Due Diligence & Due Care

Posted on: Sat, 04/07/2018 - 14:49 By: dusty

Due Diligence and Due Care.  Many have heard of them and most have practiced them.  But few understand what they mean or how they are applied to information security.  Understanding the relevance of these concepts will become important as we move closer to realizing the risk-based approach to security.

Opposite sides of the same coin, the information security world borrowed Due Diligence and Due Care from the legal world to convey the ethical responsibilities surrounding certain events.

Due diligence describes the efforts taken to prepare for a given event while Due Care describes the actions taken after the event.  Due Diligence includes the training, forecasting, and planning in anticipation of a certain event done to protect the interests of the organization’s mission.  Due Care encompasses all the relative actions taken after the event; the execution of plans, cleanups and mitigations, and damage control taken in the interest of the same organization.  Whereas Due Diligence is proactive, Due Care is reactive.

Classified Information Spills

One of the most prolific examples of Due Diligence and Due Care in industrial security is how we prepare for and execute cleanup of classified information spills; government classified data on unclassified Information Systems (IS).  If you’ve been around a while you know it’s not a matter of “if”, but rather a matter of “when”.  Organizations have little to no control of what is sent to them electronically; as a result, they may find themselves on the receiving end of a classified spill and are now responsible, ethically and legally, to clean and protect the classified data on their systems.

Due Diligence in this scenario includes the formulation of Incident Response Plans, and if you have a Risk Management Framework (RMF)-authorized information system, the RMF package will also include a classified information spill cleanup response plan conforming to the requirements outlined under security control  IR-9 in Appendix A of the DSS Assessment and Authorization Process Manual (DAAPM).  Pre-coordination with government customers, obtaining any required checklists to realize their expectation in the event of a spill is also expected.  Training, running drills, ensuring your IT staff is properly resourced and knows how to run overwrite utilities are all included under Due Diligence.

Due Care relative to a classified information spill includes performance and reporting of the associated Administrative Inquiry (AI) within appropriate timelines.  Identification and cleanup of the affected systems is a given at this stage.  Information Owner (IO) coordination and concurrence round out the expectations for Due Care relative to classified information spills.

DUE DILIGENCE

DUE CARE

Develop Incident Response Plan

  • REF: National Institute of Standards and Technology (NIST) Special Publication (SP) 80061v2: Computer Security Incident Handling Guide

GCA Pre-Coordination

  • REF: Security Classification Guides (SCGs), Statement of Work (SOW), Checklists

Source Overwrite Tools

  • REF: National Institute of Standards and Technology (NIST) Special Publication (SP) 80088

Administrative Inquiries (AI)

  • REF: DSS AI Job Aid For Industry

Cleanup

  • REF: DAAPM Appendix I: Classified Spill Cleanup Procedures
  • REF: IOprovided Checklists/Actions

Table 1: Due Diligence & Due Care Actions and References for Classified Information Spills.

Classified Information Systems (IS)

Another common event in the DSS IS security realm is when it comes to obtaining an approved classified IS in the context of the RMF methodology. Receiving an Authorization To Operate (ATO) in Step 5 is the event or dividing point separating your efforts between Due Diligence and Due Care.

Due Diligence in RMF starts with Step 1 (Categorization) and consists of identifying threat events, calculating their likelihood of exploitation and impact, and determining overall risk to the system and information therein .  It also consists of all the control documentation and vulnerability mitigation in RMF Steps 2 (Selecting Controls) & 3 (Implementing Controls).  Finally, we can see all of the testing, validation, and flaw remediation in RMF Step 4 (Assessing Controls) that make up the final portion of Due Diligence before the system is authorized.

Due Care, after the ATO is received, comprises of all the continuous monitoring actions that occur throughout the course of the system’s life.  Periodic audit trail analysis and patch management, as well as configuration management make up the Due Care aspects of an IS.  In the event of a security violation, performing an AI and executing a graduated scale of discipline (as applicable) no individuals found culpable can also be seen as Due Care.  Knowing when a security-relevant change is made that triggers a reauthorization action is another example of Due Care, as is the retention, safeguarding, and/or sanitization of classified information upon the decommissioning of an IS.

DUE DILIGENCE

DUE CARE

Risk Assessments

  • REF: NIST SP 80039 Managing Information Security Risk: Organization, Mission, and Information System View
  • REF: NIST 80030: Guide for Conducting Risk Assessments

System Security Plans

  • REF: DAAPM V1.2 Section 6: RMF SixStep Process
  • REF: NIST 80053v4 Control Implementation, Testing, and Validation
  • SCAP Compliance Checker
  • STIG Viewer

Continuous Monitoring

  • Audit Trail Analysis
  • Patch Management
  • Changes IAW Configuration Management
    • REF: NIST 800-128: Guide for Security-Focused Configuration Management of Information Systems

Violations: Administrative Inquiries

  • REF: DSS AI Job Aid For Industry

Reaccreditations

  • REF: DAAPM

    able 2: Due Diligence & Due Care Actions and References for Classified Information Systems.

