NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups Manage Risk by Building Information Security into Your Projects Addendum to the NYS Project Management Guidebook May 26, 2010 Mark Spreitzer, CBCP CGI Group Inc. 917.304.1966 [email protected] Deborah Snyder, CISSP, GIAC GSLC, PMP NYS Office of Temporary & Disability Assistance (518) 473-3195 [email protected]

Page 1: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Manage Risk by Building Information Security into Your Projects

Addendum to the NYS Project Management Guidebook

May 26, 2010

Mark Spreitzer, CBCP, CGI Group Inc., 917.304.1966, [email protected]

Deborah Snyder, CISSP, GIAC GSLC, PMP, NYS Office of Temporary & Disability Assistance, (518) 473-3195, [email protected]

Page 2: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Agenda

• Welcome and Announcements (Chuck Weiss)

• Project Management, Information Security & Business Continuity Work Groups

  – Introductions
  – PM lifecycle & the Secure SDLC
  – Risk Management: relationship to PM processes
  – 5-Phase Secure SDLC Process
  – Framework for applying Security & BC considerations to each Phase
  – Benefits
  – Resources

• Q & A

Page 3: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Introduction

Project Management Work Group

• Co-Chairs
  – Brenda Breslin (NYS Department of Health)
  – Vivian Conboy (Dept. of Tax & Finance)
  – Chris Foster (CGI Technologies and Solutions Inc.)
  – Jon Haverly (Keane Inc.)

• Overview
  – Support government entities and their PMs as they adopt PM standards and practices, establish PMOs, and implement program and portfolio management within their organizations
  – PM Community of Practice provides interactive exchange of ideas, practices, and lessons learned
  – PMO Roundtable to support PM implementation methods

Page 4: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Introduction

Security Work Group

• Co-Chairs
  – Deb Snyder (NYS OTDA), Bob Spina (CISCO), Joe Lynch (ORACLE) & Ted Phelps (SUNY)

• Overview
  – Work in collaboration with state & local agencies to develop education/training opportunities & tools that address information security issues
  – Support the Information Security Community of Practice
  – Strong working relationships with NYS OFT/CIO & the Office of Cyber Security & Critical Infrastructure Coordination (CSCIC)
  – International MS-ISAC Security Webcasts
  – Educational workshops, seminars & events

Page 5: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Introduction

Business Continuity (BC) Work Group

• Co-Chairs:
  – David DeMatteo (SEMO)
  – Ken Mason (SED)
  – Mark Spreitzer, CBCP (CGI)

• Overview:
  – Primary focus is on the “how to” of business continuity planning
  – Intended to help facilitate “best practice” development amongst state and local resources & representatives of the IT Corporate Roundtable
  – Provide education & training opportunities
  – Collaborate on tools that address BC planning needs
  – Work to emphasize the importance of BC planning in NYS Government, in lieu of an explicit requirement

Page 6: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


From an Operational Perspective…

Project Management Life Cycle

• Focus on Implementation

• Management roles & responsibilities

• Framework for planning & managing work

• Develop & manage project plan (scope, schedule)

• Distinguish PM effort from SD effort

System Development Life Cycle

• Focus on Operations

• Technical roles & responsibilities

• Framework for solving business needs with technology

• Design & construct system components (modules, databases)

• Distinguish SD effort from PM effort

[Diagram: Phase Relationships. PM Life Cycle phases: Origination, Initiation, Planning, Execution, Closeout. SDLC phases: Initiation, Acquisition/Development, Implementation/Assessment, Operations & Maintenance (Production), Disposal.]

Page 7: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Secure SDLC (High Level)

[Diagram: PM Life Cycle, SDLC and SSDLC phases side by side; the SSDLC focuses on Information Security & Business Continuity.
PM Life Cycle: Origination, Initiation, Planning, Execution, Closeout.
SDLC: Initiation, Acquisition/Development, Implementation/Assessment, Operations & Maintenance, Disposal.
SSDLC: Preparation; Risk Level & Security Planning; Security Requirements & Controls; Security Testing, Documentation, C&A; Acceptance & Change Management; Disposition / Transition.]

