Building a Modern Security Policy for Social Media and Government
DESCRIPTION
In this presentation, we discuss the considerations for an effective social media policy in Government.
TRANSCRIPT
http://www.potomacforum.org/
Building a Modern Security Policy for Social Media
Who is Michael Smith?
• 8 years active duty Army
• Graduate of Russian basic course, Defense Language Institute, Monterey, CA
• DotCom survivor
• Infantryman, deployed to Afghanistan (2004)
• CISSP #50247 (2003), ISSEP (2005)
• Former CISO, Unisys Federal Service Delivery Center
• Currently a Manager in a Big Four Firm
Who is Dan Philpott?
• Lifelong technologist focused on FISMA, cybersecurity, risk management, cloud computing, and social media
• CISSP (2007), CAP (2007)
• Federal Information Security Architect for Tantus Technology
• Founder of FISMApedia.org and FISMA arts
Goals
• Understand the tradeoff between Security, Transparency, and Engagement
• Provide an understanding of the frameworks social media policy must inhabit
• Describe models of social media policy
• Detail security goals and controls social media policy should address or include
A Quick Poll
• Are you using service provider hosting?
• Are you using Government-owned hosting?
• Do you not know how or where you're being hosted?
• Have you ever ignored the IT Security Staff because they just "get in the way"?
Not a Real CISO But It Could Be
“I’ve spent my entire 30-year career keeping information from getting into the public
domain and keeping your desktop safe from all the malware on social media sites. Now you want to take everything and put it there
intentionally?”
The problem for social media practitioners is based on the nature of our security culture.
NIST Risk Management Framework
Step 1: CATEGORIZE Information System
Step 2: SELECT Security Controls
Step 3: IMPLEMENT Security Controls
Step 4: ASSESS Security Controls
Step 5: AUTHORIZE Information System
Step 6: MONITOR Security Controls
Organizational Inputs: Laws, Directives, Policy, Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations
Architectural Description: Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries
Defining the Problem Space: SDLC
Initiation to O&M is a minimum of 120 days with 6 months being typical. How does this fit into your plans for social media?
[Figure: the five SDLC phases, each with its acquisition activities and its security considerations]
Phase 1: Initiation
– Activities (Needs Determination): Perception of a need; Linkage to mission and performance objectives; Assessment of alternatives to capital assets; Preparing for investment review and budgeting
– Security considerations: Security Categorization; Preliminary Risk Assessment
Phase 2: Acquisition/Development
– Activities: Functional Statement of Need; Market Research; Feasibility Study; Requirements Analysis; Alternatives Analysis; Cost-Benefit Analysis; Software Conversion Study; Cost Analysis; Risk Management Plan; Acquisition Planning
– Security considerations: Risk Assessment; Security Functional Requirements Analysis; Security Assurance Requirements Analysis; Cost Considerations and Reporting; Security Control Development; Developmental ST&E; Other Planning
Phase 3: Implementation
– Activities: Installation; Inspection; Acceptance Testing; Initial User Training; Documentation
– Security considerations: Inspection and Acceptance; System Integration; Security Authorization
Phase 4: Operations/Maintenance
– Activities: Performance Measurement; Contract Modification; Operations; Maintenance
– Security considerations: Configuration Management and Control; Continuous Monitoring
Phase 5: Disposition
– Activities: Appropriateness of Disposal; Exchange and Sale; Internal Organization Screening; Transfer and Donation; Contract Closeout
– Security considerations: Information Preservation; Media Sanitization; Hardware and Software Disposal
Understanding Your Objectives
• Tone: Official vs. comfortable
• Hosting: CO-CO (contractor-owned, contractor-operated) vs. GO-GO (government-owned, government-operated)
• Security: Enabler vs. Roadblock
• Simplicity: Engagement vs. "Shiny Objects"
• Be willing to negotiate with the security staff
Four-Quadrant Government Social Software Framework (1)
[Figure: 2x2 grid. Quadrants: Inward, Inbound, Outward, Outbound. Axes: Sharing Direction (Internal / External) and Interaction Level (Group / Individual). Annotations: "More Guidance Exists", "Less Guidance Exists".]
(1) Social Software and National Security: An Initial Net Assessment, M. Drapeau and L. Wells, via Federal CIO Council Guidelines for the Use of Social Media
Threat Landscape
• Government to Government:
– Internal social media services within or between agencies
• Government (internally hosted) to Public:
– Social media services on government sites
• Government (externally hosted) to Public:
– External social media services used by the government
• Government users in public:
– Social media services used by government users
Getting to a Good SocMed Policy
• Engage early, engage often
• Policy should focus on risk, not technology
– Social media technology changes constantly
– Data protection requirements are constant
– Consider the business case
– Consider the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation
– Make risk-based decisions
Primary Resources
• CIO Council
– Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0
– http://www.cio.gov/library/library_category2.cfm?structure=Information%20Technology&category=IT%20Security%20/%20Privacy
• GSA
– Terms of Service Agreements with New Media Providers
– http://www.usa.gov/webcontent/resources/tools/TOSagreements.shtml
• NARA
– Records Management Policy and Guidance
– http://archives.gov/records-mgmt/policy/
Primary Resources - FISMA
• NIST SP 800-37 Rev. 1
– DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP 800-39
– DRAFT Managing Risk from Information Systems: An Organizational Perspective
• NIST SP 800-53 Rev. 3
– Recommended Security Controls for Federal Information Systems and Organizations
http://csrc.nist.gov/publications/PubsSPs.html
Related Requirements
• Communications Policy
• 508 Compliance Policy
• Federal Records Management Policy
Risk Management Hierarchy (NIST SP 800-39)
[Figure: three tiers, shown across three slides with one tier highlighted on each]
TIER 1: Organization
– Risk Management Strategy
– Risk Executive Function (Oversight and Governance)
– Risk Assessment Methodologies
– Risk Mitigation Approaches
– Risk Tolerance
– Risk Monitoring Approaches
– Linkage to ISO/IEC 27001
TIER 2: Mission / Business Process
– Mission / Business Processes
– Information Flows
– Information Categorization
– Information Protection Strategy
– Information Security Requirements
– Linkage to Enterprise Architecture
TIER 3: Information System (NIST SP 800-37 Risk Management Framework)
– Linkage to SDLC
– Information System Categorization
– Selection of Security Controls
– Security Control Allocation and Implementation
– Security Control Assessment
– Risk Acceptance
– Continuous Monitoring
Policy Controls
• Social Media Communications Strategy
• Acceptable Use Policies (AUP)
• Content Filtering and Monitoring
• Privacy and Security Support
• Integration with NIST SP 800-39 and NIST SP 800-37 Risk Management
Policy Controls – NIST Guidance
• AC-20 Use of External Information Systems
• AC-22 Publicly Accessible Content
• IA-2 Identification and Authentication (Organizational Users)
• IA-5 Authenticator Management
• IA-7 Cryptographic Module Authentication
• IA-8 Identification and Authentication (Non-Organizational Users)
Policy Controls – NIST Guidance
• IR-5 Incident Monitoring
• IR-6 Incident Reporting
• IR-7 Incident Response Assistance
• IR-8 Incident Response Plan
• PL-4 Rules of Behavior
• PL-5 Privacy Impact Assessment
• RA-1 Risk Assessment Policy and Procedures
• SI-12 Information Output Handling and Retention
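As an added example (not part of the presentation), here is what the "Content Filtering and Monitoring" policy control and AC-22 look like in working code: a pre-publication check that holds an outbound post for human review when it carries content that should not reach a publicly accessible site. The rule set (dissemination markings, SSNs, internal hostnames, private IP addresses, credentials) and the three sample posts are constructed for this example, and the choice of go.usa.gov as the only approved URL shortener is an assumption: the deck points to go.usa.gov but does not state that policy.

```python
"""Pre-publication review of outbound social media posts.

Added example, not from the presentation. Every rule below is illustrative;
a real deployment would derive the rules from the agency's own
information-sharing guidance and data classification scheme.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # name of the rule that fired
    excerpt: str   # the text that triggered it, for the reviewer


# Content that should not appear on a public site without review.
RULES = {
    # Social Security Number in the usual dashed form.
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Dissemination-control markings. Case-sensitive on purpose: "secret sauce"
    # in ordinary prose should not trip the rule.
    "dissemination_marking": re.compile(r"\b(?:FOUO|SBU|CUI|NOFORN|SECRET|TOP SECRET)\b"),
    # Hostnames in internal-only zones (illustrative zone suffixes).
    "internal_host": re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:internal|local|lan|corp)\b", re.I),
    # RFC 1918 private address ranges.
    "private_ip": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
    # Anything that looks like a credential being handed out in the post.
    "credential": re.compile(r"\b(?:password|passwd|pwd|api[_-]?key)\s*[:=]\s*\S+", re.I),
}

# Assumption for this example: go.usa.gov is the only approved shortener, so
# links through any other well-known shortener hide their destination from
# both the reviewer and the public and are held.
APPROVED_SHORTENERS = {"go.usa.gov"}
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl", "is.gd"}
URL = re.compile(r"https?://([\w.-]+)/\S+", re.I)


def review_post(text: str) -> list[Finding]:
    """Return every finding in the post; an empty list means nothing was flagged."""
    findings = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(text):
            findings.append(Finding(rule, m.group(0)))
    for m in URL.finditer(text):
        host = m.group(1).lower()
        if host in KNOWN_SHORTENERS and host not in APPROVED_SHORTENERS:
            findings.append(Finding("unapproved_shortener", m.group(0)))
    return findings


def disposition(text: str) -> str:
    """'publish' when the post is clean, 'hold' when a reviewer must look at it."""
    return "hold" if review_post(text) else "publish"


if __name__ == "__main__":
    # Constructed sample posts, not real agency content.
    samples = [
        "Join us Friday at 10 AM for the Potomac Forum session. Details: http://go.usa.gov/abc",
        "FOUO: contact list attached. Jane Doe, SSN 123-45-6789, box at db1.agency.internal (10.20.30.40)",
        "New intranet dashboard is live: http://bit.ly/2xQ9 (password=Welcome1)",
    ]
    for post in samples:
        print(disposition(post).upper(), post)
        for f in review_post(post):
            print("   ", f.rule, "->", f.excerpt)
```

The check is deliberately a gate, not a redactor: a hit sends the post to a human who knows the sharing rules, which keeps the decision where the "Information to that can be shared" training slide puts it.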
Acquisition Controls
• Strong authentication
• Social media services' security practices
• Comment moderation and monitoring of social media
• Ensure federal security requirements are met by using dedicated resources from vendors
• Register and manage users' public profiles from .gov or .mil email addresses to provide stronger security
Acquisition Controls
• Partner with social media services to:
– Provide traceability to federal employee accounts
– Improve communications between providers and Security Operations Centers (SOC)
– Allow independent monitoring of social media service providers
• Encourage use of validated and signed code
• Ensure social media provider maintains appropriate configuration, patch and technology refresh levels
Acquisition Controls
• Ensure an independent risk assessment
• Records management in accordance with NARA record schedules, FOIA requests and e-discovery litigation holds
• Ensure hosted federal content is accessible at any time and stored in editable and non-proprietary formats
Acquisition Controls – NIST Guidance
• SA-1 System and Services Acquisition Policy and Procedures
• SA-2 Allocation of Resources
• SA-3 Life Cycle Support
• SA-4 Acquisitions
• SA-5 Information System Documentation
• SA-9 External Information System Services
Acquisition Controls – GSA Guidance
• Terms of Service Agreements
– Social media services' standard Terms of Service (TOS) Agreements present legal problems
– Many services are free, making it hard to encourage services to negotiate new TOS
– On behalf of the government, GSA has negotiated new TOS for many social media services
http://www.usa.gov/webcontent/resources/tools/TOSagreements.shtml
Training Controls
• Provide awareness, guidance and training on:
– Information that can be shared, information that cannot be shared, and with whom it can be shared
– Social media policies and guidelines, including the AUP
– Blurring of personal and professional life, as appropriate
– Operations Security (OPSEC) and the risks of social media
– Federal employees' self-identification on social media sites, depending on roles
Training Controls
• Provide awareness, guidance and training on:
– Privacy Act requirements and restrictions
– Specific social media threats, before granting access to social media sites
– Possible negative outcomes of information leakage, social media misuse and password reuse
– Possible impact on security clearance
Training Controls – NIST Guidance
• AT-2 Security Awareness:
– Add social media usage related awareness training
• AT-3 Security Training:
– Create specific role-based training for those with social media responsibility
• AT-5 Contacts with Security Groups and Associations:
– Establish contacts with security groups addressing web application and social media security
Host Controls
• Require use of a hardened Common Operating Environment (COE):
– Federal Desktop Core Configuration (FDCC)
– Security Content Automation Protocol (SCAP)
• Encourage use of strong authentication for greater assurance of a user's identity:
– Two-factor authentication (e.g., HSPD-12 card & PIN)
Host Controls
• Ensure strong change management, patch management, configuration management:
– Includes applications and Operating Systems
– Enforces strong logging
– Reports to SOC
• Desktop virtualization technologies:
– Allows safer viewing of potentially malicious websites
– Virtual sandbox protects base operating system
Host Controls
• Browser versioning:
– Ensure use of the latest browsers, which include additional security measures
• Encourage use of signed code or whitelisting:
– Provides a higher level of assurance that software comes from an approved vendor or is approved software
Host Controls – NIST Guidance
• Audit and Accountability (AU) family of controls, as applicable
• AC-1 Access Control Policy and Procedures
• AC-8 System Use Notification
• CM-1 Configuration Management Policy and Procedures
• CM-2 Baseline Configuration
• CM-6 Configuration Settings
• CM-7 Least Functionality
Host Controls – NIST Guidance
• SA-7 User-Installed Software
• SI-1 System and Information Integrity Policy and Procedures
• SI-2 Flaw Remediation
• SI-3 Malicious Code Protection
• SI-5 Security Alerts, Advisories, and Directives
Network Controls
• Federal Trusted Internet Connection (TIC) program protections:
– Reduced number of internet connections
– Einstein traffic inspection
• Security Operations Center (SOC) and Network Operations Center (NOC):
– Visibility and centralized control for incident response and risk reduction
• These should all be provided to you as "infrastructure"
Network Controls
• Web content filtering:
– Beyond Einstein protections
– Granular control of web applications, data and protocols
• Trust Zones dependent on security assurance requirements
• DNSSEC to better ensure website name resolution integrity
Network Controls
• Focus on data-centric protection
• URL Shortening:
– http://go.usa.gov/
Network Controls – NIST Guidance
• SC-1 System and Communications Protection Policy and Procedures
• SC-7 Boundary Protection
• SC-13 Use of Cryptography
• SC-14 Public Access Protections
• SC-15 Collaborative Computing Devices
• SC-20 Secure Name/Address Resolution Service (Authoritative Source)
Questions, Comments, or War Stories?
http://www.potomacforum.org/
Michael Smith: rybolov(a)ryzhe.ath.cx, http://www.guerilla-ciso.com/
Dan Philpott: danphilpott(a)gmail.com, http://www.fismapedia.org/