Page 1
- Summarizes the system architecture and components, and its overall level of security;
- Includes a list of threats and vulnerabilities, the system's current security controls, and its risk levels;
- Recommends safeguards, and describes the expected level of risk that would remain if these safeguards were put in place;
- Shows where an organization needs to concentrate its remedial work;
- Can be used as input to the agency's business continuity plan;
- Presents these findings to management.
Page 2
Team Members
A sample representative risk assessment team may include the functions listed below. Each team member may perform more than one function. HIPAA-affected agencies should secure the involvement of their HIPAA security officer. Some functions overlap where team members review each other's work. See Appendix C for more detail on these roles.
- Risk assessment manager
- System or network administrator
- Technical reviewer
- System business owner
- System technical owner
- Executive sponsor
- Information security officer
- A documented system inventory, listing all system components and establishing the system boundary for the purposes of the Report;
- Documentation of the system's policies and procedures, and details of its operation;
- List of threat / vulnerability pairs, with severity of impact and likelihood of occurrence;
- List of safeguards for controlling these threats and vulnerabilities;
- List of recommended changes, with approximate levels of effort for each;
- For each recommended change, the resulting reduction in risk;
- The level of residual risk that would remain after the recommended changes are implemented.
The Report will reflect the security policies and objectives of the agency's information technology management. It will be presented in a face-to-face meeting with the system business and technical owners, the risk assessment manager, and other project team members. A Risk Assessment Report is not intended to create or include the following, however it should be used as input for:
- A system security plan, new security architecture, audit report, or system accreditation;
- System security policies, or assignment of staff responsibility for system security;
- Detailed dataflows;
- Exact dollar cost estimates or justifications;
- Assignment or acceptance of legal responsibility for the security of the system;
- In-depth analysis or resolution of specific security incidents or violations;
- Contract review.
Appendix D provides a template for the documentation of the Risk Assessment report.
Page
Tasks
This chart shows the sequence of high-level tasks. The complete list of tasks and durations will be created, estimated and scheduled by the team.
Task chart:
- Describe risks
- Identify existing controls
- Determine likelihood of occurrence
- Determine severity of impact
- Determine risk level
The team must decide whether to include only controls that are currently implemented, or to include controls that are budgeted and scheduled for implementation.
Key Team Members: System administrator, Technical reviewer, System technical owner, Risk assessment manager.
Complete the 1.1 System Identification table in Appendix D.
- General description of function and purpose of the system
- General functional requirements
- Business processes supported
- Applications supported, services running
- General information flow
- Network diagram with system boundaries
- Description of physical components
- Physical component asset and tag numbers
- Physical location, environmental controls in place
- Environmental factors that give rise to security concerns
- Technical and business users, list of system user accounts
- System ownership: shared or dedicated
- Connected components
- LAN and WAN connections and topology, firewall configurations
- Software dependencies
- Interfaces
Document the system's business function, components, environment, connections.
Key Team Members: System administrator, Technical reviewer, System technical owner, System business owner, Information security officer.
Complete the 1.2 System Purpose and Description table in Appendix D.
Page 6
1. Identify potential dangers to information and system (threats).
2. Identify the system weakness that could be exploited (vulnerabilities) associated to generate the threat / vulnerability pair.
3. Identify existing controls to reduce the risk of the threat exploiting the vulnerability.
4. Determine the likelihood of occurrence for a threat exploiting a related vulnerability given the existing controls.
5. Determine the severity of impact on the system by an exploited vulnerability.
6. Determine the risk level for a threat / vulnerability pair given the existing controls.
This six-step process for Risk Determination is conducted for each identified threat / vulnerability pair. Use the Risk Determination Table in Appendix D to document the analysis performed in this phase.
Page 7
Descriptions of threat / vulnerability pairs.
Key Team Members: System administrator, Technical reviewer, System technical owner.
Complete the "Item No.", "Threat Name" and "Vulnerability Name" columns in the 2.x Risk Determination table in Appendix D.
Describe risks in relation to threat / vulnerability pairs.
Key Team Members: System administrator, Technical reviewer, System technical owner.
Complete the "Risk Description" column of the 2.x Risk Determination table in Appendix D.
Key Team Members: System technical owner.
Complete the "Existing Controls" column of the 2.x Risk Determination table in Appendix D.
Likelihood of occurrence scale: Negligible, Very Low, Low, Medium, High, Very High, Extreme.
Threat / vulnerability pairs with likelihood of successful exploitation.
Key Team Members: System administrator, Technical reviewer, System technical owner.
Categorize threat / vulnerability pairs by likelihood of occurrence, and complete the "Likelihood of Occurrence" column of the 2.x Risk Determination table in Appendix D.
Impact Severity Levels
Insignificant: Little or no impact
Minor: Minimal effort to repair, restore or reconfigure
Significant: Small but tangible harm, maybe noticeable by a limited audience, some embarrassment, some effort to repair
Damaging: Damage to reputation, loss of confidence, significant effort to repair
Serious: Considerable system outage, loss of connected customers, business confidence, compromise of a large amount of information
Page 8
Critical: Extended outage, permanent loss of resource, triggering business continuity procedures, complete compromise of information
Threat / vulnerability pairs with severity of successful exploitation.
Key Team Members: System administrator, Technical reviewer, System technical owner, System business owner.
Categorize threat / vulnerability pairs by severity or magnitude of impact, and complete the "Impact Severity" column of the 2.x Risk Determination table in Appendix D.
Risk determination
For each threat / vulnerability pair, assess the following:
- Likelihood of the threat attempting to exercise the vulnerability;
- Magnitude of impact if the threat / vulnerability exploit is successful;
- Adequacy of planned or existing security controls for reducing or eliminating risk;
  Note: The project team must decide whether to use only currently implemented controls for this analysis, or to include controls that are budgeted and scheduled for installation, and document that decision in the Report.
- Resulting risk to the information on the system from the threat and vulnerability.
This table shows the resulting risk level, for each degree of likelihood and each level of severity.
Risk Levels
Rows: Likelihood of Occurrence (Negligible, Very Low, Low, Medium, High, Very High, Extreme)
Columns: Impact Severity (Insignificant, Minor, Significant, Damaging, Serious, Critical)
Cells: the risk level for each likelihood / severity combination; only a run of "Low" cells is legible in this copy of the table.
Task 2.6:
Key Team Members: System administrator, Technical reviewer, System technical owner, System business owner.
Combine the likelihood of occurrence with magnitude of impact to derive the risk level for each threat / vulnerability pair. Consider the risks to the information on the system, and complete the "Risk Level" column of the 2.x Risk Determination table in Appendix D.
1. Identify controls and safeguards to reduce the risk level of each risk-threat pair, if the risk level is moderate or high.
2. Determine the residual likelihood of occurrence of the threat if the recommended safeguard is implemented.
3. Determine the residual impact severity of the exploited vulnerability once the recommended safeguard is implemented.
4. Determine the residual risk level for the system.
Consider safeguards related to testing and maintenance, improved audit capability, and restricting physical access.
For each safeguard, consider:
1. Security area where it belongs, such as management, operational, technical.
2. Method it employs to reduce the opportunity for the threat to exploit the vulnerability.
3. Its effectiveness in mitigating the risk to information.
4. Policy and architectural parameters required for its implementation in the environment.
5. Information security category (confidentiality, integrity, availability, access control, audit, etc.) to which the safeguard applies.
6. Whether the cost of the safeguard is commensurate with its reduction in risk.
If more than one safeguard is identified for the same threat / vulnerability pair, list them in this column in separate rows and continue with the analysis steps. The residual risk level must be evaluated during this phase of the assessment and may be further evaluated in risk management activities outside the scope of this project. If the recommended safeguard cannot be completely implemented in the environment due to cost, management, operational or technical constraints, document the circumstances and continue with the analysis.
Page 11
Consider control elements implemented as policies and procedures, training, and improved policy enforcement.
Task 3.1:
Create a list of current, planned or available safeguards and controls suitable for protecting the information.
Key Team Members: System administrator, System technical owner, Technical reviewer.
Output: List of safeguards and controls, with implementation considerations.
Complete the "Recommended Safeguard" column in the 3.x Safeguard Determination table in Appendix D.
Page 12
Depending on the nature and circumstances of threats and vulnerabilities, a recommended safeguard may reduce the risk level to "Low." Make a note of the situation with a description below the table, if needed, if such special conditions exist.
For new systems, the next steps would include creating a sensitivity assessment, system security requirements, risk assessment report, and system security plan in the SDLC.
Task 3.4:
Repeat the derivation of the risk level for each threat / vulnerability pair from task 2.6, this time assuming the selected safeguard has been implemented.
Key Team Members: System administrator, Technical reviewer, System technical owner, System business owner.
Complete the "Residual Risk Level" column of the 3.x Safeguard Determination table in Appendix D.
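The Risk Determination (2.x) and Safeguard Determination (3.x) steps above amount to a small register computation: look up a risk level from likelihood and severity, decide which pairs need a safeguard, and re-derive the level with the residual likelihood and severity once the safeguard is assumed in place. The following Python is an added illustration of that procedure, not code from the methodology document. The likelihood and severity scales are the document's own; the contents of the risk matrix (example_risk_matrix), the "not Low" rule for requiring a safeguard, and the sample threat / vulnerability pairs are assumptions, because the document's Risk Levels table is not legible here.

```python
"""Worked example of the 2.x Risk Determination and 3.x Safeguard Determination
tables. Added illustration, not the methodology's own code. Scales are the
document's; the matrix contents and sample register are ASSUMPTIONS."""
from dataclasses import dataclass

LIKELIHOOD = ["Negligible", "Very Low", "Low", "Medium", "High", "Very High", "Extreme"]
SEVERITY = ["Insignificant", "Minor", "Significant", "Damaging", "Serious", "Critical"]


def example_risk_matrix():
    """ASSUMPTION: placeholder Risk Levels table. Risk rises with both likelihood
    and severity; any Negligible-likelihood or Insignificant-impact cell is Low."""
    matrix = {}
    for i, lk in enumerate(LIKELIHOOD):
        for j, sv in enumerate(SEVERITY):
            score = i + j  # 0 .. 11
            if i == 0 or j == 0 or score <= 4:
                matrix[(lk, sv)] = "Low"
            elif score <= 7:
                matrix[(lk, sv)] = "Moderate"
            elif score <= 9:
                matrix[(lk, sv)] = "High"
            else:
                matrix[(lk, sv)] = "Catastrophic"
    return matrix


@dataclass
class Control:
    name: str
    status: str  # "implemented", or "planned" (budgeted and scheduled)

@dataclass
class ThreatVulnPair:
    item_no: int
    threat: str
    vulnerability: str
    risk_description: str
    controls: list
    likelihood: str  # analyst's judgement given the controls counted as existing
    severity: str

@dataclass
class Safeguard:
    name: str
    residual_likelihood: str  # judged as if the safeguard were implemented
    residual_severity: str
    fully_implementable: bool = True
    constraint_note: str = ""  # recorded when cost/management/operational/technical limits apply


def risk_level(likelihood, severity, matrix):
    """Step 6: look up the pair's risk level; reject values outside the scales."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood {likelihood!r}")
    if severity not in SEVERITY:
        raise ValueError(f"unknown severity {severity!r}")
    return matrix[(likelihood, severity)]


def needs_safeguard(level):
    """ASSUMPTION: a safeguard is sought for every pair not already at Low."""
    return level != "Low"


def controls_in_scope(pair, include_planned):
    """Apply the team's documented decision on whether planned controls count."""
    allowed = {"implemented", "planned"} if include_planned else {"implemented"}
    return [c.name for c in pair.controls if c.status in allowed]


def risk_determination_rows(pairs, matrix, include_planned):
    """One row per threat / vulnerability pair, column names as in the 2.x table."""
    rows = []
    for p in pairs:
        level = risk_level(p.likelihood, p.severity, matrix)
        rows.append({"Item No.": p.item_no, "Threat Name": p.threat,
                     "Vulnerability Name": p.vulnerability,
                     "Risk Description": p.risk_description,
                     "Existing Controls": controls_in_scope(p, include_planned),
                     "Likelihood of Occurrence": p.likelihood, "Impact Severity": p.severity,
                     "Risk Level": level, "Safeguard Required": needs_safeguard(level)})
    return rows


def safeguard_determination_rows(pairs, safeguards, matrix):
    """safeguards maps item_no -> [Safeguard, ...]; each safeguard for a pair gets
    its own row and its own residual risk derivation (the 3.x table)."""
    rows = []
    for p in pairs:
        for s in safeguards.get(p.item_no, []):
            rows.append({"Item No.": p.item_no, "Recommended Safeguard": s.name,
                         "Residual Likelihood": s.residual_likelihood,
                         "Residual Impact Severity": s.residual_severity,
                         "Residual Risk Level": risk_level(s.residual_likelihood,
                                                           s.residual_severity, matrix),
                         "Implementation Note": "" if s.fully_implementable else s.constraint_note})
    return rows


# Constructed sample register (ASSUMPTION: illustrative, not from the document).
SAMPLE_PAIRS = [
    ThreatVulnPair(1, "Unauthorized remote user", "Unpatched network service",
                   "Disclosure of records held on the server",
                   [Control("Perimeter firewall", "implemented"),
                    Control("Patch management", "planned")], "High", "Serious"),
    ThreatVulnPair(2, "Power failure", "No UPS on the file server", "Short outage, no data loss",
                   [Control("Nightly backups", "implemented")], "Low", "Minor"),
]
SAMPLE_SAFEGUARDS = {
    1: [Safeguard("Monthly patch cycle with verification scan", "Low", "Serious"),
        Safeguard("Network segmentation", "Low", "Significant", False, "Budget not yet approved")],
}
```

Running risk_determination_rows(SAMPLE_PAIRS, example_risk_matrix(), include_planned=False) rates item 1 High (safeguard required) with only the firewall counted as an existing control; passing include_planned=True adds the planned patch management to that column, which is exactly the decision the Note above asks the team to record in the Report. safeguard_determination_rows then yields two rows for item 1, one per safeguard, with residual levels Moderate and Low; the second carries the constraint note because it cannot be fully implemented.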
Page 1
Moderate / High / Catastrophic
Information Category: Law enforcement and state security information
Description: Information related to investigations for law enforcement purposes; security plans, contingency plans, emergency operations plans, incident reports, reports of investigations, risk or vulnerability assessments, certification reports; does not include general plans, policies, or requirements.
Information Security Level: High
Information Category: Life-critical information
Description: Information critical to life-support systems (i.e., information where inaccuracy, loss, or alteration could result in loss of life).
Information Security Level: High
Information Category: Information about persons
Description: Information related to personnel, medical, and similar data (e.g., salary data, social security information, passwords, user identifiers (IDs), EEO, personnel profile (including home address and phone number), medical history, employment history (general and security clearance information), and arrest/criminal investigation history).
Information Security Level: Moderate
Information Category: Financial, budgetary, commercial, proprietary and trade secret information
Description: Information related to financial information and applications, commercial information received in confidence, or trade secrets (i.e., proprietary, contract bidding information, sensitive information about employees or citizens). Also included is information about payroll, automated decision making, procurement, inventory, other financially related systems, and site operating and security expenditures.
Information Security Level: Moderate
Information Category: Public information
Description: Any information that is declared for public consumption by official authorities. This includes information contained in press releases. It also includes information placed on public access world-wide-web servers.
Information Security Level: Low
Page 15
Step 4 - System Security Plan
The System Security Plan incorporates all of the elements required for the system owner to determine if the system should be certified as meeting both CMS policy and business requirements. Information from the RA Report is incorporated into the System Security Plan in Section 2 - Management Controls. Security steps also correspond to phases in the Integrated IT Investment Management Road Map (ROADMAP) for system development. The ROADMAP is CMS's implementation standard for SDLC and Investment Management and can be found at cms.hhs.gov/it/roadmap. In Figure B-1, the system development life cycle and ROADMAP are shown on the right and left sides with the information security deliverables and tools entered in the center section between them. This format illustrates the relationship of the information security tasks to both processes.
Page 16
Figure B-1. Security in the System Development Life Cycle and CMS's Roadmap
IT Investment Management Road Map
Pre-Development
1. Express need for system
2. Assess/determine data sensitivity
3. Define initial security requirements
Acquisitions
- BCA 10.5 - Information Sensitivity Assessment
Development
1. Identify detailed system security requirements during system design.
2. Develop appropriate security controls with evaluation & test procedures prior to procurement actions
3. Develop solicitation documents to include security requirements & evaluation/test procedures
4. Update security requirements as technologies are implemented
5. Identify security requirements for procurement of COTS application components
6. Perform design review to ensure security controls are considered prior to production
7. Ensure security features are configured, enabled, tested, and documented during development
8. Update, design, perform and document newly developed security controls
9. Document system security tests and risk assessment
10. Ensure compliance with Federal laws, regulations, policies and standards
11. Certify system and obtain system accreditation
12. Provide security training
Requirements Definition
- Define System Requirements
- Information Security Risk Assessment
Page 17
Development
- Software Test Plan
- Program Software Unit and Integration
- Test Case Scenarios
- Test Data
Post-Development
1. Document all security activities
2. Perform security operations and administration
   a. Perform backups
   b. Provide security training
   c. Maintain & review user admin & access privileges
   d. Update security software as required
   e. Update security procedures as required
3. Perform operational assurance
   a. Perform & document periodic security audits
   b. Perform & document monitoring of system security
   c. Evaluate & document results of security monitoring
   d. Perform & document corrective actions
   e. Test contingency plans on a regular basis
   f. Perform Risk Assessment and update Security Plan, as needed, with each configuration change or every year
4. Document disposal of information
5. Use controls to ensure confidentiality of information
Identify Vulnerabilities
Page 18
Operations & Maintenance
- Updated Risk Assessment
- Updated System Security Plan
Page 19
Technical Reviewer
Page 20
System Location: Full Address
Contract Number, Contractor names, phone numbers and emails, if applicable
System type(s) (mainframe, application / database / network / file server, workstation)
Primary System Contact(s), Name and Title (usually the system administrator)
Organization Name
Full Address
Email Address
Phone and pager numbers
1.2 System Purpose and Description
Function and purpose of the system
Business processes, applications and services supported
System components
Environmental factors
Network diagram with system boundaries (attach)
General information flow
Page 21
Technical and business users (list)
System ownership (shared or dedicated)
1.3 Information Security Levels and Overall System Security Level
Information Category / Information Security Level
Information Category / Information Security Level
Information Category / Information Security Level
Overall System Security Level
Page 22
Signatures
Submitted by: _______________________ Date: _________
Risk Assessment Manager
Page 2