
Essay: Managing information security risk

Essay details and download:

  • Subject area(s): Management essays
  • Reading time: 6 minutes
  • Price: Free download
  • Published: 15 September 2019*
  • Last Modified: 23 July 2024
  • File format: Text
  • Words: 1,671 (approx)
  • Number of pages: 7 (approx)


Security remains the leading concern senior executives have about their information and network infrastructures. In many cases it is not clear whether the range of security technology in use is effective and affords the protection the organization requires. As organizations become increasingly dependent on information systems for all their business activities with customers, suppliers, partners and employees, senior executives need confidence that they can operate securely. Information systems are subject to serious threats that can have adverse effects on organizational operations. Threats target assets, individuals, organizations, and the Nation by exploiting both known and unknown vulnerabilities, with the intent of compromising the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by those systems. Threats to information systems include purposeful attacks, environmental disruptions, human and machine errors, and structural failures, and can result in harm to the national and economic security interests of the United States. It is therefore imperative that leaders and managers at all levels understand their responsibilities and are accountable for managing information security risk, that is, the risk associated with the operation and use of the information systems that support the missions and business functions of their organizations.

Risk Assessment Approach

The Program Support Center (PSC) provides a wide range of support services to the Department of Health and Human Services. The PSC is committed to providing the best customer service, with a strategic vision of being the leader in shared services across the federal government. PSC's values include subject matter expertise, competitive prices, responsiveness, timely and integrated comprehensive services, accurate and reliable data, and ease of use in direct support of the PSC and its customers. The support services include a wide variety of assistance in task areas such as Financial Management, Program Management, Occupational Health and Administrative Support. For PSC to continue its mission-critical support services, it requires systems and applications operating at peak performance without security breaches or security incidents, while maintaining compliance with all OMB, HHS and NIST policies, regulations and mandates.

With the increase in security breaches and cyber threats, the U.S. Government has directed the effort to secure the nation's critical infrastructure through legislation, policy and standards that implement the National Strategy to Secure Cyberspace, such as the Federal Information Security Management Act (FISMA) of 2002 and the Federal Information Security Modernization Act (FISMA) of 2014 that updated it, OMB Circular A-130, Federal Information Processing Standards (FIPS) 199, 200 and 140, and the National Institute of Standards and Technology (NIST) Special Publications. As such, leaders at all levels must consider the risk to their organization arising from the combination of threats, vulnerabilities, and impacts. They must regularly assess the methods and processes used to identify, eliminate or reduce threat capabilities; to eliminate or reduce vulnerabilities; and to assess, coordinate, and secure their IT assets.

Risk assessments are a key part of effective risk management and support decision making at all three tiers of the risk management hierarchy: the organization, the mission/business process, and the information system. Risk management is continuous, so risk assessments are conducted throughout the system development life cycle, from pre-system acquisition (materiel solution analysis and technology development), through system acquisition (engineering/manufacturing development and production/deployment), and on into sustainment (operations and support). There is no formal mandate prescribing the methodology, level of detail, tools or techniques used to conduct risk assessments, but the National Institute of Standards and Technology (NIST) has published guidance (Special Publication 800-30, Guide for Conducting Risk Assessments) on conducting risk assessments and incorporating them into the overall organizational risk management process.

The risk assessment is a key component of a holistic, organization-wide risk management process for managing information security risk, as described in NIST SP 800-39, Managing Information Security Risk. NIS's ISO 27001 certified Information Security Management System includes the following four risk management processes: framing risk, assessing risk, responding to risk, and monitoring risk. We will review how PSC addresses risk management and how risk-based decisions are made. The purpose of the risk framing component is to produce a four-step risk management strategy that addresses how PSC frames, assesses, responds to, and monitors risk, making explicit and transparent the risk perceptions that PSC routinely uses in making both investment and operational decisions. The risk management strategy establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within PSC.

The second component of our review of PSC's risk management (risk assessment) addresses how PSC assesses risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify: (1) threats to PSC (i.e., its operations, assets, or individuals) or threats directed through PSC against other organizations; (2) vulnerabilities internal and external to PSC and the harm (i.e., adverse impact) that may occur given the potential for threats to exploit those vulnerabilities; and (3) the likelihood that the harm will occur. Risk is then determined as a function of the degree of harm and the likelihood of that harm occurring.

The third component of risk management (risk response) addresses how PSC responds to risk once that risk is determined based on the results of a risk assessment. The purpose of the risk response component is to provide a consistent, PSC-wide response to risk in accordance with the organizational risk framework by: (1) developing alternative courses of action for responding to risk; (2) evaluating the alternative courses of action; (3) determining appropriate courses of action consistent with organizational risk tolerance; and (4) implementing risk responses based on selected courses of action.

The fourth component of risk management (risk monitoring) addresses how PSC monitors risk over time. The purpose of the risk monitoring component is to: (1) determine the ongoing effectiveness of risk responses (consistent with the organizational risk framework); (2) identify risk-impacting changes to organizational information systems and the environments in which the systems operate; and (3) verify that planned risk responses are implemented and information security requirements are satisfied. The security requirements are derived from, and traceable to, PSC missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines.
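A worked example of the assess, respond and monitor steps described above, added here as an illustration and not part of the essay or of NIS's or PSC's own process. It scores constructed risk register entries in Python using two lookup matrices shaped after NIST SP 800-30 Rev. 1 Table G-5 (overall likelihood from the likelihood that a threat event is initiated and the likelihood that it results in adverse impact) and Table I-2 (level of risk from overall likelihood and impact). The register entries, the "Moderate" risk tolerance and the response policy (mitigate above tolerance, accept and monitor at tolerance, accept below) are assumptions made for the example, and the matrices should be checked against the publication before being reused.

```python
"""Added example: Tier 3 risk determination in the style of NIST SP 800-30 Rev. 1.

Not part of the essay. The register entries below are constructed, and the two
lookup matrices follow the shape of SP 800-30 Rev. 1 Table G-5 (overall
likelihood) and Table I-2 (level of risk); verify them against the publication
before relying on them in a real assessment.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows: likelihood that a threat event is initiated or occurs.
# Columns (in LEVELS order): likelihood that, once it occurs, it causes adverse impact.
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}

# Rows: overall likelihood. Columns (in LEVELS order): level of impact (degree of harm).
LEVEL_OF_RISK = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass
class ThreatEvent:
    name: str
    threat_source: str
    vulnerability: str
    likelihood_initiation: str  # the threat source acts
    likelihood_impact: str      # the action succeeds against the vulnerability
    impact: str                 # degree of harm if it succeeds


def overall_likelihood(initiation: str, impact_likelihood: str) -> str:
    return OVERALL_LIKELIHOOD[initiation][LEVELS.index(impact_likelihood)]


def level_of_risk(likelihood: str, impact: str) -> str:
    return LEVEL_OF_RISK[likelihood][LEVELS.index(impact)]


def assess(event: ThreatEvent) -> dict:
    """Risk assessment step: risk as a function of likelihood and degree of harm."""
    lk = overall_likelihood(event.likelihood_initiation, event.likelihood_impact)
    return {"name": event.name, "likelihood": lk, "risk": level_of_risk(lk, event.impact)}


def respond(assessment: dict, risk_tolerance: str) -> str:
    """Risk response step. The policy is a hypothetical one for this example, not
    from SP 800-30: above tolerance -> mitigate, at tolerance -> accept but keep
    monitoring, below tolerance -> accept."""
    delta = LEVELS.index(assessment["risk"]) - LEVELS.index(risk_tolerance)
    if delta > 0:
        return "mitigate"
    if delta == 0:
        return "accept-and-monitor"
    return "accept"


def run_assessment(events, risk_tolerance: str) -> list:
    results = []
    for ev in events:
        a = assess(ev)
        a["response"] = respond(a, risk_tolerance)
        results.append(a)
    # Rank highest risk first so decision makers see what exceeds tolerance.
    results.sort(key=lambda a: LEVELS.index(a["risk"]), reverse=True)
    return results


# Constructed register entries, for illustration only.
REGISTER = [
    ThreatEvent("Credential phishing of finance staff", "external adversary",
                "no phishing-resistant MFA on payroll portal",
                "Very High", "Moderate", "High"),
    ThreatEvent("Unpatched web server exploited", "external adversary",
                "90-day-old patch backlog on DMZ host",
                "High", "High", "High"),
    ThreatEvent("Backup restore fails after outage", "structural failure",
                "restores never tested",
                "Low", "High", "Moderate"),
]

if __name__ == "__main__":
    for row in run_assessment(REGISTER, risk_tolerance="Moderate"):
        print(f'{row["risk"]:9} {row["response"]:18} {row["name"]}')
    # Risk monitoring step: re-assess after a control changes the likelihood.
    patched = ThreatEvent("Unpatched web server exploited", "external adversary",
                          "patch backlog cleared; weekly scan", "High", "Low", "High")
    print("after mitigation:", assess(patched)["risk"])
```

Running the module prints the ranked register (two High entries marked for mitigation, one Moderate entry accepted under monitoring) and then re-assesses the web server entry after patching has lowered the likelihood that an attack succeeds. That re-assessment is the check the monitoring component calls for: the risk drops from High to Moderate, which is at tolerance rather than below it, so the entry is accepted and kept under monitoring instead of being closed.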

Our risk assessments will identify the relevant threats to PSC, the vulnerabilities both internal and external to PSC, the impact on PSC systems and business given the potential for threats to exploit those vulnerabilities, and the information decision makers need, together with recommendations for risk mitigation strategies and solutions. We will conduct risk assessments at all three tiers of the risk management hierarchy: Tier 1 (organization level), Tier 2 (mission/business process level), and Tier 3 (information system level). At Tiers 1 and 2, we will review and evaluate systemic information security risks associated with organizational governance and management activities, mission/business processes, enterprise architecture, and the funding of information security programs. At Tier 3, we will use risk assessments to support the implementation of the Risk Management Framework (NIST SP 800-37): security categorization; security control selection, implementation, and assessment; information system and common control authorization; and security control monitoring.

Risk assessments should not be one-time activities that provide permanent and definitive information for decision makers to guide and inform responses to information security risks. Instead, organizations should employ risk assessments on an ongoing basis throughout their operations and system development life cycle. Risk assessments should cover all tiers of the risk management hierarchy, with the resources applied to each assessment commensurate with its expressly defined purpose and scope. Risk assessments can support a wide variety of risk-based decisions and activities by organizational officials across all three tiers. Depending on the scope, the NIS team will be able to support the following:

  • Development of an information security architecture;
  • Definition of interconnection requirements for information systems (including systems supporting mission/business processes and common infrastructure/support services);
  • Design of security solutions for information systems and environments of operation including selection of security controls, information technology products, suppliers/supply chain, and contractors;
  • Authorization (or denial of authorization) to operate information systems or to use security controls inherited by those systems (i.e., common controls);
  • Modification of missions/business functions and/or mission/business processes permanently, or for a specific time frame (e.g., until a newly discovered threat or vulnerability is addressed, until a compensating control is replaced);
  • Implementation of security solutions (e.g., whether specific information technology products or configurations for those products meet established requirements); and
  • Operation and maintenance of security solutions (e.g., continuous monitoring strategies and programs, ongoing authorizations).

For many years NIS has supported its clients' incorporation of security into their information systems and business operations. NIS is currently supporting multiple organizations with their cybersecurity requirements, including defending and managing information systems categorized from low to high impact as well as Secret and Top Secret systems. For an Information Assurance program to be effective, it must become an integral part of the agency's overall business strategy. When security management is accepted as a core business operation, it necessitates the development of guidelines and creates the security practices necessary to support the business strategy. The guidelines become the overarching security policy, which in turn drives the development of an overall security management architecture.

NIS uses a wide range of tools to scan networks to determine which services are running and whether software versions are up to date, and to scan for known vulnerabilities. If requested, NIS can conduct compromise assessments to discover whether a system or network may already be compromised. We can also conduct independent penetration testing of PSC's information systems and network to test their resilience and readiness. A successfully implemented risk assessment process places the necessary emphasis on security policy during the most important phases of a project, the planning and design phases. Furthermore, an increasing number of projects require some aspect of security (authentication, authorization, etc.) as the key project enabler. As such, security requirements must be emphasized throughout the life of the project, from requirements and design through implementation.

Upon completion of the risk assessment, our best practice is to communicate the results properly to all stakeholders. Since security is an ongoing and evolving process, NIS can provide PSC with recommendations (based on our assessment findings) for improving or maintaining its current security procedures, with the goal of improving over time consistent with its risk posture.

About this essay:

If you use part of this page in your own work, you need to provide a citation, as follows:

Essay Sauce, Managing information security risk. Available from:<https://www.essaysauce.com/management-essays/2018-4-23-1524500424/> [Accessed 16-04-26].


* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.