Information Security for Executives v1.0 MAY 2011
Information Security for Executives
Contents:
- Course Introduction
- Information Security Overview
- Security Policy and Governance
- Privacy Protection
- Security and Your Business
- Course Summary
- Appendix
Course Introduction: Executive Introduction
Welcome to Information Security for Executives
“As an executive of the Department of Health and Human Services (HHS), securing the Department’s information and protecting the privacy of the citizens we serve should be one of your top priorities.” Mike Carleton, Chief Information Officer (CIO), HHS
Course Introduction: The HHS Executive’s Security Role
- Help employees understand why security and privacy are important, and empower them to make protecting the information, health, safety, and well-being of the American people their personal mission.
- Incorporate security into your management philosophy: make it a routine topic in staff meetings and when making management decisions.
- Allocate resources to ensure that systems are adequately protected against compromise of sensitive information.
- Ensure that employees receive the training they need and are held accountable for protecting sensitive information.
- Heighten awareness of how to quickly identify sensitive data and how to handle it on a day-to-day basis.
- Ensure that information security and privacy are integrated into all information systems development activities.
Course Introduction: Course Objectives
At the end of this course you will be able to:
- Define information security and emerging threats.
- Identify governing bodies and legislative drivers for protecting information security.
- Define privacy and explain why it is important to protect your assets and investments.
- Understand your role and responsibilities as an HHS executive in the areas of information security and privacy.
- Identify where to locate HHS information security resources.
Information Security Overview: What is Information Security?
Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
- It is achieved by implementing management, operational, and technical measures designed to protect the confidentiality, integrity, and availability of information.
- The goal of an information security program is to understand, reduce, and manage the risk to information under the organization’s control.
- In the 21st century, information assets have become a great source of value and wealth for individuals with malicious intent. Protecting HHS information must therefore be a priority in your day-to-day actions.
Information Security Overview: Key Elements of Information Security
- Confidentiality: protecting information from unauthorized disclosure to people or processes.
- Integrity: assuring the reliability and accuracy of information and information technology (IT) resources, so that data is not modified or destroyed without authorization.
- Availability: ensuring that authorized users have timely and reliable access to information and IT resources, and defending those resources from unauthorized or malicious use that would deny that access.
Information Security Overview: Information Security Threats
Threat: the potential to cause unauthorized disclosure of, changes to, or destruction of an asset.
- Impact: a breach of confidentiality, unavailability of information, or a failure of integrity.
- Types: natural, environmental, and man-made.
Information Security Overview: What is a Cyber Attack?
Cyber attacks are malicious attacks intended to cause major disruption to everyday government operations.
- The Department of Defense (DoD) detects three million unauthorized “scans” (attempts by possible intruders to access official networks) every day.
- The Department of Homeland Security (DHS) received 37,000 reports of attempted breaches of government and private systems in Fiscal Year (FY) 2007, an increase of 54 percent over FY2006.
Information Security Overview: Potential Impacts Resulting from the Loss of Sensitive Information
Failure to exercise due diligence in protecting sensitive information can result in:
- Reputation damage for HHS;
- Loss of trust in HHS;
- Legal ramifications for HHS;
- Loss or misuse of sensitive information;
- Injury or damage to those whose private information has been exposed; and
- Potential financial ramifications for those affected.
Security Policy and Governance: Federal Government Governance
The following governing bodies provide the legislation, policy, and standards that protect Federal information and systems:
- US Congress: created the E-Government Act of 2002 (H.R. 2458/S.803). Title III of the E-Government Act of 2002 (Public Law 107-347, 116 Stat. 2899) is the Federal Information Security Management Act (FISMA) of 2002.
- Office of Management and Budget (OMB): evaluates the effectiveness of agency programs, policies, and procedures, and improves administrative management by developing performance measures.
- National Institute of Standards and Technology (NIST): develops and issues standards, guidelines, and other publications to assist federal agencies in implementing security requirements.
*See Appendix for a list of HHS security and privacy information resources.
Security Policy and Governance: Departmental Governance (HHS Cybersecurity Program)
The HHS Cybersecurity Program is the Department’s information security program.
- HHS Headquarters (HQ) sets programmatic direction: it develops standards and guidance, provides an enterprise-wide perspective, facilitates coordination among key stakeholders, and supports streamlined reporting and metrics capabilities.
- Operating Divisions (OPDIVs) implement programs that meet specific business needs, provide business and domain expertise, participate in establishing an enterprise-wide baseline, manage implementation at the OPDIV level, and manage ongoing operations.
