Abstract image of a woman sitting on books and studying on a laptop

Final Exam Case Study (3)

Download as DOCX, PDF
K
Kathy_67

This document provides a summary of policies for information security at RLK Products. It outlines the job description and qualifications for an Information Assurance/Security Officer who will be responsible for developing and implementing a comprehensive security program. The policies describe requirements for privacy, acceptable use, staff responsibilities, and compliance with regulations. Incident response procedures, risk assessments, training, and an emergency plan are part of maintaining security.

1 of 29
Downloaded 35 times
1
2
3
Most read
4
5
Most read
6
7
8
9
Most read
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Final Exam Case Study ITT-1021-01 Principles of Information Security Instructor: Scott Simenson Kathy Cotterman and Lisa Neuttila December 8, 2010
Table of Contents 1. Introduction 2. Job Description and Qualifications 3. Policies Descriptions 4. Risk Assessment 5. Adequate Procedural and Activity Detail 6. Information, Assurance and Security Ongoing Maintenance 7. Employee Annual Evaluation Criteria 8. Overall Solution to Problem 2|Page
Introduction The purpose of the security architecture blueprint is to bring focus to the key areas of concern for RLK Products, highlighting decision criteria and context for each domain. Since security is a system property it can be difficult for Enterprise Security groups to separate the disparate concerns that exist at different system layers and to understand their role in the system as a whole. This blueprint provides a framework for understanding disparate design and process considerations; to organize architecture and actions toward improving enterprise security. The security architecture blueprint in Figure 1 depicts an approach to map the system’s stakeholders’ conceptual goals to a logical view for security, which is set of security policy and standards, security architecture, and risk management domains. The decisions in the logical layer drive the security processes, defense in depth services and security metrics through design time to run time. Figure 1 3|Page
RLK Products Office of the Chief Information Officer (CIO) Job Description DEPARTMENT: Office of the CIO JOB TITLE: Information Assurance/Security Officer (IA/SO) POSITION RELATIONSHIPS: Reports to: Chief Information Officer Works with: Risk and Contingency Manager, System Owner, Security Operations Manager External Relationships: IT suppliers/vendors, law enforcement POSITION SUMMARY: Under the general direction of the CIO, the Information Assurance/Security Officer (IA/SO) is responsible for the development and delivery of a comprehensive information security and privacy program for RLK Products. The scope of this program is company-wide, and includes information in electronic, print and other formats. The purposes of this program include: to assure that information created, acquired or maintained by RLK and its authorized users, is used in accordance with its intended purpose; to protect RLK information and its infrastructure from external or internal threats; and to assure that RLK complies with statutory and regulatory requirements regarding information access, security and privacy. POSITION DUTIES, RESPONSIBILITIES AND COMPETENCIES Policy Coordinate the development of RLK information security policies, standards and procedures. Work with key IT offices, data custodians and governance groups in the development of such policies. Ensure that company policies support compliance with external requirements. Oversee the dissemination of policies, standards and procedures to the company. Education and Training Coordinate the development and delivery of an education and training program on information security and privacy matters for employees, other authorized users. 4|Page
Compliance and Enforcement Serve as the company compliance officer with respect to RLK, state and federal information security policies and regulations 1 . Work with the company-designated Records Access and HIPAA-privacy Officers on compliance issues as necessary. Prepare and submit required reports to external agencies. Incident Response Develop and implement an Incident Reporting and Response System to address RLK security incidents (breaches), respond to alleged policy violations, or complaints from external parties. Serve as the official company contact point for information security, privacy and copyright infringement incidents, including relationships with law enforcement entities. Risk Assessment and Incident Prevention Develop and implement an ongoing risk assessment program targeting information security and privacy matters; recommend methods for vulnerability detection and remediation, and oversee vulnerability testing. Official Contact Act as the CIO’s designee representing RLK on Information Security matters; serve as the company contact point for external auditors and agencies, survey requests, etc on security/privacy matters. Maintain Knowledgebase Keep abreast of latest security and privacy legislation, regulations, advisories, alerts and vulnerabilities pertaining to the RLK and its mission. Emergency Preparedness Take part in Disaster Recovery Planning. QUALIFICATIONS: The emphasis of this position is on policy development, program administration and compliance/incident response activities. While technical knowledge of information technology and security issues is highly desirable, technical expertise and resources will be available from units such as Systems Management & Operations, and the Office of Telecommunications to support the information security and privacy program. 1 For example, HIPAA, NIST and FIPS Publications, Minnesota Laws and Statutes, USA Patriot Act, et al. Education: Bachelors degree required. Advanced degree preferred. General Skills and Experience Requirements: Experienced in the management of both physical and logical information security systems Strong technical skills (application and operating system hardening, vulnerability assessments, security audits, TCP/IP, intrusion detection systems, firewalls, etc.) Outstanding interpersonal and communication skills Must possess a high degree of integrity and trust along with the ability to work independently
Excellent documentation skills Ability to weigh business risks and enforce appropriate information security measures In-depth knowledge of the HIPAA Security Rule and other government technology laws CISSP (Certified Information Systems Security Professional) certification preferred Preamble In compliance with HIPAA, NIST, and FIPS standards, and generally accepted industry best practices, RLK Products provides for the security and privacy of the data stored on, redirected through, or processed by its technology resources. RLK Products encourages the use of these technology resources; however they remain the property of RLK Products and are offered on a privilege basis only. Throughout this policy, the term “staff” identifies full- and part-time employees, contractors, consultants, temporaries, student assistants, volunteers, retired annuitants, vendors and other users including those affiliated with third parties who access RLK Products technology resources due to their job responsibilities. Management expects staff to comply with this and other applicable RLK Products policies, procedures, and local, state, federal, and international laws. Failure to abide by these conditions may result in forfeiture of the privilege to use technology resources, disciplinary action, and/or legal action. The IT Policy Review Team regularly modifies this and other IT security related policies to reflect changes in industry standards, legislation, technology and/or products, services, and processes at RLK Products. Privacy RLK Products reserves the right to monitor, duplicate, record and/or log all staff use of RLK Products technology resources with or without notice. This includes but is not limited to e-mail, Internet access, keystrokes, file access, logins, and/or changes to access levels. Staff shall have no expectation of privacy in the use of these technology resources. Liability RLK Products makes no warranties of any kind, whether expressed or implied for the services in this policy. In addition, RLK Products is not responsible for any damages which staff may suffer or cause arising from or related to their use of RLK Products technology resources. Staff must recognize that RLK Products technology resource usage is a privilege and that the policies implementing said usage are requirements that mandate adherence. Staff Responsibilities and Accountability Effective information security requires staff involvement as it relates to their jobs. Staff is accountable for their actions and therefore they own any events occurring under their user identification code(s). It is staff’s responsibility to abide by policies and procedures of all networks and systems with which they communicate. Access of personal or private Internet Service Providers while using RLK Products provided information technology resources or using non-RLK Products provided information technology resources to conduct RLK Products business does not indemnify any entity from the responsibilities, accountability and/or compliance with this or other RLK Products policies. Staff responsibilities include but are not limited to: · Access and release only the data for which you have authorized privileges and a need to know (including misdirected e-mail) 6|Page
· Abide by and be aware of all policies and laws (local, state, federal, and international) applicable to computer system use · Report information security violations to the Information Security Officer or designee and cooperate fully with all investigations regarding the abuse or misuse of state owned information technology resources · Protect assigned user IDs, passwords, and other access keys from disclosure · Secure and maintain confidential printed information, magnetic media or electronic storage mechanisms in approved storage containers when not in use and dispose of these items in accordance with RLK Products policy · Log off of systems (or initiate a password protected screensaver) before leaving a workstation unattended · Use only RLK Products acquired and licensed software · Attend periodic information security training provided by RLK Products IT Security Branch · Follow all applicable procedures and policies © SANS Institute 2001, Author retains full rights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 7|Page
Who’s responsible? Risk and Contingency Manager is responsible for administering and managing the facility’s risk management program. They develop and implement the organization’s risk management program in a manner that fulfills the mission and strategic goals of the organization while complying with state and federal laws and accreditation standards related to safety and risk management. They develop and implement systems, policies, and procedures for the identification, collection and analysis of risk related information. They educate and train the leadership, staff and business associates as to the risk management program, and their respective responsibilities in carrying out the risk management program. They lead, facilitate, and advise departments in designing risk management programs within their own departments. They collect, evaluate, and maintain data concerning patient injuries, claims, worker’s compensation, and other risk- related data. They help investigate and analyze root causes, patterns, or trends that could result in compensatory or sentinel events. They help to identify and implement corrective action where appropriate. They provide a quarterly summary to the Board on incidents, claims, and claim payments. They serve as the organization’s liaison to the organization’s insurance carrier. They assist in processing summonses and claims against the facility by working with legal counsel to coordinate the investigation, processing, and defense of claims against the organization. They actively participate in or facilitate committees related to risk management, safety, and quality improvement. 8|Page
System Owner serves as the process owner for all ongoing activities related to the availability, integrity, and confidentiality of patient, provider, employee and business information in compliance with the healthcare organizations information security policies and procedures. Documents for information security policies and procedures instituted by the organizations Information Security Committee. Implements the organization’s information security policies and procedures. Provides direct information security training to all employees, contractors, alliances, and other third-parties. Monitors compliance with the organization’s information security policies and procedures among employees, contractors, alliances, and other third parties and refers problems to appropriate department managers or administrators. Monitor's internal control systems to ensure that appropriate information access levels and security clearances are maintained. Performs information security risk assessment and serves as the internal auditor for information security processes. Prepares the organization’s disaster recovery and business continuity plans for information systems. Serves as an internal information security consultant to the organization. Monitors advancement in information security technologies. Monitors changes in legislation and accreditation standards that affect information security. Initiates, facilitates, and promotes activities to foster information security awareness within the organization. Serves as the information security liaison for users of clinical, administrative, and behavioral systems. Reviews all system- related information security plans throughout the organization's network. Security Operations Manager provide supervisory oversight for day to day security operations of the site. Ensures all required reporting and contract compliance requirements are met by conducting regular performance reviews. Prepares reports or metrics as assigned to track data. Maintains daily contact with patients to solicit feedback regarding performance, operational requirements, and other issues pertaining to site operations. Building, improving and maintaining effective relationships with patients, employees and third-parties. Maintains administrative oversight for site operations including procedural changes, contact information, and works instructions. Assists in operational planning, emergency response, and other security related matters. Handles security issues in emergency situations in accordance with regulations, company policies and contract requirements. Computer Security Specialist plan, Coordinate and maintain an organization's information security. They educate users about computer security, install security software, monitor network for security breaches, respond to cyber-attacks and, in some cases, gather data and evidence to be used in prosecuting cyber-crime. Telecommunications Specialist focus on the interaction between computer and communities communications equipment. They designed voice, video and data communication systems, supervise the installation of the systems, and provide maintenance and other services after the systems are installed. They also test lines, oversees equipment repair, and may compile and maintain system records. Web Administrators are responsible for maintaining website. They oversee issues such as availability to users and speed of access, and are responsible for approving the content of the site. Web Administrators also collect and analyze data on web activity, traffic patterns and other metrics, as well as monitor in respond to user feedback. They are also responsible for the technical aspects of website creation. They use software languages and tools and create applications for the web. They identify the site’s users and oversee its product production and implementation. They determine the information that the site will contain and how it will be organized, and may use web development software to integrate databases and other information systems. Database Administrators work with data base management software and determine ways to store, organize, analyze, use and present data. They identify user needs and set up new computer databases. In many cases, database administrators must integrate data from old systems into a new system. They also test and coordinate modifications to the system when needed, and troubleshoot problems when they occur. They ensure performance of the system, 9|Page
