information security salary

information systems security salary

Information system security salaries are usually above average within the IT career field, but the salary you get will vary. The main factors affecting an information systems security salary are experience level, title/position, and credentials.

Also, the term “information systems security” is very broad. As information technology has gotten more complex and diverse, it has broken into sub-specializations within specializations. For example, within information system security there are engineers, analysts, information system security officers, information system security managers, architects and many others.

The words “engineer”, “analyst”, “specialist” and others are thrown around a lot, but can really mean anything as far as what you end up doing, so it's best to look at the description of the position and talk to those doing the hiring. Information system security managers have the potential for the highest salary. For engineers and analysts it depends on the complexity of the work. Architects can sometimes make as much as or more than a manager. An information system security architect knows so many aspects of technology that they are usually in charge of the security vision of an organization or business unit.

So to figure out the salary of an information system security professional you will really have to know the specifics of the job.

Two of the best places to look up salaries for a position are Glassdoor.com and salary.com. Glassdoor is an incredible site where anonymous contributors give information on their pay, the work environment, the interview process and ratings of the company.

Example of an information systems security salary:

http://www.glassdoor.com/Salaries/information-systems-security-officer-salary-SRCH_KO0,36.htm

diarmf risk management of information security

diacap to diarmf: manage information security risk

Risk Management Framework is implemented throughout an organization.

NIST SP 800-39, Manage Information Security Risk, describes how to manage risk within the three layers (or tiers) of an organization:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

Tier 1: Organization Level risk management
Tier one addresses security from the organization's perspective. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides the context for all risk activities within an organization, which affects the risk activities of tiers 1 & 2. The output of risk framing is the Risk Management Strategy. In tier 1 the organization establishes and implements governance structures that comply with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Mission/Business Process Level risk management

Tier 2 risk management activities include: 1) defining the mission/business processes that support the organization; 2) prioritizing the mission/business processes with respect to the long-term goals of the organization; 3) defining the types of information needed to successfully execute the mission/business processes, the criticality/sensitivity of that information, and the information flows both internal and external to the organization.

Having a risk-aware process is an important part of tier 2. To be risk-aware, senior leaders/executives need to know: 1) the types of threat sources and threat events that could adversely affect the organization's ability to carry out its missions; 2) the potential adverse impacts on organizational operations and assets, individuals, and the Nation if confidentiality, integrity or availability is compromised; 3) the organization's resilience to such an attack that can be achieved with a given mission/business process.

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks:
1) Categorization of the information system
2) Allocating organizational security controls
3) Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the steps of a comprehensive risk management program. The tasks discussed include:
Risk Framing
Risk Assessing
Risk Response
Risk Monitoring

For more information go to: http://elamb.org/training-certification800-39-manage-information-security-risks/

DIACAP to DIARMF: Assessment Authorization

With the move from certification and accreditation (C&A) to the risk management framework come a few new terms. “C&A” will be replaced with “assessment and authorization”. Even though “information assurance (IA) controls” will be called “security controls”, the definition and the work are still the same; the hope is that it is done continuously and more cost-effectively.

Certification (NIST Assessment) - Comprehensive evaluation of an information system's IA controls/security controls to determine the extent to which the controls are implemented correctly and operating as intended, meaning that, when evaluated, they produce the desired outcome. An assessment is about gathering information to provide the factual basis for an authorizing official (Designated Accrediting Authority) to render a security accreditation decision.

Accreditation (NIST Authorization) – Security accreditation is the official management decision to operate (DAA – formal approval of the system). Authorization is given by a senior agency official (upper management/higher headquarters/combatant commander). The official should have the authority to oversee the budget and business operations of the information system and explicitly accepts the risk to operations, assets and individuals. They accept responsibility for the security of the system and are fully accountable for it.

“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”

- NIST SP 800-37 rev 1

March 14, 2014, UPDATE RMF – DoD IT:

DIARMF will be known as Risk Management Framework for DoD IT.

diacap to diarmf: intro

The DoD Chief Information Officer (formerly the Assistant Secretary of Defense), in collaboration with the Department of the Navy CIO, has developed a DoDI 8500.2 to NIST SP 800-53 IA control mapping (2010). More is available on the DIACAP Knowledge Service.

DIACAP Knowledge Service

On the DIACAP Knowledge Service go to “C&A Transformation”. This page introduces some of the coming changes from Certification & Accreditation to the Risk Management Framework described in NIST SP 800-37.

DIACAP has a “Risk Management Framework Transformation Initiative” underway that provides information on the use of NIST SP 800-53, NIST SP 800-37 and CNSS Instruction 1253.

The site introduces changes being made to DoDD 8500.01, DoDI 8500.2, DoDI 8510.01 and other documents that will be aligned with the NIST 800 series and FISMA 2013. They feature an attempt to keep up with newly arising cyberthreats, vulnerabilities and security incidents using real-time, “continuous monitoring” technologies such as HP ArcSight, McAfee ESM, ePO, NSP, Retina, Nessus and other near-real-time active monitoring systems.

Why DIACAP to DIARMF?

The federal government has gotten more serious about security. They realize that enterprise-level security and process is a continuous and expensive business. The old certification & accreditation process is not only long and expensive but so slow that it cannot keep up with the constant changes in information technology.

Risk-based/cost-effective security means creating security systems and policies that focus on “adequate security”. The Executive Branch Office of Management and Budget (OMB) defines adequate security as security commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. The feds are also attempting to streamline the process of implementing and evaluating security controls by creating as much paperless automation as possible.

note IMHO: Since technology is changing at a rate of what Ray Kurzweil calls “accelerating returns”, I think for governments and organizations stuck in “static policy” based systems there is no way they can ever keep up with information technology without a revolutionary shift in thinking. Google is probably the closest to understanding what is actually happening. The best any of us can do is observe.

Source documents for all U.S. Federal information security:

OMB A-130 – Management of Federal Information Resources

FISMA – Federal Information Security Management Act of 2002

Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541) enacted as Title III of the E-Government Act of 2002 (Public Law 107-347)

Requires all government agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and systems that support the operations and assets of the agency. Applies to contractors and other sources.

The federal government has created various acts/laws to change the C&A process to a more risk-management-oriented approach and to emphasize a risk-based policy for cost-effective security. These acts include (but are not limited to):

  • Federal Information Security Management Act of 2002 (amended as of April 2013)
  • The Paperwork Reduction Act of 1995
  • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), supported by the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources

diacap to diarmf: C&A vs RMF

DIACAP is transitioning from Certification and Accreditation to a Risk Management Framework. Most of the new Risk Management Framework is in NIST Special Publication 800-37. The old NIST SP 800-37 was also based on Certification and Accreditation. After FISMA 2002, it was revised into a Risk Management Framework in NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems.


The revision of NIST SP 800-37 to SP 800-37 Rev 1 transformed the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The revised process emphasizes:

  1. Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
  2. Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
  3. Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems

diacap to diarmf: FISMA 2013

The Federal Information Security Amendments Act, H.R. 1163, amends the Federal Information Security Management Act of 2002 (FISMA).

Main Points of FISMA 2002:

  • Cost-effectively reduce information technology security risks
  • Vulnerability database system
  • Maintain an inventory of major information systems
  • Security categorization of federal information systems by risk level
  • Minimum security requirements
  • System security planning process
  • Annual review of assigned information system compliance
  • Risk management

The amendment has a few big changes from the previous 2002 version that will affect federal agencies, but the two main ones that stood out for me are the emphasis on automation and the CISO position.

The FISMA Amendment was passed by the House of Representatives (4 April 2013) but must still pass the Senate and be signed into law by the President.

1 – Continuous monitoring / automation of everything – FISMA 2013 requires continuous monitoring (automation) and regular cyberthreat assessments for better oversight of federal organizations.

Security Incidents – Security incidents are automatically detected with tools like McAfee Network Security Platform (IPS), Sourcefire Snort (IDS), McAfee ePO and Cisco IDS. With the right people to manage the signatures and the configuration, these are great products. Once incidents are detected you can then do incident handling with something like Remedy. FISMA 2013: “with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued by the National Institute of Standards and Technology”

Information Systems Security – Vulnerability scanners such as Retina and Tenable's Nessus are great at automatically checking security controls and policies within an agency. Change Auditor and other tools can detect changes to the GPOs within a domain. FISMA 2013: “with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for testing and evaluation of the effectiveness and compliance of information security policies, procedures, and practices, including…” security controls

Risk Level & Impact of Harm – McAfee ESM and ArcSight are good at pulling in the data from security tools that detect security events, evaluating the risk level and giving a measurement of the possible harm to an asset. FISMA 2013: “automated and continuous monitoring, when possible, of the risk and magnitude of the harm that could result from the disruption or unauthorized access, use, disclosure, modification, or destruction of information and information systems that support the operations and assets of the agency;”

Detection/Correlation – this one could be grouped in with Security Incidents, but Security Incidents gets more into incident handling. Also, ArcSight, McAfee, LogRhythm, LogLogic, AlienVault and other security information and event managers (SIEMs) do correlation automatically. FISMA 2013: “efficiently detect, correlate, respond to, contain, mitigate, and remediate incidents that impair the adequate security of the information systems of more than one agency. To the extent practicable, the capability shall be continuous and technically automated.”