- Oversight of the HHS Cybersecurity Program is provided by the Office of the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO).
Privacy Protection: What is Privacy?
- Privacy: a set of fair information practices that ensure an individual’s personal information is accurate, secure, and current, and that individuals know how their data is used.
- Personally identifiable information (PII): any information that identifies, or can be used to identify, contact, or locate, the person to whom it pertains.
Privacy Protection: HHS’ Role in Protecting Sensitive Information
- Protect the personal information of individuals.
- Protect individuals from the harm they could suffer if certain information were released without their consent.
- Encrypt sensitive information in transit.
- Encrypt devices containing PII and all other sensitive information, such as financial and personnel data, using federally approved encryption software (see the Department’s Standard for Encryption).
Security and Your Business: How Does Security Have an Impact on My Business?
- Enterprise Performance Lifecycle (EPLC)
- Capital Planning and Investment Control (CPIC)
- Training & Awareness
- Contract Oversight
- Inappropriate Behavior
- Incident Reporting
Security and Your Business: Enterprise Performance Lifecycle
EPLC is HHS’ IT project management methodology. It incorporates best government and commercial practices through a consistent and repeatable process, and provides a standard structure for planning, managing, and overseeing IT projects over their entire life cycle.
- It maximizes alignment of projects and investments with Departmental and OPDIV strategic goals.
- Security must be incorporated in all phases of the EPLC to reduce system risk and enhance the confidentiality, integrity, and availability of HHS IT systems.
Security and Your Business: Enterprise Performance Lifecycle
For more information on the EPLC framework, see "Appendix E: Security Deliverables" of the Enterprise Performance Life Cycle Framework.
Security and Your Business: Security and the Capital Planning and Investment Control (CPIC) Process
CPIC is the primary process for making investment decisions, assessing investment process effectiveness, and refining related policies and procedures.
- It ensures fiscal accountability of Exhibit 300 business cases.
- Integrate information security into the CPIC process from the start to avoid budgeting ramifications later.
- Use the EPLC framework to strengthen measurable results for IT investments.
Security and Your Business: Security Training & Awareness
- All system users must complete mandatory security awareness training and privacy awareness training before receiving system access.
- Security awareness training and privacy awareness training must be taken every year by employees, contractor personnel, interns, and other non-government personnel conducting business for or on behalf of the Department through contractual relationships or memoranda of agreement, whenever they use IT resources.
- Role-based training (RBT) is also required for individuals with significant security responsibilities (SSR).
Security and Your Business: Contracts and Contractors
Executives must ensure that contracts and contractors support the security environment.
- Contracts must include applicable security requirements. See the Security and Privacy Considerations to Guide IT Procurement (in development) for more information.
- Contractors must fulfill security training requirements.
- Non-disclosure agreements (NDA) must be signed by everyone with access to sensitive information.
- Refer to the HHS Contractor Oversight Guide for detailed information on adaptable oversight directions.
Security and Your Business: What is Inappropriate Behavior?
- Employees are permitted limited personal use of HHS IT resources. This personal use must not result in loss of employee productivity, interference with official duties, or more than “minimal additional expense” to HHS.
- Viewing inappropriate websites, gambling online, and installing unauthorized software are considered inappropriate behavior.
- Refer to the HHS Information Resource Management (IRM) Policy for Personal Use of Information Technology Resources for guidance on sanctions for misuse.
- Refer to the HHS Rules of Behavior (HHS Rules) and your local OPDIV procedures.
Security and Your Business: Incident Handling
Encourage compliance with, and awareness of, the applicable Department policies:
- HHS Incident Notification Process
- HHS Information Resource Management (IRM) Policy for Establishing an Incident Response Capability
- Updated Departmental Standard for the Definition of Sensitive Information
- Standard for Encryption
Contact your OPDIV CISO or Incident Response Team (IRT) to verify local incident notification procedures.
Course Summary: Summary of the HHS Executive’s Security Role
- Help employees understand why security and privacy are important, and empower them to make protecting the information, health, safety, and well-being of the American people their personal mission.
- Incorporate security into your management philosophy: make it a routine topic in staff meetings and when making management decisions.
- Allocate resources to ensure that systems are adequately protected against compromise of sensitive information.
- Ensure that employees receive the training they need and are held accountable for protecting sensitive information.
- Heighten awareness of how to quickly identify sensitive data and how to handle it on a day-to-day basis.
