Guest Lecturer: Dr. Shawn P. Murray, C|CISO, CISSP, CRISC
IT Position of Trust Designation
ADP-IT Requirements for Government Contracts
Cyber Security Brief
Presented to the Defense Acquisition University
23 May 2013
Updated 22 November 2015 to add the alignment of DIACAP (DoDI 8500.2) controls to RMF (NIST SP 800-53) controls
Agenda
– ADP-IT Defined
– History
– Basis – Public Law
– Application & Compliance Directives
– DoD 5200.2-R
– DODI 8500.2, February 6, 2003
– DISA STIG - Traditional Security
– Strategy
ADP & IT Defined
• ADP - Automated Data Processing
• IT - Information Technology
(Both terms are used synonymously)
• ADP/IT requirements identify a specific “Position of Trust” for IT work that is to be accomplished by certain individuals on government information systems.
• It is meant to reduce the risk of the Insider Threat.
• There are three ADP/IT Position of Trust levels:
  − ADP/IT-I, ADP/IT-II & ADP/IT-III
• ADP/IT Positions of Trust are required to be recorded on a DD Form 2875 and assigned to specific personnel in the Joint Personnel Adjudication System (JPAS).
ADP & IT Defined (continued)
• ADP/IT requirements apply to Military, Govt. Civilian and Contractor Personnel
  − Military – MOS or AFSC
  − Govt. Civilian – Described in Position Description (PD)
• ADP/IT requirements for contractors are derived from a Statement of Work (SOW) supporting a DoD contract which includes IT Services or General Access to Government Systems or Sensitive Information to fulfill a contractual need.
  − The SOW should have specific language for persons who will have access to government systems and/or information (e.g., Privileged User Access or Controlled Unclassified Information (CUI)).
  − ADP/IT requirements are normally articulated in section 11.l of the DD254, which is married to the SOW.
  − In many instances, the DD254 does not articulate the correct ADP/IT requirements or does not align to the SOW properly.
    − This is normally due to a lack of knowledge of the requirement or a missing contract security review by an experienced security professional (government & contractor).
    − When this happens, the risk from the Insider Threat can be greater.
History
- OMB Circular A-71 (and Transmittal Memo #B1), July 1978
- OMB Circular A-130, December 12, 1985
- FPM Letter 732, November 14, 1978
These artifacts contain the criteria for designating positions under the existing categories used in the personnel security program for Federal civilian employees as well as the criteria for designating ADP and ADP related positions outlined in public law.
► Title 32: National Defense
  • PART 154 - DEPARTMENT OF DEFENSE PERSONNEL SECURITY PROGRAM REGULATION
  • Subpart K - Program Management
  • Appendix J to Part 154 (ADP Position Categories and Criteria for Designating Positions)
Appendix J to Part 154 - ADP Position Categories and Criteria for Designating Positions
OMB Circular A-71 (and Transmittal Memo #B1), July 1978; OMB Circular A-130, December 12, 1985; and FPM Letter 732, November 14, 1978 contain the criteria for designating positions under the existing categories used in the personnel security program for Federal civilian employees as well as the criteria for designating ADP and ADP related positions. This policy is outlined below:
ADP Position Categories
1. Critical-Sensitive Positions
ADP-I positions. Those positions in which the incumbent is responsible for the planning, direction, and implementation of a computer security program; major responsibility for the direction, planning and design of a computer system, including the hardware and software; or, can access a system during the operation or maintenance in such a way, and with a relatively high risk for causing grave damage, or realize a significant personal gain.
2. Noncritical-Sensitive Positions
ADP-II positions. Those positions in which the incumbent is responsible for the direction, planning, design, operation, or maintenance of a computer system, and whose work is technically reviewed by a higher authority of the ADP-I category to insure the integrity of the system.
3. Nonsensitive Positions
ADP-III positions. All other positions involved in computer activities.
In establishing the categories of positions, other factors may enter into the determination, permitting placement in higher or lower categories based on the agency's judgement as to the unique characteristics of the system or the safeguards protecting the system.
Criteria for Designating Positions
Three categories have been established for designating computer and computer-related positions—ADP-I, ADP-II, and ADP-III. Specific criteria for assigning positions to one of these categories are displayed on the next slide:
Specific Criteria as written into Title 32 Part 154 (Appendix J)
Compliance Requirements
DISA STIG, Traditional Security Checklist - Version 1, Release 2 (July 24, 2013)
DoD 5200.2-R, Personnel Security Program (January 1987)

