Information Systems Change Risk Assessment by try14207


System Security Plan (SSP) Training

Conducted by
Centers for Medicare & Medicaid Services

November 4 - 7, 2002

List instructors' contact information

Risk Assessment (RA) Methodology

Describes the steps to produce the IS RA Report

The Information Security Risk Assessment process is presented as the following three phases:

  System Documentation Phase
  Risk Determination Phase
  Safeguard Determination Phase
System Documentation Phase
1.1 System Identification

Official System Name
System Acronym
System of Records (SOR)
Financial Management Investment Board (FMIB) Number: N/A
Web Support Team (WST) Number: N/A
System Type (select one): GSS, MA or “Other” System

Name of Organization
City, State, Zip
Contract Number, Contractor contact information (if applicable)
System Documentation Phase
1.1 System Identification (con’t)
Name of Individual
Name of Organization
City, State, Zip
Email Address
Phone number
Contractor contact information (if
System Documentation Phase
1.1 System Identification (con’t)
Name (SSO)
Name of Organization
City, State, Zip
Email Address
Phone number
Emergency Contact Information
(name, phone and e-mail only)
System Documentation Phase
1.1 System Identification (con’t)
1.2 Asset Identification
  1.2.1 System Environment and Special
  1.2.2 System Interconnection/Information Sharing

1.3 System Security Level

Risk Determination Phase

1) Identify potential dangers to information and systems (threats).
2) Identify the system weaknesses that could be exploited (vulnerabilities) associated to generate the threat/vulnerability
3) Identify existing controls that reduce the risk of the threat exploiting the vulnerability.
4) Determine the likelihood of occurrence for a threat exploiting a related vulnerability given the existing controls.
5) Determine the severity of impact on the system by an exploited
6) Determine the risk level for a threat/vulnerability pair given the existing controls.

This six-step process for Risk Determination is conducted for each identified threat/vulnerability pair.
Risk Determination Phase (con’t)
Risk Determination Table

Columns: Item No. | Threat Name | Vulnerability Name | Risk Description | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level

Risk Determination Phase (con’t)
Likelihood of Occurrence Levels

Likelihood   Description
Negligible   Unlikely to occur.
Very Low     Likely to occur two/three times every five years.
Low          Likely to occur once every year or less.
Medium       Likely to occur once every six months or less.
High         Likely to occur once per month or less.
Very High    Likely to occur multiple times per month.
Extreme      Likely to occur multiple times per day.
Risk Determination Phase (con’t)
Impact Severity Levels

Impact Severity   Description
Insignificant     Will have almost no impact if the threat is realized and exploits the vulnerability.
Minor             Will have some minor effect on the system. It will require minimal effort to repair or reconfigure the system.
Significant       Will result in some tangible harm, albeit negligible and perhaps only noted by a few individuals or agencies. May cause political embarrassment. Will require some expenditure of resources to repair.
Damaging          May cause damage to the reputation of system management, and/or notable loss of confidence in the system’s resources or services. It will require expenditure of significant resources to repair.
Serious           May cause considerable system outage, and/or loss of connected customers or business confidence. May result in compromise of a large amount of Government information or services.
Critical          May cause extended system outage or the system to be permanently closed, causing operations to resume in a Hot Site environment. May result in complete compromise of Government agencies’ information or services.
Risk Determination Phase (con’t)
Risk Levels Table

Likelihood   |                          Impact Severity
             | Insignificant  Minor     Significant  Damaging  Serious   Critical
Negligible   | Low            Low       Low          Low       Low       Low
Very Low     | Low            Low       Low          Low       Moderate  Moderate
Low          | Low            Low       Moderate     Moderate  High      High
Medium       | Low            Low       Moderate     High      High      High
High         | Low            Moderate  High         High      High      High
Very High    | Low            Moderate  High         High      High      High
Extreme      | Low            Moderate  High         High      High      High

Safeguard Determination Phase

1) Identify the controls/safeguards to reduce the risk level of an identified threat/vulnerability pair, if the risk level is moderate or high.
2) Determine the residual likelihood of occurrence of the threat if the recommended safeguard is implemented.
3) Determine the residual impact severity of the exploited vulnerability once the recommended safeguard is
4) Determine the residual risk level for the system.
Safeguard Determination Phase
Safeguard Determination Phase Table

Use Table 5 to summarize the analysis performed during the Safeguard Determination Phase.
Use the item numbers created for Table 1 as the reference in Table 5, so that the analysis summarized in both tables is correlated to the same threat/vulnerability pair and associated risk level.

Columns: Item No. | Recommended Safeguard Description | Residual Likelihood of Occurrence | Residual Impact Severity | Residual Risk Level
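A worked version of the Risk Determination and Safeguard Determination phases above, written as an added example (it is not code from the CMS methodology or from the training deck): the Risk Levels Table is encoded as a lookup, each threat/vulnerability pair gets its Table 1 risk level, and pairs rated Moderate or High carry the Table 5 residual-risk fields keyed by the same item number. The sample register, its likelihood and impact ratings, and the existing controls are constructed for this example; items 1 and 2 mirror the V1/V2 vulnerabilities of the deck's sample RA chart for Section 2.1.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Impact severity levels in the column order of the Risk Levels Table above.
IMPACT = ("Insignificant", "Minor", "Significant", "Damaging", "Serious", "Critical")

# Risk Levels Table: row = likelihood of occurrence, column = impact severity.
RISK_LEVELS = {
    "Negligible": ("Low", "Low", "Low", "Low", "Low", "Low"),
    "Very Low":   ("Low", "Low", "Low", "Low", "Moderate", "Moderate"),
    "Low":        ("Low", "Low", "Moderate", "Moderate", "High", "High"),
    "Medium":     ("Low", "Low", "Moderate", "High", "High", "High"),
    "High":       ("Low", "Moderate", "High", "High", "High", "High"),
    "Very High":  ("Low", "Moderate", "High", "High", "High", "High"),
    "Extreme":    ("Low", "Moderate", "High", "High", "High", "High"),
}


def risk_level(likelihood: str, impact: str) -> str:
    """Risk Determination step 6: risk level for one threat/vulnerability pair."""
    if likelihood not in RISK_LEVELS or impact not in IMPACT:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_LEVELS[likelihood][IMPACT.index(impact)]


@dataclass
class ThreatVulnPair:
    """One Table 1 row plus the Table 5 fields filled in during Safeguard Determination."""
    item_no: int
    threat: str
    vulnerability: str
    existing_controls: str
    likelihood: str
    impact: str
    safeguard: Optional[str] = None
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def needs_safeguard(self) -> bool:
        # Safeguard Determination step 1: only Moderate or High risk levels get a safeguard.
        return self.risk() in ("Moderate", "High")

    def residual_risk(self) -> Optional[str]:
        """Steps 2-4: risk level once the safeguard is in place; None if none is recommended."""
        if self.safeguard is None:
            return None
        if self.residual_likelihood is None or self.residual_impact is None:
            raise ValueError(f"item {self.item_no}: safeguard given without residual levels")
        return risk_level(self.residual_likelihood, self.residual_impact)


def missing_safeguards(pairs: List[ThreatVulnPair]) -> List[int]:
    """Item numbers rated Moderate/High that still have no recommended safeguard."""
    return [p.item_no for p in pairs if p.needs_safeguard() and p.safeguard is None]


def safeguard_table(pairs: List[ThreatVulnPair]) -> List[Tuple[int, str, str, str, str]]:
    """Table 5 rows (item no., safeguard, residual likelihood, residual impact, residual
    risk), keyed by the Table 1 item numbers so both tables refer to the same pair."""
    return [(p.item_no, p.safeguard, p.residual_likelihood, p.residual_impact,
             p.residual_risk()) for p in pairs if p.safeguard is not None]


# Constructed sample register (assumption, not CMS data). Items 1 and 2 follow the V1/V2
# vulnerabilities of the deck's sample RA chart; the threat names, existing controls,
# likelihood/impact ratings and items 3 and 4 are made up for this example.
SAMPLE = [
    ThreatVulnPair(1, "Mishandled security incident",
                   "Assigned ISSO lacks system-specific technical knowledge",
                   "General security awareness training", "High", "Significant",
                   "Ensure the ISSO has complete understanding of the system and "
                   "appropriate levels of training", "Low", "Minor"),
    ThreatVulnPair(2, "Loss of data center", "Backup tapes not stored off-site",
                   "Daily on-site backups", "Low", "Serious",
                   "Store backup tapes off-site as well as on-site", "Very Low", "Damaging"),
    ThreatVulnPair(3, "Physical intrusion", "Single entrance", "Badge access and guard",
                   "Negligible", "Critical"),            # Low risk: no safeguard required
    ThreatVulnPair(4, "Unauthorized access", "Shared operator account", "Audit logging",
                   "Medium", "Significant"),             # Moderate risk, not yet addressed
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"Item {p.item_no}: {p.risk():<8} -> residual {p.residual_risk()}")
    print("Items still needing a safeguard:", missing_safeguards(SAMPLE))
```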

Risk Assessment Process Flow
RA Methodology

Questions?

Course Objectives

Understand:
  SSP Methodology Version 3.0 (DRAFT)
  Certification & Documentation Requirements for SSPs within the Information Systems Security

Legal Requirements

  Computer Security Act of 1987
  OMB A-130, Appendix III
  Government Information Systems Reform Act (GISRA) of 2000
  Contractual

CMS Requirements

  CMS SSP Methodology Version 3.0 (DRAFT)
  CMS Risk Assessment (RA) Methodology Version 1.1

CMS SSP Architecture

3-Tier Architecture of CMS Systems:
  Master
  General Support System (GSS)
  Major Application (MA)

SSP Methodology, Section 1.2
General Support Systems

  Defined: elements of the infrastructure that provide support for a variety of users and/or applications under the same direct management control
  Normally includes hardware, software, information, data, applications, communication, facilities, and people
  Users may be from the same or different
  Physical platform and infrastructure with environmental software

SSP Methodology, Section 1.4.1
Major Applications

  Systems, usually software applications, that support clearly defined business functions for which there are readily identifiable security considerations and needs
  Application code
  Examples include: MCS, FISS, CWF

SSP Methodology, Section 1.4.2
BP SSP Documentation

  Tab A: Certification Form
  Tab B: Accreditation Form
  Tab C: System Security Plan with Appendices &
  Tab D: Summaries and References

SSP Methodology, Section 4.3
BP SSP Formal Submission

  Original Certification Form with all signatures must be forwarded to:
  SSP with a copy of the Certification Form must be filed in your Security Profile.

SSP Methodology, Section 4.3
Reviewing and Updating an SSP

  Security may degrade over time as technology
  Changes occur to authorizing legislation or
  People and procedures change

SSP Methodology, Section 4.5

Acceptance of the security risk by the system owner

  Requirement for all CMS systems
  Based on technical evaluation of a system to see how well it meets security requirements
  System Owners/Manager, ISSO/SSO, and System Maintainer/Manager must sign the certification form

SSP Methodology, Section 4.6

  Major system modification
  Change in security profile
  Serious security violation occurs
  Changes to threat environment
  Every year
  Expiration of Certification

SSP Methodology, Section 4.6

Accepts the risk of the system as it impacts the rest of the agency as certified by the system owner

  CMS Internal Systems: formal accreditation by CIO or Sr. Systems Security Advisor (SSA)
    Must authorize in writing the use of each system based on the SSP documentation, certification and the level of risk

SSP Methodology, Section 4.7
BP SSP Development Hints

The SSP is not:
  a future planning document
  an opportunity to educate the reader on security terminology, controls, best practices, etc.
  a document to restate the CMS views on SSP
The SSP is:
  a document that describes the current operation
  states what is and what is not in place, with any rationale or compensating measures for what is not in place
Does not need to be developed from scratch
SSP Development Hints

  Refer to/use existing system documentation
  Must contain a high-level summary of technical information about the system, its security requirements, and the controls implemented to provide protection against its vulnerabilities
  Where possible provide references to policy/procedures, the responsible component, and how it can be reviewed
  Must be dated to allow ease of tracking modifications and
  Use a 3-ring binder for the certified SSP
  Maintain a history of all documentation and sign-offs

Questions?

System Security Plan Sections

An Executive Summary is OPTIONAL. If included, provide a summary of each of the first four sections of the

  Section 1: System Identification
  Section 2: Management Controls
  Section 3: Operational Controls
  Section 4: Technical Controls

Section 1: System Identification

1.1  System Name/Title
1.2  Responsible Organization
1.3  Information Contact(s)
1.4  Assignment of Security Responsibility
1.5  System Operational Status
1.6  General Description / Purpose

1.1 System Name/Title

  Official name and title of the system, including (example:) Fiscal Intermediary Standard System (FISS)
  SOR #
  Financial Management Investment Board (FMIB)
  Web Support Team (WST) # N/A

1.2 Responsible Organization

  Name of Organization, address, city, state, zip, contract number, contractor name (if applicable)

1.3 Information Contact(s)

  Title, organization, address, city, state, zip, e-mail address, and phone number for:
    SSP Author
    System Owner/Manager
    System Maintainer/Manager
    Business Owner/Manager

1.4 Assignment of Security Responsibility

  Title, organization, address, city, state, zip, email address, and phone number for:
    Individual(s) responsible for security from BP
    Component Information System Security Officer/System Security Officer (ISSO/SSO)
  Emergency contact information (name and phone number of a different person for backup)
  NOTE: This section must contain 4 different individuals

1.5 System Operational Status

  New
  Operational
  Undergoing a major modification

1.6 General Description / Purpose

  New “check one only” block for CMS On-site systems, CMS off-site systems or External Business Partners (Medicare Contractors)
  Brief description (1-3 paragraphs) of the purpose of the system and the organizational processes supported (include major inputs/outputs, users and major business functions performed)
  If GSS, include all applications supported, including functions and information processed

1.6.1 System Environment and Special
  Brief (1-3 paragraphs) general description of the technical system describing the flow of data and processes through the infrastructure covered by the SSP.
  Describe environmental factors that raise special security concerns
  Document the physical location of the system
  Provide a network diagram or schematic to help identify, define, and clarify the system boundaries
1.6.2 System Interconnection / Information Sharing

  Describe any system interconnections and/or information sharing (inputs and outputs) outside the scope of this plan
  Include information on the authorization for connection to other systems or the sharing of
  Written management authorization must be obtained prior to connection
  Document any written management authorizations (MOA/MOU or Data Exchange Agreement)

1.6.2 System Interconnection / Information Sharing (cont’d)

  For GSSs describe the various components and sub-network connections and/or interconnections to LAN or WAN
  For MAs provide a description of the major application and sub-applications along with other software interdependencies

1.6.3 Applicable Laws or Regulations

  List the laws and regulations not already listed in the CMS Master Plan
  Any laws or regulations that establish system-specific requirements for confidentiality, integrity, availability, auditability, and accountability of information in the system

1.6.4 General Description of Information Security Level

  Appendix B, SSP Methodology: Information Security Levels Table
    Information Security Levels by Information
  Information Owner (CMS) must define the Information Security Level
    Claims processing systems have an Information Security Level of …

Section 1

Questions?

2.0 Management Controls

Management controls focus on the management of the computer security system and the management of risk for a system.

2.1 Risk Assessment and Risk Management
2.2 Review of Security Controls
2.3 Rules of Behavior
2.4 Planning for Security in the Life Cycle

2.1 Risk Assessment and Risk Management

  Attach the risk assessment to the SSP and provide a summary in this section including:
    Value of the system or application (i.e., assets) ??
    Threats
    Vulnerabilities
    Effectiveness of current or proposed safeguards
    Describe the methods used to assess the nature and level of risk to the GSS or MA
    Identify the risk assessment methodology used

  Complete the chart in Section 2.1 of the SSP

Sample RA Charts for 2.1

RISK ASSESSMENT columns: Vulnerability | Risk Level | Recommended Safeguard | Residual Risk
RISK MANAGEMENT columns: Status of Safeguard | Updated Risk

V1: The assigned ISSO to the DSRDS GSS lacks the technical knowledge specific to this system
  Risk Level: HIGH
  Recommended Safeguard: Ensure the ISSO assigned responsibility to the DSRDS GSS has complete understanding of the system and appropriate levels of training
  Residual Risk: Low
  Status of Safeguard: Continuous training for the ISSO will be scheduled as training funds become available
  Updated Risk: HIGH

V2: Backup tapes are not stored off-site
  Risk Level: HIGH
  Recommended Safeguard: Store backup tapes off-site, as well as on-site
  Residual Risk: Low
  Status of Safeguard: 3 cycles of weekly and daily backup tapes are stored
  Updated Risk: Low
2.2 Review of Security Controls

  Summarize any/all security evaluations conducted within the last 12 months on the system (e.g. SAS-70, GAO, IG, Internal Revenue Service, Self Assessments, CAST, audits); for each review:
    Who performed the review
    When the review was performed
    The findings and actions taken as a result of the review
    Where the final report is located and who to contact for review of the final report

2.3 Rules of Behavior

  Provide a summary of the ROB, reference policy and how it can be reviewed
    Describe and document the system-specific rules of behavior or “code of conduct” of users of the GSS or MA
    Must include the consequences of non-compliance
    Must clearly state the exact behavior expected of each
    Include appropriate limits on interconnections to other
    Cover such matters as work at home, dial-in access, connection to the Internet, the assignment and limitation of system privileges
2.4 Planning for Security in the Life Cycle

  Summarize how security is handled by your corporation/business entity for each phase of the life cycle, reference policy and where it can be
    Phase 1: Pre-Development
    Phase 2: Development
    Phase 3: Post-Development

Section 2

Questions?

3.0 Operational Controls

Operational controls are the day-to-day procedures and mechanisms.

3.1  Personnel Security
3.2  Physical and Environmental Protection
3.3  Production, I/O Controls
3.4  Incident Response Capability
3.5  Contingency Planning
3.6  Hardware, Operating Systems and System Software Maintenance Controls

3.0 Operational Controls (con’t)

3.7  Data Integrity/Validation Controls
3.8  Documentation
3.9  Security Awareness and Training

3.1 Personnel Security

  Provide a detailed summary of the personnel security requirements of your corporation/business entity, reference policy/procedures, the responsible component, and how it can be reviewed
    IT-related positions require evaluation and sensitivity level designations and screening
    Mechanisms in place for holding users accountable for their actions (individual accountability)
    User access restrictions (least privilege)
    Are critical functions divided among different individuals (separation of duties)
3.2 Physical & Environmental Protection

  Provide a detailed summary of physical and environmental protections, reference policy/procedures, the responsible component, and how it can be reviewed
    Describe and document the physical security and environmental controls
    List attributes of the physical protection afforded the area where processing of the MA system takes place:
      Access Controls
      Fire Safety Factors
      Water sensors
      Plumbing
      Raised floor access
      Emergency exits
3.3 Production, I/O Controls

  Summarize hardcopy and media controls in place, reference policy/procedures, the responsible component, and how it can be reviewed
    Handling, processing, storage, and disposal of media
    System-unique production rules, if any
    Describe Help-Desk support, if any is provided

3.4 Incident Response
Applies to GSS system security plans only; for MAs refer to the GSS

  Summarize the following information, reference policy and how it can be reviewed
    Detail the preventative measures in place (automated intrusion detection tools, automated audit logs, penetration testing)
    Describe the procedures for recognizing, handling, and reporting incidents
    Document who responds to alerts/advisories
    Describe and document the formal incident response capability and the capability to provide users with help when an incident occurs
3.5 Contingency Planning

  Provide a detailed summary of the contingency plan, reference policy and how it can be reviewed
    Discuss the arrangement and planned safeguards to ensure the alternate processing site will provide an adequate level of security
    Describe any documented backup procedures
    Describe coverage of backup procedures and physical location of stored backups
    Describe the generations of backups kept

3.6 Hardware, Operating System, and System Software Maintenance Controls

  Summarize security controls used to monitor the installation and updates to hardware, operating system software, and other system software to ensure that the hardware and software function as expected and that a historical record of system changes is maintained
    3.6.1  Configuration Management (GSS)
    3.6.2  Software Management (GSS)
    3.6.3  Application Software Management Controls (MA)
3.6.1 Configuration Management
Applies to GSS system security plans only; for MAs refer to the GSS

  Summarize Configuration Management Procedures, reference policy and how it can be
    Testing and/or approving system components prior to
    Impact analyses to determine the effect of proposed
    Change identification, approval, and documentation

3.6.2 Software Management (Environmental Software)
Applies to GSS system security plans only; for MAs refer to the GSS

  Summarize software management, reference policy and how it can be reviewed
    Coordinate and control updates to environment
    Monitor installation and updates
    Version Control
    Describe and document the policies for handling copyrighted software or shareware

3.6.3 Application Software Management Controls
Applies to MA security plans only

  Summarize Application Software Management Controls, reference policy and how it can be
    Describe the application software controls Version
    Describe the security controls used to monitor the installation and updates of the application software
    Describe (or summarize and reference procedures):
      If the application software is developed in-house or under contract
      Who owns the software
      How emergency fixes are handled
      If test data is “live” data or made-up
3.7 Data Integrity/Validation Controls

  Summarize controls in place to prevent/detect destruction or unauthorized data modification, reference policy and how it can be reviewed
    Virus detection and elimination software procedures
    Reconciliation routines used by the system
    Integrity verification programs used by the application to look for evidence of data tampering, errors, and
    System performance monitoring
    Message authentication
3.8 Documentation

  Describe the set of formal materials which support the operation of the GSS or MA, its components, operations, and use
  List the existing documentation maintained, including the title, date, and office responsible for maintaining the documentation

3.8 Documentation (con’t)

  Hardware and software descriptions
  Standard operating procedures
  Application requirements
  Application program documentation and specs
  Security policies, standards, procedures, and approvals
  Emergency procedures
  MOU/MOAs
  User manuals
  Backup procedures

3.9 Security Awareness and Training

  List the types and frequency of system-specific security training established, how the training is conducted, how attendance is documented and how the system owner ensures that it is conducted prior to allowing access

Section 3

Questions?

4.0 Technical Controls

Technical and logical controls in place to authorize or restrict users and information. For MAs, describe additional enhancements or modifications of the controls beyond the GSS.

4.1 Identification and Authentication
4.2 Authorization & Access Controls
4.3 Remote Users & Dial Up Controls
4.4 Wide Area Network (WAN) Controls
4.5 Public Access Controls
4.6 Test Scripts/Results
4.7 Audit Trails
4.1 Identification & Authentication

  Provide a detailed summary of the Identification and Authentication controls in place, reference policy and how it can be reviewed
    Unique identification, e.g., UserId
    Unique authentication, e.g., password
    Maintenance of UserId and password
    Length of password and frequency of password changes
    For GSS state the name of the software used to control all aspects of UserID and password
    If used, describe biometrics or token controls
4.2 Authorization & Access Controls

  Provide a detailed summary of procedures, hardware, and/or software used to control access to resources, reference policy and how it can be
    Role-based access
    Separation of duties
    Usage of Access Control Lists (ACLs)
    Security software and restricting access
    How access is restricted between systems
    Controls for detecting unauthorized access
    Inactive user activity and automated disconnection
    System access outside normal working hours

4.2 Authorization & Access Controls (con’t)

    How the access control mechanism supports individual accountability and audit trails
    State the number of invalid access attempts that may occur and the actions taken when that limit is exceeded
    If cryptography is used, provide a detailed summary of the methodology and key management procedures
    Provide a sample system-specific warning banner

4.3 Remote Users & Dial-up Controls

  Provide a detailed summary of remote users and dial-up controls, reference policy and how it can be
    Describe the type of remote access (dial, Internet)
    Functions that may or may not be authorized for remote use, i.e., differences from internal access permissions

4.4 Wide Area Networks (WAN)

  Provide a detailed summary of the wide area network controls
    Protection against unauthorized system penetration, Internet threats & vulnerabilities
    Types of network connections, e.g., Internet
    Describe additional hardware or technical controls to provide protection, e.g., firewalls, proxy servers
    Network Diagram can be included

4.5 Public Access Controls

  Provide a detailed summary of when or if public access is authorized, reference policy/procedures, the responsible component and how it can be reviewed
    Access controls used to secure the system
    Controls to prevent public users, if access is authorized, from modifying information on the system
    Legal considerations to allowing access to the information
    Describe the rationale for the use or non-use of warning banners and provide an example of the banners used for this system
    If no public access, state “system does not allow public access”

4.6 Test Scripts/Results

  Summarize the findings of all tests/results
    Describe the test scripts and results that were used to test the effectiveness of the security controls
    Include title, date, and office responsible for maintaining the test scripts/results

4.7 Audit Trails

  Provide a detailed summary of existing audit trails
    Document the auditing mechanisms
    Describe what is recorded, who reviews, how often they are reviewed and what procedures are employed for corrective actions as a result of a finding
    Describe when audit trails are employed, e.g., on a given cycle, continuously, when an incident occurs, etc.
    Describe audit trail archive procedures including how long they are kept, where stored, and what media type

5.0 Appendices & Attachments

  Appendix A – Equipment List (Primarily for GSS)
  Appendix B – Software List
  Attachments
    Risk Assessment (Required)

Section 4 & 5

Questions?