Managing Security Frameworks and Controls as Requirements

Or “Minding the GAP(s)”

One of the items I notice a good deal is the extensive use of spreadsheets with Security Frameworks or Controls sets. The sad part is that there are so many tools out there that can better provide an overview of how well your organization is committed to Information Assurance and implementation of controls. In this post I am using Rational Requisite Pro and the NIST SP 800-53 as an example, as I am a fan of the Open Unified Process (and Rational Unified Process by extension), but I am sure this method will work with any robust requirements management tool and framework/control set, should you be willing to do the upfront work (or contract someone else to do it).

Within Requisite Pro, you have the means to track various types of requirements (such as Enterprise Requirements, Features and Supplemental Requirements). In my example, I use the NIST SP 800-53rev2 as a set of Enterprise Requirements. In other words, these requirements are applicable to all implemented projects in your organization. The document (or database should you use the database version of the NIST) is not in the proper format for importing into a Requirements Management Tool, so you need to either convert it into the proper format or find someone that may be doing the work for you already. In this case, I converted the NIST to a CSV table with the following key fields:

  • Name – Name of the Control for Requisite Pro – eg. AC-2 : ACCOUNT MANAGEMENT
  • Requirement Text – The text of the individual control – eg. The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency, at least annually].
  • Other fields – other fields that your Req. Management system uses are populated as well. I use Guidance extensively to add in all the supplemental information in the NIST Controls.

Each Control and Supplemental Control is listed as a discrete requirement.

Once populated, you now have a powerful means to implement controls, track projects, and even highlight projects that have gaps in their implementation.

Several example uses are listed below:

  1. Tracking your programs. Suppose you wish to implement an Active Directory Project in your enterprise. You can now enter Active Directory as a subsystem, enter all the features you are implementing as Feature Requirements and then trace those to the Enterprise Requirements from the NIST. This will allow you to not lose sight of your goals, and also see what portion of the NIST Control set will be implemented with your project. Also, it will quickly allow you to see that there may be features you are missing. For example, you may notice that AC-7 Unauthorised Login Attempts is not traced from your Active Directory Feature set, indicating you have a gap in your project implementation.
  2. Highlighting Gaps as part of your risk assessment. After entering your existing projects as subsystems and tracing their features back to your master Enterprise requirements, you can see what controls are not implemented. You now can fix your gaps by implementing policies, starting new projects, etc.
  3. Issue an RFP to fix your gaps. Use the gaps as a requirements list for an RFP to hire a vendor and use the same list to evaluate vendor responses.
  4. Highlight key areas. Using the attributes of each Enterprise requirement, you can prioritize your work. Standard Attributes for each requirement can include Priority (Critical, High, Medium, Low) and Implementation (Easy, Moderate, Difficult). This way you can see your critical needs and even prioritise them in order of difficulty. You can improve your security posture the best by selecting your Critical needs that are easy to do….
  5. Features that do not have an Enterprise control that they can map to. This tells you one of three things. Either you have a feature that isn’t needed, you aren’t fully aware of which control it would trace to, or your Enterprise set is lacking. If your Enterprise set is lacking, then you need to perhaps add additional control sets to support your primary control set.
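To make the CSV layout and the gap analysis concrete, here is an added example (my own illustration, not Requisite Pro's import format or any code from the original post). It parses a small constructed CSV in the Name / Requirement Text / Guidance layout described above, with the Priority and Implementation attributes from use case 4, and then runs the traceability checks from use cases 1, 2, 4 and 5: controls no feature traces to, features that trace to nothing or to an id outside the enterprise set, and gap ordering by priority and ease of implementation. The control ids reuse identifiers named on the page (AC-2, AC-7); the requirement wording, the extra ids (AU-2, IA-2, PE-3, IA-5) and the Active Directory feature list are constructed placeholders, not NIST text.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample in the CSV layout the post describes (Name, Requirement Text,
# Guidance) plus the Priority and Implementation attributes it suggests.
# Requirement text is placeholder wording, NOT the NIST SP 800-53 text.
CONTROLS_CSV = """\
Name,Requirement Text,Guidance,Priority,Implementation
AC-2 : ACCOUNT MANAGEMENT,Manage information system accounts.,Placeholder guidance,Critical,Moderate
AC-2(1) : AUTOMATED SYSTEM ACCOUNT MANAGEMENT,Support account management with automated mechanisms.,Placeholder guidance,High,Easy
AC-7 : UNAUTHORISED LOGIN ATTEMPTS,Limit consecutive failed login attempts.,Placeholder guidance,Critical,Easy
AU-2 : AUDITABLE EVENTS,Define the events the system must audit.,Placeholder guidance,Medium,Difficult
IA-2 : USER IDENTIFICATION AND AUTHENTICATION,Uniquely identify and authenticate users.,Placeholder guidance,High,Easy
PE-3 : PHYSICAL ACCESS CONTROL,Control physical access to system facilities.,Placeholder guidance,Critical,Difficult
"""

# Attribute values from use case 4, ranked so that sorting puts the most urgent
# and easiest work first.
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
EFFORT_RANK = {"Easy": 0, "Moderate": 1, "Difficult": 2}


@dataclass
class Feature:
    """A Feature Requirement belonging to a subsystem, with its traces to control ids."""
    name: str
    subsystem: str
    traces_to: list = field(default_factory=list)


# Constructed feature set for a hypothetical Active Directory subsystem.
FEATURES = [
    Feature("AD-F1 Provision accounts through security groups", "Active Directory", ["AC-2", "AC-2(1)"]),
    Feature("AD-F2 Quarterly account review report", "Active Directory", ["AC-2"]),
    Feature("AD-F3 Central audit log forwarding", "Active Directory", ["AU-2"]),
    Feature("AD-F4 Kerberos ticket lifetime tuning", "Active Directory", []),          # traced to nothing
    Feature("AD-F5 Password hash sync to cloud directory", "Active Directory", ["IA-5"]),  # id not in the set
]


def control_id(name):
    """'AC-2 : ACCOUNT MANAGEMENT' -> 'AC-2' (the id precedes the first ' : ')."""
    return name.split(" : ", 1)[0].strip()


def load_controls(csv_text):
    """Parse the CSV export into {control_id: row dict} keyed by the control id."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {control_id(row["Name"]): row for row in reader}


def find_gaps(controls, features):
    """Enterprise controls no feature traces to (use cases 1 and 2)."""
    traced = {cid for f in features for cid in f.traces_to}
    return sorted(cid for cid in controls if cid not in traced)


def find_unmapped_features(controls, features):
    """Features with no trace to any control in the enterprise set (use case 5)."""
    return [f.name for f in features if not any(cid in controls for cid in f.traces_to)]


def find_unknown_traces(controls, features):
    """Trace targets absent from the enterprise set: a sign the control set may be lacking."""
    return sorted({cid for f in features for cid in f.traces_to if cid not in controls})


def prioritize_gaps(controls, gaps):
    """Order gaps by Priority first, then by ease of Implementation (use case 4)."""
    return sorted(
        gaps,
        key=lambda cid: (PRIORITY_RANK[controls[cid]["Priority"]],
                         EFFORT_RANK[controls[cid]["Implementation"]]),
    )


if __name__ == "__main__":
    controls = load_controls(CONTROLS_CSV)
    gaps = find_gaps(controls, FEATURES)
    print("Controls with no traced feature:", gaps)
    print("Work order (priority, then ease):", prioritize_gaps(controls, gaps))
    print("Features mapped to nothing in the set:", find_unmapped_features(controls, FEATURES))
    print("Trace targets missing from the set:", find_unknown_traces(controls, FEATURES))
```

Running the script reports AC-7 as an untraced control, exactly the kind of gap use case 1 describes, and flags AD-F4 and AD-F5 as features that need either a trace, a justification, or an addition to the enterprise control set.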

In summary, implementing your selected control set into a Requirements Management Program is a great way to track your information protection controls and ensure you are aware of and addressing existing gaps in your program. This will greatly enhance your information protection posture and may even help in defending programs or preparing for Information Systems Audits at the management level.

Currently a Major Government Agency is implementing Requisite Pro in this manner using the NIST as a master list of Enterprise Controls. HIPAA Security Rules have been added as Business Rules that trace from the NIST control set, ensuring that all controls will be tracked over implementation of Information Security Projects.

For any questions, assistance on Rational Requisite Pro, OpenUP and/or information security controls, feel free to contact me. Ready to import templates of NIST and ISO standards for Enterprise Requirements in Requisite Pro can be made available, depending on your Enterprise Requirements Management Plan.
