Integrated Compliance Management
Formark is currently extending an innovative collaborative certification and accreditation solution delivered to the US Department of Energy to incorporate the Harmonized Threat and Risk Assessment (HTRA) methodology used within the Government of Canada. The enhanced solution, including web-based application registration, risk assessment and C&A process guidance, will provide automated and integrated compliance management support to facilitate and enforce the discipline and rigour of the Certification & Accreditation process.
Government departments have developed detailed process documentation that outlines the deliverables and steps of the C&A process. This process is designed to coordinate with the development life cycle (SDLC) for the IT system being developed or upgraded. In many cases these processes are manual and document-based, which makes them difficult to follow with the required discipline and rigour, given the complexity of the development projects, the large number of possible mandatory security requirements, the volume of required evidence and the large number of process participants. As a result, the following issues can arise:
- Audit Difficulties - significant difficulty responding to IT security audits in a timely manner; no central repository for certification evidence and process compliance
- Projects Can Take Too Long to Manually Comply with Security Policy - the manual certification process sometimes takes too long, delaying the completion and deployment of IT projects
- Duplication of Effort - duplication of effort through the re-creation of certification evidence by each IT project
- No Central Source for Certification Status - difficult to respond to questions on process status, the schedule for re-certification or the meeting of accreditation conditions
- No Security Registry of IT Applications - difficult to prioritize department security compliance work, including certification, based on relative risk
Integrated Compliance Management Framework
Formark has developed and delivered an innovative collaborative certification and accreditation solution to the National Nuclear Security Administration (NNSA) of the US Department of Energy. The solution, the Integrated Certification and Accreditation System (iCAS), has dramatically reduced the cost, time and effort for the NNSA to certify and re-certify that their IT systems are compliant with government security requirements. It has also ensured that this compliance can be successfully audited.
This solution is described in the US Government Case Study.
For more information, download the white paper An Architecture for Collaborative Certification & Accreditation [PDF 433k].
Formark is currently extending the collaborative certification and accreditation solution to incorporate the Harmonized Threat and Risk Assessment (HTRA) methodology used within the Government of Canada. Integrated Compliance Management, the extended C&A solution, will provide integrated risk management support and develop a deep and broad security knowledge base. In addition, greater emphasis is being put on audit capabilities and the re-use and repurposing of certification evidence and other content to increase consistency and dramatically reduce effort. The latest Microsoft technology, including SharePoint 2010 and SQL Server 2008, is being used to provide web 2.0 collaboration support and to give management a department-wide view of C&A requirements, activity and risk.
The Integrated Compliance Management Framework includes the:
- Application Systems Registry (ASR) - Provides the ability to profile the relative security risk for IT systems deployed within government departments. The ASR solution captures the risk elements relating to the criticality, sensitivity and exposure of the IT assets, which are integral to risk assessment. The ASR also provides for the monitoring, supervision and tracking of events for the risk assessment process. With the ASR solution, departments can focus on the risk exposure of critical assets, and proactively identify risk exposure shared across assets within departments. The initial release of the Formark Application Systems Registry solution is scheduled for the 3rd quarter 2010 timeframe.
- Risk Assessment Platform (RAP) - Provides departments the capability to assess their risk and track their compliance with regulatory requirements. RAP is based on the Government of Canada Harmonized Threat and Risk Assessment Methodology (HTRA). It is architected to identify and link the complex relationships between assets, threats and risks, and to develop risk mitigation strategies. These relationships provide the basis of the Government of Canada's Threat and Risk Assessment (TRA) program, a core component of the larger government cyber security program. RAP Version 1.0 allows the user to visually link their assets to related risk assessments to generate a risk exposure profile. With this information, a Statement of Sensitivity document can be automatically generated.
- Certification & Accreditation Module (CAM) - Provides collaborative, roles-based process support to facilitate and enforce the discipline and rigour of the C&A process and reduce the burden of compliance. The process support guides analysts, developers and management through the department's security management process, which supports the development life cycle (SDLC) for the IT system being developed or upgraded. This includes identifying the security requirements; performing the necessary analysis (e.g. PIA, BIA, TRA); collecting, cataloguing and assessing compliance evidence; and compiling the necessary certification documentation and reports. The extent of analysis identified by CAM is geared to the level of risk. The ASR is updated with results from this detailed compliance assessment.
The Integrated Compliance Management solution will provide automated and integrated compliance management support to facilitate and enforce the discipline and rigour of the C&A process in order to:
- Ensure that IT systems are compliant with government security policy, and can be demonstrated to be compliant, and
- Reduce the cost, time and effort to certify and re-certify systems.