OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Asset Protection and Security Management
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes
Albert J. Marcella, Jr. and Robert S. Greenfield ISBN: 0-8493-0955-7
The Ethical Hack: A Framework for Business Value Penetration Testing
James S. Tiller ISBN: 0-8493-1609-X
The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks
Susan Young and Dave Aitel ISBN: 0-8493-0888-7
Information Security Architecture: An Integrated Approach to Security in the
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information
Investigator's Guide to Steganography
Gregory Kipper ISBN: 0-8493-2433-5
Managing a Network Vulnerability Assessment
Thomas Peltier, Justin Peltier, and John A. Blackley ISBN: 0-8493-1270-1
Network Perimeter Security: Building Defense In-Depth
Cliff Riggs ISBN: 0-8493-1628-6
The Practical Guide to HIPAA Privacy and Security Compliance
Kevin Beaver and Rebecca Herold ISBN: 0-8493-1953-6
A Practical Guide to Security Engineering and Information Assurance
Debra S. Herrmann ISBN: 0-8493-1163-2
The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions
Rebecca Herold ISBN: 0-8493-1248-5
Public Key Infrastructure: Building Trusted Applications and Web Services
John R. Vacca ISBN: 0-8493-0822-4
Securing and Controlling Cisco Routers
Peter T. Davis ISBN: 0-8493-1290-6
Strategic Information Security
John Wylder ISBN: 0-8493-2041-0
Surviving Security: How to Integrate People, Process, and Technology, Second Edition
Amanda Andress ISBN: 0-8493-2042-9
A Technical Guide to IPSec Virtual Private Networks
James S. Tiller ISBN: 0-8493-0876-3
Using the Common Criteria for IT Security Evaluation
Debra S. Herrmann ISBN: 0-8493-1404-6

AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
Boca Raton New York
Susan Hansche, CISSP-ISSEP
(ISC)2, CISSP, ISSEP, and CBK are registered trademarks of the International Information Systems Security Certification Consortium.
Published in 2006 by
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2006 by Taylor & Francis Group, LLC
Auerbach is an imprint of Taylor & Francis Group
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-10: 0-8493-2341-X (Hardcover)
International Standard Book Number-13: 978-0-8493-2341-6 (Hardcover)
Library of Congress Card Number 2005041144
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.
No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only
for identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Hansche, Susan.
Official (ISC)2 guide to the CISSP-ISSEP CBK / Susan Hansche.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2341-X (alk. paper)
1. Electronic data processing personnel. Certification. 2. Computer security. Examinations. Study guides. I. Title: Official ISC squared guide. II. Title.
QA76.3.H364 2005
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Publications Web site at http://www.auerbach-publications.com
Taylor & Francis Group
is the Academic Division of T&F Informa plc.
This book is dedicated to my late father, Sam Hansche, who encouraged me to do my best and gave me confidence
to believe in myself, and my mother, Sandra Montgomery,
who showers me with love and support.
Table of Contents
Preface xxv
About the Author xxix
ISSE Domain 1: Information Systems Security Engineering (ISSE) Overview 1
Contributors and Reviewers 4
1 ISSE Introduction 7
Introduction 7
SE and ISSE Overview 8
IEEE 1220 Overview 15
The ISSE Model 17
Basic SE and ISSE Principles 21
Principle 1: Always keep the problem and the solution spaces separate 23
Principle 2: The problem space is defined by the customer’s mission or business needs 23
Principle 3: The systems engineer and information systems security engineer define the solution space driven by the problem space 25
Life Cycle and ISSE 27
NIST SP 800-27, Rev A: Engineering Principles 28
Risk Management 29
Defense in Depth 34
People 35
Technology 35
Operations 36
Defense in Multiple Places 38
Layered Defenses 39
Security Robustness 40
Official (ISC)2® Guide to the CISSP®–ISSEP® CBK®
Deploy KMI/PKI 40
Deploy Intrusion Detection Systems 40
Summary 41
References 42
2 ISSE Model Phase 1: Discover Information Protection Needs 45
Introduction 45
Systems Engineering Activity: Discover Needs 48
ISSE Activity: Discover Information Protection Needs 49
Task 1: Define the Customer’s Mission/Business Needs 50
Task 2: Define the Information Management 53
From Mission Needs to Information Management Needs 53
Creating an Information Management Model (IMM) 54
Step 1: Identify Processes 56
Step 2: Identify the Information Being Processed 56
FIPS 199 56
NIST SP 800-60 62
NIST SP 800-59 66
DoD Mission Assurance Categories (MACs) 67
Information Domains 68
Step 3: Identify the Users of the Information and the Process 72
Task 3: Define the Information Protection Policy (IPP) 73
Conducting the Threat Analysis and Developing the Information Protection Policy 73
Potential Harmful Events (PHEs) 75
Harm to Information (HTI) 84
Identifying Security Services and Developing the Information Protection Policy 89
Security Services 90
Access Control 90
Confidentiality 91
Integrity 91
Availability 92
Non-Repudiation 93
Security Management 93
Additional Security Controls 95
Creating the Information Protection Policy (IPP) 98
Creating the IPP Document 99
Introduction 99
General Policies 100
Establish Roles and Responsibilities 100
Identify Decision Makers 100
Define Certification and Accreditation (C&A) Team Members and Procedures 100
Identify Information Domains and Information Management 101
Identify Security Service Requirements 101
Signatures 102
The Information Management Plan (IMP) 102
Final Deliverable of Step 1 103
Summary 103
References 104
3 ISSE Model Phase 2: Define System Security Requirements 107
Introduction 107
System Engineering Activity: Defining System Requirements 113
Defining the System Context 114
IEEE 1220: 5.1.1.1 System Concept 115
Define System Requirements 117
Define Customer Expectations (Task 6.1.1) 120
Define Constraints (Tasks 6.1.2 and 6.1.3) 120
Define Operational Scenarios (Task 6.1.4) 122
Define Measures of Effectiveness (MOEs) (Task 6.1.5) 122
Define System Boundaries (Task 6.1.6) 122
Define Interfaces (Task 6.1.7) 123
Define Utilization Environments (Task 6.1.8) 123
Define Life-Cycle Process Concepts (Task 6.1.9) 123
Define Functional Requirements (Task 6.1.10) 125
Define Performance Requirements (Task 6.1.11) 125
Define Modes of Operations (Task 6.1.12) 126
Define Technical Performance Measures (Task 6.1.13) 126
Define Design Characteristics (Task 6.1.14) 126
Define Human Factors (Task 6.1.15) 126
Establish Requirements Baseline (Task 6.1.16) 126
Define Design Constraints 127
The Preliminary System Concept of Operations (CONOPS) 128
ISSE Activity: Defining System Security Requirements 129
Define the System Security Context 129
Define System Security Requirements 131
Define the Preliminary System Security CONOPS 132
Final Deliverable of Step 2 134
Summary 134
References 136
4 ISSE Model Phase 3: Define System Security Architecture 139
Introduction 139
Defining System and Security Architecture 142
Defining System Architecture 142
Defining System Security Architecture 144
Guidelines for Designing System Architectures from DoDAF and FEAF 144
DoD Architectural Framework 145
Federal Enterprise Architecture Framework (FEAF) 150
System Engineering Activity: Designing System Architecture 152
Perform Functional Analysis and Allocation 153
Functional Analysis 153
Functional Hierarchy Diagram 155
Functional Flow Block Diagrams 156
Timeline Analysis Diagram 158
Functional Allocation 159
Identifying and Allocating Components 159
Describe the Relationship Between the CIs 159
Trace Functions and Components to Requirements 161
ISSE Activity: Define the Security Architecture 163
Design System Security Architecture 166
IATF Information Infrastructure 168
Security Functional Analysis and Allocation 173
Identify Security Components, Controls, or Technologies 175
Additional Security Controls 177
Requirements Traceability and the RTM 181
Interface Identification and Security Architecture 187
Trade-Off Analysis 189
ISSE and Risk Management 192
DoD Goal Security Architecture Example 194
CN Security Allocation 197
LSE Security Service Allocations 197
End System and Relay System Security Service Allocations 197
Security Management Security Service Allocations 199
Transfer System Security Service Allocations 200
Physical and Administrative Environment Security Service Allocations 201
Final Deliverable of Designing System and Security Architectures 204
Summary 204
References 205
5 ISSE Model Phase 4: Develop Detailed Security Design 209
Introduction 209
Systems Engineering Activity: System Design 211
Trade-Off Analysis 214
System Synthesis (Design) 216
System Specifications 216
IEEE Systems Engineering Process: Design Phase 219
System Definition Level 219
Preliminary System Design 221
Detailed System Design 224
Fabrication, Assembly, Integration, and Test (FAIT) Stage 225
Production and Customer Support Stages 225
Component Reliability 226
Prototyping 227
System Design Review 228
System Engineering Management Plan (SEMP) 229
ISSE Activity: System Security Design 229
Conducting the Security Trade-Off Analysis 231
Security Synthesis 232
ISSE Design Phases 234
Preliminary Security Design Phase 234
Detailed Security Design Phase 235
Allocating Security Mechanisms 236
Identifying COTS/GOTS/Custom Security Products 236
Identifying Security Mechanism Interfaces 237
Developing Specifications: Common Criteria Profiles 238
Life-Cycle Security Approach and the System Security Design Document 242
Configuration Management and the Life-Cycle Security Approach 243
Software Design 244
Security Design Validation 247
Prototyping for the ISSE Process 251
ISSE Design and Risk Management 255
Final Deliverables of Step 4 255
Summary 256
References 258
Web Sites 259
Software Design and Development Bibliography 259
6 ISSE Model Phase 5: Implement System Security 263
Introduction 263
System Engineering Activity: System Implementation 265
Constructing the System 268
Creating the Acquisition Plan 268
Developing the Installation Plan 272
Constructing Programs 273
Conducting Unit Testing 273
Establishing the Construction Environment 274
Establishing Development Baselines 275
Developing the Transition Plan 275
Generating Operating Documents 286
Developing a Training Program Plan 278
Integration and Testing Phase 278
Conduct Integration Testing 280
Conduct System Testing 280
Initiate Acceptance Process 282
Conduct Acceptance Test Team Training 283
Develop Maintenance Plan 283
System Delivery 284
IEEE 1220 Perspective on System Implementation Activities 285
Fabrication, Assembly, Integration, and Test (FAIT) 285
Preparing the Customer and Users 287
Is the System Really Ready? 288
ISSE and System Security Implementation 288
Acquire the Security Components 290
NIST Special Publication (SP) 800-23 292
NSTISSP, Number 11 292
Secure Integration Efforts 296
Secure System Configuration 298
Security Test and Evaluation 299
Accept the Security of the System 302
System Security Documentation 303
Training for Secure Operations 304
ISSE and Risk Management 305
Final Deliverable of Phase 5 305
Summary 305
References 307
Web Sites 308
7 ISSE Model Phase 6: Assess Security Effectiveness 309
Introduction 309
System Engineering Activity: System Assessment 311
Benchmarking 312
Baldrige Criteria for Performance Excellence 314
ISO 9001 (2000) 316
Six Sigma 321
Software Engineering Institute Capability Maturity Models (SEI-CMM) 323
Benchmarking, Baldrige, ISO 9001, Six Sigma, and CMM 326
ISSE and System Security Assessment 327
Information Protection Effectiveness Activities 327
System Security Profiling 329