understands the platform on which database runs, and adds new users to the system. They plan and coordinate security measures with network administrators. Systems Architects are the designers of computer networks. They set up, test, and evaluate systems such as local area networks (LANs), wide area networks (WANs), the internet, intranets, and other data communications systems. Systems are configured in many ways and can range from a connection between two offices in the same building to globally distributed networks, voice mail and e-mail systems of a multinational organization. Network architects and engineers perform network modeling, analysis and planning, which often require both hardware and software solutions. For example, setting up a network may involve installation of several pieces of hardware, such as routers and hubs, wireless adapters and cables, as well as the installation and configuration of software, such as network drivers. These workers may also research related products and make necessary hardware and software recommendations, as well as the address information security issues. System Administrators are responsible for LANs, WANs, network segments, and Internet and intranet systems. They are also responsible for maintaining system efficiency. They ensure that the design of an organization's computer system allows all the components, including computers, the network, and software, to work properly together. Administrators also troubleshoot problems reported by users in by automated network monitoring systems and make recommendations for future system upgrades. They maintain network and system security, maintain network hardware and software, analyze problems, and monitor networks to ensure their availability to users. They gather data to evaluate the system's performance, identify user needs, and determine system and network requirements. Computer Security Specialist oversee all ongoing activities related to development, implementation, maintenance of, and adherence to policies and procedures covering security of and access to protected health information (PH I) in compliance to federal and state laws and health system security practices. The Computer Security Specialist ensures that periodic risk assessments and ongoing monitoring of key elements of the security program are monitored. They lead in the development and enforcement of information security policies and procedures, measures and mechanisms to ensure the prevention, detection, containment and correction of security incidents. They ensure that security standards comply with statutory and regulatory requirements regarding health information. Ensures that security policies are maintained that include: administrative security, personnel security, physical safeguards, technical security and transmission security. They provide assurance that appropriate documentation exists of response of the institution of the addressable portion of the security rule. Ensures that security procedures are maintained that include: evaluation of compliance with security measures; contingency plans for emergency and disaster recovery; security incident response process and protocols; testing of security procedures, measures and mechanisms, and continuous improvement; and security incident reporting mechanisms and sanction policy. Ensures that appropriate security measures and mechanisms are in place to guard against unauthorized access to electronically stored and/or transmitted patient data and protect against reasonably anticipated threats and hazards, including, when appropriate: integrity controls, authentication controls, access controls, encryption, and abnormal condition alarms, audit trails, entity authentication and events reporting. They oversee ongoing security monitoring of information systems, including: periodic information security risk assessment; functionality and gap analyses to determine the extent to which key business areas and infrastructure comply with statutory and regulatory requirements; and review of new information security technologies and counter- measures against threats to information or privacy. They oversee training programs, periodic security awareness reminders, and periodic security audits. This position serves as an instrumental resource regarding matters of informational security. Works with administration, legal counsel and other related parties to represent the organization information security interests with external parties (state or local government bodies) who undertake to adopt or amend security legislation, regulation, or standard. They coordinate with the appropriate departments and 10 | P a g e
units to ensure timely development and implementation of corrective action plans in response to monitoring deficiencies and complaints. 11 | P a g e
TABLE 1: SECURITY CONTROL CLASSES, FAMILY CLASS FAMILIES, AND IDENTIFIERS IDENTIFIER AC Access Control Technical AT Awareness and Training Operational AU Audit and Accountability Technical CA Certification, Management Accreditation, and Security Assessments CM Configuration Operational Management CP Contingency Planning Operational IA Identification and Technical Authentication IR Incident Response Operational MA Maintenance Operational MP Media Protection Operational PE Physical and Operational Environmental Protection PL Planning Management PS Personnel Security Operational RA Risk Assessment Management SA System and Services Management Acquisition SC System and Technical Communications Protection SI System and Information Operational Integrity NIST SP 800-53 Risk Assessment Framework Risk Assessment Framework introduces a structured, flexible, extensible, and repeatable process for managing organizational risk and achieving risk-based protection related to the operation and use of information. RLK Enterprises is an electronic medical records storage company and is subject to HIPPA Security Rule. The National Institute of Standards and Technology has created structure, guidelines and procedures that are required to be followed by Federal Agencies when dealing with electronic health information. They have made these available to commercial enterprises and actually recommend their use by the private sector. So we have decided to adopt most if not all of their recommended Risk Assessment Framework, with some scoping and customizing to the specific needs of RLK Enterprises. A Risk Management Policy has been created to: Protect RLK Enterprises from those risks of significant likelihood and consequence in the pursuit of the company’s stated strategic goals and objectives Provide a consistent risk management framework in which the risks concerning business processes and functions of the company will be identified, considered and addressed in key approval, review and control processes Provide assistance to and improve the quality of decision making throughout the company Meet legal or statutory requirements Encourage pro-active rather than re-active management 12 | P a g e
Assist in safeguarding the company's assets -- people, data, property and reputation Health Insurance Portability and Accountability Act (HIPAA) HIPAA Security Rule The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). All HIPAA covered entities, which includes some federal agencies, must comply with the Security Rule. The Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard. Security Rule Goals and Objectives As required by the “Security standards: General rules” section of the HIPAA Security Rule, each covered entity must: • Ensure the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits; • Protect against any reasonably anticipated threats and hazards to the security or integrity of EPHI; and • Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule. In complying with this section of the Security Rule, covered entities must be aware of the definitions provided for confidentiality, integrity, and availability as given by § 164.304: • Confidentiality is “the property that data or information is not made available or disclosed to unauthorized persons or processes.” • Integrity is “the property that data or information have not been altered or destroyed in an unauthorized manner.” • Availability is “the property that data or information is accessible and useable upon demand by an authorized person.” NIST Risk Management Framework (RMF) The NIST RMF, illustrated in Figure 1, provides a disciplined, structured, extensible, and repeatable process for achieving risk-based protection related to the operation and use of information systems and the protection of EPHI. It represents an information security life cycle that facilitates continuous monitoring and improvement in the security state of the information systems within the organization. 13 | P a g e
Figure 1 The steps listed in the NIST RMF create an effective information security program and can be applied to both new and legacy information systems within the context of a system development life cycle. A risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, policies, standards, or regulations. The flexible nature of the NIST RMF allows other communities of interest, such as private sector entities, to use the framework voluntarily either with the NIST security standards and guidelines or with industry-specific standards and guidelines. The RMF provides organizations with the flexibility needed to apply the right security controls to the right information systems at the right time to adequately protect the critical and sensitive information, missions, and business functions of the organization. Categorize the information system and the information resident within that system based on a FIPS 199 impact analysis. Select an initial set of security controls (i.e., security control baseline from Appendix D) for the information system based on the FIPS 199 security categorization and the minimum security requirements defined in FIPS 200; apply tailoring guidance from Section 3.3 as appropriate, to obtain the control set used as the starting point for the assessment of risk associated with the use of the system. Supplement the initial set of tailored security controls based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances. 14 | P a g e
Document the agreed-upon set of security controls in the system security plan including the organization’s rationale for any refinements or adjustments to the initial set of controls. Implement the security controls in the information system. For legacy systems, some or all of the security controls selected may already be in place. Assess the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Authorize information system operation based upon a determination of the risk to organizational operations, organizational assets, or to individuals resulting from the operation of the information system and the decision that this risk is acceptable. Monitor and assess selected security controls in the information system on a continuous basis including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis. Risk Assessment Guidelines This appendix incorporates risk assessment concepts and processes described in NIST SP 800-30 Revision 1, Effective Use of Risk Assessments in Managing Enterprise Risk, the NIST Risk Management Framework, and the HIPAA Security Series: Basics of Risk Analysis and Risk Management. It is intended to assist covered entities in identifying and mitigating risks to acceptable levels. The purpose of a risk assessment is to identify conditions where EPHI could be disclosed without proper authorization, improperly modified, or made unavailable when needed. This information is then used to make risk management decisions on whether the HIPAA-required implementation specifications are sufficient or what additional addressable implementation specifications are needed to reduce risk to an acceptable level. Key Terms Defined When talking about risk, it is important that terminology be defined and clearly understood. This section defines important terms associated with risk assessment and management. • Risk is the potential impact that a threat can have on the confidentiality, integrity, and availability on EPHI by exploiting a vulnerability. • Threats are anything that can have a negative impact on EPHI. Threats are: Intentional (e.g., malicious intent); or Unintentional (e.g., misconfigured server, data entry error). • Threat sources are: Natural (e.g., floods, earthquakes, storms, tornados); Human (e.g., intentional such as identity thieves, hackers, spyware authors; unintentional such as data entry error, accidental deletions); or Environmental (e.g., power surges and spikes, hazmat contamination, environmental pollution). 15 | P a g e
