UNCLASSIFIED
Information Systems Compliance and Inspection Trends
2012 Joint Security Awareness Council Seminar
By: Tim Chancellor
Robert Huth, Speaker
IS Compliance Requirements
1-206 Security Reviews
Contractor Reviews. Contractors shall review their security system on a continuing basis and shall also conduct a formal self-inspection at intervals consistent with risk management principles.
8-103. IS Security Manager (ISSM). The ISSM:
Ensures that periodic self-inspections of the facility's IS Program are conducted as part of the overall facility self-inspection program and that corrective action is taken for all identified findings and vulnerabilities. Self-inspections are to ensure that the IS is operating as accredited and that accreditation conditions have not changed.
Are self-inspections enough?
Compliance Program
What is compliance?
Compliance simply means meeting the requirements of a regulation or standard.
What are these regulations or standards?
NISPOM Chapter 8
ISFO Manual
Baseline Security Configurations
ISSPs
Other ODAA documents
NIST 800 series
DISA STIGs
Compliant Program
Systems in place include:
Means to identify requirements
Procedures to prevent non-compliance
Testing the procedures to ensure they work
Fixing any issues discovered
Ensuring the issues don’t repeat
Documenting the procedures, test controls and results (tracking)
You say what you do and do what you say.
ODAA Metrics
ODAA is keeping metrics:
On plan submittal
Number of errors ISSMs make
Will report ISSMs to the Corporate FSO as unsuitable
ODAA Manual
The ISSM will be given two opportunities for resubmission. If after the second resubmission (or third submission) the plan is still rejected, the plan will be archived, and appropriate corporate management will be notified.
Trends in Compliance
ISSPs are testing ISSM and ISSO competence during ATO reviews and annual inspections
DSS is now nearly or fully staffed
Conducting a more in-depth look during inspections
ISSPs are trained and knowledgeable on all operating systems
Approvals and oversight by the ISSPs come down to trust. Do they trust you? Without a structured program that’s repeatable, trust will be hard to build.
ODAA expects ISSMs and ISSOs to understand and to implement risk management practices based on standards
Master System Security Plans (MSSPs) getting more attention
Strict adherence to the ISFO Process Manual
MSSPs for MUSA test sets and multiple-type test sets must be delineated on separate profiles
Trends in IS Inspections
We’re seeing more technical findings related to OS and applications
ISSPs are paying particular attention to hardware baselines and configuration diagrams for accuracy
What’s going to get me in trouble with DSS?
Systems self-certified but inconsistent with the MSSP
Example
MSSP MUSA reflects a system in a closed area, but it resides in a restricted area
Policy lockout is set for 5 tries when the policy states a max of 3 tries
Trends in IS Inspections (cont’d)
SSP documentation incomplete or inaccurately reflecting the operational requirements
ODAA baseline configurations not implemented
Not doing weekly audits
Logs not properly filled out
ODAA is emphasizing both administrative and technical security requirements
Administrative
Contractual
Technical
Standards
ODAA expects ISSMs and ISSOs to understand and to implement risk management practices based on standards
DSS Audit Trends
Details, details, details
Compliance, compliance, compliance
Audit logs not protected
BIOS not protected or configured properly
Operating system certification checklists not documented
User revalidations not being conducted
Local system security policies on the system not matching what is identified in the plan
Trusted download issues
Administrative accounts (passwords on administrative accounts set to never expire)
Making sure all classified/unclassified media is marked properly
Hardware that is called out in the profile is not found, and there is no record in the hardware removal log indicating when the hardware was removed
When hardware is removed from the baseline it must be documented in the maintenance log, including any clearing or sanitization performed
System not approved for periods processing
DSS Audit Trends
• Spreadsheet of all IS showing they tie back to the original MSSP and ATO letter (family tree concept)
• Strict adherence to the Industrial Security Field Operations (ISFO) Process Manual Master System Security Plan requirements
• Checked all operating systems (O/S) used on campus to ensure they are approved under an active MSSP
• All O/S listed on the software baseline were checked for an antivirus solution. If one is not available you must list the actions taken to remediate the non-compliance
• At least one system with the O/S listed on the software baseline for each IS was checked for compliance with the associated MSSP
• IP addresses were checked on the LANs and WANs to determine their origin and IEEE 802.3 compliance
DSS Audit Trends
Review of every MSSP and Profile was conducted for accuracy
Annual revalidation and training requirement was questioned and the process provided
Questioned how often backups of security audit data were done and if backups were stored at an off-site location
BIOS on each reviewed system checked for boot order and Bluetooth connection on laptops
Requested documentation on systems that were mobile within the facility and off-site locations. Also wanted an explanation of the mobile system process
Asked the ISSO to attempt to remove a random Dynamic Link Library (DLL) file from the System32 directory and then find the action in the Event Viewer logs
DSS Audit Trends
Checked for Telnet on Unix systems
Checked audit logs for all network encryption devices to ensure they were being maintained
Looked for current service packs on operating systems
Checked hardware to ensure it was listed on the baseline or maintenance log
Checked the NIC and network services on all of the standalones to make sure they were not enabled
Questioned if a policy was in place for identifying those who use group accounts, e.g. Administrator or root
Checked DD 254s to see if the Level of Concern is really “Basic” and if there really is a contractual requirement
DSS Audit Trends
Anti-virus definitions out of date (max of 30 days for updates)
System configuration no longer conforms to the MSSP under which it was accredited
Software baselines not accurately reflecting all security-relevant software
Privileged users not acknowledging in writing that they understand their responsibilities
More hardware nomenclature is being compared to hardware baselines, to include hard drives
Ensure there is a direct correlation between self-certified systems and the profile under which they were certified
Ensure group passwords are set to expire
DSS Audit Changes
Security Rating Matrix (Enhancements)
Primary goals
More quantifiable, less subjective rating process
Standardize and improve consistency
Takes into account all aspects of the contractor facility's security program
Uses a numerical rating system that gives credit for items exceeding the NISPOM, and deducts points for administrative or serious findings
Rating calculation scored based on above-and-beyond requirements; isolated, systemic and repeat administrative findings; and serious findings
Security Rating Matrix (Enhancements)
New ISFO Process Guide Highlights (May 26th implementation)
Lockout Policy
3 unsuccessful attempts in 15 minutes
60-minute lockout period
Generic and Group Accounts
All generic or group accounts will be deleted or disabled
GCA letter is required if the account is required to stay active
Self-certification lost due to the customer letter
Passwords
14 characters with complexity (uppercase, lowercase, numbers)
Special characters not mentioned
60-day expiration
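As an added example that is not part of the briefing slides: a Python script that parses the INF written by `secedit /export /cfg <file>` on a Windows system and compares the [System Access] values with the account-policy figures above, reporting each deviation the way the 5-try-versus-3-try lockout in the Trends in IS Inspections slide would be written up. The baseline table is taken from this slide and the sample export is constructed for the example; both are assumptions, and the approved SSP for your system is what the ISSP actually compares the machine against.

```python
"""Compare an exported Windows local security policy with the account-policy
values an approved plan calls for, and list each deviation as a finding.

Input is the INF written by ``secedit /export /cfg policy.inf`` (a real,
INI-like format; on disk it is UTF-16, so read it with encoding="utf-16").
The baseline table uses the ISFO Process Guide figures from the briefing and
the sample export below is constructed for this example.
"""
from __future__ import annotations

from typing import Callable

# Assumed baseline: the figures the briefing attributes to the ISFO Process
# Guide. Each entry is (predicate over the integer value, plain-English
# requirement). Substitute the values in your own approved SSP.
ISFO_BASELINE: dict[str, tuple[Callable[[int], bool], str]] = {
    # 3 unsuccessful attempts in 15 minutes -> 60-minute lockout.
    # LockoutBadCount = 0 means accounts are never locked out at all.
    "LockoutBadCount": (lambda v: 1 <= v <= 3, "lock out after at most 3 failed attempts"),
    "ResetLockoutCount": (lambda v: v >= 15, "count failed attempts over at least 15 minutes"),
    # secedit writes a negative LockoutDuration when an administrator must
    # unlock the account manually, which is stricter than 60 minutes.
    "LockoutDuration": (lambda v: v < 0 or v >= 60, "lockout lasts at least 60 minutes"),
    # 14 characters with complexity, 60-day expiration.
    # MaximumPasswordAge = -1 is how secedit records "password never expires".
    "MinimumPasswordLength": (lambda v: v >= 14, "passwords at least 14 characters"),
    "PasswordComplexity": (lambda v: v == 1, "password complexity enabled"),
    "MaximumPasswordAge": (lambda v: 1 <= v <= 60, "passwords expire within 60 days"),
}


def parse_secedit_inf(text: str) -> dict[str, dict[str, str]]:
    """Parse a secedit INF export into {section: {key: value}}.

    A hand-rolled parser is used instead of configparser so that keys such as
    the registry paths under [Registry Values] survive untouched and a stray
    byte-order mark on the first line does not break parsing.
    """
    sections: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    return sections


def audit_account_policy(text: str, baseline=ISFO_BASELINE) -> list[str]:
    """Return one finding per baseline item the exported policy fails.

    A missing key is itself a finding: secedit omits ResetLockoutCount and
    LockoutDuration entirely when LockoutBadCount is 0, i.e. when the system
    never locks accounts out.
    """
    access = parse_secedit_inf(text).get("System Access", {})
    findings: list[str] = []
    for key, (meets, requirement) in baseline.items():
        if key not in access:
            findings.append(f"{key}: not set (requirement: {requirement})")
            continue
        try:
            value = int(access[key])
        except ValueError:
            findings.append(f"{key}: unparseable value {access[key]!r}")
            continue
        if not meets(value):
            findings.append(f"{key} = {value} (requirement: {requirement})")
    return findings


# Constructed excerpt of a secedit export from a hypothetical self-certified
# system: the 5-try lockout the briefing cites as a finding, a 30-minute
# lockout, 8-character passwords and a never-expiring password age.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for finding in audit_account_policy(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

On a real system, run `secedit /export /cfg policy.inf` from an elevated prompt, read the file with `open("policy.inf", encoding="utf-16")` and pass its contents to `audit_account_policy`; keep the export with the self-inspection record, since it is the evidence that the system matched the plan on the day you checked.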
Takeaways
Brief ISSP inspectors on how things work at your facility.
The “devil is in the details” remains true about plan documentation.
Ensure your logs contain sufficient information that someone with no knowledge of your facility will have the information required to make proper judgments.
Ensure ODAA baseline configuration requirements are being met.
Strict adherence to the Master Plan concept and self-certification requirements specified in the ISFO Process Manual.
Ensure that everything you self-certify can be traced back to a document that authorizes your action.
DSS audits are becoming more quantifiable and less subjective.
Questions?