Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.

Similar presentations

Presentation on theme: "1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002."— Presentation transcript:

1 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002

2 2 Faculty u List instructors contact information

3 3 u Describes steps to produce IS RA Report u The Information Security Risk Assessment process is presented as the following three phases: u System Documentation Phase u Risk Determination Phase u Safeguard Determination Phase Risk Assessment (RA) Methodology

4 4 System Documentation Phase 1.1 System Identification

5 5 System Documentation Phase 1.1 System Identification (cont)

6 6

7 7 1.2 Asset Identification 1.2.1 System Environment and Special Considerations 1.2.2 System Interconnection/Information Sharing 1.3 System Security Level System Documentation Phase 1.1 System Identification (cont)

8 8 1) Identify potential dangers to information and systems (threats). 2) Identify the system weakness that could be exploited (vulnerabilities) associated to generate the threat/vulnerability pair. 3) Identify existing controls to reduce the risk of the threat to exploit the vulnerability. 4) Determine the likelihood of occurrence for a threat exploiting a related vulnerability given the existing controls. 5) Determine the severity of impact on the system by an exploited vulnerability. 6) Determine the risk level for a threat/vulnerability pair given the existing controls. This six step process for Risk Determination is conducted for each identified threat/vulnerability pair. Risk Determination Phase

9 9 Risk Determination Phase (cont) Risk Determination Table

10 10 Risk Determination Phase (cont) Likelihood of Occurrence Levels

11 11 Risk Determination Phase (cont) Impact Severity Levels

12 12 Risk Determination Phase (cont) Risk Levels Table

13 13 1) Identify the controls/safeguards to reduce the risk level of an identified threat/vulnerability pair, if the risk level is moderate or high. 2) Determine the residual likelihood of occurrence of the threat if the recommended safeguard is implemented. 3) Determine the residual impact severity of the exploited vulnerability once the recommended safeguard is implemented. 4) Determine the residual risk level for the system. Safeguard Determination Phase (4-steps)

14 14 u Use Table 5 to summarize the analysis performed during the Safeguard Determination Phase. u Use the item numbers created for Table 1 as reference in Table 5 to correlate the analysis summarized in both tables to the same threat/vulnerability pair and associated risk level. Safeguard Determination Phase Safeguard Determination Phase Table

15 Risk Assessment Process Flow

16 16 RA Methodology Questions ?

17 17 Course Objectives u Understand u SSP methodology Version 3.0 (DRAFT) u Certification & Documentation Requirements for SSPs u SSPs within the Information Systems Security Program

18 18 Legal Requirements u Computer Security Act of 1987 u OMB A-130, Appendix III u Government Information Systems Reform Act (GISRA) of 2000 u Contractual

19 19 CMS Requirements u CMS SSP Methodology Version 3.0 (DRAFT) u CMS Risk Assessment (RA) Methodology Version 1.1

20 20 CMS SSP Architecture u 3-Tier Architecture CMS Systems u Master u General Support System (GSS) u Major Application (MA) SSP Methodology Section 1.2

21 21 General Support Systems u Defined elements of the infrastructure that provide support for a variety of users and/or applications under the same direct management control u Normally includes hardware, software, information, data, applications, communication, facilities, and people u Users may be from the same or different organizations u Physical platform and infrastructure with environmental software SSP Methodology Section 1.4.1

22 22 Major Applications u Systems, usually software applications, that support clearly defined business function for which there are readily identifiable security considerations and needs u Application code u Examples include: MCS, FISS, CWF SSP Methodology Section 1.4.2

23 23 BP SSP Documentation u Tab A: Certification Form u Tab B: Accreditation Form u Tab C: System Security Plan with Appendices & Attachments u Tab D: Summaries and References SSP Methodology Section 4.3

24 24 BP SSP Formal Submission u Original Certification Form with all signatures must be forwarded to: [address] u SSP with a copy of the Certification Form must be filed in your Security Profile. SSP Methodology Section 4.3

25 25 Reviewing and Updating an SSP u Security may degrade over time as technology changes u Changes occur to authorizing legislation or requirements u People and procedures change SSP Methodology Section 4.5

26 26 Certification Acceptance of the security risk by the system owner u Requirement for all CMS systems u Based on technical evaluation of a system to see how well it meets security requirements u System Owners/Manager, ISSO/SSO, and System Maintainer/Manager must sign the certification form SSP Methodology Section 4.6

27 27 Re-Certification u Major system modification u Change in security profile u Serious security violation occurs u Changes to threat environment u Every year u Expiration of Certification SSP Methodology Section 4.6

