Advancing Access to Restricted Data:

1 Advancing Access to Restricted Data:
Regulations, Compliance, Continuous Monitoring…. OH MY!!!
Cornell Institute for Social and Economic Research and Cornell Restricted Access Data Center

2 CISER’s Mission: ….anticipate and support the evolving computational and data needs of Cornell social scientists and economists throughout the entire research process and data life cycle.

3 CISER’s Suite of Services:
• Hardware – High-performance Windows computing environment
• Software – Complete range of software applications
• Data – Extensive archive; supplemented by ICPSR and ROPER memberships
• Data Use Support – Training, consultations, research support, data programming services
• Secure Data Services – Tiered secure environments, including administrative support

• Hardware – High-performance hardware resources to support larger amounts of data being analyzed, access possible from almost anywhere, backup taken care of, shared disk space
• Software – Extensive set of quantitative and qualitative software programs available for use in all public and secure environments, custom solutions, and other software packages useful for researchers, such as reference software like EndNote, scientific typesetting like Scientific Workplace, Adobe Professional, Microsoft Office
• Data – Extensive archives of numeric data files with emphasis on demography, economics, labor, political and social behavior, and health; workshops on data resources; archiving of research data; ongoing expansion of data resources
• Secure Data Services – Multiple, tiered secure environments; support and expertise in obtaining and using restricted data
• Data Use Support – Training, helpdesk, individual consultations, data programming, sponsored project assistance, assistance with research data management plans

4 CRADC Cornell Restricted Access Data Center
• Established in 1999 as a pilot project
• Sponsored by National Science Foundation
• Secure computing environment with remote access

5 CRADC exists to:
• Deliver a high level of customized support
• House and protect restricted research data
• Help PIs comply with requirements of data distributors
• Provide a computing platform as flexible as data use agreements permit

• Identification of applicable data sources
• Writing security plans to meet requirements of data providers
• Coordination with Office of Sponsored Programs (OSP) and Cornell’s Institutional Review Board (IRB)
• Design of sponsor-required research data management plans
• Work with data provider for secure transfer of data to CRADC servers
• Disclosure avoidance review where required
• Customized user environment and backup routines
• Audit and site-visit support

6 Multiple Modes of Secure Access
• Secure Rooms/Dedicated Stand-alone computers
• Secure Rooms/Thin-client access to remote-servers
• Cornell Census Research Data Center (RDC)
• Institut für Arbeitsmarkt- und Berufsforschung (IAB)
• Secure Remote Access

7 Declining use of Public Data in Research

8 Increasing use of Restricted Data in Research

10 Secure research project stages:
• Proposal development – Security Plan, data agreement process
• Project setup – Data procurement, account creation
• Ongoing project support – Continuous monitoring, audit support
• Project closeout processing – De-provisioning, disposal of data

Proposal Development
• Data use agreement
• Security plan
• IRB protocol approvals
• Form 10
• Office of Sponsored Programs approval
• Data distributor approval

Project Setup
• Creates project spaces and accounts
• Produces local user agreements
• Data custodian receives data directly from distributor or from PI
• Data custodian files to CRADC environment

Ongoing Project Support
• Accommodate changes to research team
• Assist with data use agreement modifications
• Work with IRB and OSP as needed
• Audit support
• Project close out
• System updates during monthly downtimes
• Software modules or applications to support research needs

Secure Data Services
• Identification of applicable data sources
• Writing security plans to meet requirements of data providers
• Coordination with Office of Sponsored Programs and Institutional Review Board
• Design of sponsor-required research data management plans
• Work with data provider for secure transfer of data to CRADC servers
• Disclosure avoidance review where required
• Customized user environment and backup routines
• Audit and site-visit support

A complete range of software applications from advanced statistical analysis to graphical presentation and word processing

12 FIPS 199 FIPS 200 SP 800-137 SP 800-53 SP 800-37 SP 800-160 SP 800-53A
Step 1: FIPS 199
Step 2: FIPS 200 and NIST
Step 3: NIST
Step 4: NIST A
Step 5: NIST
Step 6: NIST SP A

14 NIST SP Guide for Developing Security Plans for Federal Information Systems
The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system.

15 FIPS 199 Standards for Security Categorization of Federal Information and Information Systems

16 NIST SP

17 FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
SC = Security categorization

18 NIST SP Rev 4 Security and Privacy Controls for Federal Information Systems and Organizations
The security controls in NIST Special Publication are designed to facilitate compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Compliance is not about adhering to static checklists or generating unnecessary FISMA reporting paperwork. Rather, compliance necessitates organizations executing due diligence with regard to information security and risk management. Information security due diligence includes using all appropriate information as part of an organization-wide risk management program to effectively use the tailoring guidance and inherent flexibility in NIST publications so that the selected security controls documented in organization security plans meet the mission and the business requirements of organizations. Using the risk management tools and techniques that are available to organizations is essential in developing, implementing, and maintaining the safeguards and countermeasures with the necessary and sufficient strength of mechanism to address the current threats to organizational operations and assets, individuals, other organizations, and the Nation. Employing effective risk-based processes, procedures, and technologies will help ensure that all federal information systems and organizations have the necessary resilience to support ongoing federal responsibilities, critical infrastructure applications, and continuity of government.
• 18 Families
• Hundreds of qualifiers
• 457 pages

21 NIST SP (Draft) Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems
This publication addresses the engineering-driven actions necessary for developing a more defensible and survivable information technology (IT) infrastructure – including the component products, systems, and services that compose the infrastructure. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronic Engineers (IEEE) and infuses systems security engineering techniques, methods, and practices into those systems and software engineering processes. The ultimate objective is to address security issues from a stakeholder requirements and protection needs perspective and to use established organizational processes to ensure that such requirements and needs are addressed early in and throughout the life cycle of the system.

23 NIST SP Guide for Applying the Risk Management Framework to Federal Information Systems
The purpose of this publication is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. The guidelines have been developed:
• To ensure that managing information system-related security risks is consistent with the organization’s mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function);
• To ensure that information security requirements, including necessary security controls, are integrated into the organization’s enterprise architecture and system development life cycle processes;
• To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk management-related information, and reciprocity; and
• To achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies.

25 NIST SP Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance (i.e., is the control implemented in accordance with the security plan to address threats and is the security plan adequate).

26 CRADC ……gateway to restricted access data at Cornell University.

27 Questions?
ciser@cornell.edu
cradc@cornell.edu
ciser.cornell.edu
11/15/2018
Not for further distribution

