FISMA Charisma: Keeping Compliance in Control (236679777)
8/11/2019 FISMA Charisma: Keeping Compliance in Control (236679777)
http://slidepdf.com/reader/full/fisma-charisma-keeping-compliance-in-control-236679777 1/39
May 7, 2014
Mark F. Herron
Thomas Siu
FISMA Charisma
Case Western Reserve University
CWRU At A Glance
• Research University with 8 schools including a Medical School
• Student Population (Projected Fall, 2014)
– Undergraduate: 4,730
– Graduate and Professional: 5,600
– Total (headcount, all programs): 10,330
• Faculty and Staff (Fall, 2013)
– Faculty (full‐time): 1,406
– Staff (full‐time and part‐time): 3,097
• Information Technology Services
– Staff: 120
• Fiscal Year: July ‐ June
Agenda (“Learning Objectives”)
• What is FISMA (a “quick” overview)
• Why do FISMA (including examples)
• The NCS story (A New Hope…)
– An example of how FISMA was done
• How to do FISMA in Higher Ed
• ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
• On Risk & Institutional Tolerance
• Take‐Home Points
About the Presenters*
• Mark Herron, M.A. CISSP, CIPP/US
Information Assurance Analyst, ITS, CWRU
Specializing in FISMA/HIPAA/PCI and Incident Response
• Thomas Siu
Chief Information Security Officer, ITS, CWRU
Head of Information Security Dept. (Tom + 3 FTEs)
*Quotes & Pics from Wookiepedia: http://starwars.wikia.com
FISMA (2002) ‐ 44 U.S.C. § 3541
• Federal Information Security Management Act
– Applies to Agencies and Offices of the Federal Government, plus Federal Contractors (think defense)
• Contracts!
• Grants? (They’re becoming contract‐like)
– Anyone who agrees to requirements to do it
• Upon dispersal of funds…
– It’s a good framework, but detailed too
• like ISO 27001/17799, etc.
3 Major Control Areas (Like HIPAA)
• Management Controls focus on the management of IT systems, people/users, and the management of risk for systems. They consist of techniques and concerns that are normally addressed by management (and they include the PM bits). (Administrative)
• Operational Controls address security methods and mechanisms that are primarily implemented and executed to improve the security of a group, a particular system, or a group of systems. These controls require technical or specialized expertise and rely on management and technical controls. (Physical)
• Technical Controls focus on security controls that a computer or telecommunications system executes. They provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. (Technical)
• Plus those PM bits: Program Management (controlling the controls)
FISMA Risk Mgmt Cycle
[Image]
FISMA/NIST SP800‐53 Frameworks
[Image: Risk Mgmt Framework cycle – Categorize, Select (SP800‐53), Implement, Assess (SP800‐53A), Authorize, Monitor – alongside the Security Controls Framework]
FISMA Control Selection Process
[Image]
Security (Re)Assessment Triggers
– INITIAL and PERIODIC REFRESH: An assessment indicates improvement is needed
– BREACH or THREAT: An incident or a newly identified, credible, information system‐related threat results in a breach to, or suspicion of, the information system, producing a loss of confidence by the organization in the confidentiality, integrity, or availability of information processed, stored, or transmitted by the system
– OPERATIONS CHANGE: Significant changes to the configuration of the information system through the removal or addition of new or upgraded hardware, software, or firmware or changes in the operational environment potentially degrade the security state of the system; or
– PURPOSE CHANGE: Significant changes to the organizational risk management strategy, information security policy, supported missions and/or business functions, or information being processed, stored, or transmitted by the information system
(Re)Assessment Actions (Cycle)
– (RE)CONFIRM: (Re)confirm the security category and impact level of the information system
– (RE)ASSESS: Assess the current security state of the information system and the risk to organizational operations and assets, individuals, other organizations, and the Nation
– CORRECT: Plan for and initiate any necessary corrective action; and
– (RE)AUTHORIZE: Consider (re)authorizing the information system
– But how do programs get audited?
205 Controls in Moderate‐Level Systems
[Image]
How Does FISMA Get Audited?
