Presentation is loading. Please wait.

Presentation is loading. Please wait.

Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology.

Published byRobert McDowell Modified over 8 years ago

Similar presentations

Presentation on theme: "Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology."— Presentation transcript:

1 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Protecting Your Institutional Data: If You Don’t Do It, Who Will?

2 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Data and Application Issues Processing, Storage and Transmission of Sensitive Data in Third Party Applications – Where is sensitive data being stored and accessed? – Who has access to it? – What controls are in place to manage and/or limit access? Application Sprawl Awareness Regulatory Requirements 2

3 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Questions to Ask Yourself What data do we as an Institution deem as sensitive? Where is sensitive data being stored, processed or transmitted? Who has access to sensitive data? What controls are in place to secure applications which have sensitive data? Are we addressing all controls as required by the USM Security Guidelines and DOIT Security Policy? (including all controls in NIST 800-53) What processes are in place to manage changes to applications that have sensitive data? Are we doing enough? 3

4 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com A Scope of Work to Answer Those Questions and Address the Underlying Issues Template Preparation – Develop data capture templates and assessment questions – Identify NIST Access Control Policy Categories and/or individual controls to include in application review – Confirm sensitivity level when controls are applicable Application Review – Phase One: Data Capture Review all applications, capture required data and determine application sensitivity level Classify Information Types by Data Sensitivity Risk Level Designation – Phase Two: Control Review Obtain detailed information on sensitive data, Review controls for sensitive applications and verify through documentation or by demonstration – Develop Recommendations Procedural Documentation – Develop onboarding documentation for all new applications – Develop easily understandable access control procedure documentation for all applications – Develop easily understandable change control procedures for all applications

5 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Why NIST? 5 Addresses security standards established by DOIT, interpreted in the context of USM. Framework developed using applicable guidelines in NIST. Only those controls designed to protect systems with a ‘moderate’ category level are included. Minimum information security requirements based on categorizations by FIPS 199 and 200

6 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Use NIST Guidelines to Map Data to Sensitivity to Risk Policy Use the high water mark to determine the risk level of the individual information type AND the risk level of the application. Information Type 1: {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)} = HIGH Information Type 2: {(confidentiality, MODERATE), (integrity, LOW), (availability, LOW)} = MODERATE The application is classified as a HIGH. Correlate this to Institution- defined risk levels. What is impact to the Institution if the confidentiality, integrity or availability of this data is compromised?

7 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Who Should Determine Sensitivity? Possible Sources: Data Stewards / Data Governance Committee Application/Business Owners Information Technology Owners IT Security Team What We Found: 7 Impacts associated with integrity and Availability made sense at the department level Confidentiality was applicable to the Institution as a whole Confidentiality was always the driver for the risk level

8 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Identify NIST Controls to include in Application Review Control Families from FIPS-200: – Access Control (AC) – Awareness and Training (AT) – Audit and Accountability (AU) – Certification, Accreditation and Security Assessments (CA) – Configuration Management (CM) – Contingency Planning (CP) – Out of Scope – Identification and Authentication (IA) – Incident Response (IR) – Out of Scope – Maintenance (MA) – Out of Scope – Media Protection (MP) – Out of Scope – Physical and Environmental Protection (PE) – Planning (PL) – Personnel Security (PS) – Risk Assessment (RA) – System and Services Acquisition (SA) – System and Communications Protection (SC) – Systems and Information Security (SI) Start by segregating controls by Application, System or Organization

9 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Confirm and tailor baselines for system level Are all of the controls applicable to an application- level review? For example, boundary protection is not an application concern, it’s a network infrastructure concern. Are any of the controls listed “Common Controls? That is, managed by an organization entity other than the information system owner.

10 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Are all Controls Equal? 10 NIST identifies a priority associated with each control May choose to develop internal priority based on other sources (ie USM) Chart removed

11 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Control Segregation 67 Application-level controls (42 Prioritized as higher) 56 Organization-level controls 65 System-level Controls 21 Not Applicable * 11

12 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Phase 1: Data Capture Capture basic information on the application, including a description, user types and roles Identify information types stored in the application Assess impact of confidentiality, integrity and availability for each application Identify integration points with other applications Capture all “sensitive” data stored in the application or queried from other sources Identify current procedures to gain access to the application 12

13 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Data Classification Consolidate data capture results Review information types by application Assign confidentiality impact across all information types Categorize application risk level Develop reports to illustrate risk levels by institution, department, # of occurrences, database type, application host, and use of specific PII (i.e. SSN and Credit Card Number) Identify applications requiring control review. 13

14 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Phase 2: Control Review For each application deemed “sensitive”, review all applicable controls for the given sensitivity category Verify selected controls through documentation or demonstration Capture all instances of failed controls and document Pass/fail the application 14

15 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Making a Control Review Make Sense Develop questions and guidance for each control 15 Chart removed

16 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Final Report Provide pass/fail statistics for each application and illustrate trending across all applications by control. Develop action items for each application addressing areas where additional follow up is required. Make recommendations associated with the appropriateness of process and procedures associated with the access and storage of data. Make recommendations on subsequent security assessments. 16

17 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com 17 Slide removed

18 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com 18 Slide removed

19 Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Ongoing Assessment Program Identification of compensating security controls and common controls, or where the baseline should be tailored given the environment at Towson 6 month plan to address suggestions, including removal of unnecessary data storage, changes to user access rights, implementation of controls, etc. Annual reassessment of applications with a risk level of High Use the System-level controls to drive additional testing or projects Use the Organization-level controls to develop institution-wide policies or procedures Verification of adhoc controls through demonstration 19

Download ppt "Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology."

Similar presentations

2 3 Global Foundation Services Security Global Delivery Sustainability Infrastructure.

2 3 Global Foundation Services Security Global Delivery Sustainability Infrastructure.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
Corporate Headquarters: 1010 Wayne Avenue, Suite 1150 Silver Spring, Maryland 20910 301.565.2988 Telephone 301.565.2995 Facsimile www.e-mcinc.com Satellite.

Corporate Headquarters: 1010 Wayne Avenue, Suite 1150 Silver Spring, Maryland Telephone Facsimile Satellite.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works

Security Controls – What Works
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Risk Assessment Frameworks

Risk Assessment Frameworks
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Privacy and Security Tiger Team Meeting Recommendations regarding a framework of security protections for EHRs December 7, 2011.

Privacy and Security Tiger Team Meeting Recommendations regarding a framework of security protections for EHRs December 7, 2011.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
An overview of the NIST Risk Management Framework ISA 652 Fall 2010

An overview of the NIST Risk Management Framework ISA 652 Fall 2010
Peer Information Security Policies: A Sampling Summer 2015.

Peer Information Security Policies: A Sampling Summer 2015.
Information Security Framework & Standards

Information Security Framework & Standards
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
1 Preparing a System Security Plan. 2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification.

1 Preparing a System Security Plan. 2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification.
DFARS 204.73 & 252.204-7012 What is Unclassified Controlled Technical Information (UCTI)?

DFARS & What is Unclassified Controlled Technical Information (UCTI)?

Similar presentations

Ads by Google