28 28 Accepts the risk of the system as it impacts the rest of the agency as certified by the system owner u CMS Internal Systems - formal accreditation by CIO or Sr. Systems Security Advisor (SSA) u Must authorize in writing the use of each system based on the SSP documentation, certification and the level of risk SSP Methodology Section 4.7 Accreditation Accreditation

29 29 BP SSP Development Hints u The SSP is not: u a future planning document u an opportunity to educate the reader on security terminology, controls, best practices, etc. u a document to restate the CMS views on SSP methodology u The SSP is: u a document that describes the current operation u states what is and what is not in place, with any rational or compensating measures for what is not in place u Does not need to be developed from scratch

30 30 SSP Development Hints u Refer to/use existing system documentation u Must contain high-level summary of technical information about the system, its security requirements, and the controls implemented to provide protection against its vulnerabilities u Where possible provide references to policy/procedures, responsible component, and how it can be reviewed u Must be dated to allow ease of tracking modifications and approvals u Use a 3-ring binder for certified SSP u Maintain a history of all documentation and sign-offs

31 31 Questions ?

32 32 System Security Plan Sections An Executive Summary is OPTIONAL. If included provide a summary of each of the first four sections of the SSP Section 1: System Identification Section 2: Management Controls Section 3: Operational Controls Section 4: Technical Controls

33 33 Section 1: System Identification 1.1System Name/Title 1.2 Responsible Organization 1.3 Information Contact(s) 1.4Assignment of Security Responsibility 1.5System Operational Status 1.6General Description / Purpose

34 34 1.1System Name/Title u Official name and title of the system, including acronym u (example:) Fiscal Intermediary Standard System (FISS) u SOR # u Financial Management Investment Board(FMIB) N/A u Web Support Team (WST) # N/A

35 35 1.2 Responsible Organization u Name of Organization, address, city, state, zip, contract number, contractor name (if applicable) u

36 36 1.3Information Contact(s) u Title, organization, address, city, state, zip, e-mail address, and phone number for: u SSP Author u System Owner/Manager u System Maintainer/Manager u Business Owner/Manager

37 37 1.4Assignment of Security Responsibility u Title, organization, address, city, state, zip, email address, and phone number for: u Individual(s) responsible for security from BP u Component Information System Security Officer/System Security Officer (ISSO/SSO) u Emergency contact information (name and phone number of different person for backup) u NOTE - This section must contain 4 different individuals

38 38 1.5System Operational Status u New u Operational u Undergoing a major modification

39 39 1.6General Description / Purpose u New check one only block for CMS On-site systems, CMS off-site system or External Business Partners (Medicare Contractors) u Brief description (1-3 paragraphs) on the purpose of the system and the organizational processes supported (include major inputs/outputs, users and major business functions performed) u If GSS, include all applications supported, including functions and information processed

40 40 1.6.1 System Environment and Special Considerations u Brief (1-3 paragraphs) general description of the technical system describing the flow of data and processes through the infrastructure covered by the SSP. u Describe environmental factors that raise special security concerns u Document the physical location of the system u Provide a network diagram or schematic to help identify, define, and clarify the system boundaries

41 41 1.6.2 System Interconnection / Information Sharing u Describe any system interconnections and/or information sharing(inputs and outputs) outside the scope of this plan u Include information on the authorization for connection to other systems or the sharing of information u Written management authorization must be obtained prior to connection u Document any written management authorizations (MOA/MOU or Data Exchange Agreement)

42 42 1.6.2 System Interconnection / Information Sharing (contd) u For GSSs describe various components and sub- networks connections and /or interconnections to LAN or WAN u For MAs provide description of the major application and sub-applications along with other software interdependencies

43 43 1.6.3 Applicable Laws or Regulations u List the laws and regulations not already listed in the CMS Master Plan u Any laws or regulations that establish system specific requirements for confidentiality, integrity, availability, audit ability, and accountability of information in the system

44 44 1.6.4 General Description of Information Security Level u Appendix B, SSP Methodology u Information Security Levels Table u Information Security Levels by Information Categories u Information Owner (CMS) must define the Information Security Level u Claims processing systems have a Information Security Level of …

45 45 Section 1 Questions ?

