System Identification and Security Categorization - Essay Example

VA’s Cyber Security Profile

Contents

INTRODUCTION
1.1. SYSTEM IDENTIFICATION
1.2. Security Categorization
1.2.1. Information System Type
1.2.2. Scope of Assessment
2. MANAGEMENT CONTROL
2.1. Selected Control
2.1.1. Control Family 1
2.1.2. Implementation Status
2.1.3. Implementation of Control
2.2. Control Family 2
2.2.1. Implementation Status
2.2.2. Implementation of Control
3. TECHNICAL CONTROL
3.1. Selected Control
3.1.1. Family Control 1
3.1.2. Implementation Status:
3.1.3. Implementation of Control:
3.2. Family Control 2
3.2.2. Implementation Status:
Family Control 3
3.2.3. Implementation Status and Control
4. OPERATIONAL CONTROL
4.1. Selected Control
4.1.1. Family Control 1
4.1.2. Implementation Status:
4.1.3. Implementation of Control:
4.2. Family Control 2
4.2.2. Implementation Status:
4.2.3. Implementation Control:
5. CONCLUSIONS
5.2. Results and Recommendations
References

INTRODUCTION

Federal statutes and requirements are very important to observe in order to assess the security posture of the Department of Veterans Affairs (VA). The ability to establish a successful information security system lies in having a good knowledge of the requirements. In order to protect information and information systems, it is essential to have an information security program. The VA's major concern is to maintain a revolutionary information system, and that system is the basis of this paper. Major drawbacks such as intrusion, interruption, unauthorized access, exposure and alteration are the variables considered in protecting information and information systems.

1.1. SYSTEM IDENTIFICATION

The principles of the CIA triad (integrity, availability and confidentiality) are highly prioritized in the information system. The necessary control mechanisms have been incorporated into the information security system in order to provide protection.

1.2. Security Categorization

These controls have been categorized into technical, management and operational controls. The VA holds critical information, and therefore effective organization, accomplishment and supervision of controls should be conducted with care. The main obligation of the VA is to achieve the highest level of security while meeting the critical needs of the organization.

1.2.1. Information System Type

The VA has typically been viewed by the majority as a mechanism for protecting information and information systems. This is not the case, since its major concern is to protect the availability, confidentiality and integrity of the information and the information system. The control principles form the pillars of the CIA triad.

1.2.2. Scope of Assessment

This paper will cover in detail the management, operational and technical controls in relation to cyber security. These will include the associated families too.

2. MANAGEMENT CONTROL

Management of risk and management of information are the basis of management controls according to FIPS 200 (2006). Security plans rely mainly on management controls. Actions regarding risk management can be executed when planning, assessment of the significance of the risk and identification are carried out in a proper way. Though risk management will not absolutely eliminate risk, it can reduce the likelihood of a risk being realized, provides significant remedy, and addresses potential risks in the future. The main goal of the VA is to protect information and information systems through a risk management program to achieve strategic and operational goals.

2.1. Selected Control

The strategy adopted by the Information Security Management Act is based on a risk approach. This is stated in the VA (2007): “the operating unit is responsible for conducting accurate and thorough risk assessment to identify potential risk, vulnerabilities and threats to the confidentiality, integrity and availability of sensitive information held by VA.” The possibility of incurring a threat is potentially construed by the management controls. In case the postulated risk occurs, the proper procedure is followed when distributing the risk, lessening it, or accepting the risk with the third party. Management systems are not immune to risk, and therefore appropriate action should be taken to reduce the risk. This helps reduce the devastating effects of the threats.

2.1.1. Control Family 1

The controls are guided by one common objective, which is to protect the information and information system. For instance, “A control family is associated with given class based on the dominant characteristics of the controls in the family” (FIPS, 2006).

2.1.2. Implementation Status

The VA regularly relies on guidance provided by the Insurance Portability and Accountability Act to manage general health information and identification of the health records. Generally, handling of information will depend on the categorization of the assigned information.

2.1.3. Implementation of Control

The security requirements in handling health records are closely associated with the three principles of control, i.e. integrity, confidentiality and availability.

2.2. Control Family 2

2.2.1. Implementation Status

RA-3 Risk Assessments constitutes the third family control. The NIST 800-53 REV 1 outlines the requirements for RA-3 (NIST, 2010).

2.2.2. Implementation of Control

It is used to assess the possibility and the extent of harm from third parties, modification, disclosure, disruption, use, access or destruction with regard to the information it stores, processes or transmits.

