Thursday, September 11, 2008

NIST 800-30


1. What is the National Institute of Standards and Technology (NIST)?

NIST is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.

2. What role does NIST play in information assurance?

NIST develops the standards and guidelines that federal agencies apply to information systems that are not designated as national security systems. Its Federal Information Processing Standards (FIPS) are mandatory for federal agencies; its Special Publications, such as SP 800-30, are guidelines rather than mandatory, binding standards, and organizations outside the federal government may adopt them voluntarily.

3. What is the purpose of NIST Special Publication 800-30?

The purpose is to provide a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems.

4. What is the principal goal of an organization's risk management process?

The principal goals of an organization's risk management process are:

(1) securing the IT systems that store, process, or transmit organizational information;

(2) enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget;

(3) assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

5. According to NIST, what three processes compose risk management?

Risk management encompasses three processes:

(1) Risk Assessment,

(2) Risk Mitigation,

(3) Evaluation and Assessment.

6. How does risk management relate to the System Development Life Cycle (SDLC)?

Risk management is meant to be integrated into every phase of the SDLC. For each of the five phases, 800-30 lists the phase characteristics and the support that risk management activities provide:

Phase 1—Initiation

Phase characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.

Support from risk management activities: Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy).

Phase 2—Development or Acquisition

Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.

Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development.

Phase 3—Implementation

Phase characteristics: The system security features should be configured, enabled, tested, and verified.

Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation.

Phase 4—Operation or Maintenance

Phase characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures.

Support from risk management activities: Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces).

Phase 5—Disposal

Phase characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software.

Support from risk management activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.

7. NIST 800-30 defines seven IA "key roles". Name and briefly describe them.

Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision-making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

Chief Information Officer (CIO). The CIO is responsible for the agency's IT planning, budgeting, and performance, including its information security components. Decisions made in these areas should be based on an effective risk management program.

System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address the integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancement, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support this process.

Business and Functional Managers. The managers responsible for business operations and the IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.

Information System Security Officer (ISSO). IT security program managers and computer security officers are responsible for their organizations' security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations' missions. ISSOs also act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis.

IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for the proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.

Security Awareness Trainers (Security/Subject Matter Professionals). The organization's personnel are the users of the IT systems. Use of the IT systems and data according to an organization's policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization's IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.

8. How does NIST 800-30 define a risk?

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

9. How does NIST 800-30 define a threat?

Threat is defined as the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

10. How is a threat-source defined? In your answer, name three common threat sources.

A threat-source is defined as either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

The three common threat sources are:

- Natural threats: floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

- Human threats: events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).

- Environmental threats: long-term power failure, pollution, chemicals, liquid leakage.

11. How does NIST 800-30 define vulnerability?

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

12. According to NIST, whose responsibility is IT security (technical or management)?

Management. NIST treats risk management as a management function: senior management and the business and functional managers own the mission, decide which risks to accept, assign responsibilities, and fund the controls, and a system is authorized (accredited) to operate on the basis of their risk decisions. Technical staff, the IT security practitioners, implement and operate the controls, but they do not own the risk.

13. Used appropriately, what does a security control accomplish?

Security controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information. Security controls, when used appropriately, can prevent, limit, or deter threat-source damage to an organization’s mission.

14. Define, compare, and contrast technical controls, management controls, and operational controls.

Technical Security Controls

Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware. All of these measures should work together to secure critical and sensitive data, information, and IT system functions. Technical controls can be grouped into the following major categories, according to primary purpose:

Support: Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other controls.

Prevent: Preventive controls focus on preventing security breaches from occurring in the first place.

Detect and Recover: These controls focus on detecting and recovering from a security breach.

Management Security Controls

Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an organization's mission. Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization's goals and missions. Like technical controls, management controls can be preventive, detection, or recovery controls, all implemented to reduce risk.

Operational Security Controls

An organization's security standards should establish a set of controls and guidelines to ensure that security procedures governing the use of the organization's IT assets and resources are properly enforced and implemented in accordance with the organization's goals and mission. Management plays a vital role in overseeing policy implementation and in ensuring the establishment of appropriate operational controls. Operational controls, implemented in accordance with a base set of requirements (e.g., technical controls) and good industry practices, are used to correct operational deficiencies that could be exercised by potential threat-sources. To ensure consistency and uniformity in security operations, step-by-step procedures and methods for implementing operational controls must be clearly defined, documented, and maintained.

In short: technical controls are mechanisms built into the system itself (hardware, software, firmware); management controls are the policies, standards, and risk decisions that direct the security program; operational controls are the documented procedures people follow day to day to carry those policies out. All three are needed together, since a policy with no enforcing mechanism, or a mechanism nobody operates correctly, leaves the risk in place.

15. How can the adverse impact of a security event be described?

The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals: integrity, availability, and confidentiality.

16. Describe the difference between quantitative and qualitative assessment.

The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. The disadvantage of the qualitative analysis is that it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of any recommended controls difficult.

The major advantage of a quantitative impact analysis is that it provides a measurement of the impacts' magnitude, which can be used in the cost-benefit analysis of recommended controls. The disadvantage is that, depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner.

17. Name and describe six risk mitigation options.

Risk mitigation is a systematic methodology used by senior management to reduce mission risk.

Risk mitigation can be achieved through any of the following risk mitigation options:

Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level.

Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified).

Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability (e.g., use of supporting, preventive, detective controls).

Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.

Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.

Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

18. Name and describe the three control categories.

Technical Security Controls: mechanisms built into the system, usually a mix of hardware, software, and firmware shaped by the system architecture and engineering disciplines, that can be configured to protect against given types of threats and that work together to secure critical and sensitive data, information, and IT system functions.

Management Security Controls: the information protection policy, guidelines, and standards, carried out through operational procedures, that in conjunction with technical and operational controls manage and reduce the risk of loss and protect the organization's mission.

Operational Security Controls: the controls and guidelines in the organization's security standards that ensure the security procedures governing the use of the organization's IT assets and resources are properly enforced and implemented in accordance with the organization's goals and mission; management oversees policy implementation and ensures that appropriate operational controls are established.

19. Define residual risk.

Implementation of new or enhanced controls can mitigate risk by:

(1) eliminating some of the system's vulnerabilities (flaws and weaknesses), thereby reducing the number of possible threat-source/vulnerability pairs;

(2) adding a targeted control to reduce the capacity and motivation of a threat-source;

(3) reducing the magnitude of the adverse impact.

The risk remaining after the implementation of new or enhanced controls is the residual risk. It is the risk that management must explicitly accept, or send back for further mitigation, before authorizing the system to operate.
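The following Python is an added illustration, not part of the original post or of NIST's publication. It ties together the definition of risk as a function of likelihood and impact, the caveat that a numeric score may still have to be read qualitatively, and the three ways controls reduce risk listed above. The likelihood values (High 1.0, Medium 0.5, Low 0.1), impact values (High 100, Medium 50, Low 10) and the scale that maps the product back to High/Medium/Low are the ones SP 800-30 uses in its risk-level matrix; the threat-source/vulnerability pairs, the controls applied, and the effect assumed for each control are constructed for the example.

```python
"""Added example: risk determination and residual risk in the style of NIST SP 800-30.

The numeric ratings and the High/Medium/Low scale are the ones SP 800-30 uses in
its risk-level matrix; the threat-source/vulnerability pairs and the controls
below are constructed for illustration (hypothetical system, not from the post).
"""
from __future__ import annotations

from dataclasses import dataclass, replace

# Ordinal ratings and the numbers 800-30 attaches to them. The product is a
# convenient score, but it only means something once mapped back to a level.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def risk_level(likelihood: str, impact: str) -> tuple[float, str]:
    """Risk as a function of likelihood and impact.

    score = likelihood value x impact value; the 800-30 scale then reads
    >50 to 100 as High, >10 to 50 as Medium and 1 to 10 as Low.
    """
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return score, "High"
    if score > 10:
        return score, "Medium"
    return score, "Low"


@dataclass(frozen=True)
class Pair:
    """A threat-source/vulnerability pair with its current ratings."""
    threat_source: str
    vulnerability: str
    likelihood: str
    impact: str


def assess(pairs: list[Pair]) -> dict[tuple[str, str], tuple[float, str]]:
    """Score every pair; keys are (threat-source, vulnerability)."""
    return {(p.threat_source, p.vulnerability): risk_level(p.likelihood, p.impact)
            for p in pairs}


def overall_level(pairs: list[Pair]) -> str:
    """The system inherits the highest risk level among its pairs."""
    levels = [risk_level(p.likelihood, p.impact)[1] for p in pairs]
    return max(levels, key=LEVEL_ORDER.__getitem__) if levels else "Low"


# The three ways controls reduce risk, in the order the text lists them.
def eliminate_vulnerability(pairs: list[Pair], vulnerability: str) -> list[Pair]:
    """(1) Removing a vulnerability removes every pair built on it."""
    return [p for p in pairs if p.vulnerability != vulnerability]


def reduce_likelihood(pairs: list[Pair], vulnerability: str, to: str) -> list[Pair]:
    """(2) A targeted control lowers the threat-source's capacity or motivation."""
    return [replace(p, likelihood=to) if p.vulnerability == vulnerability else p
            for p in pairs]


def reduce_impact(pairs: list[Pair], vulnerability: str, to: str) -> list[Pair]:
    """(3) A control limits the magnitude of the adverse impact."""
    return [replace(p, impact=to) if p.vulnerability == vulnerability else p
            for p in pairs]


# Constructed sample input for a hypothetical system.
INITIAL_PAIRS = [
    Pair("Terminated employee", "Accounts of departed staff not disabled", "High", "Medium"),
    Pair("External attacker", "Vendor patch for a known flaw not applied", "Medium", "High"),
    Pair("Malicious insider", "No review of privileged-account activity", "High", "High"),
    Pair("Flood", "Server room below grade, no off-site backups", "Low", "High"),
]


def worked_example() -> dict:
    """Assess the initial pairs, apply three (assumed) controls, report residual risk."""
    before = assess(INITIAL_PAIRS)
    # Assumed control effects: HR-driven deprovisioning removes the first
    # vulnerability; monitoring plus a two-person rule lowers the insider's
    # likelihood; segmenting the unpatched host from sensitive data lowers impact.
    pairs = eliminate_vulnerability(INITIAL_PAIRS, "Accounts of departed staff not disabled")
    pairs = reduce_likelihood(pairs, "No review of privileged-account activity", "Low")
    pairs = reduce_impact(pairs, "Vendor patch for a known flaw not applied", "Low")
    return {
        "before": before,
        "before_level": overall_level(INITIAL_PAIRS),
        "residual": assess(pairs),
        "residual_level": overall_level(pairs),
        "pairs_removed": len(INITIAL_PAIRS) - len(pairs),
    }


if __name__ == "__main__":
    result = worked_example()
    for label in ("before", "residual"):
        print(f"{label}:")
        for (source, vuln), (score, level) in result[label].items():
            print(f"  {level:<6} {score:>5.1f}  {source} / {vuln}")
    print("overall:", result["before_level"], "->", result["residual_level"])
```

Two things worth noticing when running it. First, the residual risk is never zero: the flood pair is untouched and stays at Low, which is exactly the risk management must decide to accept. Second, the scores 50 (High likelihood, Medium impact) and 50 (Medium likelihood, High impact) are numerically equal but describe very different situations, which is the caveat from the quantitative-versus-qualitative discussion: the inputs are ordinal ratings, so the product is only a ranking aid and has to be read back as High, Medium, or Low rather than treated as a measured loss figure.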
