Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com

Presentation transcript:
Protecting Your Institutional Data: If You Don't Do It, Who Will?

Data and Application Issues
Processing, storage and transmission of sensitive data in third-party applications:
– Where is sensitive data being stored and accessed?
– Who has access to it?
– What controls are in place to manage and/or limit that access?
Application sprawl
Awareness
Regulatory requirements

Questions to Ask Yourself
– What data do we, as an institution, deem sensitive?
– Where is sensitive data being stored, processed or transmitted?
– Who has access to sensitive data?
– What controls are in place to secure the applications that hold sensitive data?
– Are we addressing all controls required by the USM Security Guidelines and the DOIT Security Policy (including all controls in the NIST control catalog)?
– What processes are in place to manage changes to applications that hold sensitive data?
– Are we doing enough?

A Scope of Work to Answer Those Questions and Address the Underlying Issues
Template preparation
– Develop data capture templates and assessment questions
– Identify the NIST access control policy categories and/or individual controls to include in the application review
– Confirm the sensitivity level at which each control becomes applicable
Application review
– Phase One: data capture. Review all applications, capture the required data and determine each application's sensitivity level; classify information types by data sensitivity and assign a risk level designation
– Phase Two: control review. Obtain detailed information on the sensitive data, review the controls for sensitive applications and verify them through documentation or by demonstration
– Develop recommendations
Procedural documentation
– Develop onboarding documentation for all new applications
– Develop easily understandable access control procedure documentation for all applications
– Develop easily understandable change control procedures for all applications

Why NIST?
– Addresses the security standards established by DOIT, interpreted in the context of USM
– The framework was developed using the applicable NIST guidelines
– Only those controls designed to protect systems at the 'moderate' categorization level are included
– Minimum information security requirements follow FIPS 200, applied according to the system categorization defined by FIPS 199

Use NIST Guidelines to Map Data to Sensitivity to Risk Policy
Use the high-water mark (the highest impact value assigned to any of the three security objectives, per FIPS 199) to determine the risk level of each individual information type AND the risk level of the application.
Information Type 1: {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)} = HIGH
Information Type 2: {(confidentiality, MODERATE), (integrity, LOW), (availability, LOW)} = MODERATE
The application is classified as HIGH, the high-water mark across its information types.
Correlate this to institution-defined risk levels: what is the impact to the institution if the confidentiality, integrity or availability of this data is compromised?
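The high-water-mark rule from this slide, carried through in code. This is an added example and not part of the presentation. The first two information types are the slide's own values; the "Public directory" type is constructed to show how the one special case in FIPS 199 is handled (a confidentiality impact of "not applicable" is permitted for public information, but integrity and availability always carry a level). The example also goes one step beyond the slide and returns the per-objective categorization of the whole application.

```python
"""FIPS 199 high-water-mark categorization of information types and of the
application that handles them.

Added worked example; not code from the presentation. The two information
types below are the slide's own values; the "Public directory" type is
constructed to show the one case FIPS 199 treats specially.
"""
from typing import Dict, Optional

# FIPS 199 impact levels in ascending order of severity.
LEVEL_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# An information type: impact level per security objective. None stands for
# FIPS 199's "not applicable", which is allowed only for the confidentiality
# of public information; integrity and availability always have a level.
InformationType = Dict[str, Optional[str]]


def high_water_mark(levels) -> str:
    """Return the most severe level in an iterable of impact levels."""
    levels = list(levels)
    if not levels:
        raise ValueError("no impact levels to compare")
    unknown = [lv for lv in levels if lv not in LEVEL_RANK]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(levels, key=LEVEL_RANK.__getitem__)


def information_type_level(info_type: InformationType) -> str:
    """Risk level of one information type: high-water mark across C, I and A."""
    levels = []
    for objective in OBJECTIVES:
        level = info_type[objective]  # KeyError if an objective was skipped
        if level is None:
            if objective != "confidentiality":
                raise ValueError(f"{objective} impact cannot be 'not applicable'")
            continue  # public data: confidentiality is N/A and is not compared
        levels.append(level)
    return high_water_mark(levels)


def objective_levels(info_types: Dict[str, InformationType]) -> Dict[str, str]:
    """Per-objective high-water mark across all information types.

    This is the FIPS 199 categorization of the application itself, e.g.
    {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}.
    """
    if not info_types:
        raise ValueError("an application must hold at least one information type")
    for it in info_types.values():
        information_type_level(it)  # validates every type before aggregating
    result = {}
    for objective in OBJECTIVES:
        levels = [it[objective] for it in info_types.values() if it[objective] is not None]
        result[objective] = high_water_mark(levels) if levels else "NOT APPLICABLE"
    return result


def application_level(info_types: Dict[str, InformationType]) -> str:
    """Risk level of the application: high-water mark across its information types."""
    if not info_types:
        raise ValueError("an application must hold at least one information type")
    return high_water_mark(information_type_level(it) for it in info_types.values())


# The two information types from the slide, plus one constructed public type.
SAMPLE_APPLICATION: Dict[str, InformationType] = {
    "Information Type 1": {"confidentiality": "HIGH", "integrity": "MODERATE", "availability": "MODERATE"},
    "Information Type 2": {"confidentiality": "MODERATE", "integrity": "LOW", "availability": "LOW"},
    "Public directory": {"confidentiality": None, "integrity": "LOW", "availability": "LOW"},
}

if __name__ == "__main__":
    for name, it in SAMPLE_APPLICATION.items():
        print(f"{name}: {information_type_level(it)}")
    print("per objective:", objective_levels(SAMPLE_APPLICATION))
    print("application:", application_level(SAMPLE_APPLICATION))
```

Because the high-water mark is a maximum, adding a low-impact public information type never lowers an application's level; only removing the high-impact data from the application does, which is why the ongoing program later in the deck lists "removal of unnecessary data storage" as a remediation.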

Who Should Determine Sensitivity?
Possible sources:
– Data stewards / data governance committee
– Application/business owners
– Information technology owners
– IT security team
What we found:
– Impacts associated with integrity and availability made sense at the department level
– Confidentiality was applicable to the institution as a whole
– Confidentiality was always the driver for the risk level

Identify NIST Controls to Include in the Application Review
Control families from FIPS 200:
– Access Control (AC)
– Awareness and Training (AT)
– Audit and Accountability (AU)
– Certification, Accreditation and Security Assessments (CA)
– Configuration Management (CM)
– Contingency Planning (CP): out of scope
– Identification and Authentication (IA)
– Incident Response (IR): out of scope
– Maintenance (MA): out of scope
– Media Protection (MP): out of scope
– Physical and Environmental Protection (PE)
– Planning (PL)
– Personnel Security (PS)
– Risk Assessment (RA)
– System and Services Acquisition (SA)
– System and Communications Protection (SC)
– System and Information Integrity (SI)
Start by segregating controls by application, system or organization.

Confirm and Tailor Baselines for the System Level
Are all of the controls applicable to an application-level review? For example, boundary protection is not an application concern; it is a network infrastructure concern.
Are any of the listed controls "common controls", that is, controls managed by an organizational entity other than the information system owner?

Are All Controls Equal?
NIST identifies a priority associated with each control.
You may choose to develop an internal priority based on other sources (e.g. USM).
Chart removed

Control Segregation
– 67 application-level controls (42 prioritized as higher)
– 56 organization-level controls
– 65 system-level controls
– 21 not applicable *

Phase 1: Data Capture
– Capture basic information on the application, including a description, user types and roles
– Identify the information types stored in the application
– Assess the impact of a loss of confidentiality, integrity and availability for each application
– Identify integration points with other applications
– Capture all "sensitive" data stored in the application or queried from other sources
– Identify the current procedures for gaining access to the application

Data Classification
– Consolidate the data capture results
– Review information types by application
– Assign a confidentiality impact across all information types
– Categorize the application risk level
– Develop reports to illustrate risk levels by institution, department, number of occurrences, database type, application host, and use of specific PII (e.g. SSN and credit card number)
– Identify applications requiring a control review

Phase 2: Control Review
– For each application deemed "sensitive", review all controls applicable to its sensitivity category
– Verify the selected controls through documentation or demonstration
– Capture and document every instance of a failed control
– Pass or fail the application

Making a Control Review Make Sense
Develop questions and guidance for each control.
Chart removed

Final Report
– Provide pass/fail statistics for each application and illustrate trends across all applications by control
– Develop action items for each application addressing areas where additional follow-up is required
– Make recommendations on the appropriateness of the processes and procedures governing access to and storage of data
– Make recommendations on subsequent security assessments
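The Phase 2 control review and the pass/fail roll-up for the final report, carried through in code as an added example that is not part of the presentation. Control identifiers follow the NIST family-number form (AC-2, SC-7, ...), but which baseline each control is placed in here, the application/system/organization scope tags, the application names and every review result are constructed for illustration. The example also makes one choice the slides leave implicit: a control in the application's baseline that was never reviewed is counted as a failure, so a gap in the evidence cannot pass an application.

```python
"""Phase 2 control review roll-up: pass/fail per application and failure
trending by control across all reviewed applications.

Added worked example; not code from the presentation. Control identifiers
follow the NIST family-number form; the baseline each is assigned to here,
the scope tags, the application names and every review result are
constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

LEVEL_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


class Control(NamedTuple):
    control_id: str
    family: str
    lowest_baseline: str  # baselines are cumulative: LOW is a subset of MODERATE is a subset of HIGH
    scope: str            # "application", "system" or "organization"


class ReviewResult(NamedTuple):
    application: str
    control_id: str
    passed: bool
    evidence: str         # "documentation" or "demonstration"


def applicable_controls(catalog: List[Control], app_level: str,
                        scope: str = "application") -> List[Control]:
    """Controls in the given scope whose baseline the application's level reaches."""
    return [c for c in catalog
            if c.scope == scope and LEVEL_RANK[c.lowest_baseline] <= LEVEL_RANK[app_level]]


def application_verdict(app: str, app_level: str, catalog: List[Control],
                        results: List[ReviewResult]) -> Dict:
    """Pass only if every applicable control has a passing result.

    A control that was never reviewed counts as failed, so a missing piece
    of evidence cannot silently pass an application.
    """
    expected = [c.control_id for c in applicable_controls(catalog, app_level)]
    observed = {r.control_id: r for r in results if r.application == app}
    failed = [cid for cid in expected if cid not in observed or not observed[cid].passed]
    unreviewed = [cid for cid in expected if cid not in observed]
    return {
        "application": app,
        "level": app_level,
        "reviewed": len(expected),
        "failed": failed,          # kept in catalog order for consistent reporting
        "unreviewed": unreviewed,
        "passed": not failed,
    }


def build_report(applications: Dict[str, str], catalog: List[Control],
                 results: List[ReviewResult]) -> Dict:
    """Per-application verdicts plus a trend of which controls fail most often."""
    verdicts = {app: application_verdict(app, level, catalog, results)
                for app, level in applications.items()}
    trend = Counter()
    for v in verdicts.values():
        trend.update(v["failed"])
    return {"verdicts": verdicts, "trend": trend.most_common()}


# Constructed catalog excerpt; baseline and scope assignments are illustrative.
CATALOG = [
    Control("AC-2", "AC", "LOW", "application"),       # account management
    Control("AC-6", "AC", "MODERATE", "application"),  # least privilege
    Control("AU-2", "AU", "LOW", "application"),       # audit events
    Control("IA-2", "IA", "LOW", "application"),       # identification and authentication
    Control("CM-3", "CM", "MODERATE", "application"),  # configuration change control
    Control("AU-10", "AU", "HIGH", "application"),     # non-repudiation
    Control("SC-7", "SC", "LOW", "system"),            # boundary protection: a network concern
    Control("AT-2", "AT", "LOW", "organization"),      # security awareness training
]

# Constructed applications (name -> level from Phase 1) and review results.
APPLICATIONS = {"Payroll": "HIGH", "Student Records": "MODERATE"}
RESULTS = [
    ReviewResult("Payroll", "AC-2", True, "documentation"),
    ReviewResult("Payroll", "AC-6", False, "demonstration"),
    ReviewResult("Payroll", "AU-2", True, "demonstration"),
    ReviewResult("Payroll", "IA-2", True, "demonstration"),
    ReviewResult("Payroll", "CM-3", True, "documentation"),
    ReviewResult("Payroll", "AU-10", True, "documentation"),
    ReviewResult("Student Records", "AC-2", True, "documentation"),
    ReviewResult("Student Records", "AC-6", False, "demonstration"),
    ReviewResult("Student Records", "AU-2", True, "demonstration"),
    ReviewResult("Student Records", "IA-2", True, "demonstration"),
    # CM-3 was never reviewed for Student Records: it counts as a failure.
]

REPORT = build_report(APPLICATIONS, CATALOG, RESULTS)

if __name__ == "__main__":
    for v in REPORT["verdicts"].values():
        status = "PASS" if v["passed"] else "FAIL"
        print(f"{v['application']} ({v['level']}): {status}, "
              f"{len(v['failed'])}/{v['reviewed']} failed {v['failed']}")
    print("failures by control:", REPORT["trend"])
```

The trend list is what the final report's "by control" view is built from: a control that fails in most applications (AC-6 in the constructed data) points at an institution-wide procedure gap rather than a single application's defect, which is the distinction the ongoing assessment program draws between application-level fixes and organization-level policy work.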


Ongoing Assessment Program
– Identification of compensating security controls and common controls, or of where the baseline should be tailored given the environment at Towson
– A six-month plan to address the suggestions, including removal of unnecessary data storage, changes to user access rights, implementation of controls, etc.
– Annual reassessment of applications with a risk level of High
– Use the system-level controls to drive additional testing or projects
– Use the organization-level controls to develop institution-wide policies or procedures
– Verification of ad hoc controls through demonstration