• Vulnerabilities are a flaw or weakness in a system security procedure, design, implementation, or control that could be intentionally or unintentionally exercised by a threat. • Impact is a negative quantitative and/or qualitative assessment of a vulnerability being exercised on the confidentiality, integrity, and availability of EPHI. It can be easy to confuse vulnerabilities and threats. An organization may be vulnerable to damage from power spikes. The threats that could exploit this vulnerability may be overloaded circuits, faulty building wiring, dirty street power, or too much load on the local grid. It is important to separate these two terms in order to assist in proper security control selection. In this example, security controls could range from installing UPS systems, additional fuse boxes, or standby generators, or rewiring the office. These additional security controls may help to mitigate the vulnerability but not necessarily for each threat. HIPAA Risk Assessment Requirements Standard 164.308(a)(1)(i), Security Management Process, requires covered entities to: Implement policies and procedures to prevent, detect, contain, and correct security violations. The Security Management Process standard includes four required implementation specifications. Two of these specifications deal directly with risk analysis and risk management. 1. Risk Analysis (R123) – 164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. 2. Risk Management (R) – 163.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a). How to Conduct the Risk Assessment: Risk assessments can be conducted using many different methodologies. There is no single methodology that will work for all organizations and all situations. The following steps represent key elements in a comprehensive risk assessment program, and provide an example of the risk assessment methodology described in NIST SP 800-30. It is expected that these steps will be customized to most effectively identify risk for an organization based on its own uniqueness. Even though these items are listed as steps, they are not prescriptive in the order that they should be conducted. Some steps can be conducted simultaneously rather than sequentially. 1. Scope the Assessment. The first step in assessing risk is to define the scope of the effort, resulting in a general characterization of the information system, its operating environment, and its boundary. To do this, it is necessary to identify where EPHI is created, received, maintained, processed, or transmitted. 16 | P a g e
The scope of a risk assessment should include both the physical boundaries of a covered entity’s location as well as a logical boundary covering the media containing EPHI, regardless of its location. Ensure that the risk assessment scope takes into consideration the remote work force and telecommuters, and removable media and portable computing devices (e.g., laptops, removable media, and backup media). 2. Gather Information. During this step, the covered entity should identify: • The conditions under which EPHI is created, received, maintained, processed, or transmitted by the covered entity; and • The security controls currently being used to protect the EPHI. This step is essential to ensure that vulnerabilities and threats are correctly identified. For example, an invalidated belief that a policy is being followed can miss a potential vulnerability, and not knowing about portable media containing EPHI can miss a threat to that environment. The level of effort needed to gather the necessary information depends heavily on the scope of the assessment and the size of the covered entity. 3. Identify Realistic Threats. Often performed simultaneously with step 4, Identify Potential Vulnerabilities, the goal of this step is to identify the potential threat sources and compile a threat statement listing potential threat-sources that are applicable to the covered entity and its operating environment. The listing of threat sources should include realistic and probable human and natural incidents that can have a negative impact on an organizations ability to protect EPHI. Threats can be easily identified by examining the environments where EPHI is being used. Many external sources can be used for threat identification. Internet searches, vendor information, insurance data, and crime statistics are all viable sources of threat data. Examples of some common threat sources are listed in Table 5 below. Table 5. Common Threat Sources 17 | P a g e
4. Identify Potential Vulnerabilities. Often performed simultaneously with step 3, Identify Realistic Threats, the goal of this step is to develop a list of vulnerabilities (flaws or weaknesses) that could be exploited by potential threat sources. This list should focus on realistic technical and nontechnical areas where EPHI can be disclosed without proper authorization, improperly modified, or made unavailable when needed. Covered entities should use internal and external sources to identify potential vulnerabilities. Internal sources may include previous risk assessments, vulnerability scan and system security test results, and audit reports. External sources may include Internet searches, vendor information, insurance data, and vulnerability databases such as the National Vulnerability Database (http://nvd.nist.gov). 5. Assess Current Security Controls. Often performed simultaneously with step 2, Gather Information, the purpose of this step is to determine if the implemented or planned security controls will minimize or eliminate risks to EPHI. A thorough understanding of the actual security controls in place for a covered entity will reduce the list of vulnerabilities, as well as the realistic probability, of a threat attacking (intentionally or unintentionally) EPHI. Covered entities should evaluate technical and nontechnical security controls at all places where EPHI is created, received, maintained, processed, or transmitted. This evaluation should determine whether the security measures implemented or planned are adequate to protect EPHI, and whether those measures required by the Security Rule are in place, configured, and used properly. The appropriateness and adequacy of security measures may vary depending on the structure, size, and geographical dispersion of the covered entity. 6. Determine the Likelihood and the Impact of a Threat Exercising a Vulnerability. The next major step in measuring the level of risk is to determine the likelihood and the adverse impact resulting from a threat successfully exploiting a vulnerability. This information can be obtained from existing organizational documentation, such as business impact and asset criticality assessments. A business impact assessment prioritizes the impact levels associated with the compromise of an organization’s information assets based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. An asset criticality assessment identifies and prioritizes the sensitive and critical organization information assets (e.g., hardware, software, systems, services, and related technology assets) that support the organization’s critical missions. If these organizational documents do not exist, the system and data sensitivity can be determined based on the level of protection required to maintain the EPHI’s confidentiality, integrity, and availability. The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security objectives: integrity, availability, and confidentiality. Table 6 provides a brief description of each security objective and the consequence (or impact) of its not being met. Table 6. Security Objectives and Impacts 18 | P a g e
Some tangible impacts can be measured quantitatively in terms of lost revenue, the cost of repairing the system, or the level of effort required to correct problems caused by a successful threat action. Other impacts, such as the loss of public confidence, the loss of credibility, or damage to an organization’s interest, cannot be measured in specific units but can be qualified or described in terms of high, medium, and low impacts. Qualitative and quantitative methods can be used to measure the impact of a threat occurring 7. Determine the Level of Risk. The purpose of this step is to assess the level of risk to the IT system. The determination of risk takes into account the information gathered and determinations made during the previous steps. The level of risk is determined by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. The risk-level determination may be performed by 19 | P a g e
assigning a risk level based on the average of the assigned likelihood and impact levels. A risk-level matrix, such as the sample depicted in Table 7, can be used to assist in determining risk levels. Table 7. Sample Risk-Level Matrix 8. Recommend Security Controls. During this step, security controls that could mitigate the identified risks, as appropriate to the organization’s operations, are recommended. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. Security control recommendations provide input to the risk mitigation process, during which the recommended security controls are evaluated, prioritized, and implemented. It should be noted that not all possible recommended security controls can be implemented to reduce loss. To determine which ones are required and appropriate for a specific organization, a cost-benefit analysis should be conducted for the proposed recommended controls, to demonstrate that the costs of implementing the controls can be justified by the reduction in the level of risk. In addition to cost, organizations should consider the operational impact and feasibility of introducing the recommended security controls into the operating environment. 9. Document the Risk Assessment Results. Once the risk assessment has been completed (threat sources and vulnerabilities identified, risks assessed, and security controls recommended), the results of each step in the risk assessment should be documented. NIST SP 800-30 provides a sample risk assessment report outline that may prove useful to covered entities. Risk Assessment Results Affect Risk Management The results of a risk assessment play a significant role in executing an organization’s risk management strategy. In the context of the HIPAA Security Rule, the security control baseline, which consists of the standards and required implementation specifications, should be viewed as the foundation or starting point in the selection of adequate security controls necessary to protect EPHI. In many cases, additional security controls or control enhancements will be needed to protect EPHI or to satisfy the requirements of applicable laws, policies, standards, or regulations. 20 | P a g e
The risk assessment provides important inputs to determine the sufficiency of the security control baseline. The risk assessment results, coupled with the security control baseline, should be used to identify which addressable implementation specifications should be implemented to adequately mitigate identified risks. Identification and Categorization of Information Types in RLK System We have identified the information types and assigned a category number on a scale of 1 to 5 according to the magnitude of harm resulting were the system to suffer a compromise of Confidentiality, Integrity, or Availability. NIST SP 800-60 provides a catalog of information types, and FIPS-199 provides a rating methodology and a definition of the three criteria. The overall FIPS-199 system categorization is the high water mark of the impact rating of all the criteria of all information types resident in the system. Category 0-1 -- The potential impact is LOW if— − The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals. Category 2-3 -- The potential impact is MODERATE if— − The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries. Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law. FIPS Publication 199 Standards for Security Categorization of Federal Information and Information Systems Category 4-5 -- The potential impact is HIGH if— − The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major 21 | P a g e
damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries. Selection of Security Controls for System During the design and implementation life-cycle phase, a set of security controls must be selected and incorporated into the system implementation. NIST SP 800-53 provides a catalog of security controls in Special Publication 800-53, Revision 2 the following chart is a small sample of the security controls recommended, 22 | P a g e
along with the control baselines. The following specific example shows the criteria for determining control baselines: 23 | P a g e
Implementing and Documentation of the System Pertinent system information such as system boundaries, information types, constituent components, responsible individuals, description of user communities, interconnections with other systems and implementation details for each security control need to be documented in the system security plan. NIST SP 800-18 Rev 1 gives guidance on documentation standards. Additional documentation such as a contingency plan for the system also needs to be prepared at this stage. Guidance on contingency planning can be found in NIST SP 800-34. Performing Risk Assessment Once the controls implementation are documented, a risk assessment can be performed. A risk assessments starts by identifying potential threats and vulnerabilities, and maps implemented controls to individual vulnerabilities. One then determines risk by calculating the likelihood and impact of any given vulnerability being exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities, and describes whether the risk is to accepted or mitigated. If mitigated, one needs to describe what additional SP 800-53 controls will be added to the system. NIST SP 800-30 provides guidance on the risk assessment process. Certification of System Once the system documentation and risk assessment is complete, the system needs to have its controls assessed and certified to be functioning appropriately. For systems with a FIPS-199 categorization of Low, a self-assessment is sufficient for certification. For systems categorized at higher FIPS-199 levels, a certification performed by an independent 3rd party is required. NIST SP 800-26 provides guidance on the self-assessment process. NIST SP 800-53A provides guidance on the assessment methods applicable to individual controls. Accreditation (Authorization) of System Once a system has been certified, the security documentation package is reviewed by an accrediting official, 24 | P a g e
who, if satisfied with the documentation and the results of certification, accredits the system by issuing an authorization to operate. This authorization is usually for a 3 year period, and may be contingent on additional controls or processes being implemented. NIST SP 800-37 provides guidance on the certification and accreditation of systems. Continuous Monitoring All accredited systems are required to monitor a selected set of security controls for efficacy, and the system documentation is updated to reflect changes and modifications to the system. Significant changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified. Guidance on continuous monitoring can be found in NIST SP 800-37 and SP 800-53A. Future Review of the IA/SO position The future review of the IA/SO position will take place every 6 months to evaluate if the processes put in place by the IA/SO are still relevant. Proposed Solution The above Framework of risk identification, security controls and mitigation procedures, when scoped to the particular needs and applied to the specific operation of RLK Enterprises, is designed to provide an acceptable level of data assurance as well as meeting Federal Government requirements and guidelines. 25 | P a g e
26 | P a g e
27 | P a g e
28 | P a g e
29 | P a g e

