ITIL and the DoD RMF - Part 2 of 3 - Security Controls

Part 1 gave a basic overview of the United States Department of Defense (DoD) Risk Management Framework (RMF). Now we turn to the “so what”: this entry examines how process consultants may apply their knowledge and skills to help organizations realize the intended outcome of the RMF. It is important to note that the RMF and the underlying security controls from the applicable NIST publications may be used by anyone, not just DoD! Indeed, NIST SP 800-37r1 states, in section 1.2, “State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.”

The heart of the interface between ITIL and the RMF is the security controls, and many of them are process-oriented! Recall from Part 1 that these controls must be selected, implemented, and assessed. Process consultants may be of great use in the implementation and assessment of controls.

NIST SP 800-53r1, Appendix F, is the catalog of security controls that may be applied to systems and, most importantly to us, it states the requirement for each control along with supplemental guidance and optional control enhancements. Many of these controls may be influenced by IT processes: account management and privileged access are two, as is contingency planning, among others. The one that is most obvious to me is Configuration Management, which has an entire family of controls (CM) and requirements under it, so let’s look at that.

If you were to open the NIST publication just referenced and find your way to Appendix F, you would find, somewhere in the neighborhood of page F-64, an overview of the Configuration Management family of controls. All of these controls may be implemented through a Configuration Management Plan (CMP), which is a common product of process consultants. The task is to ensure that the CMP meets the requirements of this control family.

When an assessment finds artifacts and evidence that a control is implemented correctly, and that the result is an improved security posture, a higher degree of assurance is attained. Enter the process consultant: we have all seen plans and process documentation stating that things will be done a certain way, only to find little or no evidence (in the form of process artifacts) that this is the case in practice. A process consultant is particularly well-suited to review a CMP, ensure that it meets the requirements of this family of controls and, if diligent, provide assurance that the plan is actually followed.

CM-3, Configuration Change Control (change management, in ITIL terms), is of particular note. A process consultant may evaluate the organization’s change management plan to ensure that it:

a) Categorizes changes and clearly defines the categories

b) Provides for an information security specialist to sit on the change review board, and for that role to possess either change decision recommendation rights or voting rights

c) Requires change decisions to be documented

d) Requires that change records not be closed until verification of change implementation is complete

e) Provides for the archival of change decisions and implementation verifications

f) Provides for audit and review of change-related activities

g) Defines change review board policies and procedures

All of this merely establishes that the plan meets the base requirement of the control; the publication goes on to define enhancements that may be added to it. After the CMP has been reviewed, providing assurance requires that proof be found, because plans are just plans. Therefore, the consultant should:

a) Review change records to ensure that changes are being categorized and that the system in question is distinguishable in change records from other systems (“I’d like to see all the change records in the last year for [system].”)

b) Attend several change review meetings and verify that an information security specialist is in attendance and that they either make recommendations or vote.

c) Review change management artifacts to ensure that change decisions have been captured.

d) Review change records for evidence that they are closed only upon verification that the change has been implemented.

e) Ensure that the artifacts of change decisions, and change records in general, are archived in accordance with policy.

f) Locate evidence of change implementation and ensure that it records who made the change and is tied to the change record. Incident records should likewise be attributable to a change when applicable.

g) Attend several change review meetings and ensure that they are conducted in accordance with the policy and plan.
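Much of the record-level evidence above can be gathered mechanically from a ticket export before the consultant spends time in meetings. The following script is an added illustration written for this post, not tooling from the author or from NIST: it applies checks a) through f) from both lists to a constructed set of change and incident records (check g, how review meetings are conducted, cannot be read from tickets). The field names, the category set, the timestamps and the record contents are assumptions about what a change-management tool would export.

```python
"""Audit an exported set of change records for CM-3 evidence.

Hypothetical assessment helper written for this post, not NIST or the
author's tooling.  It automates checks a) through f) of the lists above;
check g), how review meetings are conducted, cannot be read from tickets.
The record fields, the category set and the sample data are assumptions
about what a change-management tool would export.
"""
from collections import Counter
from datetime import datetime

# Categories assumed to be defined in the organization's CMP.
DEFINED_CATEGORIES = {"standard", "normal", "emergency"}

# Constructed baseline record that satisfies every check; the sample export
# below derives from it, each record breaking exactly one check.
BASELINE = {
    "system": "payroll", "category": "normal",
    "security_review": "recommend-approve",   # security specialist's input
    "decision": "approved", "implemented_by": "jdoe",
    "verified_at": "2024-03-02T10:00", "closed_at": "2024-03-02T11:00",
    "archived": True,
}


def rec(change_id, **overrides):
    """Build a constructed change record from BASELINE with overrides."""
    return {**BASELINE, "id": change_id, **overrides}


CHANGE_RECORDS = [
    rec("CHG-1001"),                                   # clean record
    rec("CHG-1002", category="misc"),                  # a) undefined category
    rec("CHG-1003", security_review=None),             # b) no security input
    rec("CHG-1004", decision=None),                    # c) decision not captured
    rec("CHG-1005", verified_at="2024-03-05T09:00",
        closed_at="2024-03-05T08:00"),                 # d) closed before verified
    rec("CHG-1006", archived=False),                   # e) closed but not archived
    rec("CHG-1007", implemented_by=None),              # f) implementer unknown
    rec("CHG-1008", system="hr-portal", category="misc"),  # other system
]

# Constructed incident records; INC-2 points at a change not in the export.
INCIDENTS = [
    {"id": "INC-1", "caused_by_change": "CHG-1005"},
    {"id": "INC-2", "caused_by_change": "CHG-4242"},
]


def audit_change_records(records, incidents, categories=DEFINED_CATEGORIES,
                         system=None):
    """Return (change_id, check, message) findings for the given system."""
    findings = []
    known_ids = {r["id"] for r in records}
    for r in records:
        # a) the system must be distinguishable in the records; filter on it
        if system is not None and r.get("system") != system:
            continue
        cid = r["id"]
        if r.get("category") not in categories:
            findings.append((cid, "a", "category missing or not defined in CMP"))
        if not r.get("security_review"):
            findings.append((cid, "b", "no security recommendation or vote recorded"))
        if not r.get("decision"):
            findings.append((cid, "c", "change decision not captured"))
        closed, verified = r.get("closed_at"), r.get("verified_at")
        if closed:
            if not verified or (datetime.fromisoformat(verified)
                                > datetime.fromisoformat(closed)):
                findings.append((cid, "d", "closed before implementation was verified"))
            if not r.get("archived"):
                findings.append((cid, "e", "closed record not archived per policy"))
        if r.get("decision") == "approved" and not r.get("implemented_by"):
            findings.append((cid, "f", "implementation not attributed to a person"))
    # f) incidents attributed to a change must point at a real change record
    for inc in incidents:
        ref = inc.get("caused_by_change")
        if ref and ref not in known_ids:
            findings.append((ref, "f", f"{inc['id']} cites a change absent from export"))
    return findings


def summarize(findings):
    """Count findings per check letter, e.g. {'a': 1, 'f': 2}."""
    return dict(Counter(check for _, check, _ in findings))


if __name__ == "__main__":
    for change_id, check, message in audit_change_records(
            CHANGE_RECORDS, INCIDENTS, system="payroll"):
        print(f"{change_id}: check {check}: {message}")
```

Run against the constructed export with `system="payroll"`, the script reports one finding for each of the deliberately broken records and a second f) finding for the incident that cites a change missing from the export; the clean record and the other system's record produce nothing. The output is a worklist, not a verdict: each finding still has to be confirmed against the actual artifacts, and the meeting-conduct check (g) remains a matter of attending the review board.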

There are scores of controls defined in the NIST publication, many of which are either directly or indirectly influenced by “traditional” IT processes such as asset management and change/configuration management, as well as the more obviously security-related ITIL processes of Security Management, IT Service Continuity Management, and Access Management.

This entry has reviewed one example of how a process consultant may assist an organization in implementing the security controls required by the RMF. In Part 3 I will provide an example from my work in which a customer complained of a control not being met and how I approached the matter.