DoDI 8500.2 IA Controls (DIACAP)    NIST SP 800-53 Controls (RMF)
DCIT-1                              PS-7, SA-9
PECF-1                              PE-2, PE-2(1), PE-7 & MA-5
PECF-2                              PE-2, PE-2(3) & PE-7
PRAS-1                              PS-3, PS-6 & PS-6(1)
PRAS-2                              PS-3(1), PS-6 & PS-6(2)
PRNK-1                              PS-3, PS-6(1) & PS-6(2)
ECPA-1                              AC-2
IAAC-1                              AC-2
8500.2 DCIT-1 V0008392 (CAT I) Acquisition does not address IA roles
Vulnerability: Acquisition does not address IA roles and responsibilities.
8500.2 IA Control: DCIT-1. References: Department of Defense Instruction 8500.2 (DODI 8500.2)
Vulnerability Discussion:
Security procedures are vital to ensure the integrity, confidentiality and availability of systems and data. In outsourcing situations the requirements and responsibilities to perform them must be spelled out to ensure all are accomplished.
Checks 8500.2 DCIT-1:
• Examine acquisition and outsourcing documents, including task orders, to ensure IT services explicitly address Government, service provider, and end user IA roles and responsibilities.
• Ensure the organization monitors compliance.
Default Finding Details
The following issues were noted:
• Government, service provider, and end user IA roles and responsibilities are not explicitly stated in acquisition or outsourcing requirements.
• The organization is not monitoring compliance of IT roles and responsibilities in outsourcing agreements.
OPEN: __________ NOT A FINDING: __________ NOT REVIEWED: __________ NOT APPLICABLE: __________
8500.2 DCIT-1 Fixes:
• Amend IT services acquisition and outsourcing documents, including task orders, so that Government, service provider, and end user IA roles and responsibilities are explicitly addressed.
• Ensure the organization monitors contractor compliance with all contract provisions plus applicable federal laws, directives, policies, regulations, standards, guidance, and established service level agreements.
PS-7: Third-Party Personnel Security
Control Text: "The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Documents personnel security requirements; and
c. Monitors provider compliance."
Supplemental Guidance:
Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. The organization explicitly includes personnel security requirements in acquisition-related documents.
NIST 800-53 PS-7
SA-9: External Information System Services
Control Text: "The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Monitors security control compliance by external service providers."
Supplemental Guidance:
An external information system service is a service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system). Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges. The responsibility for adequately mitigating risks arising from the use of external information system services remains with the authorizing official. Authorizing officials require that an appropriate chain of trust be established with external service providers when dealing with the many issues associated with information security. For services external to the organization, a chain of trust requires that the organization establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the organization. The extent and nature of this chain of trust varies based on the relationship between the organization and the external provider. Where a sufficient level of trust cannot be established in the external services and/or service providers, the organization employs compensating security controls or accepts the greater degree of risk. The external information system services documentation includes government, service provider, and end user security roles and responsibilities, and any service-level agreements. Service-level agreements define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of noncompliance.
NIST 800-53 SA-9
“Failure to designate position sensitivity could result in personnel having access to classified information or other sensitive duties (such as privileged access to DoD Information Systems) without the required investigative and adjudicative prerequisites”
STIG Check #3. For privileged users (e.g., SA, IAO, NSO): Check to ensure that privileged users, if military or government civilian, are in critical sensitive positions and have a successfully adjudicated SSBI with 5-year periodic reviews. Contractors performing work in privileged IS roles must also undergo successful SSBIs with 5-year reviews. Privileged users must undergo an SSBI regardless of the security clearance level required (e.g., even if no clearance or only Confidential or Secret is required). Foreign Nationals or Local Nationals employed by DoD ARE NOT AUTHORIZED to have (IT-I) privileged access to US Information Systems.
DoDI 8500.2, Enclosure 3 (page 46)
Privileged Access = IT-I Position of Trust
(Privileged Access = Privileged User (PU))
Identifies PU access for:
• DAA or IAM (ISSM) (government)
• IAO (ISSO)
• Monitors or Testers (CND & Developers)
• Network Administrators
• Systems Administrators
• Maintenance of IA products (ACAS, HBSS, PKI, EMET, AV…)
Requires a final SSBI prior to being provided PU access to any IT systems (US Military, Civilian or Contractor)
SSBI Investigation
IT-I Position of Trust Designation
Personnel Category:
• Govt. Civilian
• Contractor
Funding
Who pays for the SSBI?
- Government Civilian and Military – The Service Component or Agency (OPM)
- Contractors – DSS pays for SSBIs for contractors that require Top Secret clearances
  - If the contractor only needs an SSBI for privileged user access and does not need a Top Secret Clearance, then the Agency or Service Component the contractor is assigned to has to budget for and fund the requirement.
Strategy
- Most Department of Defense agencies and service components have applied IT-I, IT-II, & IT-III to privileged users differently due to the cost of funding the SSBI, which in 2013 was estimated to be $3700 per person.
- Strategy 1: Align the SSBI to a person who has a requirement to access Top Secret information so DSS has to fund the investigation.
  - Risk 1: A person who does not really have a need to know can be provided access to TS information.
- Strategy 2: Assign one privileged user as an IT-I and all other privileged users as IT-II to save money.
  - Risk 1: An IT-II who is being provided privileged user access is not being properly vetted as required (Insider Threat).
  - Risk 2: An IT-I privileged user is required to directly oversee and validate tasks completed by all IT-II privileged users they supervise. This is not always feasible in an organization with multiple IT-II privileged users.
- Strategy 3: Do not address the IT Position of Trust for privileged users.