More Related Content

PPTX
public key infrastructure
vimal kumar
 
PPT
Email Security : PGP & SMIME
Rohit Soni
 
PPT
DES
Naga Srimanyu Timmaraju
 
PPT
6. cryptography
7wounders
 
PDF
GDPR and Security.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Journey to the Center of Security Operations
♟Sergej Epp
 
PPTX
cyber-security-reference-architecture
Birendra Negi ☁️
 
PPT
1. security management practices
7wounders
 
public key infrastructure
vimal kumar
 
Email Security : PGP & SMIME
Rohit Soni
 
DES
Naga Srimanyu Timmaraju
 
6. cryptography
7wounders
 
GDPR and Security.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Journey to the Center of Security Operations
♟Sergej Epp
 
cyber-security-reference-architecture
Birendra Negi ☁️
 
1. security management practices
7wounders
 

What's hot (20)

PDF
Data Engineering Basics
Catherine Kimani
 
PPTX
Information Security Awareness
SnapComms
 
PPTX
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
RAMESHBABU311293
 
PPTX
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
PPTX
Encryption
Syed Taimoor Hussain Shah
 
PDF
Privacy and Data Security
WilmerHale
 
PPTX
cyber security in arabic.pptx
huda2018
 
PDF
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Eryk Budi Pratama
 
PPTX
Introduction to Network Security
Shitiz Upreti
 
PDF
Common Practice in Data Privacy Program Management
Eryk Budi Pratama
 
PDF
Public key Infrastructure (PKI)
Venkatesh Jambulingam
 
PPT
Network Security and Cryptography
Adam Reagan
 
PPTX
Information security principles an understanding
HelpWithAssignment.com
 
PDF
Personal Data Protection in Indonesia
Eryk Budi Pratama
 
PPTX
Introduction to GDPR
Priyab Satoshi
 
PPTX
Cyber Security: A Hands on review
MiltonBiswas8
 
PPT
Information Security Policies and Standards
Directorate of Information Security | Ditjen Aptika
 
PPTX
Meaningfull security metrics
Vladimir Jirasek
 
PPT
Information security
LJ PROJECTS
 
PPTX
Octave
Amar Myana
 
Data Engineering Basics
Catherine Kimani
 
Information Security Awareness
SnapComms
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
RAMESHBABU311293
 
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
Encryption
Syed Taimoor Hussain Shah
 
Privacy and Data Security
WilmerHale
 
cyber security in arabic.pptx
huda2018
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Eryk Budi Pratama
 
Introduction to Network Security
Shitiz Upreti
 
Common Practice in Data Privacy Program Management
Eryk Budi Pratama
 
Public key Infrastructure (PKI)
Venkatesh Jambulingam
 
Network Security and Cryptography
Adam Reagan
 
Information security principles an understanding
HelpWithAssignment.com
 
Personal Data Protection in Indonesia
Eryk Budi Pratama
 
Introduction to GDPR
Priyab Satoshi
 
Cyber Security: A Hands on review
MiltonBiswas8
 
Information Security Policies and Standards
Directorate of Information Security | Ditjen Aptika
 