Page 8: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Secure System Development Life Cycle (SSDLC) Principles

• To be effective, information security must be integrated from inception of the project and ensured adequate consideration throughout the SDLC.

• Information security controls applied to a particular information system must be commensurate with its criticality and sensitivity.

• SSDLC - conceptual framework to ensure this occurs…
  – Structured process and core set of analysis steps and planning considerations to integrate info-security into the SDLC
  – Helps identify, evaluate & minimize info-security risk
  – Defines info-security requirements, appropriate security level & measures/controls to adequately protect the asset
  – Produces clear, well-documented information security plan
  – Based on industry standards, well-established practices, fundamental security principles and concepts

Page 9: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Secure SDLC


SSDLC “Roadmap” example…

Source: NYS OTDA ISO, Secure SDLC Roadmap

Information Security considerations, checkpoints & deliverables across the SDLC

Page 10: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


NIST Special Publications

NIST = National Institute of Standards & Technology
• Chartered to promote & protect economy & public welfare; collaborates with industry, government & academic organizations; used by FEMA for framework development
• Defines Security to include Business Continuity and Contingency Planning (CP)
• Integrates Security activities into the system development life-cycle (SDLC)
• Outlines key security roles and responsibilities
• Defines Security/BC components as control objectives (Control Gates - permission to proceed)

NIST Special Publication 800 series Guidance http://csrc.nist.gov/publications/PubsSPs.html
• SP 800-12, An Introduction to Computer Security: The NIST Handbook
• SP 800-18, Guide for Developing Security Plans for Information Technology Systems
• SP 800-27, Engineering Principles for Information Technology Security
• SP 800-30, Risk Management Guide for IT Systems
• SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• SP 800-39, Managing Risk from Information Systems: An Organizational Perspective
• SP 800-34, Contingency Planning
• SP 800-53, Recommended Security Controls & Annexes 1, 2, 3
• SP 800-60, Mapping Types of Information & Information Systems to Security Categorization Levels
• SP 800-64, Security Considerations in the System Development Life Cycle
• SP 800-84, Testing, Training and Exercising
• NIST SDLC Brochure, August 2004, Information Security in the SDLC http://csrc.nist.gov/SDLCinfosec

• Federal Information Processing Standards (FIPS) http://csrc.nist.gov/publications/PubsFIPS.html
  – FIPS 199, Standards for Security Categorization
  – FIPS 140-2, Security Requirements for Cryptographic Modules

• FEMA Continuity Guidance Circular 1 (CGC1) www.fema.gov/pdf/about/org/ncp/cont_guidance1.pdf

Page 11: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


NIST’s Security in the SDLC

Source: NIST SDLC Brochure (Aug. 2004), Information Security in the SDLC.

Page 12: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Risk Management

Relationship to All Other PM Functions

[Diagram: Project Risk Management at the centre, linked to the other PM functions: Integration, Communications, Human Resources, Cost, Procurement, Scope, Time, Quality. Associated variables: Expectations, Feasibility; Time Objectives, Restraints; Requirements, Standards; Availability, Productivity; Life Cycle & Environment Variables; Services, Plant, Materials: Performance; Cost Objectives, Restraints; Ideas, Directives; Data Exchange Accuracy.]

Source: Project & Program Risk Management, A Guide to Managing Project Risks & Opportunities, p. II-2.

Page 13: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Integrated Risk Management

• RM can be viewed as a holistic activity that is fully integrated into every aspect of the organization

• RM is driven by organization (mission) risk


Source: NIST SP 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission and Information System View.

Page 14: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Risk Management Framework


Source: NIST Risk Management Framework http://csrc.nist.gov/groups/SMA/fisma/framework.html & http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/index.html

Page 15: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Some Key Terms… (see handout)

• After Action Review
• Artifact
• Business Continuity (Contingency Planning)
• Business Impact Analysis (BIA)
• Controls, Safeguards & Countermeasures
• Control Gates
• Information Resources
• Information Security (Confidentiality, Integrity, Availability)
• Information System
• Plan of Action and Milestones (POA&M)
• Recovery Time Objective (RTO)
• Recovery Point Objective (RPO)
• Risk & Residual Risk
• Risk Management

Page 16: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Phase 1: Initiation - Resources, Expectations, LOE & Schedule

[Diagram: PM Life Cycle (Origination, Initiation, Planning) alongside SDLC Initiation and the SSDLC steps Preparation and Risk Level & Security Planning; the SSDLC focuses on Information Security & Business Continuity.]

