v10 Example v1

8/10/2019 v10 Example v1

http://slidepdf.com/reader/full/v10-example-v1 1/217

OCTAVE ® -S

Implementation

Guide, Version 1.0

Volume 10:

Example Senario

Christopher Alberts

Audrey Dorofee

James Stevens

Carol Woody

January 2005

HANDBOOK

CM!S"#$%&&'$HB$&&'

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


(ittsbur)h* (A +,%+'$'-.&

OCTAVE ® -S Implementation

Guide, Version 1.0

Volume 10: Example Senario

CM!S"#$%&&'$HB$&&'

Christopher Alberts

Audrey Dorofee

James Stevens

Carol Woody

January 2005

!et"or#ed S$stems Sur%i%a&ilit$ 'ro(ram

nlimited distribution sub/e0t to the 0opyri)ht1

8/10/2019 v10 Example v1


This report was prepared for the

SEI Joint Program Office

HQ ESC/DIB

5 Egin Street

Hanscom !"B# $! %&'(&)*&&+

The ideas and findings in this report sho,d not -e constr,ed as an officia DoD position. It is p,-ished in theinterest of scientific and technica information echange.

"O0 THE CO$$!1DE0

Christos Scondras

Chief of Programs# 2P3

This wor4 is sponsored - the 6.S. Department of Defense. The Software Engineering Instit,te is afedera f,nded research and de7eopment center sponsored - the 6.S. Department of Defense.

Copright *%%( - Carnegie $eon 6ni7ersit.

8 OCT!9E is registered in the 6.S. Patent : Trademar4 Office - Carnegie $eon 6ni7ersit.

S$ Operationa Critica Threat# !sset# and 9,nera-iit E7a,ation is a ser7ice mar4 of Carnegie $eon 6ni7ersit.

1O ;!00!1T<

THIS C!01E=IE $E>>O1 61I9E0SIT< !1D SO"T;!0E E1=I1EE0I1= I1STIT6TE $!TE0I!> IS"601ISHED O1 !1 ?!S)IS? B!SIS. C!01E=IE $E>>O1 61I9E0SIT< $!3ES 1O ;!00!1TIESO" !1< 3I1D# EITHE0 E2P0ESSED O0 I$P>IED# !S TO !1< $!TTE0 I1C>6DI1=# B6T 1OT>I$ITED TO# ;!00!1T< O" "IT1ESS "O0 P60POSE O0 $E0CH!1T!BI>IT<# E2C>6SI9IT<# O00ES6>TS OBT!I1ED "0O$ 6SE O" THE $!TE0I!>. C!01E=IE $E>>O1 61I9E0SIT< DOES 1OT $!3E !1< ;!00!1T< O" !1< 3I1D ;ITH 0ESPECT TO "0EEDO$ "0O$ P!TE1T#T0!DE$!03# O0 COP<0I=HT I1"0I1=E$E1T.

6se of an trademar4s in this report is not intended in an wa to infringe on the rights of the trademar4 hoder.

Interna ,se. Permission to reprod,ce this doc,ment and to prepare deri7ati7e wor4s from this doc,ment for interna ,se is

granted# pro7ided the copright and ?1o ;arrant? statements are inc,ded with a reprod,ctions and deri7ati7e wor4s.

Eterna ,se. 0e@,ests for permission to reprod,ce this doc,ment or prepare deri7ati7e wor4s of this doc,ment for eterna

and commercia ,se sho,d -e addressed to the SEI >icensing !gent.

This wor4 was created in the performance of "edera =o7ernment Contract 1,m-er "&A+*)%%)C)%%%( with Carnegie

$eon 6ni7ersit for the operation of the Software Engineering Instit,te# a federa f,nded research and de7eopment

center. The =o7ernment of the 6nited States has a roat)free go7ernment)p,rpose icense to ,se# d,picate# or discose the

wor4# in whoe or in part and in an manner# and to ha7e or permit others to do so# for go7ernment p,rposes p,rs,ant to the

copright icense ,nder the ca,se at *5*.**')'%&(.

"or information a-o,t p,rchasing paper copies of SEI reports# pease 7isit the p,-ications portion of o,r ;e- site

http//www.sei.cm,.ed,/p,-ications/p,-we-.htm.

8/10/2019 v10 Example v1


Ta&le o) Contents

A&out T*is +oument..............................................................................................%

A&strat...................................................................................................................%ii

1 edSite a#(round........................................................................................1

+1+ MedSite Des0ription1111111111111111111111111111111111111111111111111111111111111111111111111111111111111+

+1% MedSite2s Or)ani3ational Stru0ture11111111111111111111111111111111111111111111111111111111111111+

+1' MedSite2s System1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111%+14 MedSite 5eam2s "6perien0e1111111111111111111111111111111111111111111111111111111111111111111111111'

+141+ (hase +7 Build Asset$Based 5hreat (rofiles111111111111111111111111111111111114

+141% (hase %7 #dentify #nfrastru0ture 8ulnerabilities11111111111111111111111111111111-

+141' (hase '7 Develop Se0urity Strate)y and (lans1111111111111111111111111111+&

!otes and /eommendations or#s*eet....................................................1

2 Ation 3ist or#s*eet....................................................................................

4 Impat E%aluation Criteria or#s*eet..........................................................22

5 Asset Identi)iation or#s*eet.....................................................................45

6 Seurit$ 'raties or#s*eet.......................................................................51

Critial Asset Seletion or#s*eet...............................................................72

7 Critial Asset In)ormation or#s*eet )or S$stems......................................7

8 /is# 'ro)ile or#s*eets )or S$stems 9 'I+S...............................................81.1+ 9is: (rofile Wor:sheet for (#DS ; Human A0tors sin) Net<or: A00ess11.'

.1% 9is: (rofile Wor:sheet for (#DS ; Human A0tors sin) (hysi0al A00ess+&+

.1' 9is: (rofile Wor:sheet for (#DS ; System (roblems1111111111111111111111111111111+&.

.14 9is: (rofile Wor:sheet for (#DS ; Other (roblems1111111111111111111111111111111111++=

10 /is# 'ro)ile or#s*eet )or AC S$stems 9 Ot*er 'ro&lems....................121

8/10/2019 v10 Example v1


Ta-e of Contents OCT!9E)S 9&.%

11 !et"or# Aess 'at*s or#s*eet..............................................................128

1 In)rastruture /e%ie" or#s*eets..............................................................142

12 'ro&a&ilit$ E%aluation Criteria or#s*eet.................................................148

14 'rotetion Strate($ or#s*eet...................................................................152

+41+ (rote0tion Strate)y for Se0urity A<areness and 5rainin)11111111111111111111111+,,

+41% (rote0tion Strate)y for Collaborative Se0urity Mana)ement111111111111111111+,.

+41' (rote0tion Strate)y for Monitorin) and Auditin) (hysi0al Se0urity1111111111+>,

+414 (rote0tion Strate)y for Authenti0ation and Authori3ation111111111111111111111111+=+

+41, (rote0tion Strate)y for Se0urity (oli0ies and 9e)ulations1111111111111111111111+==

15 iti(ation 'lan or#s*eet...........................................................................171

16 !ext Steps or#s*eet..................................................................................185

ii CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


OCT!9E)S 9&.% >ist of "ig,res

3ist o) i(ures

?i)ure +7 Hi)h$@evel MedSite Or)ani3ational Chart111111111111111111111111111111111111111111111111%

CM!S"#$%&&'$HB$&&' 8olume +& iii

8/10/2019 v10 Example v1


>ist of "ig,res OCT!9E)S 9&.%

iv CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


OCT!9E)S 9&.% !-o,t This Doc,ment

A&out T*is +oument

This doc,ment is 9o,me &% of the OCTAVE-S Implementation Guide# a &%)7o,me

hand-oo4 s,pporting the OCT!9E)S methodoog. This 7o,me pro7ides compete eampe

scenario of a fictitio,s medica faciit# $edSite# and the res,ts of its OCT!9E)S e7a,ation.

$ost of the wor4sheets showing the eampe res,ts are pro7ided. Howe7er# the compete

wor4sheets for on one asset rather than fi7e are inc,ded.

The other 7o,mes in this hand-oo4 are

• Volume 1: Introduction to OCTAVE-S F This 7o,me pro7ides a -asic description of

OCT!9E)S and ad7ice on how to ,se the g,ide.

• Volume 2: Preparation Guidelines F This 7o,me contains -ac4gro,nd and g,idance for

preparing to cond,ct an OCT!9E)S e7a,ation.

• Volume 3: Metod Guidelines F This 7o,me inc,des detaied g,idance for each

OCT!9E)S acti7it.

• Volume !: Or"ani#ational In$ormation %or&'oo& F This 7o,me pro7ides wor4sheets for

a organiGationa)e7e information gathered and anaGed d,ring OCT!9E)S.

• Volume (: Critical Asset %or&'oo& $or In$ormation F This 7o,me pro7ides wor4sheets to

doc,ment data reated to critica assets that are categoriGed as information.

• Volume ): Critical Asset %or&'oo& $or S*stems F This 7o,me pro7ides wor4sheets todoc,ment data reated to critica assets that are categoriGed as sstems.

• Volume +: Critical Asset %or&'oo& $or Applications F This 7o,me pro7ides wor4sheets

to doc,ment data reated to critica assets that are categoriGed as appications.

• Volume ,: Critical Asset %or&'oo& $or People F This 7o,me pro7ides wor4sheets to

doc,ment data reated to critica assets that are categoriGed as peope.

• Volume : Strate"* and Plan %or&'oo& F This 7o,me pro7ides wor4sheets to record the

c,rrent and desired protection strateg and the ris4 mitigation pans.

• Volume 10: Example Scenario F This 7o,me inc,des a detaied scenario i,strating a

competed set of wor4sheets.

CM!S"#$%&&'$HB$&&' 8olume +& v

8/10/2019 v10 Example v1


!-o,t This Doc,ment OCT!9E)S 9&.%

vi CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


OCT!9E)S 9&.% !-stract

A&strat

The Operationa Critica Threat# !sset# and 9,nera-iit E7a,ationS$ OCT!9E8

approach defines a ris4)-ased strategic assessment and panning techni@,e for sec,rit.

OCT!9E is a sef)directed approach# meaning that peope from an organiGation ass,me

responsi-iit for setting the organiGations sec,rit strateg. OCT!9E)S is a 7ariation of the

approach taiored to the imited means and ,ni@,e constraints tpica fo,nd in sma

organiGations ess than &%% peope. OCT!9E)S is ed - a sma# interdiscipinar team

three to fi7e peope of an organiGations personne who gather and anaGe information#

prod,cing a protection strateg and mitigation pans -ased on the organiGations ,ni@,e

operationa sec,rit ris4s. To cond,ct OCT!9E)S effecti7e# the team m,st ha7e -road

4nowedge of the organiGations -,siness and sec,rit processes# so it wi -e a-e to cond,ct

a acti7ities - itsef.

CM!S"#$%&&'$HB$&&' 8olume +& vii

8/10/2019 v10 Example v1


!-stract OCT!9E)S 9&.%

viii CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


OCT!9E)S 9&.% $edSite Bac4gro,nd

1 edSite a#(round

To hep o, ,nderstand how to compete the indi7id,a steps in this e7a,ation# we pro7ide an

eampe that i,strates how each step was cond,cted - personne in a fictitio,s sma medica

faciit caed $edSite. The first two sections# inc,ding this one# pro7ide -ac4gro,nd on

$edSite and a commentar a-o,t how the e7a,ation proceeded at $edSite. The rest of this

doc,ment consists of OCT!9E)S wor4sheets showing the res,ts achie7ed - the $edSite

anasis team. The -ac4gro,nd pro7ides the necessar contet to ,nderstand the contents of the

wor4sheets and sho,d -e read in con,nction with the wor4sheets.

1.1 edSite +esription

$edSite is a hospita with se7era cinics and a-s# some of which are at remote ocations. The

hospita inc,des the foowing f,nctiona areas

• a permanent administrati7e organiGation

• permanent and temporar medica personne# inc,ding phsicians# s,rgeons# and medica

staff

• permanent and temporar maintenance personne# inc,ding faciit and maintenancestaff

• a sma information technoog department three peope that is responsi-e for on)site

comp,ter and networ4 maintenance and ,pgrades and for hep des4 acti7ities e.g.# handing

simpe ,ser re@,ests

1. edSite;s Or(ani<ational Struture

The $edSite !dministrator is the chief administrator for the hospita. The chief administrator has

a sma staff that is responsi-e for o7erseeing operations at $edSite. Each maor f,nctiona area

of the organiGation administrati7e# medica# and a- reports direct to the chief administrator.

$edSites senior management team inc,des the $edSite !dministrator and the indi7id,as who

ead the f,nctiona areas of the organiGation. Each f,nctiona area of $edSite contains one or

more operationa areas. The head of each operationa area is considered to -e a midde manager

in the organiGation. "ig,re & shows the organiGationa chart for $edSite.

CM!S"#$%&&'$HB$&&' 8olume +& +

8/10/2019 v10 Example v1


$edSite Bac4gro,nd OCT!9E)S 9&.%

1.2 edSite;s S$stem$edSites main information sstem is the Patient Information Data Sstem PIDS. PIDS is a

distri-,ted data-ase appication and sstem software with a dedicated PIDS ser7er on a shared

networ4 accessed - -oth dedicated and shared des4top persona comp,ters PCs. The shared

components s,pport a 7ariet of medica appications and data-ases. The sstem aso in4s and

integrates a set of smaer# oder data-ases reated to patient care# a- res,ts# and -iing.

Patient data can -e entered into PIDS or one of the other data-ases at an time from an

wor4station. Phsicians# administrati7e cer4s# a- technicians# and n,rses ha7e a,thoriGation to

enter data into PIDS as we as the other sstems. Persona comp,ters# or wor4stations# are

ocated in a offices# treatment rooms inc,ding emergenc rooms# n,rsing stations# and a-s. In

addition# phsicians can aso remote access PIDS ,sing their home persona comp,ters. In fact#

there is ta4 aro,nd the hospita that medica personne wi soon -e a-e to access PIDS ,sing

persona digita assistants PD!s.

Figure 1: High-Level MedSite Organizational Chart

!n independent contractor# !BC Sstems# pro7ides s,pport for most of the sstems at $edSite as

we as for the networ4. $edSites information technoog IT personne pro7ide da)to)da

maintenance ,nder the training and direction of !BC Sstems personne. $edSites IT staff aso

s,pport the hep des4 - ta4ing cas and responding to immediate needs. The IT staff mem-ers

from $edSite pro7ide on)site hep des4 s,pport and -asic sstem maintenance. !BC Sstems

pro7ided $edSites IT personne with imited sstems and networ4 training a-o,t a ear ago.

% CM!S"#$%&&'$HB$&&' 8olume +&

MedSite

Administrator

Administration LabsMedical

Maintenance

Information

Technology

Records- Surgery

- In-patient- Out-patient

- etc.

- Pathology

- -ray

- etc.

8/10/2019 v10 Example v1



$edSites senior managers decided the wanted a comprehensi7e re7iew of information sec,rit

within their faciit. Se7era new reg,ations are now in effect e.g.# the Heath Ins,rance

Porta-iit and !cco,nta-iit !ct HIP!!K# re@,iring $edSite to doc,ment the res,ts of an

information sec,rit ris4 e7a,ation. The reg,ations aso re@,ire $edSite to impement a

practice)-ased standard of d,e care. !fter some disc,ssion and cons,tation with other medica

faciit managers# the decided to ,se OCT!9E)S.

The anasis team has -een seected and trained. The core anasis team mem-ers are

• !7areG F a phsician# at $edSite for fi7e ears

• =reen F assistant manager of !dministration# at $edSite for eight ears. =reen wi ead

the anasis team.

• Smith F senior IT staff mem-er# at $edSite for three ears

• Hae F a- technician# at $edSite for fo,r ears

The team met to prepare for the e7a,ation. The decided to scope the e7a,ation to inc,de the

entire organiGation as there are on three rea operationa areas F !dministration# $edica# and

the >a-. The aso chec4ed with coeag,es in other medica faciities to ocate an historica data

on an tpe of threats that the might -e wiing to share ater on or to disc,ss when the anasis

team needed to define pro-a-iit e7a,ation criteria. Pro-a-iit is re@,ired - some reg,ations#

and the team fet that the needed to tr to ,se some form of @,aitati7e pro-a-iit d,ring ris4

anasis.

!s this was their first ,se of OCT!9E)S# the decided not to taior the cataog of practices or the

s,r7es to aign them with c,rrent reg,ations# s,ch as HIP!!. Instead# after the e7a,ation# the

wi ,se a gap anasis to determine what additiona actions are re@,ired to ens,re compiance

and to protect their information)reated assets. The -,dget for sec,rit impro7ements o7er the

net si months is imited# and senior managers prefer to ens,re their critica assets are protected

now and dea with an additiona reg,ation compiance d,ring the net -,dget cce.

1.4 edSite Team;s Experiene

$edSites anasis team competed the e7a,ation in fo,r wee4s wor4ing part time. This section

s,mmariGes the teams acti7ities# its decisions# and other contet,a information reated to the

e7a,ation. !s o, re7iew the res,ts# o, wi notice that we pro7ide compete res,ts for on

one of the critica assets.

