Integrated Security Services
Cybercrime, global cyber espionage, and cyberattacks are a real and growing threat to an organization’s mission. The need for Critical Infrastructure Protection (CIP) and Information Assurance (IA) has never been greater. Today’s enterprise architectures require integrated processes to address cyber security as a governance and management concern, as a risk management concern, and as a project management concern at the earliest phases of the IT system development life cycle (SDLC). Cyber security is integral to achieving organizational resilience through the integration of business continuity, operational and technology risk management, compliance, information security and privacy.
Shivoy’s approach to CIP and IA requirements is firmly rooted in National Institute of Standards and Technology (NIST) processes and guidance, including the following publications:
– FIPS 199 (Security Categorization);
– FIPS 200 (Minimum Security Requirements);
– NIST SP 800-30, Revision 1 (Conducting Risk Assessments);
– NIST SP 800-37, Revision 1 (Risk Management Framework, or RMF);
– NIST SP 800-39 (Managing Information Security Risk);
– NIST SP 800-53, Revision 4 (Security and Privacy Controls);
– NIST SP 800-53A, Revision 4 (Assessing Security and Privacy Controls);
– and NIST SP 800-137 (Information Security Continuous Monitoring).
We routinely conduct our IT engagements in accordance with NIST processes and guidance as modified by agency or executive office directives. Major elements of our approach to Security Assessment and Compliance programs include documenting cyber security requirements, generating system security plans, and employing IT Security Assessment and Authorization (SA&A) processes.
Documenting Cyber Security Requirements – To develop the necessary documentation for cyber security requirements, we follow the Risk Management Framework (RMF) of NIST Special Publication 800-37 as a holistic risk management methodology. The six RMF steps below provide defined processes for implementing and documenting your cyber security requirements:
- Categorize Information System(s): All systems operated and maintained will be categorized in accordance with FIPS 199 as low, moderate, or high impact, based on the potential impact to confidentiality, integrity, and availability.
- Select Security Controls: Establish the security control baseline(s) that correspond to the FIPS 199 impact level, in accordance with FIPS 200 and NIST SP 800-53 Revision 4, and tailor them to the system.
- Implement Security Controls: Implement the selected controls, test them, and document their implementation in the system security plan.
- Assess Security Controls: All systems operated and maintained will be assessed at least annually, using the assessment procedures in NIST SP 800-53A Revision 4, to determine whether the controls are implemented correctly and operating as intended.
- Authorize Information System(s): Assessment results, including any plan of action and milestones for identified weaknesses, will be briefed to the Authorizing Official to request an initial or continued Authority to Operate (ATO).
- Monitor Security Controls: All systems operated and maintained will be monitored in full conformance with NIST SP 800-137 and applicable agency directives.