Advancing Access to Restricted Data: Regulations, Compliance, Continuous Monitoring... OH MY!!! Cornell Institute for Social and Economic Research (CISER) and Cornell Restricted Access Data Center (CRADC)

CISER's Mission: ...anticipate and support the evolving computational and data needs of Cornell social scientists and economists throughout the entire research process and data life cycle.

CISER's Suite of Services:
- Hardware: high-performance Windows computing environment; high-performance hardware resources to support larger amounts of data being analyzed, access possible from almost anywhere, backup taken care of, shared disk space
- Software: complete range of software applications; an extensive set of quantitative and qualitative software programs available for use in all public and secure environments, custom solutions, and other packages useful for researchers such as reference software (EndNote), scientific typesetting (Scientific WorkPlace), Adobe Professional and Microsoft Office
- Data: extensive archive, supplemented by ICPSR and Roper memberships; archives of numeric data files with emphasis on demography, economics, labor, political and social behavior, and health; workshops on data resources, archiving of research data, ongoing expansion of data resources
- Data Use Support: training, helpdesk, individual consultations, research support, data programming services, sponsored project assistance, assistance with research data management plans
- Secure Data Services: multiple, tiered secure environments, including administrative support and expertise in obtaining and using restricted data

CRADC: Cornell Restricted Access Data Center
- Established in 1999 as a pilot project
- Sponsored by the National Science Foundation
- Secure computing environment with remote access

CRADC exists to:
- Deliver a high level of customized support
- House and protect restricted research data
- Help PIs comply with requirements of data distributors
- Provide a computing platform as flexible as data use agreements permit

Services:
- Identification of applicable data sources
- Writing security plans to meet requirements of data providers
- Coordination with the Office of Sponsored Programs (OSP) and Cornell's Institutional Review Board (IRB)
- Design of sponsor-required research data management plans
- Work with the data provider for secure transfer of data to CRADC servers
- Disclosure avoidance review where required
- Customized user environment and backup routines
- Audit and site-visit support

Multiple Modes of Secure Access
- Secure rooms with dedicated stand-alone computers
- Secure rooms with thin-client access to remote servers: Cornell Census Research Data Center (RDC); Institut für Arbeitsmarkt- und Berufsforschung (IAB)
- Secure remote access

Declining use of Public Data in Research (chart; source: http://obs.rc.fas.harvard.edu/chetty/admin_data_trends.pdf)

Increasing use of Restricted Data in Research (chart; source: http://obs.rc.fas.harvard.edu/chetty/admin_data_trends.pdf)

Secure research project stages:
- Proposal development: security plan, data agreement process
- Project setup: data procurement, account creation
- Ongoing project support: continuous monitoring, audit support
- Project closeout processing: de-provisioning, disposal of data

Proposal development
- Data use agreement
- Security plan
- IRB protocol approvals
- Form 10 / Office of Sponsored Programs approval
- Data distributor approval

Project setup
- Create project spaces and accounts
- Produce local user agreements
- Data custodian receives data directly from the distributor or from the PI
- Data custodian files the data into the CRADC environment

Ongoing project support
- Accommodate changes to the research team
- Assist with data use agreement modifications
- Work with IRB and OSP as needed
- Audit support

Project closeout
- System updates during monthly downtimes
- Software modules or applications to support research needs

Secure Data Services: the CRADC services listed above (data source identification, security plans, OSP/IRB coordination, data management plans, secure transfer, disclosure avoidance review, customized environments and backups, audit and site-visit support), plus a complete range of software applications from advanced statistical analysis to graphical presentation and word processing.

The NIST Risk Management Framework documents used at CRADC: FIPS 199, FIPS 200, SP 800-53, SP 800-53A, SP 800-37, SP 800-137, SP 800-160.
- Step 1: FIPS 199 (categorize the system)
- Step 2: FIPS 200 and NIST SP 800-53 (select controls)
- Step 3: NIST SP 800-160 (implement controls)
- Step 4: NIST SP 800-53A (assess controls)
- Step 5: NIST SP 800-37 (authorize the system)
- Step 6: NIST SP 800-137 (monitor controls)

NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system.

FIPS 199 Standards for Security Categorization of Federal Information and Information Systems

NIST SP 800-160

FIPS 200: Minimum Security Requirements for Federal Information and Information Systems. (SC = security categorization, from FIPS 199.)
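FIPS 199 expresses a security categorization as SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, with each impact being LOW, MODERATE or HIGH (N/A is permitted only for the confidentiality of an information type, never at system level). The system-level category is the high-water mark across all information types the system holds, per objective, and FIPS 200 then picks the low, moderate or high control baseline from the overall high-water mark. The following is an added example, not code from CISER or CRADC, that carries that rule through for a constructed project inventory; the information types, their impact levels and the project name are assumptions chosen for illustration, not a real CRADC categorization.

```python
"""FIPS 199 security categorization with the high-water mark rule,
followed by FIPS 200 baseline selection. Added example; the sample
inventory below is constructed for illustration only."""
from typing import Dict

# Ordering used by the high-water mark comparison. N/A is only legal for
# the confidentiality objective of an individual information type.
IMPACT_ORDER = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed inventory for a hypothetical restricted-data project
# ("assumed-project"); levels are illustrative, not a real categorization.
SAMPLE_INFORMATION_TYPES: Dict[str, Dict[str, str]] = {
    "restricted microdata":  {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "analysis code":         {"confidentiality": "LOW",      "integrity": "MODERATE", "availability": "LOW"},
    "public reference data": {"confidentiality": "N/A",      "integrity": "LOW",      "availability": "LOW"},
}


def validate_information_type(name: str, levels: Dict[str, str]) -> None:
    """Reject malformed entries before they can silently lower the result."""
    for objective in OBJECTIVES:
        level = levels.get(objective)
        if level not in IMPACT_ORDER:
            raise ValueError(f"{name}: {objective} has unknown impact level {level!r}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{name}: N/A is only allowed for confidentiality")


def high_water_mark(levels) -> str:
    """Highest impact level in an iterable of levels."""
    return max(levels, key=lambda level: IMPACT_ORDER[level])


def categorize_system(information_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """System-level SC: per-objective high-water mark across all information
    types. FIPS 199 requires at least LOW for every objective at system level,
    so an objective whose only inputs are N/A is raised to LOW."""
    if not information_types:
        raise ValueError("a system must hold at least one information type")
    for name, levels in information_types.items():
        validate_information_type(name, levels)
    system_category = {}
    for objective in OBJECTIVES:
        mark = high_water_mark(levels[objective] for levels in information_types.values())
        system_category[objective] = "LOW" if mark == "N/A" else mark
    return system_category


def select_baseline(system_category: Dict[str, str]) -> str:
    """FIPS 200 / SP 800-53 baseline: the overall high-water mark of the SC."""
    return high_water_mark(system_category.values())


def format_category(label: str, category: Dict[str, str]) -> str:
    """Render in the FIPS 199 notation, e.g. SC x = {(confidentiality, MODERATE), ...}."""
    pairs = ", ".join(f"({objective}, {category[objective]})" for objective in OBJECTIVES)
    return f"SC {label} = {{{pairs}}}"


if __name__ == "__main__":
    for name, levels in SAMPLE_INFORMATION_TYPES.items():
        print(format_category(name, levels))
    sc = categorize_system(SAMPLE_INFORMATION_TYPES)
    print(format_category("assumed-project system", sc))
    print("FIPS 200 baseline:", select_baseline(sc))
```

The validation step matters in practice: a typo such as "Medium" in a security plan spreadsheet would otherwise be treated as the lowest value and could pull the baseline down, which is exactly the kind of error a data provider's site visit will look for.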

NIST SP 800-53 Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations. The security controls in NIST Special Publication 800-53 are designed to facilitate compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Compliance is not about adhering to static checklists or generating unnecessary FISMA reporting paperwork. Rather, compliance necessitates organizations executing due diligence with regard to information security and risk management. Information security due diligence includes using all appropriate information as part of an organization-wide risk management program to effectively use the tailoring guidance and inherent flexibility in NIST publications so that the selected security controls documented in organization security plans meet the mission and the business requirements of organizations. Using the risk management tools and techniques that are available to organizations is essential in developing, implementing, and maintaining the safeguards and countermeasures with the necessary and sufficient strength of mechanism to address the current threats to organizational operations and assets, individuals, other organizations, and the Nation. Employing effective risk-based processes, procedures, and technologies will help ensure that all federal information systems and organizations have the necessary resilience to support ongoing federal responsibilities, critical infrastructure applications, and continuity of government. (18 control families; hundreds of qualifiers; 457 pages.)

NIST SP 800-160 (Draft): Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. This publication addresses the engineering-driven actions necessary for developing a more defensible and survivable information technology (IT) infrastructure, including the component products, systems, and services that compose the infrastructure. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering techniques, methods, and practices into those systems and software engineering processes. The ultimate objective is to address security issues from a stakeholder requirements and protection needs perspective and to use established organizational processes to ensure that such requirements and needs are addressed early in and throughout the life cycle of the system.

NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems. The purpose of this publication is to provide guidelines for applying the Risk Management Framework to federal information systems, to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. The guidelines have been developed:
- To ensure that managing information system-related security risks is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function);
- To ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes;
- To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk management-related information, and reciprocity; and
- To achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies.

NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance (i.e., is the control implemented in accordance with the security plan to address threats, and is the security plan adequate).

CRADC: ...gateway to restricted access data at Cornell University.

Questions? ciser@cornell.edu cradc@cornell.edu ciser.cornell.edu 11/15/2018. Not for further distribution.