The Security Plan: Effectively Teaching How To Write One

Similar documents
Panel 12 - Issues In Outsourcing Reuben S. Pitts III, NSWCDL

Improving the Quality of Patient Care Utilizing Tracer Methodology

White Space and Other Emerging Issues. Conservation Conference 23 August 2004 Savannah, Georgia

Information Technology

The Fully-Burdened Cost of Waste in Contingency Operations

Report Documentation Page

Shadow 200 TUAV Schoolhouse Training

DDESB Seminar Explosives Safety Training

Integrated Comprehensive Planning for Range Sustainability

Opportunities to Streamline DOD s Milestone Review Process

Mission Assurance Analysis Protocol (MAAP)

terns Planning and E ik DeBolt ~nts Softwar~ RS) DMSMS Plan Buildt! August 2011 SYSPARS

Independent Auditor's Report on the Attestation of the Existence, Completeness, and Rights of the Department of the Navy's Aircraft

Report No. D May 14, Selected Controls for Information Assurance at the Defense Threat Reduction Agency

DOD Native American Regional Consultations in the Southeastern United States. John Cordray NAVFAC, Southern Division Charleston, SC

For the Period June 1, 2014 to June 30, 2014 Submitted: 15 July 2014

DOING BUSINESS WITH THE OFFICE OF NAVAL RESEARCH. Ms. Vera M. Carroll Acquisition Branch Head ONR BD 251

Fiscal Year 2011 Department of Homeland Security Assistance to States and Localities

Wildland Fire Assistance

ASAP-X, Automated Safety Assessment Protocol - Explosives. Mark Peterson Department of Defense Explosives Safety Board

Defense Health Care Issues and Data

Engineered Resilient Systems - DoD Science and Technology Priority

Biometrics in US Army Accessions Command

Mission Task Analysis for the NATO Defence Requirements Review

Integrity Assessment of E1-E3 Sailors at Naval Submarine School: FY2007 FY2011

Cerberus Partnership with Industry. Distribution authorized to Public Release

Make or Buy: Cost Impacts of Additive Manufacturing, 3D Laser Scanning Technology, and Collaborative Product Lifecycle Management on Ship Maintenance

Report No. DODIG December 5, TRICARE Managed Care Support Contractor Program Integrity Units Met Contract Requirements

Contemporary Issues Paper EWS Submitted by K. D. Stevenson to

712CD. Phone: Fax: Comparison of combat casualty statistics among US Armed Forces during OEF/OIF

World-Wide Satellite Systems Program

Engineering, Operations & Technology Phantom Works. Mark A. Rivera. Huntington Beach, CA Boeing Phantom Works, SD&A

Required PME for Promotion to Captain in the Infantry EWS Contemporary Issue Paper Submitted by Captain MC Danner to Major CJ Bronzi, CG 12 19

Electronic Attack/GPS EA Process

Office of Inspector General Department of Defense FY 2012 FY 2017 Strategic Plan

Social Science Research on Sensitive Topics and the Exemptions. Caroline Miner

INSIDER THREATS. DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems

DoD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process

Report No. D September 25, Controls Over Information Contained in BlackBerry Devices Used Within DoD

Financial Management

Army Aviation and Missile Command (AMCOM) Corrosion Program Update. Steven F. Carr Corrosion Program Manager

The Coalition Warfare Program (CWP) OUSD(AT&L)/International Cooperation

United States Army Aviation Technology Center of Excellence (ATCoE) NASA/Army Systems and Software Engineering Forum

Laboratory Accreditation Bureau (L-A-B)

Office of the Assistant Secretary of Defense (Homeland Defense and Americas Security Affairs)

2011 USN-USMC SPECTRUM MANAGEMENT CONFERENCE COMPACFLT

User Manual and Source Code for a LAMMPS Implementation of Constant Energy Dissipative Particle Dynamics (DPD-E)

ý Award Number: MIPR 3GD3DT3083 Total Eye Examination Automated Module (TEAM) PRINCIPAL INVESTIGATOR: Colonel Francis L.

Dynamic Training Environments of the Future

Systems Engineering Capstone Marketplace Pilot

Munitions Response Site Prioritization Protocol (MRSPP) Online Training Overview. Environmental, Energy, and Sustainability Symposium Wednesday, 6 May

Afloat Electromagnetic Spectrum Operations Program (AESOP) Spectrum Management Challenges for the 21st Century

Military Health System Conference. Putting it All Together: The DoD/VA Integrated Mental Health Strategy (IMHS)

Development of a Hover Test Bed at the National Hover Test Facility

The Need for NMCI. N Bukovac CG February 2009

New Tactics for a New Enemy By John C. Decker

The Effects of Outsourcing on C2

CRS prepared this memorandum for distribution to more than one congressional office.

