Information Assurance 101

Similar documents
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

SAC PA Security Frameworks - FISMA and NIST

The NIST Cybersecurity Framework

Executive Order 13556

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Cybersecurity for the Electric Grid

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

_isms_27001_fnd_en_sample_set01_v2, Group A

Cybersecurity: Incident Response Short

Introduction to ISO/IEC 27001:2005

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CCISO Blueprint v1. EC-Council

SECURITY & PRIVACY DOCUMENTATION

Why you should adopt the NIST Cybersecurity Framework

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Security Policies and Procedures Principles and Practices

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Critical Cyber Asset Identification Security Management Controls

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

TAN Jenny Partner PwC Singapore

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

Cyber Threats? How to Stop?

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

THE TRIPWIRE NERC SOLUTION SUITE

NIST Security Certification and Accreditation Project

ADIENT VENDOR SECURITY STANDARD

Compliance with NIST

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

Cyber security for digital substations. IEC Europe Conference 2017

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

NIST Special Publication

Monthly Cyber Threat Briefing

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Information Security Management System

What is ISO ISMS? Business Beam

Standard Development Timeline

Summary of FERC Order No. 791

Checklist: Credit Union Information Security and Privacy Policies

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version

Altius IT Policy Collection Compliance and Standards Matrix

NCSF Foundation Certification

Critical Information Infrastructure Protection Law

Business continuity management and cyber resiliency

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Altius IT Policy Collection Compliance and Standards Matrix

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

New Guidance on Privacy Controls for the Federal Government

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

Standard CIP Cyber Security Systems Security Management

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

ISO/IEC Information technology Security techniques Code of practice for information security controls

The Impact of Cybersecurity, Data Privacy and Social Media

Internet of Things Toolkit for Small and Medium Businesses

TEL2813/IS2820 Security Management

Standard CIP Cyber Security Critical Cyber Asset Identification

Cybersecurity, safety and resilience - Airline perspective

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Cyber Risks in the Boardroom Conference

Standard CIP Cyber Security Critical Cyber Asset Identification

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

The Common Controls Framework BY ADOBE

Security Management Models And Practices Feb 5, 2008

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Verizon Software Defined Perimeter (SDP).

Department of Management Services REQUEST FOR INFORMATION

NCSF Foundation Certification

The Honest Advantage

Standard CIP 007 4a Cyber Security Systems Security Management

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

CIP Cyber Security Security Management Controls. A. Introduction

Securing Industrial Control Systems

Applying ISO and NIST to Address Compliance Mandates The Four Laws of Information Security

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

ISO/IEC Information technology Security techniques Code of practice for information security management

CYBER SECURITY AND MITIGATING RISKS

Security and Architecture SUZANNE GRAHAM

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Cybersecurity and Hospitals: A Board Perspective

Apex Information Security Policy

Transcription:

BUILT FOR SECURITY Information Assurance 101 Barbara Wert, Regulatory Compliance Specialist FoxGuard Solutions, Inc. The value of an organization lies within its information its security is critical for business operations, as well as retaining credibility and earning the trust of clients. Margaret Rouse, TechTarget Barbara Wert Regulatory Compliance Specialist FoxGuard Solutions, Inc. September 2017

Executive Summary What is Information Assurance, and why should we care? Headlines over the past 24 months have cited security breaches in Anthem, the Philippines Commission on Elections (COMELEC), Wendy s, LinkedIn, the Red Cross, Cisco, Yahoo, financial institutions around the world, and even the U.S. Department of Justice. As well, statistics show that 43% of cyberattacks target small businesses. Earlier this year, a high school server system in Illinois was infiltrated and the perpetrator attempted to extort the district for $37,000 in order to restore their access to the information on the servers. (1) Information Assurance programs provide a comprehensive approach to addressing the urgent need to protect sensitive data and the systems that house the information for organizations of any size and industry. This white paper will: Look at some key definitions in the scope of information assurance Discuss the basic factors of information assurance found in the CIA Triad Consider the role of risk management in an information assurance program Explore framework options

Contents Executive Summary... 2 Introduction... 4 Basic Definitions... 4 Information Assurance (IA)... 4 Information Assets... 5 Information Security Management System (ISMS)... 5 Cyber Security... 5 Security Controls... 6 The CIA Triad... 6 Confidentiality... 6 Integrity... 6 Availability... 7 Risk Management in an IA Program... 7 Programs / Frameworks... 8 ISO/IEC 27001:2013... 8 NIST s Risk Management Framework (RMF)... 8 The Cyber Security Framework... 9 NERC CIP... 9 Conclusion... 10 FoxGuard Solutions, Inc.... 10 References... 11

