• No results found

Security Compliance: Making the Proper Decisions

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Security Compliance: Making the Proper Decisions"

Copied!
31
0
0

Loading.... (view fulltext now)

Download now ( 31 Page )

Full text

(1)

Security Compliance:

Making the Proper Decisions

L. Arnold Johnson

National Information Assurance Partnership National Institute of Standards and Technology

(2)

Short Answer to Moderators

Questions

Advice Now: Use IT hardware/software/network/plan security tools to detect & block further damage

Advice Before: Perform IT system security accreditation/certification/validation analysis • Standards of Care: Demonstrate adherence to

International/National/Industry IT security

Standards/Practices/Policies through recognized Accreditation/Certification/Validation sources

HIPAA Effect: Need to show documented, traceable evidence of HIPAA compliance through requirements definition, analysis, technology selection, product & system evaluation/validation by recognized sources

(3)

The Healthcare Security

Dilemma

How can the healthcare community

satisfactorily demonstrate that its

information technology systems are

in compliance with policy

(HIPAA,

(4)

The Dilemma is multifaceted.

How do we:

• capture needs and concerns in

implementable policy?

• translate policy into technology?

• confirm technology complies with

(5)

Security Requirements

Compliance with what

???

• Healthcare IT security architecture(s)

– operational environment – functional needs

– security objectives

• Policy

– public law

– federal, state, local, organizational policy – standards

– regulations – et al

(6)

Basic Healthcare IT Security

Problem

• Lack of a common language to bridge the

communication gap among HC security policy

makers, standards organizations, consumers and developers

• Lack of a common structure for expressing HC security requirements and assurance

• Lack of accredited labs & recognized sources for – evaluating the security properties of HC products

(7)

Is there an industry-recognized

methodology or mechanism to

bring some coherence to this

problem

(8)

The

Common Criteria

a promising, and accepted, solution

• International Standard (ISO/IEC 15408) • Practical way to specify and measure IT

security

– capture users’ functional and assurance requirements

– translate policy into product/system specifications – guide product/system development

– evaluate products/systems

(9)

Standard for

Defining Security Requirements

Standard for

Defining Security Requirements

Common Criteria (CC), a.k.a. ISO/IEC International Standard 15408, provides a

framework for defining security requirements (both features and assurances) in IT products • CC Protection Profiles (PP) describe

generalized security requirements for a class of IT products (from consumers perspective), e.g., banking, healthcare

• CC Security Targets (ST) describe specific security claims by producers of IT products

(10)

Kinds of Requirements

• Functional Requirements

for defining security behavior

implemented requirements become security functions

• Assurance Requirements

for establishing confidence in security functions

correctness of implementation

(11)

Defining Security

Requirements

Defining Security

Requirements

• Determine probability of data insecurity • Determine business impact

from data insecurity • Derive level of concern (Data Protection Level - DPL)

• Determine Security Assurance Requirements • Determine Security

Functional Requirements

• Define User Roles • Determine Access Needs • Map Users to Data Access • Define Criteria for Access to Data (includes Data Control Class - DCC)

• Determine Logical and Physical Data Architecture

Design solution with adequate functionality and assurance

• Identify Security Policies • Identify data owner

Functionality

(12)

Protection Profiles

Moving Toward Compliance

• Consumers specify generalized requirements in PP(s)

– Implementation-independent

– States security problem to be solved

– Specifies functional and assurance requirements – Can be adopted, tailored or developed for

healthcare

• Developers/vendors build specific products to satisfy PP(s)

– To satisfy customer demand – For competitive advantage

(13)

Protection Profiles (generic)

& Security Targets (specific)

Protection Profiles (generic)

Protection Profiles (generic)

& Security Targets (specific)

& Security Targets (specific)

Consumer …..

Protection Profile contentsIntroduction

TOE Description

Security EnvironmentSecurity Environment

Assumptions

Threats

Organizational Security Policies

Security ObjectivesSecurity Objectives

Security RequirementsSecurity Requirements

Functional Req’ts

Assurance Req’ts

Rationale

Developer/Vendor …..

