pureFISMA Expanded

triangledriprock, Internet and Web Development

Aug 7, 2012

FISMA Certification Workflow, Communication & Management Framework

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Overview

- Solving for Security Compliance
- Business Case / Requirements
- Design
- Architecture
- Approach
- User Interface
- Functional Highlights
- Functional Details
- Value Added / ROI
- Company Profile

Solving for Security Compliance

FISMA / PRISMA Methodology

Overall Focus

Review the strategic and technical aspects of the logical/physical security program. The review identifies the level of maturity of the security program and the customer's and/or corporate ability to comply with existing requirements in nine (9) topic areas (TA).

Assessment Model

Analyze five levels of compliance maturity: policy, procedures, implementation, test, and integration. This employs a standardized approach to review and measure the information security posture of an information security program.

We believe that a logical and physical security program should be implemented on an agency enterprise level to provide information security for the information and information systems that support the operations and assets of the organization, including those provided or managed by another agency, contractor, or other sources. We assist agencies in doing this through the ...

A PRISMA Methodology (Program Review for Information Security Management Assessment)

Review stages shown in the methodology diagram:
- Policy Mapping
- Procedures Analysis & Documentation
- Tests Verification & STE Case Analysis
- Implementation
- Security Control Alignment
- Integration into FISMA Lifecycle

Topic Areas (TA): Management, Operational, and Technical Areas
1. Security Management & Culture
2. Security Planning
3. Security Awareness, Training, and Education
4. Budget and Resources
5. Life Cycle Management
6. Certification and Accreditation
7. Critical Infrastructure Protection
8. Incident and Emergency Response
9. Security Controls

Business Case / Requirements

Modern Information Security Oversight Presents Several Challenges…
- Distributed Risks
- Lack of Visibility / Tracking
- Complex Compliance Frameworks (FISMA, HIPAA, etc.)
- Timeliness
- Certification & Accreditation (C&A) Requirements
- Increasing and hard to manage costs

…That Can Be Overcome By Leveraging A Proven Methodology And A Modern, Purpose-Built Tool

pureFISMA enables effective risk management by:
- Providing insight into organizational Risks, distributed or local
- Guiding information gathering & management workflows, from system initiation through continuous monitoring
- Streamlining the review & approval of submitted information systems
- Tracking Events and Notifying in Real-Time
- Delivering high-level compliance metrics for organizational oversight

Application Capability

Customizable Application Framework
- Highly Scalable
  - No account or seat limitations
  - Easily adapts to increases in user/data volume
- Interoperable
  - Can run on multiple platforms
- Open Architecture
  - Allows for future functionality & features to address changes in organizational requirements
- Simplified Enhancement / Version Deployment
  - New features are available to all users instantly, eliminating the time and effort of distributed, independent upgrading

User Functionality
- Stakeholder/Responsible Party/User Management & Tracking
- Customizable Authentication & Authorization for Users
- Pre-Populated Security Control Definitions
  - NIST SP 800-53 / SP 800-53(A)
- Input/Edit Security Control Implementation Statements
  - Statements mapped to controls, history and audit trail, and Policy Management
- One click, detailed reporting
  - Scope filters, full search capability
- Linking to POA&M, C&A Documentation, and Continuous Monitoring

Application Overview

The pureFISMA tool is made up of a data model and business logic layer designed to support a compliance workflow management system having a particular set of generalized core features.

These core features are delivered via a User Interface tailored to Client specifications after requirements have been gathered:
- Role/Group-Based User permissions
- Integration with various Directory Servers for authentication
- Task Management
- Scheduling / Event Triggering
- Subscription-Based Notifications / Reminders
- Notification Center
- Reporting
- Versioning
- Data Import Engine (for importing scan data from 3rd party vulnerability scanning tools)

Application Architecture

Layer              Architecture                          Environment    Technology
Application Layer  Tomcat, JBoss, WebSphere, WebLogic    Java           Hibernate, Spring
User Interface     Apache, IIS                           Adobe Flex     BlazeDS
Data Storage       MySQL, Oracle, SQL Server             SQL Database   -

Application Approach

pureFISMA was designed around 3 distinct audiences or ‘perspectives’, each presenting a particular functional emphasis*:

- Organization (e.g., Study Center / Information System)
  - Information Input
  - Continuous Monitoring
  - Asset Management
- Compliance (e.g., Mission Assurance Team / Information Security Dept)
  - Input Approval/Rejection
  - Commenting
- Executive (e.g., Program Office / Department Head)
  - Aggregation
  - Insight
  - Communication

*The perspective presented is determined at login based on the authenticated user’s role

Functional Highlights

Real-Time FISMA Compliance Monitoring

- C&A Workflow Management
  - Track/Update C&A progress, Documentation package, and ATO Status
  - Document repository with Built-in Revision Tracking and Restore
  - POA&M items and Continuous Monitoring tasks
- Configuration Management
  - Hardware inventory
  - Vulnerability scan files and tracking
  - In-place control verification and tracking
- Automatic Event Notification System
  - Unified Notification Center
  - Subscription-Based Email alerts, including:
    - Missing/upcoming control requirements
    - Continuous Monitoring Defects
- POA&M Tracking System
  - Sort by issue type; control family
  - Map to security control; responsible party
  - Author (user or accreditation source)
  - Scheduled completion date
  - Full resolution history

User Interface

- Advanced Search & Filtering
- Customized, Real-Time Dashboard
- High-Level Aggregate Compliance Metrics

pureFISMA features a robust and modern user interface using the latest open source technology to provide highly customizable features.

Functional Details

Users & Permissions

pureFISMA includes the following 7 pre-defined roles, which can be extended / tailored based on client requirements:

Organization
- User
  - Default: Read Only
  - Full Control: As Assigned
    - Per Control
    - Control Family
    - Control Class
- Admin
  - Default: Full Control
  - Create Org User
  - Assign Responsible Party
  - Submit System for Approval
- Admin (System Owner)
  - Same as Admin

Compliance
- User
  - Default: Read Only (All Orgs)
  - Approve/Reject: As Assigned
    - Per Org
- Admin
  - Default: Approve/Reject (All Orgs)
  - Create Organization Admin
  - Create Compliance User
  - Assign Org
  - Submit System for ATO

Executive
- User
  - Default: Read Only
  - Limited Reporting
- Admin
  - Default: Full Control
  - Create Compliance Admin
  - Create Executive User
  - Send Broadcast Message
  - Full Reporting
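The role table above describes a least-privilege model: Organization Users default to Read Only and gain Full Control only where it is assigned at control, family or class granularity, while Compliance Users may Approve/Reject only in assigned orgs. The following is an added example of how such a resolution check can be written; it is not pureFISMA's code, and the User fields and function names are assumptions. The family-to-class grouping follows NIST SP 800-53 Rev. 3.

```python
"""Permission resolution following the pureFISMA role table above.
Added example, not the product's code. Family-to-class grouping follows
NIST SP 800-53 Rev. 3 (Management / Operational / Technical)."""
from dataclasses import dataclass, field

# Management and Technical families per SP 800-53 Rev. 3; all others are Operational.
CLASS_OF_FAMILY = {
    "CA": "Management", "PL": "Management", "RA": "Management", "SA": "Management",
    "AC": "Technical", "AU": "Technical", "IA": "Technical", "SC": "Technical",
}

def family_of(control_id: str) -> str:
    return control_id.split("-")[0].upper()          # "AC-2" -> "AC"

def class_of(control_id: str) -> str:
    return CLASS_OF_FAMILY.get(family_of(control_id), "Operational")

@dataclass
class User:
    name: str
    perspective: str                 # "Organization", "Compliance" or "Executive"
    role: str                        # "User", "Admin" or "Admin (System Owner)"
    controls: set = field(default_factory=set)   # Org User: Full Control per control
    families: set = field(default_factory=set)   # ... per control family
    classes: set = field(default_factory=set)    # ... per control class
    orgs: set = field(default_factory=set)       # Compliance User: Approve/Reject per org

def control_permission(user: User, control_id: str) -> str:
    """Organization perspective only: Admins (including the System Owner) have
    Full Control; Users default to Read Only unless the control, its family or
    its class was assigned to them."""
    if user.perspective != "Organization":
        raise ValueError("control editing is modelled for the Organization perspective")
    if user.role.startswith("Admin"):
        return "Full Control"
    assigned = (control_id in user.controls
                or family_of(control_id) in user.families
                or class_of(control_id) in user.classes)
    return "Full Control" if assigned else "Read Only"

def can_approve(user: User, org: str) -> bool:
    """Compliance perspective: Admins Approve/Reject in all orgs, Users only in
    orgs assigned to them; other perspectives never approve."""
    if user.perspective != "Compliance":
        return False
    return user.role == "Admin" or org in user.orgs
```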

Functional Details

Integration

pureFISMA is designed to leverage existing enterprise directory services for authentication, including:
- Active Directory (Microsoft)
- Open Directory (Apple)
- eDirectory (Novell)
- Oracle Internet Directory
- ApacheDS (open source)
- OpenDS (open source)

Additionally, pureFISMA can support multifactor authentication schemes, including:
- Complex device identification
- Mobile (via SMS)
- Others (may require additional hardware / software)

Functional Details

Task Management

pureFISMA’s POA&M list:
- Automatically adds items based on deficiencies identified during:
  - Continuous Monitoring
  - Security Assessment
- Accepts manually added items based on deficiencies identified during other assessments:
  - Privacy Impact Assessment
  - Risk Assessment

pureFISMA provides each user with a personalized task list, including:
- User-Defined Tasks
  - Can be manually associated with one or more security controls
- Auto-Generated Tasks (e.g., expiring control)
- Automated Reminders
  - In-Application reminders via Notification Center
  - Outbound email reminders
- Automated POA&M Integration
  - When a deficiency affecting a particular security control is added to the POA&M list, a task is automatically created for the party responsible for that control

Functional Details

Schedules & Triggers

pureFISMA understands the importance of timeliness in the C&A process as well as Continuous Monitoring and assists system owners and users by:
- Accepting user-defined frequencies for security controls requiring regular review
- Allowing users to define the reminder ‘window’
  - How early the reminder notification is sent
- Automatically notifying responsible parties and system owners when a required review has not taken place
  - A task is automatically created when a required/scheduled review is missed

Functional Details

Notifications & Messaging

pureFISMA accumulates all notifications, reminders, and messages in a unified ‘Notification Center’.

Items may be added to a user’s notification center based on their:
- Organization / System
- Role (User, Admin, Admin Owner)
- Responsible Party (per control, family, class)
- Subscription Preferences

Subscribable events include:
- Control Updated
- Control Reminder
- Control Expiration
- System Updated
- System Reminder
- Asset Added
- Broadcast Message
- POA&M Added
- POA&M Updated
- POA&M Reminder
- Continuous Monitoring
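The Schedules & Triggers and Notifications & Messaging slides describe one pipeline: a user-defined review frequency and reminder window decide when a Control Reminder or Control Expiration event fires, a missed review creates a task, and the event is routed to Notification Centers by org/system, role, responsible party and subscription. The code below is an added example of that pipeline, not product code; the field names, the Control and Subscriber records and the rule that the system owner (Admin Owner) is always told about a missed review are assumptions.

```python
"""Review scheduling and notification routing as described on the Schedules &
Triggers and Notifications & Messaging slides. Added example, not product
code; the field names and the Reminder/Expiration event split are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Control:
    control_id: str
    org: str                   # organization / system the control belongs to
    responsible: str           # responsible party for this control
    last_review: date
    frequency_days: int        # user-defined review frequency
    reminder_days: int         # reminder 'window': how early the reminder is sent

def evaluate(control: Control, today: date) -> list:
    """Events the control raises today: 'Control Reminder' once inside the
    window, 'Control Expiration' once the scheduled review has been missed."""
    due = control.last_review + timedelta(days=control.frequency_days)
    if today > due:
        return ["Control Expiration"]
    if today >= due - timedelta(days=control.reminder_days):
        return ["Control Reminder"]
    return []

def missed_review_task(control: Control, today: date):
    """A task is auto-created for the responsible party when a review is missed."""
    if "Control Expiration" not in evaluate(control, today):
        return None
    return {"assignee": control.responsible, "control": control.control_id,
            "title": f"Overdue review of {control.control_id}"}

@dataclass
class Subscriber:
    name: str
    org: str
    role: str                  # "User", "Admin" or "Admin Owner"
    subscriptions: frozenset   # subscribed event names

def route(event: str, control: Control, subscribers: list) -> list:
    """Notification Center recipients: scoped to the control's org/system, then the
    responsible party, the Admin Owner for a missed review, and event subscribers."""
    recipients = []
    for s in subscribers:
        if s.org != control.org:
            continue
        owner_on_miss = event == "Control Expiration" and s.role == "Admin Owner"
        if s.name == control.responsible or owner_on_miss or event in s.subscriptions:
            recipients.append(s.name)
    return recipients
```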

Functional Details

Reporting & Documentation

pureFISMA provides robust reporting within all three perspectives, built to detailed specifications gathered from the client.

Examples include:
- Aggregate Stats (Counts, Avgs, etc.)
- ATO Status
- Security Posture / FISMA Compliance
- Continuous Monitoring Activity
- pureFISMA usage statistics

Additionally, pureFISMA can use information stored in its database to produce formatted, downloadable documents for hardcopy archival and distribution:
- Study Center Security Plan
- Study Center Security Assessment
- Hardware Inventory
- POA&M
- ATO Letter


Functional Details

Versioning

Inputs
- All informational changes made to the system are fully tracked and auditable
- Downloadable transaction logs available to the Organization Admin user in .csv format
- Security Control Implementation Statements are versioned with incremental rollback
- All changes to the POA&M list are versioned

Asset Repository
- Selected file-based assets are versioned on upload:
  - Study Center Security Plan (if provided)
  - Risk Assessment
  - Study Center Security Assessment
  - Privacy Impact Assessment
  - POA&M
  - Network Topology Diagram
  - Policies & Procedure Documents

Functional Details

Data Import

Currently being designed, pureFISMA will include a data import engine to analyze the output files of selected vulnerability scanning tools. When in place, the import engine will allow for increased automation of vulnerability scan interpretation and remediation tracking, as described below:

1. Scan file is uploaded and added to the Asset Repository
2. File is parsed and resulting details stored in database
3. Discovered devices are compared to the existing hardware inventory
4. Vulnerability details evaluated and mapped to security controls
5. POA&M item created based on vulnerability or device details and impact to related security control
6. Notification sent to user assigned to affected control / system owner
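The six import steps above, written out as an added example (not the product's import engine): the scan file is a constructed CSV rather than any real scanner's format, the category-to-control mapping and the rule that only High/Critical findings open a POA&M item are assumptions, and the control identifiers and names are from NIST SP 800-53. Step 1 (adding the upload to the Asset Repository) is outside the snippet.

```python
"""Scan-import pipeline following the six steps described above. Added example,
not the product's import engine. The scan file is a constructed CSV (not a
real scanner format) and the category-to-control mapping is an assumption;
control names are from NIST SP 800-53."""
import csv
import io

CONTROL_FOR_CATEGORY = {            # assumed mapping used in step 4
    "missing-patch": "SI-2",        # Flaw Remediation
    "misconfiguration": "CM-6",     # Configuration Settings
    "weak-credential": "IA-5",      # Authenticator Management
}
UNKNOWN_DEVICE_CONTROL = "CM-8"     # Information System Component Inventory
ACTIONABLE = ("high", "critical")   # assumed: only these severities open a POA&M item

def parse_scan(text: str) -> list:
    """Step 2: parse the uploaded file into finding records."""
    return list(csv.DictReader(io.StringIO(text)))

def import_scan(text: str, inventory: set, responsible: dict, system_owner: str):
    """Steps 2-6. inventory: known hostnames; responsible: control_id -> user.
    Returns (poam_items, notifications)."""
    findings = parse_scan(text)
    items, notifications = [], []

    def open_item(control, host, detail):           # step 5: create POA&M item
        items.append({"control": control, "host": host, "detail": detail})
        # step 6: notify the user assigned to the control, else the system owner
        notifications.append((responsible.get(control, system_owner), control, host))

    for host in sorted({f["host"] for f in findings} - inventory):   # step 3
        open_item(UNKNOWN_DEVICE_CONTROL, host, "device not in hardware inventory")
    for f in findings:                                # step 4: evaluate and map
        control = CONTROL_FOR_CATEGORY.get(f["category"])
        if control and f["severity"].lower() in ACTIONABLE:
            open_item(control, f["host"], f["title"])
    return items, notifications

# Constructed sample scan output (step 1 would upload this to the Asset Repository).
SAMPLE_SCAN = """host,category,severity,title
web01,missing-patch,High,Outdated OpenSSL package
web01,misconfiguration,Low,Server banner disclosure
db07,weak-credential,Critical,Default database password
"""
```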

Company Profile

- Founded in 2004
- Service Disabled Veteran Owned Small Business (SDVOSB)
  - Retired USAF
- Woman Owned Small Business
- Performed over $75 million in services
- Contract Vehicles:
  - GSA IT Schedule 70
  - GSA/OMB MOBIS Schedule 847
- Awards:
  - Named HP BSA Implementation Partner of the Year in 2010
  - Designated one of the fastest growing companies in America by Inc. 500/500 in 2011