Introduction The purpose of information security is to build a system that takes into account all possible risks to the security of information (IT or non-it related), and implements comprehensive controls that reduce all kinds of unacceptable risks. Secure and Simple, A Small-Business Guide to Implementing ISO27001 on Your Own, by Dejan Kosutic Welcome to the first of a series of white papers dealing with the ever-growing concern of Information Assurance. As a manufacturer and integrator of IT/OT systems for diverse industries and end destinations, we at FoxGuard Solutions have found that one-size does not fit all when it comes to information assurance programs. When considering program options, two questions come to mind: What company needs and legislative requirements should be considered for your industry? What needs and legislative requirements of customers, and others further downstream on the supply chain, including end users, should be considered? Basic Definitions Information Assurance (IA) Simply put, Information Assurance (IA) is the practice of managing information-related risks. IA protects information and information assets by addressing various areas of impact to the organization in the event information security is breached or becomes inaccessible when needed. The three main areas of impact considered are: Confidentiality Integrity Availability We will look into these areas of impact (known as the CIA Triad ) a bit further into the paper; but in short, ensuring security in these areas results in information being available (1) to those, and only those, who should have access to it, (2) in its authentic form, and (3) at the time it s needed. Some mistakenly think that IA is all about information technology equipment (ITE). ITE security is only one aspect of IA. Comprehensive information assurance considers multiple facets of an information asset, including:

The physical environment surrounding the information asset Organizational policies and operational processes Employee awareness and training, and other applicable Human Resources programs Development and support processes Information transfer Supplier relationships Incident management Change management Monitoring and reviews of information assets and security controls Information Assurance addresses both intentional and nonintentional dangers. Information Assets An information asset is an entity that can gather, store, transfer, or report information. Information assets range from automated processing machines to file cabinets, to online storage tools, and even to an organization s employees and contractors. Buildings, hard copy documents, electronic databases, DVDs and other media, reporting tools, and information technology infrastructure are among the long list of information assets within an organization. Not all information assets are or remain on site. For example, a company or employee-owned vehicle is an information asset when used to carry laptops, files, reports, etc. from one location to another. Mobile phones provide access to all types of information, some of which can be confidential. Mail carriers and courier services, consultants, and service providers must also be considered in a comprehensive IA program. Information Security Management System (ISMS) The purpose of an ISMS (also referred to as a framework ) is to minimize risk and ensure business continuity by implementing controls to limit the impact of a security breach. An ISMS is the compilation of policies and procedures, controls, and other guidance designed to address the elements encompassing the security of information and information assets within an organization. An ISMS will address the facets of information assurance as outlined above, including organizational policies and procedures pertaining to information security. Cyber Security Cyber Security is the set of standards and processes implemented to safeguard computers, computer networks, programs and information from attack, damage and unauthorized access. Cyber Security is an integral part of a modern IA program. Cyberattacks can result in a loss of assets and credibility, crippled operations, legal retribution, and even loss of life. (2) Keeping up with ever-increasing technology and networking has become a major challenge for organizations worldwide. Tactics such as spear phishing, skimming, and malware were the cause of several hundred cyber security breaches reported in 2016. (3)

Security Controls Security controls are measures to detect, avoid and/or mitigate the effects of security breaches. Types of controls vary according to the needs associated with an information asset, and include areas such as: Alarm systems and access control for physical locations Technical controls for computers, programs and networks Policies and procedures to deter harmful actions and behaviors The CIA Triad The CIA Triad is a model depicting the three chief goals of an IA program: Confidentiality Information that s intended only for a restricted audience is called confidential. Often this information has the potential of compromising organizational operations, organizational assets, or individuals, should it be accessible to unauthorized parties. An unhappy employee sharing information with a competitor, inappropriate disposal of an information asset containing sensitive data, unprotected storage of information, and unauthorized access to an information asset are just a few of the many ways that confidentiality can be breached. Control measures such as non-disclosure agreements, disposal procedures, and access restrictions can be considered in response to confidentiality risks. Integrity Information integrity is the assurance that the data being accessed has neither been tampered with, nor been altered or damaged through a system error, since the time of the last authorized access. (4) In other words, information integrity is the ability to ensure that accessed data is authentic to its original content. Information can be altered maliciously or unintentionally, with threats ranging from user or application error, to malicious code, theft or sabotage. Information backup, antivirus protection, information transfer procedures, and equipment maintenance are measures that can be implemented to minimize integrity issues.

