Project #3: Sample Cyber Security Profile
The security controls catalogued by the National Institute of Standards and Technology (NIST) (2014) provide a framework from which organizations can develop their information system security plans. While some organizations may struggle to implement every control as written, many address the controls through systems they already have in place. This paper analyzes the implementation of selected security controls by the Department of Health and Human Services (HHS) and recommends improvements to the information security program where necessary. Specifically, it examines the HHS implementation of risk assessment as it pertains to vulnerability scanning (update tool capability and privileged access), identification and authentication as it pertains to local access to privileged accounts and remote access, and incident response as it pertains to incident response training and incident handling.
Management Control – Risk Assessment
This class of controls focuses on minimizing the organization's computer security risk and is generally addressed by management through policy and documentation (HHS, 2014a). The risk assessment control family, specifically, addresses how an organization develops a risk management policy that satisfies the requirements imposed by executive orders, federal law, and other computer security legislation (Stoneburner, Goguen, & Feringa, 2002). By identifying the risks that exist within a system, assessing them, and then taking appropriate steps to reduce them, the organization is better able to protect the confidentiality, integrity, and availability of its systems. A comprehensive and well-established risk management policy secures IT systems, justifies budget expenditures, and provides confidence in IT systems based on performance evaluations and risk management processes (Stoneburner, Goguen, & Feringa, 2002).
Technical Control – Identification and Authentication
Technical controls prevent unauthorized access to the organization's networks and therefore provide automated protection of data, applications, and user content (HHS, 2014a). Identification and authentication controls establish policies that define the roles and responsibilities of individuals within the organization and put in place procedures ensuring that only authorized parties access restricted portions of the network and obtain control over systems and applications (Burr, Dodson, Newton, Perlner, Polk, Gupta, & Nabbus, 2013). According to Burr et al. (2013), there are four levels of assurance, each with requirements that must be met to decrease the likelihood of an authentication error. The Office of Management and Budget (OMB) provides a five-step process to aid organizations in ensuring that their selected technology meets the required electronic authentication standards.
Operational Control – Incident Response
Operational controls focus on decreasing the number of security risks and breaches that result from errors made by people rather than by systems (HHS, 2014a). They put in place the procedures and training that reduce human error, covering incident response, policies governing interaction with the media, system integrity, and other areas. Attacks often compromise personal and organizational data, and the benefit of a quality incident response policy is that it supports a systematic response to a security breach, allowing more vulnerable systems to be protected (Cichonski, Millar, Grance, & Scarfone, 2012). A current, maintained policy provides the guidance needed to ensure a swift, efficient, and organized response to a breach and also addresses the internal steps that may be needed to re-establish the security of the network.
Associated Control Enhancements
Vulnerability Scanning – Update Tool Capability
This control enhancement requires not only that the organization have a vulnerability scanning capability in place but that the scanning tools can be readily updated with the information system vulnerabilities to be scanned (NIST, 2014). HHS employs a system that not only scans for vulnerabilities but also updates the system as necessary (HHS, 2014a). In addition, the system tracks the changes made and produces a report, which the Chief Information Security Officer (CISO) then uses to adjust current training and implement new training (HHS, 2014a). The vulnerability scanning system in place allows HHS to stay current and ahead of potential threats by relying on proactive rather than reactive methods.
Vulnerability Scanning – Privileged Access
This control enhancement requires that the information system grant privileged access authorization to specified components for selected vulnerability scanning activities, so that scans can examine areas an unprivileged scanner cannot reach (NIST, 2014). HHS meets this standard by running a full security test and evaluation (ST&E), performed in conjunction with the security control assessment (SCA) (HHS, 2014a). The ST&E runs a full evaluation and audit of the system and its network and produces a report revealing the weaknesses and vulnerabilities found. From there, the information security department assesses the vulnerabilities and either issues an authorization to operate (ATO) to the system requesting to store, process, or transmit department data or denies the ATO. Every system within the department is required to undergo an SCA and ST&E on a routine basis.
Identification and Authentication
Local Access to Privileged Accounts
This control enhancement ensures that only individuals authorized to hold privileged accounts can access those accounts locally (NIST, 2014). It decreases the chance that an unauthorized user gains access to privileged information by requiring multifactor authentication to confirm that the individual requesting access is indeed an authorized official. HHS has taken several steps to fulfill this standard. Through the use of ID badges, personal identity verification (PIV) cards and PINs, and unique passwords for each application (HHS, 2014b), HHS has a strong starting point for ensuring that only authorized individuals access privileged information. HHS could improve its password controls, however, by implementing a system-wide password expiration under which each password expires after a specified period. According to the security training documents, not all applications enforce an automated time frame in which passwords must be reset (HHS, 2014b). The lack of automated expiration can expose applications to user neglect in protecting current passwords and to reuse of one password across systems. The PIV card mitigates the password issue, since it must be inserted into the computer for various applications to work; an added layer of protection through automatic expiration would still be worthwhile. One caveat: NIST's later guidance in SP 800-63B (2017), which superseded SP 800-63-2, advises against forcing periodic password changes unless there is evidence of compromise, so the more durable fix is to extend PIV-based multifactor authentication to every application that handles privileged information.
