TDI has been providing C&A support services to The Smithsonian for the better part of the decade. Our latest effort relates to performing the C&A on several of the Institution's Major Systems. We work extensively with system owners to provide IA guidance and develop methods of remediating identified vulnerabilities. We also assist the Information Technology Security Staff with any additional documentation, compliance issues, and audit findings. The Smithsonian OCIO/ITSS noted that TDI "made significant contributions in completing two big IT Security milestones at the Smithsonian Institution." She also mentioned, while referencing our work on this task, that "FISMA auditors noted that control testing & evidence was significantly improved by the Smithsonian in FY09."
TDI currently provides an Information System Security Officer with responsibilities to support POA&M/Audit Findings, log reviews, PCI Compliance issues, system documentation, and system compliance.
Currently, other active TDI projects at SI involve maintaining and operating firewalls and IDS infrastructure. The tasks associated with these projects cover the full spectrum of systems management, including rules configuration, traffic control, network anomaly detection, incident monitoring and remediation, and compliance report generation.
TDI supported the development of The Smithsonian Institution’s (SI’s) Disaster Recovery Plan (DRP) for a Major System. The plan establishes procedures and assigns responsibilities for restoring the system following a disruption. TDI also performed DRP Table-Top testing for SI. The goal of the DRP was to establish emergency response procedures that are known and understood in order to restore the system to service if a disaster causes disruption. Its objectives are to: maximize the effectiveness of DR operations through an established plan and through procedures for DRP training and testing; assign responsibilities to designated personnel and provide guidance for recovering during prolonged periods of interruption to minimal and ultimately normal operations; ensure coordination with other SI staff and with external points of contact and vendors who participate in DR and contingency planning strategies; and ensure that preventive controls are operational.
TDI ensured that the system's DRP fully and thoroughly covered all important areas, including: recovery priority, recovery team with alternates, emergency contact information, machine maintenance requirements, fire policies, plan change control, testing procedures, process directions, distribution of the plan, backup procedures, organization chart, update frequency, inventory, configuration diagrams, and restoration procedures. Our approach included performing a risk analysis to evaluate the system's readiness for a disaster and exploring the impact an interruption in business operations would have. When performing the risk analysis, we adhered to a methodology that identified those essential business processes that are critically linked to the system's assets, finances, and customers. TDI analyzed the facilities, systems, equipment, software, documentation, and procedures related to critical business processes. We assessed financial and intangible losses that might occur with an interruption to a critical business process.
Finally, TDI helped to identify the necessary components of disaster recovery. We drafted disaster scenarios and structured them for use during table-top DR testing exercises. TDI assumed a moderator role and administered table-top exercises that used team role-play of disaster scenarios. During the exercise, the DR Manager and System Owners referred to various SI disaster recovery plans while acting out the disaster scenarios.
TDI conducted numerous security, risk, and vulnerability assessments for The Smithsonian Institution (SI) to ensure a high security posture for their systems, networks, and applications. Our staff performed vulnerability assessments and penetration tests. These exercises tested the system security using our standardized testing methodology. TDI also examined the security controls built into various SI applications. We assessed these applications to determine their configuration, their integration within SI's network, and the vulnerabilities that existed.
TDI evaluated a Smithsonian Windows baseline build document and standard as it related to security best practices. As part of this process, TDI ensured that appropriate security measures were taken throughout the procedures prescribed in the build document. To ensure complete security best practices in the build process, we also evaluated the mechanisms for instantiating an instance of the build along with the corresponding package of scripts, templates, patches, and critical updates. Based upon our findings and recommendations in the previous steps, TDI revised the build and installation mechanisms.
Finally, TDI has provided SI with incident response security assessments to perform post-incident forensics and triage assessment activities.
TDI conducted Security Test and Evaluation (ST&E) efforts on various systems in the Smithsonian Institution (SI) network. We completed ST&E efforts for several of SI's major systems. TDI used appropriate verification techniques to demonstrate that management, operational, and technical security controls for these SI systems were implemented correctly and effectively. In addition, TDI prepared the final ST&E Findings reports based upon results of ST&E activities.
The overall ST&E effort is a critical element of the Certification and Accreditation process, and is intended to assess the technical and non-technical implementation of a system security design. TDI's ST&E efforts examined and analyzed security features for the systems' operational environments to determine their respective security posture. Security features affecting confidentiality, integrity, availability, and accountability were designed to protect these systems according to applicable organizational or governmental regulations. TDI's ST&E team ascertained and assessed the effectiveness and proper performance of these security features.
Security testing encompassed all aspects of the systems, including both commercial and in-house developed components. Investigated components included control areas such as: identification and authentication; audit trails; logical access controls; risk management; physical and environmental protection; personnel security; production, input/output controls; contingency planning; hardware and system software maintenance; data integrity; documentation; security awareness, training, and education; and incident response capabilities. Other tasks included a functional and vulnerability assessment of a web application, a Physical Configuration Audit of an internal system, and an IV&V of the SI Enterprise Security Infrastructure implementation.
Working with Smithsonian Institution (SI) personnel, TDI performed technical evaluations of SI Baseline Builds. To ensure complete security best practices in the build process for SI's systems deployment, we also evaluated the mechanisms for instantiating an instance of a given build along with the corresponding package of scripts, templates, patches, and critical updates.
TDI extrapolated the necessary fixes from our assessment to help with the development of Installation and Hardening Scripts. In evaluating the application of our hardening mechanisms and guidelines, we addressed all potential areas of concern, including partitioning, hardware specifications, specific server roles, audit settings, operating system components and services, and database corruption after applying a security template. In short, we ensured that our hardening efforts achieved the goal of security without compromising the functionality of any respective system.
TDI's review, its development of hardening scripts and recommendations, and its validation of these recommended hardening items against current best practices (Microsoft, NSA, SANS, and NIST) showed that SI Builds, coupled with TDI's recommended additional security safeguards, produced a solid system configuration ready for enterprise deployment.
In 2008, TDI was tasked with an important and deadline-driven project of completing Privacy Impact Assessments (PIAs) for Smithsonian Institution systems. The project demanded very active management and communication with system owners in order to provide them with guidance on completing the provided PIA forms. TDI created PIA reports for a mock system in order to illustrate what information was required. The final outcome of the process answered the following types of questions:
- What information is to be collected (e.g., nature and source);
- Why the information is being collected (e.g., to determine eligibility);
- The intended use of the information (e.g., to verify existing data);
- With whom the information will be shared (e.g., another agency for a specified programmatic purpose);
- What opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how individuals can grant consent;
- How the information will be secured (e.g., administrative and technological controls); and
One of the most important results of this work was a more educated and privacy-conscious staff that is now keenly aware of the importance of PIAs, based on the training and consulting that TDI provided.