Six Categories of Information Assurances 331
1 Processes (can be obtained by the way the system is built) 331
2 Properties (can be obtained by the way the system is built) 332
3 Analysis (can be obtained by an analysis of system descriptions for conformance to requirements and vulnerabilities) 333
4 Testing (can be obtained by testing the system itself to determine operating characteristics and to find vulnerabilities) 333
5 Guidance (can be obtained by the way the system is built) 333
6 Fielded Systems Evaluation (can be obtained by the operational experience and field evaluation of the system) 333
NIST SP 800-55 334
NIST SP 800-26 338
NIST SP 800-42 340
ISSE and Risk Management 348
Final Deliverable of Phase 6 349
Summary 349
References 351
Web Sites 353
ISSE Domain 2: Certification and Accreditation
Contributors and Reviewers 356
8 DITSCAP and NIACAP 357
Introduction 357
DITSCAP and NIACAP Overview 359
DITSCAP Background 359
NIACAP Background 360
DITSCAP/NIACAP Definition 360
Definitions 362
Certification 362
Accreditation 362
Program Manager 362
Designated Approving Authority (DAA) 362
Security Manager 363
Certification Agent (CA) 363
User Representative 363
System Security Authorization Agreement (SSAA) 363
Phase 1: Definition 364
Preparation Activity 377
Registration Activity 377
Registration Task 1: Prepare Business or Operational Functional Description and System Identification 368
Registration Task 2: Inform the DAA, Certifier, and User Representative That the System Will Require C&A Support (Register the System) 370
Registration Task 3: Prepare the Environment and Threat Description 374
Registration Task 4: Prepare System Architecture Description and Describe the C&A Boundary 374
Registration Task 5: Determine the System Security Requirements 375
Security Requirements Traceability Matrix (RTM) 376
Registration Task 6: Tailor the C&A Tasks, Determine the C&A Level of Effort, and Prepare a C&A Plan 377
Registration Task 7: Identify Organizations That Will Be Involved in the C&A and Identify Resources Required 382
Registration Task 8: Develop the Draft SSAA 383
The Security System Authorization Agreement (SSAA) 383
Negotiation Activity 386
Negotiation Task 1: Conduct the Certification Requirements Review (CRR) 387
Negotiation Task 2: Agree on the Security Requirements, Level of Effort, and Schedule 387
Negotiation Task 3: Approve Final Phase 1 SSAA 387
Phase 2: Verification 388
SSAA Refinement Activity 389
System Development and Integration Activity 390
Initial Certification Analysis (ICA) Activity 390
Initial Certification Analysis Task 1: System Architectural Analysis 391
Initial Certification Analysis Task 2: Software, Hardware, and Firmware Design Analysis 391
Initial Certification Analysis Task 3: Network Connection Rule Compliance Analysis 392
Initial Certification Analysis Task 4: Integrity Analysis of Integrated Products 392
Initial Certification Analysis Task 5: Life-Cycle Management Analysis 392
Initial Certification Analysis Task 6: Security Requirements Validation Procedure Preparation 393
Initial Certification Analysis Task 7: Vulnerability Assessment 394
Analysis of the Certification Results Activity 396
Phase 3: Validation 397
SSAA Refinement Activity 398
Certification Evaluation of the Integrated System Activity 398
Certification Evaluation Task 1: Security Test and Evaluation (ST&E) 399
Certification Evaluation Task 2: Penetration Testing 400
Certification Evaluation Task 3: TEMPEST and RED-BLACK Verification 400
Certification Evaluation Task 4: COMSEC Compliance Evaluation 401
Certification Evaluation Task 5: System Management Analysis 401
Certification Evaluation Task 6: Site Accreditation Survey 402
Certification Evaluation Task 7: Contingency Plan Evaluation 402
Certification Evaluation Task 8: Risk Management Review 402
Recommendation to DAA Activity 403
DAA Accreditation Decision Activity 403
Phase 4: Post Accreditation 405
System and Security Operation Activities 405
System and Security Operation Task 1: SSAA Maintenance 407
System and Security Operation Task 2: Physical, Personnel, and Management Control Review 407
System and Security Operation Task 3: TEMPEST Evaluation 407
System and Security Operation Task 4: COMSEC Compliance Evaluation 408
System and Security Operation Task 5: Contingency Plan Maintenance 408
System and Security Operation Task 6: Configuration Management 408
System and Security Operation Task 7: System Security Management 409
System and Security Operation Task 8: Risk Management Review 409
Compliance Validation Activity 409
Summary 410
9 C&A NIST SP 800-37 415
Introduction 415
Roles and Responsibilities 418
Scope of C&A Activities 419
The C&A Process 421
System Development Life Cycle 423
Phase 1: Initiation 425
Preparation Activity 425
Preparation Task 1: Information System Description 427
Preparation Task 2: Security Categorization 427
Preparation Task 3: Threat Identification 427
Preparation Task 4: Vulnerability Identification 427
Preparation Task 5: Security Control Identification 427
Preparation Task 6: Initial Risk Determination 427
Notification and Resource Identification Activity 428
Notification Task 1: Notification 428
Notification Task 2: Planning and Resources 428
Security Plan Analysis, Update, and Acceptance Activity 428
Security Plan Task 1: Security Categorization Review 429
Security Plan Task 2: SSP Analysis 429
Security Plan Task 3: SSP Update 429
Security Plan Task 4: SSP Acceptance 429
Phase 2: Security Certification 430
Security Control Assessment Activity 431
Security Control Assessment Task 1: Review Documentation and Supporting Materials 431
Security Control Assessment Task 2: Develop Methods and Procedures 431
Security Control Assessment Task 3: Conduct Security Assessment 432
Security Control Assessment Task 4: Create Security Assessment Report 432
Security Certification Documentation Activity 432
Security Certification Document Task 1: Present Findings and Recommendations 432
Security Certification Document Task 2: Update SSP 432
Security Certification Document Task 3: Prepare Plan of Action and Milestones 432
Security Certification Document Task 4: Assemble Accreditation Package 433
Phase 3: Security Accreditation 434
Security Accreditation Decision Activity 436
Security Accreditation Decision Activity Task 1: Final Risk Determination 436
Security Accreditation Decision Activity Task 1: Residual Risk Acceptability 436
Security Accreditation Package Documentation Activity 436
Security Accreditation Package Task 1: Security Accreditation Package Transmission 437
Security Accreditation Package Task 2: SSP Update 437
Phase 4: Continuous Monitoring 438
Configuration Management and Control Activity 438
Configuration Management Task 1: Documentation of Information System Changes 440
Configuration Management Task 2: Security Impact Analysis 440
Ongoing Security Control Verification Activity 440
Ongoing Security Control Verification Task 1: Security Control Selection 440
Ongoing Security Control Verification Task 2: Selected Security Control Assessment 440
Status Reporting and Documentation Activity 440
Status Reporting and Documentation Task 1: SSP Update 441
Status Reporting and Documentation Task 2: Status Reporting 441
Summary 441
Domain 2 References 442
Web Sites 443
Acronyms 443
ISSE Domain 3: Technical Management
Contributors and Reviewers 447
10 Technical Management 449
Introduction 449
Elements of Technical Management 451
Planning the Effort 453
Starting Off 453
Goals 454
Plan the Effort 456
Task 1: Estimate Project Scope 456
Task 2: Identify Resources and Availability 457
Task 3: Identify Roles and Responsibilities 457
Task 4: Estimate Project Costs 458
Task 5: Develop Project Schedule 458
Task 6: Identify Technical Activities 458
Task 7: Identify Deliverables 458
Task 8: Define Management Interfaces 458
Task 9: Prepare Technical Management Plan 459
Task 10: Review Project Management Plan 460
Task 11: Obtain Customer Agreement 460
Managing the Effort 461
Task 1: Direct Technical Effort 461
Task 2: Track Project Resources 462
Task 3: Track Technical Parameters 462
Task 4: Monitor Progress of Technical Activities 462
Task 5: Ensure Quality of Deliverables 463
Task 6: Manage Configuration Elements 463
Task 7: Review Project Performance 463
Task 8: Report Project Status 464
Technical Roles and Responsibilities 464
Technical Documentation 468
System Engineering Management Plan (SEMP) 469
Quality Management Plan 474
The Concept of Quality 474
Quality Management Plan 476
Quality Control 476
Total Quality Management 478
Quality Management 478
Quality Management in a Project — ISO 10006 479
Configuration Management Plan 484
Reasons for Change 487
Implementation of Changes 487
Evolution of Change 488
Configuration Management as a System 489
CM Management and Planning 489
Configuration Identification 492
Configuration Control 494
Change Initiation 495
The Review Process 497
Configuration Status and Accounting 497
Configuration Verification and Audit 500
Risk Management Plan 501
Statement of Work (SOW) 503
Format 505
Work Breakdown Structure (WBS) 507
WBS and the Systems Security Engineering Process 508
Types of WBS 510
Level Identification 510
Selecting WBS Elements 511
WBS Dictionary 512
What a WBS Is Not 512
Other Work Breakdown Structures 514
Milestones 514
Development of Project Schedules 514
Preparation of Cost Projections 515
Technical Management Tools 516
Scheduling Tools 517
The Gantt Chart 517
The PERT Chart 519
PERT Example 519
Key Events and Activities 520
Defining Logical Relationships 521
Assigning Durations 521
Analyzing the Paths 528
Impact of Change 529
Software Tools 529
Summary 530
References 531
Web Sites 533
ISSEP Domain 4: Introduction to United States Government Information Assurance Regulations
Contributors and Reviewers 536
11 Information Assurance Organizations, Public Laws, and Public Policies 537
Introduction 537
Section 1: Federal Agencies and Organizations 538
U.S. Congress 539
White House 539
Office of Management and Budget (OMB) 540