  - Risk 1: This is the greatest risk and does not protect against the Insider Threat.
  NOTE: This is the most common approach due to lack of knowledge by acquisition, contracting and security personnel.
Where do we go from here?
• All ISSMs managing Cyber Security on a DoD contract should already have:
1. List of all Privileged Users for their specific areas (IA, SA, NA/E, SE, CND, etc.)
2. Privileged User Agreements for them (signed)
3. Privileged User training certificate
4. 8570 Certification IAT or IAM
5. 8570 Certification Computing Environment (CE)
6. Completed 2875s for all PU personnel
7. HBSS training certificate if required by one of your PUs
8. ACAS training certification if required by one of your PUs
9. ISSO appointment letters for your appointed ISSOs
• A Review/Audit of contracts should be considered
• The Statement of Work should identify privileged user roles
• The DD254 should also identify IT-I, IT-II & IT-III Positions of Trust
• A strategy should be developed to address deficiencies
References
– http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=aa33bc45d44c89541aef4096bf908831&rgn=div5&view=text&node=32:1.1.1.6.75&idno=32
– https://www.law.cornell.edu/cfr/text/32/part-154/appendix-J
– http://iase.disa.mil/stigs/Lists/stigs-masterlist/policy-traditional.aspx
– http://csrc.nist.gov/groups/SMA/fisma/framework.html
– http://www.cac.mil/docs/DoDD-8500.2.pdf
– http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Questions?
Backup Slides Available
Industrial Security - DD Form 254
ID-01.02.01 - Industrial Security - DD Form 254
Vulnerability Discussion: Failure to complete a DD Form 254 (Contract Security Classification Specification) or to specify security clearance and/or IT requirements for all contracts that require access to classified material can result in unauthorized personnel having access to classified material, or in mission failure if personnel are not authorized the proper access.
IA Controls: PECF-1, PRAS-2, PRNK-1
VMS Target: Traditional Security - DISA FSO
VMS Target: Traditional Security - 2506
1. DD Forms 254 must be on hand for each classified contract.
2. All security requirements must be properly detailed on the form, particularly for Information Technology related requirements, such as IT Position levels for the positions or types of work to be performed.
Checks:
1. Check there are DD Forms 254 available for all classified contracts. NOTE: These forms may be held by the site contracting officials but should be available to the site security manager and information security manager for review.
2. Conduct a cursory review of the DD 254 to ensure all security requirements are properly detailed on the form, especially with regard to Information Assurance (i.e., IT Position level designation). NOTE: Applicable to tactical environments if there are contractor personnel performing classified work. This form will likely only be found at fixed locations rather than field locations. While the DD 254 may not be available on site or even in Theater, the completed document's location should be identified and, if possible, a scanned and emailed copy requested for review. This will likely only be able to occur via SIPRNet email because some of these forms contain classified information, while all others are only FOUO.
Industrial Security - Contractor VALs
ID-02.03.01 - Industrial Security - Contractor Visit Authorization Letters (VALs)
Vulnerability Discussion: Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials being released to unauthorized personnel.
IA Controls: ECAN-1, PECF-1, PRAS-2
VMS Target: Traditional Security - DISA FSO
VMS Target: Traditional Security – 2506
Checks:
1. Written procedures must be developed that cover the requirements and process for Visit Authorization Letters (VAL) for contractors visiting and/or employed at government sites.
2. All government sites must have a VAL on file for each contractor visiting the site temporarily and also for permanent party contractors routinely working/physically employed at the site.
Notes: JPAS should be used for most short term "visitor" VALs; however, in addition to JPAS (or as an alternative to JPAS for contractors who do not have JPAS accounts) VALs may also be passed via hard copy or electronically using email (mail, fax, email) for "assigned" contractor employees. This is because JPAS is by design intended for short term visits; whereas, contractor "employee" VALs require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via JPAS. A hard copy VAL for assigned contractor employees will help to eliminate substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in applicable Statements of Work (SOW) and/or DD 254), etc.
Industrial Security - Contractor VALs (Continued from previous page)
ID-02.03.01 - Industrial Security - Contractor Visit Authorization Letters (VALs)
Checks:
1. Check with the security manager or personnel security specialists to ensure there are written procedures for contractors visiting government sites.
2. Ask to see copies of the site VALs and/or determine the site VAL process based on the processing of contractors on your inspection team.
3. Ensure all government facilities have a VAL on file for all contractors visiting the site - to include permanent party contractors.
Notes:
1. JPAS should and will likely be used for most short term "visitor" VALs; however, in addition to JPAS the VAL may also be passed via hard copy or electronically using email (mail, fax, email) for "assigned" contractor employees. This is because JPAS is by design intended for short term visits; whereas, contractor "employee" VALs should require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via JPAS. Lack of a hard copy VAL alone for assigned contractor employees at a site will not necessarily be cause for a finding if a VAL in JPAS is available. Reviewers must use discretion when evaluating if the lack of a hard copy VAL has caused any substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in applicable Statements of Work (SOW) and/or DD 254), etc. when deciding if a finding is warranted. For instance, an individual employee's JPAS access might indicate they have a TS clearance - but the FCL for the company is only at the Secret level and/or the contract only allows for up to Secret access. If the site is allowing access to TS for this individual - then the lack of a hard copy VAL could be cited as a finding, in addition to any other related findings for this discovery.
2. Applies in a tactical environment if contract personnel visit or are assigned.
3. Reviewers should be sure to note in the findings report if the finding concerns JPAS issues for short term contractor visitors or if it concerns "hard copy" VALs for assigned contractor employees.
 

Similar to IT Position of Trust Designation (20)

Cyber Security.pptx
Cyber Security.pptxCyber Security.pptx
Cyber Security.pptx
 
Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...
 
DFARS & CMMC Overview
DFARS & CMMC Overview DFARS & CMMC Overview
DFARS & CMMC Overview
 
Key Cyber Security Issues for Government Contractors
Key Cyber Security Issues for Government ContractorsKey Cyber Security Issues for Government Contractors
Key Cyber Security Issues for Government Contractors
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data Breach
 
Understanding Federal IT Compliance in Three Steps - SharePoint Fest DC
Understanding Federal IT Compliance in Three Steps  - SharePoint Fest DCUnderstanding Federal IT Compliance in Three Steps  - SharePoint Fest DC
Understanding Federal IT Compliance in Three Steps - SharePoint Fest DC
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation:  The Need for  Cybersecurity in  U.S. ManufacturingLaying the Foundation:  The Need for  Cybersecurity in  U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
 
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfpdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
 
Security Landscape of a Strong Ecosystem to Protect Sensitive Information in ...
Security Landscape of a Strong Ecosystem to Protect Sensitive Information in ...Security Landscape of a Strong Ecosystem to Protect Sensitive Information in ...
Security Landscape of a Strong Ecosystem to Protect Sensitive Information in ...
 
Information security
Information securityInformation security
Information security
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
 
IRJET-An Algorithmic Approach for Remote Data Uploading and Integrity Checkin...
IRJET-An Algorithmic Approach for Remote Data Uploading and Integrity Checkin...IRJET-An Algorithmic Approach for Remote Data Uploading and Integrity Checkin...
IRJET-An Algorithmic Approach for Remote Data Uploading and Integrity Checkin...
 
WITDOM Credit Risk Scoring use case at ISSE 2017
WITDOM Credit Risk Scoring use case at ISSE 2017WITDOM Credit Risk Scoring use case at ISSE 2017
WITDOM Credit Risk Scoring use case at ISSE 2017
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guide
 
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMINFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
 
Application security Best Practices Framework
Application security   Best Practices FrameworkApplication security   Best Practices Framework
Application security Best Practices Framework
 
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
 
SOC 2 for Startups – A Complete Guide
SOC 2 for Startups – A Complete GuideSOC 2 for Startups – A Complete Guide
SOC 2 for Startups – A Complete Guide
 

More from Murray Security Services

More from Murray Security Services (11)

Cybersecurity Maturity Model Certification
Cybersecurity Maturity Model CertificationCybersecurity Maturity Model Certification
Cybersecurity Maturity Model Certification
 
Accidental Insider Threat - 2018 Version
Accidental Insider Threat - 2018 VersionAccidental Insider Threat - 2018 Version
Accidental Insider Threat - 2018 Version
 
Manufacturing Hacks
Manufacturing HacksManufacturing Hacks
Manufacturing Hacks
 
Spectre & Meltdown
Spectre & MeltdownSpectre & Meltdown
Spectre & Meltdown
 
Global Shortage on Cyber Security Workforce - An Analysis of a Complex Issue
Global Shortage on Cyber Security Workforce - An Analysis of a Complex IssueGlobal Shortage on Cyber Security Workforce - An Analysis of a Complex Issue
Global Shortage on Cyber Security Workforce - An Analysis of a Complex Issue
 
Cybersecurity for Small Business
Cybersecurity for Small BusinessCybersecurity for Small Business
Cybersecurity for Small Business
 
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security Risk
 
How to Write Good Policies
How to Write Good PoliciesHow to Write Good Policies
How to Write Good Policies
 
Internet of things, New Challenges in Cyber Crime
Internet of things, New Challenges in Cyber CrimeInternet of things, New Challenges in Cyber Crime
Internet of things, New Challenges in Cyber Crime
 
Social Engineering 2.0
Social Engineering 2.0Social Engineering 2.0
Social Engineering 2.0
 

Recently uploaded

Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 

Recently uploaded (20)

Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 

IT Position of Trust Designation

  • 1. Guest Lecturer: Dr. Shawn P. Murray, C|CISO, CISSP, CRISC IT Position of Trust Designation ADP-IT Requirements for Government Contracts Cyber Security Brief Presented to the Defense Acquisition University 23 May 2013 Updated to add DIACAP – 8500.2 Controls to RMF - 800-53 Controls Alignment 22 November 2015
  • 2. Agenda – ADP-IT Defined – History – Basis – Public Law – Application & Compliance Directives – DoD 5200.2-R – DODI 8500.2, February 6, 2003 – DISA STIG - Traditional Security – Strategy ADP-IT Requirements for Government Contracts Cyber Security Brief 2
  • 3. ADP & IT Defined  ADP - Automated Data Processing  IT - Information Technology (Both terms are used synonymously)  ADP/IT requirements identify a specific “Position of Trust” for IT work that is to be accomplished by certain individuals on government information systems.  It is meant to reduce the risk of the Insider Threat  There are three ADP/IT Position of Trust levels:  ADP/IT-I, ADP/IT-II & ADP/IT-III  ADP/IT Positions of Trust are required to be recorded on a DD Form 2875 and assigned to specific personnel in the Joint Personnel Adjudication System (JPAS). ADP-IT Requirements for Government Contracts Cyber Security Brief 3
  • 4. ADP & IT Defined  ADP - Automated Data Processing  IT - Information Technology (Both terms are used synonymously)  ADP/IT requirements apply to Military, Govt. Civilian and Contractor Personnel  Military – MOS or AFSC  Govt. Civilian – Described in Position Description (PD)  ADP/IT requirements for contractors are derived from a Statement of Work (SOW) supporting a DoD contract which includes IT Services or General Access to Government Systems or Sensitive Information to fulfill a contractual need. • The SOW should have specific language for persons who will have access to government systems and/or information. − IE: Privileged User Access or Controlled Unclassified Information (CUI) • ADP/IT requirements are normally articulated in section 11.l of the DD254 which is married to the SOW. • In many instances, the DD254 does not articulate the correct ADP/IT requirements or does not align to the SOW properly. − This is normally due to a lack of knowledge of the requirement or a missing contract security review by an experienced security professional (government & contractor) − When this happens the risk to the Insider Threat can be greater ADP-IT Requirements for Government Contracts Cyber Security Brief 4
  • 5. History - OMB Circular A-71 (and Transmittal Memo #B1), July 1978 - OMB Circular A-130, December 12, 1985 - FPM Letter 732, November 14, 1978 These artifacts contain the criteria for designating positions under the existing categories used in the personnel security program for Federal civilian employees as well as the criteria for designating ADP and ADP related positions outlined in public law. ► Title 32: National Defense  PART 154 - DEPARTMENT OF DEFENSE PERSONNEL SECURITY PROGRAM REGULATION  Subpart K - Program Management  Appendix J to Part 154 (ADP Position Categories and Criteria for Designating Positions) ADP-IT Requirements for Government Contracts Cyber Security Brief 5
  • 6. Appendix J to Part 154 - ADP Position Categories and Criteria for Designating Positions OMB Circular A-71 (and Transmittal Memo #B1), July 1978 OMB Circular A-130, December 12, 1985, and FPM Letter 732, November 14, 1978 contain the criteria for designating positions under the existing categories used in the personnel security program for Federal civilian employees as well as the criteria for designating ADP and ADP related positions. This policy is outlined below: ADP Position Categories 1. Critical-Sensitive Positions ADP-I positions. Those positions in which the incumbent is responsible for the planning, direction, and implementation of a computer security program; major responsibility for the direction, planning and design of a computer system, including the hardware and software; or, can access a system during the operation or maintenance in such a way, and with a relatively high risk for causing grave damage, or realize a significant personal gain. 2. Noncritical-Sensitive Positions ADP-II positions. Those positions in which the incumbent is responsible for the direction, planning, design, operation, or maintenance of a computer system, and whose work is technically reviewed by a higher authority of the ADP-I category to insure the integrity of the system. 4. Nonsensitive Positions ADP-III positions. All other positions involved in computer activities. In establishing the categories of positions, other factors may enter into the determination, permitting placement in higher or lower categories based on the agency's judgement as to the unique characteristics of the system or the safeguards protecting the system. Criteria for Designating Positions Three categories have been established for designating computer and computer-related positions—ADP-I, ADP-II, and ADP-III. Specific criteria for assigning positions to one of these categories is displayed on the next slide: ADP-IT Requirements for Government Contracts Cyber Security Brief 6
  • 7. ADP-IT Requirements for Government Contracts Cyber Security Brief Specific Criteria as written into Title 32 Part 154 (Appendix J) 7
  • 8. Compliance Requirements DISA STIG Traditional Security Checklist - Version 1, Release 2 (July 24, 2013) DoD 5200.2-R, Personnel Security Program, (January 1987) DoDI 8500.2 IA Controls(DIACAP) NIST-800.53 Controls (RMF) DCIT-1 800-53: PS-7, SA-9 PECF-1 800-53: PE-2, PE-2(1), PE-7 & MA-5 PECF-2 800-53: PE-2, PE-2(3) & PE-7 PRAS-1 800-53: PS-3, PS-6 & PS-6(1) PRAS-2 800-53: PS-3(1), PS-6 & PS-6(2) PRNK-1 800-53: PS-3, PS-6(1) & PS-6(2) ECPA-1 800-53: AC-2 IAAC-1 800-53: AC-2 ADP-IT Requirements for Government Contracts Cyber Security Brief 8
  • 9. 8500.2 DCIT-1 V0008392 (CAT I) Acquisition does not address IA roles Vulnerability Acquisition does not address IA roles and responsibilities. 8500.2 IA Control: DCIT-1 References: Department of Defense Instruction 8500.2 (DODI 8500.2) Vulnerability Discussion Security procedures are vital to ensure the integrity, confidentiality and availability of systems and data. In outsourcing situations the requirements and responsibilities to perform them must be spelled out to ensure all are accomplished. Checks 8500.2 DCIT-1:  Examine acquisition and outsourcing documents including task orders to ensure IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.  Ensure the organization monitors compliance. Default Finding Details The following issues were noted:  Government, service provider, and end user IA roles and responsibilities are not explicitly stated in acquisition or outsourcing requirements.  The organization is not monitoring compliance of IT roles and responsibilities in outsourcing agreements. OPEN: __________ NOT A FINDING: __________ NOT REVIEWED: __________ NOT APPLICABLE: __________ 8500.2 DCIT-1 Fixes:  Amend IT services acquisition and outsourcing documents including task orders to ensure explicitly addresses Government, service provider, and end user IA roles and responsibilities are explicitly addressed .  Insure the organization monitors contractor compliance with all contract provisions plus applicable federal laws, directives, policies, regulations, standards, guidance, and established service level agreements . ADP-IT Requirements for Government Contracts Cyber Security Brief 9
  • 10. ADP-IT Requirements for Government Contracts Cyber Security Brief PS-7: Third-Party Personnel Security Control Text: "The organization: a. Establishes personnel security requirements including security roles and responsibilities for third-party providers; b. Documents personnel security requirements; and c. Monitors provider compliance." Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. The organization explicitly includes personnel security requirements in acquisition-related documents. NIST 800-53 PS-7 10
  • 11. ADP-IT Requirements for Government Contracts Cyber Security Brief SA-9: External Information System Services Control Text: "The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Monitors security control compliance by external service providers." Supplemental Guidance: An external information system service is a service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system). Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges. The responsibility for adequately mitigating risks arising from the use of external information system services remains with the authorizing official. Authorizing officials require that an appropriate chain of trust be established with external service providers when dealing with the many issues associated with information security. For services external to the organization, a chain of trust requires that the organization establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the organization. The extent and nature of this chain of trust varies based on the relationship between the organization and the external provider. 
Where a sufficient level of trust cannot be established in the external services and/or service providers, the organization employs compensating security controls or accepts the greater degree of risk. The external information system services documentation includes government, service provider, and end user security roles and responsibilities, and any service-level agreements. Service-level agreements define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of noncompliance. NIST 800-53 SA-9 11
  • 12. “Failure to designate position sensitivity could result in personnel having access to classified information or other sensitive duties (such as privileged access to DoD Information Systems) without the required investigative and adjudicative prerequisites” STIG Check #3. For privileged users (eg, SA, IAO, NSO): Check to ensure that privileged users if military or government civilian are in critical sensitive positions and have a successfully adjudicated SSBI with 5-year periodic reviews. Contractors performing work in privileged IS roles must also undergo successful SSBIs with 5-year reviews. Privileged users must undergo an SSBI regardless of the security clearance level required (eg, even if no clearance or only Confidential or Secret is required). Foreign Nationals or Local Nationals employed by DoD ARE NOT AUTHORIZED to have (IT-I) privileged access to US Information Systems. ADP-IT Requirements for Government Contracts Cyber Security Brief 12
  • 13. DoDI 8500.2 Enclosure 3 (page 46) Privileged Access = IT-I Position of Trust (Privileged Access = Privileged User - (PU) Identifies PU access for: • DAA or IAM (ISSM) (government) • IAO (ISSO) • Monitors or Testers (CND & Developers) • Network Administrators • Systems Administrators • Maintenance of IA products (ACAS, HBSS, PKI, EMET, AV…) Requires a final SSBI prior to being provided PU access to any IT systems (US Military, Civilian or Contractor) ADP-IT Requirements for Government Contracts Cyber Security Brief 13
  • 14. SSBI Investigation IT-I Position of Trust Designation Personnel Category: • Govt. Civilian • Contractor ADP-IT Requirements for Government Contracts Cyber Security Brief 14
  • 15. ADP-IT Requirements for Government Contracts Cyber Security Brief Funding Who pays for the SSBI? - Government Civilian and Military – The Service Component or Agency (OPM) - Contractors – DSS pays for SSBIs for contractors that require Top Secret clearances - If the contractor only needs a SSBI for privileged user access and does not need a Top Secret Clearance, then the Agency or Service Component the contractor is assigned to has to budget for and fund the requirement. 15
  • 16. ADP-IT Requirements for Government Contracts Cyber Security Brief Strategy - Most Department of Defense agencies and service components have applied IT-I, IT-II, & IT-III to privileged users differently due to funding the SSBI, which in 2013 was estimated to be $3700 per person. - Strategy 1: Align the SSBI to a person who has a requirement to access Top Secret information so DSS has to funds the investigation. - Risk 1: A person can be provided access to TS information that does not really have a need to know - Strategy 2: Assign one privileged user as an IT-I and all other privileged users as an IT-II to save money. - Risk 1: An IT-II who is being provided privileged user access is not being properly vetted as required (Insider Threat) - Risk 2: An IT-I privileged user is required to directly oversee and validate tasks completed by all IT-II privileged users they supervise. This is not always feasible in an organization with multiple IT-II privileged users - Strategy 3: Do not address the IT Position of Trust for privileged users - Risk 1: This is the greatest risk and does not protect against the Insider Threat. NOTE: This is the most common approach due to lack of knowledge by acquisition, contracting and security personnel 16
17. Where do we go from here?
All ISSMs managing Cyber Security on a DoD contract should already have:
1. A list of all Privileged Users for their specific areas (IA, SA, NA/E, SE, CND, etc.)
2. Signed Privileged User Agreements for each of them
3. Privileged User training certificates
4. 8570 baseline certification (IAT or IAM)
5. 8570 Computing Environment (CE) certification
6. Completed DD 2875s for all PU personnel
7. HBSS training certificate, if required for one of your PUs
8. ACAS training certificate, if required for one of your PUs
9. ISSO appointment letters for your appointed ISSOs
 A review/audit of contracts should be considered
 The Statement of Work should identify privileged user roles
 The DD254 should also identify IT-I, IT-II and IT-III Positions of Trust
 A strategy should be developed to address deficiencies
18. References
– http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=aa33bc45d44c89541aef4096bf908831&rgn=div5&view=text&node=32:1.1.1.6.75&idno=32
– https://www.law.cornell.edu/cfr/text/32/part-154/appendix-J
– http://iase.disa.mil/stigs/Lists/stigs-masterlist/policy-traditional.aspx
– http://csrc.nist.gov/groups/SMA/fisma/framework.html
– http://www.cac.mil/docs/DoDD-8500.2.pdf
– http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
19. Questions?
Backup Slides Available
20. Industrial Security - DD Form 254
ID-01.02.01 - Industrial Security - DD Form 254
Vulnerability Discussion: Failure to complete a DD Form 254 (Contract Security Classification Specification), or to specify security clearance and/or IT requirements, for all contracts that require access to classified material can result in unauthorized personnel having access to classified material, or in mission failure if personnel are not authorized the proper access.
IA Controls: PECF-1, PRAS-2, PRNK-1
VMS Target: Traditional Security (DISA FSO) - 2506
Requirements:
1. DD Forms 254 must be on hand for each classified contract.
2. All security requirements must be properly detailed on the form, particularly Information Technology related requirements such as the IT Position levels for the positions or types of work to be performed.
Checks:
1. Check that DD Forms 254 are available for all classified contracts. NOTE: These forms may be held by the site contracting officials but should be available to the site security manager and information security manager for review.
2. Conduct a cursory review of each DD 254 to ensure all security requirements are properly detailed on the form, especially with regard to Information Assurance (i.e., IT Position level designation).
NOTE: Applicable to tactical environments if there are contractor personnel performing classified work. This form will likely only be found at fixed locations rather than field locations. While the DD 254 may not be available on site or even in theater, the location of the completed document should be identified and, if possible, a scanned copy requested by email for review. This will likely only be possible via SIPRNet email, because some of these forms contain classified information, while all others are FOUO.
21. Industrial Security - Contractor VALs
ID-02.03.01 - Industrial Security - Contractor Visit Authorization Letters (VALs)
Vulnerability Discussion: Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials being released to unauthorized personnel.
IA Controls: ECAN-1, PECF-1, PRAS-2
VMS Target: Traditional Security (DISA FSO) - 2506
Requirements:
1. Written procedures must be developed that cover the requirements and process for Visit Authorization Letters (VALs) for contractors visiting and/or employed at government sites.
2. All government sites must have a VAL on file for each contractor visiting the site temporarily, and also for permanent-party contractors routinely working at or physically employed at the site.
Notes: JPAS should be used for most short-term "visitor" VALs; however, in addition to JPAS (or as an alternative to JPAS for contractors who do not have JPAS accounts), VALs for "assigned" contractor employees may also be passed via hard copy (mail, fax) or electronically (email). This is because JPAS is by design intended for short-term visits, whereas contractor "employee" VALs require additional information (such as contract number, COR identification, etc.) that cannot be entered into or passed via JPAS. A hard copy VAL for assigned contractor employees helps to eliminate substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in the applicable Statement of Work (SOW) and/or DD 254), etc.
22. Industrial Security - Contractor VALs (continued from previous slide)
ID-02.03.01 - Industrial Security - Contractor Visit Authorization Letters (VALs)
Checks:
1. Check with the security manager or personnel security specialists to ensure there are written procedures for contractors visiting government sites.
2. Ask to see copies of the site VALs and/or determine the site VAL process from how the contractors on your inspection team were processed.
3. Ensure all government facilities have a VAL on file for all contractors visiting the site, including permanent-party contractors.
Notes:
1. JPAS should, and likely will, be used for most short-term "visitor" VALs; however, in addition to JPAS, the VAL for "assigned" contractor employees may also be passed via hard copy (mail, fax) or electronically (email). This is because JPAS is by design intended for short-term visits, whereas contractor "employee" VALs should carry additional information (such as contract number, COR identification, etc.) that cannot be entered into or passed via JPAS. Lack of a hard copy VAL alone for assigned contractor employees at a site will not necessarily be cause for a finding if a VAL in JPAS is available. Reviewers must use discretion in evaluating whether the lack of a hard copy VAL has caused any substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in the applicable Statement of Work (SOW) and/or DD 254), etc. when deciding whether a finding is warranted.
For instance, an individual employee's JPAS record might indicate a TS clearance, but the FCL for the company is only at the Secret level and/or the contract only allows access up to Secret. If the site is allowing that individual access to TS, then the lack of a hard copy VAL could be cited as a finding, in addition to any other related findings from this discovery.
2. Applies in a tactical environment if contract personnel visit or are assigned.
3. Reviewers should be sure to note in the findings report whether the finding concerns JPAS issues for short-term contractor visitors or "hard copy" VALs for assigned contractor employees.