Meaningfull security metrics
Vladimir Jirasek
 
Information security
LJ PROJECTS
 
Octave
Amar Myana
 
Ad

Similar to Final Exam Case Study (3) (20)

DOC
Case Study
lneut03
 
PPTX
Information security: importance of having defined policy & process
Information Technology Society Nepal
 
PDF
1 info sec+risk-mgmt
madunix
 
PDF
Erwin (Chris) Carrow resume Brief 10-23-2015
Erwin Carrow
 
PPTX
Topic11
Anne Starr
 
PDF
Chapter 12 iso 27001 awareness
newbie2019
 
PDF
Information security principles to the private versus public sector.pdf
info401595
 
PPSX
1 Info Sec+Risk Mgmt
Alfred Ouyang
 
PPTX
entregable ingles 01.pptx trabajo de senati V ciclo
282110mario
 
PDF
CyberSecurity Cyber24x7.pdf
Varinder K
 
PDF
Chapter 7 Managing Secure System.pdf
AbuHanifah59
 
PDF
CIA-Triad-Presentation.pdf
BabyBoy55
 
DOCX
Running Head STATEMENT OF WORKSTATEMENT OF WORK .docx
toltonkendal
 
PPTX
Security Foundation and Incident Mgmt and BCMS.pptx
MohsenMojabi1
 
PPTX
Security Organization/ Infrastructure
Priyank Hada
 
PPTX
Human Factors_MODULE_2.pptx
Shreeveni
 
PPTX
Sec+ Organizational Security
David Meltzer
 
PDF
1. Security and Risk Management
Sam Bowne
 
PDF
Information Security Career Day Presentation
djglass
 
PDF
Cyber_Management_Issues.pdf
AliAhmed675993
 
Case Study
lneut03
 
Information security: importance of having defined policy & process
Information Technology Society Nepal
 
1 info sec+risk-mgmt
madunix
 
Erwin (Chris) Carrow resume Brief 10-23-2015
Erwin Carrow
 
Topic11
Anne Starr
 
Chapter 12 iso 27001 awareness
newbie2019
 
Information security principles to the private versus public sector.pdf
info401595
 
1 Info Sec+Risk Mgmt
Alfred Ouyang
 
entregable ingles 01.pptx trabajo de senati V ciclo
282110mario
 
CyberSecurity Cyber24x7.pdf
Varinder K
 
Chapter 7 Managing Secure System.pdf
AbuHanifah59
 
CIA-Triad-Presentation.pdf
BabyBoy55
 
Running Head STATEMENT OF WORKSTATEMENT OF WORK .docx
toltonkendal
 
Security Foundation and Incident Mgmt and BCMS.pptx
MohsenMojabi1
 
Security Organization/ Infrastructure
Priyank Hada
 
Human Factors_MODULE_2.pptx
Shreeveni
 
Sec+ Organizational Security
David Meltzer
 
1. Security and Risk Management
Sam Bowne
 
Information Security Career Day Presentation
djglass
 
Cyber_Management_Issues.pdf
AliAhmed675993
 
Ad

Final Exam Case Study (3)

