Date posted: 27-Dec-2015
Applied Technology Services, Inc.
Your Partner in Technology
www.appliedtechnologyservices.com
Protecting Your Institutional Data: If You Don’t Do It, Who Will?
Data and Application Issues
• Processing, Storage and Transmission of Sensitive Data in Third Party Applications
  – Where is sensitive data being stored and accessed?
  – Who has access to it?
  – What controls are in place to manage and/or limit access?
• Application Sprawl
• Awareness
• Regulatory Requirements
Questions to Ask Yourself
• What data do we as an Institution deem as sensitive?
• Where is sensitive data being stored, processed or transmitted?
• Who has access to sensitive data?
• What controls are in place to secure applications which have sensitive data?
• Are we addressing all controls as required by the USM Security Guidelines and DOIT Security Policy (including all controls in NIST 800-53)?
• What processes are in place to manage changes to applications that have sensitive data?
• Are we doing enough?
A Scope of Work to Answer Those Questions and Address the Underlying Issues
• Template Preparation
  – Develop data capture templates and assessment questions
  – Identify NIST Access Control Policy Categories and/or individual controls to include in application review
  – Confirm sensitivity level when controls are applicable
• Application Review
  – Phase One: Data Capture
    • Review all applications, capture required data and determine application sensitivity level
    • Classify Information Types by Data Sensitivity Risk Level Designation
  – Phase Two: Control Review
    • Obtain detailed information on sensitive data
    • Review controls for sensitive applications and verify through documentation or by demonstration
  – Develop Recommendations
• Procedural Documentation
  – Develop onboarding documentation for all new applications
  – Develop easily understandable access control procedure documentation for all applications
  – Develop easily understandable change control procedures for all applications
[Diagram: Template Preparation → Phase One Review → Phase Two Review (Access Control) → Procedural Documentation. A parallel track, Review of Current Procedures for Onboarding, Identifying Controls and Change Control, feeds Onboarding Documentation, Change Control Procedural Documentation and Recommendations.]
Why NIST?
USM Security Guidelines: Addresses security standards established by DOIT, interpreted in the context of USM.

MD DOIT IT Security Policy: Framework developed using applicable guidelines in NIST. Only those controls designed to protect systems with a ‘moderate’ category level are included.

NIST 800-53: Minimum information security requirements based on categorizations by FIPS 199 and 200.
Use NIST Guidelines to Map Data Sensitivity to Risk Policy
Use the high water mark to determine the risk level of the individual information type AND the risk level of the application.
Information Type 1: {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)} = HIGH
Information Type 2: {(confidentiality, MODERATE), (integrity, LOW), (availability, LOW)} = MODERATE
The application is classified as HIGH. Correlate this to Institution-defined risk levels.
What is the impact to the Institution if the confidentiality, integrity or availability of this data is compromised?
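The high-water-mark rule above, as an added Python example (not from the presentation): each information type takes the highest of its three impact levels, and the application takes the highest across its information types. The impact levels and the two sample information types are the slide's; the function names are this example's.

```python
from typing import Dict, List, Tuple

# Impact levels in increasing order; the high-water mark is the maximum.
IMPACT_ORDER = {"LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_information_type(impacts: Dict[str, str]) -> str:
    """High-water mark over confidentiality, integrity and availability."""
    levels = []
    for objective in OBJECTIVES:
        if objective not in impacts:
            raise ValueError(f"no impact level given for {objective}")
        level = impacts[objective].upper()
        if level not in IMPACT_ORDER:
            raise ValueError(f"unknown impact level {level!r} for {objective}")
        levels.append(level)
    return max(levels, key=IMPACT_ORDER.__getitem__)


def driving_objectives(impacts: Dict[str, str]) -> List[str]:
    """Objectives whose impact equals the high-water mark (the 'driver')."""
    top = categorize_information_type(impacts)
    return [o for o in OBJECTIVES if impacts[o].upper() == top]


def categorize_application(info_types: Dict[str, Dict[str, str]]) -> Tuple[str, Dict[str, str]]:
    """Application level = high-water mark across all of its information types."""
    if not info_types:
        raise ValueError("an application must declare at least one information type")
    per_type = {name: categorize_information_type(imp) for name, imp in info_types.items()}
    app_level = max(per_type.values(), key=IMPACT_ORDER.__getitem__)
    return app_level, per_type


# Constructed sample input: the two information types from the slide.
SAMPLE_APPLICATION = {
    "Information Type 1": {"confidentiality": "HIGH", "integrity": "MODERATE", "availability": "MODERATE"},
    "Information Type 2": {"confidentiality": "MODERATE", "integrity": "LOW", "availability": "LOW"},
}

if __name__ == "__main__":
    level, detail = categorize_application(SAMPLE_APPLICATION)
    for name, lvl in detail.items():
        drivers = ", ".join(driving_objectives(SAMPLE_APPLICATION[name]))
        print(f"{name}: {lvl} (driven by {drivers})")
    print(f"Application: {level}")
```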
Who Should Determine Sensitivity?
Possible Sources:
• Data Stewards / Data Governance Committee
• Application/Business Owners
• Information Technology Owners
• IT Security Team
What We Found:
• Impacts associated with integrity and availability made sense at the department level
• Confidentiality was applicable to the Institution as a whole
• Confidentiality was always the driver for the risk level
Identify NIST Controls to include in Application Review
• Control Families from FIPS-200:
  – Access Control (AC)
  – Awareness and Training (AT)
  – Audit and Accountability (AU)
  – Certification, Accreditation and Security Assessments (CA)
  – Configuration Management (CM)
  – Contingency Planning (CP) – Out of Scope
  – Identification and Authentication (IA)
  – Incident Response (IR) – Out of Scope
  – Maintenance (MA) – Out of Scope
  – Media Protection (MP) – Out of Scope
  – Physical and Environmental Protection (PE)
  – Planning (PL)
  – Personnel Security (PS)
  – Risk Assessment (RA)
  – System and Services Acquisition (SA)
  – System and Communications Protection (SC)
  – Systems and Information Security (SI)
Start by segregating controls by Application, System or Organization
Confirm and tailor baselines for system level
• Are all of the controls applicable to an application-level review? For example, boundary protection is not an application concern, it’s a network infrastructure concern.
• Are any of the controls listed “Common Controls”? That is, controls managed by an organizational entity other than the information system owner.
Columns LOW/MOD/HIGH are the NIST 800-53 Control Baselines; columns 0-Low through 3-Highest are the Application Control Baseline (whether the control is included at each application risk level).

| CNTL # | Control Name | Priority | LOW | MOD | HIGH | 0-Low | 1-Moderate | 2-High | 3-Highest |
|---|---|---|---|---|---|---|---|---|---|
| AC-2 | Account Management | P1 | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4) | Yes | Yes | Yes | Yes |
| AC-3 | Access Enforcement | P1 | AC-3 | AC-3 | AC-3 | Yes | Yes | Yes | Yes |
| AC-5 | Separation of Duties | P1 | Not Selected | AC-5 | AC-5 | No | Yes | Yes | Yes |
| AC-6 | Least Privilege | P1 | Not Selected | AC-6 (1) (2) | AC-6 (1) (2) | No | Yes | Yes | Yes |
| AC-7 | Unsuccessful Login Attempts | P1 | AC-7 | AC-7 | AC-7 | Yes | Yes | Yes | Yes |
| AC-8 | System Use Notification | P1 | AC-8 | AC-8 | AC-8 | Yes | Yes | Yes | Yes |
| AC-14 | Permitted Actions without Identification or Authentication | P1 | AC-14 | AC-14 (1) | AC-14 (1) | Yes | Yes | Yes | Yes |
| AC-17 | Remote Access | P1 | AC-17 | AC-17 (1) (2) (3) (4) (5) (7) (8) | AC-17 (1) (2) (3) (4) (5) (7) (8) | Yes | Yes | Yes | Yes |
| AC-19 | Access Control for Mobile Devices | P1 | AC-19 | AC-19 (1) (2) (3) | AC-19 (1) (2) (3) | Yes | Yes | Yes | Yes |
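An added example (not from the presentation) of turning baseline rows like the ones above into the control set an application at a given level must demonstrate: the cell notation ("AC-2 (1) (2) (3) (4)") is parsed into a control id plus enhancement numbers, "Not Selected" cells are skipped, and any controls the reviewer names as common controls (an assumed caller-supplied list, following the question above) are dropped because they are reviewed at the organization level. The row data is the table's; the function names are this example's.

```python
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# (control id, name, priority, LOW baseline, MOD baseline, HIGH baseline), from the table.
BASELINE_ROWS = [
    ("AC-2", "Account Management", "P1", "AC-2", "AC-2 (1) (2) (3) (4)", "AC-2 (1) (2) (3) (4)"),
    ("AC-3", "Access Enforcement", "P1", "AC-3", "AC-3", "AC-3"),
    ("AC-5", "Separation of Duties", "P1", "Not Selected", "AC-5", "AC-5"),
    ("AC-6", "Least Privilege", "P1", "Not Selected", "AC-6 (1) (2)", "AC-6 (1) (2)"),
    ("AC-7", "Unsuccessful Login Attempts", "P1", "AC-7", "AC-7", "AC-7"),
    ("AC-8", "System Use Notification", "P1", "AC-8", "AC-8", "AC-8"),
    ("AC-14", "Permitted Actions without Identification or Authentication", "P1", "AC-14", "AC-14 (1)", "AC-14 (1)"),
    ("AC-17", "Remote Access", "P1", "AC-17", "AC-17 (1) (2) (3) (4) (5) (7) (8)", "AC-17 (1) (2) (3) (4) (5) (7) (8)"),
    ("AC-19", "Access Control for Mobile Devices", "P1", "AC-19", "AC-19 (1) (2) (3)", "AC-19 (1) (2) (3)"),
]
LEVEL_COLUMN = {"LOW": 3, "MOD": 4, "MODERATE": 4, "HIGH": 5}   # tuple index of each baseline column
CELL_RE = re.compile(r"^([A-Z]{2}-\d+)((?:\s*\(\d+\))*)$")


def parse_cell(cell: str) -> Optional[Tuple[str, Set[int]]]:
    """'AC-2 (1) (2)' -> ('AC-2', {1, 2}); 'Not Selected' -> None."""
    text = cell.strip()
    if text == "Not Selected":
        return None
    m = CELL_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised baseline cell: {cell!r}")
    return m.group(1), {int(n) for n in re.findall(r"\((\d+)\)", m.group(2))}


def select_baseline(level: str, common_controls: Iterable[str] = ()) -> Dict[str, Set[int]]:
    """Control id -> enhancement numbers an application at `level` must demonstrate.
    Ids in `common_controls` (assumed reviewer input) are inherited from the
    organization and therefore left out of the application-level review."""
    col = LEVEL_COLUMN[level.upper()]
    inherited = set(common_controls)
    selected: Dict[str, Set[int]] = {}
    for row in BASELINE_ROWS:
        parsed = parse_cell(row[col])
        if parsed is None:
            continue                      # "Not Selected" at this baseline
        control_id, enhancements = parsed
        if control_id in inherited:
            continue                      # common control, reviewed elsewhere
        selected[control_id] = enhancements
    return selected
```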
Are all Controls Equal?
• NIST identifies a priority associated with each control
• May choose to develop internal priority based on other sources (i.e. USM)
Chart removed
Control Segregation
• 67 Application-level controls (42 Prioritized as higher)
• 56 Organization-level controls
• 65 System-level Controls
• 21 Not Applicable *
Phase 1: Data Capture
• Capture basic information on the application, including a description, user types and roles
• Identify information types stored in the application
• Assess impact of confidentiality, integrity and availability for each application
• Identify integration points with other applications
• Capture all “sensitive” data stored in the application or queried from other sources
• Identify current procedures to gain access to the application
Data Classification
• Consolidate data capture results
• Review information types by application
• Assign confidentiality impact across all information types
• Categorize application risk level
• Develop reports to illustrate risk levels by institution, department, # of occurrences, database type, application host, and use of specific PII (i.e. SSN and Credit Card Number)
• Identify applications requiring control review.
Phase 2: Control Review
• For each application deemed “sensitive”, review all applicable controls for the given sensitivity category
• Verify selected controls through documentation or demonstration
• Capture all instances of failed controls and document
• Pass/fail the application
Making a Control Review Make Sense
Develop questions and guidance for each control
Chart removed
Final Report
• Provide pass/fail statistics for each application and illustrate trending across all applications by control.
• Develop action items for each application addressing areas where additional follow up is required.
• Make recommendations associated with the appropriateness of process and procedures associated with the access and storage of data.
• Make recommendations on subsequent security assessments.
Ongoing Assessment Program
• Identification of compensating security controls and common controls, or where the baseline should be tailored given the environment at Towson
• 6 month plan to address suggestions, including removal of unnecessary data storage, changes to user access rights, implementation of controls, etc.
• Annual reassessment of applications with a risk level of High
• Use the System-level controls to drive additional testing or projects
• Use the Organization-level controls to develop institution-wide policies or procedures
• Verification of ad hoc controls through demonstration