Certification and Accreditation Process: Last Phase

October 22, 2010

Remediation plan
A remediation plan is also included in the test plan to correct any weaknesses identified through the certification testing. Remediation of the controls must be carried out according to the remediation plan. This ensures that any identified vulnerabilities are fixed and the system is more secure than before.

Certification and accreditation documentation
According to Howard, the approving authority needs to see only documentation describing the system, its environment, the controls identified to protect the system and the status of those controls. So the approving authority needs to see a certification package that includes a system security plan, risk assessment, certification test plan and results, remediation plan and a certification statement.

A certification statement is a document prepared by a certifying agent showing the system has been properly certified. It shows tasks carried out during the certification process, findings, remediation recommendations and residual risk for which acceptance is recommended. The certification package is given to the approving authority for review and approval.

Documenting the accreditation decision
An accreditation decision allows the system to operate in its current security posture. It is made when the approving authority signs the accreditation letter, indicating that they have considered all the risks and have decided to let the system operate.

The approving authority must receive the certification package with a signature from the certifying agent and also a review done by the system owner and their staff. The package should then be reviewed and comments posted by interested parties such as the CISO, CFO, legal counsel etc. The system owner then develops an accreditation letter for the approving authority to sign.
The system owner must then indicate the schedule for the next re-certification and keep track of any corrective actions that are taken. Any changes to the system environment and their impact on the controls should be assessed periodically.

Certification and Accreditation Process: Certification testing

October 22, 2010

Certification testing involves developing a test plan. The plan should be a point of reference for individual testers and those supporting the testing process. It should also include the purpose and objectives of the testing process. Any assumptions applicable to the testing process must be documented. Assumptions can include issues such as the availability of personnel for testing etc.

The scope of the test plan is driven by the range of control requirements applicable to the system. Test requirements focus on the type of controls to be tested. The testing approach defines in general how testing will be done, i.e. the methodology to be used. The test plan also describes the specific tests used to test each control, the schedule for when testing will begin and end, and the test team.

The test plan must be approved and carried out. The results should cover each control and rank it as either pass or fail, and any deviation from the test plan must be documented.

Certification and Accreditation Process: Minimum security baseline & best practices

October 22, 2010

A minimum security baseline helps an organization establish a point of reference for compliance with minimum controls. A minimum security baseline can be defined as a “set of standards that are applied enterprise wide to ensure a consistent level of compliance”.

Minimum security baselines need to be created so that they reflect actual business needs, based on a risk assessment of the organization. An initial enterprise-wide risk assessment can be used as the basis for selecting an industry-accepted minimum security baseline set. Organizations can pick a minimum security baseline from international bodies such as ISO, NIST, GASSP etc. These minimum security baselines should include the organization’s policies, management statements, operational rules, laws and regulations. Organizations should adopt a security baseline set which they know they can implement.

Certification and Accreditation Process: System security plans

October 22, 2010

System security plans describe the controls planned or put in place to secure a system. A plan also provides a general view of the system’s security requirements and indicates the roles and responsibilities of the individuals who get access to the system.

A security plan can be initiated at any point in the certification and accreditation process but must be concluded before the accreditation decision is made. The security plan document should bring together information gathered from other areas, such as the risk assessment and control data from security test and evaluation.

The system security plan is a document that needs to be constantly updated. Procedures indicating who is responsible for reviewing the document should be put in place. The certification agent is responsible for confirming that the controls documented in the security plan conform to FIPS 199, while the information system owner, together with the information system security officer (ISSO) and the senior agency information security officer (SAISO), is responsible for developing the security plan, maintaining it and ensuring users get the necessary training to implement the controls.

The certification agent, at the behest of the system owner, approves the security plan; the system owner then reviews the document, approves it and forwards it to the system owner to be packaged as part of the certification and accreditation process.

The contents of a security plan consist of:
System description, i.e. the business function the system supports, the purpose of the system, the environment in which it operates in terms of hardware, software, system configuration, data flows, interconnection with other systems, the user community supported by the system, access to the system, status of the system, who is responsible for the system and its protection, security levels within the user community interacting with the system etc.

Description of controls, i.e. a description of all the controls in the system, the control requirements, the implementation status of each control and justification for those controls not implemented.

System security roles and responsibilities indicate the title, name, office, address, phone number and email of the people responsible for the security of the system, i.e. the system owner, security officer, system administrator, security manager, database administrator, approving authority, user community and developer of the system.

Security-related business drivers, i.e. external requirements that drive security controls such as legal, operational, contractual, regulatory etc.

Information categories indicate all the kinds of information processed by the system, the sensitivity of the information and the impact to the organization if the confidentiality, integrity or availability of the information is breached.

Interconnectivity is another aspect of the security plan. It deals with how the system is interconnected to other systems, its dependencies and the data input and output flows. If possible these should be depicted graphically. (Howard, 2006)

The system certification level indicates what effort needs to be put in to provide the necessary security controls.

Rules of behavior: these act as a basis for user awareness and training and as a way for users to accept their role and responsibility in securing the system. They also indicate the disciplinary actions that might be taken and the proper use of the system. Users sign documents indicating their acceptance of the rules. (OMB A-130)

Plan development information: this section describes the plan, how it was developed, what methodology was used, who developed it, source documentation, the authority for developing the plan etc. (Howard, 2006)

Certification and Accreditation Process: Assessing data sensitivity and criticality

October 22, 2010

Data sensitivity is defined by FISMA as “any loss, misuse, unauthorized access to or modification of information that could adversely affect national interest or the conduct of federal programs or the privacy to which individuals are entitled to”. Data sensitivity assessment should be based on three aspects: confidentiality, integrity and availability.

In terms of confidentiality, data should be assessed on the basis of its need for protection against disclosure. The organization needs to assess the nature of the information being processed and the impact of unauthorized disclosure of that information on the organization; that enables the organization to assess the level of confidentiality the information requires.

Integrity means that the data must be protected from unauthorized modification. The level of protection placed on data integrity depends on the loss incurred if the data were modified or altered by an unauthorized individual. It also depends on other security objectives placed on that data such as authenticity, accountability and non-repudiation, e.g. electronic transactions rely heavily on integrity and non-repudiation.

Availability concerns how long an organization will accept the non-availability of its data. To determine the appropriate level of security placed on availability of data, one needs to consider issues like timeliness, i.e. the need for data to be available to users on a timely basis, and period of operation, i.e. protection of data needs to be high during the period when systems are most critical to the business function they support.

Data sensitivity assessment should be done by the system owner. The system owner is responsible for defining the sensitivity of the data their system processes, and in some cases they might need the assistance of data owners, who tend to have a better understanding of what the data means and how it is applied in combination with other systems. The organization needs to come up with criteria for ranking data sensitivity. It can be ranked according to the type of information processed, e.g. public, financial, personal etc., or according to regulatory requirements, e.g. contractual, operational, legal requirements. Data sensitivity can also be ranked using terms such as low, moderate, high, using numbers such as 1, 2 and 3, or using color schemes such as red, amber and green.

Data criticality is used in relation to the system. It defines the importance of the system to the organization, i.e. how long the organization can accept the non-availability of the system. When assessing the criticality of the system, one needs to define which business activity is considered critical to the overall mission of the organization. The system should always be categorized as mission-critical or non mission-critical.

A system can be ranked on its criticality based on the following aspects: the financial impact on the organization of the system being at risk, harmed or unavailable; the operational importance of the system to the mission of the organization and the breadth/scope of the system’s impact; and the importance of the system based on health, life and safety considerations.

An organization can use business impact analysis as a tool to quantify or measure the criticality of the system based on time, i.e. how long the organization can tolerate the non-availability of the system. It also considers disaster recovery/contingency planning as part of the measure. Criticality is often expressed as critical or non-critical and sometimes in terms of high, moderate and low.

Certification and Accreditation Process: System Inventory process

October 22, 2010

System inventory aims to fully understand the equipment, applications and systems in place so as to be able to fully protect or secure them. The system inventory process begins with identifying business functions within the organization, after which the automated information resources are identified and categorized as either general support systems or major applications.

General support systems (GSS) are defined as an “interconnected set of information resources under the same direct management control that shares common functionality. This includes hardware, software, information, data, applications and people.” (OMB A-130, 2000)

After identification, a determination is made as to the sensitivity of the information they process. Sensitivity of data relates to its integrity, confidentiality and availability (CIA). After determining information sensitivity, the next step is to determine the importance of the system’s mission; this relates to the availability aspect of CIA, i.e. how long can an organization accept the non-availability of the system? (Howard, 2006)

After determining information sensitivity and mission criticality, major applications are identified by looking at all applications and determining which qualify as major applications and which as non-major applications. Non-major applications are then mapped to general support systems.

Major applications are defined as “an application that requires special attention to its security due to the risk and magnitude of harm resulting from loss, misuse or unauthorized access to or modification of the information in the application.” (OMB A-130, 2000)

All this information is documented and presented to the chief information officer for review by the business unit executive and the chief information officer, after which the inventory is published.

Major applications and general support systems are identified and categorized as separate assets so as not to place security emphasis where it is not needed, e.g. investing in expensive controls for general support systems like MS Word, spreadsheets etc. It is important when collecting the system inventory to minimize the amount of information collected. Emphasis should be placed on the name of the system, a description of the system, the status of the system (operational or in development), the list of systems it is connected to, data sensitivity impacts, mission criticality ranking, identification of the system’s points of contact (owner, approving authority, ISSO) and the name of the individual authorizing submission.

Three tools are used in managing the system inventory program: an inventory form, an inventory change form and an organization inventory summary. These three tools can be combined into one through an automation tool. The inventory form is used to collect system inventory information, the inventory change form records updates to the inventory, and the organization inventory summary gives the current, accurate picture of the organization’s system inventory, i.e. its general support systems and major applications.
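The sensitivity and criticality ranking described in the previous post and the inventory attributes and three inventory tools described here fit together naturally in code. The following is an added example (not from the post or from Howard): constructed inventory records carry the attributes the post lists, a change form is applied to the inventory, and a summary is produced per GSS and MA. The rule that rolls the per-information-type low/moderate/high ratings up to a single system rating is the FIPS 199 high-water mark, which is an assumption here, since the post cites FIPS 199 without describing the method.

```python
"""System inventory records (inventory form), change forms and an organization
summary, with data sensitivity rolled up per CIA objective.  Constructed
example; the high-water-mark roll-up follows FIPS 199 (assumed, not from the
post)."""
from dataclasses import dataclass, field

LEVELS = ("low", "moderate", "high")


@dataclass(frozen=True)
class InformationType:
    """One kind of information the system processes, rated per CIA objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass
class InventoryRecord:
    """One inventory form entry, limited to the attributes the post emphasizes."""
    name: str
    description: str
    kind: str                  # "GSS" or "MA"
    status: str                # "operational" or "in development"
    criticality: str           # "mission-critical" or "non mission-critical"
    max_outage_hours: int      # tolerable non-availability from the BIA
    connected_to: list = field(default_factory=list)
    information: list = field(default_factory=list)   # InformationType entries
    contacts: dict = field(default_factory=dict)      # owner, approving authority, ISSO


def high_water_mark(ratings):
    """Highest of a set of low/moderate/high ratings; unknown labels are rejected
    so a typo on a form cannot silently become the lowest rating."""
    ratings = list(ratings)
    for r in ratings:
        if r not in LEVELS:
            raise ValueError(f"unknown rating {r!r}; expected one of {LEVELS}")
    return max(ratings, key=LEVELS.index)


def sensitivity_impacts(record):
    """Per-objective impact: the highest rating across all information types the
    system processes (a system is as sensitive as its most sensitive data)."""
    return {obj: high_water_mark(getattr(i, obj) for i in record.information)
            for obj in ("confidentiality", "integrity", "availability")}


def system_category(record):
    """Single rating for the system: high-water mark across the three objectives."""
    return high_water_mark(sensitivity_impacts(record).values())


def apply_change(inventory, change):
    """Inventory change form: {"action": add|update|retire, "system": name, ...}.
    Updates touch only the fields named, so a change form never blanks
    attributes it did not mention."""
    action, name = change["action"], change["system"]
    if action == "add":
        inventory[name] = change["record"]
    elif action == "update":
        for attr, value in change["fields"].items():
            if not hasattr(inventory[name], attr):
                raise KeyError(f"{attr} is not an inventory attribute")
            setattr(inventory[name], attr, value)
    elif action == "retire":
        del inventory[name]
    else:
        raise ValueError(f"unknown action {action!r}")
    return inventory


def inventory_summary(inventory):
    """Organization inventory summary: current GSS and MA with their ratings."""
    summary = {"GSS": [], "MA": []}
    for rec in sorted(inventory.values(), key=lambda r: r.name):
        summary[rec.kind].append({
            "name": rec.name, "status": rec.status,
            "category": system_category(rec), "impacts": sensitivity_impacts(rec),
            "criticality": rec.criticality, "owner": rec.contacts.get("owner"),
        })
    return summary


def sample_inventory():
    """Two constructed systems: a major application and the GSS it runs on."""
    payroll = InventoryRecord(
        name="Payroll", description="Monthly salary processing", kind="MA",
        status="operational", criticality="mission-critical", max_outage_hours=24,
        connected_to=["Office LAN"],
        information=[InformationType("employee PII", "high", "moderate", "low"),
                     InformationType("payment records", "moderate", "high", "moderate")],
        contacts={"owner": "HR director", "ISSO": "payroll ISSO"})
    lan = InventoryRecord(
        name="Office LAN", description="Desktops, file and print services", kind="GSS",
        status="operational", criticality="non mission-critical", max_outage_hours=72,
        information=[InformationType("office documents", "low", "low", "moderate")],
        contacts={"owner": "IT operations manager"})
    return {payroll.name: payroll, lan.name: lan}


if __name__ == "__main__":
    inv = sample_inventory()
    print(inventory_summary(inv))
    apply_change(inv, {"action": "update", "system": "Office LAN",
                       "fields": {"status": "in development"}})
    print(inventory_summary(inv)["GSS"])
```

Keeping the roll-up in one function means the answer to "why is this GSS rated moderate?" is always traceable to one information type on the form, which is what the approving authority will ask when the rating drives control cost.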

Certification and Accreditation Process: Scope definition

October 22, 2010

The project scope is affected by many factors, and the project manager needs to analyze them before defining the scope. These include what types of systems are involved, how complex the systems are, the location of the systems, certification level, people involved, time constraints etc.

The project manager needs to develop a work plan that will be used to develop a schedule, project activities, milestones and deliverables. The project manager must also make assumptions where some issues are not well defined. These assumptions should be included in the work plan and resolved by management so that they become known planning factors. Assumptions can include sufficient manpower, time, scope changes, money etc.

The project manager also needs to draft a project agreement that outlines the expectations of the project team, their mission, scope, team composition, deliverables, approach, project activities and schedule. He also needs to develop a standard reporting format and procedures to improve communication between team members and between the project manager and management.

Accurate and regular reporting helps improve support and cooperation from management because they feel part of the process and are in the loop about what is going on, what is required and what problems are encountered.

Certification and Accreditation Process

October 22, 2010

Certification and accreditation project planning needs to be carried out carefully so as to be able to accurately plan for the various resources needed, e.g. people, money, time, effort etc. It is crucial for the certification and accreditation process to select a project manager who will lead the process. The project manager needs to be knowledgeable about the certification and accreditation process, needs to be a good coordinator and communicator and must have good interpersonal skills.

One of the tasks of the certification and accreditation project planning is selecting team members. The team needs to have both technical and non technical skills, have experience in the certification and accreditation process and have good people skills.

The project team includes:
Chief information officer: his role is to ensure that the organization has an information security program, including a certification and accreditation program, in place and that those programs are successfully implemented. The chief information officer works with the approving authority to ensure that the certification and accreditation program has the budget and resources it needs. He is ultimately responsible for the success or failure of the certification and accreditation program, as reflected in the grade the organization’s certification and accreditation program receives on the Federal computer security report card.

Chief information security officer (CISO): the CISO works under the chief information officer and is delegated the responsibility of overseeing the organization’s information technology security programs. These programs might include risk management, policy development, security awareness programs, incident investigation, contingency planning, compliance monitoring and the certification and accreditation program.

The CISO also works with the authorizing agent to make sure that the security requirements for the information system are agreed upon. They also agree on the key documents such as the security plan and risk assessment. The CISO also appoints the certification agent and works with him to ensure all the certification package documents are in place and the certification process is well thought out.

System owner: he is responsible for the security of an information system and for administering the information system that the certification and accreditation application runs on. He is also responsible for establishing the basis for the controls needed on an information system by establishing the sensitivity levels of the system based on the data it processes. He oversees the implementation of these controls and monitors them on a day-to-day basis.

Certifying agent (CA): the CA measures the effectiveness and completeness of security controls and makes recommendations on whether the system should receive a positive accreditation or not. Since there are many documents to analyze, the CA might be an evaluation team rather than an individual. The team checks compliance with the documented certification and accreditation handbook and makes recommendations to the CISO through a security assessment report it produces. The CA also develops templates or checklists used to score the effectiveness of controls.

Approving authority or designated approving authority (DAA): the DAA is a senior management official who, in conjunction with the chief information officer, ensures that the certification and accreditation process has enough resources. He also decides whether an information system is allowed to operate, by declaring that the organization is willing to accept the risks associated with operating the information system.

Information owner: the information owner is the individual who owns the data processed by the information system. He is concerned about the security of the information and the integrity of the data, and is responsible for issues related to the security controls protecting the databases and systems the data resides on.

TCP vs UDP

December 18, 2009

The difference between TCP and UDP that causes UDP to be called unreliable is that TCP establishes a virtual circuit: it establishes a permanent connection between the two parties and ensures end-to-end sequenced communication, after which it breaks the circuit, allowing other connection requests to develop their own virtual circuits. UDP, by contrast, does not establish any virtual circuit sessions, nor does it sequence data or guarantee error-free communication.

These circuits allow for an acknowledgement flag. TCP periodically sends an acknowledgement flag or signal, which is a hash value of previously sent data, from the sender to the receiver. If the receiver’s computed hash value does not match the sender’s hash value, then the server asks the sender to resend the last batch of data. This provides error detection and correction and therefore reliable, error-free communication.

UDP can be made reliable if one programs it to number the packets it sends over the network. This allows the receiver to know when certain packets have not been received and to request retransmission, i.e. it can provide error detection and correction. Programming UDP to request acknowledgments from the receiver is another way of making UDP reliable.
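The two ideas in the paragraph above, numbering the datagrams and acknowledging them, are the building blocks of a stop-and-wait ARQ layer. The following is an added example, not code from the post: a constructed lossy channel stands in for the network so the exchange runs offline, and both sides of the exchange are shown, including the case where the acknowledgement rather than the data is lost, which produces a duplicate that the receiver must discard but still acknowledge. The frame format (1-byte type, 4-byte sequence number) is an assumption chosen for the example; in a real deployment the same framing would sit on top of a SOCK_DGRAM socket.

```python
"""Sequence numbers and acknowledgements layered over an unreliable datagram
service (stop-and-wait ARQ).  The LossyChannel is a constructed stand-in for
the network; the framing is this example's own choice, not a standard."""
import random
import struct

# Frame header: 1-byte type (DATA or ACK) and a signed 4-byte sequence number
HEADER = struct.Struct("!Bi")
DATA, ACK = 0, 1


def frame(kind, seq, payload=b""):
    """Prepend type and sequence number to the payload."""
    return HEADER.pack(kind, seq) + payload


def unframe(datagram):
    """Split a datagram back into (kind, seq, payload)."""
    kind, seq = HEADER.unpack_from(datagram)
    return kind, seq, datagram[HEADER.size:]


class LossyChannel:
    """Drops datagrams with probability loss_rate; seeded so runs are repeatable."""

    def __init__(self, loss_rate, seed=1):
        self.rng = random.Random(seed)
        self.loss_rate = loss_rate
        self.dropped = 0

    def deliver(self, datagram):
        if self.rng.random() < self.loss_rate:
            self.dropped += 1
            return None            # the datagram vanished, like a lost UDP packet
        return datagram


class Receiver:
    """Accepts DATA frames in sequence order and acknowledges every one it sees.
    A retransmission whose ACK was lost arrives as a duplicate: it is not
    appended again, but it is acknowledged again so the sender can move on."""

    def __init__(self):
        self.expected = 0          # next sequence number we are willing to accept
        self.received = []

    def on_datagram(self, datagram):
        kind, seq, payload = unframe(datagram)
        if kind != DATA:
            return None
        if seq == self.expected:
            self.received.append(payload)
            self.expected += 1
        # Cumulative ACK: the highest in-order sequence number delivered so far
        return frame(ACK, self.expected - 1)


class Sender:
    """Stop-and-wait: send one frame, wait for its ACK, retransmit if either the
    frame or the ACK was lost, give up after max_tries attempts."""

    def __init__(self, channel, receiver, max_tries=25):
        self.channel = channel
        self.receiver = receiver
        self.max_tries = max_tries
        self.datagrams_sent = 0

    def send(self, messages):
        for seq, payload in enumerate(messages):
            acked = False
            for _ in range(self.max_tries):
                self.datagrams_sent += 1
                data = self.channel.deliver(frame(DATA, seq, payload))
                if data is None:
                    continue                          # data lost: timeout, resend
                ack = self.channel.deliver(self.receiver.on_datagram(data))
                if ack is not None and unframe(ack)[:2] == (ACK, seq):
                    acked = True
                    break
                # ACK lost: the receiver already has the frame, resend anyway
            if not acked:
                raise TimeoutError(f"no ACK for seq {seq} after {self.max_tries} tries")
        return self.datagrams_sent


def run_exchange(loss_rate=0.3, seed=7):
    """Send four constructed messages over a lossy channel; return what the
    receiver got, how many datagrams went on the wire and how many were lost."""
    messages = [b"hello", b"world", b"over", b"udp"]
    channel = LossyChannel(loss_rate, seed)
    receiver = Receiver()
    sender = Sender(channel, receiver)
    sent = sender.send(messages)
    return receiver.received, sent, channel.dropped


if __name__ == "__main__":
    received, sent, dropped = run_exchange()
    print(f"received {received}; sent {sent} datagrams; channel dropped {dropped}")
```

Every attempt either succeeds or loses exactly one datagram (the data or the ACK), so the number of datagrams sent always equals the number of messages plus the number the channel dropped; that invariant is a handy check when testing a real implementation against a fault-injecting proxy. A sliding window would replace the one-at-a-time loop, but the sequence-number and cumulative-ACK logic stays the same.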

Encapsulation allows TCP to work with the IP protocol in the following way. An application creates a message, e.g. an email message. This message is passed to a lower layer, the presentation layer, which encapsulates the message, adds its own header and footer and passes it to the next layer down. When it reaches the transport layer, TCP establishes a logical connection between the two communicating devices. It then passes the information to the network layer, where the IP protocol lives. IP provides routing information but does not guarantee delivery; it only provides IP addressing and packet fragmentation, not accuracy checking, all of which is the responsibility of TCP. This information is encapsulated and passed to the data link layer and finally to the physical layer for transmission.

Rootkits

December 18, 2009

A rootkit is software that allows a hacker to gain access to a system using a user account and increase their privileges to the same level as the administrator; sometimes they exploit vulnerabilities in the operating system to hide the execution of certain processes running in the background. A rootkit modifies the system kernel so that it can gain access to the system or evade the authentication procedures established on the system. After gaining access to the system it can then do what it wants, from key logging and changing application and system resource priorities to creating backdoors in the system.

Rootkits are difficult to detect because they hide these processes; even the task manager cannot see them. Even when a network administrator runs netstat, he cannot see the open connection established by a rootkit. Many rootkits are developed or programmed to circumvent antivirus and antispyware programs that do not have current updates. (Stewart, 2004)
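The usual defensive answer to a process list that has been filtered is a cross-view comparison: gather the list of running processes by two independent mechanisms and investigate anything that appears in one but not the other. The following is an added example, not from the post or from Stewart; it assumes Linux for the live views (a listing of /proc, which is what ps and top read, against direct kill(pid, 0) probes, which ask the kernel about each PID individually). The diff itself is a pure function over two sets, so it can be run on captured data from any pair of sources, and the sample views are constructed. It also handles the two false-positive sources a practitioner hits first: processes that start or exit between the scans, and thread IDs, which answer a kill probe but never appear in the /proc listing.

```python
"""Cross-view detection of hidden processes.  Listing view: entries of /proc.
Probe view: kill(pid, 0) for every PID up to pid_max.  PIDs that answer the
probe but are missing from the listing are candidates; transient processes
and thread IDs are filtered out before reporting.  Added example, Linux only
for the live functions."""
import os

# Constructed sample views: PID 4242 answers a probe but is missing from the
# listing, the pattern a process-hiding rootkit produces.
SAMPLE_LISTED = {1, 2, 100, 2049}
SAMPLE_PROBED = {1, 2, 100, 2049, 4242}


def hidden_in_listing(listed, probed):
    """PIDs the probe view knows about but the listing view omits (pure)."""
    return sorted(set(probed) - set(listed))


def listing_view():
    """Ordinary view: numeric entries of /proc, the same source ps reads."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pid_exists(pid):
    """kill(pid, 0) delivers no signal; PermissionError still means the PID
    exists (it belongs to another user), ProcessLookupError means it does not."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probe_view(max_pid=None):
    """Independent view: probe every PID up to the kernel's pid_max."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768          # assumed fallback when pid_max is unreadable
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def thread_group_id(status_text):
    """Parse the Tgid line of a /proc/<pid>/status file; None if absent (pure)."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def is_thread(pid):
    """A kill probe also answers for thread IDs, which are never listed in /proc;
    /proc/<tid>/status is still reachable by direct path, and for a non-leader
    thread its Tgid differs from the TID."""
    try:
        with open(f"/proc/{pid}/status") as f:
            tgid = thread_group_id(f.read())
    except OSError:
        return False
    return tgid is not None and tgid != pid


def cross_view_check(rechecks=2):
    """Run both views, then re-check candidates so a process that merely
    started or exited between the two scans is not reported."""
    suspects = set(hidden_in_listing(listing_view(), probe_view()))
    for _ in range(rechecks):
        if not suspects:
            break
        listed = listing_view()
        suspects = {p for p in suspects
                    if p not in listed and pid_exists(p) and not is_thread(p)}
    return sorted(suspects)


if __name__ == "__main__":
    print("sample diff:", hidden_in_listing(SAMPLE_LISTED, SAMPLE_PROBED))
    if os.path.isdir("/proc"):
        print("live suspects:", cross_view_check())
    else:
        print("no /proc on this host; live check skipped")
```

On a modern kernel pid_max can be several million, so the live probe takes a few seconds; that is acceptable for a triage script. A kernel-mode rootkit that hooks the syscall path can lie to both views, so a clean result is evidence, not proof, and the same comparison is worth repeating for sockets (for example /proc/net/tcp against what ss or netstat print) to cover the hidden-connection case the post mentions.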