Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance. Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization’s information and information systems, along with organizational resilience given known threat information. This necessitates:
• Maintaining situational awareness of all systems across the organization;
• Maintaining an understanding of threats and threat activities;
• Assessing all security controls;
• Collecting, correlating, and analyzing security-related information;
• Providing actionable communication of security status across all tiers of the organization;
• Active management of risk by organizational officials.
The purpose of this guideline is to assist organizations in the development of an ISCM strategy and the implementation of an ISCM program that provides awareness of threats and vulnerabilities, visibility into organizational assets, and the effectiveness of deployed security controls. The ISCM strategy and program support ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance, as well as the ability to provide the information needed to respond to risk in a timely manner. Senior management at Defense Logistics Information Service has decided that the risk management plan for the organization is out of date. Because of the importance of risk management, a new plan needs to be developed. The risk management plan is for the organization’s use only. This new risk management plan will not only minimize the amount of risk for future endeavors, but will also comply with the Federal Information Security Management Act (FISMA) and with the applicable guidance and requirements of the Department of Defense (DOD), the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technologies (COBIT), and the DoD Information Assurance Certification and Accreditation Process (DIACAP).
This risk management plan is for the organization’s use only and covers its network, including remote access. Systems or parties outside the scope of this plan, which are not protected by its controls, put the network infrastructure at high risk of failure: an unprotected outside system interacting with the network can give an attacker a path to infiltrate it and steal important files. The scope of this project will include the planning, scheduling, budgeting, and consultation needed to perform an in-depth risk assessment and the research needed to determine which compliance laws this organization must follow. We must identify all the risks and vulnerabilities associated with this organization and create viable solutions that mitigate these risks as quickly and as inexpensively as possible without compromising the integrity and confidentiality of any business assets. A cost-benefit analysis should also be conducted prior to the planning phase of this project. Implementing and executing these policies and procedures in order to mitigate these risks is a critical part of the project process. Security features such as controls, audit logs, patching, etc. will be implemented, monitored, reported, and documented. Other risks such as natural disasters and accidental fires/floods should also be considered and accommodated accordingly, including a backup and disaster recovery plan.
Risk Management Procedure
The risk management procedure will start by obtaining senior management support and involvement, designating focal points, defining procedures, creating a schedule with milestones and deadlines, involving business and technical experts as consultants, and controlling, maintaining, monitoring, reporting, analyzing, and documenting results. This procedure will identify risks, threats, vulnerabilities, and the likelihood of those risks materializing; identify and rank critical issues and operations; estimate potential damage; identify cost-effective mitigating controls; and document assessment findings. All policies and procedures will support or be in compliance with the FISMA, COBIT, DIACAP, and PCI standards.
Risks vary greatly, from natural disasters, operational errors, software vulnerabilities, and financial hardships to human actions such as attackers launching buffer overflow or SYN flood attacks. Network and server crashes, loss of connectivity, broken or damaged equipment/hardware including workstations, employees calling in sick, hard deadlines not being met, costs, no intrusion detection system (IDS), and open ports on the firewall can all be considered risks. Not having any anti-virus software, not updating the operating systems, running unneeded services and protocols, and not having any backups of business assets such as files and applications are risks that should be considered critical to an organization. The severity of the loss/impact will depend greatly on the risk associated with it.
Threat | Vulnerability | Harmful event/loss | Mitigation | Probability of occurrence
Users | Lack of access controls | Loss of production data and confidentiality | Implement both authentication and access controls | High
Workstations/equipment failure | Data not backed up | Loss of data availability (impact of loss determined by value of data) | Back up data regularly, keep copies of backups off-site | (not rated)
Malware and viruses | Lack of anti-virus software, outdated definitions | Infection (impact of loss determined by payload of malware) | Install antivirus software, update definitions at least weekly | Medium
Denial of service (DoS) or distributed denial of service (DDoS) attack | Public-facing servers not protected with firewalls and intrusion detection systems | Loss of service availability | Implement firewalls, implement intrusion detection systems | (not rated)
Stolen data | Access controls not properly implemented | Loss of confidentiality of data | Implement both authentication and access controls, use principle of “need to know” | (not rated)
Social engineering | Lack of security awareness | Loss depends on the goals and success of attacker | Provide training, raise awareness through posters, occasional e-mails, and mini-presentations | (not rated)
Fire and flood | Lack of fire detection and suppression equipment | Can be total loss of business | Install fire detection and suppression equipment; purchase insurance | (not rated)
Hurricane, earthquake, tornado | Location | Can be total loss of business | Purchase insurance, designate alternate backup sites | Low
Compliance Laws and Regulation:
Federal Information Security Management Act (FISMA) compliance is required for federal agencies to protect their important information. Other bodies provide standards that apply to risk management projects, including the National Institute of Standards and Technology (NIST), the Department of Defense (DOD) and its Information Assurance Certification and Accreditation Process (DIACAP), and Control Objectives for Information and Related Technologies (COBIT). Department of Homeland Security (DHS) compliance is also required for the protection of the United States against terrorists. The DLIS security and safety risk management program also encompasses many operational departments and services throughout the organization, including buildings and grounds, DOD regulatory compliance, disaster preparation and management, employee health, accident reporting and investigation, budget, information technology, and human resources.
Roles and Responsibilities:
•Head of Agency. The agency head is likely to participate in the organization’s ISCM program within the context of the risk executive (function).
•Risk Executive (Function). The risk executive (function) oversees the organization’s ISCM strategy and program. The risk executive (function) reviews status reports from the ISCM process as input to information security risk posture and risk tolerance decisions and provides input to mission/business process and information systems tier entities on ISCM strategy and requirements; promotes collaboration and cooperation among organizational entities; facilitates sharing of security-related information; provides an organization-wide forum to consider all sources of risk; and ensures that risk information is considered for continuous monitoring decisions.
•Chief Information Officer (CIO). The CIO leads the organization’s ISCM program. The CIO ensures that an effective ISCM program is established and implemented for the organization by establishing expectations and requirements for the organization’s ISCM program; working closely with authorizing officials to provide funding, personnel, and other resources to support ISCM; and maintaining high-level communications and working group relationships among organizational entities.
• Senior Information Security Officer (SISO). The SISO establishes, implements, and maintains the organization’s ISCM program; develops organizational program guidance (i.e., policies/procedures) for continuous monitoring of the security program and information systems; develops configuration management guidance for the organization; consolidates and analyzes POA&Ms to determine organizational security weaknesses and deficiencies; acquires or develops and maintains automated tools to support ISCM and ongoing authorizations; provides training on the organization’s ISCM program and process; and provides support to information owners/information system owners and common control providers on how to implement ISCM for their information systems.
• Authorizing Official (AO). The AO assumes responsibility for ensuring the organization’s ISCM program is applied with respect to a given information system. The AO ensures the security posture of the information system is maintained, reviews security status reports and critical security documents and determines if the risk to the organization from operation of the information system remains acceptable. The AO also determines whether significant information system changes require reauthorization actions and reauthorizes the information system when required.
• Information System Owner (ISO)/Information Owner/Steward. The ISO establishes processes and procedures in support of system-level implementation of the organization’s ISCM program. This includes developing and documenting an ISCM strategy for the information system; participating in the organization’s configuration management process; establishing and maintaining an inventory of components associated with the information system; conducting security impact analyses on changes to the information system; conducting, or ensuring conduct of, assessment of security controls according to the ISCM strategy; preparing and submitting security status reports in accordance with organizational policy and procedures; conducting remediation activities as necessary to maintain system authorization; revising the system-level security control monitoring process as required; reviewing ISCM reports from common control providers to verify that the common controls continue to provide adequate protection for the information system; and updating critical security documents based on the results of ISCM.
•Information System Security Officer (ISSO). The ISSO supports the organization’s ISCM program by assisting the ISO in completing ISCM responsibilities and by participating in the configuration management process.
•Common Control Provider. The common control provider establishes processes and procedures in support of ongoing monitoring of common controls. The common control provider develops and documents an ISCM strategy for assigned common controls; participates in the organization’s configuration management process; establishes and maintains an inventory of components associated with the common controls; conducts security impact analyses on changes that affect the common controls; ensures security controls are assessed according to the ISCM strategy; prepares and submits security status reports in accordance with organizational policy/procedures; conducts remediation activities as necessary to maintain common control authorization; updates/revises the common security control monitoring process as required; updates critical security documents as changes occur; and distributes critical security documents to individual information owners/information system owners, and other senior leaders in accordance with organizational policy/procedures.
•Security Control Assessor. The security control assessor provides input into the types of security-related information gathered as part of ISCM and assesses information system or program management security controls for the organization’s ISCM program. The security control assessor develops a security assessment plan for each security control; submits the security assessment plan for approval prior to conducting assessments; conducts assessments of security controls as defined in the security assessment plan; updates the security assessment report as changes occur during ISCM; and updates/revises the security assessment plan as needed.
Organizations may define other roles (e.g., information system administrator, ISCM program manager) as needed to support the ISCM process. The roles and responsibilities above are taken from NIST Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations; the ongoing ISCM tasks that follow are drawn from the same publication.
•Provide input to the development of the organizational ISCM strategy including establishment of metrics, policy, and procedures, compiling and correlating Tier 3 data into security-related information of use at Tiers 1 and 2, policies on assessment and monitoring frequencies, and provisions for ensuring sufficient depth and coverage when sampling methodologies are utilized.
•Review monitoring results (security-related information) to determine security status in accordance with organizational policy and definitions.
•Analyze potential security impact to organization and mission/business process functions resulting from changes to information systems and their environments of operation, along with the security impact to the enterprise architecture resulting from the addition or removal of information systems.
•Make a determination as to whether or not current risk is within organizational risk tolerance levels.
•Take steps to respond to risk as needed (e.g., request new or revised metrics, additional or revised assessments, modifications to existing common or PM security controls, or additional controls) based on the results of ongoing monitoring activities and assessment of risk.
•Update relevant security documentation.
•Review new or modified legislation, directives, policies, etc., for any changes to security requirements.
•Review monitoring results to determine if organizational plans and policies should be adjusted or updated.
•Review monitoring results to identify new information on vulnerabilities.
•Review information on new or emerging threats as evidenced by threat activities present in monitoring results, threat modeling (asset- and attack-based), classified and unclassified threat briefs, US-CERT reports, and other information available through trusted sources, interagency sharing, and external government sources.
•Provide input to the development and implementation of the organization-wide ISCM strategy along with development and implementation of the system level ISCM strategy.
•Support planning and implementation of security controls, the deployment of automation tools, and how those tools interface with one another in support of the ISCM strategy.
•Determine the security impact of changes to the information system and its environment of operation, including changes associated with commissioning or decommissioning the system.
•Assess ongoing security control effectiveness.
•Take steps to respond to risk as needed (e.g., request additional or revised assessments, modify existing security controls, implement additional security controls, accept risk, etc.) based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones.
•Provide ongoing input to the security plan, security assessment report, and plan of action and milestones based on the results of the ISCM process.
•Report the security status of the information system including the data needed to inform Tiers 1 and 2 metrics.
•Review the reported security status of the information system to determine whether the risk to the system and the organization remains within organizational risk tolerances.
Risk Management Planning Process:
The Defense Logistics Information Services team will provide detailed documentation that includes mitigation techniques for the risks that have been identified, analyzed, and mitigated. Our team will also provide a mechanism for reaching consensus, support for needed controls, and a means for communicating and documenting results. Recommended solutions for the Defense Logistics Agency will be implemented, such as creating a firewall policy; configuring, managing, testing, and implementing the firewalls; and determining what traffic should be allowed. We may also add network and host firewalls and an intrusion detection system, along with additional administrators for separation of duties. Regularly updating anti-virus software, the operating system, and applications will have a positive effect on this organization. Therefore an update and backup policy, which should include information about a warm site, will also be created for security purposes. Each major risk (those falling in the Red and Yellow zones) will be assigned to a project team member for monitoring purposes to ensure that the risk does not “fall through the cracks”.
For each major risk, one of the following approaches will be selected to address it:
•Avoid – eliminate the threat by eliminating the cause
•Mitigate – Identify ways to reduce the probability or the impact of the risk
•Accept – Acknowledge the risk and take no action to reduce it; the risk is still tracked, with a response planned in case it materializes
•Transfer – Make another party responsible for the risk (buy insurance, outsourcing, etc.)
For each risk that will be mitigated, the project team will identify ways to prevent the risk from occurring or to reduce its impact or probability of occurring. This may include prototyping, adding tasks to the project schedule, adding resources, etc. For each major risk that is to be mitigated or that is accepted, a course of action will be outlined for the event that the risk does materialize, in order to minimize its impact.
RISK MONITORING, CONTROLLING, AND REPORTING:
Vulnerabilities are weaknesses in the environment, system architecture, design, or implementation; the organizational policies, procedures, or practices; and the management or administration of hardware, software, data, facility, or personnel resources. Vulnerabilities that are exploited may cause harm to the system or information processed, transported, or stored by the system. In accordance with NIST Recommended Security Controls for Federal Information Systems, SP 800-53, the vulnerability analysis encompasses the following three security control areas:
•Management Controls are safeguards related to the management of security of the system and management of the risk for a system. Examples of management vulnerabilities include lack of risk management, life cycle activities, system security plans, certification and accreditation activities, and security control reviews.
•Operational Controls comprise the operational procedures that are performed with respect to an information system. More often than not, these vulnerabilities stem from the lack of (or an insufficiency in) the various practices and procedures that are critical to the secure operation of a system. Examples of operational vulnerabilities include the lack of (adequate) security awareness and training, security monitoring and detection provisions, personnel and physical security controls and security auditing, and the absence of some or all of the procedural documentation critical to an effectively applied and managed security program.
•Technical Controls are countermeasures related to the protection of hardware, software, system architecture, and modes of communication. Examples of technical vulnerabilities include insufficient security software controls and mechanisms, faulty operating system code, lack of virus controls and procedures, and lack of authentication and access controls. Normally, vulnerabilities are identified during the risk assessment or during security testing and evaluation. In order to gain an understanding of the system vulnerabilities, major security certification activities include:
•Developing a detailed data collection questionnaire.
•Conducting site surveys and visits of representative installation sites.
•Interviewing users and maintainers of the system.
After analyzing the system management, operational, and technical security controls of the Defense Logistics Agency in its fielded environment, system vulnerabilities are identified, mitigated, and then monitored and reported. The analysis of the Defense Logistics Agency’s system vulnerabilities, the threats associated with them, and the probable impact of their exploitation results in a risk rating for each missing or partially implemented control. The risk level is determined from the following two factors:
•Likelihood of Occurrence – The likelihood to which the threat can exploit vulnerabilities given the system environment and other mitigating controls that are in place.
• Impact – The impact of the threat exploiting the vulnerability in terms of loss of tangible assets or resources and impact on the organization’s mission, reputation or interest.
To determine overall risk levels, the analyst must first look at how important the availability, integrity, and confidentiality of the system is in relation to it being able to perform its function, and the types of damage that could be caused by the exercise of each threat-vulnerability pair. Exploitation of vulnerability may result in one or more of the following types of damage to a system or its data:
•Loss of Availability/Denial of Service – Access to the system, specific system functionality or data is not available (Asset is not destroyed).
•Loss of Integrity/Destruction and/or Modification – Destruction of the asset (total loss through complete destruction or irreparable damage) or modification of the asset (unauthorized change, repairable damage, or a change to the asset’s functionality).
•Loss of Confidentiality/Disclosure – Release of sensitive data to individuals or to the public who do not have a “need to know.”
The level of risk on a project will be tracked, monitored and reported throughout the project lifecycle. A “Top 10 Risk List” will be maintained by the project team and will be reported as a component of the project status reporting process for this project. All project change requests will be analyzed for their possible impact to the project risks. Management will be notified of important changes to risk status as a component to the Executive Project Status Report.
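The likelihood and impact factors above are what the Top 10 Risk List and the Red/Yellow zone assignments rest on. The following is an added worked example, not part of the original plan: it scores each threat-vulnerability pair from the threat table as likelihood multiplied by the worst of its availability, integrity, and confidentiality impacts, buckets the score into Red/Yellow/Green, and ranks the result. The three-point scale, the zone thresholds, and the impact levels given to the sample rows are assumptions.

```python
"""Risk rating worksheet: score = likelihood x worst-case impact, bucketed into
Red/Yellow/Green zones and ranked into the Top 10 list. Added example; the
level scale, zone thresholds, and the impact ratings below are assumptions."""
from dataclasses import dataclass, field

LEVELS = {"Low": 1, "Medium": 2, "High": 3}   # assumed three-point scale


@dataclass
class RiskItem:
    threat: str
    vulnerability: str
    likelihood: str                              # "Low" / "Medium" / "High"
    impact: dict = field(default_factory=dict)   # damage type -> level
    mitigation: str = ""

    def score(self) -> int:
        # A threat-vulnerability pair may cause several kinds of damage
        # (availability, integrity, confidentiality); rate it by the worst one.
        worst = max(LEVELS[v] for v in self.impact.values())
        return LEVELS[self.likelihood] * worst


def zone(score: int) -> str:
    """Assumed 3x3 matrix thresholds: 6-9 Red, 3-4 Yellow, 1-2 Green."""
    if score >= 6:
        return "Red"
    if score >= 3:
        return "Yellow"
    return "Green"


def rank(items):
    """Highest score first; ties broken by threat name for a stable report."""
    return sorted(items, key=lambda r: (-r.score(), r.threat))


def top_risks(items, n=10):
    """Rows for the Top 10 Risk List: (rank, zone, score, threat, mitigation)."""
    return [(i + 1, zone(r.score()), r.score(), r.threat, r.mitigation)
            for i, r in enumerate(rank(items)[:n])]


def needs_owner(items):
    """Red and Yellow risks each get a project team member as owner."""
    return [r for r in items if zone(r.score()) != "Green"]


# Constructed sample drawn from the threat table above; impact levels are assumed.
SAMPLE = [
    RiskItem("Users", "Lack of access controls", "High",
             {"confidentiality": "High", "integrity": "Medium"},
             "Implement both authentication and access controls"),
    RiskItem("Malware and viruses", "Lack of anti-virus software, outdated definitions",
             "Medium", {"integrity": "High", "availability": "Medium"},
             "Install antivirus software, update definitions at least weekly"),
    RiskItem("Social engineering", "Lack of security awareness", "Medium",
             {"confidentiality": "Medium"},
             "Provide training and raise awareness"),
    RiskItem("Hurricane, earthquake, tornado", "Location", "Low",
             {"availability": "High"},
             "Purchase insurance, designate alternate backup sites"),
]

if __name__ == "__main__":
    for row in top_risks(SAMPLE):
        print("%2d %-6s %d  %s -- %s" % row)
```

Rating the impact per damage type and taking the maximum keeps a low-likelihood, high-impact item such as a hurricane from disappearing below many minor items; it still lands in Yellow and therefore gets an owner.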
Risk Assessment- a determination of what the company will need will be made outlining what requires attention first and in what priority if multiple items are at risk or vulnerable. The risk assessment will also determine which threat or risk would cause the most expensive/harmful damage to that business and the time required making those repairs.
Security Controls- will identify how the data and resources housing the data will be protected from unauthorized entry.
Disaster Recovery Plan- will include back-up and redundancy; if something breaks/fails or is damaged due to fire/floods and other natural disasters this plan will outline how to repair it.
•Create a regularly scheduled maintenance plan and include a backup and updating policy.
•Create redundancy on the servers by using multiple hard drives and RAID controllers.
•Create a firewall policy and determine what traffic should be allowed into the network then set up these firewalls on network routers for an added layer of security.
•Have extra materials onsite along with a 24 hour on call IT support for emergency calls.
•Create a password policy for the organization to use complex passwords within the network and have employees change their passwords regularly. Security breaches in the network such as user/hacker threats may occur when passwords are stolen because unprotected wireless networks were used.
•Security may be compromised by failing to disable or change employee login credentials when an employee leaves or is terminated. Not all former employees are disgruntled and vindictive, but it only takes one. Human resources should be contacted immediately for legal action in these circumstances.
•An intrusion detection system should be put in place and monitored. Attackers may use packet sniffers and password-cracking software to gain access to the network or to launch denial of service attacks. In either case, security breaches can lead to serious business damage.
•Identify and correctly implement all system-level preventative security controls (technical, operational, and management controls) and auditing logs to monitor and prevent attacks.
•Use encryption when sending and receiving data across the network. Business and personal information may be compromised, network services could be interrupted, and damage would depend on the type of attack suffered. Anywhere from network/server crashes to stolen information could result in loss of production, and even loss of revenue.
•A fire suppression system should be made available in the building in the event of a fire.
•Create a contingency plan and a policy statement.
•Create testing, training, and exercising manuals.
•Create separation of duties.
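The firewall policy item above asks the team to determine what traffic should be allowed. The added example below (not DLIS configuration or any vendor's syntax) models a first-match rule set so the decision for a given packet can be checked, and lints the policy for two faults that quietly defeat it: no explicit default-deny at the end, and a rule that can never match because an earlier, broader rule shadows it. The rule format, the sample policies, and the list of administrative ports never to expose to any source are assumptions.

```python
"""First-match firewall policy: simulate what a rule set allows, and lint it for
a missing default deny and for rules shadowed by an earlier, broader rule.
Added example; rule format and sample policies are assumptions."""
import ipaddress
from dataclasses import dataclass

ADMIN_PORTS = {"22", "23", "3389", "445"}   # assumed: never allowed from any source


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: str    # destination port, or "any"


def matches(rule, proto, src_ip, dst_ip, dport):
    return (rule.proto in ("any", proto)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.dport in ("any", dport))


def decide(rules, proto, src_ip, dst_ip, dport):
    """Action of the first matching rule; implicit deny if nothing matches."""
    for rule in rules:
        if matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`,
    i.e. `inner` can never be reached when it sits below `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in ("any", inner.dport))


def lint(rules):
    findings = []
    last = rules[-1] if rules else None
    if last != Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", "any"):
        findings.append("no explicit default-deny rule at the end of the policy")
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                findings.append("rule %d (%s %s %s->%s:%s) is shadowed by rule %d"
                                % (i, rule.action, rule.proto, rule.src, rule.dst, rule.dport, j))
                break
        if (rule.action == "allow" and ipaddress.ip_network(rule.src).prefixlen == 0
                and (rule.dport == "any" or rule.dport in ADMIN_PORTS)):
            findings.append("rule %d allows %s port %s from any source"
                            % (i, rule.proto, rule.dport))
    return findings


# Constructed sample policies (not DLIS configuration).
WEAK = [
    Rule("allow", "any", "0.0.0.0/0", "10.0.0.0/8", "any"),      # catch-all allow on top
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.1.5/32", "3389"),     # never reached
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.1.5/32", "22"),      # SSH open to the world
]
GOOD = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.2.10/32", "443"),    # public web server
    Rule("allow", "tcp", "10.0.9.0/24", "10.0.1.5/32", "22"),    # SSH only from admin VLAN
    Rule("allow", "udp", "10.0.0.0/8", "10.0.1.53/32", "53"),    # internal DNS
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", "any"),        # explicit default deny
]

if __name__ == "__main__":
    print("RDP from Internet under WEAK:", decide(WEAK, "tcp", "203.0.113.7", "10.0.1.5", "3389"))
    for f in lint(WEAK):
        print("WEAK:", f)
    print("GOOD findings:", lint(GOOD))
```

In the weak policy the catch-all allow on top means the later deny for RDP never fires; the simulation shows RDP from the Internet being allowed, which is exactly what the shadowing finding predicts. The corrected policy permits only HTTPS to the web server, SSH from the admin VLAN, and internal DNS, and ends with the explicit deny.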
Tools and Practices:
A Risk Log will be maintained by the project manager and will be reviewed as a standing agenda item for project team meetings.
Disaster Recovery Plan
An information technology (IT) disaster recovery (DR) plan provides a structured approach for responding to unplanned incidents that threaten an IT infrastructure, which includes hardware, software, networks, processes and people. Protecting the Defense Logistics Information Services’ (DLIS) investment in its technology infrastructure, and protecting their ability to conduct business are the key reasons for implementing an IT disaster recovery plan. We will provide step-by-step procedures for recovering disrupted systems and networks, and help them resume normal operations in a timely manner. The goal of these processes is to minimize any negative impacts such as loss of revenue and loss of data and confidentiality to DLIS operations. The IT disaster recovery process identifies critical IT systems and networks; prioritizes their recovery time objective; and outlines the steps needed to restart, reconfigure, and recover them. A comprehensive IT DR plan also includes all the relevant supplier contacts, sources of expertise for recovering disrupted systems and a logical sequence of action steps to take for a smooth recovery.
•Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
•Backup and Recovery warm-sites. Formal Backup and Recovery policies and procedures.
•Conduct the business impact analysis (BIA). The business impact analysis helps to identify and prioritize critical IT systems and components.
•Identify preventive controls. These are measures that reduce the effects of system disruptions and can increase system availability and reduce contingency life cycle costs.
•Develop recovery strategies. Thorough recovery strategies ensure that the system can be recovered quickly and effectively following a disruption.
•Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
•Plan testing, training and exercising. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
•Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.
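The contingency planning steps above call for a business impact analysis that identifies critical systems, assigns recovery time objectives, and orders their recovery. The added example below (not from the original plan) takes constructed BIA data with assumed RTOs, restore estimates, and dependencies, produces a dependency-respecting recovery sequence, projects when each system would actually be back, and flags two inconsistencies a plan review should catch before a disaster rather than during one: a system whose dependency chain cannot meet its RTO, and a system that depends on something with a looser RTO than its own.

```python
"""Dependency-aware recovery sequencing from BIA data: restore dependencies first,
tightest RTO first among what is ready, and check whether the chain of restore
times can actually meet each system's RTO. Added example; the system list,
RTOs, restore estimates and dependencies are constructed, not DLIS data."""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    rto_hours: float                        # recovery time objective from the BIA
    restore_hours: float                    # estimated restore time once dependencies are up
    depends_on: list = field(default_factory=list)


def recovery_order(systems):
    """Topological order; among systems whose dependencies are restored,
    pick the one with the tightest RTO. Raises on a dependency cycle."""
    by_name = {s.name: s for s in systems}
    remaining, done, order = set(by_name), set(), []
    while remaining:
        ready = [n for n in remaining if all(d in done for d in by_name[n].depends_on)]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda n: (by_name[n].rto_hours, n))
        order.append(nxt)
        done.add(nxt)
        remaining.remove(nxt)
    return order


def projected_finish(systems):
    """Earliest completion per system, assuming independent systems are restored
    in parallel: finish = max(finish of dependencies) + own restore time."""
    by_name = {s.name: s for s in systems}
    finish = {}
    for name in recovery_order(systems):
        s = by_name[name]
        finish[name] = max((finish[d] for d in s.depends_on), default=0.0) + s.restore_hours
    return finish


def rto_findings(systems):
    """RTOs that the plan cannot meet, and RTOs that contradict a dependency's RTO."""
    by_name = {s.name: s for s in systems}
    finish = projected_finish(systems)
    findings = []
    for s in systems:
        if finish[s.name] > s.rto_hours:
            findings.append("%s: projected %.1f h exceeds RTO %.1f h"
                            % (s.name, finish[s.name], s.rto_hours))
        for d in s.depends_on:
            if by_name[d].rto_hours > s.rto_hours:
                findings.append("%s: depends on %s whose RTO (%.1f h) is looser than its own (%.1f h)"
                                % (s.name, d, by_name[d].rto_hours, s.rto_hours))
    return findings


# Constructed BIA data; names, hours and dependencies are assumptions.
SAMPLE = [
    System("Active Directory", rto_hours=4, restore_hours=2),
    System("DNS", rto_hours=4, restore_hours=1),
    System("Database", rto_hours=8, restore_hours=5, depends_on=["Active Directory"]),
    System("File server", rto_hours=8, restore_hours=3, depends_on=["Active Directory"]),
    System("DLIS catalog web app", rto_hours=4, restore_hours=2,
           depends_on=["Active Directory", "Database"]),
]

if __name__ == "__main__":
    print("Recovery order:", recovery_order(SAMPLE))
    for name, hours in projected_finish(SAMPLE).items():
        print("  %-22s back after %.1f h" % (name, hours))
    for f in rto_findings(SAMPLE):
        print("FINDING:", f)
```

In the sample the web application carries a 4-hour RTO but cannot come up until the database it depends on is restored, which takes 7 hours; either the database RTO and restore strategy are tightened (for example a warm-site replica) or the web application's RTO is corrected, but the plan should not be signed off with the contradiction in it.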
Types of Teams
•Senior Management support
•Technical team members
•IT Interns for DLIS
In the Event of a Disaster
The actions taken in the initial minutes of an emergency are critical. A prompt warning to employees to evacuate, shelter or lockdown can save lives. A call for help to public emergency services that provides full and accurate information will help the dispatcher send the right responders and equipment. An employee trained to administer first aid or perform CPR can be lifesaving. Action by employees with knowledge of building and process systems can help control a leak and minimize damage to the facility and the
•Minor Damage Scenarios
•Employee theft or fraud
•Change employee login information when an employee leaves the company. Monitor audit logs and surveillance for more potential employee threats.
•Major Damage Scenarios
•Hurricane and water damages
•Redundancy servers, backups and off-site back-up facilities. Maintain a log of all data stored. Have a temporary or mobile network site available for operations until the site can be brought back online.
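The minor-damage scenario above (and the earlier recommendation to change employee login information when an employee leaves) reduces to a check that can be automated against HR data and audit logs. The added example below, which is not part of the original plan, parses constructed sshd-style audit log lines and compares them with a constructed offboarding roster and account list; it reports terminated users whose accounts are still enabled, successful logins by a terminated user after the last working day, and failed attempts by such users, which show the credentials are still known to someone. The log format, roster, and account list are assumptions.

```python
"""Offboarding check over audit logs: flag terminated users whose accounts are
still enabled, and any login or login attempt by a terminated user after the
last working day. Added example; the log format (ISO timestamp + sshd-style
message), the roster and the account list are constructed."""
import re
from datetime import date, datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for sshd auth events, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def audit_offboarding(log_lines, terminated, accounts):
    """terminated: user -> last working day (date); accounts: user -> {"enabled": bool}.
    Activity on or before the last working day is expected; anything later is flagged."""
    findings = []
    for user, last_day in sorted(terminated.items()):
        if accounts.get(user, {}).get("enabled", False):
            findings.append({"kind": "still_enabled", "user": user,
                             "detail": "account enabled, last working day %s" % last_day})
    for line in log_lines:
        ev = parse_line(line)
        if ev is None or ev["user"] not in terminated:
            continue
        if ev["ts"].date() <= terminated[ev["user"]]:
            continue
        kind = ("login_after_termination" if ev["result"] == "Accepted"
                else "attempt_after_termination")
        findings.append({"kind": kind, "user": ev["user"],
                         "detail": "%s %s on %s from %s"
                                   % (ev["result"], ev["method"], ev["host"], ev["ip"])})
    return findings


# Constructed sample data: audit lines, offboarding roster, directory export.
LOG = """\
2024-03-14T08:02:11 fs01 sshd[2231]: Accepted password for jdoe from 10.0.9.4 port 51122 ssh2
2024-03-14T17:40:03 fs01 sshd[2240]: Accepted password for asmith from 10.0.9.9 port 4410 ssh2
2024-03-15T23:11:02 web01 sshd[919]: Accepted publickey for asmith from 10.0.9.9 port 50220 ssh2
2024-03-16T02:07:55 web01 sshd[940]: Failed password for invalid user bwong from 198.51.100.3 port 33012 ssh2
2024-03-16T09:00:00 web01 systemd[1]: Started OpenSSH server daemon.
""".splitlines()

TERMINATED = {"asmith": date(2024, 3, 14), "bwong": date(2024, 3, 1)}
ACCOUNTS = {"jdoe": {"enabled": True}, "asmith": {"enabled": True}}   # bwong already removed

if __name__ == "__main__":
    for f in audit_offboarding(LOG, TERMINATED, ACCOUNTS):
        print("%-26s %-8s %s" % (f["kind"], f["user"], f["detail"]))
```

The same comparison extends to VPN, RDP, and application logs by adding a pattern per source; the point is that the HR roster, not the directory, is the source of truth for who should still be able to log in, and the directory and the logs are both checked against it.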
DLIS will define roles and responsibilities, where to assemble employees if forced to evacuate the building, and lists of key contacts and their contact information, prepared in advance so that the disaster recovery plan can be authorized and launched without delay.
Risk Management Plan Approval:
The undersigned acknowledge they have reviewed the Risk Management Plan for the project. Changes to this Risk Management Plan will be coordinated with and approved by the undersigned or their designated representatives.