Editor's note

Recommendations

Info

National Institute of Standards and Technology Special Publication 800-53 [8] (NIST SP800-53) covers control selection in 18 different areas: • Access Control • Awareness and Training • Audit and Accountability • Security Assessment and Authorization • Configuration Management • Contingency Planning • Identification and Authentication • Incident Response • Maintenance, Media Protection • Physical and Environmental Protection • Planning, Personnel Security • Risk Assessment • System and Services Acquisition • System and Communications Protection • System and Information Integrity • Program Management For each control objective listed, there is a corresponding set of recommended controls for each of the impact levels. Since there are so many controls to consider, controls are assigned a priority code that assists when planning an implementation sequence. Controls can be implemented as either a common control that applies to multiple systems or as a system-specific control that apply to individual systems. Compensating controls, should be evaluated if a primary control cannot be implemented due to technical or other reasons. NIST SP 800-18 [9] defines compensating controls as the management, operational, or technical controls employed by an agency in lieu of prescribed controls in the low, moderate, or high security control baselines, which provide equivalent or comparable protection for an information system. For each system, a system security plan should be prepared using the business impact analysis and the selected security controls. After the system security plan has been completed, it should be presented to the system owner for approval. NIST SP 800-18 defines the items to document in a system security plan: • System Name and Identifier • System Categorization • System Owner • Authorizing Official • Other Designated Contacts • Assignment of Security Responsibility • System Operational Status • Information System Type starterkit 02/2011(2) SOLUTIONS • General Description/Purpose • System Environment • System Interconnection/Information Sharing • Law, Regulations, and Policies Affecting the System • Security Control Selection • Minimum Security Controls • Completion and Approval Dates Once the system security plan has been approved by the authorizing official, control implementation can begin. NIST SP800-70 [10] and the other documents in the NIST SP800 series provide guidance on control implementation. Configuration checklists published at the National Checklist Program Repository [11] provide detailed configuration guidance with recommended settings. The checklists are provided in different formats for use. Tier I checklists are human readable, Tier II are machine readable non-SCAP, Tier III should work in a SCAP validated tool, and Tier IV will work in a SCAP validated tool. Implementing controls is only a portion of the actual work. The controls need to be tested to verify they have been implemented correctly, operating as intended, and producing the desired security outcomes with respect to meeting the security requirements of the system. NIST SP800-53A [12] provides guidance on assessing system security controls. The recommended process begins with preparing for the security controls assessment. The preparation process includes gathering the information needed by the assessors, setting the expectations of affected parties regarding scope, depth, time schedule, gathering supporting documentation, etc. Resources will need to be obtained and assessor/auditors selected. Ideally, the assessors should have independence from the business and technology groups so they can provide an unbiased review. The second step of the assessment process is to create an assessment plan. The plan should determine the scope of the assessment and which controls will be tested. Specific test procedures and assessment depth should be determined. Three types of assessment procedures are defined: controls examination, interview personnel, and controls testing. Three assessment procedure depths are defined progressing from the basic examination to the focused examination and leading to the comprehensive examination. Specific tests may need to be created to assess items not sufficiently covered by NIST SP800- 53A or to meet organizational requirements. After the plan has been completed, it will need to be approved prior to testing. Page 38 http://pentestmag.com
Resource • http://www.iso.org/iso/home.html [1] • http://www.iec.ch/ [2] • http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103 [3] • https://www.isaca.org/Pages/default.aspx [4] • http://www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx [5] • http://csrc.nist.gov/ [6] • http://csrc.nist.gov/publications/ps/ps199/FIPS-PUB-199-nal.pdf [7] • http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-nal_updated-errata_05-01-2010.pdf [8] • http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-nal.pdf [9] • http://csrc.nist.gov/publications/nistpubs/800-70-rev2/SP800-70-rev2.pdf [10] • http://web.nvd.nist.gov/view/ncp/repository [11] • http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-nal.pdf [12] The actual assessment begins with a set of determination statements that related to the security controls implemented from the catalog in NIST SP800- 53. An individual control listed in NIST SP800-53 may have multiple assessment objectives listed for the control in NIST SP800-53A. For example, NIST SP800-53 provides control AC- 1 Access Control Policies and Procedures. NIST SP800-53A has two control objectives listed: AC-1.1 and AC-1.2. NIST SP800-53A assessment objective AC-1.1 determines if the policy and procedures exist, contain certain key items, distributes the policy, develops procedures, and distributes the procedures to the appropriate staff. Control objective AC-1.2 determines if the policies and procedures have a defined update schedule and the organization actually updates the policies and procedures according to the schedule. The output of the security control assessment is the security assessment report. The security assessment report details the items tested and documents the results to provide evidence for each finding. For each item a rating of either satisfied (S) or other than satisfied (O). The organization may wish to have a summary report that provides the highlights of the report, a synopsis of key findings, and recommendations for addressing the deficiencies. The security assessment report will need to be reviewed by senior management. Management may determine that certain items present a lower or higher risk than indicated in the controls assessments and risk assessments based on the organization mission and the operational environment. Items that should be addressed are used to create a plan of actions and milestones (POAM) that management can use to direct remediation efforts. After management review, the system security plan and risk assessment should be updated accordingly. It should be <strong>note</strong>d that some risk will remain after the implementation of controls. This residual risk may be accepted by management starterkit 02/2011(2) or transferred to others through actions such as obtaining insurance policies. The risk management cycle is a continuous process. After these steps have been completed, the results should be used as a starting point for a new risk management cycle. The risk management framework can be adapted to the individual requirements of the organization. Since technologies and threats evolve over time, the risk management cycle should be repeated at regular intervals. The process can be used for new systems under development to ensure proper control selection or it can be applied to existing system to perform a gap analysis to evaluate current controls with the desired state. BART HOPPER Bart Hopper has earned numerous certications during his 18 years as an information technology professional. His certications cover the areas of information security, Windows administration, Unix administration, and database administration. He lives in Nashville, Tennessee. Page 39 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37: several security standards in wides
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?