CM!S"#$%&&'$HB$&&' 8olume +& '

8/10/2019 v10 Example v1



1.4.1 '*ase 1: uild Asset-ased T*reat 'ro)iles

The anasis team met dai o7er the co,rse of one wee4 to finish Phase &. !t the end of the

wee4# the team met with $edSites senior managers to re7iew the impact e7a,ation criteria and

get them appro7ed. $edSites senior managers decided to ,se the criteria de7eoped - the team

and s,-se@,ent re7iew the res,ts. If the criteria t,rned o,t to -e too 7ag,e or if the seemed tos4ew the res,ts# senior managers reser7ed the right to re7ise the criteria and as4 the team to re)

e7a,ate the ris4s.

1.4.1.1 'roess S1: Identi)$ Or(ani<ational In)ormation

S1.1: Establish impact evaluation criteria (Step 1)

6sing the Impact E.aluation Criteria %or&seet p. ((K# the anasis team defined the ranges of

possi-e impacts on the organiGation. The team had s,fficient information on the nat,re of

impacts ca,sed - common pro-ems and emergencies# and it ,sed this information as the -asisfor setting impact meas,res high# medi,m# ow across m,tipe impact areas. "or eampe#

$edSite is a 7er s,ccessf, compan# with more than '5L of the regions peope coming to

$edSite for medica care. $edSite norma sees a 5)&5L f,ct,ation in patient n,m-ers from

month to month. The team ,ses this information to determine that the compan co,d reco7er

from a &%L drop in c,stomers# -,t a (%L drop wo,d mean a serio,s pro-em that co,d -e

irre7ersi-e. $edSites -,dget inc,des a *L margin for ,nepected changes in operating costs

and a 5L margin for ,nepected changes in o7era re7en,e. Ins,rance co7ers near a tpes of

osses of ,p to M*5%#%%% and man items ,p to M& miion witho,t an increase in premi,ms. !n

co7era-e oss of more than M& miion means an immediate increase in premi,ms. In terms of

prod,ction# minor increases &%L for a few das in personne ho,rs happen a the time -eca,seof accidents and ,nepected f,ct,ations in patient needs. ! high increase occ,rred d,ring the

pre7io,s ear when a snowstorm near paraGed the comm,nit. 1ear e7erone at $edSite

wor4ed an additiona (%L for a ()da period to ma4e ,p for ost time. The team aso determined

that an oss of ife or permanent damage to patients was considered ,naccepta-e. These items

were incorporated into the e7a,ation criteria.

S1.2: Identify organizational assets (Step 2)

The anasis team ,sed its 4nowedge of $edSites sstems as a starting point for identifing

assets# -eca,se staff mem-ers dai tas4s were tight integrated with the sstems the ,sed.

;hen ,sing the Asset Identi$ication %or&seet p. N5K to identif assets# team mem-ers co,d see

how m,ch information act,a resided on $edSites information sstems. Patient information#

which was reg,ated in terms of pri7ac and sec,rit# co,d -e fo,nd in se7era forms inc,ding

-oth eectronic and paper fies. The team aso noticed that persona comp,ters were common to

a sstems and pro7ided a cond,it to a important eectronic information. It was more diffic,t

for the team to identif peope)reated assets# -eca,se e7erone had important roes at $edSite.

4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1



E7en tho,gh the maorit of answers for the incident management area were negati7e# this was

one area in which $edSite had a good set of doc,mented proced,res. The proced,res were a

standard# tested# and 7erified set pro7ided - a medica societ to which $edSite -eonged. !s a

res,t# the team ga7e the compan a eow stat,s for that area.

1o other notes or action items res,ted from Process S&.

1.4.1. 'roess S: Create T*reat 'ro)iles

S2.1: Select #ritical $ssets (Steps % & ')

Seecting critica assets pro7ed to -e ess diffic,t that the anasis team epected. The team

seected the foowing critica assets

• PIDS Patient Information Data Sstem F This was an o-7io,s choice for the team.

PIDS is centra to $edSites medica operations# -eca,se it is the centra repositor for

patient)identifia-e information. In addition# $edSite m,st comp with reg,ations for

protecting the pri7ac of and sec,ring eectronic patient information.

• Paper medica records F These records are somewhat ess important than PIDS# -eca,se

$edSite is tring to mo7e awa from its reiance on paper medica records. Howe7er# the

migration wi ta4e se7era ears. In the meantime# the team decided that paper records aso

constit,ted a critica asset# -eca,se those records contain patient)identifia-e information

and are s,-ect to pri7ac reg,ations.

• !BC Sstems F $edSite has -ecome reiant ,pon the information technoog IT

ser7ices pro7ided - !BC Sstems# $edSites main IT contractor. !BC Sstems maintainsPIDS and other sstems for $edSite and is aso de7eoping PIDS II# the repacement for

PIDS. !BC Sstems was an o-7io,s choice as a critica asset gi7en the importance of PIDS#

PIDS II# and $edSites ongoing efforts to -ecome a paperess en7ironment. !BC Sstems is

aso tpica of other tpes of contracting done - $edSite.

• Persona comp,ters PCs F The anasis team noted that persona comp,ters were

common to a sstems# pro7iding a cond,it to a important eectronic information.

• ECDS Emergenc Care Data Sstem F This sstem was seected -eca,se it is

representati7e of man smaer sstems ,sed at $edSite.

The anasis team recorded its choices for critica assets on the Critical Asset Selection %or&seet

p. (K.The team then started a Critical Asset %or&'oo& for each critica asset Step +. It aso

recorded its rationae for seecting each asset Step ' as we as who ,ses and is responsi-e for

each critica asset Step on each assets Critical Asset In$ormation %or&seet p. 'K.

Information a-o,t asset reationships had aread -een recorded on the Asset Identi$ication

%or&seet and was transcri-ed to the Critical Asset In$ormation %or&seet Step A.

> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



S2.2: Identify security reuirements for critical assets (Steps 1 & 11)

Team mem-ers disc,ssed which @,aities of each asset were important to protect. This disc,ssion

res,ted in the identification of sec,rit re@,irements for each critica asset# which were recorded

on the appropriate Critical Asset In$ormation %or&seets Step &% p. 'K. Seecting the most

important sec,rit re@,irement was fre@,ent diffic,t# re@,iring significant disc,ssion. "or

eampe# team mem-ers spent a ot of time disc,ssing which sec,rit re@,irement for PIDS was

most important Step &&. !fter a heath de-ate# the team seected a7aia-iit of patient

information as the most important sec,rit re@,irement for PIDS -eca,se the heath and safet of

patients re@,ire immediate and contin,o,s access to patient information on PIDS. Confidentiait

was aso considered to -e important# -,t it ac4ed the ife and heath impications of a7aia-iit.

$ost of the iss,es s,rro,nding confidentiait were act,a reated to reg,ations. The team

decided that when ma4ing tradeoffs# the a7aia-iit of medica information ,timate tr,mped

7ioations of pri7ac aws.

S2.: Identify threats to critical assets (Steps 12 & 1*)

The anasis team then -egan constr,cting a threat profie for each critica asset# recording the

profie on the appropriate /is& Pro$ile %or&seets pp. A& and &((K. Team mem-ers cons,ted the

appropriate Treat Translation Guide 9o,mes 5) to ens,re the act,a ,nderstood the

impied threats. "or PIDS ,sing 9o,me + for sstems assets# the team -eie7ed that a of the

-ranches for the uman actors usin" net0or& and p*sical access trees were acti7e# non)

negigi-e threats Step &*. Team mem-ers came to this conc,sion -ased on their eperiences

and 4nown iss,es reated to networ4 and phsica sec,rit. The team -eie7ed that most threats

from the s*stem pro'lems categor wo,d tpica affect on the a7aia-iit of information onPIDS. The eception to this was maicio,s code# which co,d res,t in an o,tcome. Threats from

the oter pro'lems categor were aso -eie7ed to affect on the a7aia-iit of PIDS.

"or !BC Sstems# the nat,re of the threats was @,ite different# -eca,se it is a different tpe of

asset peope than PIDS sstem. The team was rea concerned a-o,t on one tpe of threat F

not ha7ing @,aified# time s,pport from !BC Sstems personne. This was the on threat that

the team recorded for !BC Sstems.

"or PIDS# the team identified the tpes of peope who might -e considered threat actors Step

&(. The team doc,mented a -road range of potentia actors# inc,ding hac4ers# disgr,nted

empoees# and !BC Sstems personne. ;ith no insight into how !BC Sstems handed access

to confidentia information or 7ioations of sec,rit# the team was concerned a-o,t the potentia

threat posed - that contractors empoees. Team mem-ers were aso concerned a-o,t the a

-eha7ior of man staff mem-ers at $edSite# especia regarding cas,a and oose con7ersations

a-o,t patients. Smith ac4nowedged that the imitations of space and f,nding had res,ted in

etreme tight wor4ing conditions that 7irt,a forced most admissions staff to share passwords

CM!S"#$%&&'$HB$&&' 8olume +& =

8/10/2019 v10 Example v1



and acco,nts ,st to get their o-s done in a reasona-e amo,nt of time. Empoees constit,ted a

strong so,rce of a range of accidenta incidents.

;ith the eception of disgr,nted empoees# the team determined that the moti7ation of insiders

was genera ow Step &N. O,tsiders moti7es were diffic,t to estimate# -,t the team did fee

that -eing a sma# reati7e anonmo,s medica organiGation made $edSite a ess attracti7e

target for o,tsiders. The team decided that the moti7es of o,tsiders were ow.

The team decided to ta4 to a few 4nowedgea-e staff mem-ers at $edSite and !BC Sstems to

determine the 4nown histor for some of the threats Step &5. !BC Sstems had some data# -,t

the were not comprehensi7e. In fact# gi7en the ac4 of tangi-e data prod,ced - peope from

!BC Sstems# anasis team mem-ers -ecame concerned a-o,t what !BC Sstems was doing to

monitor PIDS and other sstems. The team mem-er with information technoog eperience

4new eno,gh to -e s4eptica of !BC Sstems networ4 monitoring practices. The team recorded a

recommendation to the otes and /ecommendations %or&seet p. &'K to 7erif what !BCSstems was doing to monitor $edSites sstems and networ4s. The team aso mar4ed its

confidence in this historica data as ow.

Specific areas of concern were recorded on the /is& Pro$ile %or&seets Step &+ pp. A& and

&((K whene7er the team had a partic,ar eampe or historica incident reati7e to a threat. "or

eampe# it was we)4nown that staff mem-ers occasiona oo4ed ,p patient information a-o,t

their friends and reati7es# 7ioating pri7ac. In addition# the phsica config,ration of offices and

the inc,sion of wor4stations in patient rooms aso ed to man pri7ac 7ioations. !7areG

mentioned that phsicians were sti ha7ing a hard time remem-ering to og off PIDS when the

eft a treatment room. ! team mem-ers aso noted PIDS notorio,s histor of faiing atinopport,ne times. "ina# the team was concerned that !BC Sstems did not rea ,nderstand

either the genera needs of a medica faciit or the effects of the new pri7ac and sec,rit

reg,ations.

! actions items from Process S* were doc,mented on the Action ist %or&seet p. *'K.

1.4. '*ase : Identi)$ In)rastruture Vulnera&ilities

The anasis team met dai o7er the co,rse of a few das to compete Phase *. Team mem-ers

performed a c,rsor eamination of how peope at $edSite accessed critica assets 7ia the

organiGations networ4s. The team aso re7iewed the etent to which sec,rit was considered

when config,ring and maintaining $edSites comp,ters and networ4s. Beca,se peope at

$edSite had itte insight into what !BC Sstems was doing to config,re and maintain $edSites

sstems and networ4s# the team decided to record a recommendation see otes and

/ecommendations %or&seet p. &'K. The recommendation caed for $edSites IT staff to wor4

- CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



more cose with !BC Sstems after the e7a,ation to comm,nicate $edSites sec,rit

re@,irements to !BC Sstems and to 7erif that those re@,irements were -eing met.

1.4..1 'roess S2: Examine t*e Computin( In)rastruture in /elation toCritial Assets

S.1: E+amine access paths (Steps 1, & 1-)

The anasis team ,sed the et0or& Access Pats %or&seet p. &N(K as it re7iewed how peope

accessed $edSites critica assets. The team noted that PIDS was its own sstem of interest Step

&'. It aso noted that ECDS was its own sstem of interest# whie PCs inc,ded a maor sstems

as their sstems of interest. 1either !BC Sstems nor the paper medica records were re7iewed

d,ring this phase# -eca,se networ4 attac4s are irree7ant to these tpes of assets.

"or PIDS# the anasis team identified 4e casses of components that were part of or reated to

PIDS. This acti7it inc,ded a c,rsor eamination of interna and eterna access points for

PIDS Step &. Team mem-ers had different 7iews of what constit,ted the PIDS sstem. !fter

m,ch disc,ssion# the agreed that PIDS inc,ded ser7er ! and on)site wor4stations Step &a.

The then oo4ed at how peope tpica accessed PIDS. The team determined that peope ,sed

on)site wor4stations# aptops# PD!s# and home wor4stations to access PIDS Step &c. The team

decided that intermediate access points inc,ded -oth interna and eterna networ4s Step &-

and that PIDS information was stored -oth oca and off)site Step &d. "ina# the team

determined that other sstems# most nota- ECDS and the "inancia 0ecord 3eeping Sstem

"03S# aso a,tomatica accessed information from PIDS Step &e.

S.2: $nalyze technology!related processes (Steps 1' & 21)

This acti7it re@,ires an anasis team to ass,me an infrastr,ct,re point of 7iew when anaGing

information. $edSites team doc,mented the 4e casses of components Step &Aa and then

noted which critica assets were reated to each 4e cass Step &A-. The team then determined

who was responsi-e for maintaining and sec,ring each 4e cass Step *%. ;here $edSites

own IT personne were responsi-e for da)to)da operations# the co,d ma4e an estimate of

how sec,re the component casses were Step *&. $an casses# howe7er# were maintained -

!BC Sstems# and the e7e of sec,rit for those casses was ,n4nown. The anasis team

recorded this information on the In$rastructure /e.ie0 %or&seet p. &NAK.

O7era# the sec,rit of most casses of components was not consistent 4nown. The team

recorded some genera recommendations to p,rs,e the reationship with !BC Sstems and wor4

towards more forma 7,nera-iit testing with them on the otes and /ecommendations

%or&seet p. &'K.

CM!S"#$%&&'$HB$&&' 8olume +& .

8/10/2019 v10 Example v1



"ina# the team re7iewed the /is& Pro$iles for PIDS# ECDS# and PCs pp. A& and &((K as we as

the Securit* Practices %or&seet p. 5&K# oo4ing to refine information on those wor4sheets -ased

on the teams Phase * anasis. Team mem-ers decided there were no changes to the threat trees#

,st more 7aidation for the concerns aread identified. The did add an additiona area of

concern on the /is& Pro$ile %or&seet Step &+ p. &((K a-o,t !BC Sstems personne not on

ha7ing access to patient information -,t aso -eing a-e to destro it.

The IT team mem-er aso -ro,ght ,p the concern that what he o-ser7ed on a dai -asis did not

s,pport !BC Sstems statements that it 4ept ,p with 7,nera-iit testing and patches. The team

recorded this o-ser7ation on the Securit* Practices %or&seet p. 5&K as an eampe of what

$edSites contractor was not doing we.

1o other action items# notes# or recommendations from Process S( were identified.

1.4.2 '*ase 2: +e%elop Seurit$ Strate($ and 'lans

The anasis team added an additiona team mem-er to hep with the de7eopment of mitigation

pans in Process S5. The new team mem-er had a ot of epertise in pro-em so7ing as we as

de7eoping pans# -,dgets# and sched,es for $edSite. To ens,re that she de7eoped an

,nderstanding of the e7a,ation# the new team mem-er o-ser7ed Process SN.

1.4.2.1 'roess S4: Identi)$ and Anal$<e /is#s

S".1: Evaluate impact of threats (Step 22)

The anasis team ,sed the Impact E.aluation Criteria p. ((K the de7eoped d,ring Process S&

to e7a,ate the impacts of the threats on the organiGation. The team recorded a impact 7a,es on

the /is& Pro$ile %or&seets pp. A& and &((K. Team mem-ers considered the heath and safet of

patients to -e the most important criteria# with the remaining criteria a -eing e@,a to each other.

The team had some diffic,t estimating the impacts to prod,cti7it and rep,tation for a few of

the threats and decided to get additiona hep. Team mem-ers identified 4e peope with

eperience in ega matters# p,-ic reations# and n,rsing to hep the team estimate the 7a,es for

certain threats. Together# the a re7iewed each area of concern and ta4ed a-o,t the tpes of

specific actions that wo,d ha7e to -e ta4en to dea with a reaiGed threat# pro7iding a -asis for

estimating the act,a e7e of impact high# medi,m# ow. In partic,ar# team mem-ers oo4ed for an threats that might res,t in phsica harm or death to patients. The team aso noted on the

otes and /ecommendations %or&seet p. &'K that the e7a,ation criteria sho,d -e more

-road re7iewed and appro7ed - management.

+& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



S".2: Establish probability evaluation criteria (Step 2)

The team defined $edSites pro-a-iit e7a,ation criteria ,sing the Pro'a'ilit* E.aluation

Criteria %or&seet p. &5'K. It reied on its eperience and epertise as we as the imited

historica information it had for threats. Team mem-ers re7iewed the 4nown histories of threats

recorded on the /is& Pro$ile %or&seets pp. A& and &((K when setting pro-a-iit meas,res

high# medi,m# ow. ;hen defining the criteria# the team aso referenced historica data a-o,t

certain tpes of threats common ,sed - other medica organiGations when assessing ris4.

S".: Evaluate probabilities of threats (Step 2")

6sing the Pro'a'ilit* E.aluation Criteria p. &5'K the team e7a,ated the pro-a-iit of each

acti7e threat occ,rring - ,sing the contet,a information the had pre7io,s recorded on the

/is& Pro$ile %or&seets Steps &()&+ pp. A& and &((K. Beca,se the had ow confidence in their

historica estimations for networ4)-ased threats# team mem-ers ac4ed confidence in their pro-a-iit estimates for those tpes of threats. Howe7er# for a few threats# s,ch as ,na,thoriGed

insiders accidenta 7iewing information 7ia sstems and networ4s# team mem-ers were @,ite

confident that the pro-a-iit was high -eca,se of the 4nown histor of s,ch actions. Beca,se it

had minima confidence in man of its pro-a-iit estimates# the team decided to ,se pro-a-iit

on as a tie)-rea4er when seecting ris4s for mitigation. Impact wo,d -e the primar decision)

ma4ing dri7er. The team recorded estimates for pro-a-iit for a acti7e ris4s on the /is& Pro$ile

%or&seets pp. A& and &((K.

1o additiona actions# notes# or recommendations were identified d,ring Process SN.

1.4.2. 'roess S5: +e%elop 'rotetion Strate($ and iti(ation 'lans

S%.1: escribe current protection strategy (Step 2%)

The anasis team re7iewed the Securit* Practices %or&seet p. 5&K that it competed earier in

the e7a,ation. Team mem-ers transcri-ed the stopight stat,s for each area to the Protection

Strate"* %or&seets p. &+&K. The then disc,ssed the c,rrent practices and 7,nera-iities

identified in each practice area. The team noted that the protection strateg and the sec,rit

practices s,r7e eamine two different facets of sec,rit practice areas. The protection strateg

descri-es the processes ,sed to perform acti7ities in each sec,rit practice area# foc,sing on theetent to which processes are forma defined. On the other hand# the stopight stat,s on the

sec,rit practices s,r7e indicates how we the team -eie7es its organiGation is performing in

each area. Team mem-ers noted that an organiGation co,d -e performing 7er we in an area#

-,t ha7e 7er informa processes. >i4ewise# an organiGation co,d ha7e significant room for

impro7ement despite ha7ing 7er forma poicies and proced,res. The defined the c,rrent

protection strateg for the organiGation and recorded the res,ts on the Protection Strate"*

CM!S"#$%&&'$HB$&&' 8olume +& ++

8/10/2019 v10 Example v1



%or&seets p. &+&K. The protection strateg# aong with stopight stat,s information# pro7ided

team mem-ers with a -road 7iew of $edSites o7era approach to sec,rit and the etent to

which it was wor4ing.

S%.2: Select mitigation approaches (Steps 2* ! 2,)

The team transcri-ed the stopight stat,ses from the Securit* Practices %or&seet p. 5&K to the

/is& Pro$ile %or&seets Step *+ pp. A& and &((K# i,strating the c,rrent stat,s of each sec,rit

practice area in reation to the acti7e ris4s. Before proceeding# the anasis team needed to agree

,pon the criteria for ma4ing decisions. Team mem-ers decided that the wo,d oo4 to mitigate

ris4s meeting the foowing criteria

• ris/s affecting the health and safety of 0edSites patients (i.e. ris/s 3ith a high

impact value for the 4Safety5 impact area). 6eputation and financial impacts 3ere

considered to be secondary factors.

• ris/s affecting the most important security reuirement (Step 1) of the asset (e.g.

availability of 7IS)

• ris/s lin/ed to specific areas of concern about the asset

Beca,se it had itte confidence in man if its pro-a-iit estimates# the team decided to ,se

pro-a-iit as a tie)-rea4er when comparing two simiar ris4s. Team mem-ers re7iewed the /is&

Pro$ile %or&seet for each critica asset pp. A& and &((K# foc,sing on potentia impacts of ris4s in

reation to stopight stat,ses. The anasis team was initia o7erwhemed. It had assigned nine

sec,rit practice areas red stopight stat,ses and si sec,rit practice areas eow stopight

stat,ses. Howe7er# the team did not assign a green stopight stat,s to an area. Based on its

decision)ma4ing criteria# the team oo4ed across a critica assets and decided which ris4s it

wo,d mitigate. 1et it decided which ris4s it co,d accept. ! remaining ris4s were designated

to -e deferred and re7isited at a ater date. The anasis team decided to recommend on the

otes and /ecommendations %or&seet p. &'K that a deferred ris4s -e oo4ed at again a month

after the end of the e7a,ation.

To mitigate the ris4s# the team seected the foowing sec,rit practice areas as mitigation areas

• Sec,rit !wareness and Training & 8he analysis team believed that their security

a3areness training did not adeuately prepare personnel to handle the day!to!day

security issues that arise. Improving this area should reduce the accidental inside

threat sources.

• Coa-orati7e Sec,rit $anagement & $9# Systems provided support for managing

the net3or/ and most of the systems at 0edSite including 7IS. $9# Systems also

conducted periodic vulnerability evaluations of 0edSites computing infrastructure.

8he analysis team 3as concerned about 0edSites procedures for 3or/ing 3ith $9#

+% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



Systems. 8he team believed that $9# Systems might not be meeting 0edSites

information security reuirements. 0any unans3ered uestions and ambiguities arose

during 7rocess S so the team recommended that 0edSite revie3 and revise its

procedures for 3or/ing 3ith $9# Systems. ith respect to physical security the

;acilities 0anagement <roup 3as responsible for physically securing 0edSites

building. =o one at 0edSite has been formally 3or/ing 3ith the staff from ;acilities

0anagement group. 9ecause of this the team recommended that the organization

revie3 and revise procedures for 3or/ing 3ith the ;acilities 0anagement <roup.

• $onitoring and !,diting Phsica Sec,rit & 8here 3as some concern by team

members that physical security problems e+isted at 0edSite and 3ere not being

handled by the ;acilities 0anagement <roup. 8he team identified several ris/s 3ith

potentially high impact to the health and safety of patients based on physical access by

internal and e+ternal threat actors. 8he team decided that practices related to Physical

Access Control 3ere adeuate. >o3ever practices related to Monitoring and Auditing

Physical Security reuired significant improvement. ;or this reason Monitoring and

Auditing Physical Security 3as selected as a mitigation area. >o3ever because third

parties 3ere involved in monitoring and auditing physical security for 0edSite there

3as some overlap 3ith the Collaborative Security Management security practice area.

• !,thentication and !,thoriGation & 0edSite 3as not using a consistent means of

controlling access to its systems and net3or/s (e.g. role!based management of

accounts). Staff members inherited far too many access privileges over time. 8he team

3as concerned about the potential conseuences of these issues. ;or e+ample

disgruntled staff members could abuse this increased access to affect the availability of

7IS or to modify medical information.

The team doc,mented its rationae for seecting each area on the otes and /ecommendations

%or&seet p. &'K. It aso circed mitigation areas on the appropriate /is& Pro$ile %or&seets pp.

A& and &((K that red,ce ris4s designated as mitigate. Despite its own earier recommendation to

oo4 at Vulnera'ilit* Mana"ement as a mitigation area# the team decided that the impro7ements in

the Colla'orati.e Securit* Mana"ement area co,d mitigate a greater n,m-er of ris4s reated to

the comp,ting infrastr,ct,re than co,d impro7ements in Vulnera'ilit* Mana"ement .

S%.: evelop ris/ mitigation plans (Step 2-)

The team de7eoped mitigation pans for each seected area ,sing the Miti"ation Plan %or&seetsp. &AK. The pan for each seected sec,rit practice area inc,des specific acti7ities designed to

mitigate specified ris4s. Some of the mitigation acti7ities were @,ite -road in nat,re. "or

eampe# one mitigation acti7it indicated that periodic sec,rit awareness training sho,d -e

pro7ided for a empoees once a ear. Other mitigation acti7ities were more foc,sed in nat,re.

"or eampe# one mitigation acti7it specified that IT staff mem-ers recei7e training in partic,ar

technoogies. This acti7it did not address training across a technoogies# on for a seected

CM!S"#$%&&'$HB$&&' 8olume +& +'

8/10/2019 v10 Example v1



few. !s it defined each mitigation acti7it# the team aso recorded its rationae for that partic,ar

acti7it what was it mitigating or impro7ing# who sho,d -e responsi-e for the acti7it# and an

additiona management action that might -e re@,ired to impement that acti7it.

S%.": Identify changes to protection strategy (Step 2')

The anasis team re7iewed the Protection Strate"* %or&seets p. &+&K to note an changes

triggered - mitigation acti7ities. "or eampe# the mitigation acti7it that caed for sec,rit

awareness training for a empoees once a ear triggered a change in $edSites protection

strateg. The protection strateg pre7io,s re@,ired sec,rit awareness training on for new

empoees. On the other hand# the mitigation acti7it that specified training in partic,ar

technoogies for IT staff mem-ers did not trigger a change in $edSites protection strateg

-eca,se the acti7it did not address training for a technoogies. This acti7it simp impro7ed

how one aspect of $edSites protection strateg was impemented.

1et# the team re7iewed the protection strateg# oo4ing for an additiona changes to the strateg

that it wanted to ma4e. It immediate foc,sed on the Securit* Policies and /e"ulations area.

$edSite had a partia set of doc,mented sec,rit)reated poicies. Beca,se $edSite wo,d soon

-e re@,ired to comp with new data sec,rit reg,ations# the team decided that proced,res for

comping with those reg,ations wo,d need to -e created. It mar4ed that change to the

protection strateg. Team mem-ers aso noted that whie some sec,rit)reated poicies eisted#

few staff mem-ers ,nderstood them. Since sec,rit awareness training was aread -eing

,pdated# the team decided to inc,de information a-o,t $edSites sec,rit poic in that training.

"ina# the team decided to address poic enforcement. E7en if peope 4new a-o,t and

,nderstood $edSites sec,rit poic# their -eha7iors wo,d change on if the aso 4new thatmanagement was enforcing that poic. Th,s# the team decided that proced,res for enforcing

$edSites poic needed to -e created. The team then de7eoped a mitigation pan to impement

the changes to the Securit* Policies and /e"ulations area. In the rationae area for each mitigation

acti7it# the team noted that these acti7ities were dri7en - genera concerns and reg,ations#

rather than - specific ris4s.

The anasis team aso identified the foowing two action items d,ring Process S5# doc,menting

them on the Action ist %or&seet p. *'K

• esend basic security policy reminders! 8he I8 department had sent emails to all staff

in the past regarding basic security policy issues. 9ecause improving 0edSites security

a3areness and training program 3as seen as a long!term initiative this action item

provided a short!term a3areness mechanism 3ithout much investment.

• Change the physical con"iguration o" the admissions o""ice! ?ne of the physical

security problems identified during the evaluation 3as the physical configuration of

the admissions area. 0ost 3or/stations 3ere directed to3ard public areas 3here

+4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



patients and staff could see medical information on the screens of those 3or/stations.

8o protect the privacy of medical and admissions information the analysis team

decided to recommend changing the configuration of the admissions office to ensure

that 3or/stations could not be easily seen by people passing through the admissions

area.

S%.%: Identify ne+t steps (Step )

6sing the e4t Steps %or&seet p. *%(K# the team identified se7era items re@,ired to s,pport

impementation of OCT!9E)S res,ts. "irst# senior management needed to ma4e information

sec,rit a priorit and not a -ac4)-,rner iss,e. Second# ade@,ate f,nding to impement the

mitigation pans# protection strateg changes# and action items needed to -e aocated. The team

aso noted that the foowing items wo,d need to -e competed within the net month.

• 7eople 3ho had been assigned responsibility for implementing a mitigation plan 3ill

provide a detailed implementation plan for revie3.

• $ll deferred ris/s 3ill be revie3ed.

• 8he analysis team 3ill compare the security practice surveys to regulations

(including >I7$$) to determine if there are any additional practices that need to be

added or improved to comply 3ith current regulations.

The team aso recommended cond,cting another OCT!9E)S e7a,ation in a-o,t &*)& months#

pro7iding s,fficient time to impement the recommendations from the e7a,ation it had ,st

competed.

CM!S"#$%&&'$HB$&&' 8olume +& +,

8/10/2019 v10 Example v1



+> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


!otes and /eommendations or#s*eet

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


1otes and 0ecommendations ;or4sheet

6ecommendation

%at recommendations do *ou 0ant to record5 7or 0ic step is tis

recommendation

rele.ant5

!e need a "ay to determine "hat A*+ Systems is doing to monitor for

e$ternal attac%s. This may re,uire a contractual discussion.Step (

6ecommendation


recommendationrele.ant5

!e need a more formal or increased communication "ith A*+ Systems.Step )(

CM!S"#$%&&'$HB$&&' 8olume +& +.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

=ote

%at notes do *ou 0ant to record5

Is tere a recommendation associated 0it tis note5 I$ *es document it in tecorrespondin" recommendations 'o46

7or 0ic step is

tis note rele.ant5

!e do not belie#e #ulnerability management is being ade,uately

performed on PIS.Step )(

=ote


Is tere a recommendation associated 0it tis note5 I$ *es document it in te

correspondin" recommendations 'o46

7or 0ic step is

tis note rele.ant5

Step

%& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



6ecommendation


recommendation

rele.ant5

The ability to manage #ulnerabilities should be a candidate for a ris%

mitigation plan in Phase /. This may also be more of A*+ Systems'

responsibility than ours.

Step )0

6ecommendation


recommendation

rele.ant5

Security A"areness and Training is selected as a mitigation area.

Rationale1 MedSite's security a"areness training does not ade,uately

address the security issues that staff members face on a daily basis.

Impro#ing this area "ould help to address se#eral ris%s "ith a high

safety impact lin%ed to accidental actions by staff members.

Step )0

CM!S"#$%&&'$HB$&&' 8olume +& %+

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

=ote



7or 0ic step is

tis note rele.ant5

Step

=ote




7or 0ic step is

tis note rele.ant5

Step

%% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



6ecommendation


recommendation

rele.ant5

+ollaborati#e Security Management is selected as a mitigation area.

Rationale1 A*+ Systems pro#ides support for managing the net"or%

and most of the systems at MedSite& including PIS. A*+ Systems

also conducts periodic #ulnerability e#aluations of MedSite's computing

infrastructure. A*+ Systems might not be meeting MedSite's

information security re,uirements. Since A*+ Systems plays such a

#ital role in configuring& maintaining& and securing MedSite's computinginfrastructure& procedures for "or%ing "ith A*+ Systems should be

re#ie"ed and re#ised.

Step )0

6ecommendation


recommendation

rele.ant5

Monitoring and Auditing Physical Security is selected as a mitigation

area.

Rationale1 There is concern that physical security problems e$ist at

MedSite. The team identified se#eral ris%s "ith potentially high

impact to the health and safety of patients based on physical access

by internal and e$ternal threat actors. 2o"e#er& the team does not

ha#e enough information to determine e$actly ho" to address the

issue. +onducting a physical security audit "ill characteri3e the e$tentof the problem.

Step )0

CM!S"#$%&&'$HB$&&' 8olume +& %'

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

=ote



7or 0ic step is

tis note rele.ant5

Step

=ote




7or 0ic step is

tis note rele.ant5

Step

%4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



6ecommendation


recommendation

rele.ant5

Authentication and Authori3ation is selected as a mitigation area.

Rationale1 MedSite is currently not using role-based management of

accounts. In addition& staff members inherit far too many access

pri#ileges o#er time. The team is concerned about the potential

conse,uences of these issues. 4or e$ample& disgruntled staff members

could abuse this increased access to modify information.

Step )0

6ecommendation


recommendation

rele.ant5

@oo: at all deferred ris:s a)ain in '& days1Step )5

CM!S"#$%&&'$HB$&&' 8olume +& %,

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

%> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


2 Ation 3ist or#s*eet

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


!ction >ist ;or4sheet

$ction Item

%at additional in$ormation do *ou 0ant to document $or eac action item5

/ecord additional in$ormation 'elo06

6esponsibility: %o is responsi'le $or completin" te action item5

Administration 7 contract manager

#ompletion ate: 8* 0en must te action item 'e completed5

!ithin the ne$t ) "ee%s

$dditional

Support:

%at additional support 9'* mana"ement or oters is re;uired to complete te

action item5

$ction Item




Analysis team members and a fe" others "ho attend conferences

and seminars.