Director of Central Intelligence/Director of National Intelligence 540
National Security Agency (NSA) 541
NSA Information Assurance Directorate (IAD) 541
National Institute of Standards and Technology (NIST) 542
Committee on National Security Systems (CNSS) 543
National Information Assurance Partnership (NIAP) 543
Section 2: Federal Laws, Executive Directives and Orders, and OMB Directives 543
U.S. Congress: Federal Laws 543
H.R. 145 Public Law: 100-235 (01/08/1988) 544
Chapter 35 of Title 44, United States Code 544
H.R. 2458-48, Chapter 35 of Title 44, United States Code, TITLE III — Information Security §301 Information Security 546
10 USC 2315 Defense Program 548
5 USC § 552a, P.L. 93-579: The U.S. Federal Privacy Act of 1974 549
Fraud and Related Activity in Connection with Computers 550
18 USC § 1030, P.L. 99-474: The Computer Fraud and Abuse Act of 1984, Amended in 1994 and 1996, Broadened in 2001 551
Executive Orders 552
Executive Order (EO) 13231: Critical Infrastructure Protection in the Information Age (October 18, 2001) 552
Office of Management and Budget (OMB) Circulars and Memoranda 553
Office of Management and Budget (OMB) Circular A-130 553
History 554
Circular No. A-130, Revised, Transmittal Memorandum No. 4 (November 2000) 558
OMB M-99-18: Privacy Policies and Data Collection on Federal Web Sites (June 1999) 560
OMB M-00-13: Privacy Policies and Data Collection on Federal Web Sites (June 2000) 560
OMB M-00-07: Incorporating and Funding Security in Information Systems Investments (February 2000) 561
OMB M-01-08: Guidance on Implementing the Government Information Security Reform Act (January 2001) 563
OMB M-03-19: Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting (August 6, 2003) 564
Director of Central Intelligence Directive DCID 6/3 565
Summary 566
References 567
Web Sites 568
12 Department of Defense (DoD) Information Assurance Organizations and Policies 571
Introduction 571
Background Information 572
Communities of Interest 575
Metadata 575
GIG Enterprise Services (GES) 576
Net-Centric Data Strategy 576
Overview of DoD Policies 577
DoD Information Assurance (IA) Organizations and Departments 580
Defensewide Information Assurance Program (DIAP) 580
Defense Information Systems Agency (DISA) 580
Defense Technical Information Center (DTIC®) 581
National Security Agency (NSA) Information Assurance Directorate (IAD) 582
Networks and Information Integration (NII) 582
Information Assurance Support Environment (IASE) 583
Defense Advanced Research Projects Agency (DARPA) 583
DoD Issuances 594
DoD 8500.1 Information Assurance (IA) (October 2002/November 2003) 585
DoD 8500.2 Information Assurance Implementation (February 2003) 589
Robustness Levels 590
DoD IA Policies and DITSCAP 592
DITSCAP Phases 594
DoD 8510.1-M DITSCAP (July 2000) 594
DoD 8510.xx DIACAP 595
Summary 595
References 596
Web Sites 596
13 Committee on National Security Systems 597
Introduction 597
Overview of CNSS and NSTISSC 599
National Communication Security Committee (NCSC) 601
CNSS and NSTISSC Issuances 601
CNSS Policies 601
NSTISSP No. 6, National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems (April 1994) 602
NSTISSP No. 7, National Policy on Secure Electronic Messaging Service (February 1995) 602
NSTISSP No. 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products (Revision June 2003) 603
NSTISSP No. 101, National Policy on Securing Voice Communications (September 1999) 605
NSTISSP No. 200, National Policy on Controlled Access Protection (July 1987) 605
CNSS Policy No. 14, National Policy Governing the Release of Information Assurance Products and Services to Authorized U.S. Persons or Activities That Are Not a Part of the Federal Government (November 2002), Superseded NCSC-2 (1983) 606
NCSC-5, National Policy on Use of Cryptomaterial by Activities Operating in High Risk Environments (U) (January 1981) 608
CNSS Directive 608
NSTISSD-500, Information Systems Security (INFOSEC) Education, Training, and Awareness (February 1993) 608
CNSS Instructions 609
NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP) (April 2000) 610
NSTISSI No. 4009, National Information System Security (INFOSEC) Glossary (Revised May 2003) 610
CNSS (NSTISSI) Training Standards 610
NSTISSI No. 4011, National Training Standard for INFOSEC Professionals (June 1994) 611
CNSSI No. 4012 (June 2004), National Information Assurance Training Standard for Senior System Managers, Supersedes NSTISSI No. 4012, National Training Standard for Designated Approving Authority (DAA) (August 1997) 612
CNSSI No. 4013 (March 2004), National Information Assurance Training Standard for System Administrators, Supersedes NSTISSI No. 4013, National Training Standard for System Administrators (August 1997) 616
CNSSI No. 4014 (April 2004), National Information Assurance Training Standard for Information Systems Security Officers (ISSO), Supersedes NSTISSI No. 4014, National Training Requirements for Information System Security Officers (August 1997) 617
NSTISSI No. 4015, National Training Standard for System Certifiers (December 2000) 618
NSTISSI No. 7003, Protected Distribution Systems (December 1996) 622
NACSI-6002, Protection of Government Contractor Telecommunications (June 1984) 623
CNSS Advisory Memoranda 624
NSTISSAM COMPUSEC 1-98, The Role of Firewalls and Guards in Enclave Boundary Protection (December 1998) 624
NSTISSAM COMPUSEC 1-99, Advisory Memorandum on the Transition from Trusted Computer System Evaluation Criteria to Evaluation Criteria (TCSEC) to the International Common Criteria (CC) for Information Security Technology Evaluation (March 1999) 627
NSTISSAM INFOSEC/1-00, Advisory Memorandum for the Use of FIPS 140 Validated Cryptographic Modules in Protecting Unclassified National Security Systems (February 2000) 627
NSTISSAM INFOSEC 2-00, Advisory Memorandum for the Strategy for Using National Information Assurance Partnership (NIAP) for the Evaluation of Commercial Off-the-Shelf (COTS) Security Enabled Information Technology Products (February 2000) 628
CNSSAM 1-04, Advisory Memorandum for Information Assurance (IA) — Security through Product Diversity (July 2004) 629
Summary 630
References 630
Web Sites 633
14 National Institute of Standar ds and T echnology (NIST)
Publications 635
Introduction 635Federal Information Processing Standards (FIPS) 641FIPS 46-3, Data Encryption Standard (DES) (Reaffirmed October 1999) 643DES Background Information 645FIPS 81, DES Mode of Operation (December 1980) 647
TEAM LinG
Trang 23Electronic Codebook (ECB) Mode 648Cipher Block Chaining (CBC) Mode 650Cipher Feedback (CFB) Mode 651Output Feedback (OFB) Mode 652FIPS 102, Guidelines for Computer Security Certification and
Accreditation (September 1983) 652FIPS 140-2, Security Requirement for Cryptographic Modules
(May 2001; Supersedes FIPS 140-1, January 1994) 662The DES Challenge 662FIPS 197, Advance Encryption Standard (AES) (November 2001) 664FIPS 197 and CNSS Policy No 15 665NIST Special Publications 666NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook (October 1995) 666NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996) 669NIST SP 800-18, Guide for Developing Security Plans for
Information Technology Systems (December 1998) 673Developing an SSP 674NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication (October 2000) 679NIST SP 800-27 Rev A, Engineering Principles for Information
Technology Security: A Baseline for Achieving Security, Revision A (June 2004) 680NIST SP 800-30, Risk Management Guide for Information
Technology Systems (January 2002) 685Overview of Risk Management 686Risk Assessment 688Risk Mitigation 700Evaluation and Assessment 705NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems (September 2002) 706Summary 710References 712Web Sites 714
15 National Infor mation Assurance Partnership (NIAP) and
Common Criteria (CC) 715
Introduction 715Note to ISSEP: You are expected to know Common Criteria
Historical View of IT Security Evaluations 717Trusted Computer System Evaluation Criteria 718The Trusted Network Interpretation (TNI) 721Information Technology Security Evaluation Criteria (ITSEC) 722Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) 724National Information Assurance Partnership (NIAP) 725
Trang 24The Common Criteria 726
CC Part 1: Introduction and General Model 729Protection Profile (PP) 729Security Target (ST) 729Target of Evaluation (TOE) 730Evaluation 730Evaluation Assurance Level (EAL) 730Security Environment 733Security Objectives 735Security Requirements 735TOE Summary Specification 737TOE Implementation 737Protection Profile and Security Target Contents 737Protection Profile Contents 737Security Target Contents 739
CC Part 2: Security Functional Requirements 740
CC Part 3: Security Assurance Requirements 741Protection Profile (PP) and Security Target (ST) Evaluation Criteria 745Assurance Classes, Families, and Components 745Assurance Maintenance Class 748Evaluation Assurance Levels 749
CC Scenario 756Phase 1: Mission/Business Need 756Phase 2: Identify Security Requirements 756Phase 3: Identify Security Architecture 757Phase 4: Develop Detailed Security Design 757Phase 5: Implement System Security 758Phase 6: Assess Security Effectiveness 758Summary 758References 759Web Sites 761
Appendix A: Linking ISSE Phases to SE Phases 763 Appendix B: Enterprise Architecture 777 Appendix C: Combining NIST SP 800-55 and SP 800-26 781 Appendix D: Common Criteria Security Assurance
Requirements 787 Appendix E: ISSEP Sample Questions 805 Index 947
When I started to write this book, my goal was to provide one reference source for information system security practitioners that would be preparing to take the Information Systems Security Engineering Professional® (ISSEP) exam. As the book began to take shape, I realized it was developing into more than just a study book for the ISSEP exam. It had become an encompassing overview of information systems security for the federal government sector, which has been the focus of my career as an information systems security professional.

