- CMMI Institute
Transcription
Improving Security and Resilience Capability of Postal and Transportation Products and Services

Gregory Crabb, U.S. Postal Inspection Service
Julia H. Allen, Pamela D. Curtis, Dr. Nader Mehravari, Software Engineering Institute, Carnegie Mellon University

Notices

Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by USPS under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].

Capability Maturity Model®, Carnegie Mellon®, CERT®, CMM® and CMMI® are registered marks of Carnegie Mellon University. SCAMPI(SM)

DM-0002224
© 2015 Carnegie Mellon University

Outline
• Nomenclature
• Players
• Challenges
• Objectives of the Collaboration
• Tools in the Toolbox
• Three Success Stories – Real Life Case Studies
  1. Assessing Organizational Capability – Physical Security
  2. Creating Organizational Capability – Export Compliance Screening
  3. Assessing Organizational Capability – Express Mail
• Lessons Learned
• Pointers to More Details

Nomenclature (Security & Resilience)

Security
Protection of assets:
• People
• Information
• Technology
• Facilities
• Supply chain
Sample requirements:
• Confidentiality
• Integrity
• Custody
• Sanctity
• Safety
Activities to keep assets from harm; managing the condition of risk; ensuring assets can enable the business mission.

Resilience
An entity under operational stress, while achieving its business mission.

Players

CMU – SEI – CERT Division
Software Engineering Institute (SEI)
• Federally funded research and development center based at Carnegie Mellon University
• Basic and applied research in partnership with government and private organizations
• Helps organizations improve development, operation, and management of software-intensive and networked systems
CERT Division – Anticipating and solving our nation’s cybersecurity challenges
• Largest technical program at SEI
• Focused on internet security, digital investigation, secure systems, insider threat, operational resilience, vulnerability analysis, network situational awareness, and coordinated response

Cyber Risk and Resilience Management Team
Engaged in:
• Applied research
• Education & training
• Putting into practice
• Enabling our federal, state, and commercial partners
In areas dealing with:
• Maturity models
• Operational resilience
• Resilience management
• Operational risk management
• Cybersecurity maturity models
• Integration of cybersecurity, business continuity, & disaster recovery

U.S. Postal Service (USPS)
Delivers more mail to more addresses in a larger geographical area than any other post in the world.
• 40% of the world’s mail volume handled by USPS
• Over 600,000 employees
• Over 200,000 vehicles
• Over $67 billion annual revenue

U.S. Postal Inspection Service (USPIS)
The law enforcement arm of the U.S. Postal Service (USPS). The oldest origins of any federal law enforcement agency in the United States, dating back to 1772.
USPIS responsibilities include:
• Ensure safety of mail system from dangerous and illegal use
• Ensure safety of USPS employees and customers
• Protection of mail infrastructure
• Managing risk to revenue

Challenges

Stress on Postal and Transportation Sectors (figure)

Operational Stress – White Powder Incidents (figure)

Operational Stress – Fraudulent Postage
• Short pay
• Reused
• Photoshopped
• Counterfeit
• Photocopied

Operational Stress – Natural Disasters (figure)

Operational Stress – Dangerous Goods (figure)

Operational Stress – Illegal Goods (figure)

Operational Stress – Terrorism (figure)

Operational Stress – Transportation Disruption (figure)

Objectives of the Collaboration

Objectives of Collaboration
Improving the operational capability and processes associated with USPIS’s responsibilities while operating in an ever dynamic risk environment:
• Ensure safety of mail system from dangerous and illegal use
• Ensure safety of USPS employees and customers
• Protection of mail infrastructure
• Managing risk to revenue
Improving the Security and Resilience Capability of Selected United States Postal Service (USPS) Products and Services

Tools in the Toolbox

Tools in the Toolbox
• SCAMPI-Like Methods
• CERT-RMM Body of Knowledge
• Subject Matter Expertise
  • Cybersecurity
  • Risk Management
  • IT Operations
  • Business Continuity
  • Disaster Recovery
• Process Improvement

Three Success Stories
1. Assessing Organizational Capability – Physical Security
2. Creating Organizational Capability – Export Compliance Screening
3. Assessing Organizational Capability – Express Mail

Lightweight Assessment Instrument
Assessing Organizational Capability – Physical Security

Objective
Development of a simple and lightweight assessment method and associated field instrument to identify gaps in the physical security of international mail processing centers and similar shipping and transportation processing facilities against UPU physical security standards.