!ithin the ne$t 5 months

$dditional

Support:


action item5

CM!S"#$%&&'$HB$&&' 8olume +& %.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

$ction Item

%at actions do *ou intend to ta&e5

Assi"n an identi$ication num'er to eac action item6

7or 0ic step is

tis action item

rele.ant5

ID RResend basic security policy reminders.

Step )8

(

$ction Item

%at actions do *ou intend to ta&e5

Assi"n an identi$ication num'er to eac action item6

7or 0ic step is

tis action item

rele.ant5

ID R+hange the physical configuration of the admissions

office.Step )8

9

'& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


!ction >ist ;or4sheet

$ction Item




IT :roup


!ithin the ne$t ) "ee%s

$dditional

Support:


action item5

MedSite's +IO needs to appro#e this action item and assign it to

someone in the IT group.

$ction Item




4acilities Management


!ithin the ne$t month

$dditional

Support:


action item5

MedSite's management team needs to appro#e this action item

and assign it to the 4acilities Management :roup.

CM!S"#$%&&'$HB$&&' 8olume +& '+

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

'% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


4 Impat E%aluation Criteria or#s*eet

Step 1

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step 1

6eputation@#ustomer #onfidence

Impact 8ype Ao3 Impact

/eputation 0ep,tation is minima effected itte or no

effort or epense is re@,ired to reco7er.

Customer oss >ess than (; L red,ction in c,stomers

d,e to oss of confidence

Oter:

Oter:

'4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


Impact E7a,ation Criteria ;or4sheet

6eputation@#ustomer #onfidence

0edium Impact >igh Impact

0ep,tation is damaged# and some effort and

epense is re@,ired to reco7er.

0ep,tation is irre7oca- destroed or

damaged.

(; to /; L red,ction in c,stomers


$ore than /; L red,ction in c,stomers


CM!S"#$%&&'$HB$&&' 8olume +& ',

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step 1

;inancial


Operatin" Costs Increase of ess than ) L in ear

operating costs

/e.enue oss >ess than L ear re7en,e oss

One-Time 7inancial oss One)time financia cost of ess than

M );&;;;

Oter:

'> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step 1

7roductivity


Sta$$ <ours Staff wor4 ho,rs are increased - ess than

(; L for to ) das.

Oter:

Oter:

Oter:

'- CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



7roductivity


Staff wor4 ho,rs are increased -etween

(; L and /; L for to )

das.

Staff wor4 ho,rs are increased - greater than

/; L for to ) das.

CM!S"#$%&&'$HB$&&' 8olume +& '.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step 1

Safety@>ealth


i$e

patients'

1o oss or significant threat to c,stomers or staffmem-ers i7es

<ealt $inima# immediate treata-e degradation inc,stomers or staff mem-ers heath with

reco7er within fo,r das patients'

Sa$et* Safet @,estioned

Oter:

4& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



Safety@>ealth


Patients'C,stomers or staff mem-ers i7es are

threatened# -,t the wi reco7er after

recei7ing medica treatment.

patients'

>oss of c,stomers or staff mem-ers i7es

Temporar or reco7era-e impairment of

c,stomers or staff mem-ers heath

patients'

Permanent impairment of significant aspects

of c,stomers or staff mem-ers heath

patients'

Safet affected Safet 7ioated

CM!S"#$%&&'$HB$&&' 8olume +& 4+

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step 1

;ines@Aegal 7enalties


7ines "ines ess than M (;&;;; are e7ied.

a0suits 1on)fri7oo,s aws,its ess than

M (;;&;;; are fied against the

organiGation or fri7oo,s aws,its are fied

against the organiGation.

In.esti"ations 1o @,eries from go7ernment or other

in7estigati7e organiGations.

Oter:

4% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



;ines@Aegal 7enalties


"ines -etween M (;&;;; and

M (;;&;;; are e7ied.

"ines greater than M (;;&;;; are e7ied.

1on)fri7oo,s aws,its -etween

M (;;&;;; and M ( million is

fied against the organiGation.

1on)fri7oo,s aws,its greater than

M ( million is fied against the

organiGation.

=o7ernment or other in7estigati7e

organiGation re@,ests information or records

ow profie.

=o7ernment or other in7estigati7e

organiGation initiates a high)profie# in)depth

in7estigation into organiGationa practices.

CM!S"#$%&&'$HB$&&' 8olume +& 4'

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

44 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


5 Asset Identi)iation or#s*eet

Step

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step 2

7eople

7eople S/ills and Bno3ledge

%ic people a.e a special s&ill or &no0led"e tat

is .ital to *our or"ani#ation and 0ould 'e di$$icult

to replace5

%at are teir special s&ills or &no0led"e5

?$ternal relations A group of people "ho controls

the release of patient medical

information

A*+ Systems :roup that manages all ma@orchanges& maintenance& and

up%eep of all ma@or systems

MT4 help des% P+ technicians "ho troubleshoot

P+ problems for users

Mr. Smith Senior IT staff member. 2e is

the only on-site staff member

"ith net"or%ing s%ills.

4- CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


!sset Identification ;or4sheet

7eople

6elated Systems 6elated $ssets

%ic s*stems do tese people use5 %ic oter assets do tese people use 9i6e6

in$ormation ser.ices or applications5

− PIS

− PIS

− 4R>S

− ?+S

− net"or%

− P+s

CM!S"#$%&&'$HB$&&' 8olume +& 4.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

,& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


6 Seurit$ 'raties or#s*eet

Steps 2a, 2&, and 4

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


Sec,rit Practices ;or4sheet

1. Security $3areness and 8raining

Step b Step "

hat is your organization currently

doing 3ell in this areaC

hat is your organization currently not


>o3 effectively is

your organization

implementing the

practices in this

areaC

− !e ha#e training&

guidance& regulations&

and policies.− A"areness training is

re,uired to get an

account.

− There is a lac% of

training for IT staff.

− A"areness trainingis inade,uate.

− Staff does not

understand security

issues.

− There is little

understanding of

security roles andresponsibilities.

− People share

accounts and

pass"ords.

0ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& ,'

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

2. Security Strategy

Step a

Statement 8o 3hat e+tent is this statement reflected in your

organizationC

The organiGations -,siness strategies ro,tineincorporate sec,rit considerations.

9er $,ch Somewhat 1ot !t ! Dont 3now

Sec,rit strategies and poicies ta4e into considerationthe organiGations -,siness strategies and goas.


Sec,rit strategies# goas# and o-ecti7es aredoc,mented and are ro,tine re7iewed# ,pdated# and

comm,nicated to the organiGation.


,4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



2. Security Strategy

Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− Our current

protection strategy is

not effecti#e.− Our security

strategy lac%s business

sense. It is not

proacti#e.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& ,,

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

. Security 0anagement

Step a


organizationC

$anagement aocates s,fficient f,nds and reso,rces toinformation sec,rit acti7ities.


Sec,rit roes and responsi-iities are defined for astaff in the organiGation.


! staff at a e7es of responsi-iit impement theirassigned roes and responsi-iit for informationsec,rit.


There are doc,mented proced,res for a,thoriGing ando7erseeing a staff inc,ding personne from third) part organiGations who wor4 with sensiti7einformation or who wor4 in ocations where theinformation resides.


The organiGations hiring and termination practices forstaff ta4e information sec,rit iss,es into acco,nt.


The organiGation manages information sec,rit ris4s#inc,ding

• assessing ris4s to information sec,rit

• ta4ing steps to mitigate information sec,rit

ris4s


$anagement recei7es and acts ,pon ro,tine reportss,mmariGing sec,rit)reated information e.g.# a,dits#ogs# ris4s and 7,nera-iit assessments.


,> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



. Security 0anagement

Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− This ris% e#aluation is a

step in the right

direction.

− !e ha#e an

inade,uate budget for

security.− Staff members are

complacent about

security.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& ,=

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

". Security 7olicies and 6egulations

Step a


organizationC

The organiGation has a comprehensi7e set ofdoc,mented# c,rrent poicies that are periodicare7iewed and ,pdated.


There is a doc,mented process for management ofsec,rit poicies# inc,ding

• creation

• administration inc,ding periodic re7iewsand ,pdates

• comm,nication


The organiGation has a doc,mented process fore7a,ating and ens,ring compiance with informationsec,rit poicies# appica-e aws and reg,ations# andins,rance re@,irements.


The organiGation ,niform enforces its sec,rit poicies.


,- CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



". Security 7olicies and 6egulations

Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− Policies and

procedures e$ist.

− There are establishedincident-handling

policies and procedures.

− There is poor

communication of

policies.− People don't al"ays

read and follo" policies

and procedures.

− There is a lac% of

follo"-up on reported

#iolations.

−

!e don't enforce ourpolicies.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& ,.

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1



%. #ollaborative Security 0anagement

Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− !e rely on more

than A*+ Systems to

support our net"or%s.− There is no single

point of contact for

the net"or%. Things

get confused

sometimes.

− MedSite does not

communicate its

security-related

re,uirements for PIS

to A*+ Systems.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& >+

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

*. #ontingency 7lanning@isaster 6ecovery

Step a


organizationC

!n anasis of operations# appications# and datacriticait has -een performed.


The organiGation has doc,mented# re7iewed# and tested

• -,siness contin,it or emergenc operation

pans

• disaster reco7er pans

• contingenc pans for responding to

emergencies


The contingenc# disaster reco7er# and -,sinesscontin,it pans consider phsica and eectronicaccess re@,irements and contros.


! staff are

• aware of the contingenc# disaster reco7er#

and -,siness contin,it pans

• ,nderstand and are a-e to carr o,t their

responsi-iities


>% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



*. #ontingency 7lanning@isaster 6ecovery

Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− !e ha#e disaster

reco#ery plans for

natural disasters andsome emergencies.

− !e don't ha#e a

business continuity

plan.− !e don't ha#e

disaster reco#ery plans

for systems and

net"or%s.

− !e're not sure ho"

much testing has been

done of the plans "e do

ha#e.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& >'

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

-. 0onitoring and $uditing 7hysical Security

Step a


organizationC

#" sta"" "rom your organi$ation is responsible "or this

area:

$aintenance records are 4ept to doc,ment therepairs and modifications of a faciits phsicacomponents.


!n indi7id,as or gro,ps actions# with respect to a phsica controed media# can -e acco,nted for. 9er $,ch Somewhat 1ot !t ! Dont 3now

!,dit and monitoring records are ro,tine eaminedfor anomaies# and correcti7e action is ta4en asneeded.


#" sta"" "rom a third party is responsible "or this area:

The organiGations re@,irements for monitoring phsica sec,rit are forma comm,nicated to acontractors and ser7ice pro7iders that monitor phsica access to the -,iding and premises# wor4

areas# IT hardware# and software media.


The organiGation forma 7erifies that contractorsand ser7ice pro7iders ha7e met the re@,irements formonitoring phsica sec,rit.


>> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1




Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− Audit records are

spotty. !e're not sure

that anyone re#ie"sthem.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& >=

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

'. System and =et3or/ 0anagement

Step a


organizationC


area:

There are doc,mented and tested sec,rit pans forsafeg,arding the sstems and networ4s.


Sensiti7e information is protected - sec,re storage e.g.# -ac4,ps stored off site# discard process for sensiti7einformation.


The integrit of instaed software is reg,ar 7erified. 9er $,ch Somewhat 1ot !t ! Dont 3now

! sstems are ,p to date with respect to re7isions# patches# and recommendations in sec,rit ad7isories.


There is a doc,mented and tested data -ac4,p pan for -ac4,ps of -oth software and data. ! staff ,nderstandtheir responsi-iities ,nder the -ac4,p pans.


Changes to IT hardware and software are panned#controed# and doc,mented.


IT staff mem-ers foow proced,res when iss,ing#changing# and terminating ,sers passwords# acco,nts#and pri7ieges.

• 6ni@,e ,ser identification is re@,ired for a

information sstem ,sers# inc,ding third)part,sers.

• Defa,t acco,nts and defa,t passwords ha7e

-een remo7ed from sstems.


On necessar ser7ices are r,nning on sstems F a,nnecessar ser7ices ha7e -een remo7ed.


Toos and mechanisms for sec,re sstem and networ4administration are ,sed# and are ro,tine re7iewed and,pdated or repaced.



The organiGations sec,rit)reated sstem and networ4management re@,irements are forma comm,nicated toa contractors and ser7ice pro7iders that maintainsstems and networ4s.


The organiGation forma 7erifies that contractors andser7ice pro7iders ha7e met the re@,irements for sec,rit)reated sstem and networ4 management.


>- CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



'. System and =et3or/ 0anagement

Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− A*+ Systems has a

security plan.

− !e force users to

change their pass"ords

regularly.

− A*+ Systems has

reported #ery fe"

intrusions.

− Systems are "ell

protected "ith

pass"ords.

− A*+ Systems runs tools

from their site.

− MedSite has no

documented security

plan.

− !e don't clean up

inherited access rights

#ery "ell.

− !e're not sure

"hether A*+ Systems

%eeps up "ith security

notices.

− !e ha#en't beentrained in the use of

the latest system

administration tools.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& >.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

1. 0onitoring and $uditing I8 Security

Step a


organizationC


area:

Sstem and networ4 monitoring and a,diting toosare ro,tine ,sed - the organiGation. 6n,s,aacti7it is deat with according to the appropriate poic or proced,re.


"irewa and other sec,rit components are periodica a,dited for compiance with poic.



The organiGations re@,irements for monitoringinformation technoog sec,rit are formacomm,nicated to a contractors and ser7ice pro7iders that monitor sstems and networ4s.


The organiGation forma 7erifies that contractorsand ser7ice pro7iders ha7e met the re@,irements for

monitoring information technoog sec,rit.


=& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



1. 0onitoring and $uditing I8 Security

Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− A*+ Systems does

all IT audits.

− A*+ Systems runsmonitoring tools.

− A*+ Systems does not

report unusual acti#ity

to anyone here.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& =+

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1



11. $uthentication and $uthorization

Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− There are policies

and procedures for

access and controlpermissions.

− Systems are protected

"ell using pass"ords.

− !e're not using role-

based management of

accounts.− People inherit far too

many pri#ileges.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& ='

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

12. Dulnerability 0anagement

Step a


organizationC


area:

There is a doc,mented set of proced,res formanaging 7,nera-iities# inc,ding

• seecting 7,nera-iit e7a,ation toos#

chec4ists# and scripts

• 4eeping ,p to date with 4nown 7,nera-iit

tpes and attac4 methods

• re7iewing so,rces of information on

7,nera-iit anno,ncements# sec,rit aerts#and notices

• identifing infrastr,ct,re components to -e

e7a,ated

• sched,ing of 7,nera-iit e7a,ations

• interpreting and responding to the res,ts

• maintaining sec,re storage and disposition of

7,nera-iit data


9,nera-iit management proced,res are foowedand are periodica re7iewed and ,pdated.


Technoog 7,nera-iit assessments are performedon a periodic -asis# and 7,nera-iities are addressedwhen the are identified.



The organiGations 7,nera-iit managementre@,irements are forma comm,nicated to acontractors and ser7ice pro7iders that manage

technoog 7,nera-iities.


The organiGation forma 7erifies that contractorsand ser7ice pro7iders ha7e met the re@,irements for7,nera-iit management.


=4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



12. Dulnerability 0anagement

Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− A*+ Systems does

all #ulnerability

e#aluation andmanagement.

− !e ha#en't recei#ed

training about ho" to

interpret #ulnerabilityreports.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& =,

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

1. Encryption

Step a


organizationC


area:

!ppropriate sec,rit contros are ,sed to protectsensiti7e information whie in storage and d,ringtransmission e.g.# data encrption# p,-ic 4einfrastr,ct,re# 7irt,a pri7ate networ4 technoog.


Encrpted protocos are ,sed when remotemanaging sstems# ro,ters# and firewas.



The organiGations re@,irements for protectingsensiti7e information are forma comm,nicated toa contractors and ser7ice pro7iders that pro7ideencrption technoogies.


The organiGation forma 7erifies that contractorsand ser7ice pro7iders ha7e met the re@,irements for

impementing encrption technoogies.


=> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



1. Encryption

Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− !e don't protect

patient information

"hen "e send itelectronically to third

parties.

− !e don't %no" "hether

A*+ Systems protects

patient information

using encryption. The

topic has ne#er come

up.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& ==

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

1". Security $rchitecture and esign

Step a


organizationC


area:

Sstem architect,re and design for new and re7isedsstems inc,de considerations for

• sec,rit strategies# poicies# and proced,res

• histor of sec,rit compromises

• res,ts of sec,rit ris4 assessments


The organiGation has ,p)to)date diagrams that showthe enterprise)wide sec,rit architect,re and networ4 topoog.



The organiGations sec,rit)reated re@,irements areforma comm,nicated to a contractors and ser7ice pro7iders that design sstems and networ4s.


The organiGation forma 7erifies that contractorsand ser7ice pro7iders ha7e met the re@,irements forsec,rit architect,re and design.


=- CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

1%. Incident 0anagement

Step a


organizationC


area:

Doc,mented proced,res eist for identifing#reporting# and responding to s,spected sec,ritincidents and 7ioations.


Incident management proced,res are periodicatested# 7erified# and ,pdated. 9er $,ch Somewhat 1ot !t ! Dont 3now

There are doc,mented poicies and proced,res forwor4ing with aw enforcement agencies.



The organiGations re@,irements for managingincidents are forma comm,nicated to acontractors and ser7ice pro7iders that pro7ideincident management ser7ices.


The organiGation forma 7erifies that contractorsand ser7ice pro7iders ha7e met the re@,irements formanaging incidents.


-& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



1%. Incident 0anagement

Step b Step "





>o3 effectively is

your organization

implementing the

practices in this

areaC

− Procedures e$ist for

incident response.

− !e ha#e ne#er

considered ho" to deal

"ith la" enforcement.− It is not clear ho"

or "here "e should

report incidents.

− !e ha#e ne#er

discussed incident

management "ith A*+

Systems.

0

ed

<

eow

=

reen

1

ot !ppica-e

CM!S"#$%&&'$HB$&&' 8olume +& -+

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

-% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step %

uestions to #onsider: %ic assets 0ill a.e a lar"e ad.erse impact on te or"ani#ation i$

• te* are disclosed to unautori#ed people5

•

te* are modi$ied 0itout autori#ation5

• te* are lost or destro*ed5

• access to tem is interrupted5

#ritical $sset

&. Patient Information ata System <PIS=

*. Paper medical records

(. Personal computers

N. A*+ Systems

5. ?mergency ata +are System <?+S=

-4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


Critica !sset Seection ;or4sheet

=otes

!e are dependent on PIS.

The number one data source for patient information is paper

medical records.

All staff access %ey medical systems using personal computers.

They control our net"or%.

This is typical of the /) functional systems at MedSite.

CM!S"#$%&&'$HB$&&' 8olume +& -,

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step * Step ,

#ritical $sset 6ationale for Selection

%at is te critical s*stem5 %* is tis s*stem critical to te or"ani#ation5

Patient Information

ata System <PIS=

!e are 8B dependent on PIS for deli#ering patient

care.

Step '

6elated $ssets

%ic assets are related to tis s*stem5

Information Ser7ices and !ppications

− Patient medical information − atabase

− ?mail

Other

− Personal computers

− Paper medical records

− Internet connecti#ity

− A*+ Systems

− ?$ternal relations

-- CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


Critica !sset Information ;or4sheet Sstems

Step -

escription

%o uses te s*stem5 %o is responsi'le $or te s*stem5

Pro#iders& lab technician& pharmacists& and appointment schedulers all use PIS. ?ach

group is responsible for a subset of the medical information on PIS. A*+ Systems

has primary responsibility for maintaining PIS. Some day-to-day maintenance "or% is

performed by our IT staff.

Step 1 Step 11

Security 6euirements 0ost Important Security

6euirement

%at are te securit* re;uirements $or tis s*stem5

9<int: 7ocus on 0at te securit* re;uirements sould 'e $or tis s*stem not 0at te* currentl* are6

%ic securit* re;uirement

is most important $or tis

s*stem5

Confidentiait On a,thoriGed personne can 7iew information on

PIS . Information should be restricted to

those "ith a Cneed to %no".D Information is sub@ect to

the pri#acy act.

Confidentiait

Integrit

!7aia-iit

Other

Integrit On a,thoriGed personne can modif information on

PIS . Records must be complete and correct.

!7aia-iit E PIS m,st -e a7aia-e for personne to perform their o-s.

Access to information is re,uired )960.6na7aia-iit cannot eceed ho,rs per e7er ho,rs.

Other

CM!S"#$%&&'$HB$&&' 8olume +& -.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

.& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


OCT!9E)S 9&.% 0is4 Profie ;or4sheets

8 /is# 'ro)ile or#s*eets )or S$stems 9

'I+S

Steps 1, 12, 14, 15, 16, , 2, 4, 6,

CM!S"#$%&&'$HB$&&' 8olume +& .+

8/10/2019 v10 Example v1


0is4 Profie ;or4sheets OCT!9E)S 9&.%

.% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


OCT!9E)S 9&.% 0is4 Profie ;or4sheet for PIDS 1etwor4 !ccess

8.1 /is# 'ro)ile or#s*eet )or 'I+S 9 =uman Ators

>sin( !et"or# Aess

CM!S"#$%&&'$HB$&&' 8olume +& .'

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

>uman $ctors Fsing =et3or/ $ccess 9asic 6is/ 7rofile

Step 12 Step 22

8hreat Impact Dalues

7or 0ic 'rances is tere a non-ne"li"i'le possi'ilit* o$ a treat to teasset5 Mar& tese 'rances on te tree6

7or 0ic o$ te remainin" 'rances is tere a ne"li"i'le possi'ilit* or no

possi'ilit* o$ a treat to te asset5 >o not mar& tese 'rances6

%at is te potential impact on teor"ani#ation in eac applica'le

area5

$sset $ccess $ctor 0otive ?utcome Impact Dalues

6 e p u t a t i o n

; i n a n c i a l

7 r o d u c t i v i t y

; i n e s

S a f e t y

? t h e r

discos,re M M L M L -

accidenta modification M M M M 2 -

oss# destr,ction M M 2 M 2 -

inside interr,ption M M 2 M 2 -


dei-erate modification M M M M 2 -

PIS networ4 oss# destr,ction M M 2 M 2 -

interr,ption M M 2 M 2 -

discos,re 2 2 L M L -



o,tside interr,ption M M 2 M 2 -





.4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


0is4 Profie ;or4sheet for PIDS 1etwor4 !ccess

9asic 6is/ 7rofile >uman $ctors Fsing =et3or/ $ccess

Step 2" Step 2* Step 2,

7robability Security 7ractice $reas $pproach

<o0 li&el* is te treat to

occur in te $uture5 <o0con$ident are *ou in *ourestimate5

%at is te stopli"t status $or eac securit* practice area5 %at is *our

approac $oraddressin" eacris&5

Dalue #onfidence Strategic ?perational

D e r y 0 u c h

S o m e 3 h a t

= o t $ t $ l l

1 .

S e c 8 r a i n i n g

2 .

S e c S t r a t e g y

.

S e c 0 g m t

" .

S e c 7 o l i c y G 6 e g

% .

# o l l S e c 0 g m t

* .

# o n t 7 l a n n i n g

, .

7 h y s $ c c # n t r l

- .

0 o n i t o r 7 h y s S e c

' .

S y s G = e t 0 g m t

1 ) .

0 o n i t o r I 8 S e c

1 1 .

$ u t h e n G $ u t h

1 2 .

D u l 0 g m t

1 .

E n c r y p t i o n

1 " .

S e c $ r c h G e s

1 % .

I n c i d e n t 0 g m t

$ c c e p t

e f e r

0 i t i g a t e

2 HX!!!!H!!!!!!H R R R F R F F F R R R R F

L H!!!!XH!!!!!!H R R R F R F F F R R R R F


L HX!!!!H!!!!!!H R R R F R F F F R R R R F

2 HX!!!!H!!!!!!H R R R F R F F F R R R R F




L H!!!!!!H!!!!XH R R R F R F F F R R R R F








CM!S"#$%&&'$HB$&&' 8olume +& .,

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

.> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



>uman $ctors Fsing =et3or/ $ccess 8hreat #onte+t

Step 1

8hreat $ctors

%ic actors pose te 'i""est treats to tis s*stem .ia te net0or&5

discos,re Insiders actin" accidentall*:

accidenta modification ata entry personnel& medical

staff discussing sensiti#e

information in public areas

oss# destr,ction

inside interr,ption

discos,re Insiders actin" deli'eratel*:

dei-erate modification isgruntled employees& staff

misusing PIS information for

non-malicious reasonsPIS networ4 oss# destr,ction

interr,ption

discos,re Outsiders actin" accidentall*:

accidenta modification A*+ Systems

oss# destr,ction

o,tside interr,ption

discos,re Outsiders actin" deli'eratel*:

dei-erate modification Terrorist& spies& hac%ers

oss# destr,ction

interr,ption

CM!S"#$%&&'$HB$&&' 8olume +& .=

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

$reas of #oncern

Insiders Fsing =et3or/ $ccess

Role-based access builds o#er time. Many staff members ha#e

access to too much information.

?utsiders Fsing =et3or/ $ccess

A*+ Systems has access to PIS and the net"or%. Any deliberate

or accidental acts by their staff could affect our ability to pro#ide

patient care if they modify or delete #ital information on

PIS.

+&& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



CM!S"#$%&&'$HB$&&' 8olume +& +&+

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

8. /is# 'ro)ile or#s*eet )or 'I+S 9 =uman Ators

>sin( '*$sial Aess

+&% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


0is4 Profie ;or4sheet for PIDS H,man !ccess

>uman $ctors Fsing 7hysical $ccess 9asic 6is/ 7rofile

Step 12 Step 22


7or 0ic 'rances is tere a non-ne"li"i'le possi'ilit* o$ a treat to te

asset5 Mar& tese 'rances on te tree6



%at is te potential impact on te

or"ani#ation in eac applica'learea5

$sset $ccess $ctor 0otive ?utcome Impact Dalues

6 e p u t a t i o n

; i n a n c i a l


; i n e s

S a f e t y

? t h e r




inside interr,ption M M 2 M 2 -



PIS phsica oss# destr,ction M M 2 M 2 -





o,tside interr,ption M M 2 M 2 -





CM!S"#$%&&'$HB$&&' 8olume +& +&'

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

9asic 6is/ 7rofile >uman $ctors Fsing 7hysical $ccess



<o0 li&el* is te treat tooccur in te $uture5 <o0

con$ident are *ou in *our

estimate5

%at is te stopli"t status $or eac securit* practice area5 %at is *ourapproac $or

addressin" eac

ris&5


D e r y

S o m e 3 h a t

= o t $ t $ l l

1 .


2 .


.

S e c 0 g m t

" .


% .


* .


, .

7 h y s $ c c # n t r l

- .


' .


1 ) .


1 1 .


1 2 .

D u l 0 g m t

1 .

E n c r y p t i o n

1 " .

S e c $ r c h G e s

1 % .


$ c c e p t

e f e r

0 i t i g a t e

L H!!!!XH!!!!!!H R R R F R F F R R F








L H!!!!!!H!!!!XH R R R F R F F R R F








+&4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



>uman $ctors Fsing 7hysical $ccess 8hreat #onte+t

Step 1

8hreat $ctors

%ic actors pose te 'i""est treats to tis s*stem .ia p*sical means5

discos,re Insiders actin" accidentall*:

accidenta modification Staff using other people's

computersoss# destr,ction

inside interr,ption

discos,re Insiders actin" deli'eratel*:

dei-erate modification isgruntled employees

PIS phsica oss# destr,ction

interr,ption

discos,re Outsiders actin" accidentall*:

accidenta modification A*+ Systems& patients

oss# destr,ction

o,tside interr,ption

discos,re Outsiders actin" deli'eratel*:

dei-erate modification Patients& terrorists& spies&

#andalsoss# destr,ction

interr,ption

CM!S"#$%&&'$HB$&&' 8olume +& +&,

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

8hreat #onte+t >uman $ctors Fsing 7hysical $ccess

Step 1" Step 1%

0otive >istory

<o0 stron" iste actor?smoti.e5

<o0 con$ident are *ou in tisestimate5

<o0 o$ten as tis treatoccurred in te past5

<o0 accurateare te data5

> i g h

0 e d i u m

A o 3

D e r y

S o m e 3 h a t

= o t $ t $ l l

D e r y

S o m e 3 h a t

= o t $ t $ l l

) times in ears

; times in ears

; times in ears

; times in ears

; times in ears

; times in ears

) times in ears

; times in ears

; times in ears

; times in ears

; times in ears

; times in ears

; times in ears

; times in ears

( times in ears

; times in

ears

+&> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



Step 1*

>uman $ctors Fsing 7hysical $ccess $reas of #oncern

Insiders Fsing 7hysical $ccess

=i7e eampes of howinsiders actin" accidentall* co,d ,se phsica accessto threaten this sstem.

=i7e eampes of howinsiders actin" deli'eratel*

co,d ,se phsica accessto threaten this sstem.

Any staff member can get physical access to PIS by using P+s

left unattended in e$am rooms. P+s in e$am rooms are typically

left logged on to PIS.

Our main computer room is often left unloc%ed. Also& too many

staff members seem to ha#e %eys to the room. Any staff member

"ith malicious intent could gain access.

?utsiders Fsing 7hysical $ccess

=i7e eampes of howoutsiders actin" accidentall* co,d ,se phsica access

to threaten this sstem.

Any patient could accidentally see PIS information "hen they are

left alone in e$am rooms. They could also deliberately loo% at PIS

information if they "anted to.

A*+ Systems has physical access all of our IT e,uipment. Any

deliberate or accidental acts by their staff could affect our

ability to pro#ide patient care.

=i7e eampes of howoutsiders actin" deli'eratel* co,d ,se phsica accessto threaten this sstem.

Any patient could accidentally see PIS information "hen they are

left alone in e$am rooms. They could also deliberately loo% at PIS

information if they "anted to.

A*+ Systems has physical access all of our IT e,uipment. Anydeliberate or accidental acts by their staff could affect our

ability to pro#ide patient care.

CM!S"#$%&&'$HB$&&' 8olume +& +&=

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

$reas of #oncern

Insiders Fsing 7hysical $ccess

?utsiders Fsing 7hysical $ccess

Terrorists and spies could attempt to physically access PIS @ust

as easily as they could try to hac% it. If they disrupt PIS& they

could shut do"n MedSite.

The PIS ser#er is located at A*+ Systems' site. Its staff has

physical access to PIS. Their physical security for the ser#er is aconcern.

+&- CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



CM!S"#$%&&'$HB$&&' 8olume +& +&.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

8.2 /is# 'ro)ile or#s*eet )or 'I+S 9 S$stem 'ro&lems

++& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


0is4 Profie ;or4sheet for PIDS Sstem Pro-ems

System 7roblems 9asic 6is/ 7rofile

Step 12 Step 22





%at is te potential impact onte or"ani#ation in eac

applica'le area5

$sset $ctor ?utcome Impact Dalues

6 e p u t a t i o n

; i n a n c i a l


; i n e s

S a f e t y

? t h e r

discos,re

software defects modification



discos,re

sstem crashes modification

PIS oss# destr,ction M M 2 M 2 -


discos,re

hardware defects modification




maicio,s code modification M M M M 2 -

7ir,s# worm# Troanhorse# -ac4 door



CM!S"#$%&&'$HB$&&' 8olume +& +++

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

9asic 6is/ 7rofile Systems 7roblems



<o0 li&el* is te treatto occur in te $uture5

<o0 con$ident are *ouin *our estimate5


addressin" eacris&5


D e r y

S o m e 3 h a t

= o t $ t $ l l

1 .


2 .


.

S e c 0 g m t

" .


% .


* .


, .

7 h y s $ c c # n t r l

- .


' .


1 ) .


1 1 .


1 2 .

D u l 0 g m t

1 .

E n c r y p t i o n

1 " .

S e c $ r c h G e s

1 % .


$ c c e p t

e f e r

0 i t i g a t e

H!!!!!!H!!!!!!H

H!!!!!!H!!!!!!H

2 H!!!!XH!!!!!!H R R R F R F F F R R F

2 HX!!!!H!!!!!!H R R R F R F F F R R F

H!!!!!!H!!!!!!H

H!!!!!!H!!!!!!H

2 H!!!!X

H!!!!!!H R R R F R F F F R R R F

2 HX!!!!H!!!!!!H R R R F R F F F R R R F

H!!!!!!H!!!!!!H

H!!!!!!H!!!!!!H

L HX!!!!H!!!!!!H R R R F R F F F R R F

L HX!!!!H!!!!!!H R R R F R F F F R R F




M H!!!!XH!!!!!!H R R R F R F F F R R R R F

++% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



System 7roblems 8hreat #onte+t

Step 1%

>istory



D e r y

S o m e 3 h a t

= o t $ t $ l l

discos,re times in ears

software defects modification times in ears

oss# destr,ction (; times in ( ears

interr,ption (; times in ( ears


sstem crashes modification times in ears

PIS oss# destr,ction (;G times in ( ears

interr,ption (;G times in ( ears


hardware defects modification times in ears

oss# destr,ction ; times in ears

interr,ption ; times in ears

discos,re ; times in ears

maicio,s code modification ; times in ears

7ir,s# worm# Troan

horse# -ac4 door oss# destr,ction ( times in ears

interr,ption ) times in ( ears

CM!S"#$%&&'$HB$&&' 8olume +& ++'

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

8hreat #onte+t System 7roblems

=otes

%at additional notes a'out eac treat do *ou 0ant to record5

++4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


8/10/2019 v10 Example v1



CM!S"#$%&&'$HB$&&' 8olume +& ++=

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


0is4 Profie ;or4sheet for PIDS Other

?ther 7roblems 9asic 6is/ 7rofile

Step 12 Step 22





%at is te potential impact on teor"ani#ation in eac applica'le

area5

$sset $ctor ?utcome

6 e p u t a t i o n

; i n a n c i a l


; i n e s

S a f e t y

? t h e r

discos,re

power s,pp modification

pro-emsoss# destr,ction M M 2 M 2 -


discos,re

teecomm,nications modification

PIS pro-ems or

,na7aia-iit

oss# destr,ction


discos,re

third)part pro-ems modification

or ,na7aia-iit ofthird)part sstems

oss# destr,ction



nat,ra disasters modification

e.g.# food# fire#tornado



CM!S"#$%&&'$HB$&&' 8olume +& ++.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

9asic 6is/ 7rofile ?ther 7roblems



<o0 li&el* is te treat to

occur in te $uture5 <o0con$ident are *ou in *ourestimate5

%at is te stopli"t status $or eac securit* practice area5 %at is *our

approac $oraddressin" eacris&5


D e r y

S o m e 3 h a t

= o t $ t $ l l

1 .


