ebook img

DTIC ADA571137: Redefining Information Assurance Compliance PDF

0.3 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview DTIC ADA571137: Redefining Information Assurance Compliance

By LTC Christopher Quick Cyberspace has and will continue changing the way we all conduct our Profession of Arms. This applies to everyone--the Infantryman, the Signaler, the intelligence analyst and the com- mander in the field. Global connectivity and the speed at which information is transmitted around the earth have fundamentally altered our world, and we cannot go back to how things were. Technology continues evolv- Global connectivity and the speed ing to meet today’s threats while simultaneously building toward at which information is transmitted the future. Our task is to under- around the earth have fundamentally stand the dynamics driving this rapid change and stay ahead of altered our world, and we cannot go the malefactors loitering in the back to how things were. shadows and acting to impede our progress. The keys to information as- trying to improperly access our ship understanding and involve- surance are understanding and enterprise with nefarious intent. ment in actively implementing mitigating risks. Trend analysis indicates the required IA implementations. We can accomplish this by number and sophistication of In addition, the command implementing standards, correct- attempts to exploit our networks has worked to reduce the fre- ing deficiencies, and enforcing will continue to increase and quency and systemic causes of modes of user behavior, current- mature. We must anticipate the costly IA compliance failures, ly known as compliance. The evolution of these threats. Ev- such as unauthorized disclosures discipline and standards bedrock ery time we enter the network, of classified information (UDCI, undergirding our Army must be regardless of where we are, we formerly known as “spillage”). carried forward into the cyber- are in a contested environment in In all, operational emphasis on space domain. which we must fight to maintain Information Assurance com- Compliance in Information our freedom to operate. pliance has led to tangible im- Assurance is one of Army Cyber Since its creation, Army provements in security and user Command’s most pressing and Cyber Command has actively fo- awareness. Much, however, is important mission imperatives. cused on operationalizing Com- still required of Army Cyber It is a multi-dimensional term puter Network Operations. IA Command, the cyberspace com- subject to wide interpretation in compliance is a key part of this munity of interest, and Army its application. process. leadership to mitigate risk and Driving this vital imperative However, there are unique deny adversaries access to the are cyberspace threats that are challenges in doing so, includ- Army’s sensitive information. real, growing, sophisticated, and ing the volume of IA threats evolving. As we work to take and vulnerabilities, the escalat- Why Information Assurance full advantage of cyberspace’s ing pace and sophistication of Compliance? potential, we must recognize emerging threats, the distributed The better question to ask existing and future threats and and dispersed state of current is why compliance with Army appreciate their ability to prevent Army networks, a general lack of orders and directives? The pri- us from operating freely. Threats security training and awareness, mary reason for enforcing include a wide set of actors with and a traditional lack of leader- digital devices or computers (Continued on page 38) Army Communicator 37 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2012 2. REPORT TYPE 00-00-2012 to 00-00-2012 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Redefining Information Assurance compliance 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION U.S. Army Signal Center of Excellence,Army Communicator,Signal REPORT NUMBER Towers (Building 29808), Room 713,Fort Gordon,GA,30905-5301 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE Same as 3 unclassified unclassified unclassified Report (SAR) Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 (Continued from page 37) ing with orders and directives is not voluntary. As with any Army operation or task, orders and direc- Army-wide standards and user norms is the need tives must be followed. Just as with any mission or for a strong defense. Protecting information and operation, failure to accomplish assigned tasks can guaranteeing transportation through cyberspace is jeopardize the overall mission. This is critically essential to how our Army fights. important in cyberspace operations because cyber The ability to operate when degraded or dis- enables mission command. rupted provides significant advantages to the side that can gain, protect, and exploit advantages in What is Army Cyber Command doing? the contested cyberspace domain. The advantage Army Cyber Command is actively moving will go to whoever best mitigates the loss of intel- forward with operationalizing IA compliance by lectual capital and reduces the number of vulner- regimenting the orders process and helping com- abilities. manders mitigate risk by prioritizing vulnerability In some cases improved defense results di- remediation to address the most critical enterprise rectly from short term actions taken to diminish vulnerabilities first. This process allows field com- known threats, such as the application of a vendor manders to see risks in operational terms so they patch. In other cases, improved defense results can understand impacts to their units and take ac- from the gradual implementation of enterprise- tion based on operational needs. wide applications that move the LandWarNet Consider the case of the UDCIs described (the Army’s network) toward a more uniform and above. Since reaching a monthly high in Febru- interoperable network. ary 2011, poor user behavior has declined 50% For example, migrating to a common Win- to the end of October 2011. Command emphasis dows platform or synchronizing the tuning of Host and outreach reduced the frequency and severity Based Security System may not give the immedi- of these events; more work, however, is required. ate appearance of defense; but these important Commanders at all