By the time I took the Certified Information Systems Security Professional (CISSP®) exam in September 2000, I had already been working for several years as a government contractor performing information systems security work for the U.S. government (USG). An important part of my job is to read, understand, and interpret federal laws, regulations, and guidance. In addition to staying current on this wide array of information, I must also adequately provide guidance on how to make it apply and fit within a government agency. Since 1998, I have been working as a contractor for the U.S. Department of State at the Diplomatic Security Training Center. The primary focus of my professional work is on training and mentoring employees who have responsibility for adequately protecting information systems. The recently created ISSEP concentration exam has similar aims in that it tests the knowledge and skills of security professionals in the federal sector. My practical experience in designing and conducting training courses requires that I am well versed in the federal requirements for information systems security; thus the ISSEP exam provided me an opportunity to integrate my experience, practical knowledge, and the documented research in this field into a new publication.

Information Systems Security Engineering (ISSE) is considered a generic process that is applied throughout the system life cycle and provides mechanisms for identifying and evolving security products and processes.
An ISSEP follows and practices the ISSE model to ensure that security is included in the life cycle of systems. Regardless of where in its life cycle the system is, the ISSEP provides security expertise to analyze the protection needs, define the security requirements, and identify the security controls (i.e., products, policies, etc.) in order to meet the security requirements. Security professionals also ensure security controls have been implemented, as well as verifying and validating that the controls have met the necessary security requirements. Thus, the core responsibility of performing the role of an ISSEP is using the ISSE model and then verifying that security has been implemented and is operational (certification and accreditation).

