NCI-CBIIT
Security in the System/Services Development Life Cycle
Presenter: Braulio J. Cabral, CBIIT Enterprise Security Coordinator
Content
• The Path to Security and Compliance
• Security and Compliance through the SDLC
• Software Security Requirements
• ECCF
• Validating Security (Certification and Accreditation)
• Roles and Responsibilities
• Current caBIG Security Infrastructure
• Future Security as Service
The Path to a Secure/Compliant System
Security Requirements
• Software security requirements
• Leverage certification tools for security requirements gathering.
• Prepare for FISMA certification through the SDLC phases.
• Let's get the security requirements.
• Application security requirements (ECCF templates, security conformance statements, security assertions (QA))
• PIA, E-Auth. Assessment, System Categorization (C&A process)
• System Security Plan
CIM (CFSS) Conformance Example
Conformance No.: AE-CP2
Type: Security Pre-Conditions [M]
Description: Access control mechanism needs to be in place to ensure that the user is logged in and has valid privileges of a Study Administrator to initiate an Adverse Event.
Compliance & Conformance Statements
Name: Secured Access
Type: Obligation
Viewpoint: Engineering
Description: The AE service should have an access control mechanism in place to restrict access to sensitive data.
Test Method: 1. Design review; 2. Security test case
Platform Independent Model (PIM) and Service Specification
Operation Behavior Description
Security Conditions
• Describe in detail the security constraints which the user needs to fulfill in order to successfully execute this operation.
• Provide the following details:
• List all the Groups / Roles / Attributes which the user needs to have in order to execute the operation.
• List any specific access control which the user needs to have on the particular instance of the input parameter in order to gain access (e.g. the user needs to be a study coordinator for the Study id passed).
• Any additional security requirements (e.g. authentication required, or anonymous call allowed for the operation).
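As an added example (not code from the presentation or from caBIG's CSM), the security conditions listed above and conformance AE-CP2 encoded as a checked pre-condition of the initiate-adverse-event operation: authentication required, a required role, and an instance-scoped privilege on the study id passed in. The policy and user records, the operation name and the study ids are hypothetical.

```python
"""Service-operation security conditions (PIM style) enforced deny-by-default.
Hypothetical example; names do not come from CSM or the presentation."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class OperationPolicy:
    """Declarative security conditions for one operation: whether login is
    required, the roles the caller must hold, and an instance-level privilege
    the caller must hold on the specific input instance (the study id)."""
    name: str
    authentication_required: bool = True
    required_roles: frozenset = frozenset()
    instance_privilege: str = ""  # e.g. "STUDY_COORDINATOR"; "" means none


@dataclass
class User:
    user_id: str
    authenticated: bool
    roles: frozenset = frozenset()
    grants: frozenset = frozenset()  # instance grants: {(privilege, resource_id)}


ANONYMOUS = User(user_id="anonymous", authenticated=False)

# Constructed policy mirroring AE-CP2: logged in, Study Administrator role,
# and coordinator of the study the adverse event is being initiated for.
INITIATE_AE = OperationPolicy(
    name="initiateAdverseEvent",
    required_roles=frozenset({"STUDY_ADMINISTRATOR"}),
    instance_privilege="STUDY_COORDINATOR",
)


def check_preconditions(policy: OperationPolicy, user: User, study_id: str) -> list[str]:
    """Return the unmet security conditions; an empty list means allowed."""
    failures = []
    if policy.authentication_required and not user.authenticated:
        return ["authentication required"]  # roles of an anonymous caller are moot
    missing = policy.required_roles - user.roles
    if missing:
        failures.append(f"missing role(s): {sorted(missing)}")
    if policy.instance_privilege and (policy.instance_privilege, study_id) not in user.grants:
        failures.append(f"not {policy.instance_privilege} for study {study_id}")
    return failures


def initiate_adverse_event(user: User, study_id: str) -> str:
    """The guarded operation: refuse unless every pre-condition holds."""
    failures = check_preconditions(INITIATE_AE, user, study_id)
    if failures:
        raise PermissionError("; ".join(failures))
    return f"adverse event opened for study {study_id} by {user.user_id}"
```

The security test case named in the conformance statement's test method is then a table of users and study ids against the failures each one must produce.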
PIM Conformance Statements
• Security Conformance Statements
• Security as conformance statements
• Security as mandatory constraints or pre-conditions
• Security as a full conformance profile
• Deployment considerations
• Jurisdictional Domains
Platform Specific Model and Service Specification (PSM)
• Security Standards and Technology
• Assumptions and Dependencies for Security
• Operations Details
• Security Controls
• Implementation Considerations
• Access Control
• Application (service) Security (Access Policy)
• Cryptography
• Information Security and Risk Management
• Legal, Regulations, Compliance and Investigations
• Telecommunications and Network Security
• Auditing
• Privacy
Conformance Assertions
• Quality Control
• Test Cases
Validating Security
• FISMA Certification Process
• PIA
• e-Authentication assessment
• System Categorization
• Appscan
• Request C&A through security team (ISSO: Bruce Woodcock, Blaise Czkalski; coordinator: Braulio J. Cabral)
• Security Plan, Contingency plan, etc.
Security roles & responsibilities
• Who does what?
• System Owner: PIA, E-Authentication Assessment, System Categorization, system diagram, request appscan, etc.
• ISSO: C&A process, appscan
• CIO: Authorization letter
• NCI Privacy Office (PIA)
• POC: Suzanne Millard ([email protected])
Current caBIG Security Infrastructure
• The Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)
Authentication
• Dorian Authentication Service (SAML and Grid Certificate)
• CSM Authentication (user name/password)
• CSM authentication with NCI-LDAP
• Single Sign on (SSO)
Authorization
• CSM Authorization (Application Level) (moving towards Service Level)
• CSM Authorization (Service Level)
• GRID Grouper Authorization
• Combined CSM/GRID Grouper
Authorization Service Level with CSM Example (CCTS Suite)
[Diagram: CCTS Suite applications (C3PR, caAERS, PSC, Lab Viewer, C3D Connector), each shown with its CSM and API components]
Future Security As Services Infrastructure
Useful Links
• Enterprise Security Program: https://wiki.nci.nih.gov/pages/viewpage.action?pageId=24276546
• System Categorization form (FIPS-199): http://ocio.nih.gov/nihsecurity/InventoryandCategorization/NIH_System_Categorization_form.doc
• Authentication Risk Assessment Report: http://ocio.nih.gov/nihsecurity/HHS_E-Authentication_Report_Template.doc
• System Security Plan: http://ocio.nih.gov/nihsecurity/FIPS-200-SSP-Basic-Outline.doc
• Contingency plan (if available, part of the system security plan): http://ocio.nih.gov/nihsecurity/NIH-CP-Template.doc
• ECCF Templates: http://gforge.nci.nih.gov/svnroot/candc/trunk/documents/artifact_templates/