Read the attached Information System Continuous Monitoring strategy and give your feedback

Description

Read the attached Information System Continuous Monitoring strategy document and give your feedback on what you think is missing and needs to be added. Please write out bullet points in a Word doc.


Unformatted Attachment Preview

Information Security Continuous Monitoring and Ongoing Authorization Strategy
ISCM and OA Strategy
DOCUMENT CHANGE HISTORY
Issue | Date | Description
Version 1.0 | 27 October 2020 | Initial version
Version 1.1 | 10 January 2024 | Document review and update
TABLE OF CONTENTS
1. Introduction
1.1. Background
1.2. Purpose
2. Roles & Responsibilities
3. ISCM Program Implementation Approach
4. ISCM Process
4.1. Step 1: ISCM Enrollment
4.2. Step 2: ISCM Pre-Assessment
4.3. Step 3: ISCM Assessment
4.4. Step 4: Metrics and Reporting
4.5. Step 5: OA Decisions
5. ISCM Maturity
Appendix A: Responsible, Accountable, Consulted, Informed (RACI) Chart
Appendix B: Acronyms
1. Introduction
1.1. Background
This document describes the Information Security Continuous Monitoring (ISCM) and Ongoing Authorization (OA) Strategy for the U.S. Department of Housing and Urban Development’s (OOO) Federal Information Security Modernization Act (FISMA) reportable operational information systems. The proposed ISCM Program is designed as per the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137, “Information Security Continuous Monitoring for Federal Information Systems and Organizations”, and related NIST SPs and federal standards. The foundation for an effective ISCM Program is a well-established Risk Management Framework (RMF) process, in accordance with NIST SP 800-37, Revision 2, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”.
The Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program has the objective of automating ISCM functions, providing agencies insight into the current state of their networks and systems at any time. The CDM program, and its tools implemented by agencies, was established to produce the following benefits:
• Services to implement sensors and dashboards;
• Delivery of near-real-time results;
• Prioritization of the worst problems within minutes, versus quarterly or annually;
• Enabling defenders to identify and mitigate flaws at network speed; and
• Lower operational risk and exploitation of government IT systems and networks.
Figure 1, from DHS, Guidance Regarding Improving Continuous Diagnostics and Mitigation Effectiveness Through Cybersecurity Governance and Management, shows the relationship between risk management, ISCM, and CDM.
Figure 1: Relationship of Risk Management, ISCM, and CDM
As stated in NIST SP 800-137, implementing an effective ISCM strategy and program provides a means to help establish several security-related outcomes, including but not limited to:
• Security metrics monitored frequently across all organizational tiers to provide evidence for decision-making.
• Security controls monitored for effectiveness and changed to respond to the evolving threat environment and new operational needs.
• Enhanced understanding of IT vulnerabilities to adapt security controls over time.
• Continued alignment with the mission and the agency’s risk tolerance.
1.2. Purpose
The ISCM Program aims to achieve visibility into the security of OOO’s Information Technology (IT) assets, awareness of cybersecurity risk, and insight into the effectiveness of deployed security and privacy controls. An effective ISCM Program, which is routinely reviewed and revised to increase visibility into assets and awareness of vulnerabilities, enables data-driven control of the security of an organization’s information infrastructure and increases organizational resilience. As the program matures, it also aids in improving the organization’s security architecture, operational security capabilities, and monitoring processes to better respond to the dynamic threat and vulnerability landscape.
The ISCM Program is designed to strengthen situational awareness and bring near-real-time risk management through continuous security and privacy control assessments for OOO’s operational systems. This enables Authorizing Officials (AOs) to make OA decisions by assessing risks on a monthly basis rather than providing an Authorization to Operate (ATO) decision on a three-year cycle.
1.3. Scope and Applicability
This document outlines the basis for the ISCM Program, identifies roles and responsibilities for executing and maintaining network and system continuous monitoring activities, and aligns to the Risk Management Framework (RMF) continuous monitoring tasks.
This information applies to all OOO employees and contractors with significant cybersecurity responsibilities, and to all information systems, including cloud information systems. These responsibilities apply to those personnel who are involved in implementing and maintaining continuous monitoring activities.
1.4. Deviations
Information systems that require an exception to security and privacy control requirements, due to adverse impact on mission, business, or operations, must submit a documented Risk Based Decision (RBD) request approved by the Department CISO and Authorizing Official (AO). All RBDs must be submitted to OCISO for review, processing, and concurrence from the OOO CISO, in accordance with the documented RBD processes and procedures.
Risk Based Decisions formalize the Department’s risk acceptance of identified security and privacy control gaps that cannot be mitigated, in whole or in part, where the residual risk must be monitored and managed to reduce adverse impact to OOO mission and operations. Types of acceptable risk for consideration are based upon OOO and Department priorities and tradeoffs between: (i) near-term mission/business needs and potential for longer-term mission/business impacts; and (ii) the Department’s interests and the potential impacts on individuals, other organizations, and the Nation.
2. Roles & Responsibilities
Using NIST SP 800-37 as a guideline, roles have been outlined in a governance structure shown in Figure 2. Further details about roles and responsibilities can be found in Table 1.
Figure 2: Governance Structure (three tiers, from strategic risk at Tier 1 to tactical risk at Tier 3)
• Tier 1, Organization: Chief Information Officer (CIO), AOs
• Tier 2, Mission/Business Process: Chief Information Security Officer (CISO), Senior Agency Official for Privacy (SAOP), Deputy CIO Infrastructure and Operations Office (IOO), Chief Privacy Officer (CPO), Governance, Risk, and Compliance (GRC) Lead
• Tier 3, Information System: System Owner (SO), Information System Security Officer (ISSO), Privacy Liaison Officer (PLO), Control Assessor (CA)
Table 1 below describes the responsibilities of each role as outlined within the governance structure, as well as additional roles within the ISCM Program.

