Enterprise Security Management Protection Profiles: An Implementation Plan Brickman, J CA Inc., Framingham, MA USA Winterton, E Booz | Allen | Hamilton Linthicum, MD USA At the 9th ICCC, Eric Winterton and I presented a proposal to create a family of Protection Profiles (PP) covering Enterprise Security Management (ESM). Our proposal called for starting with a base PP using minimal requirements and building upon those functions for more complex functionality. We would use some existing PP’s and Security Targets as templates. The ultimate plan was to create a new family of PP’s for ESM. They would cover multiple Evaluation Assurance Levels for various needs of customers and vendors. We have built a working group consisting of Booz Allen, most of the vendors who have ESM products, as well as full NIAP support. In this talk Mr. Brickman and Mr. Winterton will take the proposal down to the next level. We’ll walk through the various product types and their functions. We’ll describe the authoring and vetting process as well as the roll-out plan. Finally we will tie this proposal into NIAP’s strategy going forward. This new family of Protection Profiles would be used throughout industry including the U.S. Government DoD, IC, and Civil U.S. Markets. An outline of the process and strategy for collaboration with interested customer nations, and vendors to create these Protection Profiles will be provided. Booz Allen Hamilton, and the ESM vendor community are committed to devoting resources to make this proposed effort a success. Organization: CA & Booz Allen Hamilton BIO (1): Eric Winterton, CISSP, has over 21 years of direct experience in information assurance systems, security engineering, and security product testing. Mr. Winterton has been performing IA product assessments for the past 11 years and has performed as the Common Criteria Technical Director for the Booz Allen Hamilton CC lab for the past 5 years. He holds an undergraduate degree in computer science and a Master's Degree from Johns Hopkins University. BIO (2): Joshua Brickman, Federal Certifications Program Manager at CA Inc, has led his company through the successful evaluation of Seven products through NIAP’s scheme of Common Criteria over the last three years. Prior to CA, Mr. Brickman worked in Program and Project Management at several software companies including PeopleSoft and Ceridian. He holds an undergraduate degree from Emerson College and a Masters in Management from Lesley College. Title of Paper: Enterprise Management Solutions Protection Profiles: An Implementation Plan

1. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
Enterprise Security Management
Protection Profiles:
An Implementation Plan
September 2009
Eric Winterton, Booz | Allen| Hamilton
Joshua Brickman, CA Inc.

2. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
2
Agenda
- Review
- Enterprise Security Management—what are
these products?
-Categories
-Methodology
- Schedule
- Communication Plan
- Risks/Beta/Roll-out
- How can you get involved (Participants)

3. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
3
How did we got here?
-2008 Proposal (Winterton/Brickman)
-Approach
-Consensus
-All Participating Countries

4. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
Enterprise Security Management
4
Standardized
logging
Compliance
&
configuration
Identity
Management
Monitoring
&
response
Policy/Access

5. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
What Products Make Up ESM?
CA Identity
Manager
CA GRC Manager CA Siteminder CA Auditor for z/OS CA Enterprise Log
Manager
SC Operations
Manager, SC
Configuration
Manager & SC VMM
SC Operations
Manager, SC
Configuration
Manager, SC
Essentials
SC Operations
Manager &
SC Essentials
SC Operations
Manager*
Symantec Alteris Symantec CCS/FTK Symantec Alteris Symantec SSIM Symantec Alteris
EMC RSA Access
Manager
EMC RSA Envision EMC RSA Envision
Oracle Identity
Manager
Oracle Enterprise
Manager
Oracle Access
Manager
Oracle Audit Vault Oracle Audit Vault
IBM Tivoli Identity
Manager
IBM Tivoli
Compliance Insight
Manager (TCIM) ,
Security
Information Event
Manager (TSIEM)
IBM Tivoli Unified
Single Sign-On ,
Tivoli Security
Policy Manager
IBM Common Audit
and Reporting
(CARS) & TCIM
5
Identity
Management Compliance
and
configuration
Policy/Access
Monitoring
and
response
Standardized
logging

6. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
6
Approach
ID CC
Gaps for
ESM
Start
Establish
Industry
Team and
Select Lab
Created
ESM Product
Categories
Collected
Products
and Data
Define next
level of Use
Cases
Develop
Global
Threat
Analysis
Select
Protection
Profile
Establish
High-level
Spec for PP
Develop PP
Verify (QA)
on PP
Publish PP
Draft for
Public
Comment
Declare PP
Status
(Global
Conference)
Publish PP
PPs
Complete?
Stop
No
Yes
Publish PP
Draft for
Public
Comment
Completed as of Sept 09

7. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
7
Cause and Effect/Fishbone

8. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
8
Timeline so far
- Sept 2008 Proposal
- Received well at 9th ICCC--interest by multiple
vendors, NIAP, consultants and other schemes
- May 2009: NIAP pledges support for creation of
the ESM PP’s.
- May-Aug 2009: Concurrence of ESM product
categories among Microsoft, IBM, EMC, Oracle
Symantec, Ricoh, and CA Inc solidified

9. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
Implementation Plan
9

10. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
Communication Plan
- Comment Periods
-Posted on official sites
-Allow for anyone to provide feedback
- CCVF
- ICCC and RSA
10

11. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
Participation to Date
- You can be a part of this team
- The more participants the better the quality
11

12. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
Joshua Brickman, PMP
CA, Inc.
Program Manager, Federal Certifications
(508) 628-8917
Joshua.Brickman@ca.com
Q & A
12
Eric Winterton, CISSP
Booz | Allen | Hamilton
CCTL Director
(410) 684-6691
winterton_eric@bah.com

13. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
13
Backup Slides

14. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
Impact to Effort Matrix
14

15. Copyright ©2009 CA & Booz Allen Hamilton. All rights reserved. All trademarks, trade names, services
marks and logos referenced herein belong to their respective companies.
All Products in ESM
15