Tune IT Up Campaign Overview

Mark Kaletka, Computing Division, 9/29/2009


Page 2: Audit not Quite “Fail”

– The Safeguards and Security Audit of the Computer Security Program in May 2009 resulted in 6 findings.
  – For us this is like going from A+ to C-.
– The auditors will keep coming back; we need to work together Lab-wide to improve.
  – And address the specific findings and their underlying causes.

Page 3: A “Few” of the Lab’s IT Directives & Regulations

One of the items specified in the contract between FRA and DOE to manage Fermilab is the list of regulations that Fermilab must comply with, and a process for updating that list managed through our DOE site office:

– Applicable Standards and Guidance
  – Legislation
    – Office of Management and Budget (OMB) Memorandum 03-33, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003.
    – Office of Management and Budget (OMB) Memorandum 99-05, Instructions For Complying With The President's Memorandum Of May 14, 1998, "Privacy and Personal Information in Federal Records," January 7, 1999.
    – Public Law 107-347 (44 U.S.C. Ch 36), E-Government Act of 2002, Title III—Information Security, also known as the Federal Information Security Management Act (FISMA) of 2002.
    – Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, February 8, 1996.
    – Public Law, Information Technology Management Reform Act of 1996 (Clinger-Cohen Act).
  – NIST Guidance
    – Federal Information Processing Standards (FIPS)
      – FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, July 2005.
      – FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.
    – Special Publications
      – SP 800-70, The NIST Security Configuration Checklists Program, May 2005.
      – SP 800-65, Integrating Security into the Capital Planning and Investment Control Process, January 2005.
      – SP 800-64, Security Considerations in the Information System Development Life Cycle, October 2003 (original release); Revision 1 released June 2004.
      – SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004.
      – SP 800-53, Recommended Security Controls for Federal Information Systems, February 2005.
      – SP 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, November 2002.
      – SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.
      – SP 800-34, Contingency Planning Guide for Information Technology Systems, June 2002.
      – SP 800-30, Risk Management Guide for Information Technology Systems, July 2002.
      – SP 800-26, Rev. 1 (NIST DRAFT), Guide for Information Security Program Assessments and System Reporting Form.
      – SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.
  – DOE Policy and Guidance
    – Revitalization of the Department of Energy Cyber Security Program (1/2006).
    – Department of Energy Cyber Security Management Program, Order 205.1 (Draft).
    – Department of Energy Cyber Security Management Program (3/21/2003).
    – Notice 205.1-1, Incident Prevention Warning and Response Manual.
    – Notice 205.2, Foreign National Access to DOE Cyber Systems (extended to 9/30/06).
    – Notice 205.3, Password Generation, Protection and Use (extended to 9/30/06).
    – Notice 205.4, Handling Cyber Alerts and Advisories, and Reporting Cyber Security Incidents (extended to 07/06/05).
    – Notice 205.8, Cyber Security Requirements for Wireless Devices and Information Systems (3/18/06).
    – Notice 205.9, Certification and Accreditation Process for Information Systems, including National Security Systems (3/18/06).
    – Notice 205.10, Cyber Security Requirements for Risk Management (3/18/06).
    – Notice 205.11, Security Requirements for Remote Access to DOE and Applicable Contractor Information Technology Systems (3/18/06).
    – Notice 205.12, Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware (2/19/2004).
    – Notice 205.13, Extension of DOE Directive on Cyber Security (7/6/2004).

Page 5: Audit Findings = Consequences…

– Findings have serious consequences for the Lab. There is a contract between FRA and DOE to manage Fermilab.
– Consequences of failing to meet the terms of the contract can be both tangible (financial, resources, rebid of our contract) and intangible (credibility of the Lab to conduct its scientific program).
  – Just like safety and quality assurance.
– We want to fix the underlying causes that led to the audit findings.
  – Not just address isolated consequences.

Page 7: Launch!

– The Lab Director (Pier) instructed the CIO (Vicky White) to lead a lab-wide response.
– The CIO placed me (Mark Kaletka) in charge of leading the lab-wide response.
– Progress is being monitored by the DOE Site Office.
– The response is the Tune IT Up Campaign.

Page 8: Message from the Director

I have directed Vicky White, Fermilab’s chief information officer, to take whatever steps are necessary to address the findings in this audit and to bring Fermilab cybersecurity up to the same standard of excellence we require for every other area of laboratory operations. With my full support, she will lead a campaign, “Tune IT Up,” that will involve every Fermilab employee and user in making changes to the way we manage computers. We will need to move quickly. Just like safety, cybersecurity is the responsibility of every person at the laboratory. Line managers are responsible for understanding and enforcing policies on computer security. System administrators must follow the requirements for configuration of the machines under their control. Each user is responsible for understanding and following the Fermilab Policy on Computing. Employees with higher levels of responsibility, for example those handling privacy information, must exercise a higher level of care handling the information under their control.

Page 9: Message from the CIO

It’s time for a tune-up!

Today we launch a campaign to tune up our Information Technology (IT) to fully comply with our published security baselines and policies. We do this not only to comply with the audit requirements but to strengthen computing at Fermilab to support our physics mission.

In the coming months every desktop and laptop owned by Fermilab will receive either a physical or virtual visit from a trained system administrator who will check it for full compliance with required baseline configurations. Those who do not need administrative privileges to carry out their job functions will no longer have such privileges. Those who do will maintain administrative privileges and will be retrained in how to ensure that their systems meet requirements. We will incorporate every machine into the automated inventory and patching systems provided for Windows, Linux and Mac systems. We will remove from the network desktops and laptops that are not running an approved OS with a published security baseline. We will take out of service desktops and laptops that are too old to be updated or are running systems that cannot be brought up to standards; or we will fully document the need to run them and put in place compensatory controls (such as isolating them in their own network segment).

Page 11: Timeline

The campaign is expected to last approximately six months, with an intense period of activity from mid-July to mid-October 2009, followed by an ongoing program of work for the remainder of 2009 to ensure that the goals of the campaign are met and that the IT management practices put into place are sustainable.

At that time attention will turn to beginning execution of Information Systems projects that are not part of this campaign but are part of the corrective action plan for the audit findings.

Page 12: Campaign Goals

– Review and update all security baselines and policies (including password and authentication policies).
– Ensure that all computers at Fermilab conform to security baselines and security plans and that all applications are patched.
– Improve the efficiency and consistency of desktop and laptop management, and move towards standards and central management of all systems, with least user privilege granted.
– Ensure that all systems deviating from baselines are assessed and approved (or have corrective action plans), or are detected and responded to.
– Ensure that all sensitive data and PII are in systems protected with moderate-level controls detailed in “major application” security plans, that the people who have access to such data are approved, and that all Lab contracts related to such data are reviewed.
– Tune up and increase training and education on cyber-secure behaviors and on how to recognize and protect sensitive data and PII.
– Tune up and make more rigorous our internal assessments and ST&E (security test and evaluation) of our cyber security program.

Page 13: Strategies to Achieve the Goals

– Consolidate the management of IT under a CIO in order to procure, operate, dispose of and protect IT assets in a more standard, cost-effective and secure manner.
– Enhance the computer security program (which provides the guidelines for operating IT in a secure manner, based on program requirements and assessment/acceptance of a certain level of risk) to increase audit, oversight and training capabilities.
– Create additional IT policies and begin to lay out an enterprise architecture, in order to set requirements and guidance for selecting, procuring and operating IT assets (including software assets).

Page 14: Deliverables

The deliverables are grouped into five areas, each detailed on the following slides:

– Services Management
– Password Policy
– Baseline Security
– Information Security
– Antivirus Alerts

Page 15: Color Key

Status colors for the deliverable items on the following slides (the colors themselves are not preserved in this transcript):

– Completed
– In Progress
– Yet to Start

Page 16: Services Management

– Form a policy committee to write and maintain configuration requirements for Mac and Linux desktops.
– Enforce configuration requirements for all desktop machines.
– Require supervisors to approve employee requests to run non-standard services, such as Web services.

Page 17: Password Policy

– Enforce DOE password complexity requirements in the Windows domain.
– Stop adding new IMAP accounts and begin setting up all new accounts on the Exchange e-mail server.
– Enforce a 10-character minimum for passwords on the IMAP e-mail server.
– Enforce password complexity guidelines for local Windows accounts.
– Migrate laboratory employees’ e-mail accounts from IMAP to the Exchange e-mail server.

Page 18: Baseline Security

– Disable remote access to local accounts with administrative privileges.
– Require supervisors to approve employee requests for local administrative privileges.
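The Password Policy and Baseline Security items above are the kind of thing a system administrator doing the "physical or virtual visit" would check on each Windows machine. The script below is an added example, not code from the slides or from Fermilab: it exports the host's effective local security policy with `secedit`, compares the password settings against a baseline, and reports whether remote logons by local administrator accounts are token-filtered and which enabled local accounts hold administrative rights. The baseline values (a 10-character minimum, borrowed from the slide's IMAP item; complexity on; some password history) are assumptions, since the DOE requirements themselves are not stated on the page; the function names and the `secpol-audit.inf` temp file are mine.

```powershell
# Added example, not from the Fermilab slides: audit one Windows host for the
# local-account password policy and local-administrator items on the "Password
# Policy" and "Baseline Security" slides. The baseline numbers are assumptions
# (the 10-character minimum is borrowed from the slide's IMAP item); DOE's own
# complexity requirements are not stated on the page and are not encoded here.
# Run in an elevated Windows PowerShell 5.1 (or later) session.

function Get-LocalSecurityPolicy {
    # Export the effective local security policy with secedit and parse the
    # [System Access] section (MinimumPasswordLength, PasswordComplexity, ...)
    # into a hashtable of setting name -> value.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $policy
}

function Get-PasswordPolicyCompliance {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [int] $MinimumLength = 10          # assumed baseline, see header comment
    )
    # One result object per check; a missing setting is treated as 0 and fails.
    $checks = @(
        @{ Name = 'MinimumPasswordLength'; Expected = ">= $MinimumLength"
           Pass = ([int]$Policy['MinimumPasswordLength'] -ge $MinimumLength) }
        @{ Name = 'PasswordComplexity';    Expected = '1 (enabled)'
           Pass = ($Policy['PasswordComplexity'] -eq '1') }
        @{ Name = 'PasswordHistorySize';   Expected = '>= 1 (assumed)'
           Pass = ([int]$Policy['PasswordHistorySize'] -ge 1) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = $Policy[$c.Name]
            Expected = $c.Expected
            Pass     = $c.Pass
        }
    }
}

function Get-LocalAdminExposure {
    # UAC remote restrictions: when LocalAccountTokenFilterPolicy is absent or 0,
    # a local (non-domain) administrator logging on over the network receives a
    # filtered, non-administrative token. A value of 1 disables that protection,
    # which is the exposure the slide's "disable remote access to local accounts
    # with administrative privileges" item closes.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item  = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.LocalAccountTokenFilterPolicy } else { $null }

    # Enabled local (non-domain) users in the Administrators group: each one is a
    # case for the slide's supervisor-approval requirement.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { Get-LocalUser -SID $_.SID } |
        Where-Object { $_.Enabled }

    [pscustomobject]@{
        RemoteLocalAdminTokenFiltered = ($null -eq $value -or $value -eq 0)
        EnabledLocalAdmins            = @($localAdmins | Select-Object -ExpandProperty Name)
    }
}

# Usage: a $false in the Pass column, RemoteLocalAdminTokenFiltered = $false, or
# an unexpected name under EnabledLocalAdmins is a deviation to record for review.
$policy = Get-LocalSecurityPolicy
Get-PasswordPolicyCompliance -Policy $policy | Format-Table -AutoSize
Get-LocalAdminExposure | Format-List
```

The `secedit` export reflects the policy in effect for the host's own SAM accounts, which is the slide's "local Windows accounts" item; the domain's password policy (the "Windows domain" item) is read on a domain controller or with the ActiveDirectory module's `Get-ADDefaultDomainPasswordPolicy`. Leaving `LocalAccountTokenFilterPolicy` unset keeps the default filtering; only the built-in Administrator account (RID 500) is exempt from it, which is one more reason to keep that account disabled on desktops.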

Page 19: Information Security

– Review roles and responsibilities associated with the system identified in the review as needing improvement.
– Review the architecture and configuration of the system identified in the review as needing improvement.
– Implement the architectural review recommendations.
– Reduce usage of personally identifiable information.
– Hold basic and advanced trainings for handling personally identifiable information.

Page 20: Antivirus Alerts

– Automate the response procedure for antivirus alerts.
– Create a new policy for the response procedure for antivirus alerts.
– Centralize management of system administrators.

Page 21: Baseline Assessment

As part of the lab-wide Tune IT Up campaign, every employee and visitor at the lab who uses a laptop, desktop or smart phone to connect to the Fermilab network for daily work must fill out an assessment form.

The laboratory is taking this inventory to gather up-to-date information about the laptops, desktops and smart phones used to connect to the Fermilab network. Using this information will allow the laboratory to better support and protect computers and to ensure that systems are appropriately configured. The vulnerability of even one computer can cause a disruption across the entire laboratory.

To date, 1276 users (58% of the Lab’s employees) have completed surveys for 2043 computers.