Availability In the context of an information asset, information availability refers to the ability of an authorized party or system to access data at the appropriate time and in the appropriate format. Information and information assets can be rendered unavailable through data interception, equipment failure, misappropriation of resources, and adverse environmental conditions. Controls in the areas of asset handling, information transfer, and capacity management are ways to mitigate availability risks. Risk Management in an IA Program Risk Management, an integral part of a comprehensive information assurance program, is a systematic overview of the threats and vulnerabilities associated with an information asset, and a subsequent decision of which controls to put into place to reduce or eliminate the risk. The risk management process involves four basic steps: 1. Identify the risk o In what ways could this system, or the information in it, be exposed (Confidentiality), altered (Integrity), or made unavailable (Availability)? 2. Analyze the risk o What would the impact be (low, medium, high) to organizational operations and assets, individuals, and/or the environment if this system, or the information in it, is compromised? o To what degree (if any) is the risk acceptable? o What controls are in place to protect this system and the information in it? o How likely is it that this system, or the information on it, will be compromised, given the existing controls? 3. Treat the risk o What [further] controls will help mitigate the risk? What policies and/or processes need to be put into place? o What priority should be assigned to each of the control measures that need to be put into place? 4. Monitor the system and the controls put into place to mitigate the risk - o Are the controls effective o Have any new risks to this system, or the information in it, been identified? Most information assets will have more than one identified risk; in fact, one system could easily have a whole list of threats and vulnerabilities associated with it! A Risk Assessment Table is a compilation of an organization s information assets, the threats and vulnerabilities associated with each information asset, the impact and likelihood associated with each threat and vulnerability, controls already in place to avoid or mitigate risks, and controls that need to be

put into place to further ensure the confidentiality, integrity, and availability of the information and the information asset. From this table, a Risk Response can be formulated, giving a prioritized plan for mitigating or accepting the identified risks. A risk management program is a living program. Updates should be made when: A new information asset is introduced to the organization Technology changes impact existing information assets An information asset is retired Existing threats and vulnerabilities have been resolved New threats and/or vulnerabilities have been identified In addition, periodic reviews afford the ability to assess the ongoing security of an organization s information assets and the effectiveness of controls put into place to avoid or mitigate risk to those assets. Programs / Frameworks The type of ISMS, or framework, an organization adopts can depend on factors such as industry type and the size of the organization. Compliance requirements specific to the industry (such as HIPAA for the healthcare industry) and the region (such as NERC for the North American power systems) must be considered to ensure the framework chosen meets applicable government and industry regulations. Most programs can be tailored to fit an organization s specific needs. Below is an overview of several framework options. ISO/IEC 27001:2013 ISO/IEC 27001:2013 (Information technology Security techniques Information security management systems Requirements) is part of the ISO/IEC 27000 family, which pertains to ISMS. ISO/IEC 27001:2013 provides the requirements for an ISMS, while other standards in the series provide security controls, implementation guidance, risk management guidelines, ISMS auditing, and more. Advantages of ISO 27001:2013 include certification and international recognition. ISO 27001 uses the Plan-Do- Check-Act (PDCA) cycle, which provides not only for initial implementation of policies and controls, but regular assessment and continuous improvement of the system as a whole. More information on ISO 27001: 2013 can be found at https://www.iso.org/standard/54534.html. NIST s Risk Management Framework (RMF) The Computer Security Division of NIST (National Institute of Standards and Technology) developed numerous standards dealing with information security as part of the FISMA Implementation Project. FISMA (the Federal Information Security Management Act) is Title III of the E-Government Act (Public Law 107-347). In 2014 FISMA was amended by the Federal Information Security Modernization Act of

