ASSET: SECURITY ASSESSMENT TOOL FOR FEDERAL AGENCIES

Elizabeth B. Lennon, Editor
Information Technology Laboratory
National Institute of Standards and Technology

Based on the Federal IT Security Assessment Framework, ITL's governmentwide information security assessment tool, the Automated Security Self-Evaluation Tool (ASSET), assists federal agencies in improving the security of their information systems and resources. ASSET automates the completion of ITL's security questionnaire, which was published in NIST Special Publication (SP) 800-26, Security Self-Assessment Guide for Information Technology Systems, by Marianne Swanson. Guidance from the Office of Management and Budget directs federal agencies to use this document as the basis for conducting their annual reviews under the Federal Information Security Management Act (FISMA). Through interpretation of the questionnaire results, users are able to assess the IT security posture of any number of systems within their organization and, in particular, assess the status of the organization's security program plan. This ITL Bulletin describes the features and capabilities of ASSET, which is freely available at http://csrc.nist.gov/asset.

The Assessment Process

The Federal IT Security Assessment Framework identifies five levels of IT security program effectiveness. Each level contains criteria for determining whether the level is adequately implemented. Once the degree of sensitivity of the information has been established, the asset owner determines whether the measurement criteria are being met. Benefits of the framework include identifying a standard way of performing self-assessments and providing flexibility in assessments based on the size and complexity of the asset.

Assessment refers to the entire process of collecting and analyzing system data. The assessment process involves three steps:

- Data collection – the process of gathering and entering system data
- Reporting – creating aggregate data so that it can be analyzed
- Analysis – the process of understanding, evaluating, and making judgments upon a set of system data

ASSET supports the assessment process by facilitating the data collection and reporting steps. It is important to note that ASSET can be used to assess one or more systems or an entire security program in terms of the five levels of IT security program effectiveness established by the framework.

Roles and Responsibilities

Within the assessment process, roles and responsibilities need to be clearly defined.

The manager is the individual(s) with primary responsibility for the assessment. This individual is responsible for analysis of the results. The manager is often the CIO or a program official within the organization.

The reporter is responsible for importing data from multiple systems into ASSET. This individual must fully understand the deployment, installation, and execution of ASSET. The reporter ensures that all questions are answered for all systems and aggregates results from all systems within an agency or enterprise. The reporter also generates all reports.

The collector ensures that all questions are answered for each system under the collector's review. This individual(s) interacts with the subject matter expert to gather system information and clarifies data as necessary. The collector enters individual system data into ASSET. A typical assessment will have multiple collectors and one reporter.

The subject matter expert (SME) must be knowledgeable about the system or topic areas (e.g., physical security) being assessed. This individual provides specific responses to assessment questions. The subject matter expert interacts with the collector on an as-needed basis.

ASSET Scope

ASSET assists in gathering data and reporting results for IT systems.
It is a stand-alone Java-based software application, which requires that users be responsible for the security of the data (host-based security). ASSET is not a web-based (client/server) application. It does not establish new security requirements, analyze report results, or assess system or program risk.

ASSET Architecture

ASSET is comprised of two separate host-based applications: ASSET-System and ASSET-Manager.

ASSET-System:

- Provides for data entry and storage of individual system data;
- Generates single-system summary reports for the user who completes the questionnaire, providing an immediate picture of single-system assessment results; and
- Tracks all collectors and SMEs who provide answers to ASSET questions.

Within ASSET-System, the questionnaire is presented in a progressive format, allowing users to move backward and forward in the questionnaire at their discretion. ASSET-System allows users to return to the assessment of a particular system by saving the prior status of the assessment. Once the assessment is completed, a user can locally generate summary reports of individual systems, giving an immediate picture of the assessment results. Reports can be exported to any popular spreadsheet or charting program. Reports provide:

- A summary of topic areas by levels of effectiveness;
- A list of N/A questions;
- A list of risk-based decisions; and
- A system summary.

ASSET-Manager provides the ability to sort and summarize the questionnaire results for all systems assessed and to display the results through several formatted reports or through an export capability.

ASSET-Manager:

- Aggregates data from multiple systems so that agency-wide reports can be developed; and
- Tracks all collectors and SMEs who provide answers to ASSET questions.

ASSET-Manager is intended to generate reports, exportable to any spreadsheet application, that are interpreted by the managers who request an assessment. Reports provide:

- A summary of all systems;
- A summary of system types;
- A summary by system sensitivities; and
- A summary by organization.

ASSET Installation

Minimum System Requirements

- Hardware – Pentium II 266 MHz processor
- Operating systems – designed to operate on all Windows 9X operating systems; initial operating capability on Windows 2000 Professional
- Memory requirements – 120 MB free space

Following Windows conventions, the ASSET installation wizard guides the user through the installation process.

ASSET Information Security Considerations

Agencies should determine data and report sensitivity, and are responsible for data protection. ASSET does not provide any security for data, such as encryption, while the data is stored or in transit. Application-based security is not provided for data transmitted between the data collector and the reporter. Since it uses the Microsoft SQL Server Desktop Engine (MSDE), ASSET has the vulnerabilities of MSDE. Users should mitigate these vulnerabilities before using ASSET. Finally, as a best practice for all assessments, ASSET-System should be uninstalled after an assessment is completed.

Access controls are provided by operating system login requirements. New ASSET user accounts are created when ASSET is installed. Login consists of a user name and e-mail address. No password protection is provided for accessing the application or its data.

Since data collection efforts represent a substantial expenditure of labor, agencies should determine and implement an appropriate backup strategy. ASSET saves the current file at specified intervals but does not provide automated backup of data.

Conclusion

ASSET-System and ASSET-Manager work together to assist agencies in collecting and reporting IT security self-assessment data. Federal agencies are now utilizing the ASSET software tool to automate the collection of system data and the creation of reports in conducting annual reviews to satisfy the requirements of FISMA.
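Because ASSET itself provides no protection for the data handed from a collector to the reporter (see the security considerations above), one compensating control is for the collector to issue a keyed manifest over the exported files and for the reporter to verify it before importing. The script below is an added example, not part of the original bulletin or of the ASSET software; the file name, the CSV contents and the shared key are constructed, and nothing about ASSET's real export format is assumed.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample export; ASSET's real export format is not assumed here.
SAMPLE_EXPORT = b"system,topic_area,level\nPayroll,Physical Security,3\n"

def sha256_file(path):
    """Hex SHA-256 of a file."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(paths, key):
    """Collector side: digest each file, then HMAC the list so any change is detected."""
    entries = [{"name": os.path.basename(p), "size": os.path.getsize(p),
                "sha256": sha256_file(p)} for p in sorted(paths)]
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_manifest(manifest, key, base_dir):
    """Reporter side: check the HMAC, then each file; an empty list means safe to import."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest HMAC mismatch (wrong key or tampered manifest)"]
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(base_dir, entry["name"])
        if not os.path.exists(path):
            problems.append("missing file: " + entry["name"])
        elif (os.path.getsize(path) != entry["size"]
              or sha256_file(path) != entry["sha256"]):
            problems.append("content changed: " + entry["name"])
    return problems

def demo(tamper=False, wrong_key=False):
    """Round trip through a temp directory; returns the reporter's findings."""
    key = b"constructed-shared-key-exchanged-out-of-band"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "asset_export.csv")
        with open(path, "wb") as f:
            f.write(SAMPLE_EXPORT)
        manifest = build_manifest([path], key)
        if tamper:  # simulate a row altered while the file was in transit
            with open(path, "ab") as f:
                f.write(b"Payroll,Physical Security,5\n")
        return verify_manifest(manifest, b"other-key" if wrong_key else key, d)
```

This gives the reporter integrity and origin assurance only; confidentiality of the export still has to come from the transport or media the agency chooses.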
In testimony given on November 19, 2002, before the Congressional Committee on Government Reform, the Associate Director for Information Technology and Electronic Government, Office of Management and Budget, described eight achievements that had improved the federal government's IT security in 2002. One of these achievements was ITL's development of ASSET.

The ASSET software and all documentation, including NIST SP 800-26, are available at http://csrc.nist.gov/asset.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST, nor does it imply that the products mentioned are necessarily the best available for the purpose.