KEY PROCESSES
• Initial Security Planning
• Categorize System
• Privacy Impact Analysis
• Ensure Secure SDLC
• Preliminary Risk Assessment
• Business Impact Assessment
• Availability requirements analysis
• Vital Records Analysis
• Data and documentation

ARTIFACTS
• Awareness Training
• Security Categorization
• High Level Security Requirements
• Development/Coding Standards
• QA Plans
• Draft Privacy Impact Assessment
• Linkages to Business Drivers
• Core System Components
• Draft Business Impact Analysis
• Initial RTO/RPO

Page 17: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Phase 1: Initiation

Level of Risk - Relating security considerations

Page 18: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Phase 2: Acquisition / Development - Requirements & Control Selection

[Diagram: PM Life Cycle Execution alongside SDLC Acquisition/Development and Implementation/Assessment, with the SSDLC steps Security Requirements & Controls and Security Testing, Documentation, C&A; the SSDLC focuses on Information Security & Business Continuity.]

KEY PROCESSES
• Update Prelim. Risk Assessment
• Select & Document Security Controls
• Design Security Architecture
• Engineer Security in - Develop Controls
• Recovery Strategy
• Draft Contingency Plan
• COOP, BC, DR
• Vital records analysis
• Test, Train & Exercise (TT&E)

ARTIFACTS
• Updated Risk Assessment
• Security Plan & list of Variations
• List of Shared Services & Risks
• Security Integration Schematic
• BC & DR Concept of Operations
• Contingency Plan (drafts)
  – Notification/activation, incident response
  – Recovery & Reconstitution
• Common Controls
• TT&E Results
  – Policy & Control Adjustments
  – Scenarios & Additional Documentation
  – Test Results (incl. variations)

Page 19: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Phase 2: Acquisition / Development

Control Selection - Relating Security Considerations

Page 20: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Phase 3: Implementation / Assessment - Documenting Results (Baseline)

[Diagram: PM Life Cycle Execution alongside SDLC Implementation/Assessment (following Acquisition/Development, leading into Maintenance), with the SSDLC steps Security Requirements & Controls and Security Testing, Documentation, C&A; the SSDLC focuses on Information Security & Business Continuity.]

KEY PROCESSES
• Finalize Detailed Security Plan
• Create detailed C&A Plan
• Control Integration
• System Security Assessment
• Product / Component Inspection
• Finalize BC, COOP & DR
• Control Integration
• Implement Vital Records program
• Certification/Acceptance
• TT&E

ARTIFACTS
• Verified Operational Security Controls
• C&A Work Plan
• Completed System Documentation
• Security Assessment Report
• Security Authorization Decision
• BC, COOP & DR Plans
• Updated backup processes
• After Action Review
• TT&E Plan
• Statement of residual risk

Page 21: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Phase 3: Implementation / Assessment

Documenting Results - Baseline

Page 22: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Phase 4: Operations / Maintenance

[Diagram: PM Life Cycle Closeout alongside SDLC Operations & Maintenance and Disposal, with the SSDLC steps Acceptance & Change Management and Disposition / Transition; the SSDLC focuses on Information Security & Business Continuity.]

