17. Defining the Problem Space
- SDLC Initiation to O&M is a minimum of 120 days, with 6 months being typical.
- How does this fit into your plans for social media?
23. Threat Landscape
- Government to Government: Internal social media services within or between agencies
- Government (internally hosted) to Public: Social media services on government sites
- Government (externally hosted) to Public: External social media services used by the government
- Government users in public: Social media services used by government users
24. Getting to a Good SocMed Policy
- Engage early, engage often
- Policy should focus on risk, not technology
  - Social media technology changes constantly
  - Data protection requirement is constant
- Consider the business case
- Consider the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation
- Make risk-based decisions
25. Primary Resources
- CIO Council Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0
  http://www.cio.gov/library/library_category2.cfm?structure=Information%20Technology&category=IT%20Security%20/%20Privacy
- GSA Terms of Service Agreements with New Media Providers
  http://www.usa.gov/webcontent/resources/tools/TOSagreements.shtml
- NARA Records Management Policy and Guidance
  http://archives.gov/records-mgmt/policy/
26. Primary Resources - FISMA
- NIST SP 800-37 Rev. 1 DRAFT, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- NIST SP 800-39 DRAFT, Managing Risk from Information Systems: An Organizational Perspective
- NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations
- http://csrc.nist.gov/publications/PubsSPs.html
43. Continuous Monitoring
[Diagram: NIST SP 800-37 Risk Management Framework tiers. Tier 1: Organization; Tier 2: Mission / Business Process; Tier 3: Information System]
44. Policy Controls
- Social Media Communications Strategy
- Acceptable Use Policies (AUP)
- Content Filtering and Monitoring
- Privacy and Security Support
- Integration with NIST SP 800-39 and NIST SP 800-37 Risk Management
45. Policy Controls – NIST Guidance
- AC-20 Use of External Information Systems
- AC-22 Publicly Accessible Content
- IA-2 Identification and Authentication (Organizational Users)
- IA-5 Authenticator Management
- IA-7 Cryptographic Module Authentication
- IA-8 Identification and Authentication (Non-Organizational Users)
46. Policy Controls – NIST Guidance
- IR-5 Incident Monitoring
- IR-6 Incident Reporting
- IR-7 Incident Response Assistance
- IR-8 Incident Response Plan
- PL-4 Rules of Behavior
- PL-5 Privacy Impact Assessment
- RA-1 Risk Assessment Policy and Procedures
- SI-12 Information Output Handling and Retention
47. Acquisition Controls
- Strong Authentication
- Social Media services security practice
- Comment moderation and monitoring of social media
- Ensure federal security requirements are met by using dedicated resources from vendors
- Modify users' public profiles from .gov or .mil email addresses to provide stronger security
48. Acquisition Controls
Partner with social media services to:
- Provide traceability to federal employee accounts
- Improve communications between providers and Security Operations Centers (SOC)
- Allow independent monitoring of social media service providers
- Encourage use of validated and signed code
- Ensure the social media provider maintains appropriate configuration, patch and technology refresh levels
49. Acquisition Controls
- Ensure an independent risk assessment
- Records management in accordance with NARA record schedules, FOIA requests and e-discovery litigation holds
- Ensure hosted federal content is accessible at any time and stored in editable and non-proprietary formats
50. Acquisition Controls – NIST Guidance
- SA-1 System and Services Acquisition Policy and Procedures
- SA-2 Allocation of Resources
- SA-3 Life Cycle Support
- SA-4 Acquisitions
- SA-5 Information System Documentation
- SA-9 External Information System Services
51. Acquisition Controls – GSA Guidance
Terms of Service Agreements:
- Social media services' standard Terms of Service (TOS) Agreements present legal problems
- Many services are free, making it hard to encourage services to negotiate new TOS
- On behalf of the government, GSA has negotiated new TOS for many social media services
  http://www.usa.gov/webcontent/resources/tools/TOSagreements.shtml
52. Training Controls
Provide awareness, guidance and training on:
- Information that can be shared, cannot be shared, and with whom it can be shared
- Social media policies and guidelines, including AUP
- Blurring of personal and professional life, as appropriate
- Operations Security (OPSEC) and the risks of social media
- Federal employees' self-identification on social media sites, depending on roles
53. Training Controls
Provide awareness, guidance and training on:
- Privacy Act requirements and restrictions
- Specific social media threats, before granting access to social media sites
- Possible negative outcomes of information leakage, social media misuse and password reuse
- Possible impact on security clearance
54. Training Controls – NIST Guidance
- AT-2 Security Awareness: Add social media usage related awareness training
- AT-3 Security Training: Create specific role-based training for those with social media responsibility
- AT-5 Contacts with Security Groups and Associations: Establish contacts with security groups addressing web application and social media security
55. Host Controls
- Require use of a hardened Common Operating Environment (COE):
  - Federal Desktop Core Configuration (FDCC)
  - Security Content Automation Protocol (SCAP)
- Encourage use of strong authentication for greater assurance of a user's identity:
  - Two-factor authentication (e.g., HSPD-12 & PIN)
56. Host Controls
- Ensure strong change management, patch management and configuration management:
  - Includes applications and Operating Systems
  - Enforces strong logging
  - Reports to SOC
- Desktop virtualization technologies:
  - Allow safer viewing of potentially malicious websites
  - Virtual sandbox protects the base operating system
57. Host Controls
- Browser versioning:
  - Ensure use of the latest browsers, which include additional security measures
- Encourage use of signed code or white listing:
  - Provides a higher level of assurance that software comes from an approved vendor or is approved software
58. Host Controls – NIST Guidance
- Audit and Accountability (AU) family of controls, as applicable
- AC-1 Access Control Policy and Procedures
- AC-7 System Use Notification
- CM-1 Configuration Management Policy and Procedures
- CM-2 Baseline Configuration
- CM-6 Configuration Settings
- CM-7 Least Functionality
60. Network Controls
- Federal Trusted Internet Connection (TIC) program protections:
  - Reduced number of internet connections
  - Einstein traffic inspection
- Security Operations Center (SOC) and Network Operations Center (NOC):
  - Visibility and centralized control for incident response and risk reduction
- These should all be provided to you as "infrastructure"
61. Network Controls
- Web content filtering:
  - Beyond Einstein protections
  - Granular control of web applications, data and protocols
- Trust Zones dependent on security assurance requirements
- DNSSEC to better ensure website name resolution integrity
63. Network Controls – NIST Guidance
- SC-1 System and Communications Protection Policy and Procedures
- SC-7 Boundary Protection
- SC-13 Use of Cryptography
- SC-14 Public Access Protections
- SC-15 Collaborative Computing Devices
- SC-20 Secure Name / Address Resolution Service (Authoritative Source)
64. Questions, Comments, or War Stories?
http://www.potomacforum.org/
- Michael Smith: rybolov(a)ryzhe.ath.cx, http://www.guerilla-ciso.com/
- Dan Philpott: danphilpott(a)gmail.com, http://www.fismapedia.org/
Editor's notes
Mike's blog is at http://www.guerilla-ciso.com/. Mike teaches for Potomac Forum, http://www.potomacforum.org/. Contact information for Mike is at the end of this presentation.
Dan is the founder of http://www.FISMApedia.org/. Dan blogs at http://www.guerilla-ciso.com/ and http://ArielSilverstone.com. Dan teaches for Potomac Forum, http://www.potomacforum.org/.