Security Issues that a Project Manager at CDC Needs to Address Presented by Kevin Lyday, CISSP, PMP To the CDC Project Management Community of Practice May 16, 2008

Page 1: Security Issues that a Project Manager at CDC

Security Issues that a Project Manager at CDC

Needs to Address

Presented by Kevin Lyday, CISSP, PMP

To the CDC Project Management Community of Practice

May 16, 2008

Page 2: Security Issues that a Project Manager at CDC

Current Assessment

Q1. When must Web-based applications be scanned for vulnerabilities?

A1. Changes must be scanned for vulnerabilities prior to production. This includes new applications and changes to existing code.*

Q2. Who is responsible for the use of OCISO approved testing tools to test web application code changes?

A2. The CIO’s Information System Security Officer.*

*CDC policy “Web-based Applications: Vulnerability Testing And Change Management”, Dated 01/26/2008

Page 3: Security Issues that a Project Manager at CDC

Current Assessment

Q3. During which EPLC project phase should security planning be considered?

A3. Initiation (Determine if the Business Needs Statement contains any potential security concerns.)*

Q4. Who is responsible for the C&A process during the system’s life cycle?

A4. The information system owner, the Designated Approving Authority (DAA), and the certification agent all play key roles.**

* EPLC Overview Document (March 17, 2008 Draft v1)

** IT Security Program Plan, August 2007

Page 4: Security Issues that a Project Manager at CDC

Current Assessment

Q5. If a website is run by a contractor on behalf of the government, is not on a .gov domain, and is primarily viewed by government employees, is it required to be Section 208 (machine-readable privacy policy) compliant?

A5. The machine-readable privacy policy requirement applies to "all executive branch departments and agencies and their contractors that use IT or that operate websites for purposes of interacting with the public; and relevant cross-agency initiatives, including those that further electronic government."* Coverage turns on who operates the site and what it is for, not on whether the domain is .gov.

* OMB Memorandum M-03-22

Page 5: Security Issues that a Project Manager at CDC

Information Security Components

Communications

Page 7: Security Issues that a Project Manager at CDC

Confidentiality

Information has confidentiality when disclosure or exposure to unauthorized individuals or systems is prevented.

Page 8: Security Issues that a Project Manager at CDC

Integrity

Integrity means that data cannot be created, changed, or deleted without authorization.

Page 9: Security Issues that a Project Manager at CDC

Availability

The computing systems used to process the information, and the security controls used to protect the information, are all available and functioning correctly when the information is needed.

Page 10: Security Issues that a Project Manager at CDC

Planning to Develop a New Application?

Security must be designed into the system from the very beginning, reviewed periodically during the project, and maintained throughout the life of the system.

Security costs must be budgeted from the very beginning of the project

Security policies, practices, and requirements must be reviewed and understood from the very beginning

Page 11: Security Issues that a Project Manager at CDC

Data Compromise

Ten Easy Ways to Compromise Your Data

1. Design and write poor applications

2. Do not perform a security assessment of the system

3. Do not use server-side certificates (SSL/TLS)

4. Do not hash passwords or encrypt sensitive data

5. Do not use access control management

Page 12: Security Issues that a Project Manager at CDC

Data Compromise

Ten Easy Ways to Compromise Your Data (continued)

6. Mix your sensitive and non-sensitive data

7. Do not change default admin passwords

8. Do not encrypt backups, or take no backups at all!

9. Do not separate development/staging/testing environments from the production environment

10. Do not waste your time on user training
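The following is an added example, not code from the slides or from CDC: it puts the weak form of items 4 and 7 (unhashed passwords, default admin passwords) beside a hardened form using only the Python standard library. The PBKDF2 iteration count and the list of default passwords are assumptions chosen for illustration, not values the slides give.

```python
# Added example (not from the slide deck): weak vs. hardened handling of
# items 4 and 7 on the "Ten Easy Ways" list, standard library only.
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 work factor; tune it to your own hardware budget.
PBKDF2_ITERATIONS = 600_000

# Constructed sample of factory/default credentials (hypothetical, not a real product list).
DEFAULT_PASSWORDS = frozenset({"", "admin", "password", "changeme", "default", "admin123"})


# ---- Item 4, the easy way to lose data: store and compare the password itself.
def store_plaintext(password: str) -> str:
    """Whatever is written to the user table IS the secret."""
    return password


def verify_plaintext(stored: str, candidate: str) -> bool:
    # A copied table yields every password, and `==` stops at the first
    # differing byte, so response time leaks how much of a guess matched.
    return stored == candidate


# ---- Item 4, hardened: per-user salt, iterated hash, self-describing record.
def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte salt per user defeats precomputed tables; keeping the
    iteration count in the record lets it be raised later without a flag day.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the record's own salt and iteration count, then compare
    in constant time. Any malformed or foreign record verifies as False."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    except ValueError:  # bad field count, bad hex, bad integer, iterations < 1
        return False
    return hmac.compare_digest(actual, expected)


# ---- Item 7: refuse well-known default credentials before they are ever stored.
def is_default_password(password: str) -> bool:
    return password.strip().lower() in DEFAULT_PASSWORDS


def create_account(users: dict, username: str, password: str,
                   iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Store only the hash, and reject a default password instead of saving it."""
    if is_default_password(password):
        return False
    users[username] = hash_password(password, iterations)
    return True


if __name__ == "__main__":
    users = {}
    print("admin/admin accepted?", create_account(users, "admin", "admin"))
    print("passphrase accepted?", create_account(users, "admin", "correct horse battery staple"))
    print("stored record:", users["admin"])
    print("right password verifies?", verify_password(users["admin"], "correct horse battery staple"))
    print("wrong password verifies?", verify_password(users["admin"], "admin"))
```

Because the record carries its own algorithm, iteration count and salt, an operator can raise the work factor for new hashes and re-hash old ones at the user's next successful login; a password that appears on the default list never reaches the table in any form.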

Page 13: Security Issues that a Project Manager at CDC

Final Thoughts

Top 5 “Kevinisms”

1. Data security is like a relationship… ignore it and your data will go to someone else.

2. So you are a trusting person? Go on a vacation and leave your teenager and the keys to your Lexus at home.

3. Ignorance is bliss until your name/organization appears on the front page of the newspaper (CDC missing laptops).

4. Data security is expensive; not doing it is even more so.

5. A strong coop will keep the chickens in and the fox out!