Security Target contentsIntroduction

TOE Description

Security EnvironmentSecurity Environment

Assumptions

Threats

Organizational Security Policies

Security ObjectivesSecurity Objectives

Security RequirementsSecurity Requirements

Functional Req’ts

Assurance Req’ts

TOE Summary SpecificationTOE Summary Specification

PP Claims PP Claims

(14)

Benefits of using the

Common Criteria

• A common language for specifying security functional & assurance requirements

• A comprehensive catalogue of security requirements that

– can be mixed/matched, extended & refined

(15)

Benefits of using Protection

Profiles

• Standard framework for capturing

– government & social policies & regulations – enterprise specific policies & objectives

• Standard structure for articulating security functional & assurance requirements of

solutions (products) that

address specific HC security policies

meet specified HC security objectives

address specified HC risks/threats

(16)

Common Criteria

Evaluation/Validation

Scheme (CCEVS)

• Internationally recognized program

– that accredits commercial security evaluation labs • to use approved test methods e.g., CEM

standard

• to evaluate products claiming compliance to CC-based security requirements traceable to security policies

– provides independent validation of commercial labs’ evaluations

(17)

Demonstrating

Compliance

Demonstrating

Compliance

NIAP Validation Body Accreditation

Consumers Consumers Consumers Consumers

Validated Products Lists NIAP Validated Products List Accreditation Bodies NVLAP IT Product Developer 4 3 2 1 3 4 Accredited Testing Labs 2 Private Sector Validation Bodies 3 3 4 4

Activity 1: Developer self declaration of conformity.

Activity 2: Conformance demonstrated by 3rd party evaluation only.

Activity 3: Conformance demonstrated by 3rd party evaluation and private sector validation. Activity 4: Conformance demonstrated by 3rd party evaluation and U.S. Government validation.

(18)

Benefits of using CCEVS

• Increases consumer confidence about purchased products

verifies products built right, do what’s expected, comply with policies

• Lowers user expenses

– shortens acquisition cycles

outsourced security testing minimizes acceptance testing

fosters “build/buy/use anywhere” strategy

– increases vendor competitiveness – decrease liability costs

legal: can provide “due diligence” & “best practices” evidence

(19)

Mutual Recognition

Arrangement

NIAP, in conjunction with the U.S. State Department, negotiated a Common Criteria Recognition

Arrangement that:

• Provides recognition of U.S. issued Common Criteria certificates by 13 nations:

Australia, Canada, Finland, France, Germany, Greece, Israel, Italy, New Zealand, Norway, Spain, The Netherlands, United Kingdom

• Minimizes need for costly security evaluations in more than one country

• Offers excellent global market opportunities for U.S. IT industry

(20)

Common Criteria Information

Common Criteria Information

Common Criteria Information

For more introductory info about the CC:

NIST

NIST--ITL Bulletin (11/98)ITL Bulletin (11/98) , get it at:

http://csrc.nist.gov/cc/info/cc_bulletin.htm

http://csrc.nist.gov/cc/info/cc_bulletin.htm

To obtain a copy of the

To obtain a copy of the CC: An IntroductionCC: An Introduction and and

CC User Guide

CC User Guide brochuresbrochures

http://csrc.nist.gov/cc/info/infolist.htm

http://csrc.nist.gov/cc/info/infolist.htm

To get sample Protection Profiles:

http://csrc.nist.gov/cc/pp/pplist.htm

http://csrc.nist.gov/cc/pp/pplist.htm http://www.iatf.net

http://niap.nist.gov/cc-scheme/PPRegistry.html

For further information on the CCEVS and Validated Products

http://niap.nist.gov/cc-scheme

(21)

Have these concepts actually

(22)

The Forum on Privacy and

Security in Healthcare

Sponsored by industry and the

National Information Assurance

(23)

General Focus of the Forum

Seek industry adoption of a common

method to establish compliance with

applicable security-related

(24)

Strawman target for

Demonstration

Construct CC PP(s) that will articulate

system requirements to capture HIPAA regulatory requirements

Demonstrate how PPs and the supporting

NIAP testing infrastructure can provide

traceable Healthcare Security Information Systems requirements from policies

(25)

Status of NIAP Common Criteria

Healthcare Examples

HC MethodologyDraft Development of a Methodology & Reference Architecture for Construction of Security

