Cybersecurity Profile - Essay Example

Cybersecurity Profile (System Security Plan (SSP) Number Lecturer Cybersecurity Profile (System Security Plan (SSP) Introduction As stipulated in the NIST Special Publication 800-53 Rev 4 Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans, each public organization is required to create a system security plan (SSP) or a cyber-security profile for all their minor and major information systems (NIST, 2012). Additionally, all federal regulations and the department of Treasury information technology security program requires that all the senior officials in-charge of information security should establish a security program for their departments (IRS, 2012). Given the nature of operations and the sensitivity of the information handled by IRS, it is paramount that confidentiality is accorded to these information. Essentially, the information security program includes security controls required for audit and accountability. They also ensure that appropriate identification and authentication controls, integrity controls and audit controls are implemented (NIST, 2012). Consequently, this document provides a cybersecurity profile for IRS, which will basically document the current and the planned controls including management, technical and operational controls for the IRS system. The paper will also address security concerns likely to affect the operating environment of the system. Security profiles/ controls NIST’s Special Publication 800-53 recommends several security controls for the IRS and similar agencies and organizations. These controls are mainly categorized as management controls, technical controls and operational controls (NIST, 2012). For purposes of this assignment, we will elaborate one control in each of the three broad categories. Management controls According to the internal Revenue Manual titled IRM 10.8.1, that contains policy and regulations that guide the IRS organization with regard to information security; management controls are controls that are management oriented (IRS, 2012). They are mainly concerned with the management of risks during the IRS normal system operations. The policy states that the organization shall implement management security controls aimed at mitigating the risk of electronic data and information and Information Technology applications loss in a bid to protect the mission of IRS (IRS, 2012). Planning Control (PL) Among the family of management controls is the Planning (PL) controls. Each information system must have a radiant and effective security plan (Barnard & Von Solms, 2000). Planning Control is a management control that addresses the security planning for each system in the IRS organization. In the IRS context, Planning controls with regard to information security include creation of security policies that will guide the organization in ensuring that there is availability of a security plan. The planning control is required in an organization to ensure that the institution has a working security plan for all their information systems (IRS, 2012). Planning control has several associated family identifiers, two of the associated identifiers include; security planning policy and procedures and system security plan identifiers (Barnard & Von Solms, 2000). a) Security Planning Policy and Procedures Implementation Status; this control is in place. IRS has implemented a security planning policy and procedures that guide the organization in matters information system security (IRS, 2012). In conformity with the NIST SP 800-53 security assessment guidelines the organization has prepared an Internal Revenue Manual that addresses the security planning and related issues. Part 10 of the IRM (10.8) is a formal documented, security planning policy that gives the purpose, roles, scope, responsibilities, coordination, management and compliance. It also provides a documented procedure that facilitate the implementation of the security planning policy and associated security planning controls (IRS, 2012). b) System security Plan The agency has implemented a system security plan for its information systems. The system security plan provides an overview of the security requirements for the information system and a description of the of all the security controls put in place or intended for implementation (IRS, 2012). IRS agency has implemented this control through the use of an IRM manual that comprise of all system security plans, policy and regulations that are implemented in the agency (IRS, 2012). Operation controls Operational controls focus on the mechanisms that are implemented by the management of the information system, the administration and the technical support. Operational controls are security controls that are essentially put in place to improve the overall system security (Barnard & Von Solms, 2000). According to the internal Revenue manual Part 10 Chapter 8 (IRM 10.8.1), IRS shall implement operational security controls that will secure the information systems in the organization (IRS, 2012). One of the operational controls is discussed in the following section: Security Training and Awareness (TA) controls Security Training and Awareness controls are needed to ensure that the employees in the agency have proper security awareness and training. This is achieved by security policies and procedures that have been established and implemented. NIST SP 800-53 recommends several security training and awareness family controls. This paper will look at two of the recommended family identifiers; a) Security training and awareness policy and procedure According the IRS IRM manual which acts as the agency’s security policy and procedure, the agency must develop and implement an IT security awareness and Training program for all its employees. The agency has a formal, well documented security training and awareness policy and procedure in place. The document addresses the purpose scope, roles, responsibilities, management, commitment, coordination and responsibilities among organization entities and management (IRS, 2012). b) Awareness The system users in the agency are required to undergo and complete a security awareness and training before they are granted access to the system (IRS, 2012). Additionally, they are required to undergo the training annually as long as they continue to use the system (IRS, 2012). Technical controls Technical controls are mainly concerned with the controls put in place to address the unauthorized access to the system resources and information. IRS is one of the crucial agencies that handles sensitive data and information that must be protected from unauthorized access using appropriate technical controls. One of the controls from the family of technical controls is the identification and authentication control (NIST, 2012). Identification and Authentication control The Identification and Authentication controls are a set of technical controls that are basically used to prevent unauthorized access to the system by individuals or processes (NIST, 2012). The control is a fundamental element of any information system and in this case the IRS that handles some of the crucial information. The control is needed to identify, authenticate and differentiate users when using the system. The following family of identifiers can be used in this control: a) User identification and Authentication IRS maintains a system that ensures that all users of the system are first identified and defined. The users are given different access privileges depending on their duties and responsibilities within the system. This also includes the processes that acts on behalf of the users of the system (IRS, 2012). The agency has a user identification and authentication procedure in place. The user identification and authentication procedure is guided by the existing guidelines, procedures and policy in the organization (IRS, 2012). b) Device Identification and Authentication The identification and authentication procedures and guidelines in the agency requires that each device is identified and authenticated before a connection is established. Confidentiality and security can easily be breached through intruding devices. The agency has a device identification and authentication procedure in place that is guided by the Internal Revenue Manual of IRS (IRS, 2012). Conclusion In conclusion, it is important to note that security controls and profiles will vary with information systems in different organizations. In this case the security controls inherent in the Agency are crucial controls that are aimed at maintain the privacy and confidentiality of the data and information. To achieve a complete and sound security profile, the management, operational and technical controls must be implemented to complement each other for effective results. Planning control lays a foundation for other management controls, this can be done through security policy and procedures and security plan. Basic operational controls such as security awareness and training is crucial in any organization. Through security awareness and training policy and procedures and user awareness, security can be achieved. Finally, the technical controls offer a final remedy for security concerns in the organization. Basically, the identification and authentication control is one of the effective technical controls. By user identification and authentication and device identification and authentication controls the agency can address the issue of unauthorized access. References Barnard, L., & Von Solms, R. (2000). A formalized approach to the effective selection and evaluation of information security controls. Computers & Security, 19(2), 185-194. IRS. (2012). Part 10: Security Privacy and Assuarance. Retrieved April 24, 2015, from IRS Agency Website: http://www.irs.gov/irm/part10/irm_10-008-034r.html#d0e1573 NIST. (2012). NIST Special Publication 800-53 Revision 4 Recommended Security Controls for Federal Information Systems and Organizations. . CA: CreateSpace, Paramount. Read More