Information Systems Change Risk Assessment by try14207

System Security Plan (SSP) Training

Conducted by
Centers for Medicare & Medicaid Services

November 4 - 7, 2002
Faculty

- List instructors' contact information
Risk Assessment (RA) Methodology

- Describes the steps to produce the IS RA Report
- The Information Security Risk Assessment process is presented as the following three phases:
  - System Documentation Phase
  - Risk Determination Phase
  - Safeguard Determination Phase
System Documentation Phase
1.1 System Identification

Official System Name
System Acronym
System of Records (SOR)
Financial Management Investment Board (FMIB) Number    N/A
Web Support Team (WST) Number                          N/A
System Type (select one)                               GSS, MA or “Other” System

Name of Organization
Address
City, State, Zip
Contract Number, Contractor contact information (if applicable)
System Documentation Phase
1.1 System Identification (cont'd)

Name of Individual
Title
Name of Organization
Address
Mailstop
City, State, Zip
Email Address
Phone number
Contractor contact information (if applicable)
System Documentation Phase
1.1 System Identification (cont'd)

Name (SSO)
Title
Name of Organization
Address
Mailstop
City, State, Zip
Email Address
Phone number
Emergency Contact Information (name, phone and e-mail only)
System Documentation Phase
1.1 System Identification (cont'd)

1.2 Asset Identification
  1.2.1 System Environment and Special Considerations
  1.2.2 System Interconnection/Information Sharing
1.3 System Security Level
Risk Determination Phase

1) Identify potential dangers to information and systems (threats).
2) Identify the system weaknesses that could be exploited (vulnerabilities) and associate each with a threat to generate the threat/vulnerability pair.
3) Identify existing controls that reduce the risk of the threat exploiting the vulnerability.
4) Determine the likelihood of occurrence of a threat exploiting a related vulnerability, given the existing controls.
5) Determine the severity of impact on the system of an exploited vulnerability.
6) Determine the risk level for the threat/vulnerability pair, given the existing controls.

This six-step Risk Determination process is conducted for each identified threat/vulnerability pair.
Risk Determination Phase (cont'd)
Risk Determination Table

Item No. | Threat Name | Vulnerability Name | Risk Description | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level
Risk Determination Phase (cont'd)
Likelihood of Occurrence Levels

Likelihood   Description
Negligible   Unlikely to occur.
Very Low     Likely to occur two/three times every five years.
Low          Likely to occur once every year or less.
Medium       Likely to occur once every six months or less.
High         Likely to occur once per month or less.
Very High    Likely to occur multiple times per month.
Extreme      Likely to occur multiple times per day.
Risk Determination Phase (cont'd)
Impact Severity Levels

Impact Severity   Description
Insignificant     Will have almost no impact if the threat is realized and exploits the vulnerability.
Minor             Will have some minor effect on the system. It will require minimal effort to repair or reconfigure the system.
Significant       Will result in some tangible harm, albeit negligible and perhaps only noted by a few individuals or agencies. May cause political embarrassment. Will require some expenditure of resources to repair.
Damaging          May cause damage to the reputation of system management, and/or notable loss of confidence in the system's resources or services. It will require expenditure of significant resources to repair.
Serious           May cause considerable system outage, and/or loss of connected customers or business confidence. May result in compromise of a large amount of Government information or services.
Critical          May cause an extended system outage, or the system to be permanently closed, causing operations to resume in a Hot Site environment. May result in complete compromise of Government agencies' information or services.
Risk Determination Phase (cont'd)
Risk Levels Table

Likelihood of   Impact Severity
Occurrence      Insignificant  Minor     Significant  Damaging  Serious   Critical
Negligible      Low            Low       Low          Low       Low       Low
Very Low        Low            Low       Low          Low       Moderate  Moderate
Low             Low            Low       Moderate     Moderate  High      High
Medium          Low            Low       Moderate     High      High      High
High            Low            Moderate  High         High      High      High
Very High       Low            Moderate  High         High      High      High
Extreme         Low            Moderate  High         High      High      High
Safeguard Determination Phase (4 steps)

1) Identify the controls/safeguards to reduce the risk level of an identified threat/vulnerability pair, if the risk level is Moderate or High.
2) Determine the residual likelihood of occurrence of the threat if the recommended safeguard is implemented.
3) Determine the residual impact severity of the exploited vulnerability once the recommended safeguard is implemented.
4) Determine the residual risk level for the system.
Safeguard Determination Phase
Safeguard Determination Phase Table

- Use Table 5 to summarize the analysis performed during the Safeguard Determination Phase.
- Use the item numbers created for Table 1 as reference in Table 5 to correlate the analysis summarized in both tables to the same threat/vulnerability pair and associated risk level.

Item No. | Recommended Safeguard Description | Residual Likelihood of Occurrence | Residual Impact Severity | Residual Risk Level
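The six Risk Determination steps and the four Safeguard Determination steps above reduce to a lookup in the Risk Levels Table, followed by a second lookup using the residual ratings. The Python below is an added example and is not part of the CMS training material or the RA Methodology: it encodes the Likelihood of Occurrence, Impact Severity and Risk Levels tables exactly as they appear on the slides, checks that the table never lowers risk as likelihood or impact rises, and produces the Table 1 risk level and the Table 5 row for one constructed threat/vulnerability pair. The pair's vulnerability text is taken from the V2 row of the Section 2.1 sample chart; the threat wording, the existing controls and the likelihood/impact ratings are assumptions chosen so that the result reproduces that chart's HIGH-to-Low outcome.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Likelihood(IntEnum):
    """Likelihood of Occurrence levels, least to most likely (from the slides)."""
    NEGLIGIBLE = 0
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5
    EXTREME = 6


class Impact(IntEnum):
    """Impact Severity levels, least to most severe (from the slides)."""
    INSIGNIFICANT = 0
    MINOR = 1
    SIGNIFICANT = 2
    DAMAGING = 3
    SERIOUS = 4
    CRITICAL = 5


# Risk Levels Table transcribed from the slide: one row per likelihood,
# one column per impact severity in Impact order.
RISK_TABLE = {
    Likelihood.NEGLIGIBLE: ("Low", "Low", "Low", "Low", "Low", "Low"),
    Likelihood.VERY_LOW:   ("Low", "Low", "Low", "Low", "Moderate", "Moderate"),
    Likelihood.LOW:        ("Low", "Low", "Moderate", "Moderate", "High", "High"),
    Likelihood.MEDIUM:     ("Low", "Low", "Moderate", "High", "High", "High"),
    Likelihood.HIGH:       ("Low", "Moderate", "High", "High", "High", "High"),
    Likelihood.VERY_HIGH:  ("Low", "Moderate", "High", "High", "High", "High"),
    Likelihood.EXTREME:    ("Low", "Moderate", "High", "High", "High", "High"),
}
RANK = {"Low": 0, "Moderate": 1, "High": 2}


def risk_level(likelihood: Likelihood, impact: Impact) -> str:
    """Risk Determination step 6: look up the risk level for one pair."""
    return RISK_TABLE[likelihood][impact]


def table_is_monotone() -> bool:
    """Sanity check: risk must never decrease as likelihood or impact rises."""
    rows = [RISK_TABLE[lik] for lik in Likelihood]
    for r, row in enumerate(rows):
        for c, level in enumerate(row):
            if c and RANK[row[c - 1]] > RANK[level]:
                return False          # risk dropped while impact rose
            if r and RANK[rows[r - 1][c]] > RANK[level]:
                return False          # risk dropped while likelihood rose
    return True


@dataclass
class ThreatVulnPair:
    """One row of the Risk Determination Table (Table 1)."""
    item_no: int
    threat: str
    vulnerability: str
    existing_controls: str
    likelihood: Likelihood
    impact: Impact

    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)


@dataclass
class Safeguard:
    """Recommended safeguard plus the analyst's residual ratings."""
    description: str
    residual_likelihood: Likelihood
    residual_impact: Impact


def safeguard_determination(pair: ThreatVulnPair, sg: Safeguard) -> Optional[dict]:
    """Safeguard Determination steps 1-4: build the Table 5 row for a pair.

    Returns None when the current risk is Low, since the methodology only calls
    for safeguards on Moderate or High risk. The item number is carried over so
    the Table 5 row correlates with its Table 1 row.
    """
    if pair.risk() not in ("Moderate", "High"):
        return None
    return {
        "item_no": pair.item_no,
        "safeguard": sg.description,
        "residual_likelihood": sg.residual_likelihood.name,
        "residual_impact": sg.residual_impact.name,
        "residual_risk": risk_level(sg.residual_likelihood, sg.residual_impact),
    }


# Constructed sample pair. The vulnerability follows row V2 of the Section 2.1
# sample chart; threat, existing controls and ratings are assumptions.
BACKUP_TAPES = ThreatVulnPair(
    item_no=2,
    threat="Fire or flood at the primary processing site (assumed)",
    vulnerability="Backup tapes are not stored off-site",
    existing_controls="Daily and weekly backups kept on-site only (assumed)",
    likelihood=Likelihood.LOW,
    impact=Impact.SERIOUS,
)
OFFSITE_STORAGE = Safeguard(
    description="Store backup tapes off-site, as well as on-site",
    residual_likelihood=Likelihood.LOW,
    residual_impact=Impact.MINOR,
)

if __name__ == "__main__":
    print("Table check passes:", table_is_monotone())
    print("Table 1 risk level:", BACKUP_TAPES.risk())
    print("Table 5 row:", safeguard_determination(BACKUP_TAPES, OFFSITE_STORAGE))
```

Keeping the table as data rather than as nested if/else keeps the lookup auditable against the slide, and the monotonicity check catches the most common transcription error in a risk matrix: a cell that rates a worse likelihood or impact as less risky than its neighbour.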
Risk Assessment Process Flow

RA Methodology

Questions?
Course Objectives

- Understand:
  - SSP methodology Version 3.0 (DRAFT)
  - Certification & Documentation Requirements for SSPs
  - SSPs within the Information Systems Security Program
Legal Requirements

- Computer Security Act of 1987
- OMB A-130, Appendix III
- Government Information Systems Reform Act (GISRA) of 2000
- Contractual
CMS Requirements

- CMS SSP Methodology Version 3.0 (DRAFT)
- CMS Risk Assessment (RA) Methodology Version 1.1
CMS SSP Architecture

- 3-Tier Architecture for CMS Systems:
  - Master
  - General Support System (GSS)
  - Major Application (MA)

(SSP Methodology, Section 1.2)
General Support Systems

- Defined as elements of the infrastructure that provide support for a variety of users and/or applications under the same direct management control
- Normally includes hardware, software, information, data, applications, communication, facilities, and people
- Users may be from the same or different organizations
- Physical platform and infrastructure with environmental software

(SSP Methodology, Section 1.4.1)
Major Applications

- Systems, usually software applications, that support a clearly defined business function for which there are readily identifiable security considerations and needs
- Application code
- Examples include: MCS, FISS, CWF

(SSP Methodology, Section 1.4.2)
BP SSP Documentation

- Tab A: Certification Form
- Tab B: Accreditation Form
- Tab C: System Security Plan with Appendices & Attachments
- Tab D: Summaries and References

(SSP Methodology, Section 4.3)
BP SSP Formal Submission

- The original Certification Form with all signatures must be forwarded to:
  [address]
- The SSP with a copy of the Certification Form must be filed in your Security Profile.

(SSP Methodology, Section 4.3)
Reviewing and Updating an SSP

- Security may degrade over time as technology changes
- Changes occur to authorizing legislation or requirements
- People and procedures change

(SSP Methodology, Section 4.5)
Certification

Acceptance of the security risk by the system owner

- Requirement for all CMS systems
- Based on a technical evaluation of a system to see how well it meets security requirements
- System Owner/Manager, ISSO/SSO, and System Maintainer/Manager must sign the certification form

(SSP Methodology, Section 4.6)
Re-Certification

- Major system modification
- Change in security profile
- Serious security violation occurs
- Changes to threat environment
- Every year
- Expiration of Certification

(SSP Methodology, Section 4.6)
Accreditation

Accepts the risk of the system as it impacts the rest of the agency, as certified by the system owner

- CMS Internal Systems: formal accreditation by the CIO or Sr. Systems Security Advisor (SSA)
  - Must authorize in writing the use of each system based on the SSP documentation, certification and the level of risk

(SSP Methodology, Section 4.7)
BP SSP Development Hints

- The SSP is not:
  - a future planning document
  - an opportunity to educate the reader on security terminology, controls, best practices, etc.
  - a document to restate the CMS views on SSP methodology
- The SSP is:
  - a document that describes the current operation
  - a statement of what is and what is not in place, with any rationale or compensating measures for what is not in place
- Does not need to be developed from scratch
SSP Development Hints

- Refer to/use existing system documentation
- Must contain a high-level summary of technical information about the system, its security requirements, and the controls implemented to provide protection against its vulnerabilities
- Where possible provide references to policy/procedures, the responsible component, and how it can be reviewed
- Must be dated to allow ease of tracking modifications and approvals
- Use a 3-ring binder for the certified SSP
- Maintain a history of all documentation and sign-offs
Questions?
System Security Plan Sections

An Executive Summary is OPTIONAL. If included, provide a summary of each of the first four sections of the SSP.

Section 1: System Identification
Section 2: Management Controls
Section 3: Operational Controls
Section 4: Technical Controls
Section 1: System Identification

1.1  System Name/Title
1.2  Responsible Organization
1.3  Information Contact(s)
1.4  Assignment of Security Responsibility
1.5  System Operational Status
1.6  General Description / Purpose
1.1 System Name/Title

- Official name and title of the system, including acronym (example: Fiscal Intermediary Standard System (FISS))
- SOR #
- Financial Management Investment Board (FMIB) #: N/A
- Web Support Team (WST) #: N/A
1.2 Responsible Organization

- Name of Organization, address, city, state, zip, contract number, contractor name (if applicable)
1.3 Information Contact(s)

- Title, organization, address, city, state, zip, e-mail address, and phone number for:
  - SSP Author
  - System Owner/Manager
  - System Maintainer/Manager
  - Business Owner/Manager
1.4 Assignment of Security Responsibility

- Title, organization, address, city, state, zip, email address, and phone number for:
  - Individual(s) responsible for security from the BP
  - Component Information System Security Officer/System Security Officer (ISSO/SSO)
- Emergency contact information (name and phone number of a different person for backup)
- NOTE: This section must contain 4 different individuals
1.5 System Operational Status

- New
- Operational
- Undergoing a major modification
1.6 General Description / Purpose

- New “check one only” block for CMS On-site systems, CMS Off-site systems or External Business Partners (Medicare Contractors)
- Brief description (1-3 paragraphs) of the purpose of the system and the organizational processes supported (include major inputs/outputs, users and major business functions performed)
- If GSS, include all applications supported, including functions and information processed
1.6.1 System Environment and Special Considerations

- Brief (1-3 paragraphs) general description of the technical system describing the flow of data and processes through the infrastructure covered by the SSP
- Describe environmental factors that raise special security concerns
- Document the physical location of the system
- Provide a network diagram or schematic to help identify, define, and clarify the system boundaries
1.6.2 System Interconnection / Information Sharing

- Describe any system interconnections and/or information sharing (inputs and outputs) outside the scope of this plan
- Include information on the authorization for connection to other systems or the sharing of information
- Written management authorization must be obtained prior to connection
- Document any written management authorizations (MOA/MOU or Data Exchange Agreement)
1.6.2 System Interconnection / Information Sharing (cont'd)

- For GSSs, describe the various components and sub-network connections and/or interconnections to the LAN or WAN
- For MAs, provide a description of the major application and sub-applications along with other software interdependencies
1.6.3 Applicable Laws or Regulations

- List the laws and regulations not already listed in the CMS Master Plan
- Any laws or regulations that establish system-specific requirements for confidentiality, integrity, availability, auditability, and accountability of information in the system
1.6.4 General Description of Information Security Level

- Appendix B, SSP Methodology
  - Information Security Levels Table
    - Information Security Levels by Information Categories
- The Information Owner (CMS) must define the Information Security Level
  - Claims processing systems have an Information Security Level of …
Section 1

Questions?
2.0 Management Controls

Management controls focus on the management of the computer security system and the management of risk for a system.

2.1 Risk Assessment and Risk Management
2.2 Review of Security Controls
2.3 Rules of Behavior
2.4 Planning for Security in the Life Cycle
2.1 Risk Assessment and Risk Management

- Attach the risk assessment to the SSP and provide a summary in this section including:
  - Value of the system or application (i.e., assets) ??
  - Threats
  - Vulnerabilities
  - Effectiveness of current or proposed safeguards
  - Describe the methods used to assess the nature and level of risk to the GSS or MA
  - Identify the risk assessment methodology used
- Complete the chart in Section 2.1 of the SSP
Sample RA Charts for 2.1

RISK ASSESSMENT (first four columns) | RISK MANAGEMENT (last two columns)

Vulnerability | Risk Level | Recommended Safeguard | Residual Risk | Status of Safeguard | Updated Risk
V1: The assigned ISSO to the DSRDS GSS lacks the technical knowledge specific to this system | HIGH | Ensure the ISSO assigned responsibility to the DSRDS GSS has complete understanding of the system and receives appropriate levels of training | Low | Continuous training for the ISSO will be scheduled as training funds become available | HIGH
V2: Backup tapes are not stored off-site | HIGH | Store backup tapes off-site, as well as on-site | Low | 3 cycles of weekly and daily backup tapes are stored off-site | Low
2.2 Review of Security Controls

- Summarize any/all security evaluations conducted within the last 12 months on the system (e.g. SAS-70, GAO, IG, Internal Revenue Service, Self Assessments, CAST, audits); for each review:
  - Who performed the review
  - When the review was performed
  - The findings and actions taken as a result of the review
  - Where the final report is located and who to contact for review of the final report
2.3 Rules of Behavior

- Provide a summary of the ROB, reference policy and how it can be reviewed
  - Describe and document the system-specific rules of behavior or “code of conduct” of users of the GSS or MA
  - Must include the consequences of non-compliance
  - Must clearly state the exact behavior expected of each person
  - Include appropriate limits on interconnections to other systems
  - Cover such matters as work at home, dial-in access, connection to the Internet, the assignment and limitation of system privileges
2.4 Planning for Security in the Life Cycle

- Summarize how security is handled by your corporation/business entity for each phase of the life cycle, reference policy and where it can be found
  - Phase 1: Pre-Development
  - Phase 2: Development
  - Phase 3: Post-Development
Section 2

Questions?
3.0 Operational Controls

Operational controls are the day-to-day procedures and mechanisms.

3.1  Personnel Security
3.2  Physical and Environmental Protection
3.3  Production, I/O Controls
3.4  Incident Response Capability
3.5  Contingency Planning
3.6  Hardware, Operating Systems and System Software Maintenance Controls
3.0 Operational Controls (cont'd)

3.7  Data Integrity/Validation Controls
3.8  Documentation
3.9  Security Awareness and Training
3.1 Personnel Security

- Provide a detailed summary of the personnel security requirements of your corporation/business entity, reference policy/procedures, the responsible component, and how it can be reviewed
  - IT-related positions require evaluation, sensitivity level designations and screening
  - Mechanisms in place for holding users accountable for their actions (individual accountability)
  - User access restrictions (least privilege)
  - Are critical functions divided among different individuals (separation of duties)
3.2 Physical & Environmental Protection

- Provide a detailed summary of physical and environmental protections, reference policy/procedures, the responsible component, and how it can be reviewed
  - Describe and document the physical security and environmental controls
  - List attributes of the physical protection afforded the area where processing of the MA system takes place:
    - Access Controls
    - Fire Safety Factors
    - Water sensors
    - Plumbing
    - Raised floor access
    - Emergency exits
3.3 Production, I/O Controls

- Summarize hardcopy and media controls in place, reference policy/procedures, the responsible component, and how it can be reviewed
  - Handling, processing, storage, and disposal of media
  - System-unique production rules, if any
  - Describe Help-Desk support, if any is provided
3.4 Incident Response

Applies to GSS system security plans only; for MAs refer to the GSS

- Summarize the following information, reference policy and how it can be reviewed
  - Detail the preventative measures in place (automated intrusion detection tools, automated audit logs, penetration testing)
  - Describe the procedures for recognizing, handling, and reporting incidents
  - Document who responds to alerts/advisories
  - Describe and document the formal incident response capability and the capability to provide users with help when an incident occurs
3.5 Contingency Planning

- Provide a detailed summary of the contingency plan, reference policy and how it can be reviewed
  - Discuss the arrangement and planned safeguards to ensure the alternate processing site will provide an adequate level of security
  - Describe any documented backup procedures
  - Describe coverage of backup procedures and the physical location of stored backups
  - Describe the generations of backups kept
3.6 Hardware, Operating System, and System Software Maintenance Controls

- Summarize the security controls used to monitor the installation of and updates to hardware, operating system software, and other system software, to ensure that the hardware and software function as expected and that a historical record of system changes is maintained
  - 3.6.1  Configuration Management (GSS)
  - 3.6.2  Software Management (GSS)
  - 3.6.3  Application Software Management Controls (MA)
3.6.1 Configuration Management

Applies to GSS system security plans only; for MAs refer to the GSS

- Summarize Configuration Management procedures, reference policy and how it can be reviewed
  - Testing and/or approving system components prior to production
  - Impact analyses to determine the effect of proposed changes
  - Change identification, approval, and documentation procedures
3.6.2 Software Management (Environmental Software)

Applies to GSS system security plans only; for MAs refer to the GSS

- Summarize software management, reference policy and how it can be reviewed
  - Coordinate and control updates to environment software
  - Monitor installation and updates
  - Version control
  - Describe and document the policies for handling copyrighted software or shareware
3.6.3 Application Software Management Controls

Applies to MA security plans only

- Summarize Application Software Management Controls, reference policy and how it can be reviewed
  - Describe the application software controls (version control)
  - Describe the security controls used to monitor the installation and updates of the application software
  - Describe (or summarize and reference procedures):
    - If the application software is developed in-house or under contract
    - Who owns the software
    - How emergency fixes are handled
    - If test data is “live” data or made-up
3.7 Data Integrity/Validation Controls

- Summarize controls in place to prevent/detect destruction or unauthorized data modification, reference policy and how it can be reviewed
  - Virus detection and elimination software procedures
  - Reconciliation routines used by the system
  - Integrity verification programs used by the application to look for evidence of data tampering, errors, and omissions
  - System performance monitoring
  - Message authentication
3.8 Documentation

- Describe the set of formal materials which support the operation of the GSS or MA, its components, operations, and use
- List the existing documentation maintained, including the title, date, and office responsible for maintaining the documentation
3.8 Documentation (cont'd)

- Hardware and software descriptions
- Standard operating procedures
- Application requirements
- Application program documentation and specs
- Security policies, standards, procedures, and approvals
- Emergency procedures
- MOU/MOAs
- User manuals
- Backup procedures
3.9 Security Awareness and Training

- List the types and frequency of system-specific security training established, how the training is conducted, how attendance is documented and how the system owner ensures that it is conducted prior to allowing access
Section 3

Questions?
4.0 Technical Controls

Technical and logical controls in place to authorize or restrict users and information. For MAs, describe additional enhancements or modifications of the controls beyond the GSS.

4.1 Identification and Authentication
4.2 Authorization & Access Controls
4.3 Remote Users & Dial-Up Controls
4.4 Wide Area Network (WAN) Controls
4.5 Public Access Controls
4.6 Test Scripts/Results
4.7 Audit Trails
4.1 Identification & Authentication Controls

- Provide a detailed summary of the Identification and Authentication controls in place, reference policy and how it can be reviewed
  - Unique identification, e.g., UserId
  - Unique authentication, e.g., password
  - Maintenance of UserId and password
  - Length of password and frequency of password changes
  - For GSS, state the name of the software used to control all aspects of UserID and password
  - If used, describe biometrics or token controls
4.2 Authorization & Access Controls

- Provide a detailed summary of the procedures, hardware, and/or software used to control access to resources, reference policy and how it can be reviewed
  - Role-based access
  - Separation of duties
  - Usage of Access Control Lists (ACLs)
  - Security software and restricting access
  - How access is restricted between systems
  - Controls for detecting unauthorized access
  - Inactive user activity and automated disconnection
  - System access outside normal working hours
4.2 Authorization & Access Controls (cont'd)

  - How the access control mechanism supports individual accountability and audit trails
  - State the number of invalid access attempts that may occur and the actions taken when that limit is exceeded
  - If cryptography is used, provide a detailed summary of the methodology and key management procedures
  - Provide a sample system-specific warning banner
4.3 Remote Users & Dial-up Controls

- Provide a detailed summary of remote user and dial-up controls, reference policy and how it can be reviewed
  - Describe the type of remote access (dial, Internet) permitted
  - Functions that may or may not be authorized for remote use, i.e., differences from internal access permissions
4.4 Wide Area Networks (WAN) Controls

- Provide a detailed summary of the wide area network controls
  - Protection against unauthorized system penetration, Internet threats & vulnerabilities
  - Types of network connections, e.g., Internet
  - Describe additional hardware or technical controls that provide protection, e.g., firewalls, proxy servers
  - A network diagram can be included
4.5 Public Access Controls

- Provide a detailed summary of when or if public access is authorized, reference policy/procedures, the responsible component and how it can be reviewed
  - Access controls used to secure the system
  - Controls to prevent public users, if access is authorized, from modifying information on the system
  - Legal considerations of allowing access to the information
  - Describe the rationale for the use or non-use of warning banners and provide an example of the banners used for this system
  - If there is no public access, state “system does not allow public access”
4.6 Test Scripts/Results

- Summarize the findings of all tests/results
  - Describe the test scripts and results that were used to test the effectiveness of the security controls
  - Include the title, date, and office responsible for maintaining the test scripts/results
4.7 Audit Trails

- Provide a detailed summary of existing audit trails
  - Document the auditing mechanisms
  - Describe what is recorded, who reviews it, how often it is reviewed and what procedures are employed for corrective actions as a result of a finding
  - Describe when audit trails are employed, e.g., on a given cycle, continuously, when an incident occurs, etc.
  - Describe audit trail archive procedures, including how long they are kept, where they are stored, and on what media type
5.0 Appendices & Attachments

- Appendix A – Equipment List (Primarily for GSS)
- Appendix B – Software List
- Attachments
  - Risk Assessment (Required)
Section 4 & 5

Questions?