Tier 1: Organization

Chief Information Officer (CIO)
• Designate a senior agency information security officer.
• Establish and maintain security policies, procedures, and control techniques to address security requirements.
• Sets and maintains ISCM Program risk tolerance.
• Oversee personnel with significant responsibilities for security and ensure that the personnel are adequately trained.
• Assist senior organizational officials concerning their security responsibilities.
• Report to the head of the agency on the effectiveness of the organization’s security program, including the progress of remedial actions.

Authorizing Official (AO)
• Assumes responsibility for operating an information system at an acceptable level of risk to operations, assets, or individuals by issuing a re-authorization decision as well as terms/conditions for the authorization, as defined in Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37 Rev 2).

Tier 2: Mission/Business Process

Chief Information Security Officer (CISO)
• Responsible for carrying out the CIO security responsibilities under FISMA of 2014 and serves as the primary liaison for the CIO to the organization’s AOs, SOs, common control providers, and system security officers.
• Responsible for coordinating with the SAOP to ensure coordination between privacy and information security programs.

Senior Agency Official for Privacy (SAOP)
• Leads the OOO Privacy Program and is OOO’s senior policy authority for privacy.
• Responsible and accountable for ensuring compliance with applicable privacy requirements and managing privacy risk.
• Collaborates with the OOO CISO to assess the privacy impacts of information systems and data.

Deputy CIO (DCIO) for Infrastructure and Operations Office (IOO)
• Responsible for the IT infrastructure (e.g., GSS) that provides shared services across OOO and for ensuring the implementation of security components to secure these information system assets.
• Responsible for implementing requests for Continuous Diagnostics and Mitigation (CDM) and vulnerability scans on the OOO infrastructure.
• Responsible for scan results reports from CDM and vulnerability scans.

Chief Privacy Officer (CPO)
• Manages operation of the OOO Privacy Office, under the direction of the SAOP.

Office of the Chief Information Security Officer (OCISO)/Governance, Risk, and Compliance (GRC) Lead
• Establishes and oversees the ISCM Program.
• Coordinates with impacted stakeholders to verify responsibilities, track progress, and report delays.
• Implements process improvements based on lessons learned.

Tier 3: Information System

System Owner (SO)
• Responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of a system.
• Responsible for addressing the operational interests of the user community (i.e., users who require access to the system to satisfy mission, business, or operational requirements) and for ensuring compliance with security requirements.
• In coordination with the system security and privacy officers, the SO is responsible for the development and maintenance of the security and ensures that the system is operated in accordance with the selected and implemented controls.

Information System Security Officer (ISSO)
• Responsible for ensuring that the security and privacy posture is maintained for an organizational system and works in close collaboration with the SO.
• Serves as a principal advisor on all matters, technical and otherwise, involving the controls for the system.
• Has the knowledge and expertise to manage the security or privacy aspects of an organizational system and, in many organizations, is assigned responsibility for the day-to-day system security or privacy operations.
• Supports the SO in completion of PIAs, as directed by the SAOP or CPO, and in coordination with the PLO.

Privacy Liaison Officer (PLO)
• Prepares Privacy Impact Assessment (PIA) and System of Records Notice (SORN).
• Responsible for overseeing compliance with privacy regulations in their respective business area or Program Office.

Control Assessor (CA)
• Responsible for conducting a comprehensive assessment of implemented security and privacy controls and control enhancements to determine the effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome to meet the security and privacy requirements for the system and the organization).