3. TECHNICAL CONTROL

The VA has the mandate to conduct risk evaluation, which consists of three components. Furthermore, ten primary areas are covered by the risk evaluation. According to FIPS 200 (2006), software, hardware and firmware components constitute the mechanisms used by the information system to execute technical control. Vulnerabilities, loss minimization and unavailability resulting from threats are addressed by technical controls, which support the information security policy. The VA promptly uses identification and authentication to uniquely identify users or processes that run remotely in the user systems. Individuals are associated with a user ID and password which uniquely identify them to the system. Based on positive user identification, all users are uniquely controlled with some limitations. Minimum requirements of access control, least privilege and system integrity are based on a uniform platform with the support of an authentication mechanism (VA, 2007). Identification and Authentication is supplemented by the following associated family groups:

3.1. Selected Control

IA-1, procedures and policies for identification and authentication; IA-2, identification and authentication (organizational users); and IA-3, device identification and authentication.

3.1.1. Family Control 1

The procedures and policies for identification and authentication are defined as “documented, formal procedures to facilitate the implementation and authentication policy associated identification and authentication controls” (NVD, n.d.). The account management procedure is outlined by the VA as follows according to IA-1, identification and authentication policy and procedures:

3.1.2. Implementation Status:

The VA’s sensitive information, such as electronic signature codes and the assignment of access codes and user IDs to all users, requires the same level of protection as individual access and verification codes.

3.1.3. Implementation of Control:

The number of privileged users' and general users' sessions should be limited in high-impact systems.

3.2. Family Control 2

3.2.2. Implementation Status:

The second, IA-2, identification and authentication (organizational users), is dedicated to specific applications for users of the information system.

Family Control 3

3.2.3. Implementation Status and Control

The third, i.e. IA-3, requires users' devices to be identified before establishing a connection to the system. Although the VA (2007) requires two-factor authentication for remote access, it allows remote access.

4. OPERATIONAL CONTROL

Operational control is the last management risk control factor. Operational controls are executed by users, as opposed to technical controls, which are executed by the system. Personnel security is one of the most important operational controls. The current VA policy, “VA Directive 0710, Personnel Suitability and Security Program”, requires that Federal and contractor positions are assigned a risk designation and that screening criteria are established for filling the positions. The risk designation must be revised at least every three years if need be (VA, 2007).

4.1. Selected Control

Personnel security is associated with personnel screening, termination and transfer, with regard to PS-3, PS-4 and PS-5 respectively. Before being granted access to information, personnel must be screened. The screening policy applies to employees, contractors, applicants or any individual that may require access to VA information.

4.1.1. Family Control 1

4.1.2. Implementation Status:

The warrant under which access is allowed is stated by PS-4, personnel termination.

4.1.3. Implementation of Control:

Upon termination of an employee's contract, the user’s information system access, exit interviews and the submission of all organizational property are dealt with in a timely manner. This includes keys, identification cards and building passes. The appropriate personnel should have access to the official records of the terminated employee that are stored in the VA system before they are recycled (VA, 2007).

4.2. Family Control 2

4.2.2. Implementation Status:

Upon termination, PS-5 outlines the personnel transfer procedure and reassignment of the appropriate employee.

4.2.3. Implementation Control:

In the event of reassignment, the VA conducts reviews to determine whether any actions need to be taken. The Department of Veterans Affairs can be exposed to lasting and damaging effects on its mission in the event of loss, unauthorized modification, or compromise of sensitive information. Therefore, protection of the confidentiality, integrity and availability of the information contained within its information systems should be implemented through an information security program as a mechanism to identify and apply information security standards.

5. CONCLUSIONS

To provide frameworks for information security, legitimate policies should be set up by management. Information is assigned threat impact levels as well as categorized with levels of security. Information should therefore be handled with much care.

5.2. Results and Recommendations

Legislative requirements should be observed when storing, transporting or handling information with regard to technical and operational controls. In the process of securing information, the VA has exceeded all expectations and possesses all the crafted plans for securing data.

References

FIPS 200. (2006, March). Retrieved February 23, 2013, from http://csrc.nist.gov/publications/fips/fips200/

Information Security Plan. (2007, September 18). U.S. Department of Veterans Affairs. Retrieved February 20, 2013, from http://www.va.gov

National Institute of Standards and Technology. (2010, June). Retrieved February 21, 2013, from http://csrc.nist.gov/publications/nistpubs

National Vulnerability Database Home. (n.d.). National Vulnerability Database Home. Retrieved February 22, 2013, from http://nvd.nist.gov/home.cfm