1.0 Identification Data

1.1 BSP Number: 00019

1.2 BSP Title/Name: USAID Mission Site Vulnerability Assessment and Remediation

1.3 Version Number: 1.0

1.4 Adoption Date: 07/07/2001

1.5 Approving Authority: CIO Council Security Practices Subcommittee (SPS)

1.6 Responsible Organization: United States Agency for International Development (USAID), Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team

1.7 Level of BSP: Candidate

1.8 Security Processes or other Framework(s) Supported:

Security Process Framework:
- 1.6.3.2, Monitor Effectiveness and Compliance of Organizational Technical Security Program
- 2.6.3.4.4, Review Security Posture
- 2.8.2.2.1, Assess Vulnerability

SSE CMM Framework:
- PA-05, Assess Vulnerability

OMB Circular A-130, Appendix III, Section A:
- 3.a.3, Review of Security Controls

1.9 Reserved

1.10 Points of Contact

Government BSP Owner: Yes, post this contact information with the publicly accessible BSP.
- James P. Craft, CISSP
  USAID Information Systems Security Officer
  Ronald Reagan Building
  1300 Pennsylvania Ave.
  Suite 2.12-032
  Washington DC 20523-2120
  Telephone No. 202-712-5460
  Fax No. 202-712-3053
  E-mail: jcraft@usaid.gov
  Also: cassistance@usaid.gov

Vendor Partner: Yes, post this contact information with the publicly accessible BSP.
2.0 What This BSP Does

2.1 BSP's Purpose

This BSP describes the steps in the Information Security Vulnerability Assessment and Remediation Process applied at USAID Mission sites, and provides references to supporting documents. These documents include other BSPs, checklists, templates for reports to local Mission and Headquarters management, and industry and government standards addressing portions of the tasks named here. It is a first-level description of the whole Information Security Vulnerability Assessment and Remediation Process, and a guide to sources of more detailed information about each element of the process.

2.2 Requirements for this BSP

OMB A-130 Appendix III, Section A.3a.3 states:

"Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system. Depending on the potential risk and magnitude of harm that could occur, consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act (FMFIA), if there is no assignment of security responsibility, no security plan, or no authorization to process for a system."

2.3 Success Stories

This letter is from an organization expressing appreciation for raising the security capability at their location through use of this Security Vulnerability Assessment Process. Because Security Vulnerability Assessment is performed repetitively at all USAID Mission sites, similar results continue to be produced at other locations and are expected to occur during the next visit to the Peru site.

Subject: COMPUTER SECURITY TEAM VISIT
Source: David Bayer, USAID Peru Executive Office

If you have the opportunity to have the Information Systems Security Officer (ISSO) Jim Craft and his [Security Vulnerability] Assessment Program Area Manager, Rodney Murphy, visit your Mission with their team of computer security experts, then take advantage of it. They did one hell of a job during their February [1999] visit with us at USAID/Peru in getting us up to speed and raising our level of consciousness about security issues. This is not to say that our dedicated IRM staff, led by Systems Manager, Lucho Figueroa, have not been working their hearts out to get us into shape, but it is a real injection of energy to have professional people like Jim, Rodney, John Zoble, Mike Reiter and Steve Bui come in and sit down to review your Computer Security Program and Computer Contingency Plan with you.

And last but not least, they have given us some key advice and methods for closing out some computer security audit issues which are not only USAID/Peru exposures but endemic to all Missions worldwide.

Computer security is becoming an important issue for USAID and all organizations. In this environment, new security standards and having a formal security program in each overseas Mission is very important. USAID/Peru was selected as a Beta site....
3.0 What This BSP Is

3.1 Description of BSP

The Information Security Vulnerability Assessment (VA) process is performed at USAID Mission locations whenever a Triggering Event happens. This trigger usually occurs routinely, activated by scheduled system changes at a Mission or expiration of the OMB-specified three-year interval since the last VA. These assessments assure that a Mission's systems are installed and maintained according to current Agency policies and specifications. Occasionally, the trigger is activated by a security-relevant event of sufficient magnitude to disrupt normal processing somewhere in the USAID network, which reveals an unexpected weakness in the standard system configuration. Assessments responding to these events assure that the new information gained has been applied at each Mission in the way most effective for that site's configuration.

Information Security Vulnerability Assessment is a repetitive process. Each cycle begins with the Triggering Event and ends with the Final Report step, which resets the Trigger in anticipation of the next assessment. Figure 3.1-1 illustrates the process. The names of the steps are in the boxes forming the inner circle. The products of the steps are beside the arrows forming the outer circle. This BSP shows the sequence of tasks comprising the VA Process cycle, indicates where more details may be found for each task, and illustrates the main points of coordination between USAID management officials and the VA team. Each of these major actors has a role in the successful completion of the process.

Figure 3.1-1 USAID Mission Security Vulnerability Assessment Cycle

Figure 3.1-1 LEGEND

| Step | Description |
| --- | --- |
| Trigger | A condition or event, planned or random, which activates the cycle. May be a periodically scheduled event or a response to a detected incident. |
| Coordinate | Assessor teams and cognizant site representatives interact. Includes production of approvals, schedules, site surveys, questionnaires, checklists, and travel/visit-relevant activities. |
| Probe/Scan | Evaluation of the target site for general and specific vulnerabilities. |
| Analyze | Review of detected vulnerabilities, used to define corrective measures. Results depend upon the specific tool used. |
| Advise | An immediate needs report. Responds to critical vulnerabilities without delay. Not necessarily formal in structure. |
| Correct | Apply software updates/patches, configuration changes and other vulnerability countermeasures. The current program includes training and assistance to site representatives in defining security and contingency plans. |
| Validate | Reevaluation, using probe/scan, to confirm the effectiveness of corrections. |
| Report | Final, formal documentation of current site status; advisory to site representatives of any remaining, unresolved vulnerabilities. Defines the modified site baseline. Includes post-activity feedback from the target site. The end of this phase resets the trigger for the target site. |
3.1.1 Inputs

Note: This list suggests the information that may be available to the VA team. Not every document may be available for every VA visit, but the more that are available, the better focused and more efficient the visit becomes. Improved team focus results in more useful information for the Mission Director, Executive Officer (EXO), System Administrators and users. The list is compiled during the Visit Coordination phase, through an exchange of questionnaires and other correspondence between the VA team and cognizant Mission officials. These inputs are:

a. Approved Mission Security Plan;
b. USAID Automated Directive System (ADS);
c. VA Team Visit Schedule;
d. Action Items from the last VA Team visit;
e. Current Threats List published by CERT, SANS and system-specific authoritative sources such as NTBUGTRAQ;
f. Intrusion Detector Alarm logs;
g. Firewall Incident logs;
h. Current system hardware and software configuration details.
3.1.2 Processes

Step 1, Trigger: Determine from Input data that a triggering event has happened.

Step 2, Coordinate: Determine details of a visit from the VA team home location:
a. Initiate survey questionnaires, to determine user/manager knowledge of security-relevant features of on-site systems and networks;
b. Obtain access permissions for sites;
c. Select assessment tools matched to site configurations; build a detailed assessment plan; prepare the assessment checklist;
d. Designate team members from USAID and the VA contractor, with skills matched as closely as possible to site system components;
e. Obtain USAID management approval;
f. Make travel arrangements, 30 days in advance of the departure date;
g. Using Input documents, preconfigure and pack the assessment tool kit.

Step 3, Probe and Scan:
a. Travel to the Mission and execute pre-assessment steps, which include:
   - Introduce the team in an initial briefing to the Mission Director, EXO, System Administrators and other interested parties;
   - Evaluate the assessment checklist against actual configuration status at the Mission; update the checklist as required;
b. Run tools appropriate for the system being reviewed to determine where configuration problems exist (tools are described in Section 4.4 of BSP 0001 and BSP 0003);
c. Update the checklist as each item is verified/corrected;
d. Mark items found by the tools but not on the checklist for analysis.

Step 4, Analyze: Document problems, evaluate and obtain patches or fixes. Submit items implemented as a result of the analysis for addition to the OS checklist.

Step 5, Advise: Coordinate and document all changes with Application owners and system administrators.

Step 6, Correct: Correct the identified problems: apply software updates and patches, reconfiguration and other countermeasures.

Step 7, Validate: Rerun the tool appropriate for the system being reviewed to determine that the configuration problems have been resolved. Document any remaining vulnerability.

Step 8, Report: Draft the final report, obtain site staff concurrence and additional input. Prepare the Final Report and forward it to the organization's ISSO, the reviewed system's owner, and other appropriate parties.

Step 9, Outbrief: Present the outbrief; ensure that site conditions are fully understood and accurately described.
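The checklist bookkeeping behind Steps 3c/3d, 4, 5 and 7 can be expressed as a small comparison routine. This is an added illustration, not code from the BSP or from USAID; every host label, checklist item id and finding below is constructed sample data, and the Step 7 comparison also flags regressions (findings present only after correction), which the rescan must surface even though the BSP text does not spell that case out.

```python
"""Checklist bookkeeping for the Probe/Scan, Analyze, Advise and Validate steps.

Added illustration; not from the BSP. All hosts, item ids and findings are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str       # constructed host label
    item: str       # checklist item id or scanner finding id (constructed)
    severity: str   # "critical" findings go to the Advise step immediately


def triage_scan(checklist, findings):
    """Steps 3c/3d: split scanner output into failed checklist items and
    findings the checklist does not yet cover (marked for Analyze)."""
    failed = [f for f in findings if f.item in checklist]
    uncovered = [f for f in findings if f.item not in checklist]
    return failed, uncovered


def extend_checklist(checklist, uncovered):
    """Step 4: submit newly analysed items for addition to the OS checklist."""
    updated = dict(checklist)
    for f in uncovered:
        updated.setdefault(f.item, f"added after analysis on {f.host}")
    return updated


def immediate_advice(findings):
    """Step 5: critical findings reported without waiting for the final report."""
    return sorted({(f.host, f.item) for f in findings if f.severity == "critical"})


def validate(before, after):
    """Step 7: compare the rescan with the pre-correction scan. Returns
    resolved, remaining and regressed (new since correction) findings keyed by
    (host, item); regressions are the edge case the rescan exists to catch."""
    b = {(f.host, f.item): f for f in before}
    a = {(f.host, f.item): f for f in after}
    resolved = sorted(k for k in b if k not in a)
    remaining = sorted(k for k in b if k in a)
    regressed = sorted(k for k in a if k not in b)
    return resolved, remaining, regressed


# Constructed sample: one checklist and two scan passes at a single Mission.
CHECKLIST = {"OS-01": "patch level current", "OS-02": "guest account disabled"}
BEFORE = [Finding("srv1", "OS-01", "high"), Finding("srv1", "OS-02", "critical"),
          Finding("ws7", "NET-09", "medium")]
AFTER = [Finding("srv1", "OS-01", "high"), Finding("ws7", "MODEM-03", "high")]


def run_cycle():
    """Run the bookkeeping for one VA cycle and return the Report-step summary."""
    failed, uncovered = triage_scan(CHECKLIST, BEFORE)
    resolved, remaining, regressed = validate(BEFORE, AFTER)
    return {"checklist": extend_checklist(CHECKLIST, uncovered),
            "advice": immediate_advice(failed), "resolved": resolved,
            "remaining": remaining, "regressed": regressed}


if __name__ == "__main__":
    for key, value in run_cycle().items():
        print(key, value)
```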
3.1.3 Outputs

Advice and Final Report; see BSP 0004.

3.2 Relationship to Other BSPs

- BSP 0001, Detecting Unauthorized Modem Connections at USAID Missions, explains the dial-up line security process followed during a cyber-assistance visit. This process evaluates the security vulnerability of a Mission's communications facilities outside the Internet.
- BSP 0002, Developing Security Plans at USAID Missions, explains the process of building and obtaining official approval for the security plan document which governs all subsequent security-related efforts at a Mission location.
- BSP 0003, Configuring Technical Safeguards, shows details of the system attributes being examined during a cyber-assistance visit, explains the processes used in the assessment steps, and gives reasons for selecting the recommended IT system configuration values.
- BSP 0004, Training, often accompanies the cyber-assistance visit, to familiarize Mission staff with the latest practices being introduced into USAID and to demonstrate corrections being made to the Mission's information processing facilities.
4.0 How To Use This BSP

4.1 Implementation Guidance

Referring to Figure 3.1-1, USAID Mission Directors, EXOs and System Administrators should be aware of all phases of the Assessment process, from the Coordinate Visit step to the Final Report step. EXOs are most engaged during the coordinate, advise and report steps; System Administrators and other technical staff are most engaged during the probe/scan (measurement), correct and validate steps.

4.2 Implementation Resource Estimates

Vulnerability Assessment visits normally require 5 days on-site. The assessment team, usually consisting of 5 or 6 people, can work unassisted during much of this time. The Coordinate and Report steps in Figure 3.1-1 are most effective when attended by the Assessment Team Leader, the EXO and the System Administrator, plus other local staff designated by these Mission supervisors. Each training session normally lasts 1 hour, attended by the Assessment Team Trainer and Mission personnel designated by the Director or EXO. Coordination sessions usually start before the Assessment Team arrives. Preliminary meetings usually take place via e-mail or brief telephone calls, to consider trip logistics. The initial visit meeting usually lasts less than an hour, because most details have already been worked out. Final meeting time varies, depending on the team's findings and the contents of the final report. Team experience indicates that this meeting usually requires about 1 hour to present results, and an additional half hour for discussion. Those attending include the Mission Director, EXO, System Administrator, and 2 or 3 other people nominated by these officials.

4.3 Performance Goals and Indicators (Metrics)

General Goal: To select and apply the processes described in BSPs 0001 through 0004 which together identify and eliminate the security vulnerabilities associated with the configuration of the subject information systems.

Output Goal: To bring a Mission's security vulnerability into compliance with OMB A-130 guidelines.

General Objective: To protect automated information systems against potential threats.

4.4 Tools

None applicable.

4.5 Training Materials

Presentations are tailored to the site's needs, based on returns from questionnaires. Initial materials include the standard courseware on file at USAID Headquarters, plus resources known to the team Training member. This member is selected for his/her experience in the areas of interest.
Appendices

A. Executive Overview and Briefing

BSP 0004 shows an example in-briefing presentation.

B. Reference List

- National Institute of Standards and Technology (NIST), Special Publication 800-14, September 1996, Generally Accepted Principles and Practices for Securing Information Technology Systems. Guides organizations on the types of controls, objectives, and procedures that comprise an effective security program.
- National Institute of Standards and Technology (NIST), Special Publication 800-18, December 1998, Guide for Developing Security Plans for Information Technology Systems. Details the specific controls that should be documented in a security plan.
- National Institute of Standards and Technology (NIST), Federal Information Processing Standards Publication 191, November 1994, Guideline for the Analysis of Local Area Network Security.
- National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000, April 2000, National Information Assurance Certification and Accreditation Process (NIACAP).
- National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4013 and 4014, August 1997, National Training Standard for System Administrators and Information Systems Security Officers (ISSO) in Information Systems Security (INFOSEC).
- Office of Management and Budget (OMB) Circular A-130, Appendix III, February 8th, 1996. Requires Risk Assessment every three years or sooner when changes take place in Information Technology systems and major applications.
- USAID Automated Directives System (ADS), Section ADS-545, Security Policies. (Available on the USAID Internal Network.)
- System Administration, Networking, and Security (SANS) Institute, 5401 Westbard Ave. Suite 1501, Bethesda, MD 20816. A cooperative research and education organization for system administrators, security professionals, and network administrators.
- The Computer Emergency Reaction Team (CERT®) Coordination Center (CERT/CC). A center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University, Pittsburgh, PA. The CERT®/CC studies Internet security vulnerabilities, handles computer security incidents, publishes a variety of security alerts, does research for long-term changes in networked systems, and develops information and training to help improve security at information processing sites.

C. Procurement Information

The United States Agency for International Development (USAID) has contracted for general IRM support with Computer Sciences Corporation (CSC) under the Agency's Principal Resource for Information Management Enterprise-wide (PRIME) contract (GS00K96AJD0012) with FEDSIM. USAID obtains its information system security support from CSC under the PRIME contract using the Performance Work Statement (PWS) tasking method.

D. Evaluation Information

Not to be completed by the drafter.

E. Recommended Changes

Not to be completed by the drafter.

F. Glossary
| Acronym | Meaning |
| --- | --- |
| ADS | USAID Automated Directives System - Management |
| BSP | Best System Practices, published by the Chief Information Officers' Council |
| CERT | Computer Emergency Reaction Team, a task force which develops repairs for Internet security incidents; based at Carnegie-Mellon University, Pittsburgh, PA. |
| COG | Continuity of Government |
| COOP | Continuity of (Information Processing) Operations |
| CSC | Computer Sciences Corporation |
| EXO | USAID Mission Executive Officer |
| FEDSIM | Federal Systems Integration and Management Center, a contracting office within the General Services Administration |
| IRM | Information Resources Management |
| ISSO | Information Systems Security Officer |
| M/IRM | USAID Bureau for Management, Information Resources Management |
| NCSC | National Computer Security Center, the civilian security standards-setting office of the National Security Agency. Recommends applications of military information security standards for commercial uses. |
| NIST | National Institute of Standards and Technology, official United States center for maintenance of standard values for physical, chemical and biological sciences. Charged with maintaining Information Technology standards by the Brooks Act of 1984. |
| NTBUGTRAQ | Incident reporting and tracking center for Windows-NT security issues |
| OMB | Executive Office of Management and Budget |
| PRA | Paperwork Reduction Act of 1995 |
| PRIME | Principal Resource for Information Management Enterprise-wide, a general support contracting vehicle for IRM services |
| PWS | Performance Work Statement, a means for assigning explicit increments of work within a general contracting vehicle |
| SANS | System and Network Security Institute, a network security analysis and training group |
| USAID | United States Agency for International Development |
| VA | (Security) Vulnerability Assessment |