One of the most important and most daunting challenges for an ISSEP lies in having a basic familiarity with various sets of USG regulations. Because of this, you will find that more than one-half of this book is devoted to providing an in-depth overview of some USG policies and procedures. About halfway through my research for this book, I began to tire of reading policy and regulations and, no doubt, you will too. This book is written to provide candidates for the ISSEP exam and those professionals who are already performing ISSEP duties a synopsis of the regulations defined in the ISSEP Common Body of Knowledge® and also those that I think are the most important. Note that the ISSEP Common Body of Knowledge was defined as a collaboration between (ISC)2® and the National Security Agency. If you are performing ISSEP or other information systems security work for the USG, you should take the time to read the entire policies in more detail. Remember you are responsible for the implementation of information security policies. If your organization requires you to follow a specific policy or guideline, it is absolutely necessary that you take the time to read the entire requirement. A note of caution: the information in this book provides a general and often detailed overview; however, it is not so specific that it explains the implementation of every policy or procedure.
Systems engineers will find the ISSE model and concepts similar to systems engineering processes. However, there is one important difference. The ISSE model adds a security element into each phase of the system life cycle. Regardless of your specific background, the principles described throughout the book will be beneficial in all aspects of performing the role of an information systems security professional. One does not need to be a systems engineer to understand the ISSE framework, nor does one need to be a systems engineer to find the ISSE framework useful. Although my background is not systems engineering, for the past eight years I have worked alongside and learned from senior security engineers who are responsible for providing technical security implementations worldwide and also securing the enterprise information systems. Through this experience I have seen the growth and innovation of designing and implementing security through various phases of the system life cycle. For security professionals, the change in having security as a focus seems slow and arduous. However, like me, I hope you too can see that the focus is changing and security is becoming an important attribute of information systems.
With its focus on the federal sector, the ISSEP certification is one of three concentrations of the CISSP certification. However, even if you are not a CISSP and do not plan to take the CISSP or ISSEP certification, the material covered in this book will assist you with understanding security requirements for the USG. Moreover, the principles covered in this text can be beneficial to any project or organization, regardless of whether it is for the private or public sector.