2 – CISO positions and responsibilities backed by law – The amendment requires each department head to be held accountable for IT. In the DoD Information Assurance Risk Management Framework (DIARMF) this department director is known as the Authorizing Official (aka Designated Accrediting Authority in DIACAP). FISMA 2013 requires the AO to have a Chief Information Security Officer. This is a position that is already defined under the Risk Management Framework. The DoD has referred to this position as the Senior Information Assurance Officer in DIACAP. Under FISMA 2013, the CISO/SIAO must have the qualifications to implement the agency-wide security programs for which they are responsible and must report directly to the AO.

The CISO/SIAO will also have responsibility for automated security systems. The CISO will be responsible for developing, maintaining and overseeing these automated systems.

FISMA 2013 also aims to minimize the risk of cyberattacks by conducting penetration testing.

Overall, they made automation a requirement, which is the direction the field of information security has already been heading, and put more emphasis on the CISO. The amendments highlight the changes from DIACAP to DIARMF, as many of the changes are already in the NIST 800 series that DIARMF is based on.

source:

http://beta.congress.gov/bill/113th/house-bill/1163/text

Training and Certification: 800-66 – HIPAA

Guidance for the Health Insurance Portability and Accountability Act (HIPAA)

NIST Special Publication 800-66 offers guidance for HIPAA. HIPAA is broken up into five Titles:
Title 1) Healthcare accessibility, portability and renewability
Title 2) Healthcare fraud and abuse prevention; healthcare liability; Administrative Simplification
Title 3) Tax-related healthcare provisions
Title 4) Group health plans
Title 5) Revenue offset

The focus of NIST SP 800-66 is the HIPAA Security Rule under Title 2, Administrative Simplification. Administrative Simplification is broken into Electronic Data Interchange (code sets, identifiers, transactions), Privacy, and Security.
Security includes all efforts to protect the confidentiality, integrity & availability of electronic protected health information (EPHI). HIPAA Security is applicable to covered entities. Covered entities include covered healthcare providers, health plans, healthcare clearinghouses, and Medicare prescription drug card sponsors.

This involves physical, administrative and technical safeguards, organizational requirements, and policy, procedure and documentation requirements. The controls used to meet these requirements are either required or addressable.

Physical safeguards: all security controls needed to physically protect electronic protected health information (EPHI) and resources. These controls reduce physical access to the EPHI systems and their resources by isolating, limiting access to, and locking the areas in which the resources housing EPHI are located.
Administrative safeguards: administrative controls include the documentation and procedures that reflect the security of systems containing EPHI.
Technical safeguards: technical security features that protect EPHI. This includes access control lists, least functionality on ports, protocols & services, and other logical protection mechanisms over a network.
Organizational requirements: organizational requirements include the policies, standards and guidelines that the organization must adhere to. This may include federal and state law and healthcare best practice.
Policy, procedure and documentation requirements: physical, administrative and technical controls are captured in documentation to establish a baseline, provide consistency and act as a blueprint for future employees and/or managers.

Training and Certification: NIST SP 800-39 Manage Information Security Risk

NIST SP 800-39, Manage Information Security Risk

NIST 800-39 is a federal document that talks about risk management of information systems and their security. It is cited as one of the sources for the ISC2 Certified Authorization Professional (CAP) certification. To study the document, go to Chapters 2 and 3 of 800-39. Chapter 2 talks about the fundamentals of risk management and chapter 3 breaks down the process of applying risk management across an organization.

The Fundamentals of Risk Management (Chapter 2, 800-39)
800-39 goes into the philosophy (or the why) and the how of managing information security risk at multiple levels (the multitier risk management approach). The three layers (or tiers) of risk management addressed in 800-39 are:
Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

Tier 1: Organization Level risk management
Tier one addresses security from the organization's perspective. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides the context for all risk activities within an organization, which affects the risk activities of tiers 1 & 2. The output of risk framing is the Risk Management Strategy. In tier 1 the organization establishes and implements governance structures that comply with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Mission/Business Process Level risk management

Tier 2 risk management activities include: 1) defining the mission/business processes that support the organization; 2) prioritizing the mission/business processes with respect to the long-term goals of the organization; 3) defining the types of information needed to successfully execute the mission/business processes, the criticality/sensitivity of that information, and the information flows both internal and external to the organization.

Having a risk-aware process is an important part of tier 2. To be risk-aware, senior leaders/executives need to know: 1) the types of threat sources and threat events that could adversely affect the organization's ability to carry out its missions; 2) the potential adverse impacts on organizational operations and assets, individuals, and the Nation if confidentiality, integrity or availability is compromised; 3) the organization's resilience to such an attack that can be achieved with a given mission/business process.