Table 1: ISCM Roles and Responsibilities
Refer to Appendix A for additional details on the roles and responsibilities within the ISCM Program.
3. ISCM Program Implementation Approach
In order to transition OOO’s existing operational systems to a state of ongoing assessment, there will be a sequential three-step approach: Design, Phase 1: Initial Enrollment, and Phase 2: Enterprise Enrollment, as described below in Figure 3.
Figure 3: Implementation Approach
The Design step will provide a foundation for the ISCM Program by establishing an updated ISCM and OA Strategy, developing a plan to implement the strategy, and ensuring existing systems meet cybersecurity requirements. Phase 1 of the approach helps OOO evaluate the ISCM enrollment criteria and implementation approach, uncover issues, and develop program improvements. Systems designated for Phase 1 will be vetted using criteria that determine readiness for the ISCM Program and will consist of a small sample size (about three to six systems in total). Once Phase 1 is complete, the remaining systems will be enrolled into the ISCM Program during Phase 2. Phases 1 and 2 are expected to take a total of 18 months. The activities that occur across the Design step, Phase 1, and Phase 2 are documented in the ISCM and OA Implementation Plan.
4. ISCM Process
The ISCM process details the four steps, as outlined in Figure 4, that make the ISCM Program operational. The following sections provide an overview of each step.
Figure 4: ISCM Process
4.1. Step 1: ISCM Enrollment
ISCM enrollment begins with a thorough security and privacy assessment of all General Support Systems (GSS), Minor Applications, Major Applications, and Web Applications. Every system entering the ISCM Program must meet enrollment criteria before being onboarded.
Systems will be enrolled in the ISCM Program upon successful completion of a full security and privacy assessment completed by the OCISO Assessment Team and Privacy Team. Criteria for enrollment are defined in Appendix A of the Information Security Continuous Monitoring (ISCM) Procedures.
4.2. Step 2: ISCM Pre-Assessment
A Pre-Assessment will be performed on each system that is on schedule to be assessed. The Pre-Assessment consists of an initial Commencement Email, which will inform the system team of the upcoming ISCM assessment. This email will identify the scope of the ISCM Assessment (Year 1, Year 2, etc.) and will also provide the key dates of the assessment. System teams will be given the opportunity to request a Kickoff meeting for this assessment. Soon after the commencement email is sent, a Document Request List (DRL) will be developed and sent to the system team identifying the required evidence/artifacts to be provided for the assessment.
4.3. Step 3: ISCM Assessment
The ISCM Assessments provide frequent security and privacy control assessments of OOO’s information systems to give near-real-time visibility into the agency’s risks. Assessments will be a combination of automated and manual security and privacy control assessments. Automated assessments will leverage results from automated scanning tools such as CDM. The ISCM Program will prioritize assessments based on critical systems and controls. ISCM assessment results and findings will be analyzed and assessed in accordance with OCIO’s Risk Management Strategy to determine impact to mission and business operations.
4.4. Step 4: OA Decisions
Using the reports provided on a system’s performance within the program, the AO can determine whether a system’s ATO should be maintained, thus leading to OA. An OA decision will be recommended by the CISO and SAOP to the AO based upon the outcome of the assessments. The AO will provide the OA decision, but the CIO is responsible for setting the risk tolerance of the ISCM Program and can request a change to the AO’s decision. If the AO decides to maintain the system’s ATO and it is acceptable to the CIO, the process starts again at Step 2: Pre-Assessment.
5. ISCM Maturity
The ISCM and OA Strategy and Program will be evaluated and updated on an annual basis to incorporate lessons learned and process improvements. Additionally, the program will mature as OCIO pursues the implementation of an Integrated Risk Management (IRM) solution. The ISCM Program and results will feed into the IRM solution to provide security and privacy risks on a continual basis. This will allow for a more comprehensive view of OCIO risks and the opportunity to mature risk aggregation and analyses to support executives with making informed risk-based decisions.
Appendix A: Responsible, Accountable, Consulted, Informed (RACI) Chart
The following RACI chart describes how various roles in OOO participate in ISCM tasks. A role is marked as:
• R: Responsible for performing the work
• A: Accountable for approving the work for the task
• C: Consulted about the work; feedback is solicited and accepted or not accepted
• I: Informed about the work with no expected feedback
Role | Identify Risk Elements | Identify ISCM input elements | Develop and maintain the OOO ISCM & OA Implementation Plan | Execute ISCM & OA Program | Review ISCM & OA performance, analyze & make a recommendation | Update ISCM and OA Strategy and Capabilities
CIO | A | A | C | C | A | A
AO | C | C | C | A | C | C
CISO | A | A | A | A | R | R
SAOP | C | C | C | R | C | C
DCIO for IOO | I | I | I | R | C | I
CPO | C | C | C | C | C | C
OCISO/GRC Lead | R | R | R | R | R | R
SO | R | R | R | R | R | C
ISSO | R | R | R | R | R | C
PLO | I | I | I | R | C | C
CA | C | C | R | R | R | R
Table 2: RACI Chart for ISCM Roles and Responsibilities
Appendix B: Acronyms
AO | Authorizing Official
ATO | Authorization to Operate
CA | Control Assessor
CDM | Continuous Diagnostics and Mitigation
CIO | Chief Information Officer
CISO | Chief Information Security Officer
CPO | Chief Privacy Officer
DCIOO | Deputy CIO for Infrastructure and Operations Office
DLP | Data Loss Prevention
FISMA | Federal Information Security Modernization Act
GRC | Governance, Risk, and Compliance
GSS | General Support System
OOO | U.S. Department of Housing and Urban Development
IOO | Infrastructure and Operations Office
IRM | Integrated Risk Management
ISCM | Information Security Continuous Monitoring
ISSO | Information System Security Officer
IT | Information Technology
NIST | National Institute of Standards and Technology
OA | Ongoing Authorization
OCIO | Office of the Chief Information Officer
OCISO | Office of the Chief Information Security Officer
PIA | Privacy Impact Assessment
PLO | Privacy Liaison Officer
POA&Ms | Plan of Action and Milestones
RACI | Responsible, Accountable, Consulted, Informed
RMF | Risk Management Framework
SAOP | Senior Agency Official for Privacy
SO | System Owner
SORN | System of Records Notice
SP | Special Publication