Matthew Christian Dave Maddox Tim Toennies
Presentation transcript:

FISMA at SLU
Matthew Christian, Dave Maddox, Tim Toennies

Agenda
- FISMA overview
- Current state of FISMA at SLU
- Future state

Acronym soup (oversimplification)
- FERPA: Family Educational Rights and Privacy Act; students
- HIPAA: Health Insurance Portability and Accountability Act; patients
- PII: Personally Identifiable Information; all people
- PCI: Payment Card Industry; credit cards
- FISMA: Federal Information Security Management Act; government

What is FISMA?
- Included by Congress as part of the E-Government Act in 2002, modernized in 2014.
- Codified by the Department of Homeland Security.
- Establishes security guidelines for federal agencies or those providing services to federal agencies.
- Mandatory for federal contracts; may be required for federal grants. How do I know?

FISMA: effective in 2002, modernized in 2014. FISMA may be required for a grant (1) if the grant requires the research organization to return the data to the federal project sponsor, and (2) if the grant has been awarded using a contracting form.

Does my work need FISMA cert?
Look for language in the contract to know if FISMA is required:
- System Security Plan
- Authority to Operate (ATO)
- OMB A-130
- FIPS 199
- Comply with all applicable NIST standards
If any of these appear in a grant, treat it as a red flag and confirm.

OMB: White House Office of Management and Budget. FIPS 199: government standard for categorizing federal information and information systems according to an agency's level of concern for the data and its confidentiality. NIST: National Institute of Standards and Technology.

FISMA security levels
Different security levels: Low, Moderate, High.

Each level has a mandatory set of security controls, with each level building upon the previous. In addition, FISMA mandates separate evaluations for the confidentiality, integrity, and availability of the sensitive data. For example, research data containing individually identifiable health information would pose significant consequences to the university if that data was stolen, lost, or inadvertently disclosed, and thus the confidentiality security category would likely be Moderate. This same historical data may not require 24/7 access, so the security category for availability may be Low. FISMA Low could be done by CDC, FISMA High by DOD.
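The per-objective categorization described above follows FIPS 199: each information type gets its own confidentiality, integrity and availability impact level, the system takes the high water mark of every type it carries, and FIPS 200 takes the high water mark across the three objectives to pick the SP 800-53 baseline. The helper below is an added example, not part of the SLU presentation; the sample information types are constructed to mirror the slide's scenario, and the integrity level of the health records is an assumption (the slide only gives confidentiality and availability).

```python
# FIPS 199 categorization helper (added example, not from the SLU slides).
# Impact levels are ordered so that max() gives the FIPS 199 "high water mark".
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def validate(info_type: dict) -> dict:
    """Check one information type's {objective: level} mapping and normalise case."""
    cat = {o: str(info_type[o]).upper() for o in OBJECTIVES}
    for obj, lvl in cat.items():
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level {lvl!r} for {obj}")
        # FIPS 199 allows "not applicable" only for the confidentiality of public information.
        if lvl == "NA" and obj != "confidentiality":
            raise ValueError(f"NA is only valid for confidentiality, not {obj}")
    return cat


def system_category(info_types: list) -> dict:
    """Per-objective high water mark across every information type on the system.

    FIPS 199 also sets a low water mark: a system's value for each objective is
    at least LOW, so an all-NA confidentiality column still yields LOW.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    cats = [validate(it) for it in info_types]
    return {o: NAMES[max(LEVELS["LOW"], *(LEVELS[c[o]] for c in cats))] for o in OBJECTIVES}


def overall_impact(sys_cat: dict) -> str:
    """FIPS 200 high water mark across C, I and A; this selects the SP 800-53 baseline."""
    return max(sys_cat.values(), key=LEVELS.__getitem__)


def format_sc(sys_cat: dict) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, MODERATE), ...}."""
    return "SC = {" + ", ".join(f"({o}, {sys_cat[o]})" for o in OBJECTIVES) + "}"


if __name__ == "__main__":
    # Constructed sample: the slide's identifiable-health-data scenario (integrity level
    # assumed) plus a public companion dataset whose confidentiality is "not applicable".
    health_records = {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"}
    public_codebook = {"confidentiality": "NA", "integrity": "LOW", "availability": "LOW"}
    sc = system_category([health_records, public_codebook])
    print(format_sc(sc), "-> overall", overall_impact(sc))
```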

FISMA impact
- Separate Accounts
- Remote Access
- Controlled Data Transfer
- Formal Change Management
- Proactive Log Review
- Security Assessment

FISMA is a Framework

Top FISMA Requirements
- Maintain an inventory of information systems
- Categorize information and information systems according to risk level
- Maintain a system security plan
- Utilize security controls
- Conduct risk assessments
- Certification and accreditation
- Conduct continuous monitoring

While the full FISMA requirements are extensive and very detailed, the top requirements can be summarized as follows:

Maintain an inventory of information systems: Every agency should have in place an inventory of information systems that are operated by or under the control of the agency. The inventory must include an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency.

Categorize information and information systems according to risk level: All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels defined by FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems." The guidelines are provided by NIST SP 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories."

Maintain a system security plan: Agencies should develop and maintain a system security plan, which is a living document that requires periodic review, modification, and plans of action and milestones for implementing security controls. The system security plan is the major input to the security certification and accreditation process for the system.

Utilize security controls: Federal information systems must meet the minimum security requirements defined in FIPS 200, "Minimum Security Requirements for Federal Information and Information Systems." Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems." Agencies have flexibility in applying the baseline security controls to more closely fit their mission requirements and operational environments. The controls selected or planned must be documented in the System Security Plan.

Conduct risk assessments: Each agency should conduct risk assessments to validate its security controls and to determine if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the United States. The resulting set of security controls establishes a level of "security due diligence" for the federal agency and its contractors.

Certification and accreditation: Once the system documentation and risk assessment have been completed, the system's controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems."

Conduct continuous monitoring: All accredited systems are required to monitor a selected set of security controls, and the system documentation should be updated to reflect changes and modifications to the system. Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.

Current State
- FISMA Ready
- Compliance is not a quick effort; lots of planning and coordination are needed.
- At this time there is no research at SLU which requires FISMA, but…

We have the hardware on site and, to the best of our knowledge, it has been built to the standards, but it is necessary to qualify the hardware, which would need to be done by the agency we work with for certification. The agency chosen would depend on the security level. Once completed, the agency would provide an Authority to Operate (ATO). FISMA Low could be done by CDC, FISMA High by DOD.

Current State
- We believe the environment on-site has been built to FISMA standards.
- The environment is capable and scalable for large needs.

Future State
- Up to all of us…
- The FISMA hardware was not a trivial investment; we would love the opportunity to use it.

Keep in mind…
- FISMA certification is not an overnight process…
- There would need to be a project plan and resources marshalled for the effort.

Who should I contact?
- Work with the Research department
- Ask the CISO
- Review the material in the Appendix

VP Research: Matthew Christian. CISO: Dave Maddox.

Questions?

Appendix
For further research:
- https://www.slu.edu/its/services-and-products/research-technology-group/secure-research-environment-and-fisma
- https://www.dhs.gov/fisma
- https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002
- https://csrc.nist.gov/Topics/Laws-and-Regulations/laws/FISMA

Contact Information
- Tim Toennies, tim.toennies@health.slu.edu, 314-977-7365
- Dave Maddox, dave.maddox@health.slu.edu, 314-977-4917
- Matthew Christian, matthew.christian@slu.edu, 314-977-2047