Page 1

_experience the commitment™

NIST Guidance on Security and Business Continuity Planning in the SDLC

11th Annual New York State Cyber Security Conference

June 2008

© CGI GROUP INC. All rights reserved

James Hewitt, CISSP, PMP, 617.501.7908, [email protected]

Mark Spreitzer, CBCP, 917.304.1966, [email protected]


Page 2

Confidential

Presentation Outline

• Review the NIST SDLC & Security Resources
• SDLC Policy & Architecture
• 5-Phase Breakdown
• Overlaps & Iterations

Page 3

NIST & Special Publications

• NIST = National Institute of Standards and Technology
  • Technology standards and guidelines
• ITL = Information Technology Laboratory
  • Technical leadership for measurement and standards
  • Publishes Special Publications (SP)
    • Tests, test methods, reference data, proof-of-concept implementations, and technical analyses
    • Developed in collaboration with industry, government, and academic organizations
• Special Publication 800 series focused on Computer Security
  • Guidance and support on Security and Business Continuity
  • SP 800-64, Security Considerations in the System Development Lifecycle
  • NIST SDLC Brochure, August 2004, Information Security in the SDLC
• http://csrc.nist.gov/SDLCinfosec

Page 4

Walkthrough of NIST SP 800-64

• Security integration with the SDLC
  • Guides agencies in integrating security activities into system development life cycles (SDLC)
  • Defines the information security components of the SDLC
  • Key security roles and responsibilities
  • Translates security activities into IT projects and initiatives that don't have an SDLC

Page 5

NIST’s Security in the SDLC

Page 6

SDLC Policy & Architecture

• Integrate at the enterprise level
  • Include security activities in SDLC policy
  • Include risk management
  • Implement early in every project
• NIST SP 800-53 on security controls
• NIST SP 800-39 on enterprise-level risk management
• Concentrate on business requirements & security requirements

Page 7

Benefits of Integrating Security into the SDLC

• Early identification and mitigation of vulnerabilities and misconfigurations
• Lower cost of control implementation and vulnerability mitigation
• Identification of shared security services
• Reuse of strategies and tools to reduce cost and schedule
• Improvement of security through proven methods and techniques
• Informed decision making through comprehensive risk management
• Documenting security decisions made during development
• Improved organization and customer confidence to facilitate adoption and usage
• Improved systems interoperability and integration that would otherwise be hampered by securing systems at various system levels

Page 8

Security in the Project Lifecycle

Page 9

SDLC Phase Structure

• Phase 1: Initiation
• Phase 2: Development / Acquisition
• Phase 3: Implementation / Assessment
• Phase 4: Operations / Maintenance
• Phase 5: Sunset (Disposition)

Page 10

Phase 1: Initiation

• Key tasks:
  • Business partner engagement
  • Document enterprise architecture
  • Identify / specify applicable policies and laws
  • Develop confidentiality, integrity and availability objectives
  • Information and information system security categorization (repeat 4 & 5)
  • Procurement specification development
  • Preliminary risk assessment

Page 11

Phase 1: Initiation

• Inputs to Security Planning:
  • Decision to initiate system
• Outputs from Security Planning:
  • Security expectations
  • Schedule of security activities & decisions
• Categorize system outputs:
  • Security category
  • High-level security requirements
  • Level of effort
• …act as inputs to:
  • Business Impact Analysis (BIA), Disaster Recovery, Contingency Planning, Continuity of Operations Planning decisions
  • Use results of the BIA to develop requirements for business partner SLAs

Page 12

Phase 1: Initiation

• Control gates:
  • Categorization and impact levels
    • See SP 800-53 on minimal security controls
    • See SP 800-60, companion to FIPS-199
  • Architecture alignment, standards
  • Initial design review against requirements
  • Risk management review
  • Financial review, balancing cost with risk management
• Major tasks:
  • Identify security roles, stakeholders, milestones
  • Apply to one system or multiple systems
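The categorization control gate above rests on the FIPS 199 high-water mark rule: for each of confidentiality, integrity and availability, the system's impact level is the highest level assigned to any information type it handles, and the overall impact level, which selects the SP 800-53 low, moderate or high control baseline, is the highest of the three. The Python below is an added example written for this page, not material from the deck or from NIST; the information types and their provisional impact levels are constructed, where a real categorization would take them from SP 800-60 and the system owner's adjustments.

```python
"""FIPS 199 security categorization by the high-water mark rule.

Added example, not from the CGI/NIST deck. The information types and their
provisional impact levels below are constructed for illustration; in a real
categorization they come from NIST SP 800-60 and the system owner's adjustments.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Impact levels in ascending order, as defined in FIPS 199.
LEVELS = ("low", "moderate", "high")
RANK = {level: i for i, level in enumerate(LEVELS)}


@dataclass(frozen=True)
class InfoType:
    """One information type the system processes, with its CIA impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _checked(level: str) -> str:
    """Reject anything that is not a FIPS 199 impact level."""
    if level not in RANK:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def high_water_mark(levels: Iterable[str]) -> str:
    """The highest impact level among *levels*; FIPS 199 aggregates this way."""
    checked = [_checked(level) for level in levels]
    if not checked:
        raise ValueError("no impact levels given")
    return max(checked, key=RANK.__getitem__)


def categorize_system(info_types: list[InfoType]) -> dict[str, str]:
    """Per-objective categorization: for each of confidentiality, integrity and
    availability, the high-water mark across all information types."""
    return {
        "confidentiality": high_water_mark(t.confidentiality for t in info_types),
        "integrity": high_water_mark(t.integrity for t in info_types),
        "availability": high_water_mark(t.availability for t in info_types),
    }


def overall_impact(sc: dict[str, str]) -> str:
    """Overall system impact level: the high-water mark across the three
    objectives. This is what selects the SP 800-53 low / moderate / high
    control baseline."""
    return high_water_mark(sc.values())


def security_category(sc: dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % (
        sc["confidentiality"].upper(), sc["integrity"].upper(), sc["availability"].upper())


# Constructed sample: a hypothetical HR payroll system and its information types.
SAMPLE_SYSTEM = [
    InfoType("employee PII", "moderate", "moderate", "low"),
    InfoType("payroll transactions", "moderate", "high", "moderate"),
    InfoType("public holiday calendar", "low", "low", "low"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_SYSTEM)
    print(security_category(sc))
    print("overall impact / SP 800-53 baseline:", overall_impact(sc).upper())
```

Note what the rule does to the sample: a single high-integrity information type (payroll transactions) lifts the whole system to a high baseline even though most of its data is low or moderate, which is exactly the cost-versus-risk tension the financial review gate on the same slide is meant to surface. FIPS 199 additionally allows a confidentiality level of "not applicable" for public information; the example leaves that out.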

Page 13

Phase 1: Initiation

Relating security considerations

Page 14

Phase 2: Acquisition / Development

1. Risk assessment

2. Select initial baseline of security controls

3. Refinement – security control baseline

4. Security control design

5. Cost analysis & reporting (repeat with 1. Risk assessment)

6. Security planning

7. Unit / integration security testing & evaluation

Page 15

Phase 2: Acquisition / Development

• Control gates:
  • Architecture / design review
    • e.g. evaluate design for disaster recovery
  • Performance, functional reviews
  • Financial review, review cost-benefit ratios
  • Re-visit risk management decisions
• Major tasks:
  • Assess risks & security categorization vs security controls
  • Re-visit business impact analysis
  • Create baseline security requirements, security architecture and security controls
    • Include common controls
  • Start to build and integrate controls
  • Start writing security tests
  • Review additional functionality in terms of added risk

Page 16

Phase 2: Acquisition / Development

Relating security considerations

Page 17

Phase 3: Implementation / Assessment

1. Product / component inspection & acceptance

2. Security control integration

3. User / administrative guidance

4. System security test & evaluation plan (repeat #3)

5. System certification (repeat #2 & #3)

6. Statement of residual risk

7. Security accreditation

Page 18

Phase 3: Implementation / Assessment

• Control Gates:
  • Reviews for test readiness, deployment readiness, deployment approval, certification & accreditation
  • Final financial review – where did the money and effort go?
• Major Tasks:
  • Integrate with existing environment controls
  • Test controls
  • Set priorities for continuous monitoring
  • Define final, deployable state, and certify it

Page 19

Phase 3: Implementation / Assessment

Relating security considerations

Page 20

Phase 4: Operations / Maintenance

1. Configuration management, change control and auditing

2. Continuous monitoring

3. Recertification (repeat #1)

4. Reaccreditation

5. Incident handling (repeat #1)

6. Auditing (repeat #2)

7. Intrusion detection and monitoring

8. Contingency plan testing (including continuity of operations plan)

Page 21

Phase 4: Operations / Maintenance

• Control Gates:
  • Operational readiness review
  • Change control board, procedures
  • Decision to accredit
• Major Tasks:
  • Review operational readiness, before and after a major change
  • Manage security configuration control
  • Other configuration management, with an eye to the effect on system security
  • Monitor security controls
  • Periodic re-certification
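One concrete form of the configuration control and monitoring tasks above is to reconcile the accredited configuration baseline against what is actually running and to classify every difference against the change control board's records: drift that matches an approved ticket is expected, and anything else is a finding that feeds the re-certification decision rather than a routine sign-off. The Python below is an added example written for this page, not from the deck; the settings, values and ticket numbers (CCB-2008-…) are constructed, and the function names audit_configuration, unapplied_changes and requires_recertification are my own.

```python
"""Security configuration control audit for the Operations / Maintenance phase.

Added example, not from the CGI/NIST deck. It compares the accredited
configuration baseline with a live snapshot and reconciles every difference
against change records approved by the change control board (CCB). All
settings, values and ticket numbers below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApprovedChange:
    """A change the CCB approved: the setting and the value it may take."""
    ticket: str
    setting: str
    new_value: str


@dataclass(frozen=True)
class Finding:
    """One difference between the baseline and the observed configuration."""
    setting: str
    baseline: Optional[str]
    observed: Optional[str]
    status: str            # "approved" | "unauthorized" | "removed" | "unexpected"
    ticket: Optional[str]  # CCB ticket when status == "approved"


def audit_configuration(baseline: dict, observed: dict,
                        approved: list[ApprovedChange]) -> list[Finding]:
    """Classify every drifted setting. Only a change whose observed value
    matches an approved ticket counts as authorized; a setting that vanished
    or appeared without a ticket is reported on its own."""
    by_setting = {c.setting: c for c in approved}
    findings = []
    for setting in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(setting), observed.get(setting)
        if old == new:
            continue
        change = by_setting.get(setting)
        if new is None:
            status = "removed"
        elif change is not None and change.new_value == new:
            status = "approved"
        elif old is None:
            status = "unexpected"
        else:
            status = "unauthorized"
        findings.append(Finding(setting, old, new, status,
                                change.ticket if status == "approved" else None))
    return findings


def unapplied_changes(observed: dict, approved: list[ApprovedChange]) -> list[str]:
    """Tickets the CCB approved whose value is not yet in effect: the other
    direction of drift, approved work that never reached production."""
    return [c.ticket for c in approved if observed.get(c.setting) != c.new_value]


def requires_recertification(findings: list[Finding]) -> bool:
    """Any drift outside the change control process invalidates the accredited
    state and triggers re-certification rather than a routine sign-off."""
    return any(f.status != "approved" for f in findings)


# Constructed sample data for a hypothetical host in an accredited system.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "audit.enabled": "yes",
    "tls.min_version": "1.2",
    "firewall.default_inbound": "deny",
}
OBSERVED = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "yes",         # changed with no ticket
    "audit.enabled": "yes",
    "tls.min_version": "1.3",             # changed under CCB-2008-017
    "debug.remote_console": "enabled",    # appeared with no ticket
    # firewall.default_inbound is missing from the live snapshot
}
APPROVED = [
    ApprovedChange("CCB-2008-017", "tls.min_version", "1.3"),
    ApprovedChange("CCB-2008-021", "log.retention_days", "365"),  # approved, not yet applied
]

if __name__ == "__main__":
    findings = audit_configuration(BASELINE, OBSERVED, APPROVED)
    for f in findings:
        print(f"{f.status:12} {f.setting}: {f.baseline!r} -> {f.observed!r}"
              + (f"  ({f.ticket})" if f.ticket else ""))
    print("unapplied approved changes:", unapplied_changes(OBSERVED, APPROVED))
    print("re-certification required:", requires_recertification(findings))
```

The audit deliberately checks both directions: unexplained drift in the live system, and approved changes that were never applied, since an approved but missing control is as much a gap in the accredited state as an unapproved one. The per-finding status is what a change control board or continuous monitoring process can act on, and the boolean at the end is the input to the "decision to accredit" gate on the same slide.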

Page 22

Phase 4: Operations / Maintenance

Relating security considerations

Page 23

Phase 5: Sunset (Disposition)

1. Transition planning
   a. Migration to new system

2. Component disposal

3. Media sanitization
   a. NIST SP 800-88, Guidelines for Media Sanitization

4. Information archiving (repeat #1)
   a. Ensure information preservation

Page 24

Phase 5: Sunset (Disposition)

Relating security considerations

Page 25

Phase Overlaps & Task Iterations

• Phase 2: Development / Acquisition
  • Cost analysis & reporting
  • Security planning
• Phase 1: Initiation
  • Business partner engagement

Page 26

Phase Overlaps & Task Iterations

• Phase 3: Implementation / Assessment
  • Security control integration
• Phase 2: Acquisition / Development
  • Security control design

Page 27

Phase Overlaps & Task Iterations

• Phase 4: Operations / Maintenance
  • Monitoring
  • Recertification
• Phase 1: Initiation
  • Develop confidentiality, integrity and availability objectives

Page 28

Additional Considerations

• Supply Chain and Software Assurance
• Service Oriented Architecture
• Specific Accreditation of Security Modules for Reuse
• Cross-Organizational Solutions
• Technology Advancement & Major Migrations
• Data Center or IT Facility development
• Virtualization

Page 29

Mark Spreitzer, CBCP
Executive Consultant, Enterprise Security Practice
7 Hanover Square, 7th Floor, New York, NY 10004
Tel: (212) 612-3611  Mobile: (917) 304-1966  [email protected]

James Hewitt, CISSP, PMP
Senior Consultant, Enterprise Security Practice
12 Corporate Woods Blvd., Albany, NY 12211
Tel: (617) 501-7908  [email protected]

Questions?

Page 30

_experience the commitment™

Our commitment to you

We approach every engagement with one objective in mind: to help clients win and grow.