Information Security Risk Assessment Guidelines

Introduction and Overview

Information security risk assessment is an on-going process of discovering, correcting and preventing security problems. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems. Information security risk assessments are part of sound security practices and are required by the Commonwealth Enterprise Information Security Policy. Risk assessments and related documentation are also an integral part of compliance with HIPAA security standards (see below).

The risk assessment will help each agency determine the acceptable level of risk and the resulting security requirements for each system. The agency must then devise, implement and monitor a set of security measures to address the level of identified risk. For a new system the risk assessment is typically conducted at the beginning of the System Development Life Cycle (SDLC). For an existing system, risk assessments may be conducted on a regular basis throughout the SDLC and/or on an ad-hoc basis in response to specific events, such as when major modifications are made to the system's environment, or in response to a security incident or audit.

%&is risk assessment met&"d"l"gy is $ased "n t&e

%&is risk assessment met&"d"l"gy is $ased "n t&e CMS Information Security RA Methodology CMS Information Security RA Methodology ,, devel"ped $y t&e !ederal

devel"ped $y t&e !ederal epartment "! Healt& and Human Services, (enters !"r 4edicare andepartment "! Healt& and Human Services, (enters !"r 4edicare and 4edicaid Services

4edicaid Services +(4S, )&ic& is +(4S, )&ic& is availa$le at availa$le at )))))).cms.&&s.g"vits.cms.&&s.g"vitsecurityd"csRA5mecurityd"csRA5met&.pd!.et&.pd!. It is presented in t&ree p&ases6

It is presented in t&ree p&ases6

System "cumentati"n P&aseSystem "cumentati"n P&ase

Risk eterminati"n P&aseRisk eterminati"n P&ase

Sa!eguard eterminati"n P&aseSa!eguard eterminati"n P&ase

%&e risk assessment rep"rt6 %&e risk assessment rep"rt6

Summari7es t&e system arc&itecture and c"mp"nents, and its "verall level Summari7es t&e system arc&itecture and c"mp"nents, and its "verall level "! security"! security

Includes a list "! t&reats and Includes a list "! t&reats and vulnera$ilitivulnera$ilities, t&e system3s current security c"ntr"ls, and itses, t&e system3s current security c"ntr"ls, and its

risk levels risk levels

Rec"mmends sa!eguards, and descri$es t&e epected level Rec"mmends sa!eguards, and descri$es t&e epected level "! risk t&at )"uld remain i!"! risk t&at )"uld remain i!

t&ese sa!eguards )ere put in

t&ese sa!eguards )ere put in placeplace

S&")s )&ere an "rgani7ati"n needs t" S&")s )&ere an "rgani7ati"n needs t" c"ncentrate its remedial )"rkc"ncentrate its remedial )"rk

(an $e used as input t" t&e agency3s $usiness c"ntinuity plan(an $e used as input t" t&e agency3s $usiness c"ntinuity plan

Presents t&ese !indings t" management.Presents t&ese !indings t" management.

Note on HIPAA Security

Commonwealth agencies defined as Covered Entities (CE's), and those who are Business Associates of CE's, must comply with the HIPAA security rule, 45 CFR parts 160, 162 and 164. The HIPAA security framework calls for due diligence based on good business practices, for systems handling electronic protected health information (EPHI). Creating an Information Risk Assessment Report satisfies the Rule's requirements to analyze risks, formulate appropriate safeguards, and document the risk management decision-making process (45 CFR part 164.308(a)(1)(ii)(A)(B)) and informs the agency's actions in complying with other parts of the rule.

Team Members

A sample representative risk assessment team may include the functions listed below. Each team member may perform more than one function. HIPAA-affected agencies should secure the involvement of their HIPAA security officer. Some functions overlap, for functions where team members review each other's work. See Appendix C for more detail on these roles.

Risk assessment manager
System or network administrator
Technical reviewer
System business owner
System technical owner
Executive sponsor
Information security officer

The Risk Assessment Report

A Risk Assessment (RA) Report applies to a selected information system. An information system is a group of computing and network components that share a business function, under common ownership and management. The Report will include:

A documented system inventory, listing all system components and establishing the system boundary for the purposes of the Report
Documentation of the system's policies and procedures, and details of its operation
List of threat / vulnerability pairs, with severity of impact and likelihood of occurrence
List of safeguards for controlling these threats and vulnerabilities
List of recommended changes, with approximate levels of effort for each
For each recommended change, the resulting reduction in risk
The level of residual risk that would remain after the recommended changes are implemented.

The Report will reflect the security policies and objectives of the agency's information technology management. It will be presented in a face-to-face meeting with the system business and technical owners, the risk assessment manager, and other project team members.

A Risk Assessment Report is not intended to create or include the following; however, it should be used as input for:

A system security plan, new security architecture, audit report, or system accreditation
System security policies, or assignment of staff responsibility for system security
Detailed dataflows
Exact dollar cost estimates or justifications
Assignment or acceptance of legal responsibility for the security of the system
In-depth analysis or resolution of specific security incidents or violations
Contract review.

Appendix D provides a template for the documentation of the Risk Assessment report.

Tasks

The project chart (a Gantt chart scheduled over March 2003 in the original) shows the sequence of high-level tasks, listed here by task ID. The complete list of tasks and durations will be created, estimated and scheduled by the team.

