1
MISA Model
Douglas Petry
Manager, Information Security Architecture
Methodist Health System
[email protected]
402.354.4894
Managed Information Security Architecture
2
Introduction to MISA
The goal of the MISA model is to provide:
A tool to assess the security architecture (16 Areas of Security)
A dashboard executive overview: current state of security capabilities
3
Introduction to MISA
Additional tools were developed to:
Provide a method to identify and document the future state of our security capabilities.
Define efficient implementation approaches across the 16 security areas within the assessment tool.
Map and crosswalk to new and existing regulations to refine the architecture and align with organizational requirements.
Provide metrics or a baseline to enable us to modularize and focus on the levels of security capabilities and deficiencies.
4
Gap Analysis Model
[Diagram: technology areas set against security processes, with the gaps between documentation, policies and procedures, and essential and best practices]
Technology areas: Web Servers; Application Systems; e-Mail; Network Infrastructure; Operating Systems; Databases; Intrusion Detection; Firewalls; Antivirus
Security processes: Educate; Administer; Monitor; Respond; Audit
Layers: Documentation; Policies and Procedures; Essential and Best Practices
Gaps identified: Knowledge Gap; Compliance Gap; Technology Gap
5
Information Security Architecture
What is ISA?
A way to bridge the gaps
Manage the processes
Alignment to business needs
Minimize risks without impeding the quality of care to the customer
6
ISA –vs.– Managed ISA (MISA)
Managed ISA, or MISA, provides:
Ongoing review and quality assurance of an ISA, with metrics to track ISA capabilities from a current state to a future state
ISA provides system-based assessments; MISA assesses the ISA methodologies
7
ISA –vs.– Managed ISA (MISA)
ISA provides the framework within which our security program aligns with our business objectives and involves:
Organizational Infrastructure
Policies, Standards, and Procedures
Security Baselines and Assessments
Training and Awareness
Compliance
MISA provides the managerial, operational, and technical controls necessary to help ensure security.
8
Managed ISA
[Diagram: MISA wraps the ISA with three activities: Manage, Measure, Document]
Most security architectures provide ample documentation on controls, policies, and procedures. In some cases, metrics are identified for specific systems or capabilities.
MISA manages and measures the security capabilities and the architecture.
9
MISA – Documentation
Document: Management Controls; Operational Controls; Technical Controls
System Security Plan – NIST 800-18
Business Contingency Plan – NIST 800-34
Incident Response Capability – NIST 800-3
10
MISA – Measurement
Measure: Assessments; Internal / External Audit; Operational Metrics
Security Metrics Guide – NIST 800-55
Security Self Assessment Guide – NIST 800-26
CSI – IPAK, NSA IAM, BS 7799, ISO 17799
11
MISA – Management
Manage: Review / Refine; Certification; Accreditation
URAC
BS 7799 / ISO 17799
12
MISA - Overview
MISA requires you to:
Determine Security Capabilities
Determine Current State
Determine Future State
Develop Route Map to Future State
Identify Key Initiatives
Continuous Quality Improvement
Re-Assess Current State / Future State
13
Security Capability Identification
[Diagram: control areas from source frameworks, mapped into the 16 MISA Security Capabilities]
NIST: Review of Security Controls; Life Cycle; System Security Plan; Authorized Processing C/A; Risk Management; Physical / Environmental Protection; Production Input/Output Control; Hardware and System Software Maintenance; Contingency Planning; Personnel Security; Documentation; Security Awareness, Training, Education; Identification and Authorization; Incident Response; Data Integrity; Audit Trails; Logical Access Controls
Baylor: Security Strategy; Security Program Structure; Security Policies, Standards & Guidelines; User Security Awareness; Security Sponsorship; User Security Management; Contingency Planning & Controls; Security Operations; Physical & Environmental Controls; Security Program Resources & Skill Sets; Host Based Security; Internal Network Security; Application Security; Network Perimeter Security; Security Monitoring; Database/Datasets Security
NSA: Information Security Roles & Responsibilities; Identification & Authentication; Session Controls; Account Management; Information Security Documentation; Telecommunications; Auditing; Contingency Planning; Virus Protection; External Connectivity; Configuration Management; Back-ups; Media Sanitization/Disposal; Labeling; Maintenance; Personnel Security; Physical Controls
HIPAA: Security Responsibility; Workforce Security; Security Awareness & Training; Information Access Management; Security Management Process; Contingency Plan; Evaluation; Facility Access Controls; Business Associate Contracts & Agreements; Security Incident Response Procedures; Workstation Security; Device & Media Controls; Audit Controls; Access Controls; Workstation Use; Person or Entity Authentication; Integrity
MISA Security Capabilities: Sponsorship/Responsibility; Certification/Accreditation/Evaluation; Documentation; Risk Management; Charter/Plan; End User Controls; Training/Awareness; Audit Controls; Integrity Controls; Information Management; Network/Telecommunications; Contingency Controls; Access Controls; Encryption; Physical/Environmental; Incident Response
Also shown on the slide: Training & Awareness; Transmission Security
14
Security Capabilities
[Diagram: the 16 capabilities arranged on a wheel, grouped as Strategic and Tactical]
C / A – Evaluation; End User Controls; Training / Awareness; Integrity Controls; Charter / Plan; Contingency Controls; Incident Response; Physical / Environmental; Encryption; Network / Telecom; Access Controls; Audit Controls; Sponsorship / Responsibility; Information Mgmt; Risk Management; Documentation
Strategic / Tactical
15
[Diagram: Manage, Measure, Document – MISA]
16
Information Service Policy Structure
Tier 1 Policy – Corporate
Tier 2 Policy – Business Unit / Service
Tier 3 Policy – System Specific