46 46 2.0Management Controls Management controls focus on the management of the computer security system and the management of risk for a system 2.1Risk Assessment and Risk Management 2.2Review of Security Controls 2.3Rules of Behavior 2.4Planning for Security in the Life Cycle

47 47 u Attach the risk assessment to the SSP and provide a summary in this section including: u Value of the system or application (ie. assets) ?? u Threats u Vulnerabilities u Effectiveness of current or proposed safeguards u Describe the methods used to assess the nature and level of risk to the GSS or MA u Identify the risk assessment methodology used u Complete chart in Section 2.1 of SSP 2.1Risk Assessment and Risk Management

48 Sample RA Charts for 2.1

49 49 2.2 Review of Security Controls u Summarize any/all security evaluation conducted within the last 12 months on the system (e.g.SAS- 70, GAO, IG, Internal Revenue Service, Self Assessments, CAST,audits) for each review u Who performed the review u When the review was performed u The findings and actions taken as a result of the review u Where the final report is located and who to contact for review of the final report

50 50 2.3Rules of Behavior u Provide summary of ROB, reference policy and how it can be reviewed u Describe and document the system specific rules of behavior or code of conduct of users of the GSS or MA u Must include the consequences of non-compliance u Must clearly state the exact behavior expected of each person u Include appropriate limits on interconnections to other systems u Cover such matters as work at home, dial-in access, connection to the Internet, the assignment and limitation of system privileges

51 51 2.4Planning for Security in the Life Cycle u Summarize how security is handled by your corporation/business entity for each phase of the life cycle, reference policy and where it can be found u Phase 1: Pre-Development u Phase 2: Development u Phase 3: Post-Development

52 52 Section 2 Questions ?

53 53 3.0Operational Controls Operational controls are the day-to-day procedures and mechanisms 3.1Personnel Security 3.2Physical and Environmental Protection 3.3Production, I/O Controls 3.4Incident Response Capability 3.5Contingency Planning 3.6Hardware, Operating Systems and System Software Maintenance Controls

54 54 3.0Operational Controls - cont 3.7Data Integrity/Validation Controls 3.8Documentation 3.9Security Awareness and Training

55 55 3.1Personnel Security u Provide a detailed summary of personnel security requirements of your corporation/business entity, reference policy/procedures, the responsible component, and how it can be reviewed u IT related positions require evaluation and sensitivity level designations and screening u Mechanisms in place for holding users accountable for their actions (individual accountability) u User access restrictions (least privilege) u Are critical functions divided among different individuals (separation of duties)

56 56 3.2Physical & Environmental Protection u Provide a detailed summary of physical and environmental protections, reference policy/procedures, the responsible component, and how it can be reviewed u Describe and document the physical security and environmental controls u List attributes of the physical protection afforded the area where processing of the MA system takes place u u Access Controls u u Fire Safety Factors u u Water sensors u u Plumbing u u Raised floor access u u Emergency exits

57 57 3.3Production, I/O Controls u Summarize hardcopy and media controls in place, reference policy/procedures, the responsible component, and how it can be reviewed u Handling, processing, storage, and disposal of media u System unique production rules, if any u Describe Help-Desk support, if any is provided

58 58 3.4 Incident Response u Summarize the following information, reference policy and how it can be reviewed u Detail the preventative measures in place (automated intrusion detection tools, automated audit logs, penetration testing) u Describe the procedures for recognizing, handling, and reporting incidents u Document who responds to alerts/advisories u Describe and document the formal incident response capability and the capability to provide users with help when an incident occurs Applies to GSS system security plans only, for MAs refer to the GSS

59 59 u Provide a detailed summary of the contingency plan, reference policy and how it can be reviewed u Discuss the arrangement and planned safeguards to ensure the alternate processing site will provide an adequate level of security u Describe any documented backup procedures u Describe coverage of backup procedures and physical location of stored backups u Describe the generations of backups kept 3.5 Contingency Planning

60 60 3.6 Hardware, Operating System, and System Software Maintenance Controls u Summarize security controls used to monitor the installation and updates to hardware, operating system software, and other system software to ensure that the hardware and software functions as expected and that a historical record is maintained of system changes u 3.6.1Configuration Management (GSS) u 3.6.2Software Management (GSS) u 3.6.3Application Software Management Controls (MA)

61 61 u Summarize Configuration Management Procedures, reference policy and how it can be reviewed u Testing and/or approving system components prior to production u Impact analyses to determine the effect of proposed changes u Change identification, approval, and documentation procedures Applies to GSS system security plans only, for MAs refer to the GSS 3.6.1 Configuration Management

62 62 3.6.2 Software Management (Environmental Software) u Summarize software management, reference policy and how it can be reviwed u Coordinate and control updates to environment software u Monitor installation and updates u Version Control u Describe and document the policies for handling copyrighted software or shareware Applies to GSS system security plans only, for MAs refer to the GSS