Protection Profiles for Healthcare Information Systems”

[Scheduled Revision 12/01]

HCFA based “Draft Security Functional Package for

Systems Transmitting Sensitive HCFA Data (STS-HCFA)”

[Scheduled Revision 10/01]

HIPAA based “Draft Functional Profile for Healthcare Provider Intranet with Limited Internet Exposure”

[Scheduled Revision 11/01]

HC Application Protection Profile - HIPAA based

“Patient Point-of-Care Admission, Discharge & Transfer”

(26)

The Forum on Privacy and

Security in Healthcare

(FPSH)

• Incorporated as non-profit charitable organization • Liaison established with

– Smart Card Security Users Group,

– AFEHCT/WEDI Project, CPRI-HOST, – HIPAA Summit Project, etc.

• Liaison discussions with Nat’l Assoc. of Chain Drug Stores (NACDS) and Electronic Healthcare Network Accreditation Commission (EHNAC) • FPSH website (http://healthcaresecurity.org)

(27)

How can the industry

[healthcare org,

vendors/developers and

certifying organizations]

take

part in developing a set of

(28)

Send contact info and queries to:

[email protected]

(29)

For More Information

• Forum on Privacy and Security in Healthcare

- http://

www.healthcaresecurity.org

The Healthcare Security Dilemma:

Demonstrating Compliance

(white paper)

http://

www.arca.com

• NIAP Website http://

niap.nist.gov

• NIAP interim Protection Profile Registry

http://

csrc.nist.gov/cc/pp/pplist.htm

(30)

Summary

• ISO/IEC 15408 Common Criteria for IT Security Evaluation and NIAP IT product/system

evaluation and validation infrastructure an

approach for “due diligence” in HC IT security • NIAP providing sample protection profiles for

selected HC environments as proof of concept for healthcare

• Demonstrating CC/PP paradigm tool for providing traceable and documented evidence of

implementation of high level healthcare policy (i.e., HIPAA & HCFA) to product compliance

(31)

Contact Information

Contact Information

For further information contact:

L. Arnold Johnson

National Institute of Standards and Technology Information Technology Laboratory

100 Bureau Dr. Building 820 (NIST North) Stop 8930 Gaithersburg, MD 20899

email: [email protected] phone: (301) 975-3247 web: http://niap.nist.gov fax: (301) 948-0275

References

Download now ( PDF - 31 Page - 239.22 KB )

Related documents

Macro-performance evaluation of friction stir welded automotive tailor-welded blank sheets: Part I – Material properties

As for the isotropic hardening, the Voce type work hardening law showed better curve fitting for aluminum base materials and aluminum/DP590 weld zones while, for DP590 base

Manichaeism and Its Legacy (Nag Hammadi and Manichaean Studies)

1) Gold’s affi rmation that it is the Magdalene who is the important Mary in Gnosticism continues to invite further investigation; but less equivocal is her identifi cation

Dear Exhibitor, OPTION #1 (The Expo Group)

This declaration of compliance with the security requirements as noted herein is an acknowledgement of Smart City’s filtering policies and must be completed,

RIMS ANNUAL CONFERENCE & EXHIBITION DEADLINE FOR ADVANCED RATE

This declaration of compliance with the security requirements as noted herein is an acknowledgement of Smart City’s filtering policies and must be completed,

6766994-Aprilia C361m C364m C216m 50cc 2004 - 2005 Engine Workshop Manual Repair Manual Service Manual Download

When the complete driven pulley assembly is attached, check that the belt is free so as to prevent the risk of false tightening that might cause damage to the drive shaft knurl-

Dynamic implications of patenting for crop genetic resources:

As the distance from the timing of the previous patent increases, or the period of overhang decreases, area C becomes smaller and the current payoff increases, given the patent

Impure Public Goods and Technological Interdependencies

In contrast to the unambiguous impacts of the increase in p s predicted by the analytical impure public good model, the model’s forecasts of effects of a change in the level s of

KC 1.2: Rights-Based Approaches in Rural Heritage - Principles and Practice

a) ICOMOS members acknowledge that they have a general moral obligation to conserve cultural heritage and to transmit it to present and future generation, and they have