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks:
1) Categorization of the information system
2) Allocating organizational security controls
3) Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the steps of a comprehensive risk management program. The tasks discussed include:
Risk Framing
Risk Assessing
Risk Response
Risk Monitoring

Risk Framing
Risk framing consists of the assumptions, constraints, risk tolerance and priorities that shape how an organization manages risk. Risk framing is based on the organizational governance structure, how much money is available, regulations imposed, environment, culture and trust relationships.
In order to frame risk (or get an organizational context for the risk) the organization must determine: risk assumptions, risk constraints, risk tolerance and priorities/trade-offs.

Risk Assumptions
Risk assumptions have to do with determining how risk will be assessed for an organization. Assumptions are based on identification of threats, vulnerabilities, the impact to the organization if attacks are successful and the likelihood of attacks.

Risk Constraints
Risk constraints have to do with accepted limits on risk assessment, risk monitoring & risk response. Those limitations might be financial, cultural, the need to rely on legacy systems, or regulations imposed on the organization.

Risk Tolerance
Risk tolerance is how much risk the organization is willing to take.

Priorities/Tradeoffs
Risk is experienced at different levels, in different forms, and in different time frames. At Tier 1, organizations make trade-offs among and establish priorities for responding to such risks. Organizations tend to have multiple priorities that at times conflict, which generates potential risk. Approaches employed by organizations for managing portfolios of risks reflect organizational culture, risk tolerance, as well as risk-related assumptions and constraints. These approaches are typically embodied in the strategic plans, policies, and roadmaps of organizations which may indicate preferences for different forms of risk response. For example, organizations may be willing to accept short-term risk of slightly degraded operations to achieve long-term reduction in information security risk. However, this trade-off could be unacceptable for one particularly critical mission/business function (e.g., real-time requirements in many industrial/process control systems). For that high-priority area, a different approach to improving security may be required, including the application of compensating security controls.

Risk Assessment
Risk assessment is threat & vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessment, because the methods of risk assessment must be established within the context of the organization's risk.

Risk Response
Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

Risk identification is key to risk response. Risk response types include:
Risk acceptance - the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

Risk avoidance - Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.

Risk mitigation - adding management, technical and administrative safeguards to minimize identified risks to the system.
Risk share & transfer - Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies).

Risk Monitoring
Risk changes with each modification of the system. It's important to monitor the changes in the risk of a system. Changes to threats can also change risk.

Training & Certification: CAP – Security Authorization of Federal Information Systems

Understanding the Security Authorization of federal information systems

The ISC2 CAP candidate needs to understand the multitier approach to evaluating strategic & tactical risk across an organization/enterprise. This is discussed thoroughly in NIST SP 800-39, Managing Information Security Risk. 800-39 explains risk management from the organization, mission, and system perspectives.

800-39 explains how an organization does risk framing by making risk assumptions and knowing its risk constraints, risk tolerance, priorities & tradeoffs. Implementation of an organization's risk management strategy is also based on its governance structure.

Security Authorization is a risk management process that is based on identification of threats, vulnerabilities and countermeasures. 800-39 and 800-37 explain what must be included in a risk assessment that evaluates residual risks and determines whether they are acceptable or unacceptable to the organization as a whole. Unacceptable risks can be reduced by implementing security controls.

Understanding the Security Authorization of federal information systems covers the following key areas:

Understand the Risk Management Approach to Security Authorization
Understand and distinguish among the Risk Management Framework (RMF) steps
Define and Understand Roles & Responsibilities
Understand the Relationship between the RMF and SDLC
Understand Legal, Regulatory, and Other Requirements for Security Authorization
Understand Common Controls and Security Control Inheritance
Understand Ongoing Monitoring Strategies
Understand How the Security Authorization Process Relates to:

1. Organization-wide risk management
2. System Development Life Cycle (SDLC)
3. Information system boundaries
4. Authorization decisions

Training and Certification: certified authorization professional (1)

The Certified Authorization Professional (CAP) is a certification that indicates a professional level of knowledge/skill on the subject of federal information system authorization (formerly certification & accreditation). In the US federal government, authorization to operate a federally owned information system is a formal acceptance of risk by an Authorizing Official (AO). An AO is a high-ranking official granted the authority to make major risk-related decisions for an entire branch or unit within a federal organization. The AO accepts or rejects the risks that information systems pose to his or her organization based on the recommendations of a security control assessor's audit and the accompanying Security Authorization Package.

The CAP is based almost entirely on federal information security/protection laws, National Institute of Standards & Technology (NIST), and Office of Management & Budget regulations.

There are seven domains the CAP exam focuses on:
1. Understanding the Security Authorization of Information Systems
2. Categorize Information Systems
3. Establish the Security Control Baseline
4. Apply Security Controls
5. Assess Security Controls
6. Authorize Information System
7. Monitor Security Controls