levels have come together with actions promote a more automated and thus more a common sense of urgency to correct the problem. responsive network. Without these common con- Where orders implementation is concerned, figurations, the network cannot effectively feed the one process in particular is putting a fine point on emerging common operational pictures, such as compliance. Dubbed the IT asset management or “High Risk Vulnerability continuous monitoring. List,” this new breed of We can neither afford order identifies the most the loss of critical infor- widespread and potentially mation, nor afford the debilitating vulnerabilities cost of remediation. A in the Army and mandates clear example of this is in they be addressed im- the area of UDCI, where mediately. Their status an entirely avoidable act is reviewed weekly, with can result in a sizeable focus on a manageable set remediation price tag for of vulnerabilities versus the unit involved. This the full continuum of active year remediation costs vendor patches. Anecdotal exceeded $700,000. That responses from the field is unacceptable. A new breed of order identifies the most widespread have been positive, as this Most important, and potentially debilitating vulnerabilities in the “High Risk” order estab- however, is that comply- Army and mandates they be addressed immediately. 38 Fall - 2012 lishes a common priority of effort thorough follow up of any signif- and the mindset within the Army based on command direction. icant findings through sustained so compliance becomes second Cyberspace operations or- contact with the affected organi- nature. ders also work well in high pro- zations. As in any defense, adver- file cases where the Army must In addition to influencing saries will find and exploit our act immediately and decisively assessments and their results, weakness. To counter this we in the face of emerging threats. Army Cyber Command wants must treat compliance like a On the heels of the Wikileaks in- to improve the integrity of its weapon system and be ready cident in late 2010, for example, IA compliance reports and to defend and protect against a Army Cyber Command issued statistics, both through manual threat that is real, growing and the single codifying order that and automated means. Today, evolving. In the end, compliance aligned all mitigation actions; compliance reporting is largely with orders and directives in units subsequently reported full done through semi-automated IA is no different than with any compliance within weeks of the methods (e.g., machine scanning Army operation, task, or direc- release of the order. This single with “stubby pencil” analysis), tive. Leaders actively engage to recognized orders process con- but command emphasis is now ensure mission accomplishment, tinues to pay dividends across a on a fully automated reporting no matter the operational do- broad range of deliberate actions, structure. With the enterprise main. Maintaining the freedom from Enterprise E-mail to the tools now available to perform to operate in cyberspace is ev- patching and scanning of Army these scanning and reporting eryone’s business. Army Cyber systems. functions, it makes little sense to Command is committed to sup- Army Cyber Command has wait for the “ultimate” reporting porting commands and enabling also established a recurring com- structure. Rather, Army Cyber mission command. mand forum for the assessment Command is reaching aggres- of other compliance indicators. sively for the “low hanging LTC Christopher R. Quick is The monthly Cyberspace Opera- fruit,” things that can be lever- currently the Director of Strategic tions Readiness Report brings all aged today. Communications for the U.S. Army components together to discuss Cyber Command / Second Army at the status of orders implemen- The Way Ahead Fort Belvoir, Va. His assignments tation, cyber security training, Standards must be clear and include Fire Support Officer, Bat- “High Risk” vulnerability imple- enforced. Discipline is a mili- tery Executive Officer, Brigade mentation, and the results of tary hallmark and we must be Assistant Operations Officer, and external inspection. as disciplined on our network as Brigade Fire Direction Officer. It is this last compliance ele- we are with our weapon sys- He commanded a Battery with 1st ment where Army Cyber Com- tems. By making IA compliance Battalion, 17th Field Artillery. He mand stands poised to make a a commander’s priority exercised served in the 41st Signal Battalion, fundamental difference. For too through educated users who un- 1st Signal Brigade as a Battalion long the Army’s information se- derstand their role in the defense Automations Officer. LTC Quick curity inspections have been “fire of the network, we will better served as Brigade Information Oper- and forget” events that might promote a strong defense of our ations Officer with the 2nd Brigade, have received attention early on, networks. 101st Airborne, where he served a but then faded into obscurity The continued cultivation tour in Iraq. He has served on the soon afterward. Army Cyber of an environment where the Army Staff within the Army G3/5/7 Command has taken the lead role standard is strong compliance, in DAMO-ODI and served on the in de-conflicting the numerous the protection of information, Army Cyber Task Forces as the lead IA inspections pending at any and the guaranteed transport of action officer for the development given time by various organiza- information through cyberspace of Army Cyber Command. LTC tions (e.g., Defense Information will make serious and lasting im- Quick holds a B.S. degree from Park Systems Agency, Command provements for the security and University in Kansas City, Mo. Cyber Readiness Inspections, efficiency of Army networks. and an M.S in Computer Science Inspector General, and Army While resourcing and tech- and another in Information Opera- G3), and is aligning the full nical constraints deter rapid, tions from the Naval Post Graduate Army audience to a concise list uniform compliance, Army School in Monterey, Calif. of candidate sites. Army Cyber Cyber Command will continue Command will also ensure the to push to change the conditions Army Communicator 39

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.