2014. NIST also developed a comprehensive Risk Management Framework (RMF) based on a set of NIST standards, Federal Information Publications (FIPS), and other federal documents. The RMF process includes six steps that cover the life cycle of an information asset: 1. Categorize the information asset 2. Select an initial set of baseline security controls for the information asset 3. Implement the security controls 4. Assess the security controls 5. Authorize system operation 6. Monitor and assess on an ongoing basis Guidance for these steps is a work-in-process for NIST; currently FAQs, roles and responsibilities, and quick start guides are available for steps 1, 2, and 6. Although RMF was established as a mandatory program for federal agencies, it is also available for use by nonfederal agencies and other organizations. More information on RMF can be found at http://csrc.nist.gov/groups/sma/fisma/framework.html. The Cyber Security Framework Also a NIST program, the Cyber Security Framework was developed pursuant to the 2013 Executive Order 13636, Improving Critical Infrastructure Cyber Security, and includes a set of industry standards and best practices to help organizations manage cybersecurity risks. (3) The program consists of three parts: 1. The Framework Core o A set of common cyber security activities and references 2. The Framework Profile o Guidance for tailoring the program to an individual organization 3. The Framework Implementation Tiers o Portrayal of an organization s approach to managing cyber security risk As with RMF, the Cyber Security Framework, although intended for use by organizations connected with U.S. critical infrastructure, is also available for use by other organizations. More information on the Cyber Security Framework can be found at https://www.nist.gov/cyberframework. NERC CIP The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) plan was developed to address the cyber security needs of the North American bulk electric system (BES). Current standards subject to enforcement include: CIP-002-5.1a: Cyber Security BES Cyber System Categorization CIP-003-6: Cyber Security - Security Management Controls

CIP-004-6: Cyber Security - Personnel and Training CIP-005-5: Cyber Security - Electronic Security Perimeters CIP-006-06: Cyber Security - Physical Security of BES Cyber Assets CIP-007-06: Cyber Security - Systems Security Management CIP-008-05: Cyber Security - Incident Reporting and Response Planning CIP-009-06: Cyber Security - Recovery Plans for BES Cyber Systems CIP-010-2: Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-011-2: Cyber Security Information Protection CIP-014-2: Cyber Security Physical Security Further information on NERC CIP standards can be found at: http://www.nerc.com/pa/stand/pages/cipstandards.aspx. Conclusion In this age of online communication and storage, cyber security breaches, and mobile resources, the protection of an organization s information and information assets is critical. As technology becomes more sophisticated, so do tactics for unauthorized access and compromise to information assets. To this end, much effort has been put into designing and developing programs to help defend the confidentiality, integrity, and availability of organizational information assets. While the focus of different frameworks may vary, many of the program fundamentals are the same. Key components include: implementation of policies and procedures designed to protect an organization s information and information assets; preparing a list of all information assets and assessing the risks associated with each asset; assigning and implementing controls to mitigate the risks identified; continuous monitoring and assessment of the controls and the program to ensure its ongoing effectiveness. When considering the options for an organization s information assurance, regional and industryspecific regulations should be considered. Also consider that many programs can be tailored to meet an organization s specific needs, and components from multiple frameworks can be combined to create the best program for your organization. FoxGuard Solutions, Inc. FoxGuard Solutions, Inc. is committed to providing secure computing solutions for our customers, as well as protecting all customer data. As our Director of IT & Security Operations recently stated, FoxGuard Solutions is committed to protecting our customers data from the prying eyes of would-be bad actors. When proprietary data must be exchanged between parties, we can provide secure transport via industry-standard SSL/TLS protocols, with no less than AES 128-bit encryption.

FoxGuard has been BUILT FOR SECURITY for well over a decade, long before we began preparing for ISO 27001:2013 registration and assessing our policies and processes for compliance to NIST SP 800-53 controls and the Risk Management Framework (RMF). Our highly-skilled engineers can design systems to meet industry and project-specific standards, including those associated with the North American Electric Reliability Corporation s Critical Infrastructure Protection (NERC CIP) Standards, Nuclear Energy Institute s Cyber Security Plan for Nuclear Power Reactors (NEI 08-09), Security Technical Implementation Guides (STIGs) and Security Readiness Guides (SRGs), NIST SP 800-53 controls for Federal information and information systems, and NIST controls for protecting controlled unclassified information (CUI) in nonfederal information systems and organizations (NIST SP 800-171). Next in our Series: NIST s Risk Management Framework (RMF) References (1) http://www.pekintimes.com/news/20170426/pchs-subject-of-cyberattack (2) http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/ http://threatbrief.com/cyber-attack-may-cause-loss-life/ (3) https://www.bloomberg.com/news/articles/2017-01-19/data-breaches-hit-record-in-2016-as-dnc-wendy-s-co-hacked (4) http://www.businessdictionary.com/definition/information-integrity.html (5) https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback