Thursday, December 27, 2007

Apologies and a new rant

I apologize for not keeping up with the blog.

I wish I had more time; apparently I thought I was going to manufacture some in the other room. I have been hard at work on a certification consulting task, a certification task, a personal web development project and general house administrivia (oh, and the holidays).

Since my last post, the 800-53A Final Public Draft is out. I think it is somewhat helpful; I am getting ready to use it on a project that is "bleeding edge," as they call it.

I suppose my concern revolves around using this public draft on 800-53 rev 0. That is not a typo, we certified something on rev 0 of the 800-53 and now we are going to be using 53A test cases. There will be gaps, there will be problems. I hope that we can plug them quickly.

What I hope to convey here is that the 53A contains test cases. They are not test steps. You will still need to turn these cases into a meaningful process to test the control.

Case in point, AC-6 Least Privilege. Here is the control text:

Control: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.

Supplemental Guidance: The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.

Here is the 800-53A Objective and Method:

ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization assigns the most restrictive set of rights/privileges or accesses needed by users for the performance of specified tasks; and
(ii) the information system enforces the most restrictive set of rights/privileges or accesses needed by users.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of assigned access authorizations (user privileges); information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (M) (H)

Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks]. (H)

So we aren't supposed to look at the settings on the box? The answer is Maybe.

The whole gist of the NIST Special Pubs is that they are tailorable. If you, the assessor, you the security operations team, or you in the back, the IG auditor, feel it necessary to add a test case with extra test steps, then you must do that. I will be submitting comments on the 53A, especially because I don't feel on this one (in particular) that they have addressed the control. Look at the second objective in the example above.
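Here is what one of those extra test steps for the second objective could look like. This is an added example, not text from the post, from NIST or from 800-53A: it takes the two objects the 53A "Examine" method already names, the list of assigned access authorizations and the system configuration settings, and checks one against the other instead of only reading them. The authorization list, the /etc/group and sudoers snapshots, the set of "privileged" groups and the `group:`/`sudo:` privilege labels are all constructed for the example. Every privilege the box actually grants that is not on the authorization list comes out as a finding, which is the evidence the documentation-and-interview approach cannot produce on its own.

```python
"""
Added example: a concrete test step for AC-6 assessment objective (ii).

Compare the documented "list of assigned access authorizations" against what
the system configuration really grants (privileged group membership plus
sudoers rules) and report every grant the documentation does not cover.
All inputs below are constructed sample data, not taken from any real system.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed: the authorization list management has signed off on.
# user -> set of approved privileges, using the example's own label scheme.
AUTHORIZED: dict[str, set[str]] = {
    "root": {"sudo:ALL"},
    "alice": {"group:wheel", "sudo:ALL"},
    "bob": {"group:wheel"},
    "carol": set(),                       # ordinary user, nothing elevated approved
    "svc_backup": {"sudo:/usr/bin/rsync"},
}

# Constructed: groups on this system that confer elevated privilege.
PRIVILEGED_GROUPS = {"wheel", "sudo", "adm"}

# Constructed /etc/group snapshot (name:password:gid:member,member,...).
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob,dave
adm:x:4:carol
users:x:100:alice,bob,carol,dave
"""

# Constructed /etc/sudoers snapshot.
SAMPLE_SUDOERS = """\
# Defaults
Defaults env_reset
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL
svc_backup ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
%wheel  ALL=(ALL) ALL
"""


@dataclass
class Finding:
    user: str
    privilege: str
    reason: str


def parse_group_file(text: str) -> dict[str, set[str]]:
    """Return group name -> set of member users from /etc/group format."""
    members: dict[str, set[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, users = line.split(":", 3)
        members[name] = {u for u in users.split(",") if u}
    return members


# principal  host=(runas) [NOPASSWD:] cmd, cmd ...   (common sudoers user spec)
_SUDO_RULE = re.compile(r"^(\S+)\s+\S+=\([^)]*\)\s*(?:NOPASSWD:\s*)?(.+)$")


def parse_sudoers(text: str) -> dict[str, set[str]]:
    """Return principal (user or %group) -> set of 'sudo:<command>' grants."""
    grants: dict[str, set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = _SUDO_RULE.match(line)
        if not m:
            continue
        principal, cmds = m.group(1), m.group(2)
        for cmd in cmds.split(","):
            grants.setdefault(principal, set()).add(f"sudo:{cmd.strip()}")
    return grants


def effective_privileges(group_text: str, sudoers_text: str) -> dict[str, set[str]]:
    """What the box actually grants each user, with %group sudo rules expanded."""
    groups = parse_group_file(group_text)
    privs: dict[str, set[str]] = {}
    for g in PRIVILEGED_GROUPS:
        for user in groups.get(g, set()):
            privs.setdefault(user, set()).add(f"group:{g}")
    for principal, cmds in parse_sudoers(sudoers_text).items():
        users = groups.get(principal[1:], set()) if principal.startswith("%") else {principal}
        for user in users:
            privs.setdefault(user, set()).update(cmds)
    return privs


def check_least_privilege(group_text: str, sudoers_text: str,
                          authorized: dict[str, set[str]]) -> list[Finding]:
    """Every privilege granted by the system but absent from the authorization list."""
    findings: list[Finding] = []
    for user, privs in sorted(effective_privileges(group_text, sudoers_text).items()):
        allowed = authorized.get(user)
        for p in sorted(privs):
            if allowed is None:
                findings.append(Finding(user, p, "no authorization on file for this user"))
            elif p not in allowed:
                findings.append(Finding(user, p, "grant exceeds documented authorization"))
    return findings


if __name__ == "__main__":
    for f in check_least_privilege(SAMPLE_GROUP_FILE, SAMPLE_SUDOERS, AUTHORIZED):
        print(f"{f.user:12} {f.privilege:22} {f.reason}")
```

On the constructed data this reports five gaps, and one of them is the interesting kind: bob's wheel membership is on the authorization list, but the `%wheel` sudoers rule turns that into unrestricted sudo, which nobody approved. Reading the authorization list and interviewing the administrator would both have said bob is fine; only checking the settings on the box shows that objective (ii) is not met.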

I don't know an Accreditation Authority that would say, "Nah, we believe that the system doesn't have to enforce least privilege. Our documentation and interview results should be fine. Don't check it."

If you are from NIST, please take no offense here. I want to help, explain or educate as best I can. I know it is hard covering all these bases and this format is much improved over 1st and 2nd public drafts.

This time I promise to post the comments I send on the 53A to NIST, since I am actually going to do it this time.

Lastly, you will notice that there is something called an 800-53 Rev 2. My understanding is that the changes in it will mainly affect Federal Industrial Control Systems. I haven't done a comparison yet. I have bigger fish to fry.