MSIS 4253/5253 / ACCT 5603
Spring 2022
Homework #2
CDK
CDK is a virtual reality application maker that specializes in the advanced VR technologies often used by government agencies as training simulators and by gamers who seek cutting-edge gaming technology. When it comes to advances in application technology, no one beats CDK.
CDK's business strategy focuses on forward-thinking research and development (R&D) and very high-end VR systems. They have built a niche market catering to those who want advanced VR capabilities. As such, their rivals (both foreign and domestic) would love to get their hands on CDK's research data and design specifications. That threat is second only to CDK having its production line shut down. CDK is a small start-up company with about 100 employees selling high-end products. They carry no inventory and must keep up with government contracts, not to mention gaming customer demand. If their production line goes down for any length of time, they are out of business.
Because CDK relies heavily on its information and information systems, having a solid information security program is imperative. Loss of R&D data would wipe them out. However, because CDK is a start-up, funds for information security are limited and the accounting officer keeps a tight hold on spending; and because production cannot be interrupted, the operations officer doesn't want anything fouling up product output, even if it is essential to information security.
Major decisions at CDK are made by the executive council (EC), which consists of the Chief Executive Officer (CEO), Chief Operations Officer (COO), Chief Financial Officer (CFO), Chief Legal Officer (CLO) and Chief Information Officer (CIO). You have been hired to fill the role of Chief Information Security Officer (CISO). In that capacity you and your staff of six are responsible for developing cyber security policies, securing CDK's information infrastructure and performing IT audits for security and compliance.
Homework #2 – Audit!!!
Because CDK has a contract with the military, they are subject to an audit under FISMA. The CIO has turned to you, the CISO, to conduct a complete security (risk) assessment of CDK's information security posture. You have a staff of 5 to help you. This is your time to shine. Explain to the CIO in detail how you intend to go about conducting the assessment. You recall that in your system certification course you learned the steps required for conducting the assessment (NIST SP 800-30R1). You decide to start there. You also remember that FISMA requires government agencies and third-party contractors like CDK to have C&As (NIST SP 800-37R1) for all their systems, and that all organization employees must have annual information security awareness training. You use that to help scope your assessment.
Please explain how you would conduct the risk assessment.
NIST SP 800-30R1
Module 3
The Process
4 Step Process
Step 1: Prepare for Assessment
Step 2: Conduct Assessment
Step 3: Communicate Results
Step 4: Maintain Assessment
Each step is divided into a set of tasks
Consistent with the assessment process in 800-39
Step 1: Prepare for Assessment
Task 1-1: Identify the purpose of the assessment
Can be at Tiers 1, 2 or 3
Initial Assessment
Establishing baseline assessment of risk
Identifying threats and vulnerabilities to be tracked over time as part of risk monitoring
Providing a comparative analysis of alternative risk responses
Answering a specific question (e.g. What is the risk of delivering packages with drones?)
Reassessment
Ongoing determination of the effectiveness of security controls
Changes to information systems or operational environment
Results from compliance verification activities
Initiated by organization due to events that have occurred
Step 1: Prepare for Assessment
Task 1-2: Identify the scope of the assessment
Organizational Applicability: Which parts of the organization are affected by the RA?
Effectiveness Time Frame: How long are the results of the RA useful to inform risk-based decisions?
Architecture/Technology Considerations: What systems and how do they fit in the overall architecture?
Step 1: Prepare for Assessment
Task 1-3: Assumptions and constraints
Assumptions
Threat sources
Threat events
Vulnerabilities and Pre-existing conditions
Likelihood
Impacts
Risk Tolerance and Uncertainty
Analytical Approach
Constraints
Resources available for assessment
Skills and expertise required
Operational considerations related to mission/business activities
Step 1: Prepare for Assessment
Task 1-4: Identify the sources of threat, vulnerability and impact information
Internal
External (US-CERT, Information Sharing and Analysis Centers, etc)
Task 1-5: Identify Risk Model and Analytic Approach
Risk Model: The organization's risk management strategy (or its industry) will usually identify this for you
Analytic Approach
Assessment: Qualitative, Quantitative, Semi-Quantitative
Analysis: Threat-oriented, asset/impact-oriented, vulnerability-oriented
Step 2: Conduct the Assessment
Task 2-1: Identify and Characterize Threat Sources
Capability
Intent
Targeting Characteristics
See NIST SP 800-30R1, Appendix D for exemplary tables
Step 2: Conduct the Assessment
Task 2-2: Identify potential threat events, relevance of events, and threat sources that could initiate the events
Many-to-many relationship
Multiple sources can carry out an event
A single source can carry out multiple events.
See NIST SP 800-30R1, Appendix E for exemplary tables for use in identifying threat events
Step 2: Conduct the Assessment
Task 2-3: Identify vulnerabilities and predisposing conditions
Many-to-many relationship in vulnerabilities
Multiple threat events can target a single vulnerability
Multiple vulnerabilities can be exploited by a single threat event
Predisposing conditions can include mission/business processes, information systems, and environments of operation
Ex: Nurse collecting data in a patient’s room could result in information disclosure to unauthorized individuals and can increase the opportunity for computer theft
Step 2: Conduct the Assessment
Task 2-4: Determine Likelihood
1. Likelihood that a threat event will be initiated (or, for non-adversarial sources, will occur)
2. Likelihood that an initiated event results in adverse impact, given the vulnerabilities/predisposing conditions and the controls in place
3. Overall likelihood: a combination of the likelihood of initiation and the likelihood of adverse impact
Overall likelihood approaches:
Use the maximum of the two values
Use the minimum of the two values
Use only threat event initiation values
Use only threat impact values
Take a weighted average of the two values
See NIST SP 800-30R1, Appendix G
Step 2: Conduct the Assessment
Task 2-5: Determine impact
Characteristics of the threat source
Vulnerabilities/Predisposing conditions
Susceptibility of the controls planned or implemented to impede such events
In a quantitative assessment these are expressed as dollar amounts; qualitative and semi-quantitative assessments use the impact scales in Appendix H
See NIST SP 800-30R1, Appendix H
Step 2: Conduct the Assessment
Task 2-6: Determine Risk
Risk is a function of likelihood and impact: in a quantitative model, multiply likelihood by impact; in the qualitative/semi-quantitative model of Appendix I, look the (likelihood, impact) pair up in the risk table
Prioritize based on the highest level of risk
Use this information to determine what controls are needed
See NIST SP 800-30R1, Appendix I
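A worked run of Tasks 2-4 through 2-6 chained together, added here as an example; it is not part of the course notes or of NIST's text. The 0-100 bands and the likelihood-by-impact lookup are assumed transcriptions of Tables G-2 and I-2 and should be verified against the published appendices, and the threat events are constructed for the CDK scenario rather than assessed values.

```python
"""Semi-quantitative risk determination after NIST SP 800-30R1 Steps 2-4 to 2-6."""
from dataclasses import dataclass

# Qualitative scale used throughout Appendices G-I, lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Assumed 0-100 semi-quantitative bands per level, modelled on Table G-2
# (Very High 96-100, High 80-95, Moderate 21-79, Low 5-20, Very Low 0-4).
# Verify against the published table before relying on it.
BANDS = [(96, "Very High"), (80, "High"), (21, "Moderate"), (5, "Low"), (0, "Very Low")]

# Assumed likelihood-by-impact lookup modelled on Table I-2: keys are the
# overall likelihood level, columns follow LEVELS order for impact.
RISK_TABLE = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def level_of(value: int) -> str:
    """Map a 0-100 semi-quantitative value to its qualitative level."""
    if not 0 <= value <= 100:
        raise ValueError(f"value {value} outside the 0-100 scale")
    for floor, name in BANDS:
        if value >= floor:
            return name
    raise AssertionError("unreachable: BANDS covers 0-100")


def combine_likelihood(initiation: int, adverse: int, method: str = "max", weight: float = 0.5) -> int:
    """Task 2-4: fold the likelihood of initiation and the likelihood that an
    initiated event causes adverse impact into one overall likelihood, using
    one of the five approaches listed in Appendix G."""
    if method == "max":
        return max(initiation, adverse)
    if method == "min":
        return min(initiation, adverse)
    if method == "initiation":
        return initiation
    if method == "impact":
        return adverse
    if method == "weighted":
        return round(weight * initiation + (1 - weight) * adverse)
    raise ValueError(f"unknown combination method {method!r}")


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    source: str        # Tasks 2-1/2-2: the threat source that could initiate it
    initiation: int    # likelihood (0-100) the source initiates the event
    adverse: int       # likelihood (0-100) an initiated event causes adverse impact
    impact: int        # Task 2-5: impact value (0-100) if it does


def determine_risk(event: ThreatEvent, method: str = "max") -> tuple:
    """Task 2-6: overall likelihood value and the resulting risk level."""
    likelihood = combine_likelihood(event.initiation, event.adverse, method)
    impact_col = LEVELS.index(level_of(event.impact))
    return likelihood, RISK_TABLE[level_of(likelihood)][impact_col]


def prioritize(events, method: str = "max") -> list:
    """Rank events highest risk first; ties broken by likelihood, then impact."""
    scored = [(e, *determine_risk(e, method)) for e in events]
    scored.sort(key=lambda t: (LEVELS.index(t[2]), t[1], t[0].impact), reverse=True)
    return [(e.name, risk) for e, _, risk in scored]


# Constructed sample register for the fictional VR company in the scenario;
# the numbers are illustrative, not assessed values.
SAMPLE_EVENTS = [
    ThreatEvent("Exfiltration of R&D data by a competitor", "Adversarial: foreign competitor", 85, 70, 98),
    ThreatEvent("Ransomware halts the production line", "Adversarial: criminal group", 60, 90, 96),
    ThreatEvent("Insider leaks design specifications", "Adversarial: insider", 30, 85, 90),
    ThreatEvent("Contractor laptop left in a rideshare", "Accidental: user error", 50, 15, 60),
    ThreatEvent("Power outage at the office", "Environmental: utility failure", 70, 40, 10),
]

if __name__ == "__main__":
    for method in ("max", "min", "weighted"):
        print(f"--- overall likelihood = {method} ---")
        for name, risk in prioritize(SAMPLE_EVENTS, method):
            print(f"{risk:>9}  {name}")
```

Run it with different `method` values and the ranking changes: with `max` the ransomware event sits above R&D exfiltration, with `min` the order flips and the insider leak drops a level. That sensitivity is why Task 1-5 fixes the analytic approach before Step 2 starts, and why the approach chosen belongs in the report the CIO sees.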
Step 3: Communicating and Sharing Risk Assessment Information
Task 3-1: Communicate risk assessment results
Inform decision makers what you learned
Helps them prioritize risks and the controls needed to mitigate risk
Helps them budget for controls
Most organizations will want you to brief the results and many organizations will want recurring risk assessment briefings
See NIST SP 800-30R1, Appendix K
Step 3: Communicating and Sharing Risk Assessment Information
Task 3-2: Share Risk-related Information
Share risk information with other stakeholders in the organization…especially if it affects them
Various laws require that RM results be shared with the Executive Branch agency that oversees the law (e.g. the Department of Health and Human Services oversees HIPAA)
Share with others in the supply chain
A risk assessment is a snapshot in time. Controls need to be continually monitored
Step 4: Maintaining the Risk Assessment
Task 4-1: Conduct on-going monitoring of the risk factors that contribute to changes in risk
Monitor risk factors (threat sources, threat events, vulnerabilities, predisposing conditions, etc.) that can provide critical information on changing conditions
Also monitor the implementation, effectiveness/efficiency of controls and their ability to mitigate risk
Usually reported to senior leadership on a recurring basis
See NIST SP 800-137 for guidance on the ongoing monitoring of organizational information systems and environments of operation
Step 4: Maintaining the Risk Assessment
Task 4-2: Update risk assessment
If there are significant changes to organizational policy, direction or guidance, revisit the purpose, scope, assumptions and constraints
Also review any new threat events, vulnerabilities, predisposing conditions, undesirable consequences, and affected assets
The point is to keep an eye on things and make updates in between formal risk assessments
Onward
Risk assessment is a continuous process
It gives you the risk posture of the organization
It also helps you prioritize risk and make decisions regarding what to do about risk (accept, avoid, transfer, mitigate)
Most organizations will take steps to mitigate risk by implementing controls.
NIST 800-53R4, “Security and Privacy Controls for Federal Information Systems and Organizations” is where we are heading next
Note: They are NOT just for Federal information systems
Guide for Applying the Risk Management Framework to Federal Information Systems
NIST Special Publication 800-37 Revision 1
What it does
This publication, developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF).
Specifically…
• Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
• Encourages the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
• Integrates information security into the enterprise architecture and system development life cycle;
• Provides emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
• Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function); and
• Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls).
The Process
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Process Continued
Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
STEP 1 – CATEGORIZE INFORMATION SYSTEM
TASK 1-1: Categorize the information system and document the results of the security categorization in the security plan.
TASK 1-2: Describe the information system (including system boundary) and document the description in the security plan.
TASK 1-3: Register the information system with appropriate organizational program/management offices.
Milestone Checkpoint #1
Has the organization completed a security categorization of the information system including the information to be processed, stored, and transmitted by the system?
Are the results of the security categorization process for the information system consistent with the organization's enterprise architecture and commitment to protecting organizational mission/business processes?
Do the results of the security categorization process reflect the organization's risk management strategy?
Has the organization adequately described the characteristics of the information system?
Has the organization registered the information system for purposes of management, accountability, coordination, and oversight?
STEP 2- SELECT SECURITY CONTROLS
TASK 2-1: Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan (or equivalent document).
TASK 2-2: Select the security controls for the information system and document the controls in the security plan.
TASK 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.
TASK 2-4: Review and approve the security plan.
Milestone Checkpoint #2
– Has the organization allocated all security controls to the information system as system-specific, hybrid, or common controls?
– Has the organization used its risk assessment (either formal or informal) to inform and guide the security control selection process?
– Has the organization identified authorizing officials for the information system and all common controls inherited by the system?
– Has the organization tailored and supplemented the baseline security controls to ensure that the controls, if implemented, adequately mitigate risks to organizational operations and assets, individuals, other organizations, and the Nation?
– Has the organization addressed minimum assurance requirements for the security controls employed within and inherited by the information system?
– Has the organization consulted information system owners when identifying common controls to ensure that the security capability provided by the inherited controls is sufficient to deliver adequate protection?
– Has the organization supplemented the common controls with system-specific or hybrid controls when the security control baselines of the common controls are less than those of the information system inheriting the controls?
– Has the organization documented the common controls inherited from external providers?
– Has the organization developed a continuous monitoring strategy for the information system (including monitoring of security control effectiveness for system-specific, hybrid, and common controls) that reflects the organizational risk management strategy and organizational commitment to protecting critical missions and business functions?
– Have appropriate organizational officials approved security plans containing system-specific, hybrid, and common controls?
STEP 3 – IMPLEMENT SECURITY CONTROLS
TASK 3-1: Implement the security controls specified in the security plan.
TASK 3-2: Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs).
Milestone Checkpoint #3
Has the organization allocated security controls as system-specific, hybrid, or common controls consistent with the enterprise architecture and information security architecture?
Has the organization demonstrated the use of sound information system and security engineering methodologies in integrating information technology products into the information system and in implementing the security controls contained in the security plan?
Has the organization documented how common controls inherited by organizational information systems have been implemented?
Has the organization documented how system-specific and hybrid security controls have been implemented within the information system taking into account specific technologies and platform dependencies?
Has the organization taken into account the minimum assurance requirements when implementing security controls?
STEP 4 – ASSESS SECURITY CONTROLS
TASK 4-1: Develop, review, and approve a plan to assess the security controls
TASK 4-2: Assess the security controls in accordance with the assessment procedures defined in the security assessment plan
TASK 4-3: Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment.
TASK 4-4: Conduct initial remediation actions on security controls based on the findings and recommendations of the security assessment report and reassess remediated control(s), as appropriate.
Milestone Checkpoint #4
Has the organization developed a comprehensive plan to assess the security controls employed within or inherited by the information system?
Was the assessment plan reviewed and approved by appropriate organizational officials?
Has the organization considered the appropriate level of assessor independence for the security control assessment?
Has the organization provided all of the essential supporting assessment-related materials needed by the assessor(s) to conduct an effective security control assessment?
Has the organization examined opportunities for reusing assessment results from previous assessments or from other sources?
Did the assessor(s) complete the security control assessment in accordance with the stated assessment plan?
Did the organization receive the completed security assessment report with appropriate findings and recommendations from the assessor(s)?
Did the organization take the necessary remediation actions to address the most important weaknesses and deficiencies in the information system and its environment of operation based on the findings and recommendations in the security assessment report?
Did the organization update appropriate security plans based on the findings and recommendations in the security assessment report and any subsequent changes to the information system and its environment of operation?
STEP 5 – AUTHORIZE INFORMATION SYSTEM
TASK 5-1: Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken.
TASK 5-2: Assemble the security authorization package and submit the package to the authorizing official for adjudication.
TASK 5-3: Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.
TASK 5-4: Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.
Milestone Checkpoint #5
Did the organization develop a plan of action and milestones reflecting organizational priorities for addressing the remaining weaknesses and deficiencies in the information system and its environment of operation?
Did the organization develop an appropriate authorization package with all key documents including the security plan, security assessment report, and plan of action and milestones (if applicable)?
Did the final risk determination and risk acceptance by the authorizing official reflect the risk management strategy developed by the organization and conveyed by the risk executive (function)?
Was the authorization decision conveyed to appropriate organizational personnel including information system owners and common control providers?
STEP 6 – MONITOR SECURITY CONTROLS
TASK 6-1: Determine the security impact of proposed or actual changes to the information system and its environment of operation.
TASK 6-2: Assess a selected subset of the technical, management, and operational security controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy
TASK 6-3: Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones.
TASK 6-4: Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.
TASK 6-5: Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the authorizing official and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.
TASK 6-6: Review the reported security status of the information system (including the effectiveness of security controls employed within and inherited by the system) on an ongoing basis in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation remains acceptable.
TASK 6-7: Implement an information system decommissioning strategy, when needed, which executes required actions when a system is removed from service.
Milestone Checkpoint #6
Is the organization effectively monitoring changes to the information system and its environment of operation including the effectiveness of deployed security controls in accordance with the continuous monitoring strategy?
Is the organization effectively analyzing the security impacts of identified changes to the information system and its environment of operation?
Is the organization conducting ongoing assessments of security controls in accordance with the monitoring strategy?
Is the organization taking the necessary remediation actions on an ongoing basis to address identified weaknesses and deficiencies in the information system and its environment of operation?
Does the organization have an effective process in place to report the security status of the information system and its environment of operation to the authorizing officials and other designated senior leaders within the organization on an ongoing basis?
Is the organization updating critical risk management documents based on ongoing monitoring activities?
Are authorizing officials conducting ongoing security authorizations by employing effective continuous monitoring activities and communicating updated risk determination and acceptance decisions to information system owners and common control providers?
Other notes
Site Authorization
Type Authorization
External system providers