2 .


.

S e c 0 g m t

" .


% .


* .


, .

7 h y s $ c c # n t r l

- .


' .


1 ) .


1 1 .


1 2 .

D u l 0 g m t

1 .

E n c r y p t i o n

1 " .

S e c $ r c h G e s

1 % .


$ c c e p t

e f e r

0 i t i g a t e

H!!!!!!H!!!!!!H

H!!!!!!H!!!!!!H

M H!!!!XH!!!!!!H R R R F R F F R F

M HX!!!!H!!!!!!H R R R F R F F R F

H!!!!!!H!!!!!!H

H!!!!!!H!!!!!!H

H!!!!!!H!!!!!!H

L HX!!!!H!!!!!!H R R R F R F F R F

H!!!!!!H!!!!!!H

H!!!!!!H!!!!!!H

H!!!!!!H!!!!!!H

M HX!!!!H!!!!!!H R R R F R F F

L HX!!!!H!!!!!!H R R R F R F F R

H!!!!!!H!!!!!!H



+%& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


8/10/2019 v10 Example v1



8hreat #onte+t ?ther 7roblems

=otes


Po"er supply is controlled by the site and its facilities group.

CM!S"#$%&&'$HB$&&' 8olume +& +%'

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step 1*

?ther 7roblems $reas of #oncern

7o3er Supply 7roblems

=i7e eampes of how po0er suppl* pro'lems co,dthreaten this sstem.

Po"er supply problems can lead to a denial of access to PIS. Ourbac%up procedures ha#e failed in the past& so this is a concern.

8elecommunications 7roblems

=i7e eampes of how

telecommunications pro'lemsco,d threaten this sstem.

!e access PIS using telecommunications lines. If there is a

problem "ith any telecommunications e,uipment& then "e could notaccess PIS.

8hird!7arty 7roblems

=i7e eampes of how tird-

part* pro'lems co,d threaten

this sstem.

MedSite is not a priority for A*+ Systems. This prolongs

do"ntime for PIS.

=atural isasters

=i7e eampes of hownatural disasters co,dthreaten this sstem.

MedSite is located on a flood plane. !e ha#e had a history of

floods& especially in the past fi#e years. Access to PIS "as

interrupted each time.

+%4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



$reas of #oncern

7o3er Supply 7roblems

8elecommunications 7roblems

8hird!7arty 7roblems

A*+ Systems' configuration of our fire"all restricts access to

important Internet medical sites. They do not understand our

re,uirements.

=atural isasters

CM!S"#$%&&'$HB$&&' 8olume +& +%,

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

?ther 7roblems (cont.) 9asic 6is/ 7rofile

Step 12 Step 22





%at is te potential impact onte or"ani#ation in eac

applica'le area5

$sset $ctor ?utcome

6 e p u t a t i o n

; i n a n c i a l


; i n e s

S a f e t y

? t h e r


phsica config,ration modification

or arrangement of -,idings# offices# ore@,ipment

oss# destr,ction

interr,ption

discos,re

modification

PIS oss# destr,ction

interr,ption

discos,re

modification

oss# destr,ction

interr,ption

discos,re

modification

oss# destr,ction

interr,ption

+%> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

8hreat #onte+t ?ther 7roblems (cont.)

=otes


+'& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



Step 1*

?ther 7roblems (cont.) $reas of #oncern

7hysical #onfiguration 7roblems

=i7e eampes of how p*sical con$i"uration o$'uildin"s o$$ices or

e;uipment co,d threaten thissstem.

Physical configuration of "or% areas permits unauthori3ed #ie"ingof pri#ate patient information by staff members as "ell as

outsiders.

=i7e eampes of how

co,d threaten this sstem.

=i7e eampes of how


=i7e eampes of how


CM!S"#$%&&'$HB$&&' 8olume +& +'+

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

$reas of #oncern

7hysical #onfiguration 7roblems

+'% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



CM!S"#$%&&'$HB$&&' 8olume +& +''

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

10 /is# 'ro)ile or#s*eet )or AC S$stems

9 Ot*er 'ro&lems

+'4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


0is4 Profie ;or4sheet for !BC Sstems Other

?ther 7roblems 9asic 6is/ 7rofile

Step 12 Step 22


7or 0ic 'rances is tere a non-ne"li"i'le possi'ilit* o$ a treat tote asset5 Mar& tese 'rances on te tree6

7or 0ic o$ te remainin" 'rances is tere a ne"li"i'le possi'ilit* or

no possi'ilit* o$ a treat to te asset5 >o not mar& tese 'rances6

%at is te potential impact on teor"ani#ation in eac applica'le area5

$sset $ctor ?utcome

6 e p u t a t i o n

; i n a n c i a l


; i n e s

S a f e t y

? t h e r

discos,re

4e peope ta4ing a modification

temporar ea7e ofa-sence e.g.# d,e toiness# disa-iit

oss# destr,ction

interr,ption

discos,re

4e peope ea7ing the modification

organiGation

permanente.g.# retirement# otheropport,nities

A*+ oss# destr,ction

Systems interr,ption

discos,re

threats affecting modification

a third)part orser7ice pro7ider

oss# destr,ction

A*+ Systems interr,ption L L L L L -

discos,re

modification

oss# destr,ction

interr,ption

CM!S"#$%&&'$HB$&&' 8olume +& +',

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

9asic 6is/ 7rofile ?ther 7roblems



<o0 li&el* is te treat tooccur in te $uture5 <o0

con$ident are *ou in *our

estimate5


addressin" eac

ris&5


D e r y

S o m e 3 h a t

= o t $ t $ l l

1 .


2 .


.

S e c 0 g m t

" .


% .


* .


, .

7 h y s $ c c # n t r l

- .


' .


1 ) .


1 1 .


1 2 .

D u l 0 g m t

1 .

E n c r y p t i o n

1 " .

S e c $ r c h G e s

1 % .


$ c c e p t

e f e r

0 i t i g a t e

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

LH!!!!!!!!H!!!!!!

H

R R R F

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

H!!!!!!!!H!!!!!!!!H

+'> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



H!!!!!!!!H!!!!!!!!H

CM!S"#$%&&'$HB$&&' 8olume +& +'=

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

?ther 7roblems 8hreat #onte+t

Step 1%

>istory



D e r y

S o m e 3 h a t

= o t $ t $ l l


4e peope ta4ing a modification times in ears

temporar ea7e of

a-sence e.g.# d,e toiness# disa-iit

oss# destr,ction times in ears

interr,ption times in ears


4e peope ea7ing modification times in ears

the organiGation permanentA*+ oss# destr,ction times in ears

e.g.# retirement#other opport,nitiesSystems interr,ption times in ears


threats affecting modification times in ears

a third)part orser7ice pro7ider

A*+ Systems


interr,ption ( times in ears


modification times in ears


interr,ption times in ears

+'- CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



8hreat #onte+t ?ther 7roblems

=otes


To our %no"ledge& there has been one time that security issues affected A*+

Systems' ser#ice in the last years.

CM!S"#$%&&'$HB$&&' 8olume +& +'.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step 1*

?ther 7roblems $reas of #oncern

7eople 8a/ing a 8emporary Aeave of $bsence

=i7e eampes of how &e* people ta&in" a temporar* lea.e

o$ a'sence co,d affect thea-iit of this person or gro,pof peope to pro7ide criticaser7ices# s4is# and4nowedge.

7eople Aeaving the ?rganization 7ermanently

=i7e eampes of how &e*

people lea.in" te or"ani#ation permanentl* co,d affect thea-iit of this person or gro,pof peope to pro7ide criticaser7ices# s4is# and4nowedge.

8hreats $ffecting a 8hird!7arty

=i7e eampes of how treats

a$$ectin" a tird part* or ser.ice

pro.ider co,d affect the a-iitof that third part or ser7ice pro7ider to pro7ide criticaser7ices# s4is# and4nowedge.

A*+ Systems configures and maintains all ma@or systems and the

net"or% for MedSite. If A*+ Systems is unable to pro#ide

ser#ices to MedSite because of threats to their systems and

net"or%s& MedSite's operations could be affected.

+4& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1



$reas of #oncern

7eople 8a/ing a 8emporary Aeave of $bsence

7eople Aeaving the ?rganization 7ermanently

8hreats $ffecting a 8hird!7arty

If there is a problem "ith PIS or the net"or% and A*+ Systems

is unable to respond in a timely manner& MedSite's do"ntime could

be increased.

CM!S"#$%&&'$HB$&&' 8olume +& +4+

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

+4% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


11!et"or# Aess 'at*s or#s*eet

Steps 1 and 17

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


1etwor4 !ccess Paths ;or4sheet

CM!S"#$%&&'$HB$&&' 8olume +& +4,

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

1ote ;hen o, seect a 4e cass of components# ma4e s,re that o,aso doc,ment an ree7ant s,-casses or specific eampes whenappropriate.

$ccess 7oints

ata Storage

Aocations

System $ccess

by 7eople

?ther Systems@

#omponents

Step 1-c Step 1-d Step 1-e

System $ccess by 7eople ata Storage Aocations ?ther Systems and #omponents

7rom 0ic o$ te $ollo0in"

classes o$ components can people9e6"6 users attac&ers access te

s*stem o$ interest5

Consider access points 'ot

internal and e4ternal to *our

or"ani#ation?s net0or&s6

On 0ic classes o$

components is in$ormation $romte s*stem o$ interest stored $or

'ac&up purposes5

%ic oter s*stems access

in$ormation or applications $romte s*stem o$ interest5

%ic oter classes o$ componentscan 'e used to access critical

in$ormation or applications $rom

te s*stem o$ interest5

On)Site;or4stations

StorageDe7ices

lo0al ba0:ups* off$site tapes

?+S

>aptops

admin* physi0ians* #5

Others ist 4R>S

PD!s/;irees

s Components

Most of the other systems

Home/Eterna

;or4stationsphysi0ians* senior admin

Others ist

+4> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


1etwor4 !ccess Paths ;or4sheet

CM!S"#$%&&'$HB$&&' 8olume +& +4=

8/10/2019 v10 Example v1


1 In)rastruture /e%ie" or#s*eets

Steps 18, 0, and 1

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step 1'a Step 1'b Step 2

#lass #ritical $ssets 6esponsibility

ote

In Step 1a

mar& te pat toeac class selected in Steps

1,a-1,e6

%ic classes o$ components

are related to one or more

critical assets5

%ic critical assets are

related to eac class5

%o is responsi'le $or

maintainin" and securin"

eac class o$ component5

9>ocument an* rele.ant

su'classes or speci$ic

e4amples 0en appropriate6 ( .

P I S

) . p a p e r m e d r e c s

/ .

P + s

9 .

A * + S y s t e m s

- .

? + S

Ser7ers

Ser#er A A*+ Systems

Ser#er * A*+ Systems

Interna 1etwor4s

All A*+ Systems our IT

On)Site ;or4stations

Admin A*+ Systems our IT

Physicians A*+ Systems our IT

Patient treatment rooms A*+ Systems our IT

>aptops

Admin A*+ Systems our IT


IT A*+ Systems our IT

PD!s/;ireess Components


Others A*+ Systems our IT

+,& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step 21

7rotection =otes@Issues

To 0at e4tent is securit*considered 0en con$i"urin"

and maintainin" eac class o$ component5

<o0 do *ou&no05

%at additional in$ormation do *ou 0ant to record5

D e r y 0 u c h

S o m e 3 h a t

= o t $ t $ l l

o n t B n o 3

; o r m a l 8 e c h n i ( u e s

I n f o r m a l 0 e a n s

? t h e r

Ser7ers

))))))))))))))))))))))))))))

))))))))))))))))))))))))))))

))))))))))))))))))))))))))))

Interna 1etwor4s

)))))))))))))))))))))))))) IT does some items on these.

))))))))))))))))))))))))))))

))))))))))))))))))))))))))))

On)Site ;or4stations

)))))))))))))))))))))))))) IT focuses on Admin's "or%stations.

))))))))))))))))))))))))))

))))))))))))))))))))))))))

>aptops

))))))))))))))))))))))))))))

))))))))))))))))))))))))))

)))))))))))))))))))))))))) IT does a lot of e$tras on their o"n P+s.

PD!s/;ireess Components

)))))))))))))))))))))))))) Jo one has paid attention to this.

))))))))))))))))))))))))))

))))))))))))))))))))))))))))

+,% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


Infrastr,ct,re 0e7iew ;or4sheet

Step 1'a Step 1'b Step 2

#lass #ritical $ssets 6esponsibility

ote

In Step 1a

mar& te pat toeac class

selected in Steps1,a-1,e6

%ic classes o$ components

are related to one or more

critical assets5

%ic critical assets are

related to eac class5

%o is responsi'le $or

maintainin" and securin"

eac class o$ component5

9>ocument an* rele.ant

su'classes or speci$ice4amples 0en appropriate6

( .

P I S

) . p a p e r m e d r e c s

/ .

P + s

9 .

A * + S y s t e m s

- .

? + S

Other Sstems

All other systems A*+ Systems and our IT

Storage De7ices

Local bac%-up A*+ Systems and our IT

Off-site tapes Jot sure

Eterna 1etwor4s

All Kn%no"n

Home/Eterna ;or4stations

(hysi0ians* senior admin1 Indi#idual

Other

CM!S"#$%&&'$HB$&&' 8olume +& +,'

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

Step 21

7rotection =otes@Issues

To 0at e4tent is securit*considered 0en con$i"urin"

and maintainin" eac class o$ component5

<o0 do *ou&no05

%at additional in$ormation do *ou 0ant to record5

D e r y 0 u c h

S o m e 3 h a t

= o t $ t $ l l

o n t B n o 3

; o r m a l 8 e c h n i ( u e s

I n f o r m a l 0 e a n s

? t h e r

Other Sstems

))))))))))))))))))))))))))

))))))))))))))))))))))))))))

))))))))))))))))))))))))))))

Storage De7ices

))))))))))))))))))))))))))))

)))))))))))))))))))))))))))) Might be outsourced from A*+ Systems

))))))))))))))))))))))))))))

Eterna 1etwor4s

))))))))))))))))))))))))))))

))))))))))))))))))))))))))))

))))))))))))))))))))))))))))

Home/Eterna ;or4stations

)))))))))))))))))))))))))))) Kp to o"ner to manage

)))))))))))))))))))))))))))) ))))))))))))))))))))))))))))

Other

))))))))))))))))))))))))))))

))))))))))))))))))))))))))))

))))))))))))))))))))))))))))

+,4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


12 'ro&a&ilit$ E%aluation Criteria or#s*eet

Step 2

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


Pro-a-iit E7a,ation Criteria ;or4sheet

26 >ra0 lines tat separate i" $rom medium and medium $rom lo06

Medium Lo"

One Time Per

<ear

( Time Per

Fear

Once E7er

Two <ears

Once E7er

"i7e <ears

Once E7er &%

<ears

Once E7er *%

<ears

Once E7er 5%

<ears

& %.5

(%.* %.& %.%5 %.%*

CM!S"#$%&&'$HB$&&' 8olume +& +,.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

+>& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


14 'rotetion Strate($ or#s*eet

Steps 5, 8

This section inc,des an ecerpt of the entire protection strateg for $edSite. Two tpes of

practice areas are inc,ded the seected mitigation areas and a few of the other practice areas with

genera# strategic impro7ements.

The mitigation areas refect corporate or strategic)e7e changes dri7en primari - the

mitigation pans for specific ris4s to critica assets. The mitigation areas are

• Sec,rit awareness and training

• Coa-orati7e sec,rit management

• $onitoring and a,diting phsica sec,rit

• !,thentication and a,thoriGation

Strategic e7e changes were aso identified for the rest of the sec,rit practice areas. The other

areas with strategic changes inc,ded here are sec,rit poicies and reg,ations.

8/10/2019 v10 Example v1


Protection Strateg ;or4sheet OCT!9E)S 9&.%

+>% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

1. Security $3areness and 8raining Stoplight Status R

Step 2(: <o0 $ormal is *our or"ani#ation?s trainin" strate"*5

Step 2: %ill an* miti"ation acti.ities can"e *our trainin" strate"*5

>o *ou 0ant to ma&e an* additional can"es to *our trainin" strate"*5

8raining Strategy Step 2% Step 2'

The organiGation has a doc,mented training strateg that inc,des sec,ritawareness training and sec,rit)reated training for s,pported technoogies.

C,rrent Change

The organiGation has an informa and ,ndoc,mented training strateg. C,rrent Change

C,rrent Change

Step 2(: <o0 o$ten is securit* a0areness trainin" pro.ided5

Step 2: %ill an* miti"ation acti.ities can"e o0 o$ten securit* a0areness trainin" is pro.ided5

>o *ou 0ant to ma&e an* additional can"es to o0 o$ten securit* a0areness trainin" is pro.ided5

Security $3areness 8raining Step 2% Step 2'

Periodic sec,rit awareness training is pro7ided for a empoees

( times e7er ( ears.

C,rrent Change

Sec,rit awareness training is pro7ided for new staff mem-ers as part of theirorientation acti7ities.

C,rrent Change

The organiGation does not pro7ide sec,rit awareness training. Staff mem-ersearn a-o,t sec,rit iss,es on their own.

C,rrent Change

C,rrent Change

+>4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


Protection Strateg for Sec,rit !wareness and Training

1. Security $3areness and 8raining

Step 2(: To 0at e4tent are IT sta$$ mem'ers re;uired to attend securit*-related trainin"5

Step 2: %ill an* miti"ation acti.ities can"e te re;uirement $or attendin" securit*-related trainin"5 >o *ou 0ant to ma&e an* additional can"es to te re;uirement $or attendin" securit*-related trainin"5

Security!6elated 8raining for Supported 8echnologies Step 2% Step 2'

Information technoog staff mem-ers are re@,ired to attend sec,rit)reatedtraining for an technoogies that the s,pport.

C,rrent Change

Information technoog staff mem-ers can attend sec,rit)reated training foran technoogies that the s,pport if the re@,est it.

C,rrent Change

The organiGation genera does not pro7ide opport,nities for informationtechnoog staff mem-ers to attend sec,rit)reated training for s,pportedtechnoogies. Information technoog staff mem-ers earn a-o,t sec,rit)reated

iss,es on their own.

C,rrent Change

C,rrent Change

Step 2(: <o0 $ormal is *our or"ani#ation?s mecanism $or pro.idin" periodic securit* updates5

Step 2: %ill an* miti"ation acti.ities can"e *our mecanism $or pro.idin" periodic securit* updates5

>o *ou 0ant to ma&e an* additional can"es to *our mecanism $or pro.idin" periodic securit* updates5

7eriodic Security Fpdates Step 2% Step 2'

The organiGation has a forma mechanism <including coordination "ith A*+

Systems= for pro7iding staff mem-ers with periodic ,pdates/-,etins a-o,t

important sec,rit iss,es.

C,rrent Ch

ange

The organiGation does not ha7e a mechanism for pro7iding staff mem-ers with periodic ,pdates/-,etins a-o,t important sec,rit iss,es.

C,rrent Change

C,rrent Change

CM!S"#$%&&'$HB$&&' 8olume +& +>,

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

1. Security $3areness and 8raining Stoplight Status R

Step 2(: <o0 $ormal is *our or"ani#ation?s mecanism $or .eri$*in" tat sta$$ recei.es trainin"5

Step 2: %ill an* miti"ation acti.ities can"e *our mecanism $or .eri$*in" tat sta$$ recei.es trainin"5 >o *ou 0ant to ma&e an* additional can"es to *our mecanism $or .eri$*in" tat sta$$ recei.es trainin"5

8raining Derification Step 2% Step 2'

The organiGation has forma mechanisms for trac4ing and 7erifing that staffmem-ers recei7e appropriate sec,rit)reated training.

C,rrent Change

The organiGation has informa mechanisms for trac4ing and 7erifing that staffmem-ers recei7e appropriate sec,rit)reated training.

C,rrent Change

The organiGation has no mechanisms for trac4ing and 7erifing that staffmem-ers recei7e appropriate sec,rit)reated training.

C,rrent Change

C,rrent Change

Step 2(: %at additional caracteristic o$ *our current approac to securit* a0areness and trainin" do *ou 0ant to record5

Step 2: %ill an* miti"ation acti.ities can"e tis caracteristic5

>o *ou 0ant to ma&e an* additional can"es to tis caracteristic5

?ther: Step 2% Step 2'

C,rrent Change

C,rrent Change

C,rrent Change

+>> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

%. #ollaborative Security 0anagement Stoplight Status R

Step 2(: <o0 $ormal are *our or"ani#ation?s policies and procedures $or protectin" in$ormation 0en 0or&in" 0itcollaborators and partners5

Step 2: %ill an* miti"ation acti.ities can"e te policies and procedures $or protectin" in$ormation 0en 0or&in" 0it

colla'orators and partners5 >o *ou 0ant to ma&e an* additional can"es to te policies and procedures $or protectin" in$ormation 0en

0or&in" 0it colla'orators and partners5

#ollaborators and 7artners Step 2% Step 2'

The organiGation has doc,mented poicies and proced,res for protectinginformation when wor4ing with coa-orators and partners.

C,rrent Change

The organiGation has doc,mented poicies and proced,res for protecting certaininformation when wor4ing with coa-orators and partners. The organiGation hasinforma and ,ndoc,mented poicies and proced,res for protecting other tpes of

information when wor4ing with coa-orators and partners.

C,rrent Change

The organiGation has informa and ,ndoc,mented poicies and proced,res for protecting information when wor4ing with coa-orators and partners.

C,rrent Change

C,rrent Change

Step 2(: <o0 $ormal are *our or"ani#ation?s policies and procedures $or protectin" in$ormation 0en 0or&in" 0itcontractors and subcontractors5


contractors and su'contractors5

>o *ou 0ant to ma&e an* additional can"es to te policies and procedures $or protectin" in$ormation 0en0or&in" 0it contractors and su'contractors5

#ontractors and Subcontractors Step 2% Step 2'

The organiGation has doc,mented poicies and proced,res for protectinginformation when wor4ing with contractors and s,-contractors.

C,rrent Change

The organiGation has doc,mented poicies and proced,res for protecting certaininformation when wor4ing with contractors and s,-contractors. The organiGationhas informa and ,ndoc,mented poicies and proced,res for protecting other

tpes of information when wor4ing with contractors and s,-contractors.

C,rrent Change

The organiGation has informa and ,ndoc,mented poicies and proced,res for protecting information when wor4ing with contractors and s,-contractors.

C,rrent Change

C,rrent Change

+>- CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


Protection Strateg for Coa-orati7e Sec,rit $anagement


Step 2(: <o0 $ormal are *our or"ani#ation?s policies and procedures $or protectin" in$ormation 0en 0or&in" 0it service

providers5


ser.ice pro.iders5 >o *ou 0ant to ma&e an* additional can"es to te policies and procedures $or protectin" in$ormation 0en

0or&in" 0it ser.ice pro.iders5

Service 7roviders Step 2% Step 2'

The organiGation has doc,mented poicies and proced,res for protectinginformation when wor4ing with ser7ice pro7iders.

C,rrent Change

The organiGation has doc,mented poicies and proced,res for protecting certaininformation when wor4ing with ser7ice pro7iders. The organiGation has informaand ,ndoc,mented poicies and proced,res for protecting other tpes of

information when wor4ing with ser7ice pro7iders.

C,rrent Change

The organiGation has informa and ,ndoc,mented poicies and proced,res for protecting information when wor4ing with ser7ice pro7iders.

C,rrent Change

C,rrent Change

Step 2(: To 0at e4tent does *our or"ani#ation $ormall* communicate its in$ormation protection re;uirements to tird

parties5

Step 2: %ill an* miti"ation acti.ities can"e o0 *our or"ani#ation communicates its in$ormation protection re;uirements

to tird parties5

>o *ou 0ant to ma&e an* additional can"es to o0 *our or"ani#ation communicates its in$ormation protectionre;uirements to tird parties5

6euirements Step 2% Step 2'

The organiGation doc,ments information protection re@,irements and epicitcomm,nicates them to a appropriate third parties.

C,rrent Change

The organiGation informa comm,nicates information protection re@,irements

to a appropriate third parties. 4acilities Management and A*+ Systems. C,rrent Change

The organiGation does not comm,nicate information protection re@,irements tothird parties.

C,rrent Change

C,rrent Change

CM!S"#$%&&'$HB$&&' 8olume +& +>.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

%. #ollaborative Security 0anagement Stoplight Status R

Step 2(: To 0at e4tent does *our or"ani#ation .eri$* tat tird parties are addressin" in$ormation protection re;uirements5

Step 2: %ill an* miti"ation acti.ities can"e .eri$ication mecanisms5

>o *ou 0ant to ma&e an* additional can"es to .eri$ication mecanisms5

Derification Step 2% Step 2'

The organiGation has forma mechanisms for 7erifing that a third)partorganiGations# o,tso,rced sec,rit ser7ices# mechanisms# and technoogies meetits needs and re@,irements.

C,rrent Change

4acilities Management and A*+ SystemsThe organiGation has informa mechanisms for 7erifing that a third)partorganiGations# o,tso,rced sec,rit ser7ices# mechanisms# and technoogies meetits needs and re@,irements.

C,rrent Change

The organiGation has no mechanisms for 7erifing that a third)partorganiGations# o,tso,rced sec,rit ser7ices# mechanisms# and technoogies meetits needs and re@,irements.

C,rrent Change

C,rrent Change

Step 2(: To 0at e4tent does *our securit*-a0areness trainin" pro"ram include in$ormation a'out colla'orati.e securit*mana"ement5

Step 2: %ill an* miti"ation acti.ities can"e te content o$ *our securit* a0areness trainin" to include in$ormation a'out

colla'orati.e securit* mana"ement5

>o *ou 0ant to ma&e an* additional can"es to te content o$ *our securit* a0areness trainin"5

Staff $3areness Step 2% Step 2'

The organiGations sec,rit)awareness training program inc,des informationa-o,t the organiGations coa-orati7e sec,rit management poicies and proced,res. This training is pro7ided for a empoees times e7er ears.

C,rrent Change

The organiGations sec,rit)awareness training program inc,des informationa-o,t the organiGations coa-orati7e sec,rit management poicies and proced,res. This training is pro7ided for new staff mem-ers as part of theirorientation acti7ities.

C,rrent Change

The organiGations sec,rit)awareness training program does not inc,deinformation a-o,t the organiGations coa-orati7e sec,rit management poiciesand proced,res. Staff mem-ers earn a-o,t coa-orati7e sec,rit management poicies and proced,res on their own.

C,rrent Change

C,rrent Change

+=& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


Protection Strateg for Coa-orati7e Sec,rit $anagement


Step 2(: %at additional caracteristic o$ *our current approac to colla'orati.e securit* mana"ement do *ou 0ant torecord5

Step 2: %ill an* miti"ation acti.ities can"e tis caracteristic5

>o *ou 0ant to ma&e an* additional can"es to tis caracteristic5

?ther: Step 2% Step 2'

C,rrent Change

C,rrent Change

C,rrent Change

CM!S"#$%&&'$HB$&&' 8olume +& +=+

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.% Protection Strateg for $onitoring and !,diting Phsica Sec,rit

14.2 'rotetion Strate($ )or onitorin( and Auditin(

'*$sial Seurit$

CM!S"#$%&&'$HB$&&' 8olume +& +='

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

-. 0onitoring and $uditing 7hysical Security Stoplight Status R

Step 2(: %o is currentl* responsi'le $or monitorin" and auditin" p*sical securit*5

Step 2: %ill an* miti"ation acti.ities can"e responsi'ilit* $or monitorin" and auditin" p*sical securit*5

>o *ou 0ant to ma&e an* additional can"es a$$ectin" responsi'ilit* $or monitorin" and auditin" p*sical securit*5

6esponsibility Step 2% Step 2'

C,rrent Change

Tas4

I n t e r n a

E / t e r n a

C o m - i n e d

I n t e r n a

E / t e r n a

C o m - i n e d

3eeping maintenance records to doc,ment repairs and modifications to IThardware

$onitoring phsica access to controed IT hardware

$onitoring phsica access to controed IT software media

$onitoring phsica access to restricted wor4 areas

0e7iewing monitoring records on a periodic -asis

In7estigating and addressing an ,n,s,a acti7it that is identified

+=4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


Protection Strateg for $onitoring and !,diting Phsica Sec,rit


Step 2(: To 0at e4tent are procedures $or tis area $ormall* documented5

Step 2: %ill an* miti"ation acti.ities can"e te e4tent to 0ic procedures are $ormall* documented $or tis area5

>o *ou 0ant to ma&e an* additional can"es to o0 procedures are documented $or tis area5

7rocedures Step 2% Step 2'

#" sta"" "rom your organi$ation is partly or completely responsible "or this area:

The organiGation has forma doc,mented pans and proced,res formonitoring phsica access to the -,iding and premises# wor4 areas# IThardware# and software media.

C,rrent Change

The organiGation has some forma doc,mented poicies and proced,res formonitoring phsica access to the -,iding and premises# wor4 areas# IThardware# and software media. Some poicies and proced,res in this area areinforma and ,ndoc,mented.

C,rrent Change

The organiGation has informa and ,ndoc,mented pans and proced,res formonitoring phsica access to the -,iding and premises# wor4 areas# IThardware# and software media.

C,rrent Change

C,rrent Change

Step 2(: To 0at e4tent are sta$$ mem'ers re;uired to attend trainin" in tis area5

Step 2: %ill an* miti"ation acti.ities can"e te re;uirement $or attendin" trainin" in tis area5

>o *ou 0ant to ma&e an* additional can"es to te re;uirement $or attendin" trainin" in tis area5

8raining Step 2% Step 2'


Designated staff mem-ers are re@,ired to attend training for monitoring phsica access to the -,iding and premises# wor4 areas# IT hardware# andsoftware media.

C,rrent Change

Designated staff mem-ers can attend training for monitoring phsica accessto the -,iding and premises# wor4 areas# IT hardware# and software media ifthe re@,est it.

C,rrent Change

The organiGation genera does not pro7ide opport,nities for designated staff mem-ers to attend training for monitoring phsica access to the -,iding and premises# wor4 areas# IT hardware# and software media. Designated staffmem-ers earn a-o,t monitoring phsica access on their own.

C,rrent Change

C,rrent Change

CM!S"#$%&&'$HB$&&' 8olume +& +=,

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

-. 0onitoring and $uditing 7hysical Security Stoplight Status R

8hird 7arty $: 4acilities Management

Step 2(: To 0at e4tent does *our or"ani#ation $ormall* communicate its re;uirements in tis area to tis tird part*5

Step 2: %ill an* miti"ation acti.ities can"e o0 *our or"ani#ation communicates its re;uirements to tis tird part*5

>o *ou 0ant to ma&e an* additional can"es to o0 *ou communicate re;uirements to tis tird part*5

#ollaborative Issues Step 2% Step 2'

#" sta"" "rom a third party is partly or completely responsible "or this area:

The organiGations re@,irements for monitoring phsica sec,rit are formacomm,nicated to a contractors and ser7ice pro7iders that monitor phsicaaccess to the -,iding and premises# wor4 areas# IT hardware# and softwaremedia.

C,rrent Change

The organiGations re@,irements for monitoring phsica sec,rit are

informa comm,nicated to a contractors and ser7ice pro7iders that monitor phsica access to the -,iding and premises# wor4 areas# IT hardware# andsoftware media.

C,rrent Change

The organiGations re@,irements for monitoring phsica sec,rit are notcomm,nicated to a contractors and ser7ice pro7iders that monitor phsicaaccess to the -,iding and premises# wor4 areas# IT hardware# and softwaremedia.

C,rrent Change

C,rrent Change

Step 2(: To 0at e4tent does *our or"ani#ation .eri$* tat tis tird part* is addressin" re;uirements in tis area5

Step 2: %ill an* miti"ation acti.ities can"e o0 *ou .eri$* tat tis tird part* is addressin" re;uirements in tis area5 >o *ou 0ant to ma&e an* additional can"es to o0 *ou .eri$* tat re;uirements are 'ein" met5



The organiGation forma 7erifies that contractors and ser7ice pro7iders ha7emet the re@,irements for monitoring phsica sec,rit.

C,rrent Change

The organiGation informa 7erifies that contractors and ser7ice pro7idersha7e met the re@,irements for monitoring phsica sec,rit.

C,rrent Change

The organiGation does not 7erif that contractors and ser7ice pro7iders ha7emet the re@,irements for monitoring phsica sec,rit.

C,rrent Change

C,rrent Change

+=> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


Protection Strateg for $onitoring and !,diting Phsica Sec,rit


8hird 7arty 9:


Step 2: %ill an* miti"ation acti.ities can"e o0 *our or"ani#ation communicates its re;uirements to tis tird part*5 >o *ou 0ant to ma&e an* additional can"es to o0 *ou communicate re;uirements to tis tird part*5



The organiGations re@,irements for monitoring phsica sec,rit are formacomm,nicated to a contractors and ser7ice pro7iders that monitor phsicaaccess to the -,iding and premises# wor4 areas# IT hardware# and softwaremedia.

C,rrent Change

The organiGations re@,irements for monitoring phsica sec,rit areinforma comm,nicated to a contractors and ser7ice pro7iders that monitor

phsica access to the -,iding and premises# wor4 areas# IT hardware# andsoftware media.

