McAfee Professional Services

Building Security Into Projects: Making it work in the Real World

Kelly Vance, CISSP, CGEIT | Sr. Director, McAfee Professional Services


Agenda
Overview

Where to begin
• Identifying requirements
• How to proceed
• Documenting requirements
Frameworks and methodology
Examples

McAfee Confidential

Context. Perspectives. Why?
Where to begin.
Look beyond your current technical controls

[Diagram: map of technical controls by environment, reconstructed from the slide]
Servers: Malicious Code (VirusScan, Virtual Patching, HIPS, Whitelisting, Virtualization Optimization); Auditing (Vuln Scanning)
Network: Web Application Vulnerability Scanning, DB Protection, Firewall, Network IPS, Geo Location, Reputation Intelligence (File, Mail, IP, Domain), DLP Monitor / Discover / Prevent, Mail Gateway, Web Gateway, Mail / Web SaaS
Mobile Devices: Mobile Data Protection
Workstations: Malicious Code (VirusScan, HIPS, Firewall, VDI Optimization, Endpoint Auditing)
Data Protection: Encryption, Device Control, USB Devices, DLP, Tokenization
SOC: Risk Posture, Advanced Analysis, Malware Analysis, SIEM, Security Management
Recognize that Security is a Process, and Start

[Diagram: the security process cycle, reconstructed from the slide]
Inputs: Strengths, Weaknesses, Opportunities, Threats
Cycle: Governance, Risk Assessment, Compliance, Policy Development, Solution Architecture, Technical Controls, Operational Processes, Event Management, Incident Management, Policy Enforcement, Capacity Management, Metrics, Reports, Discovery, Remediation, Upgrades, Tuning
Think Holistically
Plan for an iterative approach

Start with the requirements you already know. Then expand.
For many organizations this begins with Internal Administrative Control requirements. These are the constants and sometimes they're aligned with external standards.
Allow Information Technology and Information Security to partner and enable the organization, not unnecessarily restrict and confine. This holds true for the State.

Stakeholder requirements
• Risk mitigation
• Incident reviews
• New business requirements and organization initiatives
Common Control Frameworks
ISO 27002:2013 and SAM Chapter 5300
• 14 Security Control Clauses
• 35 Main Security Categories
• 114 Controls

Controls are intended to provide reasonable assurance that the objective can be met.
Can provide a measure of organizational discipline and capabilities maturity:
• 0: Non-existent
• 1: Ad-hoc
• 2: Repeatable
• 3: Defined
• 4: Measured
• 5: Optimized

Data Classification Controls (ISO 27002:2013 control | SAM section, as mapped on the slide)
8.1.2 Ownership of assets | 5305.5
8.2.1 Classification of information | 5305.5
8.2.2 Labelling of information
8.1.1 Roles and responsibilities | 5305.3
8.2.3 Handling of assets
9.1 Access control policy | 5360
13.2.1 Information transfer policies and procedures
13.2.4 Confidentiality or non-disclosure agreements
12.1.1 Documented operating procedures
14.1.1 Information security requirements analysis and specification | 5315
Think Holistically
Plan for an iterative approach

State Administrative Manual, Information Security Integration, Chapter 5315
Implementation Guidance further outlined in:
• 5315.1 – 5315.9

How can this be accomplished?
Establish a framework, apply it to each scenario and endeavor to continuously improve.

Each state entity is responsible for the integration of information security and privacy within the organization. This includes, but is not limited to, the designing of appropriate security controls in new systems, or systems that are undergoing substantial redesign, including both in-house and outsourced solutions.

Reference: SAM Information Security 5315
Reference: ISO/IEC 27002:2013 (E)
Requirements Gathering

How do I proceed?
Take a data centric approach to requirements gathering.
Align your design with requirements to maximize project success.
Bottom up or top down, either approach can work.

Sources of requirements:
Legislative: FISMA, HIPAA, NIST
Regulatory: PCI DSS
Standards: ITIL, COBIT, ISO
Contracts: Vendor/partner agreements
Internal Controls: SIM / SAM
Service Management: SLA / SLO

Project Scope and Charter | Project Stakeholders | Agency CISO
Documenting Requirements

Project Management
Project Charter
• Purpose, justification
• In scope
• Out of scope
• Measurable project objectives
• Success criteria
  • What constitutes project success?
  • Who decides the project is successful?
• Requirements traceability matrix

California Project Management Methodology (CA-PMM)
• Reference Manual
• Related Toolkits
• Already identifies common members of the project team including technical leads responsible for security
Plan

Bring the team together
• Project meetings
• Discuss project and business objectives
• Identify business applications, administrators and application owners

Common high level discussions begin
• Discuss migration from previous service
• Discuss the implementation process
• Identify users for the initial pilot testing
• Discuss change control processes
• Discuss back out and recovery plans
• Discuss end user communications
• Discuss application validation testing
• Discuss business application testing procedures

How will the solution be operated long term? What about availability? What about security?
• Discuss current security management practices
• Review corporate security policies and supporting documentation
• Discuss policy requirements
• Incorporate security requirements into the plan to meet availability objectives

Best Practice: Identify resources that can bring the different stakeholder perspectives together.

Even before a plan is developed or a design is started, many organizations are talking about the implementation.
Design

• Solution architecture overview
• Discuss the systems architecture
• Discuss the network architecture
• Discuss network port requirements
• Determine high availability requirements
• Discuss capacity planning and monitoring
• Discuss authentication methods
• Discuss Users, Roles and Responsibilities, Groups and Permissions
• Discuss the use of service accounts
• Discuss account management
• Discuss user management
• Discuss methods for user account management
• Further define policy requirements

Best Practice: Collect requirements during the design phase.
• Less costly
• Correcting gaps later can impact the project schedule and budget
• Especially avoid costly data disclosure penalties or expenses related to required notifications and reactive credit monitoring services.

Best Practice: Use currently available guidance, tools, and templates
• SAM Chapter 5300

Frameworks and methodologies
FIPS 199 Standards for Security Categorization of Federal Information and Information Systems

Applicability:
Establishes security categories for information and information systems
• Based on potential impact should certain events occur
• Used with vulnerability and threat information
• Information type examples:
  • Public information
  • Investigative information
  • Administrative information

Best Practice: Classify your data
SAM 5305.5: Each state entity must understand the value of its information assets and the level of protection those assets require.

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.
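As an added worked example (not part of the slide deck), the script below builds the SC tuple the slide defines for each information type and goes one step beyond the slide: it derives the system-level category with the FIPS 199 high-water mark rule (highest impact per objective across the information types a system holds, with LOW as the floor because NOT APPLICABLE is only valid for the confidentiality of an information type). The impact values given to the three sample information types are constructed for illustration, not taken from the deck.

```python
# Added example: FIPS 199 security categorization (not from the slide deck).
# The SC notation and the LOW/MODERATE/HIGH/NOT APPLICABLE values follow the
# slide; the system-level high-water mark rule is from FIPS 199 itself.

IMPACT_RANK = {"NOT APPLICABLE": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")
# Index = rank. Rank 0 (NOT APPLICABLE) floors to LOW at system level.
SYSTEM_LEVEL = ("LOW", "LOW", "MODERATE", "HIGH")


def security_category(confidentiality, integrity, availability):
    """SC tuple for one information type, with every value validated.
    NOT APPLICABLE is only permitted for the confidentiality objective."""
    sc = {}
    for objective, value in zip(OBJECTIVES, (confidentiality, integrity, availability)):
        value = value.strip().upper()
        if value not in IMPACT_RANK:
            raise ValueError(f"{objective}: {value!r} is not LOW, MODERATE, HIGH or NOT APPLICABLE")
        if value == "NOT APPLICABLE" and objective != "confidentiality":
            raise ValueError(f"NOT APPLICABLE is not allowed for {objective}")
        sc[objective] = value
    return sc


def system_category(info_types):
    """High-water mark over every information type resident on one system."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    system = {}
    for objective in OBJECTIVES:
        highest = max(IMPACT_RANK[sc[objective]] for sc in info_types.values())
        system[objective] = SYSTEM_LEVEL[highest]
    return system


def format_sc(label, sc):
    """Render a category in the SC notation used on the slide."""
    return "SC %s = {(%s)}" % (label, "), (".join(f"{o}, {sc[o]}" for o in OBJECTIVES))


# Constructed sample input: the three information types the slide names.
SAMPLE_TYPES = {
    "public information": security_category("NOT APPLICABLE", "MODERATE", "MODERATE"),
    "investigative information": security_category("HIGH", "HIGH", "MODERATE"),
    "administrative information": security_category("LOW", "LOW", "LOW"),
}

if __name__ == "__main__":
    for label, sc in SAMPLE_TYPES.items():
        print(format_sc(label, sc))
    print(format_sc("system", system_category(SAMPLE_TYPES)))
```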
Think Holistically

Many organizations think about the technology alone and not the business problem the solution is attempting to resolve
• Or the business processes required to enable it
• This approach doesn't take into account feedback or changes in requirements or the solution

Best Practice: Apply a business driven approach
• Use existing Enterprise Architecture tools and processes
• An Enterprise Architecture process can bring Agencies and departments together, working collaboratively to facilitate a unified vision
• The enterprise architecture includes a baseline architecture, target architecture, and a sequencing plan
Federal Enterprise Architecture Framework
Think Holistically

Business Driven Approach
Component Based Architecture

Performance Reference Model (PRM)
• Inputs, outputs, and outcomes
• Uniquely tailored performance indicators

Business Reference Model (BRM)
• Lines of Business
• Agencies, customers, partners

Service Component Reference Model (SRM)
• Service domains, service types
• Business and service components

Data Reference Model (DRM)
• Business-focused data standardization
• Cross-agency information exchanges

Technical Reference Model (TRM)
• Service component interfaces, interoperability
• Technologies, recommendations

Federal Enterprise Architecture Consolidated Reference Model (CRM) Version 2.3
Enterprise Architecture
Holistic System View

[Table: reference model rows against the What / Who / How / Why / Where / When columns, reconstructed from the slide; cells left empty on the slide are omitted]

PRM
What (Data): What data is collected?
Who (People): CIO, CSO
Why (Motivation): Compliance, Risk Mitigation, Cost Efficiencies
Where (Locations): Statewide, Agency, Department
When (Timing): Legislative deadline, Incident Response, Contract Renewal

BRM
What (Data): Who needs access?
Who (People): CISO, Risk & Compliance, Legal, IT Management, Project Management
Why (Motivation): FISMA, FIPS 199, FIPS 200, NIST SP800-53 Rev3
When (Timing): New License Acquisition, Technology Refresh, Product Release, Consolidation

DRM
What (Data): How will it be stored? Where is it stored?

SRM
What (Data): What are the threat actors?
Who (People): Server Operations, Security Operations, Network Operations, Internal Audit, Service Desk

TRM
Who (People): ePO Admin, Server Admin, SQL Server Admin, Email Admin, Web Admin, Desktop Support
Enterprise Architecture
Holistic System View

[Table: completed version of the same reference model rows against What / Who / How / Why / Where / When, reconstructed from the slide]

PRM
What (Data): Protecting Information; Obtaining Benefit from PCI Information; Protecting Information from Insider Threat
Who (People): CIO, CSO
How (Process): Data Protection; Privacy of Personal Information
Why (Motivation): Compliance, Risk Mitigation, Cost Efficiencies
Where (Locations): State wide, Branch, Single agency
When (Timing): Legislative deadline, Incident Response

BRM
What (Data): Administrative, Physical, Technical; Deterrent; Preventative; Detective; Corrective
Who (People): CISO, Risk & Compliance, Legal, IT Management, Project Management
How (Process): Risk Assessment, Business Impact Analysis, Continuity Planning, Privacy
Why (Motivation): FISMA, FIPS 199, FIPS 200, NIST SP800-53 Rev3, SB1386, PCI DSS
Where (Locations): Lines of Business, AD Domains
When (Timing): License Renewal, New License Acquisition, Technology Refresh, Consolidation

DRM
Who (People): Business Data Owner, Content Author
How (Process): Service Level Management, Availability Management, Capacity Management, Business Relationship Management, Security Management
Why / Where: Security Baseline based on FIPS 199 Information and Information Systems Classification

SRM
What (Data): Remedy, HP Open View
Who (People): Server Operations, Security Operations, Network Operations, Internal Audit, Service Desk
How (Process): Continuity Planning, Business Impact Analysis, Configuration Management, Change Management, Release and Deployment Management, Service Test Management
Why (Motivation): ITIL, COBIT, VALIT, OCTAVE
Where / When: Sequence priority codes: P1 – Implement P1 codes first; P2 – After implementation of P1; P3 – After implementation of P2; P0 – not selected for baseline. Establish Project Charter.

TRM
What (Data): ePO, NDLP, Device Control, MEG, DLP Endpoint, MWG, Drive encryption, ATD, SIEM, Adobe DRM, MS RMS
Who (People): ePO Admin, DLP Architect, DLP Admin, SQL Server Admin, Email Admin, Web Admin, Desktop Support
How (Process): Knowledge Management, Request Fulfillment, Problem Management, Event Monitoring, Incident Management, Continual Service Improvement
Where (Locations): AD, LDAP, MSSQL, NTFS, HTTPS, HTTP, SNMP
When (Timing): ICAP, SMTP, IMAP, MAPI, X.509, AES
Framework Resources

Statewide Information Management Manual (SIMM)

State Administrative Manual (SAM)
Feasibility Study Report
• Service Delivery, Service Management, Security Management

State of CA Enterprise Architecture (CEA)
• Technology Agency - Business, Technology and Services Templates
• Technology Agency Rollup Templates
• Enterprise Architecture Developers Guide

FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
FIPS 200
NIST SP 800-53, Rev 4
Summary

Project Managers
• Expand the project team, include data owners and security architects that are familiar with internal requirements
Application Developers & Technical Engineers
• Limit data collected, it has value and represents risk
• Think holistically
• Develop your design methodology based on the CEAF
Security Leaders
• Approach controls from security categorization
• Based on risk assessments
Everyone
• Use the currently available policies, templates and toolkits

Examples
Examples
State of California Agency

Vertical: State Government
Region: North America
Applicable State of CA Requirements:
• 5305.5 Information Asset Management
• 5315 Information Security Integration
• 5315.4 System Developer Security Testing

Business Drivers
• The agency knew personal/sensitive information was being collected but was unsure how data was being transferred or used

Project Details
• Contractor staff augmentation to provide lab environment configuration
• Design and test data protection controls
• High availability configuration required

Outcomes
• Data classification controls developed based on agency labels for sensitive information, e.g. confidential, restricted
• Cluster configuration provided, failover testing performed
• Capacity planning guidance and modeling provided for use with production deployment
Examples
Other State Agency, Outside of California

Vertical: State Government
Region: North America
Applicable State of CA Requirements:
• 5325.6 Information System Backup

Business Drivers
• Agency objectives weren't clearly defined. Not fully developed.
• Not based on data classification or risk

Project Details
• A project team wasn't formed and the focus was simply on the latest technology

Outcomes
• The group implemented controls narrowly; not based on risk
• Additional best practices for backups were ignored and the following year the solution was corrupted and needed to be rebuilt from scratch