63 63 3.6.3 Application Software Management Controls u Summarize Application Software Management Controls, reference policy and how it can be reviewed u Describe the application software controls Version control u Describe the security controls used to monitor the installation and updates of the application software u Describe: (or summarize and reference procedures) u If the application software is developed in-house or under contract u Who owns the software u How emergency fixes are handled u If test data is live data or made-up Applies to MA security plans only

64 64 u Summarize controls in place to prevent/detect destruction or unauthorized data modification, reference policy and how it can be reviewed u Virus detection and elimination software procedures u Reconciliation routines used by the system u Integrity verification programs used by the application to look for evidence of data tampering, errors, and omissions u System performance monitoring u Message authentication 3.7Data Integrity/Validation Controls

65 65 3.8Documentation u Describe the set of formal materials which support the operation of the GSS or MA, its components, operations, and use u List the existing documentation maintained, including the title, date, and office responsible for maintaining the documentation

66 66 u Hardware and software descriptions u Standard operating procedures u Application requirements u Application program documentation and specs u Security policies, standards, procedures, and approvals u Emergency procedures u MOU/MOAs u User manuals u Backup procedures 3.8Documentation (cont)

67 67 3.9Security Awareness and Training u List the types and frequency of system-specific security training established, how the training is conducted, attendance is documented and how the system owner ensures that it is conducted prior to allowing access

68 68 Section 3 Questions ?

69 69 4.0Technical Controls Technical and logical in place controls to authorize or restrict users and information. For MAs, describe additional enhancements or modifications of the controls beyond the GSS 4.1Identification and Authentication 4.2Authorization & Access Controls 4.3Remote Users & Dial Up Controls 4.4 Wide Area Network (WAN) Controls 4.5Public Access Controls 4.6Test Scripts/Results 4.7Audit Trails

70 70 4.1 Identification & Authentication Controls u Provide a detailed summary of the Identification and Authentication controls in place, reference policy and how it can be reviewed u Unique identification, e.g., UserId u Unique authentication, e.g. password u Maintenance of UserId and password u Length of password and frequency of password changes u For GSS state name of software used to control all aspects of UserID and password u If used, describe biometrics or token controls

71 71 4.2 Authorization & Access Controls u Provide a detailed summary of procedures, hardware, and/or software used to control access to resources, reference policy and how it can be reviewed u Role based access u Separation of duties u Usage of Access Control Lists (ACLs) u Security software and restricting access u How access is restricted between systems u Controls for detecting unauthorized access u Inactive user activity and automated disconnection u System access outside normal working hours

72 72 4.2 Authorization & Access Controls - cond u How the access control mechanism supports individual accountability and audit trails u State the number of invalid access attempts that may occur and the actions taken when that limit is exceeded u If cryptography is used, provide a detailed summary of methodology and key management procedures u Provide sample system-specific warning banner

73 73 4.3 Remote Users & Dial-up Controls u Provide a detailed summary of remote users and dial- up controls, reference policy and how it can be reviewed u Describe the type of remote access (dial, Internet) permitted u Functions that may or may not be authorized for remote use, i.e., differences from internal access permissions

74 74 4.4 Wide Area Networks (WAN) Controls u Provide a detailed summary of the wide area network controls u Protection against unauthorized system penetration, Internet threats & vulnerabilities u Types of network connections, e.g., Internet u Describe additional hardware or technical controls to provide protection e.g., firewalls, proxy servers u Network Diagram can be included

75 75 4. 5 Public Access Controls u Provide detail summary when or if public access is authorized, reference policy/procedures, the responsible component and how it can be reviewed u Access controls used to secure the system u Controls to prevent public users, if access is authorized, from modifying information on the system u Legal considerations to allowing access to the information u Describe rationale for the use or non-use of warning banners and provide an example of the banners used for this system u If no public access state system does not allow public access

76 76 4.6Test Scripts/Results u Summarize the findings of all tests/results u Describe the test scripts and results that were used to test the effectiveness of the security controls u Include title, date, and office responsible for maintaining the test scripts/results

77 77 4.7 Audit Trails u Provide a detailed summary of existing audit trails u Document the auditing mechanisms u Describe what is recorded, who reviews, how often are they reviewed and what procedures are employed for corrective actions as a result of a finding u Describe when audit trails are employed, e.g., on a given cycle, continuously, when an incident occurs, etc. u Describe audit trail archive procedures including how long they are kept, where stored, and what media type

78 78 5.0Appendices & Attachments u Appendix A – Equipment List (Primarily for GSS) u Appendix B – Software List u Attachments u Risk Assessment (Required)

79 79 Section 4 & 5 Questions ?

Download ppt "1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002."

Similar presentations

Ads by Google