    Security Vulnerability Assessments (SVAs)

    Many security programs rely on their Security Vulnerability Assessments (SVAs) as a gauge of effectiveness and opportunities for improvement as feedback from the SVA is incorporated into business practices.

    Due Diligence for SVAs include all the training (received and given), self-inspections, and adherence to established Standard Operating Procedures (SOPs), baselines, and plans.  Adherence to reporting and safeguarding requirements both demonstrate how you’ve implemented an effective security program prior to the SVA.  Retention of artifacts from other Due Care efforts also fall under the Due Diligence and preparedness aspect of SVAs.

    Due Care for SVAs includes appropriate mitigation of identified vulnerabilities, the development of realistic plans of action, lessons learned, and process improvement that all feed back into Due Diligence cycle for the next SVA.

    DUE DILIGENCE

    DUE CARE

     

    Training

    Self-Inspections

    • DSS SelfInspection Handbook

    SOPs, Security Baselines, & Tailored Security Plans

     

     

    Plan Of Action and Milestones (POA&M)

    Vulnerability Closure

    Vulnerability Follow up

    Lessons Learned

    Continuous Evaluation

     

    Table 3: Due Diligence & Due Care Actions and References for Security Vulnerability Assessments.

    The Economics of Due Diligence & Due Care

    “An ounce of prevention is worth a pound of cure.” ~Benjamin Franklin

    As we move forward into risk-based security, the risk assessment becomes all too important to our efforts.  Whether it’s the RMF-required Risk Assessment Report (RAR) or the DSS in Transition (DiT) Security Baseline transforming into a Tailored Security Plan, risk assessments drive the tailored controls that prepare us and encompass our Due Diligence efforts.  Risk Assessments have us identifying critical assets, threats to those assets along with their likelihood of exploitation and impact, then formulating risk mitigations as appropriate.  Plans to implement mitigations are then prioritized based on importance to the organization and mission.

    There is indeed a challenge inherent to obtaining adequate resources for security functions; especially those Due Diligence functions that prepare for things that may or may not happen.  Too many times, the security staff is in the shark tank competing for resources by stomping their boots shouting about the potential blood on the floor.  Senior leadership only sees the boy who cried wolf; always pointing to a “what if” scenario that may or may not materialize.  This is how security programs get under-resourced, writher, and die.  The solution to this challenge is to speak in a language senior leadership can understand; translate your needs in terms of resources such as dollars and cents.  Instead of qualitative risk assessments, try using quantitative figures to secure those precious security resources.

    There is plenty of open source data for many of the everyday activities we perform; the man-hours for a specific task like server cleanup, the cost associated with destroying backup tapes, etc.  For those that have performed these tasks before, we should be able to put a realistic value on the tasks in terms of resources required should such-and-such happen (e.g., overwrite software ($30) + 4 man/hours to clean and document cleanup actions ($240) = $270 for the ISSM to clean a system plus the opportunity cost of…).  We should also be able to calculate the cost of not preparing (e.g., loss of this server jeopardizes our ability to perform on this $1.5 million contract…).  As the security staff becomes more experienced, they should be able to calculate more and more realistic costs of resources corresponding to given threats and mitigations.

    When we can equate what we do for Due Diligence and Due Care in terms of dollars and cents, senior leaders tend to be more willing to resource adequately to protect their assets.  Where an appropriate amount of Due Diligence is practiced before an event, Due Care may simply be the execution of the plans previously approved and resourced (and if done efficiently, reduce costs).  In the event no Due Diligence is performed, the cost of Due Care could be catastrophic.  Knowing this ahead of time, most senior leaders would rather practice an ample amount of Due Diligence.

    Summary

    Due diligence is what you do before the fact, it’s how you prepare for what you anticipate.  Due Care is how you execute after the fact, what degree of completion you will attain to contain or put closure on whatever happened.  In the world of information security, we have both ethical and legal obligations to perform both Due Diligence and Due Care.  We face a myriad of challenges every day in the shape of known (e.g., SVAs, RMF) and unknown (e.g., classified information spills) events.  If adequate Due Diligence and Due Care can be leveraged for these events, we minimize interruptions, deliver more confidently, and execute a little more effectively than if not.