pureFISMA Framework

Report
FISMA Certification Workflow, Communication & Management Framework
Overview
 Solving for Security Compliance
 Business Case / Requirements
 Design
 Architecture
 Approach
 User Interface
 Functional Highlights
 Functional Details
 Value Added / ROI
 Company Profile
Pure Integration, LLC Confidential & Proprietary, All Rights Reserved
Solving for Security Compliance
We believe that a logical and physical security program should be implemented on an agency enterprise level to provide information security for the information and information systems that support the operations and assets of the organization, including those provided or managed by another agency, contractor, or other sources. We assist agencies in doing this through the PRISMA Methodology (Program Review for Information Security Management Assessment).
FISMA / PRISMA Methodology
 Overall Focus
Review the strategic and technical aspects of the logical/physical security program. The review identifies the level of maturity of the security program and the customer's and/or corporate ability to comply with existing requirements in (9) topic areas (TA).
 Assessment Model
Analyze five levels of compliance maturity: policy, procedures, implementation, test, and integration, employing a standardized approach to review and measure the information security posture of an information security program.
[Diagram: the five maturity levels (Policy Mapping; Procedures Analysis & Documentation; Tests Verification & STE Case Analysis; Implementation: Security Control Alignment; Integration into FISMA Lifecycle) applied across the Management, Operational, and Technical Topic Areas (TA).]
Topic Areas (TA):
1. Security Management & Culture
2. Security Planning
3. Security Awareness, Training, and Education
4. Budget and Resources
5. Life Cycle Management
6. Certification and Accreditation
7. Critical Infrastructure Protection
8. Incident and Emergency Response
9. Security Controls
Business Case / Requirements
Modern Information Security Oversight Presents Several Challenges…
• Distributed Risks
• Lack of Visibility / Tracking
• Complex Compliance Frameworks (FISMA, HIPAA, etc.)
• Timeliness
• Certification & Accreditation (C&A) Requirements
• Increasing and hard to manage costs
…That Can Be Overcome By Leveraging A Proven Methodology And A Modern, Purpose-Built Tool
pureFISMA enables effective risk management by:
• Providing insight into organizational Risks, distributed or local
• Guiding information gathering & management workflows, from system initiation through continuous monitoring
• Streamlining the review & approval of submitted information systems
• Tracking Events and Notifying in Real-Time
• Delivering high-level compliance metrics for organizational oversight
Application Capability
Customizable Application Framework
 Highly Scalable
• No account or seat limitations
• Easily adapts to increases in user/data volume
 Interoperable
• Can run on multiple platforms
 Open Architecture
• Allows for future functionality & features to address changes in organizational requirements
 Simplified Enhancement / Version Deployment
• New features are available to all users instantly, eliminating the time and effort of distributed, independent upgrading
User Functionality
 Stakeholder/Responsible Party/User Management & Tracking
• Customizable Authentication & Authorization for Users
 Pre-Populated Security Control Definitions
• NIST SP 800-53 / SP 800-53(A)
 Input/Edit Security Control Implementation Statements
• Statements mapped to controls, history and audit trail, and Policy Management
 One click, detailed reporting
• Scope filters, full search capability
• Linking to POA&M, C&A Documentation, and Continuous Monitoring
Application Overview
The pureFISMA tool is made up of a data model and business logic layer designed to support a compliance workflow management system having a particular set of generalized core features.
• These core features are delivered via a User Interface tailored to Client specifications after requirements have been gathered:
– Role/Group-Based User permissions
– Integration with various Directory Servers for authentication
– Task Management
– Scheduling / Event Triggering
– Subscription-Based Notifications / Reminders
– Notification Center
– Reporting
– Versioning
– Data Import Engine (for importing scan data from 3rd party vulnerability scanning tools)
Application Architecture
Architecture layer / Technology / Environment:
 User Interface: Adobe Flex (Environment: Apache, IIS)
 Application Layer: BlazeDS, Java, Spring, Hibernate (Environment: Tomcat, JBoss, WebSphere, WebLogic)
 Data Storage: SQL Database (MySQL, Oracle, SQL Server)
Application Approach
pureFISMA was designed around 3 distinct audiences or ‘perspectives’, each presenting a particular functional emphasis*:
• Organization (e.g., Study Center / Information System)
– Information Input
– Continuous Monitoring
– Asset Management
• Compliance (e.g., Mission Assurance Team / Information Security Dept)
– Input Approval/Rejection
– Commenting
• Executive (e.g., Program Office / Department Head)
– Aggregation
– Insight
– Communication
*The perspective presented is determined at login based on the authenticated user’s role
Functional Highlights
Real-Time FISMA Compliance Monitoring
 C&A Workflow Management
• Track/Update C&A progress, Documentation package, and ATO Status
• Document repository with Built-in Revision Tracking and Restore
• POA&M items and Continuous Monitoring tasks
 Configuration Management
• Hardware inventory
• Vulnerability scan files and tracking
• In-place control verification and tracking
 Automatic Event Notification System
• Unified Notification Center
• Subscription-Based Email alerts, including:
– Missing/upcoming control requirements
– Continuous Monitoring Defects
 POA&M Tracking System
• Sort by issue type; control family
• Map to security control; responsible party
• Author (user or accreditation source)
• Scheduled completion date
• Full resolution history
User Interface
pureFISMA features a robust and modern user interface using the latest open source technology to provide highly customizable features.
[Screenshot callouts: Customized, Real-Time Dashboard; Advanced Search & Filtering; High-Level Aggregate Compliance Metrics]
Functional Details – Users & Permissions
pureFISMA includes the following 7 pre-defined roles, which can be extended /
tailored based on client requirements:
Organization perspective
 User
• Default: Read Only
• Full Control: As Assigned (Per Control, Control Family, or Control Class)
 Admin
• Default: Full Control
• Create Org User
• Assign Responsible Party
• Submit System for Approval
 Admin (System Owner)
• Same as Admin
Compliance perspective
 User
• Default: Read Only (All Orgs)
• Approve/Reject: As Assigned (Per Org)
 Admin
• Default: Approve/Reject (All Orgs)
• Create Organization Admin
• Create Compliance User
• Assign Org
• Submit System for ATO
Executive perspective
 User
• Default: Read Only
• Limited Reporting
 Admin
• Default: Full Control
• Create Compliance Admin
• Create Executive User
• Send Broadcast Message
• Full Reporting
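Added illustration (not pureFISMA's code) of how the defaults and "As Assigned" scopes in this role matrix resolve into an access decision: an Organization User is read-only unless granted full control at control, family, or class scope, while approve/reject belongs to the Compliance perspective. The control catalogue subset, org names, and the omission of the Executive perspective from the control-editing check are assumptions.

```python
"""Permission resolver modelled on the seven-role matrix above (added example)."""
from dataclasses import dataclass, field

# Constructed catalogue subset: control id -> (NIST SP 800-53 family, class).
# The Management/Operational/Technical classes follow the older 800-53 revisions.
CATALOG = {
    "AC-2": ("AC", "Technical"),
    "AC-6": ("AC", "Technical"),
    "CA-2": ("CA", "Management"),
    "IR-4": ("IR", "Operational"),
}


@dataclass
class User:
    perspective: str  # "Organization", "Compliance" or "Executive"
    role: str         # "User", "Admin" or "SystemOwner"
    org: str          # the organization / system the account belongs to
    # Full-control grants for Organization Users, at control/family/class scope
    controls: set = field(default_factory=set)
    families: set = field(default_factory=set)
    classes: set = field(default_factory=set)
    # Orgs a Compliance User has been assigned to approve/reject
    approve_orgs: set = field(default_factory=set)


def can_edit_control(user, control_id, control_org):
    """May this user edit the implementation statement of control_id in control_org?"""
    # Only the Organization perspective edits its own org's controls; Compliance and
    # Executive accounts are read-only here (Executive "Full Control" is taken as
    # administrative: user creation, broadcast, reporting -- assumption).
    if user.perspective != "Organization" or user.org != control_org:
        return False
    if user.role in ("Admin", "SystemOwner"):
        return True  # Default: Full Control (System Owner: same as Admin)
    family, cls = CATALOG[control_id]
    # Organization User: default read-only, full control only where assigned
    return (control_id in user.controls
            or family in user.families
            or cls in user.classes)


def can_approve_system(user, system_org):
    """Approve/Reject a submitted system: a Compliance-perspective decision."""
    if user.perspective != "Compliance":
        return False
    if user.role == "Admin":
        return True  # Default: Approve/Reject (All Orgs)
    return system_org in user.approve_orgs  # User: As Assigned, per org
```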
Functional Details – Integration
pureFISMA is designed to leverage existing enterprise directory services for authentication, including:
– Active Directory (Microsoft)
– Open Directory (Apple)
– eDirectory (Novell)
– Oracle Internet Directory
– ApacheDS (open source)
– OpenDS (open source)
Additionally, pureFISMA can support multifactor authentication schemes, including:
– Complex device identification
– Mobile (via SMS)
– Others (may require additional hardware / software)
Functional Details – Task Management
pureFISMA’s POA&M list:
– Automatically adds items based on deficiencies identified during:
• Continuous Monitoring
• Security Assessment
– Allows items to be added manually based on deficiencies identified during other assessments:
• Privacy Impact Assessment
• Risk Assessment
pureFISMA provides each user with a personalized task list, including:
– User-Defined Tasks
• Can be manually associated with one or more security controls
– Auto-Generated Tasks (e.g., expiring control)
– Automated Reminders
• In-Application reminders via Notification Center
• Outbound email reminders
– Automated POA&M Integration
• When a deficiency affecting a particular security control is added to the POA&M list, a task is automatically created for the party responsible for that control
Functional Details – Schedules & Triggers
pureFISMA understands the importance of timeliness in the C&A process as well as Continuous Monitoring and assists system owners and users by:
– Accepting user-defined frequencies for security controls requiring regular review
– Allowing users to define the reminder ‘window’
• How early the reminder notification is sent
– Automatically notifying responsible parties and system owners when a required review has not taken place
• A task is automatically created when a required/scheduled review is missed
Functional Details – Notifications & Messaging
pureFISMA accumulates all notifications, reminders, and messages in a unified ‘Notification Center’.
• Items may be added to a user’s notification center based on their:
– Organization / System
– Role (User, Admin, Admin Owner)
– Responsible Party (per control, family, class)
– Subscription Preferences
• Subscribable events include:
– Control Updated
– Control Reminder
– Control Expiration
– System Updated
– System Reminder
– Asset Added
– Broadcast Message
– POA&M Added
– POA&M Updated
– POA&M Reminder
– Continuous Monitoring
Functional Details – Reporting & Documentation
pureFISMA provides robust reporting within all three perspectives, built to detailed specifications gathered from the client.
• Examples include:
– Aggregate Stats (Counts, Avgs, etc.)
– ATO Status
– Security Posture / FISMA Compliance
– Continuous Monitoring Activity
– pureFISMA usage statistics
Additionally, pureFISMA can use information stored in its database to produce formatted, downloadable documents for hardcopy archival and distribution:
– Study Center Security Plan
– Study Center Security Assessment
– Hardware Inventory
– POA&M
– ATO Letter
Functional Details – Versioning
• Inputs
– All informational changes made to the system are fully tracked and auditable
• Downloadable transaction logs available to Organization Admin user in .csv format
– Security Control Implementation Statements are versioned with incremental rollback
– All changes to POA&M list are versioned
• Asset Repository
– Selected file-based assets are versioned on upload:
• Study Center Security Plan (if provided)
• Risk Assessment
• Study Center Security Assessment
• Privacy Impact Assessment
• POA&M
• Network Topology Diagram
• Policies & Procedure Documents
Functional Details – Data Import
Currently being designed, pureFISMA will include a data import engine to analyze the output files of selected vulnerability scanning tools. When in place, the import engine will allow for increased automation of vulnerability scan interpretation and remediation tracking, as described below:
1. Scan file is uploaded and added to the Asset Repository
2. File is parsed and resulting details stored in database
3. Discovered devices are compared against the existing hardware inventory
4. Vulnerability details evaluated and mapped to security controls
5. POA&M item created based on vulnerability or device details and impact to related security control
6. Notification sent to user assigned to affected control / system owner
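Steps 2 through 6 of this import workflow, as an added example that is not pureFISMA's code: a constructed scan export is parsed, discovered hosts are reconciled against a constructed hardware inventory (an unknown device becomes an inventory, CM-8, deficiency), each finding is mapped to a control and opened as a POA&M item, and one notification per responsible party is produced. The scan file format, the finding-category-to-control mapping, and the responsible-party assignments are all assumptions; real scanners have their own export formats.

```python
"""Scan import pipeline for the six steps above (added example, not pureFISMA code)."""
import csv
import io
from dataclasses import dataclass

# Constructed scan export: one finding per row. Real tools use their own formats.
SCAN_FILE = """host,category,severity,title
10.0.0.5,missing_patch,high,Outdated OpenSSL package
10.0.0.5,weak_config,medium,Telnet service enabled
10.0.0.9,missing_patch,critical,Unpatched kernel
"""

# Constructed hardware inventory (step 3 compares discovered hosts against it)
INVENTORY = {"10.0.0.5": "web-01"}

# Constructed finding category -> NIST SP 800-53 control mapping (step 4)
CONTROL_MAP = {"missing_patch": "SI-2", "weak_config": "CM-6"}

# Constructed responsible-party assignment per control (step 6)
RESPONSIBLE = {"SI-2": "patch-team", "CM-6": "config-team", "CM-8": "system-owner"}


@dataclass
class PoamItem:
    control: str      # affected security control
    source: str       # "scan" finding or "inventory" mismatch
    detail: str
    responsible: str  # party assigned to the control


def import_scan(text, inventory=INVENTORY):
    """Steps 2-6: parse, reconcile devices, map to controls, open POA&M items, notify."""
    findings = list(csv.DictReader(io.StringIO(text)))  # step 2: parse the upload
    items, notices = [], []
    # step 3: a discovered device missing from the hardware inventory is a CM-8 gap
    for host in sorted({f["host"] for f in findings} - set(inventory)):
        items.append(PoamItem("CM-8", "inventory", f"unknown device {host}",
                              RESPONSIBLE["CM-8"]))
    # steps 4-5: map each finding to a control and open a POA&M item for it;
    # an unmapped category falls back to RA-5 (vulnerability scanning) for review
    for f in findings:
        ctl = CONTROL_MAP.get(f["category"], "RA-5")
        detail = f"{f['host']}: {f['title']} ({f['severity']})"
        items.append(PoamItem(ctl, "scan", detail, RESPONSIBLE.get(ctl, "system-owner")))
    # step 6: one notification per responsible party, counting its new items
    for party in sorted({i.responsible for i in items}):
        count = sum(1 for i in items if i.responsible == party)
        notices.append(f"{party}: {count} new POA&M item(s)")
    return items, notices
```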
Company Profile
 Founded in 2004
 Service Disabled Veteran Owned Small
Business (SDVOSB) – Retired USAF
 Woman Owned Small Business
 Performed over $75 million in services
 Contract Vehicles:
– GSA IT Schedule 70
– GSA/OMB MOBIS Schedule 847
 Awards:
– Named HP BSA Implementation Partner of
the Year in 2010
– Designated one of the fastest growing
companies in America by Inc. 500/500 in
2011