  • 1. Final Exam Case Study ITT-1021-01 Principles of Information Security Instructor: Scott Simenson Kathy Cotterman and Lisa Neuttila December 8, 2010
  • 2. Table of Contents 1. Introduction 2. Job Description and Qualifications 3. Policies Descriptions 4. Risk Assessment 5. Adequate Procedural and Activity Detail 6. Information, Assurance and Security Ongoing Maintenance 7. Employee Annual Evaluation Criteria 8. Overall Solution to Problem 2|Page
  • 3. Introduction The purpose of the security architecture blueprint is to bring focus to the key areas of concern for RLK Products, highlighting decision criteria and context for each domain. Since security is a system property it can be difficult for Enterprise Security groups to separate the disparate concerns that exist at different system layers and to understand their role in the system as a whole. This blueprint provides a framework for understanding disparate design and process considerations; to organize architecture and actions toward improving enterprise security. The security architecture blueprint in Figure 1 depicts an approach to map the system’s stakeholders’ conceptual goals to a logical view for security, which is set of security policy and standards, security architecture, and risk management domains. The decisions in the logical layer drive the security processes, defense in depth services and security metrics through design time to run time. Figure 1 3|Page
  • 4. RLK Products Office of the Chief Information Officer (CIO) Job Description DEPARTMENT: Office of the CIO JOB TITLE: Information Assurance/Security Officer (IA/SO) POSITION RELATIONSHIPS: Reports to: Chief Information Officer Works with: Risk and Contingency Manager, System Owner, Security Operations Manager External Relationships: IT suppliers/vendors, law enforcement POSITION SUMMARY: Under the general direction of the CIO, the Information Assurance/Security Officer (IA/SO) is responsible for the development and delivery of a comprehensive information security and privacy program for RLK Products. The scope of this program is company-wide, and includes information in electronic, print and other formats. The purposes of this program include: to assure that information created, acquired or maintained by RLK and its authorized users, is used in accordance with its intended purpose; to protect RLK information and its infrastructure from external or internal threats; and to assure that RLK complies with statutory and regulatory requirements regarding information access, security and privacy. POSITION DUTIES, RESPONSIBILITIES AND COMPETENCIES Policy Coordinate the development of RLK information security policies, standards and procedures. Work with key IT offices, data custodians and governance groups in the development of such policies. Ensure that company policies support compliance with external requirements. Oversee the dissemination of policies, standards and procedures to the company. Education and Training Coordinate the development and delivery of an education and training program on information security and privacy matters for employees, other authorized users. 4|Page
  • 5. Compliance and Enforcement Serve as the company compliance officer with respect to RLK, state and federal information security policies and regulations 1 . Work with the company-designated Records Access and HIPAA-privacy Officers on compliance issues as necessary. Prepare and submit required reports to external agencies. Incident Response Develop and implement an Incident Reporting and Response System to address RLK security incidents (breaches), respond to alleged policy violations, or complaints from external parties. Serve as the official company contact point for information security, privacy and copyright infringement incidents, including relationships with law enforcement entities. Risk Assessment and Incident Prevention Develop and implement an ongoing risk assessment program targeting information security and privacy matters; recommend methods for vulnerability detection and remediation, and oversee vulnerability testing. Official Contact Act as the CIO’s designee representing RLK on Information Security matters; serve as the company contact point for external auditors and agencies, survey requests, etc on security/privacy matters. Maintain Knowledgebase Keep abreast of latest security and privacy legislation, regulations, advisories, alerts and vulnerabilities pertaining to the RLK and its mission. Emergency Preparedness Take part in Disaster Recovery Planning. QUALIFICATIONS: The emphasis of this position is on policy development, program administration and compliance/incident response activities. While technical knowledge of information technology and security issues is highly desirable, technical expertise and resources will be available from units such as Systems Management & Operations, and the Office of Telecommunications to support the information security and privacy program. 1 For example, HIPAA, NIST and FIPS Publications, Minnesota Laws and Statutes, USA Patriot Act, et al. Education: Bachelors degree required. Advanced degree preferred. General Skills and Experience Requirements: Experienced in the management of both physical and logical information security systems Strong technical skills (application and operating system hardening, vulnerability assessments, security audits, TCP/IP, intrusion detection systems, firewalls, etc.) Outstanding interpersonal and communication skills Must possess a high degree of integrity and trust along with the ability to work independently
  • 6. Excellent documentation skills Ability to weigh business risks and enforce appropriate information security measures In-depth knowledge of the HIPAA Security Rule and other government technology laws CISSP (Certified Information Systems Security Professional) certification preferred Preamble In compliance with HIPAA, NIST, and FIPS standards, and generally accepted industry best practices, RLK Products provides for the security and privacy of the data stored on, redirected through, or processed by its technology resources. RLK Products encourages the use of these technology resources; however they remain the property of RLK Products and are offered on a privilege basis only. Throughout this policy, the term “staff” identifies full- and part-time employees, contractors, consultants, temporaries, student assistants, volunteers, retired annuitants, vendors and other users including those affiliated with third parties who access RLK Products technology resources due to their job responsibilities. Management expects staff to comply with this and other applicable RLK Products policies, procedures, and local, state, federal, and international laws. Failure to abide by these conditions may result in forfeiture of the privilege to use technology resources, disciplinary action, and/or legal action. The IT Policy Review Team regularly modifies this and other IT security related policies to reflect changes in industry standards, legislation, technology and/or products, services, and processes at RLK Products. Privacy RLK Products reserves the right to monitor, duplicate, record and/or log all staff use of RLK Products technology resources with or without notice. This includes but is not limited to e-mail, Internet access, keystrokes, file access, logins, and/or changes to access levels. Staff shall have no expectation of privacy in the use of these technology resources. Liability RLK Products makes no warranties of any kind, whether expressed or implied for the services in this policy. In addition, RLK Products is not responsible for any damages which staff may suffer or cause arising from or related to their use of RLK Products technology resources. Staff must recognize that RLK Products technology resource usage is a privilege and that the policies implementing said usage are requirements that mandate adherence. Staff Responsibilities and Accountability Effective information security requires staff involvement as it relates to their jobs. Staff is accountable for their actions and therefore they own any events occurring under their user identification code(s). It is staff’s responsibility to abide by policies and procedures of all networks and systems with which they communicate. Access of personal or private Internet Service Providers while using RLK Products provided information technology resources or using non-RLK Products provided information technology resources to conduct RLK Products business does not indemnify any entity from the responsibilities, accountability and/or compliance with this or other RLK Products policies. Staff responsibilities include but are not limited to: · Access and release only the data for which you have authorized privileges and a need to know (including misdirected e-mail) 6|Page
  • 7. · Abide by and be aware of all policies and laws (local, state, federal, and international) applicable to computer system use · Report information security violations to the Information Security Officer or designee and cooperate fully with all investigations regarding the abuse or misuse of state owned information technology resources · Protect assigned user IDs, passwords, and other access keys from disclosure · Secure and maintain confidential printed information, magnetic media or electronic storage mechanisms in approved storage containers when not in use and dispose of these items in accordance with RLK Products policy · Log off of systems (or initiate a password protected screensaver) before leaving a workstation unattended · Use only RLK Products acquired and licensed software · Attend periodic information security training provided by RLK Products IT Security Branch · Follow all applicable procedures and policies © SANS Institute 2001, Author retains full rights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 7|Page
  • 8. Who’s responsible? Risk and Contingency Manager is responsible for administering and managing the facility’s risk management program. They develop and implement the organization’s risk management program in a manner that fulfills the mission and strategic goals of the organization while complying with state and federal laws and accreditation standards related to safety and risk management. They develop and implement systems, policies, and procedures for the identification, collection and analysis of risk related information. They educate and train the leadership, staff and business associates as to the risk management program, and their respective responsibilities in carrying out the risk management program. They lead, facilitate, and advise departments in designing risk management programs within their own departments. They collect, evaluate, and maintain data concerning patient injuries, claims, worker’s compensation, and other risk- related data. They help investigate and analyze root causes, patterns, or trends that could result in compensatory or sentinel events. They help to identify and implement corrective action where appropriate. They provide a quarterly summary to the Board on incidents, claims, and claim payments. They serve as the organization’s liaison to the organization’s insurance carrier. They assist in processing summonses and claims against the facility by working with legal counsel to coordinate the investigation, processing, and defense of claims against the organization. They actively participate in or facilitate committees related to risk management, safety, and quality improvement. 8|Page
  • 9. System Owner serves as the process owner for all ongoing activities related to the availability, integrity, and confidentiality of patient, provider, employee and business information in compliance with the healthcare organizations information security policies and procedures. Documents for information security policies and procedures instituted by the organizations Information Security Committee. Implements the organization’s information security policies and procedures. Provides direct information security training to all employees, contractors, alliances, and other third-parties. Monitors compliance with the organization’s information security policies and procedures among employees, contractors, alliances, and other third parties and refers problems to appropriate department managers or administrators. Monitor's internal control systems to ensure that appropriate information access levels and security clearances are maintained. Performs information security risk assessment and serves as the internal auditor for information security processes. Prepares the organization’s disaster recovery and business continuity plans for information systems. Serves as an internal information security consultant to the organization. Monitors advancement in information security technologies. Monitors changes in legislation and accreditation standards that affect information security. Initiates, facilitates, and promotes activities to foster information security awareness within the organization. Serves as the information security liaison for users of clinical, administrative, and behavioral systems. Reviews all system- related information security plans throughout the organization's network. Security Operations Manager provide supervisory oversight for day to day security operations of the site. Ensures all required reporting and contract compliance requirements are met by conducting regular performance reviews. Prepares reports or metrics as assigned to track data. Maintains daily contact with patients to solicit feedback regarding performance, operational requirements, and other issues pertaining to site operations. Building, improving and maintaining effective relationships with patients, employees and third-parties. Maintains administrative oversight for site operations including procedural changes, contact information, and works instructions. Assists in operational planning, emergency response, and other security related matters. Handles security issues in emergency situations in accordance with regulations, company policies and contract requirements. Computer Security Specialist plan, Coordinate and maintain an organization's information security. They educate users about computer security, install security software, monitor network for security breaches, respond to cyber-attacks and, in some cases, gather data and evidence to be used in prosecuting cyber-crime. Telecommunications Specialist focus on the interaction between computer and communities communications equipment. They designed voice, video and data communication systems, supervise the installation of the systems, and provide maintenance and other services after the systems are installed. They also test lines, oversees equipment repair, and may compile and maintain system records. Web Administrators are responsible for maintaining website. They oversee issues such as availability to users and speed of access, and are responsible for approving the content of the site. Web Administrators also collect and analyze data on web activity, traffic patterns and other metrics, as well as monitor in respond to user feedback. They are also responsible for the technical aspects of website creation. They use software languages and tools and create applications for the web. They identify the site’s users and oversee its product production and implementation. They determine the information that the site will contain and how it will be organized, and may use web development software to integrate databases and other information systems. Database Administrators work with data base management software and determine ways to store, organize, analyze, use and present data. They identify user needs and set up new computer databases. In many cases, database administrators must integrate data from old systems into a new system. They also test and coordinate modifications to the system when needed, and troubleshoot problems when they occur. They ensure performance of the system, 9|Page
  • 10. understands the platform on which database runs, and adds new users to the system. They plan and coordinate security measures with network administrators. Systems Architects are the designers of computer networks. They set up, test, and evaluate systems such as local area networks (LANs), wide area networks (WANs), the internet, intranets, and other data communications systems. Systems are configured in many ways and can range from a connection between two offices in the same building to globally distributed networks, voice mail and e-mail systems of a multinational organization. Network architects and engineers perform network modeling, analysis and planning, which often require both hardware and software solutions. For example, setting up a network may involve installation of several pieces of hardware, such as routers and hubs, wireless adapters and cables, as well as the installation and configuration of software, such as network drivers. These workers may also research related products and make necessary hardware and software recommendations, as well as the address information security issues. System Administrators are responsible for LANs, WANs, network segments, and Internet and intranet systems. They are also responsible for maintaining system efficiency. They ensure that the design of an organization's computer system allows all the components, including computers, the network, and software, to work properly together. Administrators also troubleshoot problems reported by users in by automated network monitoring systems and make recommendations for future system upgrades. They maintain network and system security, maintain network hardware and software, analyze problems, and monitor networks to ensure their availability to users. They gather data to evaluate the system's performance, identify user needs, and determine system and network requirements. Computer Security Specialist oversee all ongoing activities related to development, implementation, maintenance of, and adherence to policies and procedures covering security of and access to protected health information (PH I) in compliance to federal and state laws and health system security practices. The Computer Security Specialist ensures that periodic risk assessments and ongoing monitoring of key elements of the security program are monitored. They lead in the development and enforcement of information security policies and procedures, measures and mechanisms to ensure the prevention, detection, containment and correction of security incidents. They ensure that security standards comply with statutory and regulatory requirements regarding health information. Ensures that security policies are maintained that include: administrative security, personnel security, physical safeguards, technical security and transmission security. They provide assurance that appropriate documentation exists of response of the institution of the addressable portion of the security rule. Ensures that security procedures are maintained that include: evaluation of compliance with security measures; contingency plans for emergency and disaster recovery; security incident response process and protocols; testing of security procedures, measures and mechanisms, and continuous improvement; and security incident reporting mechanisms and sanction policy. Ensures that appropriate security measures and mechanisms are in place to guard against unauthorized access to electronically stored and/or transmitted patient data and protect against reasonably anticipated threats and hazards, including, when appropriate: integrity controls, authentication controls, access controls, encryption, and abnormal condition alarms, audit trails, entity authentication and events reporting. They oversee ongoing security monitoring of information systems, including: periodic information security risk assessment; functionality and gap analyses to determine the extent to which key business areas and infrastructure comply with statutory and regulatory requirements; and review of new information security technologies and counter- measures against threats to information or privacy. They oversee training programs, periodic security awareness reminders, and periodic security audits. This position serves as an instrumental resource regarding matters of informational security. Works with administration, legal counsel and other related parties to represent the organization information security interests with external parties (state or local government bodies) who undertake to adopt or amend security legislation, regulation, or standard. They coordinate with the appropriate departments and 10 | P a g e
  • 11. units to ensure timely development and implementation of corrective action plans in response to monitoring deficiencies and complaints. 11 | P a g e
  • 12. TABLE 1: SECURITY CONTROL CLASSES, FAMILY CLASS FAMILIES, AND IDENTIFIERS IDENTIFIER AC Access Control Technical AT Awareness and Training Operational AU Audit and Accountability Technical CA Certification, Management Accreditation, and Security Assessments CM Configuration Operational Management CP Contingency Planning Operational IA Identification and Technical Authentication IR Incident Response Operational MA Maintenance Operational MP Media Protection Operational PE Physical and Operational Environmental Protection PL Planning Management PS Personnel Security Operational RA Risk Assessment Management SA System and Services Management Acquisition SC System and Technical Communications Protection SI System and Information Operational Integrity NIST SP 800-53 Risk Assessment Framework Risk Assessment Framework introduces a structured, flexible, extensible, and repeatable process for managing organizational risk and achieving risk-based protection related to the operation and use of information. RLK Enterprises is an electronic medical records storage company and is subject to HIPPA Security Rule. The National Institute of Standards and Technology has created structure, guidelines and procedures that are required to be followed by Federal Agencies when dealing with electronic health information. They have made these available to commercial enterprises and actually recommend their use by the private sector. So we have decided to adopt most if not all of their recommended Risk Assessment Framework, with some scoping and customizing to the specific needs of RLK Enterprises. A Risk Management Policy has been created to: Protect RLK Enterprises from those risks of significant likelihood and consequence in the pursuit of the company’s stated strategic goals and objectives Provide a consistent risk management framework in which the risks concerning business processes and functions of the company will be identified, considered and addressed in key approval, review and control processes Provide assistance to and improve the quality of decision making throughout the company Meet legal or statutory requirements Encourage pro-active rather than re-active management 12 | P a g e
  • 13. Assist in safeguarding the company's assets -- people, data, property and reputation Health Insurance Portability and Accountability Act (HIPAA) HIPAA Security Rule The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). All HIPAA covered entities, which includes some federal agencies, must comply with the Security Rule. The Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard. Security Rule Goals and Objectives As required by the “Security standards: General rules” section of the HIPAA Security Rule, each covered entity must: • Ensure the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits; • Protect against any reasonably anticipated threats and hazards to the security or integrity of EPHI; and • Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule. In complying with this section of the Security Rule, covered entities must be aware of the definitions provided for confidentiality, integrity, and availability as given by § 164.304: • Confidentiality is “the property that data or information is not made available or disclosed to unauthorized persons or processes.” • Integrity is “the property that data or information have not been altered or destroyed in an unauthorized manner.” • Availability is “the property that data or information is accessible and useable upon demand by an authorized person.” NIST Risk Management Framework (RMF) The NIST RMF, illustrated in Figure 1, provides a disciplined, structured, extensible, and repeatable process for achieving risk-based protection related to the operation and use of information systems and the protection of EPHI. It represents an information security life cycle that facilitates continuous monitoring and improvement in the security state of the information systems within the organization. 13 | P a g e
  • 14. Figure 1 The steps listed in the NIST RMF create an effective information security program and can be applied to both new and legacy information systems within the context of a system development life cycle. A risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, policies, standards, or regulations. The flexible nature of the NIST RMF allows other communities of interest, such as private sector entities, to use the framework voluntarily either with the NIST security standards and guidelines or with industry-specific standards and guidelines. The RMF provides organizations with the flexibility needed to apply the right security controls to the right information systems at the right time to adequately protect the critical and sensitive information, missions, and business functions of the organization. Categorize the information system and the information resident within that system based on a FIPS 199 impact analysis. Select an initial set of security controls (i.e., security control baseline from Appendix D) for the information system based on the FIPS 199 security categorization and the minimum security requirements defined in FIPS 200; apply tailoring guidance from Section 3.3 as appropriate, to obtain the control set used as the starting point for the assessment of risk associated with the use of the system. Supplement the initial set of tailored security controls based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances. 14 | P a g e
  • 15. Document the agreed-upon set of security controls in the system security plan including the organization’s rationale for any refinements or adjustments to the initial set of controls. Implement the security controls in the information system. For legacy systems, some or all of the security controls selected may already be in place. Assess the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Authorize information system operation based upon a determination of the risk to organizational operations, organizational assets, or to individuals resulting from the operation of the information system and the decision that this risk is acceptable. Monitor and assess selected security controls in the information system on a continuous basis including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis. Risk Assessment Guidelines This appendix incorporates risk assessment concepts and processes described in NIST SP 800-30 Revision 1, Effective Use of Risk Assessments in Managing Enterprise Risk, the NIST Risk Management Framework, and the HIPAA Security Series: Basics of Risk Analysis and Risk Management. It is intended to assist covered entities in identifying and mitigating risks to acceptable levels. The purpose of a risk assessment is to identify conditions where EPHI could be disclosed without proper authorization, improperly modified, or made unavailable when needed. This information is then used to make risk management decisions on whether the HIPAA-required implementation specifications are sufficient or what additional addressable implementation specifications are needed to reduce risk to an acceptable level. Key Terms Defined When talking about risk, it is important that terminology be defined and clearly understood. This section defines important terms associated with risk assessment and management. • Risk is the potential impact that a threat can have on the confidentiality, integrity, and availability on EPHI by exploiting a vulnerability. • Threats are anything that can have a negative impact on EPHI. Threats are: Intentional (e.g., malicious intent); or Unintentional (e.g., misconfigured server, data entry error). • Threat sources are: Natural (e.g., floods, earthquakes, storms, tornados); Human (e.g., intentional such as identity thieves, hackers, spyware authors; unintentional such as data entry error, accidental deletions); or Environmental (e.g., power surges and spikes, hazmat contamination, environmental pollution). 15 | P a g e
  • 16. • Vulnerabilities are a flaw or weakness in a system security procedure, design, implementation, or control that could be intentionally or unintentionally exercised by a threat. • Impact is a negative quantitative and/or qualitative assessment of a vulnerability being exercised on the confidentiality, integrity, and availability of EPHI. It can be easy to confuse vulnerabilities and threats. An organization may be vulnerable to damage from power spikes. The threats that could exploit this vulnerability may be overloaded circuits, faulty building wiring, dirty street power, or too much load on the local grid. It is important to separate these two terms in order to assist in proper security control selection. In this example, security controls could range from installing UPS systems, additional fuse boxes, or standby generators, or rewiring the office. These additional security controls may help to mitigate the vulnerability but not necessarily for each threat. HIPAA Risk Assessment Requirements Standard 164.308(a)(1)(i), Security Management Process, requires covered entities to: Implement policies and procedures to prevent, detect, contain, and correct security violations. The Security Management Process standard includes four required implementation specifications. Two of these specifications deal directly with risk analysis and risk management. 1. Risk Analysis (R123) – 164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. 2. Risk Management (R) – 163.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a). How to Conduct the Risk Assessment: Risk assessments can be conducted using many different methodologies. There is no single methodology that will work for all organizations and all situations. The following steps represent key elements in a comprehensive risk assessment program, and provide an example of the risk assessment methodology described in NIST SP 800-30. It is expected that these steps will be customized to most effectively identify risk for an organization based on its own uniqueness. Even though these items are listed as steps, they are not prescriptive in the order that they should be conducted. Some steps can be conducted simultaneously rather than sequentially. 1. Scope the Assessment. The first step in assessing risk is to define the scope of the effort, resulting in a general characterization of the information system, its operating environment, and its boundary. To do this, it is necessary to identify where EPHI is created, received, maintained, processed, or transmitted. 16 | P a g e
  • 17. The scope of a risk assessment should include both the physical boundaries of a covered entity’s location as well as a logical boundary covering the media containing EPHI, regardless of its location. Ensure that the risk assessment scope takes into consideration the remote work force and telecommuters, and removable media and portable computing devices (e.g., laptops, removable media, and backup media). 2. Gather Information. During this step, the covered entity should identify: • The conditions under which EPHI is created, received, maintained, processed, or transmitted by the covered entity; and • The security controls currently being used to protect the EPHI. This step is essential to ensure that vulnerabilities and threats are correctly identified. For example, an invalidated belief that a policy is being followed can miss a potential vulnerability, and not knowing about portable media containing EPHI can miss a threat to that environment. The level of effort needed to gather the necessary information depends heavily on the scope of the assessment and the size of the covered entity. 3. Identify Realistic Threats. Often performed simultaneously with step 4, Identify Potential Vulnerabilities, the goal of this step is to identify the potential threat sources and compile a threat statement listing potential threat-sources that are applicable to the covered entity and its operating environment. The listing of threat sources should include realistic and probable human and natural incidents that can have a negative impact on an organizations ability to protect EPHI. Threats can be easily identified by examining the environments where EPHI is being used. Many external sources can be used for threat identification. Internet searches, vendor information, insurance data, and crime statistics are all viable sources of threat data. Examples of some common threat sources are listed in Table 5 below. Table 5. Common Threat Sources 17 | P a g e
  • 18. 4. Identify Potential Vulnerabilities. Often performed simultaneously with step 3, Identify Realistic Threats, the goal of this step is to develop a list of vulnerabilities (flaws or weaknesses) that could be exploited by potential threat sources. This list should focus on realistic technical and nontechnical areas where EPHI can be disclosed without proper authorization, improperly modified, or made unavailable when needed. Covered entities should use internal and external sources to identify potential vulnerabilities. Internal sources may include previous risk assessments, vulnerability scan and system security test results, and audit reports. External sources may include Internet searches, vendor information, insurance data, and vulnerability databases such as the National Vulnerability Database (http://nvd.nist.gov). 5. Assess Current Security Controls. Often performed simultaneously with step 2, Gather Information, the purpose of this step is to determine if the implemented or planned security controls will minimize or eliminate risks to EPHI. A thorough understanding of the actual security controls in place for a covered entity will reduce the list of vulnerabilities, as well as the realistic probability, of a threat attacking (intentionally or unintentionally) EPHI. Covered entities should evaluate technical and nontechnical security controls at all places where EPHI is created, received, maintained, processed, or transmitted. This evaluation should determine whether the security measures implemented or planned are adequate to protect EPHI, and whether those measures required by the Security Rule are in place, configured, and used properly. The appropriateness and adequacy of security measures may vary depending on the structure, size, and geographical dispersion of the covered entity. 6. Determine the Likelihood and the Impact of a Threat Exercising a Vulnerability. The next major step in measuring the level of risk is to determine the likelihood and the adverse impact resulting from a threat successfully exploiting a vulnerability. This information can be obtained from existing organizational documentation, such as business impact and asset criticality assessments. A business impact assessment prioritizes the impact levels associated with the compromise of an organization’s information assets based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. An asset criticality assessment identifies and prioritizes the sensitive and critical organization information assets (e.g., hardware, software, systems, services, and related technology assets) that support the organization’s critical missions. If these organizational documents do not exist, the system and data sensitivity can be determined based on the level of protection required to maintain the EPHI’s confidentiality, integrity, and availability. The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security objectives: integrity, availability, and confidentiality. Table 6 provides a brief description of each security objective and the consequence (or impact) of its not being met. Table 6. Security Objectives and Impacts 18 | P a g e
  • 19. Some tangible impacts can be measured quantitatively in terms of lost revenue, the cost of repairing the system, or the level of effort required to correct problems caused by a successful threat action. Other impacts, such as the loss of public confidence, the loss of credibility, or damage to an organization’s interest, cannot be measured in specific units but can be qualified or described in terms of high, medium, and low impacts. Qualitative and quantitative methods can be used to measure the impact of a threat occurring 7. Determine the Level of Risk. The purpose of this step is to assess the level of risk to the IT system. The determination of risk takes into account the information gathered and determinations made during the previous steps. The level of risk is determined by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. The risk-level determination may be performed by 19 | P a g e
  • 20. assigning a risk level based on the average of the assigned likelihood and impact levels. A risk-level matrix, such as the sample depicted in Table 7, can be used to assist in determining risk levels. Table 7. Sample Risk-Level Matrix 8. Recommend Security Controls. During this step, security controls that could mitigate the identified risks, as appropriate to the organization’s operations, are recommended. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. Security control recommendations provide input to the risk mitigation process, during which the recommended security controls are evaluated, prioritized, and implemented. It should be noted that not all possible recommended security controls can be implemented to reduce loss. To determine which ones are required and appropriate for a specific organization, a cost-benefit analysis should be conducted for the proposed recommended controls, to demonstrate that the costs of implementing the controls can be justified by the reduction in the level of risk. In addition to cost, organizations should consider the operational impact and feasibility of introducing the recommended security controls into the operating environment. 9. Document the Risk Assessment Results. Once the risk assessment has been completed (threat sources and vulnerabilities identified, risks assessed, and security controls recommended), the results of each step in the risk assessment should be documented. NIST SP 800-30 provides a sample risk assessment report outline that may prove useful to covered entities. Risk Assessment Results Affect Risk Management The results of a risk assessment play a significant role in executing an organization’s risk management strategy. In the context of the HIPAA Security Rule, the security control baseline, which consists of the standards and required implementation specifications, should be viewed as the foundation or starting point in the selection of adequate security controls necessary to protect EPHI. In many cases, additional security controls or control enhancements will be needed to protect EPHI or to satisfy the requirements of applicable laws, policies, standards, or regulations. 20 | P a g e
  • 21. The risk assessment provides important inputs to determine the sufficiency of the security control baseline. The risk assessment results, coupled with the security control baseline, should be used to identify which addressable implementation specifications should be implemented to adequately mitigate identified risks. Identification and Categorization of Information Types in RLK System We have identified the information types and assigned a category number on a scale of 1 to 5 according to the magnitude of harm resulting were the system to suffer a compromise of Confidentiality, Integrity, or Availability. NIST SP 800-60 provides a catalog of information types, and FIPS-199 provides a rating methodology and a definition of the three criteria. The overall FIPS-199 system categorization is the high water mark of the impact rating of all the criteria of all information types resident in the system. Category 0-1 -- The potential impact is LOW if— − The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals. Category 2-3 -- The potential impact is MODERATE if— − The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries. Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law. FIPS Publication 199 Standards for Security Categorization of Federal Information and Information Systems Category 4-5 -- The potential impact is HIGH if— − The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major 21 | P a g e
  • 22. damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries. Selection of Security Controls for System During the design and implementation life-cycle phase, a set of security controls must be selected and incorporated into the system implementation. NIST SP 800-53 provides a catalog of security controls in Special Publication 800-53, Revision 2 the following chart is a small sample of the security controls recommended, 22 | P a g e
  • 23. along with the control baselines. The following specific example shows the criteria for determining control baselines: 23 | P a g e
  • 24. Implementing and Documentation of the System Pertinent system information such as system boundaries, information types, constituent components, responsible individuals, description of user communities, interconnections with other systems and implementation details for each security control need to be documented in the system security plan. NIST SP 800-18 Rev 1 gives guidance on documentation standards. Additional documentation such as a contingency plan for the system also needs to be prepared at this stage. Guidance on contingency planning can be found in NIST SP 800-34. Performing Risk Assessment Once the controls implementation are documented, a risk assessment can be performed. A risk assessments starts by identifying potential threats and vulnerabilities, and maps implemented controls to individual vulnerabilities. One then determines risk by calculating the likelihood and impact of any given vulnerability being exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities, and describes whether the risk is to accepted or mitigated. If mitigated, one needs to describe what additional SP 800-53 controls will be added to the system. NIST SP 800-30 provides guidance on the risk assessment process. Certification of System Once the system documentation and risk assessment is complete, the system needs to have its controls assessed and certified to be functioning appropriately. For systems with a FIPS-199 categorization of Low, a self-assessment is sufficient for certification. For systems categorized at higher FIPS-199 levels, a certification performed by an independent 3rd party is required. NIST SP 800-26 provides guidance on the self-assessment process. NIST SP 800-53A provides guidance on the assessment methods applicable to individual controls. Accreditation (Authorization) of System Once a system has been certified, the security documentation package is reviewed by an accrediting official, 24 | P a g e
  • 25. who, if satisfied with the documentation and the results of certification, accredits the system by issuing an authorization to operate. This authorization is usually for a 3 year period, and may be contingent on additional controls or processes being implemented. NIST SP 800-37 provides guidance on the certification and accreditation of systems. Continuous Monitoring All accredited systems are required to monitor a selected set of security controls for efficacy, and the system documentation is updated to reflect changes and modifications to the system. Significant changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified. Guidance on continuous monitoring can be found in NIST SP 800-37 and SP 800-53A. Future Review of the IA/SO position The future review of the IA/SO position will take place every 6 months to evaluate if the processes put in place by the IA/SO are still relevant. Proposed Solution The above Framework of risk identification, security controls and mitigation procedures, when scoped to the particular needs and applied to the specific operation of RLK Enterprises, is designed to provide an acceptable level of data assurance as well as meeting Federal Government requirements and guidelines. 25 | P a g e
  • 26. 26 | P a g e
  • 27. 27 | P a g e
  • 28. 28 | P a g e
  • 29. 29 | P a g e