Author name: Bruce

I have been doing IT and cybersecurity, specifically GRC, for 20 years. I want to help people get into this field.

Uncategorized

Assurance Technology

Information Assurance technology is in growing demand as security takes center stage for information technology. According to the U.S. Bureau of Labor Statistics, Information Security Analyst was among the fastest growing occupations in the U.S. in 2012 and is projected to grow another 30% by 2022 (bls.gov). Information Security Analysts work with information assurance technology.

Assurance technology includes technologies like firewalls, intrusion prevention systems, security information & event management systems, web proxies, encryption systems, encryption software, authentication devices, vulnerability scanners, protocol analyzers, and many other devices specifically made to protect the confidentiality, integrity and availability of information. In defense these systems are known collectively as security products. Information systems with security features built in are known as security-enabled devices. Examples would be operating systems, storage devices, internetworking devices such as switches and routers, and any other device that can be locked down, secured and hardened with built-in information assurance technology.

Assurance technology is evaluated to make sure the security features perform as the manufacturers intended. Typically, agencies, departments and organizations that maintain critical infrastructure make sure that the information assurance technologies they choose are in the Common Criteria evaluation database:

http://www.commoncriteriaportal.org/products/
https://www.niap-ccevs.org/

These are systems that have been vetted in a lab under very specific conditions. So under specified settings, and under specific conditions, an organization can operate these assured technologies with a high level of confidence. Protection Profiles provide a set of criteria for conducting a security evaluation to determine the validity of vendors' claims. The product is given an Evaluation Assurance Level (EAL), an assurance level between 1 and 7.

Choosing the right information assurance technology is covered in NIST 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products. Assurance for U.S. defense technology used to be done with a policy called the Trusted Computer System Evaluation Criteria (TCSEC), DoDD 5200.28-STD (aka the Orange Book, aka DITSCAP). It eventually got replaced with DoDD 8500.1 on October 24, 2002 and branched into DIACAP, which is NOW DIARMF! So you see DIARMF is all about not only assurance technology but how those technologies are used.

Works Cited: U.S. Bureau of Labor Statistics. Fastest growing occupations. U.S. Bureau of Labor Statistics, http://www.bls.gov/emp/ep_table_103.htm. Accessed February 03, 2014.

Uncategorized

risk management framework ppt

I will post an alternate version of some of my old risk management framework ppt slides. I used to teach FISMA, NIST, and DIACAP to DIARMF. I have a lot of content and know a lot about this subject. For now, here are some other public works:

risk management framework ISACA (RiskIT)-Overview
risk management framework ppt

Uncategorized

information awareness training army

Army information awareness training is covered in the following regulation: AR 25-2, Information Assurance. Army Regulation 25-2 establishes the Army Information Assurance Program (AIAP), which covers information awareness by addressing the protection of the confidentiality, integrity and availability of unclassified, sensitive, or classified information stored, processed, accessed, or transmitted by Army information systems. AIAP is the Army's implementation of DODD 8500.1, DODI 8500.2, and Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510.01 to align Information Assurance goals.

Like all of the other branches of the US Armed Forces, the certification & accreditation part of the Army IA program will have to change to more of a risk management framework as the DoD moves to a NIST-based Risk Management Framework. But most of the main best-practice system security items won't change.

The Army Information Assurance Program describes the responsibilities of the following offices:

- Chief Information Officer
- Principal Headquarters, Department of the Army officials and staff
- Administrative Assistant to the Secretary of the Army
- Assistant Secretary of the Army for Acquisition, Logistics, and Technology
- The Deputy Chief of Staff, G-2
- The Deputy Chief of Staff, G-3
- The Deputy Chief of Staff, G-4
- Commanders of Army Commands; Army Service Component Commands; Direct Reporting Units; U.S. Army Reserve; Army National Guard; program executive officers; direct reporting program managers; Regional Chief Information Officers; Functional Chief Information Officers; and the Administrative Assistant to the Secretary of the Army
- Commander, 1st Information Operations Command
- Commanding General, Network Enterprise Technology Command/9th Signal Command (Army)
- Commanding General, U.S. Army Training and Doctrine Command
- Commanding General, U.S. Army Materiel Command
- Commanding General, U.S. Army Intelligence and Security Command
- Commanding General, U.S. Army Criminal Investigation Command
- Chief, Army National Guard
- Chief, Army Reserve / U.S. Army Reserve Command
- Chief of Staff
- U.S. Army Corps of Engineers, Chief of Engineers
- U.S. Army Corps of Engineers, Chief Information Officer
- Commanding General, Eighth Army
- Commanding General, U.S. Army Europe
- Commanding General, U.S. Army Medical Command
- Program executive officers and direct reporting program/project managers
- Commanders, directors, and managers
- Garrison commanders
- U.S. Army Reserve major subordinate command
- Army National Guard state DOIM/J6/CIO
- Regional Chief Information Officer
- Army Reserve command/unit/activity G-6
- Director of Information Management

AR 25-2 also explains the Army Information Assurance Program personnel structure, including information assurance support personnel and where contractors fit in the structure. AR 25-2 is the Information Assurance policy, which includes funding and Information Assurance training. Mission assurance category, levels of confidentiality, and levels of robustness are explained.

The topics of Army Information Assurance include:

- Software Security
  - Security Controls
  - Database management
  - Design and test
- Hardware, Firmware, and Physical Security
  - Hardware-based security controls
  - Maintenance personnel
  - Security objectives and safeguards
- Procedural Security
  - Password control
  - Release of information regarding information system infrastructure architecture
- Personnel Security
  - Personnel security standards
  - Foreign access to information systems
- Information Systems Media
  - Protection requirements
  - Labeling, marking, and controlling media
  - Clearing, purging (sanitizing), destroying, or disposing of media
- Network Security
  - Cross-domain security interoperability
  - Network security
- Incident and Intrusion Reporting
  - Information system incident and intrusion reporting
  - Reporting responsibilities
  - Compromised information systems guidance
- Information Assurance Vulnerability Management
  - Information assurance vulnerability management reporting process
  - Compliance reporting
  - Compliance verification
  - Operating non-compliant information systems
- Certification & Accreditation
- Communication Security
- Risk Management

Uncategorized

risk management wiki

Risk management (security) has many flavors of processes and standards including (but not limited to): ISO 31000, NIST Risk Management Framework 800-37, DIARMF, ISACA RISK IT Framework, ITSG-33, and PMI Risk Management (just to name a few of the most prominent English variants).

ISO 31000:2009

The International Organization for Standardization (ISO) has developed a standard for risk management. It's called ISO 31000:2009, Risk management – Principles and guidelines. ISO 31000:2009 has created a system of risk management that can be applied universally to most organizations around the world. This is significant because it allows two organizations from different countries to map their different risk management frameworks to each other with 31000 as a common reference.

NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems

NIST SP 800-37 is the de facto Risk Management Framework of the US Federal government. It was developed by the National Institute of Standards and Technology (NIST) in collaboration with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS). It is the centerpiece of all federal organization security processes. NIST also works on mapping 800-37 to International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27001, Information Security Management System (ISMS), and ISO 31000.

Defense Information Assurance Risk Management Framework (DIARMF 8510)

DIARMF is based on a combination of CNSSI 1253 and NIST SP 800-37. It applies to ALL US Defense departments. This is a big deal because in the past it was based on differing interpretations of the DoD IA Certification & Accreditation Program. Since each agency and department had its own process, it was expensive, time consuming and incredibly inefficient to get critical data from one organization to another. DIARMF relies on heavy use of continuous monitoring tools pushed by FISMA 2012.

ISACA RISK IT Framework

The ISACA Risk IT Framework provides a complete end-to-end framework for managing information technology security threats that exploit asset vulnerabilities.

ITSG-33, IT Security Risk Management: A Lifecycle Approach

Issued by the Chief, Communications Security Establishment Canada (CSEC), ITSG-33 is the Government of Canada's response to emerging cyber threats within the available resources of the country. By applying security from the very beginning of the system lifecycle, they deal with risk management in a more intelligent and fiscally responsible way. ITSG-33 covers the roles, responsibilities and activities of Canadian risk management.

PMI Risk Management

PMI Risk Management Professional is actually a certification for providing risk management.

Uncategorized

nist risk management framework 800-37

NIST risk management framework 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems (revision 1), marked a change from the old NIST 800-37, which was based on Certification & Accreditation. The adjustment stems from FISMA 2002, and the revised process emphasizes:

- Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
- Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
- Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems

The DoD has recently adopted the NIST risk management framework 800-37 steps (called the DIARMF process). There are 6 steps: Categorize, Select, Implement, Assess, Authorize and Continuous Monitor.

Step 1. Categorize

The first risk management framework step is categorization. This step consists of classifying the importance of the information system. This is done by the system owner with FIPS 199 and NIST 800-60. Categorization is based on how much negative impact the organization will receive if the information system loses its confidentiality, integrity or availability.

Step 2. Select

With FIPS 200 and NIST SP 800-53, the organization responsible for the system's security selects the security controls required to limit the risk to the organization. The selection of the controls is based on the categorization of your system. A system security plan is created as a guide to what will be installed and/or configured on the system.

More on DIARMF – Select

Step 3. Implement

Using the System Security Plan, the organization responsible for the categorized system can begin risk management framework step 3. This step is implementation, which is the installation and configuration of security patches, hotfixes and security devices where necessary. Guidance for the actual implementation has to come from technical manuals, system administrators, system engineers and others technically competent enough to do the work.

More on DIARMF – Implement

Step 4. Assess

The organization has to make sure that the security controls are implemented properly. This is done in risk management step 4, assess. NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is used to determine which controls have been fully implemented to limit the risks to the organization.

More on DIARMF – Assess

Step 5. Authorize

Even after implementation and assessment of the security controls that limit the overall risk to the organization, there is some remaining (residual) risk. The organization must have someone who has enough authority over the system to accept the residual risk. This person is known as the Authorizing Official. In risk management framework step 5, an Authorizing Official makes a formal, written acceptance of the risks. The AO makes a decision on whether or not to accept the risk based on the authorization package. The authorization package consists of the system security plan, plan of action and milestones, security/risk assessment report and any other supporting documents.

More on DIARMF – Authorization

Step 6. Continuous Monitoring

After acceptance of risk by the organization, they must develop a program that monitors the ongoing changes to the system's security posture. They take a proactive approach to watching for advanced persistent threats, configuration changes and new vulnerabilities. Risk management framework step 6 handles all of this.

More on DIARMF – Continuous Monitoring
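As an added example (not from the post or from NIST), here is how Step 1 and the hand-off to Step 2 look in Python: the FIPS 199 impact for each of confidentiality, integrity and availability is the high water mark across the information types the system handles, and the overall impact level picks the Low, Moderate or High SP 800-53 baseline. The information types and their impact values are constructed stand-ins for SP 800-60 entries, not real SP 800-60 data.

```python
"""RMF Step 1 (categorize) and the hand-off to Step 2 (select): FIPS 199
security categorization using the FIPS 200 high water mark.  Added example,
not from NIST or the post; the information types below are constructed."""
from typing import Dict

# FIPS 199 impact values in increasing order.  "N/A" is only allowed for
# confidentiality (e.g. public information); integrity and availability
# always carry at least a Low impact.
LEVELS = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed information types: name -> impact per security objective.
HR_SYSTEM = {
    "public web content": {"confidentiality": "N/A", "integrity": "Moderate", "availability": "Low"},
    "personnel records": {"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"},
}
PUBLIC_SITE = {
    "public web content": {"confidentiality": "N/A", "integrity": "Low", "availability": "Low"},
}


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Apply the high water mark per objective: the system's impact for
    confidentiality, integrity and availability is the highest impact of
    any information type it stores, processes or transmits."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    system = {}
    for obj in OBJECTIVES:
        highest = 0
        for name, impacts in info_types.items():
            level = impacts.get(obj)
            if level not in LEVELS:
                raise ValueError(f"{name}: invalid {obj} impact {level!r}")
            if level == "N/A" and obj != "confidentiality":
                raise ValueError(f"{name}: only confidentiality may be N/A")
            highest = max(highest, LEVELS[level])
        system[obj] = NAMES[highest]
    return system


def overall_impact(system: Dict[str, str]) -> str:
    """FIPS 200: the overall impact level is the highest of the three
    objective impacts; it selects the Low, Moderate or High SP 800-53 baseline."""
    return NAMES[max(LEVELS[system[obj]] for obj in OBJECTIVES)]


def security_category(system_name: str, system: Dict[str, str]) -> str:
    """Render the FIPS 199 notation that goes into the system security plan."""
    parts = ", ".join(f"({obj}, {system[obj].upper()})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


if __name__ == "__main__":
    for name, types in (("HR portal", HR_SYSTEM), ("public site", PUBLIC_SITE)):
        cat = categorize_system(types)
        print(security_category(name, cat), "->", overall_impact(cat), "baseline")
```

Note that one Moderate information type on a system otherwise full of Low data makes the whole system Moderate, which is why scoping what a system handles matters before the categorization is signed.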

Uncategorized

Information Assurance Air Force

Information Assurance in the Air Force is probably the most comprehensive of any branch of the US Armed Services. Air Force Instruction (AFI) 33-210, Air Force Certification & Accreditation (C&A) Program (AFCAP), is the USAF framework for implementing DIACAP. This includes all Information Assurance of the Air Force and has started to incorporate NIST risk management. The Air Force expects Information Assurance Managers (aka Information System Security Managers) and Information Assurance Officers (aka Information System Security Officers) to maintain situational awareness, restore IA posture and conduct internal Information Assurance assessments, testing information assurance controls when necessary.

AFI 33-2xx Information Assurance Air Force

The AFIs are the manuals that cover all rules and regulations of the Air Force. The AFI 33-xxx series covered all Information Technology rules (I use the past tense because the Air Force may change this any day now.. they change everything all the time). AFI 33-2xx covered Information Assurance, Information Security, and anything dealing with security practices on IT. AFI 33-210, AFCAP, references DoD 8570.01-M and eventually DoD 8140 to describe the certifications and skill sets necessary for security practitioners conducting Information Assurance in the Air Force. The AFI 33-2xx series is based on:

- DoDI 8500.02, Information Assurance (IA) Implementation
- NIST SP 800-53 Revision 3, Recommended Security Controls for Federal
- DoDD 8500.01E, Information Assurance, 24 October 2002
- DoDI 8500.2, Information Assurance (IA) Implementation, 6 February 2003
- DoD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005

For more info:
http://www.e-publishing.af.mil/
http://www.youtube.com/watch?v=cwqn7Ebq94w

Uncategorized

information protection

Information protection means protecting all layers of access to data, not just a firewall. Information protection means having policies in place that protect physical access to data, limit personnel access, and control how data is used, how information is released and when. Technological safeguards are just one method of protection. Another name for "information protection" is defense in depth. It's not enough to have a firewall and anti-virus. The more serious an organization is about its assets, the more serious it must be about information protection.

Uncategorized

operational risk

In the defense industry operational risk is a big deal. Operational risk is the risk associated with an organization's activities. That is a broad term that applies to any organization, but in the defense industry operational risk can also be the risk to human life, so it's a HUGE part of DIARMF & the risk management framework.

Confidentiality, Integrity and Availability in Operational Risk

A big part of operational risk is trusting your people to safeguard the confidentiality, integrity and availability of operational information. When I was in the military, it meant keeping our mouths shut about missions. In high profile cases, the media was a huge operational risk because they would try to give away the positions of US Armed Services in the middle of a war. For them it's important journalism; for the guy on the ground that kind of operational information is life or death. In defense, to mitigate operational risk, the practice is to give people the least amount of information and privileges they need to do their job. Because if ONE person knows everything, there is a great risk that they will intentionally or accidentally release information that can damage or destroy the operations of the organization by leaking it. Information leakage is very popular these days, as there is less and less loyalty and more and more access to all information. Operational risk is much harder to manage these days. People are more likely to keep the secrets of something they are stakeholders in than out of a pumped-up sense of pride. I think it's because information is so freely available that it's improbable to promote a one-sided view of any conflict or historical perspective.. but perhaps we are getting too sociological and political. Stakeholders are more interested in hard facts than feel-good perspectives of one's beliefs. I think that is why companies like Apple and Google are better at operational risk management than the US government. But I am sure it's also because the US government has an exponentially larger and more critical mission where lives, livelihoods and lifestyle are at stake. So maybe that is a poor comparison.

Operational Risk vs Profit

Since operational risk does not MAKE profit, it is often overlooked and ignored by private organizations. Larger organizations with LOTS of critical data understand the importance of operational risk, especially once they see that critical data walk out the door. When a private organization sees its competition using its exact information due to leaks in confidentiality, it realizes it must do a little data loss prevention (DLP), which is directly related to operational risk management. There are systems that are designed to automatically detect data loss, such as McAfee Total Protection for Data Loss Prevention.

Uncategorized

risk manager job description

A risk manager job description can be pretty broad because it can cover the tasks of a financial risk manager, safety risk manager or physical security risk manager. In terms of DIARMF / Risk Management Framework and information surety, we will focus on the risk manager job description for Information Technology.

IT Risk Management Professionals identify, analyze and document the risks associated with an organization's operations. Their job is much more effective if they have a continuous monitoring program to help them keep an eye on vulnerabilities and threats in real time.

Responsibilities for IT Risk Management Professionals include:

- Continuously monitor emerging threats associated with discovered vulnerabilities.
- Be a part of the configuration management process as it applies to changes to the security posture of the information system and/or network.
- Encourage and/or participate in the implementation of security controls.
- Create or analyze reports of significant risks and make recommendations.
- Make policies, procedures and control assessments for identified risks.
- Provide information assurance awareness training.

The risk management function of a company can fall under many different titles, some of which include:

- Risk Analyst
- Risk Manager
- Risk Management Consultant
- Risk Control Supervisor
- Director of Corporate Risk Management
- Chief Risk Officer

More on risk management job descriptions: http://www.acfe.com/career-path-risk-management-professional.aspx

Uncategorized

physical risk

The physical risk to an information system is perhaps the most important to consider. You MUST limit physical access to a system, or any technical or administrative controls you implement are meaningless because they can be bypassed easily. With direct physical access ANYONE can boot a server into a Kali Linux Live CD/USB or do a password recovery on your Cisco router. PWNAGE!!!! If you can physically touch a system, then you can own it. Additionally, you should have a contingency plan for the most likely avenue of physical disaster to a system. This limits the potential of intentional and unintentional harm to the system.

To limit the physical risk to an information system, NIST SP 800-53 (and therefore DIARMF) prescribes the "Physical and Environmental Protection" controls:

- PE-1 Physical and Environmental Protection Policy and Procedures
- PE-2 Physical Access Authorizations
- PE-3 Physical Access Control
- PE-4 Access Control for Transmission Medium
- PE-5 Access Control for Output Devices
- PE-6 Monitoring Physical Access
- PE-7 Visitor Control
- PE-8 Access Records
- PE-9 Power Equipment and Power Cabling
- PE-10 Emergency Shutoff
- PE-11 Emergency Power
- PE-12 Emergency Lighting
- PE-13 Fire Protection
- PE-14 Temperature and Humidity Controls
- PE-15 Water Damage Protection
- PE-16 Delivery and Removal
- PE-17 Alternate Work Site
- PE-18 Location of Information System Components
- PE-19 Information Leakage
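As an added example (not from the post), here is what the monitoring side of those controls looks like in Python: badge access records (PE-8) are reviewed against the access authorization list (PE-2) and the visitor escort rule (PE-7), and anything off-list, after hours, unescorted or repeatedly denied becomes a PE-6 style finding. The badge list, authorized hours, escort window and log lines are all constructed for the example.

```python
"""Physical access record review: PE-8 records checked against PE-2
authorizations and the PE-7 escort rule, producing PE-6 style findings.
Added example; the badges, hours, escort window and log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PE-2 authorization list: badge -> (areas, first hour, last hour).
# "V" badges are visitor badges and must be escorted by a staff badge.
AUTHORIZATIONS = {
    "E100": ({"lobby", "server-room"}, 7, 19),  # sysadmin, business hours only
    "E200": ({"lobby"}, 7, 19),                 # staff with no server-room access
    "V900": ({"lobby"}, 7, 19),                 # visitor badge
}
ESCORT_WINDOW = timedelta(seconds=60)   # staff badge must hit the same door within this
DENIED_BURST = 3                        # this many denials in 10 minutes is a finding

# Constructed PE-8 access records: timestamp,badge,area,outcome
SAMPLE_LOG = """\
2024-03-04 08:02:10,E100,lobby,granted
2024-03-04 08:03:40,E100,server-room,granted
2024-03-04 09:15:00,V900,lobby,granted
2024-03-04 09:15:20,E100,lobby,granted
2024-03-04 12:30:00,E200,server-room,granted
2024-03-04 12:40:00,V900,server-room,granted
2024-03-04 22:45:00,E100,server-room,granted
2024-03-04 23:01:00,E200,server-room,denied
2024-03-04 23:01:30,E200,server-room,denied
2024-03-04 23:02:05,E200,server-room,denied
"""


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, badge, area, outcome = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), badge, area, outcome))
    return records


def escorted(records, when, area):
    """PE-7: a visitor entry counts as escorted if a non-visitor badge was
    granted at the same area within ESCORT_WINDOW of it."""
    return any(a == area and o == "granted" and not b.startswith("V")
               and abs(t - when) <= ESCORT_WINDOW for t, b, a, o in records)


def review(records):
    """Return (control, message) findings in log order."""
    findings = []
    denied = defaultdict(list)
    for when, badge, area, outcome in records:
        # Unknown badges get no areas and an empty hour range, so every use is flagged.
        areas, first, last = AUTHORIZATIONS.get(badge, (set(), 0, 0))
        if outcome == "granted":
            if area not in areas:   # the door let in someone PE-2 never authorized
                findings.append(("PE-2", f"{badge} granted at {area} without authorization ({when})"))
            if not first <= when.hour < last:
                findings.append(("PE-6", f"{badge} entered {area} outside authorized hours ({when})"))
            if badge.startswith("V") and not escorted(records, when, area):
                findings.append(("PE-7", f"visitor {badge} entered {area} unescorted ({when})"))
        else:
            denied[badge].append(when)
            recent = [t for t in denied[badge] if when - t <= timedelta(minutes=10)]
            if len(recent) == DENIED_BURST:
                findings.append(("PE-6", f"{badge}: {DENIED_BURST} denials at {area} in 10 min ({when})"))
    return findings


if __name__ == "__main__":
    for control, message in review(parse_log(SAMPLE_LOG)):
        print(control, message)
```

A granted entry that PE-2 never authorized (E200 in the server room here) is the case to chase first, because it means the door controller and the authorization list have drifted apart.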