Remote Access
Remote access introduces risk because personal networks and devices may be used to reach privileged and confidential information. To meet the standard for this control enhancement, the organization must require multifactor authentication for remote access, with one of the factors provided by a device separate from the system gaining access (NIST, 2014). To ensure that neither the network nor any sensitive information is compromised while an employee accesses the network remotely, all aspects of the employee's role and the work to be performed must be taken into account before remote access is granted (HHS, 2001). HHS has created a policy with clear definitions of what type of information may be accessed remotely, the system that must be used, and the level of encryption that must be in place for the operation to be carried out. HHS requires that any information that needs to be saved be stored on a shared server rather than a personal storage device, to preserve the confidentiality and integrity of the data and to ensure that it is backed up daily (HHS, 2001). In addition to the technical requirements, there are standards for the employee: the employee must sign an agreement acknowledging the consequences should any information or network be compromised as a result of an action they take.
Incident Response Training
Incident response training prepares personnel for their incident response roles and, in doing so, reduces the number of incidents that arise from user (human) error. Incident response training (IRT) rests on the premise that the better the training staff receive and the more often they are given refresher courses, the less likely an incident is to occur through negligence. HHS ensures that its employees are properly trained in cyber security by appointing the Chief Information Security Officer (CISO) as the point person for facilitating information sharing across departments and for coordinating necessary training (HHS, 2010). To ensure that employees of all departments are properly trained, the CISO holds annual and as-needed overview training for the managers of each HHS department, covering the importance of information security, how HHS is to respond to an incident or breach, and the role each individual plays in implementing and maintaining the information security program (HHS, 2014a). In addition, the CISO has implemented security controls such as account deactivation procedures when an employee is terminated, to keep the organization's exposure as low as possible.
Incident Handling
HHS requires that any incident involving the loss or destruction of personally identifiable information, that is, unique personal data or any information that can be linked to an individual, be reported (HHS, 2014a). Incident handling as defined by NIST (2014) requires that the organization be prepared to handle incidents and have a capability in place to detect and analyze, contain, eradicate, and recover from a security breach. After handling and recovering from the breach, the organization must incorporate lessons learned from the incident into future training and education sessions. HHS has implemented all aspects of incident handling through a documented policy defining what is to happen in the event of a breach. According to the Breach Response Team (BRT) policy (HHS, 2008), when a breach is identified, the team convenes to assess and analyze the depth and breadth of the threat. After the analysis, the team moves to contain the threat by assigning specific duties to the responsible party to both contain and eradicate it. The final step in the HHS policy is to create a plan of action to be taken after the threat has been contained and eradicated (HHS, 2014a). Within HHS, as it pertains to this control enhancement, each member of the team has a role and understands how that role functions within the group: some members communicate with others based on the threat level of the breach, some address the situation once it arises, and some supervise according to clearance level and assigned responsibilities.
Only two areas of concern arise for this evaluator: the remote access policy has not been updated in over 14 years, and automatic expiration is not enforced for all application and system passwords. While the remote access policy may not require significant changes, smaller components may need updating, since technology has advanced significantly over the past decade and a half and some portions of the policy may be outdated. The lack of automated password expiration, as stated earlier, leaves an area of vulnerability due to human error and negligence; while the PIV cards strengthen the security controls, adding routine password changes, or, in line with later NIST guidance (SP 800-63B, 2017), extending PIV-based multifactor authentication to all applications, adds an extra layer of protection. Overall, based on the security controls assessed, HHS has created a fairly comprehensive and solid system security plan, and reassessing and addressing the two areas of concern can only make the plan more proactive and preventative.
Burr, W.E., Dodson, D.F., Newton, E.M., Perlner, R.A., Polk, W.T., Gupta, S., & Nabbus, E.A. (2013). Electronic authentication guidelines (NIST Special Publication 800-63-2). DOI: http://dx.doi.org/10.6028/NIST.SP.800-63-2
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST Special Publication 800-61r2). DOI: http://dx.doi.org/10.6028/NIST.SP.800-61r2
Department of Health and Human Services. (2001). HHS IRM policy for IT security for remote access (HHS Document Number HHS-IRM-2000-0005). Retrieved from: http://www.hhs.gov/ocio/policy/
Department of Health and Human Services. (2008). Personally identifiable information (PII) breach response team (BRT) policy (HHS Document Number HHS-OCIO-2008-0001.003). Retrieved from: http://www.hhs.gov/ocio/policy/20080001.003.html
Department of Health and Human Services. (2010). Policy for information technology (IT) security and privacy incident reporting and response (Policy 2010-0004 – OCIO). Retrieved from: http://www.hhs.gov/ocio/policy/hhs_ocio_policy_2010_0004.html
Department of Health and Human Services. (2014a). The department of health and human services information security for managers [PowerPoint slides]. Retrieved from: http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/infosecurity-managers.pdf
Department of Health and Human Services. (2014b). The department of health and human services information systems security awareness training [PowerPoint slides]. Retrieved from: http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/issa.pdf
National Institute of Standards and Technology. (2014). Assessing security and privacy controls in federal information systems and organizations (NIST Special Publication 800-53Ar4). DOI: http://dx.doi.org/10.6028/NIST.SP.800-53Ar4
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems (NIST Special Publication 800-30). Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf