
System Security for Department of Human and Health Services - Essay Example

Summary
This paper "System Security for Department of Human and Health Services" focuses on the system security plan (SSP) which aims at providing an overview of federal information system security requirements as well as describing the current and planned controls for meeting the requirements.  …

Introduction

The system security plan (SSP) aims at providing an overview of federal information system security requirements as well as describing the current and planned controls for meeting the requirements. Furthermore, the SSP sets out the responsibilities and expected behavior of all individuals who access the information system. Thus, it should be perceived as documentation of the structured process for sufficient and cost-efficient planning of security protection for a general support system or major application. The SSP works in accordance with the guidelines provided under the National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev 4 Guide for Assessing Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans. The purpose of this cybersecurity profile is to provide an overview of the cybersecurity requirements for the HHS (Department of Human and Health Sciences) with a succinct description of how the management, operational, and technical controls in place, and those planned for the future, meet NIST’s requirements.

1. System Identification/Scope of Assessment

1.1. System Name

Healthcare Cybersecurity

1.2. Security Categorization

Security categorization defines categories of information systems in relation to the impact of loss. It involves the classification of information and information systems in accordance with the potential effect on an organization. The analysis also depends on the occurrence of events that might jeopardize the information and information systems required by the organization for the accomplishment of its mission, protection of its assets, fulfillment of its legal duties and protection of individuals. Security categorization is based on the vulnerability and threat information used in evaluating an organization’s risk.

The HHS management evaluates systems and assigns a level (low, moderate, high) in relation to the risk to HHS in case of a breach of security. The level depends on risks to the confidentiality, integrity, and availability of information (Barker, 2004).

1.2.1. Information System Type

It is the responsibility of HHS (System Owner) and its stakeholders to identify and establish the information system type. The security concern of HHS is to ensure that shared resources such as networks, communications and physical access within the whole general support system or major application are sufficiently protected. Therefore, it can be said that the information type held by HHS is mission-based (Barker, 2004). By virtue of the personal information of individuals held by HHS (HHS Cyber Security Program, 2014), the type of information system can be said to be Personally Identifiable Information.

1.2.2. Scope of Assessment

The potential impact of the loss of confidentiality and personally identifiable information held on a web server is moderate. The potential impact from the loss of integrity and that from the loss of availability are also moderate.

2. Management Control

Management controls deal with the management of the information system and the risk for the system. They are techniques and concerns which are usually addressed by the management. Management controls applied to the SSP system include:

2.1. Selected control: Risk assessment

2.1.1. Family Control #1: Vulnerability scanning – update by frequency

2.1.2. Implementation Status: The control has not been fully implemented.

NIST SP 800-53 Control: The organization should update the scanned information system vulnerabilities. It should also make updates on any new vulnerability identified and reported.

NIST SP 800-53 Control Enhancements: The organization should utilize vulnerability scanning tools that include the capacity to update the number of information vulnerabilities scanned.

NIST SP 800-53A (2010) Control Expected Results: HHS is expected to actively update vulnerabilities and make new rules and filters for protecting against newly discovered vulnerabilities.

2.1.3. Implementation of Control: HHS has established policies and procedures for organizations to identify and update vulnerabilities.

2.2.1. Family Control #2: Vulnerability scanning – discoverable information

2.2.2. Implementation Status: The control has not gone through the implementation process.

NIST (2007) SP 800-53 Control: HHS needs to discern the kind of information about the information system that is discoverable by adversaries.

NIST SP 800-53A (2010) Control Expected Results: HHS needs to support compliance with this requirement by providing relevant evidence through log inspection or audit records of the virtual or physical servers scanned.

2.2.3. Implementation of Control: HHS should implement adequate vulnerability scans.

3. Technical Control

Technical controls focus on security issues configured within the system. They guarantee automated protection from unauthorized access or misuse and enhance detection of unauthorized access.

3.1. Selected Control: Access control.

3.1.1. Family Control #1: Access control policy and procedures.

3.1.2. Implementation Status: The control has been partially implemented. HHS has developed and documented an access control policy addressing the purpose, functions, management commitment and compliance. HHS has also defined IT personnel and their roles. HHS has implemented access controls to the extent that it has identified IT administrators and empowered them to limit unauthorized access to information. Furthermore, there are penalties for individuals and organizations that access information on the web without authorization. However, the implementation is still inadequate because there are many cases of unauthorized access to information.

NIST (2007) SP 800-53: The information system implements authorizations for logical access to information as well as system resources in line with relevant access control policies.

NIST SP 800-53 Control Enhancements: Access implementation involves the regulation of information system accounts during login.

NIST SP 800-53A (2010) Control Expected Results: HHS has the responsibility of ensuring proper implementation of its policies.

3.1.3. Implementation of Control: HHS should set stricter policies and rules with regard to access control.

3.2.1. Family Control #2: Account Management.

3.2.2. Implementation Status: The control has been partially implemented.

NIST (2007) SP 800-53 Control: HHS should ensure the auditing of network sessions for accessing organization-defined security functions and other relevant information related to security.

NIST SP 800-53 Control Enhancements: The organization should employ automated mechanisms to encourage the management of information system accounts.

NIST SP 800-53A (2010) Control Expected Results: HHS should have a clearly defined security plan, explicitly or by reference.

3.2.3. Implementation of Control: HHS enforces and supports security safeguards for purposes of ensuring the cryptographic keys used for protecting the organization’s data are not disclosed. The organization also has a defined plan.

4. Operational Control

Operational controls focus on the mechanisms primarily implemented and executed by individuals rather than systems.

4.1. Selected Control: Configuration management.

4.1.1. Family Control #1: Configuration management policy and procedures.

4.1.2. Implementation Status: It has been fully implemented.

NIST (2007) SP 800-53 Control: The organization ensures the development, dissemination and periodical review or updates.

NIST SP 800-53 Control Enhancements: The organization’s configuration management procedures should address all areas identified in the policy and procedures.

NIST SP 800-53A (2010) Control Expected Results: The organization has all relevant configuration management policies and procedures as well as documents or records.

4.1.3. Implementation of Control: HHS has implemented adequate configuration management policies and procedures.

4.2.1. Family Control #2: Baseline configuration.

4.2.2. Implementation Status: This control has been fully implemented.

NIST (2007) SP 800-53 Control: The organization creates, records and keeps a current baseline configuration of the information system.

NIST SP 800-53 Control Enhancements: The organization carries out frequent updates on the baseline configuration of the information system.

NIST SP 800-53A (2010) Control Expected Results: The organization keeps the baseline configuration.

4.2.3. Implementation of Control: HHS has an effective baseline configuration that is updated frequently.

Conclusion

In conclusion, the SSP gives a summary of federal information system security expectations. It also describes the current and future controls necessary for achieving the expectations. In addition, it stipulates the duties and conduct of everyone who uses the information system. Throughout the process of actualizing its mandate, the SSP refers to the National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev 4 Guide for Assessing Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans. Meeting NIST standards is the SSP’s major concern. HHS analyzes each of its risks and categorizes them according to their intensity to make it easier to deal with them. This paper has offered an overview of the security requirements and the measures HHS has put in place in order to deal with the security needs in question.

References

Barker, C. W. (2004). Guide for Mapping Types of Information Systems to Security Categories. NIST Special Publication 800-60 V2.

HHS Cybersecurity Program. (2014). The Department of Health and Human Services Information Security for Managers.

NIST Special Publication 800-53A. (2008). Guide for Assessing the Security Controls in Federal Information Systems, Building Effective Security Assessment Plans.