Army Modeling and Simulation Past, Present and Future Executive Forum for Modeling and Simulation

Concept Development & Experimentation. COM as Shooter Operational Planning using C2 for Confronting and Collaborating.

ALLEGED MISCONDUCT: GENERAL T. MICHAEL MOSELEY FORMER CHIEF OF STAFF, U.S. AIR FORCE

Cyber Attack: The Department Of Defense s Inability To Provide Cyber Indications And Warning

Research to advance the Development of River Information Services (RIS) Technologies

ASNE Combat Systems Symposium. Balancing Capability and Capacity

The Air Force's Evolved Expendable Launch Vehicle Competitive Procurement

WEATHER. User's Manual. January 1986 CPD-52. Generalized Computer Program. US Army Corps of Engineers Hydrologic Engineering Center

Software Intensive Acquisition Programs: Productivity and Policy

The Army Executes New Network Modernization Strategy

US Coast Guard Corrosion Program Office

Environmental Trends Course Cultural Resources

TITLE: The impact of surgical timing in acute traumatic spinal cord injury

GAO AIR FORCE WORKING CAPITAL FUND. Budgeting and Management of Carryover Work and Funding Could Be Improved

USAF TECHNICAL TRAINING NAS Pensacola Florida Develop America's Airmen Today --- for Tomorrow

AFCEA TECHNET LAND FORCES EAST

Report No. DODIG Department of Defense AUGUST 26, 2013

Acquisition. Air Force Procurement of 60K Tunner Cargo Loader Contractor Logistics Support (D ) March 3, 2006

Harnessing the Power of MHS Information Systems to Achieve Meaningful Use of Health Information

Defense Acquisition: Use of Lead System Integrators (LSIs) Background, Oversight Issues, and Options for Congress

February 8, The Honorable Carl Levin Chairman The Honorable James Inhofe Ranking Member Committee on Armed Services United States Senate

at the Missile Defense Agency

Report No. D-2011-RAM-004 November 29, American Recovery and Reinvestment Act Projects--Georgia Army National Guard

Test and Evaluation of Highly Complex Systems

The Military Health System How Might It Be Reorganized?

Incomplete Contract Files for Southwest Asia Task Orders on the Warfighter Field Operations Customer Support Contract

Battle Captain Revisited. Contemporary Issues Paper Submitted by Captain T. E. Mahar to Major S. D. Griffin, CG 11 December 2005

DoD Scientific & Technical Information Program (STIP) 18 November Shari Pitts

Lessons Learned From Product Manager (PM) Infantry Combat Vehicle (ICV) Using Soldier Evaluation in the Design Phase

Aviation Logistics Officers: Combining Supply and Maintenance Responsibilities. Captain WA Elliott

Unclassified/FOUO RAMP. UNCLASSIFIED: Dist A. Approved for public release

Defense Acquisition Review Journal

SPECIAL REPORT Unsurfaced Road Maintenance Management. Robert A. Eaton and Ronald E. Beaucham December 1992

SIMULATOR SYSTEMS GROUP

Unexploded Ordnance Safety on Ranges a Draft DoD Instruction

THE GUARDIA CIVIL AND ETA

Evolutionary Acquisition an Spiral Development in Programs : Policy Issues for Congress

Promoting Data Integrity for the Department of Defense

2010 Fall/Winter 2011 Edition A army Space Journal

Infantry Companies Need Intelligence Cells. Submitted by Captain E.G. Koob

MSG-079 C-BML Workshop Farnborough UK, Feb Coalition Battle Management Language 2009 Experimentation

Acquisition. Diamond Jewelry Procurement Practices at the Army and Air Force Exchange Service (D ) June 4, 2003

Transcription:

The Security Plan: Effectively Teaching How To Write One Paul C. Clark Naval Postgraduate School 833 Dyer Rd., Code CS/Cp Monterey, CA 93943-5118 E-mail: pcclark@nps.edu Abstract The United States government requires all federal systems to have a customized security plan. In addition, the National Training Standard for Information Systems Security (INFOSEC) Professionals requires programs that meet this standard to produce students capable of developing a security plan. The Naval Postgraduate School (NPS) teaches courses that comply with several CNSS standards, and therefore requires students to develop a security plan for a hypothetical scenario. Experience in these courses has shown that the same strategies for teaching high school students how to write a research report can successfully be used to teach university students how to write a security plan that is compliant with NIST guidelines. KEYWORDS: Education, Information assurance, Computer security, Security Plan Introduction The purpose of the security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. [1] In order to ensure security in Information Systems, the Office of Management and Budget (OMB) has declared that all United States (U.S.) federal agencies must incorporate a security plan that is consistent with NIST guidance on security planning. [2] To further emphasize its importance, the Computer Security Act of 1987 makes it a legal requirement for federal systems to have a security plan. [3] It would therefore be desirable for all college graduates with a desire to work in Information Assurance (IA) careers in the U.S. Government to be able to read, understand, and execute the policies and standards of a security plan. In addition, at some point, IA professionals may need to write or modify a security plan, so there is a benefit to teaching students how to formulate a security plan. Of course, this education would also benefit those who intend to work in the private sector, where security plans may not be required, but are considered a good foundation to an effective computer security program. In addition to the hard requirement to maintain a security plan, the Committee for National Security Systems (CNSS), formerly known as the National Security Telecommunications and Information Security Committee (NSTISSC), has issued educational standards for Information-Assurance-related positions, many of which require some level of ability 1

Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE MAR 2005 2. REPORT TYPE N/A 3. DATES COVERED - 4. TITLE AND SUBTITLE The Security Plan: Effectively Teaching How To Write One 5a. CONTRACT NUMBER 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Naval Postgraduate School 833 Dyer Rd., Code CS/Cp Monterey, CA 93943-5118 8. PERFORMING ORGANIZATION REPORT NUMBER 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR S ACRONYM(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release, distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 11. SPONSOR/MONITOR S REPORT NUMBER(S) 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT UU a. REPORT unclassified b. ABSTRACT unclassified c. THIS PAGE unclassified 18. NUMBER OF PAGES 5 19a. NAME OF RESPONSIBLE PERSON Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

with respect to security plans. For example, Issuance No. 4011, National Training Standard for Information Systems Security (INFOSEC) Professionals, expects graduates of compliant courses to be able to build a security plan. [4] The Naval Postgraduate School (NPS) Center for Information Systems Security Studies and Research (CISR) supports the teaching of many courses in the Computer Science department that are dedicated to Information Assurance education. [5] One of these courses, Secure Management of Systems, is the capstone of a series of courses that meet the educational requirements of three CNSS training standards, including No. 4011. Therefore, one of the projects in this course is the development of a security plan. This paper describes our experience and lessons learned from requiring students to write a security plan as part of Secure Management of Systems. Educational Expectations and Roadmap A project as big as a security plan should be started early in the term, which at NPS is a 12- week quarter. Starting such a project in the first or second week of class would not be possible if the students did not already have some IA education or background. For Secure Management of Systems, the following courses are prerequisites: Computer Architecture Computer Communications and Networks Introduction to Information Assurance The purpose, scope, and content of a security plan are covered in the first week of lecture. Several outlines for a security plan are shown from the following sources: OMB Circular A-130 [2] NIST Special Publication 800-18 [1] Director of Central Intelligence Directive (DCID) 6/3 [6] This provides a framework for the remainder of the course. Lectures cover material not addressed in prerequisite courses, filling in the gaps not covered, such as contingency planning and physical security. The Scenario Secure Management of Systems has been taught for many years, but the security plan assignment has been in place since the Spring quarter of 2003. Over 200 students have completed the course since then, providing a wealth of experience, for both the students and their instructor. In order to write a security plan, one needs a site to study. This can be done at an operational facility close to the school, but this is difficult to manage when many students are enrolled in the course, and can be timeintensive for the employees of the site. There is also the site s concern about the compromise of real data, and the impact on its reputation if the site does not have very good security to begin with. Therefore, it is often easier to develop a hypothetical written scenario, or an anonymized written description of a real site. The current method of choice for the instructors at NPS is to use a hypothetical scenario. The students prefer the live site. Developing a hypothetical scenario is no small feat. It requires a written description that has sufficient detail to allow the students to analyze the security of the site without constantly sending the instructor questions via email, or taking up too much time in class. The scenario minimally requires the following details: Agency name. 2

Agency mission. High-level network diagram. A description of hardware and software assets. A description of the physical and logical security currently in place. Floor diagram(s). Organization chart(s). Some recent bad experiences. The description that was used most recently at NPS was nearly 1,400 words long. It produced a manageable number of student questions during the quarter. It was written from the point of view that the student has been hired as a contractor to write the required security plan. For debugging purposes, it was helpful for the instructor to actually sketch out a security plan for the draft scenario to see where the holes were in the description that might prevent the student from completing each part of the plan. An unintended benefit of the scenario is the ability to reference the hypothetical site while discussing security topics throughout the quarter. Template The first time the security plan was assigned, no particular outline for the completed project was made mandatory. That was a mistake. First, some students could not handle that much leeway and required more guidance to get started. Second, it made grading much more difficult and time consuming because each plan was unique. For example, it was much harder to determine if all aspects of the security plan were covered adequately. The second time the security plan was assigned, a template was provided to the students. It contained a mandatory outline, constructed by the instructor, to be followed by all students. This resulted in a big improvement, but there were still too many questions from the students about details of the security plan s structure. For the fourth iteration of the assignment, the outline from the NIST Guide [1] was used as the mandatory format. This not only provided the students with a standard format that they may encounter in their careers, but it came with a textbook on what needed to go in each section. It still required some interpretation from time to time, but it allowed the students to work independently from the instructor, which reduced stress for both sides. However, to make sure that there was a consistent look and feel across all submissions, a template of the NIST outline was still provided by the instructor. Assignments Another lesson learned through the first two installments of the security plan assignment was that, left on their own, most students waited until the end of the quarter to do any significant work on the quarter-long project, despite constant urgings and warnings. This resulted in lower quality work from the students, and therefore lower grades than they were otherwise capable of earning. In addition, it lessened the learning experience. Therefore, in the fourth iteration, the project was divided into seven smaller units, with established due dates. This forced the procrastinators to work on the project throughout the quarter, and it gave them feedback as they were going. The drawback to the instructor was an increase in work that had to be graded, recorded and returned. However, this is an approach that is used to teach high school students how to write a research paper: it breaks down the problem until it is manageable, and requires intermediate work along the way. 3

With respect to grading, the intermediate assignments were not assigned large point values, nor were they heavily scrutinized. They were treated as low value homework assignments because, otherwise, the security plans would have been graded twice: once for each intermediate deliverable, and once for the final complete version. With a smaller number of students it might have been possible to assign grades to the intermediate work that were more indicative of the quality of work. With respect to the NIST Guide and the standard security plan outline, the following is a short description of the seven intermediate assignments: 1. Read the scenario description, look over the template, and read the Executive summary and Section 1 of the NIST Guide. The students were then required to turn in answers to several questions relative to the above reading. 2. Read Section 2 of the NIST Guide. Determine whether the system described in the scenario is a Major Application or a General Support System. How this question is answered determines which NIST outline is used. 3. Read Section 3 of the NIST Guide. Complete section 1 (System Identification) of the security plan. 4. Read Section 4 of the NIST Guide. While referring to appendix C of the Guide, complete the following sections of the security plan: 2.2, Review of Security Controls; 2.3, Rules of Behavior; and 2.5, Authorize Processing. 5. Read Sections 5 and 6 of the NIST Guide. For only those controls currently in place, complete the following sections of the security plan: Section 3, Operational Controls; 4.1, Identification and Authentication; and 4.2, Logical Access Controls. 6. Complete the following sections of the security plan: Section 2.1, Risk Assessment and Management; and 2.4, Planning for Security in the Life Cycle. 7. Complete any subsections that were not already assigned, and add in all other controls necessary for secure operation of the site. The 7 th assignment produces a completed security plan. For the students to be able to identify the controls that need to be added to the system in assignment 7, they need to be taught some kind of risk management methodology. The methodology used by the student to decide what controls to add, and what to leave out, is described in section 2.1 (assignment 6) of the security plan. One approach to use is a checklist-based method, such as that provided by the combination of Department of Defense Directive 8500.1 [7] and Department of Defense Instruction 8500.2 [8]. This is an easy approach for the students, but it does not require any real analysis or critical thinking on their part. The security plan may end up with all the controls the site might need, but it may not address current bad practices that need to be eliminated. The descriptions of the seven student assignments required some occasional interpretation of the NIST Guide, and other hints or requirements to help them succeed. 4

Summary The security plan has become a required and important part of the U.S. federal government toolset for improving security. Prospective IA professionals can be given a good education about how to write a security plan if they have the appropriate educational background. In addition, the learning experience can be improved with a little careful planning about how the security plan assignment is handled. NPS has had positive experiences, and the students have produced professional-quality security plans. By following the NIST Guide, the workload on the instructor is reduced, and the student is given additional tools for success. 7. Information Assurance (IA), Department of Defense Directive Number 8500.1, October 24, 2002. 8. Information Assurance (IA) Implementation, Department of Defense Instruction Number 8500.2, February 6, 2003. References 1. Swanson, M., Guide for Developing Security Plans for Information Technology Systems, NIST Special Publication 800-18, December 1998. 2. Circular No. A-130, Revised, Office of Management and Budget, November 28, 2000. 3. 100 th Congress, Computer Security Act, Public Law 100-235, 1987. 4. National Training Standard for Information Systems Security (INFOSEC) Professionals, NSTISSI No. 4011, National Security Telecommunications and Information Security Committee, June 20, 1994. 5. Irvine, C., Warren, D., Clark, P., The NPS CISR Graduate Program in INFOSEC: Six Years of Experience, National Information Systems Security Conference, NIST / NCSC, Volume 1, pp. 22-29, October 1997. 6. Protecting Sensitive Compartmented Information (SC) within Information Systems, Director of Central Intelligence Directive (DCID) 6/3. 5

2024 © careersdocbox.com Privacy Policy | Terms of Service | Feedback