2010 secure world boston nist
DESCRIPTION
Presentation on using the NIST Risk Management Framework to comply with FISMA, HIPAA and state data privacy requirements.

TRANSCRIPT
SecureWorld Expo - Boston - March 24, 2010 -Room 104
NIST, FISMA, HIPAA and Data Privacy –
Where to Begin
Candy Alexander, CISSP, CISM
SecureWorld Expo Boston
March 24, 2010, Room 104
Topics
Setting the stage for a case study
Understanding the requirements
How NIST can help
A closer look at NIST
Summary
Setting the Stage
Organization driven by multiple requirements:
FISMA
HIPAA*
Data privacy (45 states and the Feds)
MA 201 CMR 17
Small organization with minimal resources; need to work smart
Identify one framework that fits all requirements
Existing work was based on the HIPAA Privacy and Security Rules; redirect it into the NIST framework to meet *all* requirements
* Additional push from the new HITECH Act; summary of changes at the end of the slides
Understanding the Requirements…
Need to understand the business requirements:
Compliance (just enough, or enough to actually protect)
Big budget, or barely enough
Frameworks available:
ISO ($$$)
COBIT ($$)
NIST (free)
Do it yourself ($?)
All of these + a notification process*
As a federal contractor, we used the NIST Risk Management Framework (RMF) with SP 800-53 and SP 800-66 Rev. 1
Using the NIST Risk Management Framework (RMF)*
* NIST SP800-66 Rev. 1 October 2008
Step 1 – Categorize Information and Assets
Use FIPS 199 to identify the CIA (confidentiality, integrity and availability) rating score
Great tool for communicating risk to the business
For PHI (Protected Health Information), "C" and "I" should be high; availability is up to the process owner
Identify PII (Personally Identifiable Information) and its business owner (supports data privacy requirements)
Identify "where" in the organization PII/PHI is (applications, folders, etc.); supports the PHI tracking requirement for HIPAA
Use NIST SP 800-60 for guidance
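The categorization step above is the FIPS 199 high-water mark method: each information type gets an impact level for confidentiality, integrity and availability, a system's security category is the highest level per objective across the types it holds, and its overall impact level (FIPS 200) is the highest of the three. The following is an added example written for this page, not the presenter's material; the inventory is constructed sample data, and the check that PHI must be at least HIGH for C and I encodes the slide's recommendation rather than a FIPS requirement.

```python
"""Added example: FIPS 199 categorization with the high-water mark rule.

Illustrative code written for this page, not the presenter's material.
The SYSTEMS inventory is constructed sample data. The PHI check follows
the slide's guidance (C and I at least HIGH; availability is left to
the process owner), not a rule stated in FIPS 199 itself.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class InfoType:
    name: str
    owner: str            # business owner, needed for data privacy tracking
    location: str         # where it lives: application, share, folder, ...
    confidentiality: str  # LOW / MODERATE / HIGH
    integrity: str
    availability: str
    phi: bool = False     # protected health information (HIPAA)
    pii: bool = False     # personally identifiable information


def high_water_mark(levels):
    """Return the highest impact level among `levels` (FIPS 199 aggregation)."""
    return max(levels, key=RANK.__getitem__)


def categorize_system(info_types):
    """FIPS 199 security category of a system holding `info_types`."""
    return {
        "confidentiality": high_water_mark(t.confidentiality for t in info_types),
        "integrity": high_water_mark(t.integrity for t in info_types),
        "availability": high_water_mark(t.availability for t in info_types),
    }


def system_impact_level(category):
    """FIPS 200 overall impact level: high-water mark across C, I and A."""
    return high_water_mark(category.values())


def phi_findings(info_types):
    """Names of PHI types rated below HIGH for C or I (the slide's guidance)."""
    return [
        t.name for t in info_types
        if t.phi and (RANK[t.confidentiality] < RANK["HIGH"]
                      or RANK[t.integrity] < RANK["HIGH"])
    ]


def phi_pii_locations(info_types):
    """Where PHI/PII sits, with its owner; supports HIPAA and privacy tracking."""
    return sorted({(t.name, t.owner, t.location) for t in info_types if t.phi or t.pii})


# Constructed sample inventory for a small organization's systems.
SYSTEMS = {
    "claims-app": [
        InfoType("patient-records", "Clinical Ops", "claims-app/db",
                 "HIGH", "HIGH", "MODERATE", phi=True, pii=True),
        InfoType("billing", "Finance", "claims-app/db",
                 "MODERATE", "HIGH", "MODERATE", pii=True),
    ],
    "file-server": [
        InfoType("hr-records", "HR", "files/hr",
                 "MODERATE", "MODERATE", "LOW", pii=True),
        # PHI that was rated by habit rather than by the slide's rule
        InfoType("scanned-charts", "Clinical Ops", "files/charts",
                 "MODERATE", "MODERATE", "LOW", phi=True),
    ],
    "public-web": [
        InfoType("brochures", "Marketing", "www/", "LOW", "LOW", "LOW"),
    ],
}


def categorize_all(systems=SYSTEMS):
    """Categorize every system: {name: (category, overall level, PHI findings)}."""
    result = {}
    for name, types in systems.items():
        category = categorize_system(types)
        result[name] = (category, system_impact_level(category), phi_findings(types))
    return result


if __name__ == "__main__":
    for name, (category, overall, findings) in categorize_all().items():
        print(f"{name}: SC={category} overall={overall}")
        for finding in findings:
            print(f"  PHI below HIGH for C/I: {finding}")
    everything = [t for types in SYSTEMS.values() for t in types]
    for entry in phi_pii_locations(everything):
        print("PHI/PII location:", entry)
```

Running it reports the file server as MODERATE overall even though it holds PHI, and flags `scanned-charts` as the reason: the high-water mark only raises a system to the level its owners assigned, so the categorization review has to catch under-rated PHI before the baseline in Step 2 is chosen.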
Step 2 – Security Controls
Use FIPS 200 to identify the minimum baseline
Select the controls to be used, identified in SP 800-53 (Rev. 3), that are appropriate to the environment (risk-based approach)
Document the controls/requirements in a security plan for each IT system
NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
Step 3 – Implement Security Controls
Uses various automated tools and manual processes:
Operating system controls
Application controls
System development life cycle
A full array of publications is available to provide guidance on each specific topic/requirement
See http://csrc.nist.gov: Special Pubs, FIPS pubs, IRs (internal reports) and ITL (Information Technology Lab) Bulletins
Step 4 - Assess Controls
Evaluate the controls with SP 800-53A
Internal audits
External audits
Step 5 – Authorize Information System
Authorization to Operate (ATO); primarily for FISMA compliance
Essentially, the designated approving authority (authorizing official) reviews the controls and the evaluation of the controls, then authorizes use with an explicit decision to accept the residual risk
Not a bad idea for getting executives to understand, review and accept the risk
Step 6 – Monitor Security
Continuous monitoring of:
Threats and vulnerabilities
Controls put in place to mitigate risk
Ensure everything is effective and working as intended
Ensure documentation is updated
Conduct impact analysis of changes
FISMA… Certification & Accreditation
What is Certification and Accreditation?
Certification and Accreditation is a process that ensures that systems and major applications adhere to formal and established security requirements that are well documented and authorized.1
Sound a little like MA 201 CMR 17?
Obtaining the C&A removes the uncertainty of compliance
Much like ISO, PCI and SAS 70 Type II?
Auditors appreciate the structure
1 e-Articles.info on ask.com
FISMA/NIST C&A
C&A guidance is available through SP 800-37
Provides the accrediting authority (and auditors) a high degree of confidence that the managerial, technical and operational security controls work as intended and that the information processed, stored and transmitted by the system is protected
Controls based on FIPS 199, FIPS 200, NIST SP 800-66 (HIPAA) and SP 800-53
C&A should be completed prior to production and the system re-accredited when a significant change occurs, as directed by the agency contract/authorizing official, or at minimum every three years
C&A Phases
Consists of 4 distinct phases:
1. Initiation Phase
2. Security Certification Phase
3. Security Accreditation Phase
4. Continuous Monitoring Phase
Each phase has a detailed list of tasks and subtasks, documents and artifacts that are used to support the next phase
Certification Package*
1. Updated System Security Plan
2. Completed Security Risk Assessment
3. Updated Configuration Management Plan
4. Contingency Management Plan(s)
5. Security Test & Evaluation Report
6. User Manuals
7. Interconnection Security Agreements or MOUs (Business Associate Agreements for HIPAA)
8. Privacy Impact Assessments
9. Federal Register System of Records Notice
10. Plan of Action & Milestones
* Exact contents are defined by the Information System Owner
Accreditation Package
1. Security Assessment Report
2. Security Accreditation Decision Letter
3. System Security Plan
4. Plan of Action & Milestones
HITECH Act - Tougher HIPAA
From a privacy/security perspective:
Breach notification (tougher requirements)
Wider scope, now including Business Associates (2/17/10)
Accounting of disclosures (more rigorous)
Enforcement (2/17/10): increased penalties ($$$)
State AG enforcement
Questions?
Candy Alexander, CISSP [email protected]