- Ensure that information security and privacy are integrated into all information systems development activities.
- Ensure that security is included in all contracts.
Course Summary
You should now be able to:
- Define information security and emerging threats;
- Identify governing bodies and legislative drivers for protecting information security;
- Define privacy and explain why it is important to protect;
- Understand your role and responsibilities as an HHS executive in the areas of information security and privacy; and
- Identify where to locate HHS information security resources.
Congratulations! You have completed the Information Security for Executives course.
Appendix: HHS Resources
Information on HHS policy and guidance can be found at the following links:
- OCIO Policy
- HHS Cybersecurity Program Online
Appendix: HHS Resources (Continued)
Federal compliance documents can be accessed at the following links:
- Public Law 93-579, 5 U.S.C. 552a, the Privacy Act of 1974, http://www.justice.gov/opcl/privacyact1974.htm
- OMB Circular A-130, Management of Federal Information Resources, http://www.whitehouse.gov/omb/circulars_a130_a130trans4/
- Public Law 104-106 (40 U.S.C. Section 1401, 1996), Information Technology Management Reform Act (Clinger-Cohen Act), http://www.cio.gov/Documents/it_management_reform_act_Feb_1996.html
- Health Insurance Portability and Accountability Act (HIPAA), http://www.cms.gov/HIPAAGenInfo/
Appendix: HHS Resources (Continued)
Federal compliance documents can be accessed at the following links:
- Health Information Technology for Economic and Clinical Health Act (HITECH), http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf
- Public Law 107-347, Federal Information Security Management Act of 2002 (FISMA), which supersedes the Computer Security Act of 1987, http://csrc.nist.gov/drivers/documents/HR2458-final.pdf
- Homeland Security Presidential Directive (HSPD) 7 (2003), http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm
- HSPD-12 (2004), http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm
Appendix: Privacy Resources
- Privacy Resource Center: a compilation of privacy resources to help all HHS employees understand privacy and what they can do to protect PII at work and at home.
- Privacy Breach Frequently Asked Questions: answers frequently asked questions about how to identify and report a privacy breach.
- Privacy Impact Assessment (PIA) Standard Operating Procedures: the standard approach for conducting a PIA for all Department systems (2010).
- Policy for Information Systems Security and Privacy: establishes comprehensive IT security and privacy requirements for the IT security programs and information systems of OPDIVs and STAFFDIVs within HHS (2010).
Access the HHS Cybersecurity Program intranet page for additional guidance.
Appendix: Information Security Requirements
FISMA Statutory Requirements: OMB Budgeting and Reporting Requirements
- OMB Circular A-11, Section 53, Information Technology and E-Government (2007)
- OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources
- OMB Memorandum (M) 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (2003)
- OMB M-04-04, E-Authentication Guidance for Federal Agencies (2003)
- OMB M-05-08, Designation of Senior Agency Officials for Privacy (2005)
- OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
Appendix: Information Security Requirements (Continued)
FISMA Statutory Requirements: NIST Security Standards and Implementation Requirements
- NIST Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems (2002)
- NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems (2010)
- NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems (2010)
- NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (2009)
- NIST SP 800-65 Revision 1 (DRAFT), Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC) (2009)
*Read the full NIST documents.
Appendix: Information Security Requirements (Continued)
FISMA Statutory Requirements: NIST Security Standards and Implementation Requirements
- Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems (2004)
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (2006)
*Read the full FIPS documents.
Appendix: Personnel and Physical Security
The information, personnel, and physical security teams at HHS work hand in hand to ensure the security of our information.
- The Office of Security and Strategic Information (OSSI) leads and manages personnel security and suitability, information security, drug testing, and foreign travel and visitor policy for the Department, and ensures HHS’ compliance with Homeland Security Presidential Directive 12 (HSPD-12).
- Physical Security protects offices, staff, contractors, visitors, and HHS assets; prevents, investigates, and detects crimes; and apprehends offenders.
Appendix: Security Authorization
- OMB requires agencies to assess their security controls to determine their overall effectiveness, and to formally authorize system operation and accept the associated risk.
- Security Authorization (formerly Certification & Accreditation) is initiated when a system is developed or modified in response to a mission need, business case, operational requirement, or significant change.
- FISMA establishes government-wide responsibilities for federal computer security and requires agencies to adopt a minimum set of security controls; FIPS 200 and NIST SP 800-53 (Revision 3 as of this course; see the preceding pages of this appendix) specify those minimum controls.