System-level documents: System Administrator Handbook; Risk Management Guide; System Security Plan; System Continuity Plan; System Incident Response Plan
17
MISA – Topology
[Diagram]
Foundations: Vision; Mission; Values; Security Charter; Security Policy
Documentation: System Security Plan; Business Contingency Plan; Incident Response Plan; Security Handbook (Admin, User); Security Certification and Accreditation of IT System
Capability Assessment: Current State; Future State; Baseline / Ongoing Metrics
Security Capabilities: Charter / Plan; Audit Controls; Access Controls; Encryption; Integrity Controls; Networks & Telecommunication; Physical / Environmental; Incident Response; Contingency Controls; Training / Awareness; End User Controls; Information Management; Documentation; Risk Management; Certification / Accreditation; Sponsorship / Responsibility
18
MISA – Topology
[Topology diagram as on slide 17; this slide highlights the documentation layer]
Foundations for Security Program
The Documentation
Manage, Measure, Document
19
MISA – Topology
[Topology diagram as on slide 17; this slide highlights the security capabilities]
Security Capabilities
The Measurement
Manage, Measure, Document
20
Implementation Road Map – Information Management
First Month:
Assess current practices
Gather best practice guides
Determine gaps in information management practices
Assign members to sub-committee to develop documentation policy & procedures
Determine gaps in terminated employee removal process
Second Month:
Draft changes made to Confidentiality & Network Security policies
Update System Access forms
Update System Access Authorization Procedure
Draft information classification guide
Third Month:
Approve policy changes with the Information Systems Committee
Put new System Access forms on the intranet
Communicate new System Access Authorization Procedure to Directors & Managers
Finalize information classification guide
Fourth Month:
Implement training for Information Systems on new policies & procedures
Implement training for Internal Audit on new policies & procedures
Distribute information classification guide to all departments
Six Months:
Implement inspection of policies & procedures by Internal Audit
Revise procedures & policies as needed
Information Management – Current State:
Network Security Policy
System Access Authorization Forms
No Information Classification Guide
System Access Authorization Procedure
Confidentiality Policy
Future State:
Policies updated to reflect best practices
Procedures updated
Classification Guide developed
Information is labeled & disposed of IAW policies & procedures
Information is stored & handled IAW policies & procedures
21
Capability Assessment
[Assessment worksheet for capability 16, Auditing; the per-row X marks cannot be placed in their columns from the extraction]
Column groups:
Metrics: Low; Medium; High
Implemented Safeguard: Does Not Apply; Nothing in Place; A Little in Place; Acceptable Level; A Lot in Place; Fully Integrated
Business: High Priority; Budgeted; Documentation
Impact Analysis; Risk Analysis
Assessment items:
Deposits and withdrawals of tapes and other storage media from the library authorized and logged.
Audit trails used for receipt of sensitive inputs/outputs.
Controls in place for transporting or mailing media or printed output.
Audit trails kept for inventory management.
Activity involving access to and modification of sensitive or critical files logged, monitored, and possible security violations investigated.
Audit trail provides a trace of user actions.
Audit trail supports after-the-fact investigations of how, when, and why normal operations ceased to operate.
Access to online audit logs strictly controlled.
Off-line storage of audit logs retained for a period of time, and if so, access to audit logs strictly controlled.
Separation of duties exists between security personnel who administer the access control function and those who administer the audit trail.
Audit trails reviewed frequently.
Automated tools used to review audit records in real time or near real time.
Suspicious activity investigated and appropriate action taken.
If keystroke monitoring is used, are users notified of it.
Physical security audit team regularly tests and assesses the quality of the organization's physical security.
Organization established routine testing, auditing and change management procedures to support the certification process.
Column totals: 4 8 4 1 0 3 6 5 1 12 1 7
Security Auditing Capabilities Risk Value: 28.82%
22
Security Capabilities
Security Capability – Current Risk Rating (High / Medium / Low capability risk; capabilities grouped as Technical, Management, and Operational)
1 Charter / Plan 34.25%
2 Sponsorship / Responsibility 44.12%
3 Certification / Accreditation Evaluation 68.74%
4 Risk Management 31.49%
5 Documentation 57.11%
6 Information Management 48.14%
7 End User Controls 74.67%
8 Training / Awareness 63.18%
9 Contingency Controls 16.41%
10 Incident Response 81.44%
11 Physical / Environmental Controls 14.51%
12 Networks and Telecommunications Controls 11.26%
13 Integrity Controls 64.21%
14 Encryption 68.49%
15 Access Controls 41.71%
16 Audit Controls 28.82%
23
MISA – Topology
[Topology diagram as on slide 17; this slide highlights the management activity]
Strategic Initiative Alignment
The Management
Manage, Measure, Document
24
MISA – Topology
[Topology diagram as on slide 17; this slide highlights the refinement cycle]
Quality Improvement
The Refinement
Manage, Measure, Document
25
Security Capabilities
[Capability wheel as on slide 14: C / A – Evaluation; End User Controls; Training / Awareness; Integrity Controls; Charter / Plan; Contingency Controls; Incident Response; Physical / Environmental; Encryption; Network / Telecom; Access Controls; Audit Controls; Sponsorship / Responsibility; Information Mgmt; Risk Management; Documentation; grouped as Strategic and Tactical]
Manage, Measure, Document
26
Benefit Summary
The Bottom Line = MISA provides:
A structured approach to a security architecture
and
Consistent tools/methods that encourage collaboration and vendor leverage, resulting in increased security awareness!