PRoject 4 HHS analysis - PowerPoint PPT Presentation

View by Category
About This Presentation
Title:

PRoject 4 HHS analysis

Description:

Project for CSIA 412, HHS cybersecurity presentation – PowerPoint PPT presentation

Number of Views:56
Slides: 29
Provided by: Praezin
Tags: csia_412 | hhs

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: PRoject 4 HHS analysis


1
Cybersecurity and the Department of Health and
Human Services
  • Michael Hathaway
  • CSIA 412

2
Agenda
  • Introduction
  • Legislation
  • Impact Analysis
  • Standards Addressed
  • HHS Security Platform
  • Recommendations
  • Conclusion
  • References

3
Introduction
  • By not complying with Federal cybersecurity
    requirements, the Office of Civil Rights
    increased the risk that it might not identify or
    mitigate system vulnerabilities, (OIG, 2013).

4
Threats
  • The United States is not immune to cyber threats
    and incursion into our information systems

5
Legislation
  • Executive Order 13633
  • Improving Critical Infrastructure Cybersecurity
  • Presidential Policy Directive 21
  • Critical Infrastructure Security and Resilience
  • Department of Homeland Security
  • EO 13633 and PPD 21 Information Fact Sheet

6
Impacts
  • Voluntary framework
  • Information Sharing
  • Incident Management and Response
  • Personnel Cybersecurity Training

7
Voluntary Framework
  • Participation in the framework creation is
    voluntary from both the private and public
    sectors.
  • Neutral in technology
  • Offcice of Civil Rights and the Government
    Accountability Office

8
Information Sharing
  • Voluntary information sharing with industry,
    states, and local government, (LFS, 2011)

9
Incident Management and Response
  • Federal agencies have reported increasing
    numbers of security incidents that placed
    sensitive information at risk, (GAO, 2011)

10
Personnel Cybersecurity Training
  • 32 percent of HHS employees with significant
    security related responsibilities had not
    received specialized security training, (GAO,
    2006, pg20).

11
Standards
  • NIST Federal Information Processing Standards
    Publication (FIPS) 200, titled Minimum Security
    Requirements for Federal Information and
    Information Systems
  • ISO/IEC 27002 standard, titled Information
    technology - Security techniques Code of
    practice for information security controls
  • Categories
  • Awareness Training
  • Malicious Code Protection
  • Incident Management

12
Awareness Training
  • Organizational personnel are adequately trained
    to carry out their assigned information
    security-related duties and responsibilities,
    (NIST, 2006).

13
Malicious Code Protection
  • Malicious code is a strong opponent of
    cybersecurity
  • Introduced from a variety of means such as
  • email to users
  • installing unknown software
  • sharing CDs or other media with others

14
Incident Management
  • Procedures for monitoring, detecting,
    analyzing and reporting of information security
    events and incidents, (OSI, 2013).

15
HHS Cybersecurity Platform
  • Recent GAO audit reports
  • Categorized security Controls
  • Management
  • Operational
  • Technical

16
Management Controls
  • Management controls are meant for the management
    of risks within a system, they are further
    divided with planning being a sub-function.

17
PL-1 Security Planning Policy and Procedures
NIST SP 800-53 Control The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented, security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.
NIST SP 800-53 Control Enhancements None.
18
PL-4 Rules of Behavior
NIST SP 800-53 Control The organization establishes and makes readily available to all information system users a set of rules that describes their responsibilities and expected behavior with regard to information system usage. The organization receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information.
NIST SP 800-53 Control Enhancements None.
19
Operational Controls
  • Operational controls are those that address
    issues with mechanisms that are primarily
    implemented and executed by the systems
    management, administration, and technical support
    personnel. These security controls were put in
    place to improve the overall security of the
    system environment, (SSP-T, nd). Part of the
    operational controls is the incident response
    policies.

20
IR-1 Incident Response Policy Procedures
NIST SP 800-53 Control The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented, incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
NIST SP 800-53 Control Enhancements None.
21
Technical Controls
  • Technical controls are used to minimize or
    prevent unauthorized users from accessing the
    system and to ensure its integrity,
    confidentiality, and availability, (SSP-T, nd).
    Further subdivided, with System and and
    Communication Protection controls being part of
    the overall.

22
SC-17 Public Key Infrastructure Certificates
NIST SP 800-53 Control The organization develops and implements a certificate policy and certification practice statement for the issuance of public key certificates used in the information system.
NIST SP 800-53 Control Enhancements None.
23
Recommendations for Improvement
  • Areas to be improved upon are
  • Addressing audit reports
  • Policy updates to reflect new standards
  • Expansion of policy

24
Conclusion
  • The concluding presentation was very basic in
    contrast to the overall scope of cybersecurity,
    even in general terms. HHS has implemented much
    that has helped protect the organization and
    HIPAA. While there are some areas to be addressed
    for improvement, overall the organization has
    presented and performed well in recent audits.
    The current policies adhere well with industry
    standards, legislative policies and directives
    and are an adequate foundation for the
    cybersecurity of critical infrastructure the
    nation relies upon.

25
Questions?
26
References
  • CRS Congressional Research Service. (Nov, 2013).
    The 2013 Cybersecurity Executive Order Overview
    and Considerations for Congress. Retrieved from
    https//www.crs.gov
  • DHS Homeland Security. (Mar, 2013). Executive
    Order (EO) 13636 Improving Infrastructure Cyber
    Security Presidential Policy Directive (PPD)
    21 Critical Infrastructure Security and
    Resilience. Retrieved from Course Content, file
    EO-13636-PPD-21-Fact-Sheet-508.pdf.
  • Legislative Fact Sheet. (May, 2011) Fact Sheet
    Cybersecurity Legislative Proposal. Retrieved
    from Course Content, file May 2011 Fact Sheet
    Cybersecurity Legislative Proposal.pdf
  • GAO United States Government Accountability
    Office. (Oct, 2011). Information Security
    Weaknesses Continue Amid New Federal Efforts to
    Implement Requirements. Retrieved from
    http//www.gao.gov/new.items/d12137.pdf
  • GAO United States Government Accountability
    Office. (Feb, 2006). Information Security
    Department of Health and Human Services Needs to
    Fully Implement Its Program. Retrieved from
    http//www.gao.gov/new.items/d06267.pdf
  • OIG Office of Inspector General. (Nov, 2013). The
    Office for Civil Rights Did Not Meet All Federal
    Requirements in its Oversight and Enforcement of
    the Health Insurance Portability and
    Accountability Act Security Rule. Retrieved from
    https//oig.hhs.gov/oas/reports/region4/41105025.p
    df

27
  • FIPS 199. (Mar, 2006). Minimum Security
    Requirements for Federal Information and
    Information Systems. Retrieved from class
    content.
  • FIPS 200. (Mar, 2006). Standards for Security
    Categorization of Federal Information and
    Information Systems. Retrieved from class
    content.
  • HHS IRM. (Apr, 2010). Policy for Information
    Technology (IT) Security and Privacy Incident
    Reporting and Response. Retrieved from
    http//www.hhs.gov/ocio/policy/hhs_ocio_policy_201
    0_0004.html
  • HHS MS. (Jan, 2001). HHS IRM Policy for the
    Prevention, Detection, Removal and Reporting of
    Malicious Software. Retrieved from
    http//www.hhs.gov/ocio/policy/2000-0007.html
  • HHS OCIO. (Aug, 2008). HHS-OCIO Standard for the
    Segregation of Development/Test Environments from
    Production. Retrieved from http//www.hhs.gov/ocio
    /policy/2008-0003.002s.html
  • HHS PKI. (Jan, 2001). HHS IRM Policy for Public
    Key Infrastructure (PKI) Certification Authority
    (CA). Retrieved from http//www.hhs.gov/ocio/polic
    y/2000-0011.html
  • HHS POL. (Jul, 2011). HHS-OCIO-2011-0003 Policy
    for Information Systems Security and Privacy.
    Retrieved from http//www.hhs.gov/ocio/policy/hhs-
    ocio-2011-0003.html
  • HHS RoB. (Jul, 2013). Rules of Behavior for Use
    of HHS Information Systems. Retrieved from for
    http//www.hhs.gov/ocio/policy/hhs-rob.html
  • NIST 800-53v4. (Apr, 2013). Security and Privacy
    Controls for Federal Information Systems and
    Organizations. Retrieved from class content.
  • SSP-T. (nd). 800-53 SSP Template Examples.
    Retrieved from class content.

28
  • CSIRC Department of Health and Human Services
    Computer Security Incident Response Center. (Apr,
    2010). Policy for Information Technology (IT)
    Security and Privacy Incident Reporting and
    Response. Retrieved from http//www.hhs.gov/ocio/p
    olicy/hhs_ocio_policy_2010_0004.html
  • HHSCP Department of Health and Human Services
    Cybersecurity Program. (2014). Department of
    Health and Human Services Information Systems
    Security Awareness Training. Retrieved from
    http//www.hhs.gov/ocio/securityprivacy/awarenesst
    raining/issa.pdf
  • HHSIRM Department of Health and Human Services
    Incident Response Management. (Jan, 2001). HHS
    IRM Policy for the Prevention, Detection, Removal
    and Reporting of Malicious Software. Retrieved
    from http//www.hhs.gov/ocio/policy/2000-0007.html
  • HHSOCIO Department of Health and Human Services
    Office of Chief Information Officer. (Jul, 2009).
    HHS-OCIO Standard for IEEE 802.11 WLAN. Retrieved
    from http//www.hhs.gov/ocio/policy/policydocs/sta
    ndard_2009-0003_001s_-_ocio.DOC
  • ISO (Oct, 2013). ISO/IEC 27002 Information
    technology security techniques Code of
    practice for information security controls..
    Retrieved from class content.
  • NIST National Institute of Standards and
    Technology. (Mar, 2006). Minimum Security
    Requirements for Federal Information and
    Information Systems.. Retrieved from class
    content.
About PowerShow.com