Approach (flow)
UPU Security Standards S58 and S59
-> Normalization & Annotation
-> Reformatted UPU Standards that Look Like Process Areas, Goals, & Practices
-> Lightweight Questionnaire-Based Gap Identification and Assessment Methodology and Field Instrument
Evaluation Method Derived from SCAMPI Methodology

Three Phases of Assessment
Preparation:
• Scheduling
• Pre-assessment questionnaire
• Initial site visit
• Logistics
• Other paperwork
  - Interpreter
  - Access
  - Camera permission
  - Prepare paper-based instrument
Onsite:
• Interviews
• Observations
  - Inspections
  - Document reviews
• Characterizations
• Ratings
• Preliminary findings
Wrap-up:
• Report production
• Report delivery
• Follow-up items
• Method and standard improvement requests

Stages of Assessment (flow)
Subsection Characterization: Fully Implemented / Largely Implemented / Partially Implemented / Not Implemented / Not Applicable
-> Section Rating: Satisfied / Not Satisfied / Not Applicable
-> Overall Compliance Determination

Example Output
Summary assessment output will be in “heat map” form as shown here.
Subsections are scored using defined rules and a 5-point scale: Fully, Largely, Partially, or Not Implemented, or Not Applicable.
Sections are scored using defined rules and a 3-point scale: Satisfied, Not Satisfied, or Not Applicable.

Summary Results (chart; legend: Compliant, Not Applicable, Non-Compliant; values shown: 1, 8, 16)

Benefits
Repeatable: The method can be used consistently by different independent teams in the same situation to acquire the same results.
Cost effective and scalable: The method is economical and functional for all locations, regardless of size or capability.
Accurate: The method is evidence-based and derived from international standards so that results can be relied upon by the international community (e.g., UPU, International Civil Aviation Organization, International Air Transport Association, Transportation Security Administration, and World Customs Organization).
Meaningful: The method generates results that can easily be acted on by owners and operators of the assessed processing facilities.
Transparent: The method is publicly available and can be used for self-assessment.

Creating Organizational Capability – Export Compliance Screening

Challenge
On a weekly basis, the U.S. Postal Service (USPS) processes over one million packages destined to overseas locations. All international shipments being sent from the United States are subject to federal export laws. Export compliance screening procedures are expensive and time consuming, and can negatively affect the efficiency of international mail delivery services.

Objectives
Reduce the incidence of mail shipments violating export control laws, regulations, and standards.
Evaluate current processes and systems and identify actions required to improve overall efficiency, effectiveness, and accuracy:
• Reducing delays in processing outbound parcels.
• Reducing excess labor costs and improving the efficiency of resources used.

Approach
Use CERT-RMM to:
• Identify required or desired organizational functions (one or more process areas)
• Determine how to implement chosen functions (based on specific goals and specific practices)

RMM Process Areas
AM Access Management
ADM Asset Definition and Management
COMM Communications
COMP Compliance
CTRL Controls Management
EF Enterprise Focus
EC Environmental Control
EXD External Dependencies
FM Financial Resource Management
HRM Human Resource Management
ID Identity Management
IMC Incident Management & Control
KIM Knowledge & Information Mgmt
MA Measurement and Analysis
MON Monitoring
OPF Organizational Process Focus
OPD Organizational Process Definition
OTA Organizational Training & Awareness
PM People Management
RRD Resiliency Requirements Development
RRM Resiliency Requirements Management
RTSE Resilient Technical Solution Engr.
RISK Risk Management
SC Service Continuity
TM Technology Management
VAR Vulnerability Analysis & Resolution