If you are reading this book it means you have become passionate about information systems security. Hopefully, you have also accepted another mission: to speak assertively in meetings about the importance of security matters, to ask the tough questions, and also to provide solutions that will change the way that information is protected. Be assured that your efforts will have an immediate and long-term impact on security issues. It is my sincerest hope that this book will help you make a difference in your organization and in your career, and also, that it will play a role in protecting the nation's information and information systems.

Susan Hansche
September 2005
Susan Hansche, CISSP-ISSEP, is the training director for information assurance at Nortel PEC Solutions in Fairfax, Virginia. She is the lead author of The Official (ISC)2® Guide to the CISSP Exam, which is a reference for professionals in the information systems security field who are studying for the Certified Information Systems Security Professional (CISSP) exam. The Official (ISC)2® book. She has over 15 years of experience in the design and development of training and, since 1998, Ms. Hansche has been instrumental in establishing a full-scale, role-based Information Assurance (IA) training program for the U.S. Department of State. This includes the design, development, and instruction of role-based IA courses to over 1,000 employees per year. In addition, she has taught many IA courses, seminars, and workshops for both the public and private sectors. Since 1992, she has been an adjunct faculty member in the Communication Department at George Mason University in Fairfax, Virginia. Ms. Hansche has written numerous articles on information systems security and training and is a regular speaker at conferences and seminars.

Errata and Comments

Please send errata and other comments to the e-mail address: issep-book@cox.net. A list of current errata can be obtained by sending an e-mail request to this same address.
The IATF is supported by the Information Assurance Technical Framework Forum (IATFF). The IATFF is a National Security Agency (NSA)-sponsored outreach activity created to foster dialog among U.S. government agencies, U.S. industry, and U.S. academia that provide their customers with solutions for information assurance problems. According to the IATFF, "The ultimate objective of the IATFF is to agree on a framework for information assurance solutions that meet customers' needs and foster the development and use of solutions that are compatible with the framework" (IATFF Introduction, p. 1).
The principles outlined in the IATF provide protection based on the concept of layers called "defense-in-depth." Because this concept is important to IA and the ISSE process, more information on defense-in-depth is provided in Chapter 1. Another important concept of the IATF is using a risk-based approach to making decisions, which is discussed in various chapters.
Figure D1.1 shows the relationship of the Department of Defense (DoD) Global Information Grid (GIG) to the IATF and provides an overview of the intended use of the IATF. It is the combination of people, technology, and operations that provides adequate protections. Federal agencies could follow a similar relationship format. According to its designers, the IATF is "a leading source of information on security solutions implemented through the application of technology" (IATF, Introduction, p. 2).
The IATF has four main sections. Figure D1.2 is a graphical view of the IATF sections. In the first four chapters, general IA guidance is provided so that information system users, security architects, software architects, system architects, security engineers, software engineers, systems engineers, and others can gain a better understanding of the IA issues involved in protecting today's interconnected information systems.

Figure D1.1 IATF relationship to GIG policy (Source: From IATF, Introduction, p. 2.)
The chapters in this domain are based primarily on IATF Chapter 3, "The Information Systems Security Engineering Process." IATF Chapters 5 through 10 and Appendices A through E, H, and J provide specific requirements and solutions for each of the defense-in-depth areas. The Executive Summaries provide outlines of the threats, requirements, and recommended solutions for a variety of specific protection needs in specific environments. Appendix G discusses the Common Criteria Protection Profiles for a system or product. The IATF is considered an evolving document; thus, some sections are still in development and continue to be updated by the IATFF. More information on the IATF can be found at www.iatf.net.