C,rrent Change

The organiGations re@,irements for monitoring phsica sec,rit are notcomm,nicated to a contractors and ser7ice pro7iders that monitor phsicaaccess to the -,iding and premises# wor4 areas# IT hardware# and softwaremedia.

C,rrent Change

C,rrent Change


Step 2: %ill an* miti"ation acti.ities can"e o0 *ou .eri$* tat tis tird part* is addressin" re;uirements in tis area5

>o *ou 0ant to ma&e an* additional can"es to o0 *ou .eri$* tat re;uirements are 'ein" met5



The organiGation forma 7erifies that contractors and ser7ice pro7iders ha7emet the re@,irements for monitoring phsica sec,rit.

C,rrent Change

The organiGation informa 7erifies that contractors and ser7ice pro7idersha7e met the re@,irements for monitoring phsica sec,rit.

C,rrent Change

The organiGation does not 7erif that contractors and ser7ice pro7iders ha7emet the re@,irements for monitoring phsica sec,rit.

C,rrent Change

C,rrent Change

CM!S"#$%&&'$HB$&&' 8olume +& +==

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

+=- CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


OCT!9E)S 9&.% Protection Strateg for !,thentication and !,thoriGation

14.4 'rotetion Strate($ )or Aut*entiation and

Aut*ori<ation

CM!S"#$%&&'$HB$&&' 8olume +& +=.

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

11. $uthentication and $uthorization Stoplight Status R

Step 2(: %o is currentl* responsi'le $or autentication and autori#ation5

Step 2: %ill an* miti"ation acti.ities can"e responsi'ilit* $or autentication and autori#ation5 >o *ou 0ant to ma&e an* additional can"es a$$ectin" responsi'ilit* $or autentication and autori#ation5

6esponsibility Step 2% Step 2'

C,rrent Change

Tas4

I n t e r n a

E / t e r n a

C o m - i n e d

I n t e r n a

E / t e r n a

C o m - i n e d

Impementing access contros e.g.# fie permissions# networ4

config,ration to restrict ,ser access to information# sensiti7e sstems#specific appications and ser7ices# and networ4 connections

Impementing ,ser a,thentication e.g.# passwords# -iometrics to restrict,ser access to information# sensiti7e sstems# specific appications andser7ices# and networ4 connections

Esta-ishing and terminating access to sstems and information for -othindi7id,as and gro,ps

+-& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


Protection Strateg for !,thentication and !,thoriGation

11. $uthentication and $uthorization

Step 2(: To 0at e4tent are procedures $or tis area $ormall* documented5

Step 2: %ill an* miti"ation acti.ities can"e te e4tent to 0ic procedures are $ormall* documented $or tis area5 >o *ou 0ant to ma&e an* additional can"es to o0 procedures are documented $or tis area5

7rocedures Step 2% Step 2'


The organiGation has forma doc,mented a,thoriGation and a,thentication proced,res for restricting ,ser access to information# sensiti7e sstems#specific appications and ser7ices# and networ4 connections.

C,rrent Change

The organiGation has some forma doc,mented a,thoriGation anda,thentication proced,res for restricting ,ser access to information# sensiti7esstems# specific appications and ser7ices# and networ4 connections. Some proced,res in this area are informa and ,ndoc,mented.

C,rrent Change

The organiGation has informa and ,ndoc,mented a,thoriGation anda,thentication proced,res for restricting ,ser access to information# sensiti7esstems# specific appications and ser7ices# and networ4 connections.

C,rrent Change

C,rrent Change

Step 2(: To 0at e4tent are sta$$ mem'ers re;uired to attend trainin" in tis area5

Step 2: %ill an* miti"ation acti.ities can"e te re;uirement $or attendin" trainin" in tis area5

>o *ou 0ant to ma&e an* additional can"es to te re;uirement $or attendin" trainin" in tis area5

8raining Step 2% Step 2'


Information technoog staff mem-ers are re@,ired to attend training forimpementing technoogica meas,res to restrict ,ser access to information#sensiti7e sstems# specific appications and ser7ices# and networ4connections.

C,rrent Change

Information technoog staff mem-ers can attend training for impementingtechnoogica meas,res to restrict ,ser access to information# sensiti7esstems# specific appications and ser7ices# and networ4 connections if there@,est it.

C,rrent Change

The organiGation genera does not pro7ide opport,nities for informationtechnoog staff mem-ers to attend training for impementing technoogicameas,res to restrict ,ser access to information# sensiti7e sstems# specificappications and ser7ices# and networ4 connections. Information technoogstaff mem-ers earn a-o,t a,thentication and a,thoriGation on their own.

C,rrent

Change

C,rrent Change

CM!S"#$%&&'$HB$&&' 8olume +& +-+

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

11. $uthentication and $uthorization Stoplight Status R

8hird 7arty $: A*+ Systems


Step 2: %ill an* miti"ation acti.ities can"e o0 *our or"ani#ation communicates its re;uirements to tis tird part*5

>o *ou 0ant to ma&e an* additional can"es to o0 *ou communicate re;uirements to tis tird part*5



The organiGations re@,irements for controing access to sstems andinformation are forma comm,nicated to a contractors and ser7ice pro7iders that pro7ide a,thentication and a,thoriGation ser7ices.

C,rrent Change

The organiGations re@,irements for controing access to sstems andinformation are informa comm,nicated to a contractors and ser7ice

pro7iders that monitor sstems and networ4s.

C,rrent Change

The organiGations re@,irements for controing access to sstems andinformation are not comm,nicated to a contractors and ser7ice pro7idersthat monitor sstems and networ4s.

C,rrent Change

C,rrent Change


Step 2: %ill an* miti"ation acti.ities can"e o0 *ou .eri$* tat tis tird part* is addressin" re;uirements in tis area5

>o *ou 0ant to ma&e an* additional can"es to *ou .eri$* tat re;uirements are 'ein" met5



The organiGation forma 7erifies that contractors and ser7ice pro7iders ha7emet the re@,irements for a,thentication and a,thoriGation.

C,rrent Change

The organiGation informa 7erifies that contractors and ser7ice pro7idersha7e met the re@,irements for a,thentication and a,thoriGation.

C,rrent Change

The organiGation does not 7erif that contractors and ser7ice pro7iders ha7emet the re@,irements for a,thentication and a,thoriGation.

C,rrent Change

C,rrent Change

+-% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

+-4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


OCT!9E)S 9&.% Protection Strateg for Sec,rit Poicies and 0eg,ations

14.5 'rotetion Strate($ )or Seurit$ 'oliies and

/e(ulations

CM!S"#$%&&'$HB$&&' 8olume +& +-,

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


OCT!9E)S 9&.%

0itigation $rea: (. Security A"areness and Training

Step 2-

0itigation $ctivity 6ationale

%ic miti"ation acti.ities are *ou "oin" to implement in tis

securit* practice area5

%* did *ou select eac acti.it*5

Pro#ide periodic security a"areness training for all

employees once a year.

Jote1 This "ill change MedSite's protection strategy.

MedSite's current policy is to pro#ide a"areness

training for ne" employees only. This is

inade,uate. Security a"areness training should be

pro#ided on a periodic basis.

?nable IT staff members to attend security-related

training for any technologies that they support.

The security practices sur#ey indicated that

there is a lac% of training for IT staff at

MedSite.

The manager in each department "ill %eep a list of

people "ho ha#e recei#ed security a"areness training

and "hen they recei#ed it.

!e must set up a trac%ing mechanism if "e intend

to impro#e our training related to security.

+.& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


$itigation Pan ;or4sheet

0itigation 6esponsibility $dditional Support

%o needs to 'e in.ol.ed in implementin" eac acti.it*5%*5

%at additional support 0ill 'e needed 0enimplementin" eac acti.it* 9e6"6 $undin" commitment o$

sta$$ sponsorsip5

MedSite's senior management team and the

training department manager

Increasing the fre,uency of security a"areness

training re,uires commitment and funding from

senior management. It "ill also re,uire a

commitment from MedSite's Training epartment.

MedSite's IT manager must ta%e responsibility

for implementing this mitigation acti#ity.

MedSite's senior managers must appro#e and find

funding for this acti#ity. MedSite's +IO needs to

sponsor implementation of this acti#ity.

The manager in each MedSite department ?ach department manager must participate in thisacti#ity. Senior managers need to ma%e this a

re,uirement for it to "or%.

CM!S"#$%&&'$HB$&&' 8olume +& +.+

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

0itigation $rea: . +ollaborati#e Security Management

Step 2-





esignate an IT staff member as point of contact to

communicate our re,uirements for protecting PIS

information to A*+ Systems.

esignate staff member from the Maintenance

epartment to communicate our physical security

re,uirements for building security to the 4acilities

Management :roup.


!e are currently doing nothing "ith respect to

communicating security re,uirements to A*+

Systems and the 4acilities Management :roup.

?stablishing a point of contact for each

organi3ation should impro#e communication of our

re,uirements.

The IT point of contact "ill #erify that re,uirements

for protecting PIS information are met by A*+

Systems.

The Maintenance epartment point of contact "ill

#erify that re,uirements for physical security are met

by the 4acilities Management :roup for the building.


If "e are establishing a means to communicate

our re,uirements to A*+ Systems and the

4acilities Management :roup& then "e need the

points of contact to ma%e sure that those

re,uirements ha#e been met.

+ontract "ith A*+ Systems to send security bulletins

to MedSite's IT point of contact& "ho "ill for"ard the

bulletins to MedSite's staff.

MedSite's staff is not recei#ing information

about security problems& such as #iruses.

+.% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1






sta$$ sponsorsip5

T* 7 Responsibility must be assigned by

MedSite's +IO and the manager of the

Maintenance epartment.

MedSite's senior management team must sponsor

this acti#ity. The +IO and manager of the

Maintenance epartment must assign the points

of contact.

T* 7 A point of contact must be assigned to

"or% "ith A*+ Systems. A point of contact must

be assigned to "or% "ith the 4acilities

Management :roup.


this acti#ity. The +IO and manager of the

Maintenance epartment must assign the points

of contact.


"or% "ith A*+ Systems.


this acti#ity. The +IO must assign the point of

contact.

CM!S"#$%&&'$HB$&&' 8olume +& +.'

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

0itigation $rea: . Monitoring and Auditing Physical Security

Step 2-





ocument formal procedures for monitoring physical

access to all IT hard"are and soft"are media.


Some staff members from MedSite's IT

department informally monitor the physical

security of IT hard"are and soft"are.

4ormali3ing the procedures "ould help to ensure

that they are consistently applied by all IT staff

members.

Assign a point of contact from MedSite to "or% "ith

the 4acilities Management :roup to monitor physical

access to the building and premises. The point of

contact "ill be responsible for communicating

MedSite's re,uirements for monitoring physical

security and for #erifying that the re,uirements ha#e

been met.


Responsibility for monitoring and auditing physical

security is assigned to the 4acilities Management

:roup and MedSite. Acti#ities are not

coordinated among the t"o organi3ations.

?stablishing points of contact at MedSite to "or%

"ith staff from the 4acilities Management :roup

should impro#e communication of our

re,uirements and impro#e ho" physical security is

managed.

+.4 CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1






sta$$ sponsorsip5

T* 7 A small team to document the procedures

must be assigned by MedSite's +IO and6or IT

manager.

MedSite's +IO must sponsor this acti#ity and

assign a small team to document the procedures.


"or% "ith 4acilities Management :roup.


this acti#ity. The manager of the Maintenance

epartment must assign the points of contact.

CM!S"#$%&&'$HB$&&' 8olume +& +.,

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1






sta$$ sponsorsip5


"or% "ith A*+ Systems.


this acti#ity. The +IO must assign staff to "or%

"ith A*+ Systems.

T* 7 A small team to document the procedures

must be assigned by MedSite's +IO and6or IT

manager. The team should include representation

from the IT department and the point of contact

for A*+ Systems.


this acti#ity. MedSite's +IO must sponsor this

acti#ity and assign a small team to document the

procedures.

T* 7 A point of contact must be assigned to"or% "ith A*+ Systems.

MedSite's senior management team must sponsorthis acti#ity. The +IO must assign the point of

contact.

CM!S"#$%&&'$HB$&&' 8olume +& +.=

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1






sta$$ sponsorsip5

T* 7 MedSite's +IO and6or IT manager "ill

identify the IT staff "ho "ill implement this

acti#ity. esignated staff "ill ha#e to "or% "ith

staff from A*+ Systems to set automatic

timeouts.


this acti#ity. MedSite's +IO must sponsor this

acti#ity and assign a staff to set automatic

timeouts.

CM!S"#$%&&'$HB$&&' 8olume +& +..

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

0itigation $rea: 9. Security Policies and Regulations

Step 2-





+reate procedures for complying "ith 2IPAA data

security regulations.


MedSite has t"o years in "hich to be in

compliance "ith the 2IPAA data security

re,uirements.

Jote1 This acti#ity is dri#en by the regulations

rather than any specific ris%.

Include information about MedSite's security-related

policies and procedures in the ne" security a"areness

training.


4e" staff members are a"are of or understand

MedSite's security-related policies. This

information must be featured in a"areness

training.

Jote1 This acti#ity is dri#en by general concerns


Procedures for enforcing MedSite's security-related

policies must be created.


People's beha#iors related to security "ill only

change if they understand that management

strictly enforces MedSite's security policies.

Jote1 This acti#ity is dri#en by general concerns


%&& CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1






sta$$ sponsorsip5

T* 7 Responsibility must be assigned by

MedSite's senior management team.


this acti#ity.

MedSite's senior management team and the

Training epartment manager

Kpdating the content of security a"areness

training re,uires commitment and funding from

senior management. It "ill also re,uire a

commitment from MedSite's Training epartment.

MedSite's senior management team MedSite's senior management team must sponsor

this acti#ity.

CM!S"#$%&&'$HB$&&' 8olume +& %&+

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

%&% CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


16 !ext Steps or#s*eet

Step 20

8/10/2019 v10 Example v1


8/10/2019 v10 Example v1


1et Steps ;or4sheet

0onitoring Implementation

%at 0ill te or"ani#ation do to trac& pro"ress and ensure tat te results o$ tis e.aluation areimplemented5

?ach team assigned responsibility for a ris% mitigation plan "ill be

responsible for scheduling and implementing that plan. ?ach team "ill pro#ide

a "ritten status report prior to the monthly management team meeting.

E+panding the #urrent Information Security 6is/ Evaluation

%ill *ou e4pand te current OCTAVE-S e.aluation to include additional critical assets5 %ic ones5

Jo& but "e "ill re#ie" all deferred ris%s "ithin the ne$t /; days to see if

anything else needs to be done for them. !e "ill also do a gap analysis

bet"een the results of O+TAH?-S and current regulations <including 2IPAA=and see if there are any other re,uired practices that "e should consider

during another round of resource allocations in the ne$t ,uarter.

=e+t Information Security 6is/ Evaluation

%en 0ill te or"ani#ation conduct its ne4t OCTAVE-S e.aluation5

The ne$t O+TAH?-S e#aluation "ill be performed ()-( months from no".

CM!S"#$%&&'$HB$&&' 8olume +& %&,

8/10/2019 v10 Example v1


OCT!9E)S 9&.%

%&> CM!S"#$%&&'$HB$&&' 8olume +&

8/10/2019 v10 Example v1


/E'O/T +OC>E!TATIO! 'AGE Form Approved

OMB No. 0704-0188(ubli0 reportin) burden for this 0olle0tion of information is estimated to avera)e + hour per response* in0ludin) the time for revie<in) instru0tions* sear0hin)e6istin) data sour0es* )atherin) and maintainin) the data needed* and 0ompletin) and revie<in) the 0olle0tion of information1 Send 0omments re)ardin)this burden estimate or any other aspe0t of this 0olle0tion of information* in0ludin) su))estions for redu0in) this burden* to Washin)ton HeaduartersServi0es* Dire0torate for information Operations and 9eports* +%+, Jefferson Davis Hi)h<ay* Suite +%&4* Arlin)ton* 8A %%%&%$4'&%* and to the Offi0e ofMana)ement and Bud)et* (aper<or: 9edu0tion (ro/e0t &=&4$&+--* Washin)ton* DC %&,&'1

1. AGENCY USE ONLY

(Leave Blank)

2. REPORT DATE

August 2003

3. REPORT TYPE AND DATES COVERED

Final4. TITLE AND SUBTITLE

OCTAVE-S !"le!entati#n $ui%e& Ve'si#n 1.0& V#lu!e 10

. FUNDING NUMBERS

F1*2+-00-C-0003

*. AUTHOR(S)

C,'ist#",e' Ale'ts& Au%'e /#'#ee& a!es Stevens& Ca'#l ##%

. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)

S#ta'e Enginee'ing nstituteCa'negie 5ell#n 6nive'sit7ittsu'g,& 7A 1213

+. PERFORMING ORGANIZATION REPORT NUMBER

C568SE-2003-9B-003

Date post:	02-Jun-2018
Category:	Documents
Upload:	livia-banica
View:	215 times
Download:	0 times

v10 Example v1

Documents