Organizational Functions (Functional Area -> CERT-RMM Process Area(s))
Human Resources -> HRM Human Resource Management
Compliance Screening -> COMP Compliance; CTRL Controls Management; MON Monitoring
Physical Controls and Mail Security -> EC Environmental Control
Communications -> COMM Communications
Information Management -> MA Measurement and Analysis
Training -> OTA Organizational Training and Awareness
Incident Management -> IMC Incident Management and Control
Measurement and Monitoring -> MA Measurement and Analysis; MON Monitoring

Implementing Each Function
Example: Compliance Screening
• COMP:SG1.SP1 Establish a Compliance Plan
• COMP:SG1.SP2 Establish a Compliance Program
• COMP:SG1.SP3 Establish Compliance Guidelines and Standards
• COMP:SG2.SP1 Identify Compliance Obligations
• COMP:SG2.SP3 Establish Ownership for Meeting Obligations
• COMP:SG3.SP1 Collect and Validate Compliance Data

Field Implementation (diagram)
Post Office / Processing & Distribution Center (P&DC): Induct Outbound International Mail & Packages
-> Intermediate Processing Centers
-> International Service Center (ISC): Review & Screening; Dispatch Outbound International Mail & Packages
Legend: Flow of Electronic Data About Packages; Physical Package Movement

Benefits
• There has been a reduction in delays associated with processing outbound parcels.
• There is increased efficiency in how staff and technology resources are used.
• There is increased accuracy in how parcels that require export screening are identified.
• There is reduced risk of dispatching parcels that violate export control laws and/or that may be of interest to fellow law enforcement agencies.

Assessing Organizational Capability – Express Mail Products and Services

CERT-RMM Focus on Assets
• People
• Facilities
• Technology
• Information
• Supply Chain / Raw Material

When Expanded for Postal Sector
• People
• Facilities
• Technology
• Information
• Mailpieces
• Supply Chain / Raw Material

CERT-RMM with Mail-Specific Extension
AM Access Management
ADM Asset Definition and Management
COMM Communications
COMP Compliance
CTRL Controls Management
DMT Domestic Mail Transportation*
EF Enterprise Focus
EC Environmental Control
EXD External Dependencies
FM Financial Resource Management
HRM Human Resource Management
ID Identity Management
IMC Incident Management & Control
IMT International Mail Transportation*
KIM Knowledge & Information Mgmt
MA Measurement and Analysis
MD Mail Delivery*
MI Mail Induction*
MON Monitoring
MRA Mail Revenue Assurance*
OPF Organizational Process Focus
OPD Organizational Process Definition
OTA Organizational Training & Awareness
PM People Management
RRD Resiliency Requirements Development
RRM Resiliency Requirements Management
RTSE Resilient Technical Solution Engr.
RISK Risk Management
SC Service Continuity
TM Technology Management
VAR Vulnerability Analysis & Resolution
* Indicates mail-specific process areas

Approach (diagram)
CERT-RMM with Mail-Specific Extensions
• Class C Appraisal in Discovery Mode (conducted once) -> Headquarters and Enterprise-Wide Recommendations
• Lightweight Questionnaire-Based Assessment Instrument Development -> Deployment of Assessment Instrument into the Field -> Recommendations per Local Facility (conducted many times)
Evaluation Method Derived from SCAMPI Methodology
Appraisal Outcomes -> Improved Express Mail Products and Services

Lessons Learned

Lessons Learned
• The tools and techniques are flexible enough to be applicable to a wide range of domains and applications
• Foundational elements can be expanded/tailored to arrive at domain-specific tools and techniques
• Structured process improvement concepts have become a component of many new projects

More Details
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=77277
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=77265
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=433528
Point of Contact: Dr. Nader Mehravari, Cyber Risk and Resilience Management Team, Software Engineering Institute, Carnegie Mellon University, [email protected], 607-379-9556, http://www.cert.org/resilience/

Thank you for your attention…