Figure D1.2 IATF composition (Source: From IATF, p. 1-16.)
Note to ISSEP candidates: The ISSE model is one of the fundamental elements of the ISSEP® exam and of being an ISSE professional. Key to understanding this process is recognizing the importance of identifying security requirements based on a mission need and creating a security architecture that provides the appropriate level of controls needed. Do not get stuck in the details of the systems engineering elements for each phase; instead, be sure to comprehend the fundamental security elements that are presented.
Contributors and Reviewers
Susan Hansche researched, contributed, and finalized the material in this domain. She would like to thank the following individuals for reviewing some or all of the material in this domain:
Robert B. Batie, CISSP, ISSAP, ISSEP, CISM, is a Security Engineering Manager for Raytheon NCS, St. Petersburg, Florida.

Benjamin Bergersen, CISSP, CISA, IAM, is a Security & Privacy Senior in the Washington Federal Practice at PricewaterhouseCoopers.

Larry L. Buickel, CISSP, is an enterprise security consultant with Graphic Example Technologies, Inc.

Aaron J. Ferguson, Ph.D., CISSP, is an Assistant Professor & National Security Agency Visiting Fellow, Department of Electrical Engineering & Computer Science, United States Military Academy at West Point, New York.

Richard K. McAllister is a developer and instructor of the Protection Needs Elicitation Course and other ISSE courses for the NSA/National Cryptologic School, as well as a practitioner in ISSE as a senior scientist at SPARTA Inc.

Cheryl Resch works in the Information Operations Group at Johns Hopkins University Applied Physics Lab, Columbia, Maryland.

Steven Rodrigo, CISSP, is a senior systems security analyst at Tenacity Solutions, Herndon, Virginia.

Blair Semple, CISSP, is the Director of Business Development and a Technology Officer for Kasten Chase in Sterling, Virginia.

Carl H. Stucke, Ph.D., is Security SIG Coordinator in the Department of Computer Information System at Robinson College of Business, Georgia State University.
Of critical importance and necessity is the USG's ability to adequately protect its information and information systems. Along with this is the fact that networks and systems processing get more complex every day. It is this vital need and increasing complexity that requires a new way of thinking — one that combines information systems security with traditional security disciplines, such as physical security and personnel security.

In response to the emerging demands for greater USG information systems security capabilities, the National Security Agency's Information Systems Security Organization (NSA ISSO) instituted a Systems Security Engineering Process Action Team (SSE PAT) in mid-1993. The mission of the SSE PAT was to synthesize previous and new information systems security initiatives into a consistent, customer-focused model for Information Systems Security Engineering (ISSE), which is intended as a discipline of Systems Engineering. Although the ISSE process can be tailored to any organization, the design is intended for and focuses on following USG standards and directives for systems acquisition, system life cycle, system components, system certification and accreditation, etc. (IATF Introduction).
To help understand the field of ISSE, this chapter (Figure 1.1) begins with definitions of several key terms related to ISSE and Systems Engineering. The second section defines the six phases of the ISSE model. The remaining sections discuss several concepts important to the role of an Information Systems Security Engineering Professional (ISSEP®). The sections are:
SE and ISSE Overview
ISSE Model
Life Cycle and ISSE
Risk Management
Defense in Depth
SE and ISSE Overview
Because it is fundamental to this domain, we begin with some definitions — the first is answering the question, "What is a system?"

A system can be defined as a combination of elements or parts that are designed to function as a unitary whole to achieve an objective.
In 1998, the Institute of Electrical and Electronics Engineers (IEEE) released the "IEEE 1220 Standard for Application and Management of the Systems Engineering Process." This standard defines systems "as related elements (subsystems and components) and their interfaces" (p. 2). These elements include the hardware, software, and people required to develop, produce, test, distribute, operate, support, or dispose of the element's products, or to train those people to accomplish their role within the system. The system may also be an element of a larger system, where it is then necessary to understand and define the boundaries of the system and the interfaces between this system and other systems.
To fully appreciate the definition, it is important to look at some key words. For it to be a system, the elements must have been designed with the purpose of achieving a goal. Having a specific purpose is a fundamental characteristic of a system. The system can have one or multiple functions to achieve its purpose or objective.
Not every combination of components is a system — it is the combination of components specifically designed to meet a goal that makes a system. Not only must the components be designed together, but they also need to be designed in such a manner that they function together — they perform certain actions in specific ways. Thus, they are not merely a collection of things, but rather components assembled to function as a whole. This whole must then, as a system, achieve an objective. For example, an air conditioning system contains a compressor, air handler, vents, and thermostat controller — these components, when combined, function for a purpose: cooling air. Therefore, a system must have at least one defined function that is designed to achieve a specific goal.
A system can also be viewed as an element of a larger system. The challenge is to understand the boundary of the system and the relationships between this system and other systems.
The basic building blocks of a system are shown in Figure 1.2. Of importance to this definition is the inclusion of several life-cycle phases such as design and development, manufacturing and construction, test, distribution, operation, support, training, and disposal. IEEE 1220 defines the elements as the:

System itself
System's-related product(s) and subsystems
Life-cycle processes required to support the products and subsystems that make up the product(s)

Typically, a system combines products developed by the organization or outside vendors. Each vendor considers its product as part of its system. Products purchased by vendors are typically referred to as subcomponents,
Figure 1.1 Chapter overview. (Figure boxes: ISSE Introduction Chapter Overview; SE and ISSE Overview.)