• Love of a Thousand Hugs and Kisses (checks and X’es)
Checklist Auditing ‐ Moderate‐Level Controls
[Image]
How Does FISMA Get Audited 2
• A checklist is the easiest method for someone who doesn’t know the environment to assess it. This is not risk‐based, but more like PCI
• Unless external teams are required, use an internal team ‐ exercise judgment on risk, applicability, acceptance, mitigation, etc. and scope
– But they may not care
NOT an Actual Scorecard
[Image]
Why Do FISMA?
• So, why do this?
– “No one wants to do FISMA, they have to.”
Why Do FISMA?
• Appropriate and/or Acceptable Use
– FISMA and other risk management activities apply appropriate discipline to the conduct (not just in the findings) of research
• Both Advantage and Requirement
– Better, more mature processes
– When choosing whom to fund…
• A tangible example of applied, appropriate use
– And because a contract/grant says so (we have to)
Some examples of “Have to”
• Examples of real grant or contract language, from minimal/boilerplate, to in‐depth, explicit and detailed
– Do FISMA (boiler plate)
– Do FISMA including these few things (ok)
– Do FISMA, turn these things in regularly (uh‐oh)
– Do FISMA, do not proceed without ATO, and be audited
Do FISMA (If It Applies)
• Congress and the OMB have instituted laws, policies and directives that govern the creation and implementation of federal information security practices that pertain specifically to grants and contracts. The current regulations are pursuant to the Federal Information Security Management Act (FISMA), Title III of the E‐Government Act of 2002 Pub. L. No. 107‐347.
• FISMA applies to [X] grantees only when grantees collect, store, process, transmit or use information on behalf of [X] or any of its component organizations. In all other cases, FISMA is not applicable to recipients of grants, including cooperative agreements. Under FISMA, the grantee retains the original data and intellectual property, and is responsible for the security of this data, subject to all applicable laws protecting security, privacy, and research. If and when information collected by a grantee is provided to [X], responsibility for the protection of the [X] copy of the information is transferred to [X] and it becomes the agency’s responsibility to protect that information and any derivative copies as required by FISMA.
Do FISMA including these few things
Article [X] Information Security
• The Statement of Work (SOW) requires the contractor to (1) develop, (2) have the ability to access, or (3) host and/or maintain a Federal Information System(s). Pursuant to [X] Information Security Program Policies, the contractor and any subcontractor performing under this contract shall comply with the following requirements: Federal Information Security Management Act of 2002 (FISMA), Title III, E‐Government Act of 2002, Pub. L. No. 107‐347…
– Information Type… [Specified]
– Security Categories and Level… [Specified]
– Position Sensitivity Descriptions
• Level… [Specified]
• Submission of roster including name, position, responsibility of all staff…any revisions within 15 days of the calendar change…if suitability investigation required…30 days to be performed.
• All level requirements shall be met prior to performing any work…
– Information Security Training…[Shall be delivered and tracked]
– Rules of Behavior… [Shall be communicated to personnel]
– Personnel Security Responsibilities… (Termination/Separation Requirements)
– Commitment to Protect Non‐Public Departmental Information Systems and Data…[prior to performing any work]
• Contractor Agreement…
• Contractor‐Employee Non‐Disclosure Agreements…
Do FISMA and turn these things in regularly
Article [X] Information Security
– The Statement of Work (SOW) requires the contractor to [do] … Federal Information Security Management Act of 2002 (FISMA), Title III, E‐Government Act of 2002, Pub. L. No. 107‐347…
• Information Type… [Specified]
• Security Categories and Level… [Specified]
• Position Sensitivity Descriptions
• Information Security Training…[Shall be delivered and tracked]
• Rules of Behavior… [Shall be communicated to personnel]
• Personnel Security Responsibilities… (Termination/Separation Requirements)
• Commitment to Protect Non‐Public Departmental Information Systems and Data…[prior to performing any work]
• Also:
– NIST SP 800‐53 Self Assessment… [Annually]
– Information System Security Plan… [Every 3 Years or upon major modification]
Do FISMA, turn these things in by…, require ATO, and be audited
Article H.17 – Do FISMA including [abridged ‐ not a complete list!]:
– Encryption and Key Management…
– Protect the CIA of all “information technology”…
– And secure all systems connecting…
– And adopt these security policies, procedures, controls, and standards…
– And deliver within [XX] days of award
• Information Security Plan covering FISMA and OMB Circular A‐130, NIST SP 800‐18, FIPS 200, and NIST SP 800‐26
• IT Risk Assessment consistent with NIST SP 800‐30
• FIPS 199 Standards for Security Categorization
– And deliver within [X] months after contract award
• IT Security Certification and Accreditation in accordance with checklist NIST SP 800‐37 and NIST 800‐53
– And for ATO ‐ Resolve any comments on draft plans and receive approval
– And Audit ‐ Perform an annual security control assessment and proof of valid system accreditation, including an annual test of contingency plan, plus performance of security control testing and evaluation
– And perform and maintain personnel requirements, including identity validation, training, etc.
