USAID Mission Site Vulnerability Assessment and Remediation

1.0 Identification Data
1.1 BSP Number
00019
1.2 BSP Title/Name
USAID Mission Site Vulnerability Assessment and Remediation
1.3 Version Number
1.0
1.4 Adoption Date
07/07/2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee (SPS)
1.6 Responsible Organization

United States Agency for International Development (USAID), Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team

1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported

Security Process Framework:

  • 1.6.3.2, Monitor Effectiveness and Compliance of Organizational Technical Security Program
  • 2.6.3.4.4, Review Security Posture
  • 2.8.2.2.1, Assess Vulnerability

SSE CMM Framework:

  • PA-05, Assess Vulnerability

OMB Circular A-130, Appendix III, Section A:

  • 3.a.3, Review of Security Controls
1.9 Reserved
1.10 Points of Contact

Government BSP Owner:
Yes, post this contact information with the publicly accessible BSP.

  • James P. Craft, CISSP
    USAID Information Systems Security Officer
    Ronald Reagan Building
    1300 Pennsylvania Ave.
    Suite 2.12-032
    Washington DC 20523-2120
    Telephone No. 202-712-5460
    Fax No. 202-712-3053
    E-mail: jcraft@usaid.gov
    Also: cassistance@usaid.gov

Vendor Partner:

Yes, post this contact information with the publicly accessible BSP.

2.0 What This BSP Does
2.1 BSP's Purpose
This BSP describes the steps in the Information Security Vulnerability Assessment and Remediation Process applied at USAID Mission sites, and provides references to supporting documents.  These documents include other BSPs, checklists, templates for reports to local Mission and Headquarters management, and industry and government standards addressing portions of the tasks named here.  It is a first-level description of the whole Information Security Vulnerability Assessment and Remediation Process, and a guide to sources of more detailed information about each element of the process.
2.2 Requirements for this BSP
OMB A-130 Appendix III, Section A.3a.3 states:
"Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system. Depending on the potential risk and magnitude of harm that could occur, consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act (FMFIA), if there is no assignment of security responsibility, no security plan, or no authorization to process for a system."
2.3 Success Stories
The following letter is from a Mission expressing appreciation for the improvement in security capability at its location achieved through this Security Vulnerability Assessment Process.  Because Security Vulnerability Assessment is performed repetitively at all USAID Mission sites, similar results continue to be produced at other locations and are expected to occur during the next visit to the Peru site.
Subject:  COMPUTER SECURITY TEAM VISIT
Source: David Bayer, USAID Peru Executive Office

If you have the opportunity to have the Information Systems Security Officer (ISSO) Jim Craft and his [Security Vulnerability] Assessment Program Area Manager, Rodney Murphy, visit your Mission with their team of computer security experts, then take advantage of it. They did one hell of a job during their February [1999] visit with us at USAID/Peru in getting us up to speed and raising our level of consciousness about security issues. This is not to say that our dedicated IRM staff, led by Systems Manager, Lucho Figueroa, have not been working their hearts out to get us into shape, but it is a real injection of energy to have professional people like Jim, Rodney, John Zoble, Mike Reiter and Steve Bui come in and sit down to review your Computer Security Program and Computer Contingency Plan with you.

And last but not least, they have given us some key advice and methods for closing out some computer security audit issues which are not only USAID/Peru exposures but endemic to all Missions worldwide.

Computer security is becoming an important issue for USAID and all organizations. In this environment, new security standards and having a formal security program in each overseas Mission is very important.
USAID/Peru was selected as a Beta site....
3.0 What This BSP Is
3.1 Description of BSP

The Information Security Vulnerability Assessment (VA) process is performed at USAID Mission locations whenever a Triggering Event happens. This trigger usually occurs routinely, activated by scheduled system changes at a Mission or by expiration of the OMB-specified three-year interval since the last VA. These assessments ensure that a Mission's systems are installed and maintained according to current Agency policies and specifications. Occasionally, the trigger is activated by a security-relevant event of sufficient magnitude to disrupt normal processing somewhere in the USAID network, revealing an unexpected weakness in the standard system configuration.  Assessments responding to these events ensure that the new information gained has been applied at each Mission in the way most effective for that site's configuration.

