BCWP ÷ ACWP

      • Schedule Performance Index: SPI = BCWP ÷ BCWS




                     Reference: PMI Project Management Body of Knowledge (ANSI/PMI 99-001-2004)
                                                                                                  124
Project Management

EVMS – Earned-Value Technique (EVT)

      Calculating the Cost Variance…
        BCWP ($400k)
      – ACWP ($450k)
      = CV (-$50k)

      [Chart: $$ vs. Time. The Actual Costs curve reaches ACWP = $450k at t0 while BCWP = $400k;
       the gap between the two is CV; Budget at Completion (BAC) is marked at the right.
       BCWP = $400k, ACWP = $450k, CV = - $50k, CPI = .89]



                                                                                             125
Project Management

EVMS – Earned-Value Technique (EVT)

      Calculating the Cost Performance Index (CPI)…
        BCWP ($400k)
      ÷ ACWP ($450k)
      = CPI (.89)

      [Chart: the same $$ vs. Time plot as the previous slide: Actual Costs reaching ACWP = $450k at t0,
       BCWP = $400k, the gap marked CV, Budget at Completion (BAC) at the right.
       BCWP = $400k, ACWP = $450k, CV = - $50k, CPI = .89]

      Question:
      If CPI < 1 then how is this project doing?

      Answer:
      Project is not as productive as planned.

                                                                                               126
Project Management

EVMS – Earned-Value Technique (EVT)

      Calculating the Schedule Variance…
        BCWP ($400k)
      – BCWS ($500k)
      = SV (- $100k)

      [Chart: $$ vs. Time. BCWS = $500k sits above BCWP = $400k at t0; the gap between them is SV;
       Budget at Completion (BAC) is marked at the right.
       BCWP = $400k, BCWS = $500k, SV = - $100k, SPI = .80]



                                                                                  127
Project Management

EVMS – Earned-Value Technique (EVT)

      Calculating the Schedule Performance Index (SPI)…
        BCWP ($400k)
      ÷ BCWS ($500k)
      = SPI (.80)

      [Chart: the same $$ vs. Time plot as the previous slide: BCWS = $500k above BCWP = $400k at t0,
       the gap marked SV, Budget at Completion (BAC) at the right.
       BCWP = $400k, BCWS = $500k, SV = - $100k, SPI = .80]

      Question:
      If SPI < 1 then how is this project doing?

      Answer:
      It is behind schedule.

                                                                                  128
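The four EVT formulas (CV, SV, CPI, SPI) and the interpretation the slides give them, carried through in code as an added example; this is not code from the slides. The input figures (BCWP = $400k, ACWP = $450k, BCWS = $500k) are the ones used in the worked slides above. The Budget at Completion of $1,000k is a constructed value, and the estimate at completion (EAC = BAC ÷ CPI) is the PMBOK cost-trend projection, which goes one step beyond what the slides state.

```python
"""Earned-Value Technique (EVT) metrics: CV, SV, CPI, SPI, plus EAC.

Added example, not code from the original slides. BCWP/ACWP/BCWS values
are the slides' figures; BAC is a CONSTRUCTED value; EAC = BAC / CPI is
the PMBOK formula, not stated on the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EarnedValue:
    """Snapshot of a project's earned-value figures at one point in time (t0)."""
    bcwp: float  # Budgeted Cost of Work Performed (Earned Value, EV)
    bcws: float  # Budgeted Cost of Work Scheduled (Planned Value, PV)
    acwp: float  # Actual Cost of Work Performed (Actual Cost, AC)

    def cost_variance(self) -> float:
        """CV = BCWP - ACWP; negative means the work cost more than budgeted."""
        return self.bcwp - self.acwp

    def schedule_variance(self) -> float:
        """SV = BCWP - BCWS; negative means less work done than was scheduled."""
        return self.bcwp - self.bcws

    def cpi(self) -> float:
        """CPI = BCWP / ACWP; < 1 means each dollar spent earned less than a dollar of budget."""
        if self.acwp == 0:
            raise ValueError("ACWP is zero: no actual cost incurred yet, CPI is undefined")
        return self.bcwp / self.acwp

    def spi(self) -> float:
        """SPI = BCWP / BCWS; < 1 means the project earned less than it was scheduled to."""
        if self.bcws == 0:
            raise ValueError("BCWS is zero: nothing scheduled yet, SPI is undefined")
        return self.bcwp / self.bcws


def cost_status(cpi: float) -> str:
    """Interpret CPI the way the slides do: CPI < 1 => not as productive as planned."""
    if cpi < 1:
        return "over budget (not as productive as planned)"
    if cpi > 1:
        return "under budget"
    return "on budget"


def schedule_status(spi: float) -> str:
    """Interpret SPI the way the slides do: SPI < 1 => behind schedule."""
    if spi < 1:
        return "behind schedule"
    if spi > 1:
        return "ahead of schedule"
    return "on schedule"


def assess(ev: EarnedValue, bac: float) -> dict:
    """Full EVT report; EAC = BAC / CPI projects the final cost if the cost trend holds."""
    cpi, spi = ev.cpi(), ev.spi()
    return {
        "CV": ev.cost_variance(),
        "SV": ev.schedule_variance(),
        "CPI": round(cpi, 2),
        "SPI": round(spi, 2),
        "cost_status": cost_status(cpi),
        "schedule_status": schedule_status(spi),
        "EAC": bac / cpi,
    }


if __name__ == "__main__":
    snapshot = EarnedValue(bcwp=400_000, bcws=500_000, acwp=450_000)
    report = assess(snapshot, bac=1_000_000)  # BAC is a constructed value
    for key, value in report.items():
        print(f"{key:16} {value}")
```

For the slides' figures the report gives CV = -$50k, SV = -$100k, CPI = .89 and SPI = .80, i.e. over budget and behind schedule; with the constructed $1,000k BAC the cost trend projects a $1,125k final cost, which is the number a PM would take into the project-recovery discussion that follows.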
Project Management

Project Recovery

      So, the project is not doing well… What do you do?

      [Chart: $$ vs. Time as on the CPI slide, with a “Project Recovery” arrow pointing from the
       ACWP/BCWP gap at t0 toward Budget at Completion (BAC).
       BCWP = $400k, ACWP = $450k, CV = - $50k, CPI = .89]



                                                                                       129
Project Management

Project Recovery
      • Use CPM to find task dependencies.
      • Use PERT to locate effect(s) on schedule.
      • Use Cause-Effect (Fishbone) to locate problem.
      • Re-negotiate project goals or
        milestone (via change-order).
      • Increase resources, but watch for:
           – Impact of resource re-allocation
             to other dependent tasks.
           – The “Mythical Man-Month” problem.
      • De-scope tasks, but watch for:
           – Effects on quality & program dependencies.

      [Figure: Cause-Effect (Fishbone) diagram: four “Major cause category” bones, each with
       “Cause” branches and “Secondary cause” sub-branches, converging on “Problem/Effect”.]


                                                                                                                                 130
Validation Time… 




   1. Classroom Exercise

   2. Review Answers




                           - 131 -
Exercise #1: Build Security In
   • A civilian agency is planning an acquisition of an
     information system…
      – Please identify key security engineering tasks required.




                                                                   - 132 -
Exercise #2: Risk Management Process
   • A civilian agency is planning an acquisition of an
     information system that will assess the security
     configuration settings of IT assets in a Secret-System
     High operating enclave.
      – Please identify the attributes required to enable you to
        determine the information protection needs.


   • Google is planning to offer its Google Apps service to
     a biotech research company.
      – What is the annual loss expectancy from a service outage?
          • Estimated asset value: $14.6B (total revenues in 2009)
          • Exposure factor: 0.01%
          • Google’s annual rate of service outage occurrence: 1.2%



                                                                      - 133 -

1 Info Sec+Risk Mgmt

  • 1.
    CISSP® Common Bodyof Knowledge Review Information Security & Risk Management Domain Version: 5.9 CISSP Common Body of Knowledge Review by Alfred Ouyang is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
  • 2.
    Learning Objectives Information Security& Risk Management Domain ...1/3 The Information Security Governance and Risk Management domain entails the identification of an organization’s information assets and the development, documentation, implementation, and updating of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify threats, classify assets, and to rate their vulnerabilities so that effective security measures and controls can be implemented. Reference: CISSP CIB, January 2012 (Rev. 2) -2-
  • 3.
    Learning Objectives Information Security& Risk Management Domain ...2/3 The candidate is expected to understand the planning, organization, roles, and responsibilities of individuals in identifying and securing organization’s information assets; the development and use of policies stating management’s views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary, and private information; third party management and service level agreements related to information security; employment agreements, employee hiring and termination practices, and risk management practices, and tools to identify, rate, and reduce the risk to specific resources. Reference: CISSP CIB, January 2012 (Rev. 2) -3-
  • 4.
    Learning Objectives Information Security& Risk Management Domain ...3/3 New knowledge requirement for 2012: • Project management knowledge in budget, metrics, and resources. • Privacy requirements compliance. (Will this topic in the Legal, Regulations, Investigations and Compliance domain.) Reference: CISSP CIB, January 2012 (Rev. 2) -4-
  • 5.
    Topics Information Security &Risk Management Domain • Information Security Concepts • Information Security Management • Information Security Governance • Information Classification • System Life Cycle (SLC) and System Development Life Cycle (SDLC) • Risk Management • Certification & Accreditation • Security Assessment • Configuration Management • Personnel Security • Security Education, Training, and Awareness • Project Management -5-
  • 6.
    Information Security Concepts SecurityObjectives • Confidentiality – “Preserving authorized restriction on information access and disclosure, including means for protecting personal privacy and proprietary information.” (44 USC Sec. 3542) • Integrity – “Guarding against improper information modification or destruction, and includes ensuring information non- repudiation and authenticity.” (44 USC Sec. 3542) • Availability – “Ensuring timely and reliable access and use of information.” (44 USC Sec. 3542) -6-
  • 7.
    Information Security Concepts Law, Regulations, and Policies: Security Implementation Principles FISMA, SOX, GBL, National Security Act, USA PATRIOT ACT, etc. OMB A-130, A-11, etc. • Confidentiality, Integrity, Availability E.O. 13292, 12968, etc. DoD 5200.1-R, etc. • Need-to-know Security Objectives: – Users should only have access to Confidentiality Integrity information (or systems) that enable Availability them to perform their assigned job functions. Standards and Best Practices NIST FIPS, SP 800-x, etc. • Least privilege COBIT, ITIL, Common Criteria ISO/IEC 27001, 21827, etc. – Users should only have sufficient DoDI 8500.2, 8510.01 access privilege that allow them to Security Implementation perform their assigned work. Principles: Confidentiality, Integrity, • Separation of duties Availability Need-to-Know – No person should be responsible for Least Privilege Separation of Duties completing a task involving sensitive, valuable or critical information from the Benchmarks and Guidelines: beginning to end. NIST National Checklist, DISA STIGs, CIS Benchmarks, etc. – No single person should be responsible for approving his/her own work. -7-
  • 8.
    Information Security Concepts SecurityBest Practices • Confidentiality • Integrity • Availability • Need-to-know • Least privilege • Separation of duties • Job rotation – To reduce risk of collusion – To ensure no single point of failure • Mandatory vacation – To allow auditors to review records -8-
  • 9.
    Information Security Concepts Dimensionsof Information Security Practice • Governance & Management – Policies, standards, procedures, and guidelines • Breadth of Disciplines – Families of security controls, security technologies, best- Breadth of discipline practices, etc. (e.g., CISSP, CISM, Depth of Knowledge CISA) • Depth of Knowledge – Systems/ software/ network engineering, cryptography, IT governance, vulnerability assessment, security certification & accreditation, etc. -9-
  • 10.
    Information Security Concepts Relationshipbetween Threat, Risk, and Countermeasure • Threat Agent. An entity that may act on a vulnerability. Give rise to • Threat. Any potential danger Threat Agent to information life cycle. Exploits • Vulnerability. A weakness or Threat flaw that may provide an Leads to opportunity to a threat agent. Vulnerability • Risk. The likelihood of a Indirectly affects threat agent exploits a Risk discovered vulnerability. Reduces/ Eliminates • Exposure. An instance of Asset Can damage being compromised by a threat agent. Exposure • Countermeasure / safeguard. And causes an An administrative, Counter measure operational, or logical Can be countered by a mitigation against potential risk(s). - 10 -
  • 11.
    Information Security Concepts SecurityControls “Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.” – What security controls are needed to adequately protect the information system that support the operations and assets of an organization? – Have the selected controls been implemented? – What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented are effective in their application? Reference: NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems. - 11 -
  • 12.
    Information Security Concepts Categoriesof Security Controls …(1/4) • Management (Administrative) Controls. – Policies, Standards, Processes, Procedures, & Guidelines • Administrative Entities: Executive-Level, Mid.-Level Management • Operational (and Physical) Controls. – Operational Security (Execution of Policies, Standards & Process, Education & Awareness) • Service Providers: IA, Program Security, Personnel Security, Document Controls (or CM), HR, Finance, etc – Physical Security (Facility or Infrastructure Protection) • Locks, Doors, Walls, Fence, Curtain, etc. • Service Providers: FSO, Guards, Dogs • Technical (Logical) Controls. – Access Controls, Identification & Authorization, Confidentiality, Integrity, Availability, Non-Repudiation. • Service Providers: Enterprise Architect, Security Engineer, CERT, NOSC, Helpdesk. - 12 -
  • 13.
    Information Security Concepts Categoriesof Security Controls …(2/4) CLASS FAMILY IDENTIFIER Reference: NIST SP800-53, Rev 3, Recommended Security Controls for Risk Assessment RA Planning PL Management System and Services Acquisition SA Security Assessment and Authorization CA Program Management PM Personnel Security PS Physical and Environmental Protection PE Contingency Planning CP Configuration Management CM Operational Maintenance MA Federal Information Systems System and Information Integrity SI Media Protection MP Incident Response IR Awareness and Training AT Identification and Authentication IA Access Control AC Technical Audit and Accountability AU System and Communications Protection SC - 13 -
  • 14.
    Information Security Concepts Categoriesof Security Controls …(3/4) • Committee for National Security System (CNSS) Instruction No. 1253 – Harmonize definition of security controls by leveraging NIST SP 800-53, Rev. 3. • Facilitate reciprocity of system certifications between National Security Community. – Selection of security controls are based on risks in meeting security objectives, rather than FIPS 199 high-water mark (HWM) approach. • Provides “control profiles” to facilitate selection of security controls. SC (post-RA) NSS = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are low, moderate, or high. - 14 -
  • 15.
    Information Security Concepts Categoriesof Security Controls …(4/4) ISO/IEC 27001:2005, Information Technology – Security Techniques – Security Management System – Requirements CONTROL CATEGORY SUB-CATEGORY OF CONTROLS Security Policy Information security policy Organization of Information Security Internal organization; External parties Asset Management Responsibility for assets; Information classification Human Resource Security Prior to employment; During employment; Termination or change of employment Physical and Environmental Security Secure areas; Equipment security Operational procedures and responsibilities; Third party service delivery management; System planning and Communications and Operations acceptance; Protection against malicious and mobile code; Back-up; Network security management; Media Management handling; Exchange of information; Electronic commerce services; Monitoring Business requirement for access control; User access management; User responsibilities; Network access Access Control control; Operating system access control; Application and information access control; Mobile computing and teleworking Information Systems Acquisition, Security requirements of information systems; Correct processing in applications; Cryptographic controls; Development, and Maintenance Security of system files; Security in development and support processes; Technical vulnerability management Information Security Incident Reporting information security events and weaknesses; Management of information security incidents and Management improvements Business Continuity Management Information security aspects of business continuity management Compliance with legal requirements; Compliance with security policies and standards, and technical Compliance compliance; Information system audit considerations - 15 -
  • 16.
    Information Security Concepts SystemRequirements • Functional requirements – Example: The information system shall support the FISMA reporting, mandated by System Requirements OMB, in the following format: • The number of information systems by FIPS 199 security categories. • The number of systems for which security controls have been tested and evaluated in the past year. Performance Functional Requirements Requirements For defining For establishing • Performance requirements functions or behavior confidence that the specified function – Example: of the IT product or system. will perform as What extent the agency-wide security intended. configuration policy (i.e., NIST Checklist Program [a.k.a. National Checklist Program]) has been implemented. - 16 -
  • 17.
    Information Security Concepts InformationSecurity Requirements • Assurance requirements Example: SC-3: Security Function Isolation. The Information Security Requirements information system isolates security functions from non-security functions. • Functional requirements Assurance Example: Functional Requirements Requirements • VLAN technology shall be created For establishing For defining security confidence that the to partition the network into multiple behavior of the IT product or system. security function will mission-specific security domains. perform as intended. • The integrity of the internetworking architecture shall be preserved by the access control list (ACL). - 17 -
  • 18.
    Information Security Concepts Typesof Security Controls • Directive Controls. Often called administrative controls, these are intended to advise employees of the behavior expected of them during their interfaces with or use the organization’s information systems. • Preventive Controls. Included in preventive controls are physical, administrative, and technical measures intended to preclude actions violating policy or increasing risk to system resources. • Detective Controls. Detective controls involve the use of practices, processes, and tools that identify and possibly react to security violations. • Corrective Controls. Corrective controls also involve physical, administrative, and technical measures designed to react to detection of an incident in order to reduce or eliminate the opportunity for the unwanted event to recur. • Recovery Controls. Once an incident occurs that results in the compromise of integrity or availability, the implementation of recovery controls is necessary to restore the system or operation to a normal operating state. Reference: CISM Review Manual – 2007, ISACA. - 18 -
  • 19.
    Information Security Concepts DueCare vs. Due Diligence • Due Care – Policies and implemented actions that an organization has taken to minimize risk to its tangible and intangible assets (i.e. information assets, customers, employees, resources and reputation.) • Due Diligence – Continual actions that an organization are doing to protect and minimize risk to its tangible and intangible assets. - 19 -
  • 20.
    Information Security Concepts InformationSecurity Models – Defense-in-Depth Successful Organization Functions Information Assurance “Defense-In-Depth” Strategy People People Executing Operations Operations Technology Supported by Technology Information Assurance Technical Framework (IATF) Overlapping Approaches & Layers of Protection Defending the Defending the Defending the Supporting Network & Enclave Computing the Infrastructure Boundary Environment Infrastructure References • NSA IA Solution Directions, Information Assurance Technical Framework, Release 3.1 • ISO/IEC 27002:2005, Code of Practice for Information Security Management - 20 -
  • 21.
    Questions: • What are the three security objectives? – – – • What are the six security implementation principles? – – – – – – - 21 -
  • 22.
    Answers: • What are the three security objectives? – Confidentiality – Integrity – Availability • What are the six security implementation principles? – Confidentiality – Integrity – Availability – Need to know – Least privilege – Separation of duties - 22 -
  • 23.
    Questions: • What are the eight security “best practices”? – – – – – – – – • What are the three categories of security controls? – – – - 23 -
  • 24.
    Answers: • What are the eight security “best practices”? – Confidentiality – Integrity – Availability – Need to know – Least privilege – Separation of duties – Job rotation – Mandatory vacation • What are the three categories of security controls? – Management (Administrative) – Operational (and Physical) – Technical (Logical) - 24 -
  • 25.
    Learning Objectives Information SecurityManagement Domain • Information Security Concepts • Information Security Management • Information Security Governance • Information Classification • System Life Cycle (SLC) and System Development Life Cycle (SDLC) • Risk Management • Certification & Accreditation • Security Assessment • Configuration Management • Personnel Security • Security Education, Training, and Awareness • Project Management - 25 -
  • 26.
    Information Security Management InformationSecurity Management Planning • Information Security Governance • Information Classification • Systems and Services Acquisition & Development • Risk Management • Certification & Accreditation • Security Assessment Typical Outputs: – Policies, Standards, and Procedures – System Security Plan (SSP) or System Security Authorization Agreement (SSAA) – ST&E Report, Risk Statement, and POA&M for Risk Mitigation - 26 -
  • 27.
    Information Security Management “AllSecurity Involves Trade-offs” • Step 1: What assets are you trying to protect? • Step 2: What are the risks to these assets? • Step 3: How well does the security solution mitigate those risks? • Step 4: What other risks does the security solution cause? • Step 5: What cost and trade-offs does the security solution impose? • And looking out for the “black swan”... Reference: • Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Springer, 2003. • Nassim Nicholas Taleb, The Black Swan: The Impact of the Highly Improbable, Random House, 2007. - 27 -
  • 28.
    Information Security Management DoDInformation Assurance Program – Competencies DoD takes risk management approach to define core competencies of any DoD IA Programs… • The ability to assess security needs and capabilities (Risk Management – Assess, Mitigate & Evaluate) • The ability to develop a purposeful security design or configuration that adheres to a common architecture and maximizes the use of common services (ISSE, IATF) • The ability to implement required controls and safeguards (ISSE Process) • The ability to test and verify (ST&E, CT&E) • The ability to manage changes to an established baseline in a secure manner (CM, Continuous Monitoring) Reference: DoDI 8500.2, Information Assurance (IA) Implementation - 28 -
  • 29.
    Information Security Management RiskManagement Framework – Management Process Objectives: – To ensure that managing information system- related security risks is consistent with the Step 1 Step 2 organization’s mission/business objectives and CATEGORIZE Information System SELECT Security Controls overall risk strategy established by the senior leadership through the risk executive (function); – To ensure that information security requirements, including necessary security controls, are integrated into the organization’s enterprise Step 6 Step 3 MONITOR IMPLEMENT architecture and system development life cycle Security Controls Security Controls processes; – To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security Step 5 Step 4 and risk management-related information, and AUTHORIZE ASSESS Information System Security Controls reciprocity; and – To achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies. Reference: NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems – A Security Life Cycle Approach, Joint Task Force Transformation Initiative, February 2010. - 29 -
  • 30.
    Learning Objectives Information SecurityManagement Domain • Information Security Concepts • Information Security Management • Information Security Governance • Information Classification • System Life Cycle (SLC) and System Development Life Cycle (SDLC) • Risk Management • Certification & Accreditation • Security Assessment • Configuration Management • Personnel Security • Security Education, Training, and Awareness • Project Management - 30 -
  • 31.
Information Security Governance
• Policy. Management directives that establish expectations (goals & objectives), and assign roles & responsibilities.
• Standards. Function-specific mandatory activities, actions, and rules.
• Process & Procedure. Step-by-step implementation instructions.
• Guideline. General statement, framework, or recommendations to augment a process or procedure.
[Figure: governance document hierarchy – Law, Regulations (Executive Orders, DoD Directives, Joint Doctrines) → Organizational Policies (DoD Instructions) → Functional Implementation Policies (DoD Agency Policies & MOUs) → Standards (DISA STIGs, DoD Regulations, DoD Manuals, NSA SNAC SCGs), Process (DITSCAP / DIACAP), Procedure (SIPRNet CAP), Guidelines]
- 31 -
Information Security Governance – Policies
Policies:
• Explain laws, regulations, business/mission needs, and management expectations (goals & objectives).
• Identify roles and delineate responsibilities.
Examples:
• Executive Orders, Presidential Directives
  – E.O. 13526, PDD-67, HSPD-7, etc.
• Federal (/Civil)
  – OMB Circulars: A-11, A-130, etc.
• Military
  – DoD Directives, Instructions, Manuals, etc.
• Intelligence
  – Director, Central Intelligence Directives (DCID).
[Figure: governance hierarchy – Law, Regulations → Organizational Policies → Functional Implementation Policies → Standards / Process / Procedure / Guidelines]
- 32 -
Information Security Governance – Policies: Roles & Responsibilities
• In order to have an effective security program, the roles, responsibilities and authority must be clearly communicated and understood by all.
  – Information owner. Executive management is responsible for the protection of information assets (tangible and intangible).
    • C[X]Os
    • Functional managers
    • Solutions providers
    • Configuration Management (CM) / CCB
  – Information custodian. Information security professionals are delegated the responsibility to provide security services that support the execution of business processes within an organization.
    • Security managers / officers
    • Security administrators (network, systems, databases, etc.)
    • Security analysts
    • Network, system, database administrators
    • Application owner (i.e. …)
  – Information user. End users are responsible for safeguarding & handling of information (i.e. marking & labeling, printing, transporting, NDA, etc.).
    • Line managers
    • Analysts
  – Information (systems) auditor. The auditors provide independent assessment of the security of information and/or information systems.
    • Military: White, Blue & Red Teams, IGs
    • Commercial: Auditors, Black-hat Teams
- 33 -
Information Security Governance – Standards
Standards:
• Mandatory activities, actions, and rules for the execution of management (or administrative) policies.
Examples:
• Federal (/Civil)
  – Federal Information Processing Standards (FIPS)
• Military
  – DoD Regulations, DoD Manuals, etc.
• Intelligence
  – Director, Central Intelligence Directives (DCID)
• Commercial (/Industry)
  – ISO/IEC 27001, BS 7799, etc.
[Figure: governance hierarchy – Law, Regulations → Organizational Policies → Functional Implementation Policies → Standards / Process / Procedure / Guidelines]
- 34 -
Information Security Governance – Standards
• DoD 5200.28-STD, Trusted Computer System Evaluation Criteria (TCSEC)
  – Evaluates Confidentiality.
• Information Technology Security Evaluation Criteria (ITSEC)
  – Evaluates Confidentiality, Integrity and Availability.
• Common Criteria (CC)
  – Provided a common structure and language.
  – It’s an international standard (ISO 15408).
[Figure: evaluation criteria timeline – Orange Book (TCSEC) 1985 and Canadian Criteria (CTCPEC) 1993 → Federal Criteria Draft 1993; UK Confidence Levels 1989, German Criteria and French Criteria → ITSEC 1991; all feeding Common Criteria V1.0 1996, V2.0 1998, V2.1 1999 (ISO 15408-1999)]
- 35 -
Information Security Governance – Standards: ISO/IEC 27001:2005
• ISO/IEC 27001 is an Information Security Management System standard.
• Commercially, the systems are certified based on meeting ISO/IEC 27001 (not ISO/IEC 27002!).
• ISO/IEC 27002:2005 is a “Code of practice” for information security management.
- 36 -
Information Security Governance – Process & Procedure
Process & Procedure:
• Step-by-step explanation of how to implement or execute security instructions.
Examples:
• System Development Life Cycle (SDLC) / System & Services Acquisition Process
  – Project Planning and Management Process
  – Change Control Process
  – Risk Management Process
  – Certification & Accreditation Process
• Standard Operations Procedure (SOP)
• Incident Management Process
• Contingency Planning Process
• Security Assessment Process
[Figure: governance hierarchy – Law, Regulations → Organizational Policies → Functional Implementation Policies → Standards / Process / Procedure / Guidelines]
- 37 -
Information Security Governance – Guidelines
Guidelines:
• Frameworks or recommendations that facilitate implementation of policies, standards, processes, and procedures.
Examples:
• Federal (/Civil)
  – NIST Special Publications (NIST SP 800 series).
• Military
  – NSA-IATF, NSA-IAM, NSA-IEM.
  – NSA SNAC SCGs, DISA FSO STIGs.
• Commercial
  – ISO/IEC 17799:2005.
  – CIS Benchmarks.
[Figure: governance hierarchy – Law, Regulations → Organizational Policies → Functional Implementation Policies → Standards / Process / Procedure / Guidelines]
- 38 -
Question:
• What are the four types of documents that provide governance to IT security?
- 39 -
Answer:
• What are the four types of documents that provide governance to IT security?
  – Policy
  – Standard
  – Procedure (or Manual)
  – Guideline
- 40 -
Information Classification
• Identifies and characterizes the critical information assets (i.e. sensitivity).
• Explains the level of safeguard (protection level) or how the information assets should be handled (sensitivity and confidentiality).
Classification levels:
  Commercial                    Military and Civil Gov.
  • Public                      • Unclassified
  • Private / Sensitive         • Sensitive But Unclassified (SBU)
  • Confidential / Proprietary  • Confidential
                                • Secret
                                • Top Secret
- 42 -
Information Classification
• Who can best determine the sensitivity of information?
  – Information owner
• Example: E.O. 13526, Classified National Security Information, Dec. 29, 2009
  – President, VP, agency heads, officials designated by the President, and delegated USG officials.
  – It specifically identifies what information shall be classified:
    a) military plans, weapons systems, or operations;
    b) foreign government information;
    c) intelligence activities (including special activities), intelligence sources or methods, or cryptology;
    d) foreign relations or foreign activities of the United States, including confidential sources;
    e) scientific, technological, or economic matters relating to the national security;
    f) United States Government programs for safeguarding nuclear materials or facilities;
    g) vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to the national security; or
    h) the development, production, or use of weapons of mass destruction.
- 43 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
System Development Life Cycle (SDLC) Models
• Waterfall Development Models
  – Waterfall: DoD-STD-2167A (replaced by MIL-STD-498 on 11/1994).
  – Modified Waterfall: MIL-STD-498 (cancelled on 5/1998).
  – ISO/IEC 12207, Software Life Cycle Processes (IEEE/EIA 12207 US implementation) (based on MIL-STD-499B).
  – ISO/IEC 15288, Systems Engineering – System Life Cycle Processes (IEEE Std 1220-2005, US implementation).
• Iterative Development Models
  – Boehm’s Spiral Model.
  – Rapid Application Development (RAD) & Joint Application Development (JAD).
- 45 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Waterfall Development Models
• Classic Waterfall: DoD-STD-2167A
• Modified Waterfall: MIL-STD-498
[Figure: both models step through Requirements → Design → Implementation → Verification → Maintenance; the modified waterfall allows returning to the previous step]
- 46 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Boehm’s Spiral Model
[Figure: Boehm’s Spiral Model]
- 47 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Rapid Application Development (RAD) Model
• Iterative, but spiral cycles are much smaller.
• Risk-based approach, but focused on a “good enough” outcome.
• SDLC fundamentals still apply…
  – Requirements, configuration, and quality management, design process, coding, test & integration, technical and project reviews, etc.
Reference:
- S. McConnell, Rapid Development: Taming Wild Software Schedules
- http://www.cs.bgsu.edu/maner/domains/RAD.htm
- 48 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
History of Systems/Software Engineering Process Standards
[Figure: timeline of systems/software engineering process standards]
Reference: http://en.wikipedia.org/wiki/Systems_engineering_process
- 49 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Software & System Engineering Management Processes
• There are more and more “software-intensive” systems…
  – Systems are getting more complex. Hardware problems are often addressed through software;
  – Operating environments are stochastic. Software is more flexible than hardware.
• As SDLC models evolve, management processes are evolving too…
  – DoD-STD-2167A: Waterfall SDLC + SE Process
  – MIL-STD-498: Modified Waterfall SDLC + SE Process
  – IEEE 1220: System Engineering Process
  – ISO 12207: Software + System Engineering Mgmt Process
  – ISO 15288: System Engineering Mgmt Process
- 50 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
DoD-STD-2167A – System Engineering Process
[Figure: DoD-STD-2167A process flow – System Requirements Analysis → System Architecture Design → Software Requirements Analysis → Software Architectural Design → Software Detailed Design → Software Coding & Testing → Software Integration → Software Qualification Testing → System Integration → System Qualification Testing → Software Installation, Acceptance and Support, within the Project / Software Process / Software Implementation context]
Reference: DoD-STD-2167A, Defense System Software Development, February 29, 1988
- 51 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
ISO/IEC 15288:2008, System Life Cycle Processes
• ISO/IEC 15288* encompasses:
  – Systems/software engineering processes (Technical Processes)
  – Project management processes (Project Processes)
  – Project support infrastructure (Organizational Project-Enabling Processes)
  – Contract/business management processes (Agreement Processes)
[Figure: ISO/IEC 15288 process groups –
  Agreement Processes: Acquisition Process, Supply Process.
  Organizational Project-Enabling Processes: Life Cycle Model Management, Infrastructure Management, Project Portfolio Management, Human Resource Management, Quality Management.
  Project Processes: Project Planning, Project Assessment and Control, Decision Management, Risk Management, Configuration Management, Information Management.
  Technical Processes: Stakeholder Requirements Definition, Requirements Analysis, Architecture Design, Implementation, Integration, Verification, Transition, Validation, Operation, Maintenance, Disposal.]
* Note: ISO/IEC 15288 is identical to IEEE Std 15288
- 52 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
ISO/IEC 12207:2008, Software Life Cycle Processes
[Figure: ISO/IEC 12207 process groups –
  System Context Processes (same groups as ISO/IEC 15288): Agreement Processes (Acquisition, Supply); Organizational Project-Enabling Processes (Life Cycle Model Management, Infrastructure Management, Project Portfolio Management, Human Resource Management, Quality Management); Project Processes (Project Planning, Project Assessment and Control, Decision Management, Risk Management, Configuration Management, Information Management); Technical Processes (Stakeholder Requirements Definition, Requirements Analysis, Architecture Design, Implementation, Integration, Verification, Transition, Validation, Operation, Maintenance, Disposal).
  Software Specific Processes: SW Implementation Processes (Software Implementation, Software Requirements Analysis, Software Architectural Design, Software Detailed Design, Software Construction, Software Integration, Software Qualification Testing); SW Support Processes (Software Documentation Management, Software Configuration Management, Software Quality Assurance, Software Verification, Software Validation, Software Review, Software Audit, Software Problem Resolution); Software Reuse Processes (Domain Engineering, Reuse Asset Management, Reuse Program Management).]
Reference: IEEE/IEC 12207:2008, Information Technology – Software Life Cycle Processes
* Note: ISO/IEC 12207 is identical to IEEE Std 12207
- 53 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Program Management: Incremental Commitment Model
[Figure: Incremental Commitment Model]
Reference: B. Boehm, J.A. Lane, Using the Incremental Commitment Model to Integrate System Acquisition, Systems Engineering, and Software Engineering, CrossTalk, October 2007.
- 54 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
IEEE Std 1220, System Engineering Process
[Figure: IEEE 1220 System Life Cycle (SLC) – Concept Stage → Development Stage (System Definition → Preliminary Design → Detailed Design → Fabrication, Assembly, Integration & Test (FAIT)) → Production Stage → Support Stage → Disposal Stage]
- 55 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
System Life Cycle (SLC)
1. Initiation Phase (IEEE 1220: Concept Stage)
  – Survey & understand the policies, standards, and guidelines.
  – Identify information assets (tangible & intangible).
  – Define information security categorization & protection level.
  – Conduct business impact analysis (BIA) (a.k.a. risk assessment).
  – Define rules of behavior & security CONOPS.
2. Acquisition / Development Phase (IEEE 1220: Development Stage)
  – Define security requirements and select security controls.
  – Assess system risk.
  – Perform cost/benefit analysis (CBA).
  – Security planning (based on risks & CBA).
  – Practice the Information Systems Security Engineering (ISSE) Process to develop security controls.
  – Develop security test & evaluation (ST&E) plan.
Reference: NIST SP 800-64, Rev. 2, Security Considerations in the Information System Development Life Cycle.
- 56 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
System Life Cycle (SLC)
3. Implementation Phase (IEEE 1220: Production Stage)
  – Implement security controls in accordance with the baseline system design and update the system security plan (SSP).
  – Integrate system.
  – Perform Security Certification & Accreditation of the target system.
4. Operations / Maintenance Phase (IEEE 1220: Support Stage)
  – Review operational readiness.
  – Configuration management & perform change control.
  – Continuous monitoring of security posture.
  – Perform periodic security assessment.
5. Disposition Phase (IEEE 1220: Disposal Stage)
  – Preserve information: archive and store electronic information.
  – Sanitize media: ensure the electronic data stored in the disposed media are deleted, erased, and over-written.
  – Dispose hardware: ensure all electronic data resident in hardware are deleted, erased, and over-written (i.e. EPROM, BIOS, etc.).
Reference: NIST SP 800-64, Rev. 2, Security Considerations in the Information System Development Life Cycle.
- 57 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Information System Security Engineering (ISSE) Process
• Phase 1: Discover Information Protection Needs
  – Ascertain the system purpose.
  – Identify information assets that need protection.
• Phase 2: Define System Security Requirements
  – Define requirements based on the protection needs.
• Phase 3: Design System Security Architecture
  – Design system architecture to meet the security requirements.
• Phase 4: Develop Detailed Security Design
  – Based on the security architecture, design security functions and features for the system.
• Phase 5: Implement System Security
  – Implement the designed security functions and features into the system.
• Phase 6: Assess Security Effectiveness
  – Assess effectiveness of ISSE activities.
[Figure: ISSE cycle – Phase 1 Discover Needs → Phase 2 Define System Requirements → Phase 3 Design System Architecture → Phase 4 Develop Detailed Design → Phase 5 Implement System → Phase 6 Assess Effectiveness, with users/users’ representatives involved throughout]
Reference: Information Assurance Technical Framework (IATF), Release 3.1
- 58 -
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Examples of SDLC and Systems Engineering Activities
[Table: life cycle stages of several frameworks, listed in order from concept to operations]
• IEEE 1220, Application and Management of the Systems Engineering Process: Concept Stage → Development Stage → Production Stage → Operations & Maintenance
• Defense Acquisition Life Cycle (DoD 5000): User needs & Technology Opportunities → Concept Refinement → Technology Development → System Development & Demonstration → Production and Deployment → Operations & Support
• IRS Enterprise Life Cycle (ELC): Vision & Strategy → Project Initiation → Domain Architecture → Preliminary Design → Detailed Design → System Development → System Deployment → Operations & Maintenance
• FBI Information Technology Life Cycle Management Directive (IT LCMD): Concept Exploration → Requirements Development → Acq. Planning → Source Select’n. → Design → Develop & Test → Implementation & Integration → Operations & Maintenance
• Systems Engineering (SE) Tasks: Discover Mission/Business Needs → Define System Requirements → Design System Architecture → Develop Detailed System Design → Implement System Design → Sustainment
• Information Systems Security Engineering (ISSE) Tasks: Discover Information Protection Needs → Define Security Requirements → Design System Security Architecture → Develop Detailed System Security Controls → Implement Security Controls → Continuous Monitoring
We need to do more on understanding the mission/business needs and aligning to EA.
- 59 -
It starts at the beginning of a SDLC…
DoD Acquisition: User Needs & Technology Opportunities; Concept Refinement (IEEE 1220: Concept Stage)
Key System Engineering Tasks – Task 1: Discover Mission/Business Needs
• Understand customer’s mission/business goals (i.e., initial capability, project risk assessment)
• Understand system concept of operations (CONOPS)
• Create high-level entity-data relations model (i.e., system context diagram)
• Define engineering project strategy and integrate into the overall project strategy
• Create system engineering management plan (SEMP)
Key Security Engineering Tasks* – Task 1: Discover Information Protection Needs
• Understand customer’s information protection needs (i.e., infosec. risk assessment)
• Understand operating environment (i.e., sensitivity of information assets, mode of operations)
• Create information management model (IMM)
• Define information protection policy (IPP) and integrate into the project strategy
• Create system security plan (SSP) and integrate into SEMP
Milestone A
Task 6: Assess project performance in meeting mission/business needs
• Key Deliverables
  – Mission Needs Statement / Project Goal(s) and Objectives
  – System Capabilities
  – Preliminary CONOPS
  – Preliminary System Context Descriptions
  – Project Risk Assessment
  – Draft System Engineering Management Plan (SEMP)
[Figure: task cycle – Task 1 Discover Needs → Task 2 Define System Requirements → Task 3 Design System Architecture → Task 4 Develop Detailed Design → Task 5 Implement System → Task 6 Assess Effectiveness, with users/users’ representatives involved throughout]
* Reference: Information Assurance Technical Framework (IATF), Release 3.1
- 60 -
DoD Acquisition: Technology Development; System Development & Demonstration (IEEE 1220: Development Stage)
Key System Engineering Tasks – Task 2: Define System Requirements
• Refine system context (e.g., functional components)
• Define system requirements (e.g., functional, performance, operational, support, etc.)
• Refine CONOPS
• Baseline system requirements
Key Security Engineering Tasks – Task 2: Define Security Requirements
• Select assurance requirements and define security functional requirements
• Refine IMM and SSP
Milestone B
Task 6: Assess project performance in meeting mission/business needs
Key System Engineering Tasks – Task 3: Design System Architecture
• Determine & select architecture framework
• Design system architecture and allocate system requirements to subsystems and components (i.e., RTM)
Key Security Engineering Tasks – Task 3: Design System Security Architecture
• Allocate system security requirements to subsystems and service components (i.e., RTM)
• Analyze gaps (i.e., risk assessment)
Key System Engineering Tasks – Task 4: Develop Detailed System Design (Logical & Physical)
• Refine entity-data relations model (i.e., UML diagrams, data-flow, network, etc.)
• Perform system synthesis analysis to assure system integration (i.e., system design, system architecture, system requirements, and project mission/business needs)
Key Security Engineering Tasks – Task 4: Develop Detailed System Security Design (Logical & Physical)
• Refine IMM, embed security controls into system design products (i.e., UML, data-flow, network, etc.)
Milestone C
Task 6: Assess project performance in meeting mission/business needs
• Key Deliverables
  – System Requirements
  – Functional Definitions (+ allocation of system requirements)
  – System Architecture (Contextual + Logical)
  – Detailed System Design (Logical + Physical)
  – Requirements Traceability Matrix (RTM)
[Figure: task cycle – Task 1 Discover Needs → Task 2 Define System Requirements → Task 3 Design System Architecture → Task 4 Develop Detailed Design → Task 5 Implement System → Task 6 Assess Effectiveness, with users/users’ representatives involved throughout]
- 61 -
DoD Acquisition: Production and Deployment (IEEE 1220: Production Stage)
Key System Engineering Tasks – Task 5: Implement System Design
• Procure system components / construct system
• Code / customize / configure system functional components
• Conduct code inspection / walk-through / unit test
• Perform system integration
• Conduct system test
• Generate system operations procedure (SOP) and users guide / manual
• Conduct system readiness review
• Deploy system
• Conduct system acceptance test
Key Security Engineering Tasks – Task 5: Implement Security Controls
• Conduct security test & evaluation (ST&E)
• Generate SOP (a.k.a. trusted facility manual (TFM)), incident response plan, business continuity plan (BCP)
• Obtain system certification
• Assess security effectiveness
• Obtain approval to operate (ATO)
Task 6: Assess project performance in meeting mission/business needs
• Key Deliverables
  – Implement detailed system design
  – Perform test & evaluations (unit, system, security tests)
  – Test reports
  – Standard Operating Procedure (SOP) + User Manuals
  – Deploy system
  – Conduct acceptance tests
[Figure: task cycle – Task 1 Discover Needs → Task 2 Define System Requirements → Task 3 Design System Architecture → Task 4 Develop Detailed Design → Task 5 Implement System → Task 6 Assess Effectiveness, with users/users’ representatives involved throughout]
- 62 -
Questions:
• What is the importance of information classification?
• When should the sensitivity and the protection level be determined in the system life cycle?
• What is the importance of FIPS 199?
- 63 -
Answers:
• What is the importance of information classification?
  – Explains the sensitivity of the information, and the level of protection required to meet the security objectives.
• When should the sensitivity and the protection level be determined in the system life cycle?
  – At the Initiation Phase. It is a part of the system characterization activity.
• What is the importance of FIPS 199?
  – Explains the sensitivity of the information in terms of impact in meeting the security objectives.
- 64 -
Questions:
• What classic system development life cycle (SDLC) model allows system engineers to go back to the previous step?
• What iterative SDLC model allows system engineers to evaluate, refine, plan and construct an information system utilizing a series of prototypes?
• Which SDLC model requires formal verification and validation of requirements at the unit-level, system-level, and operational-level?
- 65 -
Answers:
• What classic system development life cycle (SDLC) model allows system engineers to go back to the previous step?
  – Modified Waterfall
• What iterative SDLC model allows system engineers to evaluate, refine, plan and construct an information system utilizing a series of prototypes?
  – Spiral Model
• Which SDLC model requires formal verification and validation of requirements at the unit-level, system-level, and operational-level?
  – The V-Model, IEEE 12207 or ISO/IEC 12207
- 66 -
Risk Management Processes
[Figure: RMF steps – Step 1 CATEGORIZE Information System → Step 2 SELECT Security Controls → Step 3 IMPLEMENT Security Controls → Step 4 ASSESS Security Controls → Step 5 AUTHORIZE Information System → Step 6 MONITOR Security Controls]
• SECURITY AUTHORIZATION = SECURITY POSTURE BASELINE
• After authorization the cycle continues as Step 4 ASSESS Security Controls → Step 5 RE-AUTHORIZE Information System → Step 6 MONITOR Security Controls.
• Communicate the established baseline for continuous monitoring.
• If there is a major change, then re-establish the baseline.
• ONGOING SECURITY AUTHORIZATION = MAINTAINING THE ESTABLISHED SECURITY POSTURE BASELINE
Reference:
• NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, Sept. 2011
• Draft NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessment, September 2011
- 68 -
Risk Management – Current State of Insecurity in Federal Agencies
• “The 25 major agencies of Federal government continue to improve information security performance relative to C&A rate and testing of contingency plans and security controls.” – OMB FY 2008 Report to Congress on Implementation of FISMA.

  % of systems with a:                    FY 2005   FY 2006   FY 2007   FY 2008
  Certification and Accreditation (C&A)     85%       88%       92%       96%
  Tested Contingency Plan                   61%       77%       86%       92%
  Tested Security Controls                  72%       88%       95%       93%
  Total Systems Reported                  10,289    10,595    10,304    10,679

• # of security incidents keeps growing*…

  Incident Categories                  FY 2005  FY 2006  FY 2007  FY 2008  FY 2009
  1. Unauthorized Access                   304      706    2,321    3,214    4,848
  2. Denial of Service                      31       37       36       26       48
  3. Malicious Code                      1,806    1,465    1,607    2,274    6,977
  4. Improper Usage                        370      638    3,305    3,762    6,148
  5. Scans/Probes/Attempted Access         976    1,388    1,661    1,272    1,152
  6. Under Investigation                    82      912    4,056    7,502   10,826
  Total Incidents Reported               3,569    5,146   12,986   18,050   29,999

* Source: OMB and US-CERT
- 69 -
Risk Management – Relationship between Threat, Risk, and Countermeasure
• Threat Agent. An entity that may act on a vulnerability.
• Threat. Any potential danger to the information life cycle.
• Vulnerability. A weakness or flaw that may provide an opportunity to a threat agent.
• Risk. The likelihood of a threat agent exploiting a discovered vulnerability.
• Exposure. An instance of being compromised by a threat agent.
• Countermeasure / safeguard. An administrative, operational, or logical mitigation against potential risk(s).
[Figure: threat agent gives rise to a threat, which exploits a vulnerability, which leads to a risk; the risk can damage an asset and causes an exposure, which can be countered by a countermeasure; the countermeasure reduces/eliminates the risk and indirectly affects the vulnerability]
- 70 -
Risk Management – What is a Risk?
• The likelihood of a threat agent systemically exploiting a vulnerability of a system (of people, process, and technology), and
• The potential impact of a successful attack on an organization’s information operations.
[Chart: number of reported weaknesses, FY’05–FY’09, in Access Control, Segregation of Duties, Configuration Management, Service Continuity, and Enterprise-wide Security Program. Source: US-CERT & GAO-09-546]
- 71 -
Risk Management – Risk Assessment Process
[Figure: inputs → risk assessment activities → outputs]
1. Preparing for Risk Assessment (System Characterization)
  – Input: Hardware CIs, Software CIs, System I/Fs, Data & Info., People, Mission
  – Output: System Boundary, System Functions, System & Data Criticality, System & Data Sensitivity, Information Management Model (IMM)
2. Identify Threat Sources and Events
  – Input: History of system attack; Data from intelligence agencies, US-CERT, OIG, etc.
  – Output: Threat Statement
3. Identify Vulnerabilities & Predisposing Conditions
  – Input: Reports from prior risk assessments, Any audit comments, Security requirements, Security test results
  – Output: List of Potential Vulnerabilities
4. Determine Likelihood of Occurrence
  – Input: Threat-source motivation, Threat capacity, Nature of vulnerability, Current controls
  – Output: Likelihood Rating
5. Determine Impact
  – Input: Mission impact analysis, Asset criticality assessment, Data criticality, Data sensitivity
  – Output: Impact Rating (FIPS 199)
6. Determine Risk
  – Input: Likelihood of threat exploitation, Magnitude of impact, Adequacy of planned or current controls
  – Output: Risks & Associated Risk Levels, Information Protection Plan (IPP), Plan of Actions & Milestones (POA&M)
Supporting activities throughout: Communications and Information Sharing; Maintaining the Risk Assessment.
Reference: NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessments, Sept. 2011
- 72 -
Risk Management – Risk Assessment Methods
Quantitative:
  ALE = SLE x ARO
  SLE = AV x EF
• Annualized Loss Expectancy (ALE).
• Single Loss Expectancy (SLE). Monetary loss (impact) for each occurrence of a threatened event.
• Annualized Rate of Occurrence (ARO). The frequency with which a threat is expected to occur on an annualized basis.
• Asset Value (AV). Monetary value of the information asset.
• Exposure Factor (EF). An instance of being exposed to losses from a specific threat.
Qualitative:
• Likelihood Determination
  – Threat agent motivation & capability
  – Nature of the vulnerability
  – Existence and effectiveness of current controls.
• Impact Analysis (Confidentiality, Integrity & Availability)
  – System mission (e.g., the processes performed by the IT system)
  – System and data criticality (e.g., the system’s value or importance to an organization)
  – System and data sensitivity.

  Magnitude of Impact \ Likelihood Level   Low   Medium   High
  Significant (High)                        2      3       3
  Serious (Moderate)                        1      2       3
  Mild (Low)                                1      1       2

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are low, medium, or high.
- 73 -
Risk Assessment – Information Protection Needs – Robustness Level
• Mode of Operations: System-High
• Data Sensitivity: SBU/FOUO
• Information Type: Budget & Finance Information
• SC (Budget & Finance) = {Conf.(M), Integ.(M), Avail.(L)}
• Threat agent (Likelihood):
  – Hackers (Moderate)
  – Organized Crime (Moderate)
  – International Press (Moderate)
  – Careless/Poorly Trained Employees (High)

  Threat Agent (Likelihood)                             Type of Attacks   Potential Harmful Event (PHE) (objective)              Risk Value
  External Threat: Hackers (Moderate)                   Passive Attacks   Unauthorized disclosure (Confidentiality)              2
                                                        Active Attacks    Unauthorized modification / destruction (Integrity)    2
                                                                          Loss / Denial of service (Availability)                1
  External Threat: Organized Crime (Moderate)           Passive Attacks   Unauthorized disclosure (Confidentiality)              2
                                                        Active Attacks    Unauthorized modification / destruction (Integrity)    2
                                                                          Loss / Denial of service (Availability)                1
  External Threat: Domestic / International Press       Passive Attacks   Unauthorized disclosure (Confidentiality)              2
    (Moderate)                                                            Unauthorized modification / destruction (Integrity)    2
                                                                          Loss / Denial of service (Availability)                1
  Insider: Careless or Poorly Trained Employees (High)  Passive Attacks   Unauthorized disclosure (Confidentiality)              3
                                                        Active Attacks    Unauthorized modification / destruction (Integrity)    3
                                                        Close-in Attacks  Loss / Denial of service (Availability)                2

  Risk value = Severity of HTI (Impact) x PHE (Threat Likelihood):
  Severity of HTI (Impact) \ Likelihood   Low   Moderate   High
  Significant (High)                       2       3        3
  Serious (Moderate)                       1       2        3
  Mild (Low)                               1       1        2
- 74 -
  • 75.
    Risk Management: Risk Assessment Methods: Quantitative vs. Qualitative

    Quantitative
    • Pros
      – Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported.
      – The value of information is expressed in monetary terms with supporting rationale. Thus, the basis for expected loss is better understood.
      – A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported.
    • Cons
      – Calculations are complex. If they are not understood or effectively explained, management may mistrust the results.
      – A substantial amount of information about the target information & its IT environment must be gathered.
      – There is not yet a standard, independently developed & maintained threat population & frequency knowledge base.

    Qualitative
    • Pros
      – Calculations are simple and readily understood and executed.
      – Not necessary to determine quantitative threat frequency & impact data.
      – Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit.
      – A general indication of significant areas of risk that should be addressed is provided.
    • Cons
      – Risk assessment & results are essentially subjective in both process & metrics. Use of independently objective metrics is eschewed.
      – No effort is made to develop an objective monetary basis for the value of targeted information assets.
      – No basis is provided for cost/benefit analysis of risk mitigation measures. Only a subjective indication of a problem.
      – It is not possible to track risk management performance objectively when all measures are subjective.
                                                                                            - 75 -
    Risk Management: Risk Actions
    • Risk Acceptance – Establish risk acceptance criteria to determine what is acceptable.
    • Risk Mitigation – Establish a plan of action & milestones (POA&M) for implementing safeguards and countermeasures.
    • Risk Transfer – Transfer the potential liability to another entity (e.g., insurance company).
    • Total Risk = ∑ (Threats x Vulnerability x Asset value)
    • Residual Risk = (Total Risk) – (Countermeasures and Safeguards)
                                                                                            - 76 -
    Risk Management: The "Current State" of Cyber Defense Operating Model
    • Cyber adversary attacks and cyber defense operation reacts...
      [Figure: Adversary's offensive operation (Observe – Orient – Decide – Act), followed by the Agency's defensive operation (Observe – Orient – Decide – Act)]
    • Not very effective...*
      [Chart: Total # of Incidents Reported, FY'05 – FY'11, y-axis 0 to 120,000]
    Reference: * US-CERT.
    Page 77
    Risk Management: The "Future State" of Cyber Defense Operating Model – Information Security Continuous Monitoring (ISCM)
    • Knowing and fixing problems before our adversaries discover them – proactive...
      [Figure: Adversary's offensive operation (Observe – Orient – Decide – Act) alongside the Agency's ISCM operation, the Agency's defensive operation, and the Agency's security automation-enabled cyber operations, each running its own Observe – Orient – Decide – Act loop]
    Reference:
    • T. Sanger, Keynote Address, 7th Annual IT Security Automation Conference, Oct. 31, 2011.
    • T. Keanini, Boyd's OODA Loop and Continuous Monitoring, 7th Annual IT Security Automation Conference, Oct. 31, 2011.
    Page 78
    Questions
    • What are the two types of risk analysis methods?
      –
      –
    • What type of risk analysis requires the potential impact to be measured in financial terms?
      –
    • What type of risk analysis requires the potential impact to be adjudicated in terms of "severity of loss"?
      –
                                                                                            - 79 -
    Answers
    • What are the two types of risk analysis methods?
      – Qualitative
      – Quantitative
    • What type of risk analysis requires the potential impact to be measured in financial terms?
      – Quantitative
    • What type of risk analysis requires the potential impact to be adjudicated in terms of "severity of loss"?
      – Qualitative
                                                                                            - 80 -
    Learning Objectives: Information Security Management Domain
    • Information Security Concepts
    • Information Security Management
    • Policies, Standards, Procedures, and Guidelines
    • Information Classification
    • System Life Cycle (SLC) and System Development Life Cycle (SDLC)
    • Risk Management
    • Certification & Accreditation
    • Security Assessment
    • Configuration Management
    • Personnel Security
    • Security Education, Training & Awareness
                                                                                            - 81 -
    Certification & Accreditation (C&A): C&A → Risk Management
    • "… seven years after the passage of FISMA and approximately $40 billion later, I am troubled to learn that the Office of Management and Budget does not track how much agencies spend on cyber security or measure whether those expenditures actually resulted in improved security." * – Senator Tom Carper
      – For FY08, OMB reported 93% of federal information systems had their security controls tested.
      – Yet, between FY05 and FY09, the total number of reported security incidents had increased by over 740%.**
      [Chart: Total Incidents Reported (US-CERT), FY'05 – FY'09, y-axis 0 to 35,000]
    Source:
    * Congressional hearing: More Security, Less Waste: What Makes Sense for our Federal Cyber Defense, October 29, 2009.
    ** US-CERT Total Incidents Reported
                                                                                            - 82 -
    Certification & Accreditation (C&A): We are in a "Transition Period"
    • The concept of C&A is still around...
      – It's a cultural thing.
      – Most IG security auditors, and many agency information assurance (IA) professionals, are not willing to transition into RMF & ongoing security authorization.
    • C&A has a long history...
      – Computer Security Act of 1987 → FISMA 2002
      – The Rainbow Series/DoD 5200.28-STD (TCSEC) → NIST SP 800-37/DoDI 8500.2 → NIST SP 800-37, Rev. 1/CNSSP-22
    • For CISSP, we just need to learn the broad concept of C&A.
                                                                                            - 83 -
    Certification & Accreditation (C&A): Concept
    • Certification is a disciplined approach to evaluating how well the security controls implemented in a security enclave conform to the prescribed security requirements.
    • Accreditation is the official management decision to operate the certified system(s). It is also a formal acceptance of responsibility for the security of the certified system(s).
    • C&A does not guarantee that the system(s) are free of vulnerabilities and risks… hence the need for periodic security (or vulnerability) assessments.
                                                                                            - 84 -
    Certification & Accreditation (C&A): Process & Guideline
    Standard C&A Processes:
    • For Federal Information Systems
      – Civil: NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010
    • For National Security Systems (NSS)
      – Civil: CNSSP-22, Information Assurance Risk Management Policy for National Security Systems, January 2012
      – Military: DoDI 8510.01, Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)*
    * DoDI 8510.1 Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) has replaced DoDI 5200.40 DITSCAP.
                                                                                            - 85 -
    Certification & Accreditation (C&A): Risk Management Framework & System Life Cycle
    NIST SP 800-64, Rev 2 SDLC phases, with example security activities and the matching NIST SP 800-37, Rev. 1 Risk Management Framework steps:
    • SDLC Phase: Initiation
      – Preliminary risk assessment and define information protection needs
      – FIPS 199: Security category
      – Select security controls
      – RMF Step 1 CATEGORIZE, Step 2 SELECT
    • SDLC Phase: Development/Acquisition
      – Implement security controls
      – RMF Step 3 IMPLEMENT
    • SDLC Phase: Implementation/Assessment
      – Perform ST&E to validate implemented security controls and record residual risks
      – Verify implemented security controls
      – Authorizing Official (AO) reviews, negotiates, and establishes baseline
      – RMF Step 4 ASSESS, Step 5 AUTHORIZE
    • SDLC Phase: Operations & Maintenance
      – ISSOs & Security PMO track baselines and monitor risks
      – Monitor, report, and manage implemented security controls to maintain security posture baseline
      – RMF Step 6 MONITOR (Ongoing Security Authorization)
                                                                                            - 86 -
    Certification & Accreditation (C&A): Risk Management Framework and Ongoing Security Authorization
    [Figure: RMF steps as a cycle]
    Step 1 CATEGORIZE Information System → Step 2 SELECT Security Controls → Step 3 IMPLEMENT Security Controls → Step 4 ASSESS Security Controls → Step 5 AUTHORIZE Information System → Step 6 MONITOR Security Controls
    SECURITY AUTHORIZATION = SECURITY POSTURE BASELINE
    Communicate the established baseline for continuous monitoring:
    Step 4 ASSESS Security Controls → Step 5 RE-AUTHORIZE Information System → Step 6 MONITOR Security Controls
    ONGOING SECURITY AUTHORIZATION = MAINTAINING THE ESTABLISHED SECURITY POSTURE BASELINE
    If there is a major change, then re-establish the baseline.
                                                                                            - 87 -
    Certification & Accreditation (C&A): DIACAP
    [Figure: DIACAP process diagram]
    Reference: DoDI 8510.1 Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)
                                                                                            - 88 -
    Learning Objectives: Information Security Management Domain
    • Information Security Concepts
    • Information Security Management
    • Information Security Governance
    • Information Classification
    • System Life Cycle (SLC) and System Development Life Cycle (SDLC)
    • Risk Management
    • Certification & Accreditation
    • Security Assessment
    • Configuration Management
    • Personnel Security
    • Security Education, Training, and Awareness
    • Project Management
                                                                                            - 89 -
    Security Assessment: NSA Defined Security Assessment Methodology

    ASSESSMENTS (Level I)
    • Cooperative High Level Overview
    • Information / Mission Critical Analysis
    • Inventory Audit of Assets
    • Information / Data Flow Analysis
      → INFOSEC Enhancements →
    EVALUATIONS (Level II)
    • Security Process Audit / Analysis
    • Detailed Inventory Audit of Assets (Compliance Audit)
    • Cooperative Security Testing / Audit
      – Non-Intrusive Tests
      – Penetration Tests
      → INFOSEC Enhancements →
    RED TEAM (Level III)
    • Non-cooperative Security Testing
      – External Penetration Tests
    • Simulation of Appropriate Adversary
                                                                                            - 90 -
    Questions:
    • When should risk assessment be performed in a typical system life cycle?
      –
    • What are the three actions a designated approving authority may take to address risk?
      –
      –
      –
                                                                                            - 91 -
    Answers:
    • When should risk assessment be performed in a typical system life cycle?
      – Risk management is a life cycle activity. Risk assessment should be performed periodically throughout the system life cycle.
    • What are the three actions a designated approving authority may take to address risk?
      – Accept Risk
      – Mitigate Risk
      – Transfer Risk
                                                                                            - 92 -
    Questions:
    • In the qualitative risk assessment method, what are the two variables for determining risk?
      –
    • In the quantitative risk assessment method, what are the variables that determine the annualized loss expectancy (ALE)?
      –
      – Hint: What is the term used to describe the monetary loss for each occurrence of a threatened event?
      – Hint: What is the term used to describe the frequency with which a threat is expected to occur on an annualized basis?
                                                                                            - 93 -
    Answers:
    • In the qualitative risk assessment method, what are the two variables for determining risk?
      – Likelihood and Impact.
    • In the quantitative risk assessment method, what are the variables that determine the annualized loss expectancy (ALE)?
      – ALE = SLE X ARO.
      – Hint: What is the term used to describe the monetary loss for each occurrence of a threatened event?
      – Hint: What is the term used to describe the frequency with which a threat is expected to occur on an annualized basis?
                                                                                            - 94 -
    Configuration Management: Change Control & Configuration Management
    • Change control (or Change Management) is an organizational business process.
    • Configuration Management (CM) is an organizational practice that manages and maintains records of the system baseline and configuration changes, and supports the change control process.
    [Figure: Example of a change control process according to ITIL – Request Change → Review & Assign Change Control Request (CCR) → Assess & Test Change → Request Change Control Board (CCB) Approval → (Approve) Check-out CM Baseline → Perform & Verify Change(s) → Check-in Baseline Change to the Configuration Management Database → Report Change Status to CCB → Close CCR; (Reject) → Report Change Status to CCB → Close CCR]
                                                                                            - 96 -
    Configuration Management: Configuration Management and Security Posture Baseline
    [Figure: RMF steps as a cycle]
    Step 1 CATEGORIZE Information System → Step 2 SELECT Security Controls → Step 3 IMPLEMENT Security Controls → Step 4 ASSESS Security Controls → Step 5 AUTHORIZE Information System → Step 6 MONITOR Security Controls
    SECURITY AUTHORIZATION = SECURITY POSTURE BASELINE
    Communicate the established baseline for continuous monitoring:
    Step 4 ASSESS Security Controls → Step 5 RE-AUTHORIZE Information System → Step 6 MONITOR Security Controls
    ONGOING SECURITY AUTHORIZATION = MAINTAINING THE ESTABLISHED SECURITY POSTURE BASELINE
    If there is a major change, then re-establish the baseline.
                                                                                            - 97 -
    Configuration Management: Configuration Management and Information Security
    • We know that 80-90% of known vulnerabilities can be attributed to misconfigurations and missing patches, so ...
      – Asset inventory data (to know what agencies have)
      – Configuration (to know how they are configured)
    [Figure: an IT asset made up of software configuration items SWCI-1 through SWCI-5, each measured against its security configuration benchmark, with deviations flagged]
    Page 98
    Configuration Management: Configuration Management and Information Security
    [Figure: reporting hierarchy – Administrative Context and Perspectives (organizational IT assets) → security posture assessment results data from individual computing assets → Organizational-Level Context and Perspectives (Organization Enterprise Sec. Mgmt & Oversight) → sub-agency security posture reporting data → Agency-Level Context and Perspectives (Agency A … Agency Z Enterprise Sec. Mgmt & Oversight)]
    • The effort started with Federal Desktop Core Configuration (FDCC, OMB M-07-18)
    • Provided implementation guidance on FDCC (OMB M-08-22)
    • Attempted using FISMA to drive change (OMB M-09-29, M-10-15 to CyberScope, then M-11-33)
    Page 99
    Personnel Security: Personnel Security Principles
    • Hiring…
      – Personnel security interviews.
      – Background investigation.
      – Adjudication.
      – Non-disclosure agreement.
    • Operating…
      – Separation of duties.
      – Rotation of jobs.
      – Security awareness briefing.
    • Exiting…
      – Debriefing / exit interview.
      – Inventory & close accounts.
      – Escort.

    Soap box:
    • Personnel security is critical to information security.
    • DIA reported 80% of security incidents originated from internal threat agents.
      – Navy, the Walkers.
      – FBI, the Hanssen.
    • Security Awareness
      – Protect against social engineering, dumpster diving, transmission of viruses.
      – Kevin Mitnick

    References:
    • E.O. 13467, Reforming Process to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information, June 30, 2008.
    • DCID 6/4, Personnel Security Standards and Procedure Governing Eligibility for Access to Sensitive Compartmented Information
    • DoD 5200.2-R, Personnel Security Program
                                                                                            - 101 -
    Personnel Security: Insider Threats… (1/2)
    • Employees, former employees, and business partners may be the biggest information security threat to an enterprise...

      Source of Incidents*            2007    2008
      Unknown                         N/A     42%
      Employees                       48%     34%
      Hackers                         41%     28%
      Former employees                21%     16%
      Business partners               19%     15%
      Customer                         9%      8%
      Other                           20%      8%
      Terrorist/foreign government     6%      4%

    References:
    * The Global State of Information Security 2008, CSO Online (http://www.csoonline.com/article/print/454939)
                                                                                            - 102 -
    Personnel Security: Insider Threats… (2/2)
    • Software Engineering Institute (SEI) CERT Program's insider threat studies also found that…
      – 68% of the insider attacks occurred at the workplace.
      – 73% of the crimes were committed during working hours.
      – Over three-quarters of the insiders had authorized access to information assets.
      – None of the insiders had privileged access (i.e. system/database administrator).
      – 20% involved theft of physical property (e.g., documents, laptops, PCs, etc.).
    References: Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model, CERT Program, Software Engineering Institute and CyLab at Carnegie Mellon University, June 2009.
                                                                                            - 103 -
    Security Education, Training and Awareness (SETA)
    • Awareness – Orientation briefs and materials to inform and remind employees of their security responsibilities and management's expectations.
    • Training – Courses and materials to provide employees the necessary skills to perform their job functions.
    • Education – Courses and materials to provide employees the necessary decision-making and management skills to improve their promotional ability and mobility.
    Reference: NIST SP 800-50, Building an IT Security Awareness and Training Program.
                                                                                            - 105 -
    Security Education, Training, and Awareness: National Initiative for Cybersecurity Education (NICE) (1/2)
    • NICE is a part of the Comprehensive National Cybersecurity Initiative (CNCI), where government and industry collaborated to create a training & educational framework for the cybersecurity workforce.
    Reference: http://csrc.nist.gov/nice/
                                                                                            - 106 -
    Security Education, Training, and Awareness: National Initiative for Cybersecurity Education (NICE) (2/2)
    [Figure: NICE framework diagram]
    Reference: http://csrc.nist.gov/nice/
                                                                                            - 107 -
    Project Management: Terms & Definitions... 1/3
    • Project: A planned undertaking to accomplish a specific business goal/objective.
    • Program: A collection of integrated, networked projects to accomplish a set of business/mission goals/objectives.
    • Integrated Master Plan (IMP): An "event-based" plan consisting of a hierarchy of program events (/tasks) supported by specific accomplishments.
    • Integrated Master Schedule (IMS): An integrated, networked schedule that contains the detailed discrete tasks or activities (defined in the IMP).
    109
    Project Management: Terms & Definitions... 2/3
    • Task (/ Activity): An element of work performed during the course of a project.
    • Resources: Budget, people, time, material and tools, etc.
    110
    Project Management: Terms & Definitions... 3/3
    Types of Projects:
    • Level-of-Effort (LOE): General / supportive activities typically measured through time (e.g. PM, CM, Operations, etc.)
      [Chart: Activity vs. Time, a constant 4 x FTE]
    • Discrete Effort (a.k.a. Activities-based Costing (ABC)): Purposeful activities related to completion of a specific product or service that can be measured in Cost/Schedule (e.g. development of a functional module, software code, etc.)
      [Chart: Activity vs. Time, staffing stepping through 1 x FTE, 3 x FTE and 5 x FTE]
    111
    Project Management: Project Management Methodologies & Framework
    • Project Management Methodologies
      – Critical Path Method (CPM).
      – Program Evaluation & Review Technique (PERT).
      – Earned-Value Management System (EVMS) / Earned-Value Technique (EVT).
    • Project Management Framework
      – Project Management Institute's (PMI) Project Management Body of Knowledge (ANSI/PMI 99-001-2004).
    112
    Project Management: "Scientific" Project Management Methodologies
    • The concept of "Scientific Management" was started by Frederick Winslow Taylor in 1911.
    • Critical Path Method (CPM):
      – Started by DuPont Corporation as a scientific management method standard for managing projects/product production.
    • Program Evaluation & Review Technique (PERT):
      – Started by USN in 1958, as a scientific management method for the Polaris Missile Program.
      – In 1958, USA also used PERT for their Minuteman Missile Program.
    Reference:
    • The Principles of Scientific Management, by Frederick Winslow Taylor, 1911.
    • http://en.wikipedia.org/wiki/Critical_path_method
    • http://en.wikipedia.org/wiki/PERT
    113
    Project Management: "Scientific" Project Management Methodologies
    • Earned-Value Management System (EVMS):
      – A systematic integration and measurement of cost, schedule, and accomplishments of an investment that enables organizations to evaluate project performance during execution.
      – Incorporates CPM, PERT and EVT.
    The use of EVMS is required by the Clinger-Cohen Act of 1996, Section 5113 Performance-based and Results-based Management:
      (a) IN GENERAL – The Director shall encourage the use of performance-based and results-based management in fulfilling the responsibilities assigned under section 3504(h), of title 44, United States Code.
      (b)(1) REQUIREMENT – The Director shall evaluate the information resources to the performance and results of the investment made by the executive agencies in information technology.
    114
    Project Management: Critical Path Method (CPM)
    • Critical Path Method (CPM) provides you insights into the sequence of project tasks/activities.
      Statement of Work (SOW) + Work Breakdown Structure (WBS) + Critical Path Method (CPM) = Integrated Master Plan (IMP)
    • However, CPM does not show you: Time, Entry/Exit Criteria and Resources required.
    115
    Project Management: Program Evaluation & Review Technique (PERT)
    • PERT is CPM with a "time vector."
    • The time vector contains: Start time and Finish time.
      – Earliest Start time (ES), Latest Start time (LS).
      – Earliest Finish time (EF), Latest Finish time (LF).
    [Figure: PERT network of WBS elements 1.0 through 1.5 linked by activities A through H, with activity durations of 2, 3, 3, 4, 5, 5, 7 and 8 weeks]
    116
    Management Methodologies: Program Evaluation & Review Technique (PERT)
    • PERT provides you insights into the sequence of tasks/activities in terms of schedule.
      Work Breakdown Structure (WBS) + Program Evaluation & Review Technique (PERT) = Integrated Master Schedule (IMS)
    • However, PERT does not show you: Entry/exit criteria and resources required.
    117
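The PERT "time vector" worked through in code, as an added example that is not part of the slide deck: a forward pass gives ES/EF, a backward pass gives LS/LF, and the activities whose LS equals ES (zero slack) form the critical path that CPM is after. The activity network is constructed for the example and is not the one drawn on slide 116.

```python
"""Added example (not the deck's code): the PERT "time vector" of slide 116,
computed with a forward pass (ES, EF) and a backward pass (LS, LF) over an
activity network. Slack = LS - ES; zero-slack activities form the critical
path. The network below is constructed and is not the one on the slide."""
from collections import deque

# Constructed network: activity -> (duration in weeks, predecessor activities)
ACTIVITIES = {
    "A": (3, []),
    "B": (7, ["A"]),
    "C": (5, ["A"]),
    "D": (2, ["B"]),
    "E": (4, ["B", "C"]),
    "F": (5, ["C"]),
    "G": (3, ["D", "E"]),
    "H": (8, ["E", "F"]),
}


def topological_order(activities):
    """Kahn's algorithm; also returns the successor map used by the backward pass."""
    indegree = {name: len(preds) for name, (_, preds) in activities.items()}
    successors = {name: [] for name in activities}
    for name, (_, preds) in activities.items():
        for pred in preds:
            if pred not in activities:
                raise ValueError(f"{name} depends on unknown activity {pred}")
            successors[pred].append(name)
    ready = deque(name for name, deg in indegree.items() if deg == 0)
    order = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for succ in successors[name]:
            indegree[succ] -= 1
            if indegree[succ] == 0:
                ready.append(succ)
    if len(order) != len(activities):
        raise ValueError("dependency cycle: no valid task sequence")
    return order, successors


def pert(activities):
    """Return (project finish, {activity: {ES, EF, LS, LF, slack}}, critical path)."""
    order, successors = topological_order(activities)
    es, ef = {}, {}
    for name in order:                       # forward pass: earliest times
        duration, preds = activities[name]
        es[name] = max((ef[p] for p in preds), default=0)
        ef[name] = es[name] + duration
    finish = max(ef.values())
    ls, lf = {}, {}
    for name in reversed(order):             # backward pass: latest times
        duration = activities[name][0]
        lf[name] = min((ls[s] for s in successors[name]), default=finish)
        ls[name] = lf[name] - duration
    table = {name: {"ES": es[name], "EF": ef[name], "LS": ls[name],
                    "LF": lf[name], "slack": ls[name] - es[name]}
             for name in order}
    critical = [name for name in order if table[name]["slack"] == 0]
    return finish, table, critical


if __name__ == "__main__":
    finish, table, critical = pert(ACTIVITIES)
    print(f"{'act':>3} {'ES':>3} {'EF':>3} {'LS':>3} {'LF':>3} {'slack':>5}")
    for name, row in table.items():
        print(f"{name:>3} {row['ES']:>3} {row['EF']:>3} {row['LS']:>3} "
              f"{row['LF']:>3} {row['slack']:>5}")
    print(f"finish = {finish} wk, critical path = {' -> '.join(critical)}")
```

An activity with positive slack can slip by that many weeks without moving the finish date; de-scoping or re-allocating resources on a zero-slack activity moves it directly.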
    Management Methodologies: Program Evaluation & Review Technique (PERT)
    • This is an actual example!
    • What is wrong with this project?
    • This PM has never built a system architecture.
    118
    Some serious facts about the current state of federal IT projects
    • Government Accountability Office (GAO) reported:
      – "… for fiscal year 2006, nearly 25% of the funds (IT budget) requested, totaling about $15 billion, were considered by OMB to be at risk."
      – "In the case of risk assessment, supporting documentation for about 75% of the investments did not address OMB's required risk categories."
    • Government Computer News (GCN) reported a survey of 104 Federal IT executives:
      – Reasons for program over-run are…
        • 65+%: Poor program management.
        • 54%: Scope creep.
      – Key to reducing the number of failed agency IT projects is…
        • Training.
    Resource:
    • GAO-06-250 Information Technology: Agencies Need to Improve the Accuracy and Reliability of Investment Information.
    • http://www.gcn.com/online/vol1_no1/42733-1.html
    119
    Project Management: Earned-Value Management System (EVMS)
    • DoD EVMS is based on ANSI/EIA-748-A-1998, Earned Value Management Systems Standard.
    • Implementation of EVMS (i.e. DoD EVMIG) consists of 32 Guidelines in 5 Categories:
      – Organization.
      – Planning, Scheduling & Budgeting.
      – Accounting Considerations.
      – Analysis and Management Reports.
      – Revisions and Data Maintenance.
    Reference:
    • http://www.acq.osd.mil/pm/historical/ansi/ansi_announce.html
    • http://www.ndia.org/Content/ContentGroups/Divisions1/Procurement/NDIA_PMSC_EVMS_IntentGuide_Jan2006U1.pdf
    120
    Project Management: Earned-Value Management System (EVMS)
    • Key attributes in EVMS:
      – Statement of Work (SOW).
      – Work Breakdown Structure (WBS).
      – Entry Criteria (i.e. task dependencies, work authorization, etc.)
      – Exit Criteria (i.e. deliverables, PMR, closure, etc.)
      – Resources: Time, costs & budget.
    121
    Project Management: Earned-Value Management System (EVMS)
    • Project performance value is "earned" through:
      – Work performed.
      – Product delivery (i.e. milestones).
    • Project performance can be analyzed and projected using the Earned-Value Technique (EVT) (a.k.a. Performance Measurement Analysis).
    122
    Project Management: EVMS – Earned-Value Technique (EVT)
    • Earned Value (EV): Actual work performed.
    • Planned Value (PV): Budgeted cost for work scheduled at a given time.
    • Actual Cost (AC): Costs incurred in actual work performed.
    • BCWP: Budgeted cost for work performed.
    • BCWS: Budgeted cost for work scheduled.
    • ACWP: Actual cost for work performed.
    Reference: PMI Project Management Body of Knowledge (ANSI/PMI 99-001-2004)
    123
    Project Management: EVMS – Earned-Value Technique (EVT)
    • Cost Variance: CV = BCWP – ACWP
    • Schedule Variance: SV = BCWP – BCWS
    • Cost Performance Index: CPI = BCWP ÷ ACWP
    • Schedule Performance Index: SPI = BCWP ÷ BCWS
    Reference: PMI Project Management Body of Knowledge (ANSI/PMI 99-001-2004)
    124
    Project Management: EVMS – Earned-Value Technique (EVT)
    Calculating the Cost Variance…
      BCWP ($400k) – ACWP ($450k) = CV (-$50k)
    [Chart: $$ vs. Time with Budget at Completion (BAC); at t0 the cumulative Actual Costs (ACWP) reach $450k and BCWP $400k, and CV is the gap between the two curves]
      BCWP = $400k
      ACWP = $450k
      CV = -$50k
      CPI = .89
    125
    Project Management: EVMS – Earned-Value Technique (EVT)
    Calculating the Cost Performance Index (CPI)…
      BCWP ($400k) ÷ ACWP ($450k) = CPI (.89)
    [Chart: $$ vs. Time with Budget at Completion (BAC); at t0 the cumulative Actual Costs (ACWP) reach $450k and BCWP $400k, with CV between them]
      BCWP = $400k
      ACWP = $450k
      CV = -$50k
      CPI = .89
    Question: If CPI < 1 then how is this project doing?
    Answer: The project is not as productive as planned.
    126
    Project Management: EVMS – Earned-Value Technique (EVT)
    Calculating the Schedule Variance…
      BCWP ($400k) – BCWS ($500k) = SV (-$100k)
    [Chart: $$ vs. Time with Budget at Completion (BAC); at t0 the cumulative BCWS reaches $500k and BCWP $400k, and SV is the gap between the two curves]
      BCWP = $400k
      BCWS = $500k
      SV = -$100k
      SPI = .80
    127
    Project Management: EVMS – Earned-Value Technique (EVT)
    Calculating the Schedule Performance Index (SPI)…
      BCWP ($400k) ÷ BCWS ($500k) = SPI (.80)
    [Chart: $$ vs. Time with Budget at Completion (BAC); at t0 the cumulative BCWS reaches $500k and BCWP $400k, with SV between them]
      BCWP = $400k
      BCWS = $500k
      SV = -$100k
      SPI = .80
    Question: If SPI < 1 then how is this project doing?
    Answer: It is behind schedule.
    128
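The four EVT formulas of slides 124 through 128 applied the way the slides' cumulative $$-vs-Time curves are read, as an added example that is not part of the deck: per-period BCWS/BCWP/ACWP figures are summed through a reporting period t0 and then CV, SV, CPI and SPI are formed. The per-period series is constructed; through period 5 it reaches the slides' totals of BCWP = $400k, ACWP = $450k and BCWS = $500k.

```python
"""Added example (not the deck's code): Earned-Value Technique metrics from
slides 123-128, computed cumulatively from constructed per-period figures.
Through period 5 (t0) the series sums to the slides' totals:
BCWP = $400k, ACWP = $450k, BCWS = $500k."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EvtStatus:
    bcwp: float   # Budgeted Cost of Work Performed  (Earned Value, EV)
    bcws: float   # Budgeted Cost of Work Scheduled  (Planned Value, PV)
    acwp: float   # Actual Cost of Work Performed    (Actual Cost, AC)
    cv: float     # Cost Variance              CV  = BCWP - ACWP
    sv: float     # Schedule Variance          SV  = BCWP - BCWS
    cpi: float    # Cost Performance Index     CPI = BCWP / ACWP
    spi: float    # Schedule Performance Index SPI = BCWP / BCWS

    def cost_status(self) -> str:
        # Slide 126: CPI < 1 means the project is not as productive as planned.
        if self.cpi < 1.0:
            return "not as productive as planned (over cost)"
        return "at or better than planned cost"

    def schedule_status(self) -> str:
        # Slide 128: SPI < 1 means the project is behind schedule.
        if self.spi < 1.0:
            return "behind schedule"
        return "on or ahead of schedule"


def evt(bcwp: float, bcws: float, acwp: float) -> EvtStatus:
    """Apply the four slide-124 formulas to cumulative-to-date figures."""
    if acwp <= 0 or bcws <= 0:
        raise ValueError("ACWP and BCWS must be positive to form CPI and SPI")
    return EvtStatus(bcwp=bcwp, bcws=bcws, acwp=acwp,
                     cv=bcwp - acwp, sv=bcwp - bcws,
                     cpi=bcwp / acwp, spi=bcwp / bcws)


# Constructed per-period figures in $k (not from the slides): (BCWS, BCWP, ACWP)
PERIODS = [
    (100, 100, 100),   # period 1: on plan
    (100, 100, 105),   # period 2: slight cost overrun, still on schedule
    (100,  90, 100),   # period 3: work starts slipping
    (100,  70,  80),   # period 4
    (100,  40,  65),   # period 5 = t0 on the slides
]


def evt_to_date(periods, t0: int) -> EvtStatus:
    """Cumulative EVT status through period t0 (1-based)."""
    if not 1 <= t0 <= len(periods):
        raise ValueError("t0 is outside the reported periods")
    bcws = sum(p[0] for p in periods[:t0])
    bcwp = sum(p[1] for p in periods[:t0])
    acwp = sum(p[2] for p in periods[:t0])
    return evt(bcwp, bcws, acwp)


if __name__ == "__main__":
    for t0 in range(1, len(PERIODS) + 1):
        s = evt_to_date(PERIODS, t0)
        print(f"t{t0}: CV={s.cv:+.0f}k SV={s.sv:+.0f}k CPI={s.cpi:.2f} "
              f"SPI={s.spi:.2f} -> {s.cost_status()}; {s.schedule_status()}")
```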
    Project Management: Project Recovery
    So, the project is not doing well… What do you do?
    [Chart: $$ vs. Time with Budget at Completion (BAC); at t0 the cumulative Actual Costs (ACWP) reach $450k and BCWP $400k, with CV between them, and a Project Recovery point marked]
      BCWP = $400k
      ACWP = $450k
      CV = -$50k
      CPI = .89
    129
    Project Management: Project Recovery
    • Use CPM to find task dependencies.
    • Use PERT to locate effect(s) on schedule.
    • Use Cause-Effect (Fishbone) to locate the problem.
      [Figure: fishbone diagram – major cause categories, each with causes and secondary causes, leading to the Problem/Effect]
    • Re-negotiate project goals or milestones (via change-order).
    • Increase resources, but watch for:
      – Impact of resource re-allocation on other dependent tasks.
      – The "Mythical Man-Month" problem.
    • De-scope tasks, but watch for:
      – Effects on quality & program dependencies.
    130
    Validation Time…
    1. Classroom Exercise
    2. Review Answers
                                                                                            - 131 -
    Exercise #1: Build Security In
    • A civilian agency is planning an acquisition of an information system…
      – Please identify the key security engineering tasks required.
                                                                                            - 132 -
    Exercise #2: Risk Management Process
    • A civilian agency is planning an acquisition of an information system that will assess the security configuration settings of IT assets in a Secret-System High operating enclave.
      – Please identify the attributes required to enable you to determine the information protection needs.
    • Google is planning to offer its Google Apps service to a biotech research company.
      – What is the annual loss expectancy from a service outage?
        • Estimated asset value: $14.6B (total revenues in 2009)
        • Exposure factor: 0.01%
        • Google's annual rate of service outage occurrence: 1.2%
                                                                                            - 133 -
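The risk assessment arithmetic of slides 73 and 74 worked through in code, as an added example that is not part of the deck: the quantitative chain SLE = AV x EF, ALE = SLE x ARO is applied to the Exercise #2 figures, and the qualitative 3x3 risk matrix is applied to the slide-74 security category {Conf.(M), Integ.(M), Avail.(L)} for each threat agent. Percentages are converted to fractions before multiplying, and "Medium" (slide 73) and "Moderate" (slide 74) are treated as the same level.

```python
"""Added example (not the deck's code): the quantitative and qualitative risk
assessment arithmetic of slides 73-74, applied to the Exercise #2 figures and
to the slide-74 security category for Budget & Finance information."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; exposure_factor is the fraction of the asset value lost
    per occurrence (0.01% -> 0.0001)."""
    if asset_value < 0 or not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("AV must be >= 0 and EF must lie between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> float:
    """ALE = SLE x ARO; aro is the expected number of occurrences per year
    (an annual rate of 1.2% -> 0.012)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def exercise_2_ale() -> float:
    """Exercise #2 figures: AV $14.6B, EF 0.01%, annual outage rate 1.2%."""
    return annualized_loss_expectancy(14.6e9, 0.01 / 100, 1.2 / 100)


# Qualitative matrix from slide 73. Rows: magnitude of impact
# (Significant/High, Serious/Moderate, Mild/Low); columns: likelihood level.
RISK_MATRIX = {
    "high":   {"low": 2, "medium": 3, "high": 3},   # Significant (High)
    "medium": {"low": 1, "medium": 2, "high": 3},   # Serious (Moderate)
    "low":    {"low": 1, "medium": 1, "high": 2},   # Mild (Low)
}

# Slide 73 labels the middle level "Medium", slide 74 "Moderate".
_LEVELS = {"l": "low", "low": "low",
           "m": "medium", "medium": "medium", "moderate": "medium",
           "h": "high", "high": "high"}


def _level(name: str) -> str:
    key = name.strip().lower()
    if key not in _LEVELS:
        raise ValueError(f"unknown level {name!r}; use low/medium(moderate)/high")
    return _LEVELS[key]


def risk_value(impact: str, likelihood: str) -> int:
    """Risk value for one potential harmful event, e.g. ("M", "Moderate") -> 2."""
    return RISK_MATRIX[_level(impact)][_level(likelihood)]


def assess_information_type(security_category: dict, threat_agents: dict) -> dict:
    """Expand the SC triple {objective: impact} against {agent: likelihood}
    into {agent: {objective: risk value}}, as the slide-74 table does."""
    return {agent: {objective: risk_value(impact, likelihood)
                    for objective, impact in security_category.items()}
            for agent, likelihood in threat_agents.items()}


# Slide 74: SC (Budget & Finance) = {Conf.(M), Integ.(M), Avail.(L)}
BUDGET_FINANCE_SC = {"confidentiality": "M", "integrity": "M", "availability": "L"}
SLIDE_74_AGENTS = {"Hackers": "Moderate",
                   "Organized Crime": "Moderate",
                   "Domestic / International Press": "Moderate",
                   "Careless/Poorly Trained Employees": "High"}


if __name__ == "__main__":
    print(f"Exercise #2 ALE: ${exercise_2_ale():,.0f} per year")
    for agent, values in assess_information_type(BUDGET_FINANCE_SC,
                                                 SLIDE_74_AGENTS).items():
        print(f"{agent}: {values}")
```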

Editor's Notes

  • #55 CJCSM 3170.01C, CJCSI 3170.01F, Joint Capabilities Integration and Development System (JCIDS)
  • #70 Unauthorized Access: identification and authentication of users are not consistently enforced… a systems engineering problem. Improper Usage: Information assets are not always identified and inventoried… another security engineering problem. We don't always know the level of protection necessary. One thing that DoD does pretty well is having a security classification guide for each project. Under investigation: Those are the incidents that nobody knows exactly the cause and impact. During May of '08, MITRE's Bill Neugent had presented a talk to my sponsor – IRS on the fact that cyber threats are getting more "sophisticated" – no longer just hackers, we now have insiders, organized crime, terrorists, criminals perpetrating fraud. Security engineers need to understand the MISSION, BUSINESS OBJECTIVES, and OPERATIONAL PROCESSES.
  • #72 GAO-T-AIMD-98-312