– And maintain for inspection all facilities, data, contracts, subcontracts, and documentation
– And return all information and resources provided and certify all removal and purge of information after completed/closed
Or Else:
Acceptance of this award including the “Terms and Conditions” is acknowledged by the [grantee/contractee] when funds are drawn down or otherwise obtained from the grant payment system…
• Pay the money back
• Forfeit/endanger future awards (blacklisted)
How Do You Know You Need FISMA?
• Someone [likes] and tells you about it (Charisma!)
– PI or Study Coordinator
• Lucky: Heads up ahead of time, planning, etc.
• Typical: “Hey, we have this thing we’re supposed to do…”
• Bad: “Can you come over? There’s some stuff that was due last (week/month/quarter…) and the auditors are asking to see it now and threatening to shut us down…”
– A Grantor/Contractor (asking for details)
• Someone (RA?) has to watch for FISMA language
– If onerous, put doing FISMA in the budget!
How Do You Watch For FISMA+?
• Someone has to watch for FISMA+ language
– Office of Research Administration?
• Which one?
– Grants & Contracts, Compliance, Legal?
– InfoSec?
• If onerous, build doing FISMA into the budget!
– Recurring Analysis
– Dedicated Team(s) (Study level or institutional?)
NCS Example – “A New Hope”
• A long time ago… (Children’s Health Act 2000)
• A 20+ year, multi‐phase, longitudinal study
[Image]
Study Centers = “Rebel Bases?”
• Distributed study centers
Federal Oversight = (Not Evil) Empire?
• Program Office, Mission Assurance Team
Lots of Bureaucracy, PIs, & Ideas
• “Like herding cats” “A goat rodeo” or…
Plus
• Ongoing:
– Monthly vulnerability scanning
– Scan reports and plan updates, reviewed and approved
– Change control, de‐identification, etc.
• Incident response and reporting
– 24‐hour time to report!!!!!!!
• Lost a cell phone, had a virus infection… (electronic)
• Contractor quit and refused to return materials (paper)
• Your times & requirements may vary
So, What did we do?
• Not much choice in the NCS – “do it all or no ATO.” (Checklist – added a year)
• Budgeted for FISMA
– Money for consulting
– Money for a non‐data FTE (Mark!)
• Some centers built whole new, secure environments (your tax dollars at work)
– Scope control is needed!
– Some people used paper‐only (big data?)
Our General Approach
• Use NCS efforts as model for future study needs:
– Create: PIA, Risk Assessment, Security Plan, and internal consulting, more formal incident response
• Leverage institutional controls wherever possible, but carve out a more‐controlled environment for additional requirements
• Build Security into Project Management Process to start creating FISMA‐like aspects
– See Information Security in the Future IT Organization (Tomorrow at 8:00AM)
Our Specific Approach
• FCRE Architecture:
– Deskside (plus instruments TBD)
– Desktop (RDP/VDI)
– Servers and data: dev/test/prod
– Data transfer controls (DLP air gap)
– 3RD Party Co‐Lo High Security Facility
– Outsourced security monitoring
– Charge back costs to studies (Field of Dreams)
Thomas Siu – CISO, CWRU
• Let’s talk about risk, compliance, and advantage
– HIPAA driven >> Fisma‐recommended controls >> SANS 20 (We’re a HIPAA hybrid entity anyway)
– Looming export control requirements
• Take home points:
– Put money in the budget
– Scoping exercise
– Made our own versions for internal use
• What happened to the NCS?
– Still running nationally, but locally‐run study centers shut down (a new phase – central control and budget)
Thank You!
• Any questions?