Information Security Vulnerability Assessment is a repetitive process.  Each cycle begins with the Triggering Event and ends with the Final Report step, which resets the Trigger in anticipation of the next assessment.  Figure 3.1-1 illustrates the process.  The names of the steps are in the boxes forming the inner circle.  The products of the steps are beside the arrows forming the outer circle.  This BSP shows the sequence of tasks comprising the VA Process cycle, indicates where more details may be found for each task, and illustrates the main points of coordination between USAID management officials and the VA team.  Each of these major actors has a role in the successful completion of the process.

Figure 3.1-1 USAID Mission Security Vulnerability Assessment Cycle

Figure 3.1-1 LEGEND

Trigger: A condition or event, planned or random, which activates the cycle.  May be a periodically scheduled event or a response to a detected incident.

Coordinate: Assessor teams and cognizant site representatives interact.  Includes production of approvals, schedules, site surveys, questionnaires, checklists, and travel/visit-relevant activities.

Probe/Scan: Evaluation of the target site for general and specific vulnerabilities.

Analyze: Review of detected vulnerabilities, used to define corrective measures.  Results depend upon the specific tool used.

Advise: An immediate-needs report.  Responds to critical vulnerabilities without delay.  Not necessarily formal in structure.

Correct: Apply software updates/patches, configuration changes and other vulnerability countermeasures.  The current program includes training and assistance to site representatives in defining security and contingency plans.

Validate: Re-evaluation, using probe/scan, to confirm the effectiveness of corrections.

Report: Final, formal documentation of current site status; advisory to site representatives of any remaining, unresolved vulnerabilities.  Defines the modified site baseline.  Includes post-activity feedback from the target site.  End of this phase resets the trigger for the target site.

3.1.1 Inputs

Note: This list suggests the information that may be available to the VA team. Not every document may be available for every VA visit, but the more that are available, the better focused and more efficient the visit becomes. Improved team focus results in more useful information for the Mission Director, Executive Officer (EXO), System Administrators and users.  The list is compiled during the Visit Coordination phase, through an exchange of questionnaires and other correspondence between the VA team and cognizant Mission officials. These inputs are:

a. Approved Mission Security Plan;
b. USAID Automated Directive System (ADS);
c. VA Team Visit Schedule;
d. Action Items from last VA Team visit;
e. Current Threats List published by CERT, SANS and system-specific authoritative sources such as NTBUGTRAQ;
f. Intrusion Detector Alarm logs;
g. Firewall Incident logs;
h. Current system hardware and software configuration details.

3.1.2 Processes

Step 1, Trigger: Determine from the Input data that a triggering event has happened.
Step 2, Coordinate: Determine the details of a visit from the VA team home location:

a. Initiate survey questionnaires, to determine user/manager knowledge of security-relevant features of on-site systems and networks;
b. Obtain access permissions for the sites;
c. Select assessment tools matched to site configurations; build a detailed assessment plan; prepare the assessment checklist;
d. Designate team members from USAID and the VA contractor, with skills matched as closely as possible to the site's system components;
e. Obtain USAID management approval;
f. Make travel arrangements 30 days in advance of the departure date;
g. Using the Input documents, preconfigure and pack the assessment tool kit.
Step 3, Probe and Scan:
a. Travel to the Mission and execute the pre-assessment steps, which include:
  • Introduce the team in an initial briefing to the Mission Director, EXO, System Administrators and other interested parties;
  • Evaluate the assessment checklist against the actual configuration status at the Mission; update the checklist as required;
b. Run the tools appropriate for the system being reviewed to determine where configuration problems exist (tools are described in Section 4.4 of BSP 0001 and in BSP 0003);
c. Update the checklist as each item is verified or corrected;
d. Mark items not found on the checklist for analysis.
Step 4, Analyze: Document problems; evaluate and obtain patches or fixes. Submit items implemented as a result of the analysis for addition to the OS checklist.
Step 5, Advise: Coordinate and document all changes with application owners and system administrators.
Step 6, Correct: Correct the identified problems by applying software updates and patches, reconfiguration and other countermeasures.
Step 7, Validate: Rerun the tool appropriate for the system being reviewed to confirm that the configuration problems have been resolved.  Document any remaining vulnerability.
Step 8, Report: Draft the final report; obtain site staff concurrence and additional input. Prepare the Final Report and forward it to the organization's ISSO, the reviewed system's owner, and other appropriate parties.
Step 9, Outbrief: Present the outbrief, ensuring that site conditions are fully understood and accurately described.
3.1.3 Outputs
Advice and Final Report; see BSP 0004.
3.2 Relationship to Other BSPs
  1. BSP 0001, Detecting Unauthorized Modem Connections at USAID Missions, explains the dial-up line security process followed during a cyber-assistance visit.  This process evaluates the security vulnerability of a Mission's communications facilities outside the Internet.
  2. BSP 0002, Developing Security Plans at USAID Missions, explains the process of building and obtaining official approval for the security plan document which governs all subsequent security-related efforts at a Mission location.
  3. BSP 0003, Configuring Technical Safeguards, shows details of the system attributes being examined during a cyber-assistance visit, explains the processes used in the assessment steps, and gives reasons for selecting the recommended IT system configuration values.
  4. BSP 0004, Training, often accompanies the cyber-assistance visit, to familiarize Mission staff with the latest practices being introduced into USAID and to demonstrate the corrections being made to the Mission's information processing facilities.
4.0 How To Use This BSP
4.1 Implementation Guidance
Referring to Figure 3.1-1, USAID Mission Directors, EXOs and System Administrators should be aware of all phases of the Assessment process, from the Coordinate step to the Final Report step.  EXOs are most engaged during the Coordinate, Advise and Report steps; System Administrators and other technical staff are most engaged during the Probe/Scan, Correct and Validate steps.
4.2 Implementation Resource Estimates
Vulnerability Assessment visits normally require 5 days on-site.  The assessment team, usually consisting of 5 or 6 people, can work unassisted during much of this time.  The Coordinate and Report steps in Figure 3.1-1 are most effective when attended by the Assessment Team Leader, the EXO and the System Administrator, plus other local staff designated by these Mission supervisors.  Each training session normally lasts 1 hour, attended by the Assessment Team Trainer and Mission personnel designated by the Director or EXO.  Coordination sessions usually start before the Assessment Team arrives.  Preliminary meetings usually take place via e-mail or brief telephone calls, to consider trip logistics.  The initial visit meeting usually lasts less than an hour, because most details have already been worked out. Final meeting time varies, depending on the team's findings and the contents of the final report.  Team experience indicates that this meeting usually requires about 1 hour to present results, and an additional half hour for discussion.  Those attending include the Mission Director, EXO, System Administrator, and 2 or 3 other people nominated by these officials.
4.3 Performance Goals and Indicators (Metrics)

General Goal: To select and apply the processes described in BSPs 0001 through 0004, which together identify and eliminate the security vulnerabilities associated with the configuration of the subject information systems.
Output Goal: To bring a Mission's security vulnerability posture into compliance with OMB A-130 guidelines.
General Objective: To protect automated information systems against potential threats.