KEY PROCESSES
• Awareness Campaign
• Configuration Management
• Continuous Monitoring
• TT&E
• Change Control
• Incident Management
• Recertification/Acceptance

ARTIFACTS
• Evaluation/Impact of Changes
• Change Control Approvals
• Updated Security Documentation
• Continuous Monitoring Results
• Updated Authorization Pkg.
• Authority to Operate (Decision)
• Security Evaluations / Audits
• POA&M Review
• Exercise Schedule
• After Action Reviews
• Recoverability Statement
• BCP Evaluations / Audits

Page 23: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Phase 4: Operations / Maintenance

Acceptance & Change Management

Page 24: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Phase 5: Disposal (Sunset)

[Diagram: PM Life Cycle Closeout alongside SDLC Operations & Maintenance (Continuous Monitoring) and Disposal, with the SSDLC steps Acceptance & Change Management and Disposition / Transition; the SSDLC focuses on Information Security & Business Continuity.]

KEY PROCESSES
• Disposal / Transition Planning (migration to new system)
• Ensure Information Preservation
• Media Sanitization
• Hardware/Software Disposal
• Control Catalog review
• Close System
• Business Link Analysis
• Interdependencies
• Enterprise BCP
• Impact analysis
• Review service agreements

ARTIFACTS
• Disposal/Transition Plan
• Hardware/Software Disposition
• Reallocation/Sanitization Records
• System Closure Documentation
• Information Archiving
• Update SLAs & MOUs
• Updated Security Controls
• Enterprise plan updates
  – Value Chains
  – BC, COOP & DR plans
• Updated BCP Controls

Page 25: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Phase 5: Disposal (Sunset)

Data & Partners

Page 26: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Mapping Risk Management to the SDLC

• Review Risk
• Assess controls
  – identify
  – document
  – implement
  – monitor

[Diagram: Enterprise Risk Management spanning Compliance, Information Systems Management, Financial Management, Risk Management, Information Security, IT Alignment and Planning, IS Architecture, Risk Based Funding Requests, Enterprise Architecture & SDLC, Capital Planning and Investment, and Certification & Accreditation. Beneath these run the PM Life Cycle (Origination, Initiation, Planning, Execution, Closeout), the SDLC (Initiation, Acquisition/Development, Implementation/Assessment, Operations & Maintenance with Continuous Monitoring, Disposal) and the SSDLC steps (Risk Level & Security Planning; Security Requirements & Controls; Security Testing, Documentation, C&A; Acceptance & Change Management; Disposition / Transition).]

Page 27: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Further Observations

• All Processes and Artifacts are scalable
  – Preliminary Risk Assessment defines impact & requirements
  – “Right Size” for your project
  – Use common sense

• Business Continuity & Information Security interrelate
  – Common Purpose, Artifacts & Goals
  – Confidentiality
  – Integrity
  – Availability

Page 28: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

Reflections on SEI | Carnegie Mellon

“The surest way to leave risks undocumented is to make the program risks accessible to all members.”

• An undocumented risk can get lost to everyone -- far better to have risks documented privately than not documented at all.

• Engage a Security team early
  – Encourages work team agreements on risks and an end-point against which to identify and analyze
  – Provides a standard way of capturing (documenting) risks
  – Positions facilitators practiced and comfortable with writing risks in front of a group

• Support good risk identification
  – Encourage documentation of risks privately at the working team level
  – Integrate risk identification and management into normal project management
  – Accept any risk identified – don’t “vet them out”
  – Acknowledge that the program’s decision-makers are the real “risk managers,” and have the decision-makers step up to the job

Page 29: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups

CMMI Capability Maturity Model

More Information on CMMI - www.sei.cmu.edu/searchresults.cfm & www.sei.cmu.edu/cmmi/tools/dev/index.cfm

Page 30: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Benefits

• Advances Organization along CMM
• Informed, Risk Management-based decisions
• Improved organization and customer confidence
  – Awareness campaigns
  – Education, ownership/adoption and usage
• Lower total effort & cost
  – Improved interoperability and integration
  – Early identification of controls
  – Proven methods and techniques
  – Reuse of strategies and tools
  – Shared security services
• Improved Security & Compliance Posture

Page 31: NYS Forum Joint Initiative Security, Project Management & Business Continuity Workgroups


Questions

Deborah Snyder, CISSP, GSLC, PMP

NYS Office of Temporary & Disability Assistance

(518) 473-3195

[email protected]

Mark Spreitzer, CBCP

CGI Group Inc.

(917) 304-1966

[email protected]