4.4 Tools
None applicable.
4.5 Training Materials
Presentations are tailored to the site's needs, based on returns from the questionnaires.  Initial materials include the standard courseware on file at USAID Headquarters, plus resources known to the team Training member.  This member is selected for his/her experience in the areas of interest.
Appendices
A Executive Overview and Briefing
BSP 0004 shows an example in-briefing presentation.
B Reference List
  1. National Institute of Standards and Technology (NIST) Special Publication 800-14, September 1996, Generally Accepted Principles and Practices for Securing Information Technology Systems. Guides organizations on the types of controls, objectives, and procedures that comprise an effective security program.
  2. National Institute of Standards and Technology (NIST) Special Publication 800-18, December 1998, Guide for Developing Security Plans for Information Technology Systems.  Details the specific controls that should be documented in a security plan.
  3. National Institute of Standards and Technology (NIST) Federal Information Processing Standards Publication 191, November 1994, Guideline for the Analysis of Local Area Network Security.
  4. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000, April 2000, National Information Assurance Certification and Accreditation Process (NIACAP).
  5. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4013 and 4014, August 1997, National Training Standard for System Administrators and Information Systems Security officers (ISSO) in Information Systems Security (INFOSEC).
  6. Office of Management and Budget (OMB) Circular A-130, Appendix III, February 8th, 1996, requires Risk Assessment every three years or sooner when changes take place in Information Technology systems and major applications.
  7. USAID Automated Directives System (ADS), Section ADS-545, Security Policies.  (available on the USAID Internal Network.)
  8. System Administration, Networking, and Security (SANS) Institute 5401 Westbard Ave. Suite 1501, Bethesda, MD 20816, is a cooperative research and education organization for system administrators, security professionals, and network administrators.
  9. The Computer Emergency Reaction Team (CERT®) Coordination Center (CERT/CC) is a center of Internet security expertise. It is located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University, Pittsburgh, PA. The CERT®/CC studies Internet security vulnerabilities, handles computer security incidents, publishes a variety of security alerts, does research for long-term changes in networked systems, and develops information and training to help improve security at information processing sites.
C Procurement Information
The United States Agency for International Development (USAID) has contracted for general IRM support with Computer Sciences Corporation (CSC) under the Agency's Principal Resource for Information Management Enterprise-wide (PRIME) contract (GS00K96AJD0012) with FEDSIM.  USAID obtains its information system security support from CSC under the PRIME contract using the Performance Work Statement (PWS) tasking method.
D Evaluation Information
  Not to be completed by the drafter.
E Recommended Changes
  Not to be completed by the drafter.
F Glossary

Acronym: Meaning

ADS: USAID Automated Directives System - Management

BSP: Best System Practices, published by the Chief Information Officers' Council

CERT: Computer Emergency Reaction Team, a task force which develops repairs for Internet security incidents; based at Carnegie-Mellon University, Pittsburgh, PA.

COG: Continuity of Government

COOP: Continuity of (Information Processing) Operations

CSC: Computer Sciences Corporation

EXO: USAID Mission Executive Officer

FEDSIM: Federal Systems Integration and Management Center, a contracting office within the General Services Administration

IRM: Information Resources Management

ISSO: Information Systems Security Officer

M/IRM: USAID Bureau for Management, Information Resources Management

NCSC: National Computer Security Center, the civilian security standards-setting office of the National Security Agency. Recommends applications of military information security standards for commercial uses.

NIST: National Institute of Standards and Technology, official United States center for maintenance of standard values for the physical, chemical and biological sciences. Charged with maintaining Information Technology standards by the Brooks Act of 1984.

NTBUGTRAQ: Incident reporting and tracking center for Windows NT security issues

OMB: Executive Office of Management and Budget

PRA: Paperwork Reduction Act of 1995

PRIME: Principal Resource for Information Management Enterprise-wide, a general support contracting vehicle for IRM services

PWS: Performance Work Statement, a means for assigning explicit increments of work within a general contracting vehicle

SANS: System and Network Security Institute, a network security analysis and training group

USAID: United States Agency for International Development

VA: (Security) Vulnerability Assessment