Risk Assessment Project

1 System Documentation Phase
2 1.0 Set boundary for selected system
3 1.1 Record system identification information
4 1.2 Document system purpose and description
5 1.3 Document the system security level
6 2 System Risk Determination Phase
7 2.1 Identify threats and vulnerabilities
8 2.2 Describe risks
9 2.3 Identify existing controls
10 2.4 Determine likelihood of occurrence
11 2.5 Determine severity of impact
12 2.6 Determine risk levels
13 3 Safeguard Determination Phase
14 3.1 Recommend controls and safeguards
15 3.2 Determine residual likelihood of occurrence
16 3.3 Determine residual severity of impact
17 3.4 Determine residual risk level
18 Report presentation, archiving and sign-off

System Documentation Phase

Document system identification
Document system purpose and description
Document the system security level.

The team must make a decision about where to draw the boundaries of the system to be assessed.

Risk Determination Phase

Identify threats
Identify vulnerabilities
Describe risks
Identify existing controls
Determine likelihood of occurrence
Determine severity of impact
Determine risk level.

The team must decide whether to include only controls that are currently implemented, or to include controls that are budgeted and scheduled for implementation.

Safeguard Determination Phase

- Recommend controls and safeguards
- Determine residual (remaining) likelihood of occurrence if controls and safeguards are implemented
- Determine residual severity of impact if candidate controls and safeguards are implemented
- Determine residual risk levels.

Risk Assessment Process

1.0 System Documentation Phase

The System Documentation Phase provides a description of the system and the data it handles, as computing assets used to fulfill the organization's business mission. This phase establishes a framework for subsequent risk assessment phases.

The system owner provides the system identification, including the system description, business function and assets. For new systems, these are defined when the system is first conceived and developed during the SDLC's design and implementation phases (see Appendix B).

Phase 1: Set the boundaries for the set of components that constitute the information system. An information system is a group of computing and supporting components that share a business function, under common ownership and management.

Key Team Member(s): System administrator, Technical reviewer, System technical owner

Output: High-level documentation and network diagram showing the system and adjacent systems, with a line showing the cut-off for the scope of this risk assessment.

1.1 System Identification

List the system name, other related information, and the responsible organization. See the System Identification table in Appendix D.

Task 1.1: Complete and verify system identification and responsible contacts.

Key Team Member(s): System administrator, Technical reviewer, System technical owner, Risk assessment manager

Output: Complete 1-1 System Identification table in Appendix D.

1.2 System Purpose and Description

To identify the assets covered by the RA, provide a brief description of the function and purpose of the system and the organizational business processes it supports, including functions and processing of data.

Technical Description and Environmental Factors

General description of function and purpose of the system
General functional requirements
Business processes supported
Applications supported, services running
General information flow
Network diagram with system boundaries
Description of physical components
Physical component asset and tag numbers
Physical location, environmental controls in place
Environmental factors that give rise to security concerns
Technical and business users, list of system user accounts
System ownership: shared or dedicated

System Connections and Information Sharing

Connected components
LAN and WAN connections and topology, firewall configurations
Software dependencies
Interfaces

Task 1.2: Document the system's business function, components, environment and connections.

Key Team Member(s): System administrator, Technical reviewer, System technical owner, System business owner, Information security officer

Output: Complete 1-2 System Purpose and Description table in Appendix D.

1.3 System Security Level

Describe and document the information handled by the system, and identify the overall system security level. The classification levels and the categories assigned to different types of information should correspond to the agency's information classification designations. Information security levels and designations should be part of the agency's information security policy.

Appendix A, Information Security Levels, provides examples of security levels and how they can be assigned to different categories of information.

For this step, the team will document the sensitivity of the information handled by the system, then classify the resulting level of security requirements for the system itself.

This element includes a general description of the information, the information's sensitivity, and system criticality. It includes requirements for confidentiality, integrity, availability, auditability and accountability as dictated by the agency's information security policy.

Task 1.3: Document the criticality and sensitivity of the information the system handles, with brief references to the agency's information security policy, and the overall system security requirements.

Key Team Member(s): Technical reviewer, System business owner, System technical owner

Output: Complete 1-3 Information Security Levels and Overall System Security Level table in Appendix D.

2.0 Risk Determination Phase

The goal of the Risk Determination Phase is to calculate the level of risk for each threat / vulnerability pair based on the likelihood of a threat exploiting a vulnerability, and the severity of impact that the exploited vulnerability would have on the system, its data and its business function. Consider the impact in terms of loss of confidentiality, integrity or availability of the data classified in Task 1.3.

Information will be collected in the form of questionnaires, interviews, documentation review, and automated scanning tools.

The Risk Determination Phase is comprised of six steps:

1. Identify potential dangers to information and system (threats).
2. Identify the system weaknesses that could be exploited (vulnerabilities) and associate each with a threat to generate the threat / vulnerability pair.
3. Identify existing controls to reduce the risk of the threat exploiting the vulnerability.
4. Determine the likelihood of occurrence for a threat exploiting a related vulnerability given the existing controls.
5. Determine the severity of impact on the system by an exploited vulnerability.
6. Determine the risk level for a threat / vulnerability pair given the existing controls.

This six-step process for Risk Determination is conducted for each identified threat / vulnerability pair. Use the Risk Determination Table in Appendix D to document the analysis performed in this phase.

2.1 Identify Threats and Vulnerabilities

First, identify threats that could exploit system vulnerabilities. Refer to the CMS Threat Identification Resource (www.cms.hhs.gov/it/security/docs/Threat_ID_resource.pdf) for possible environmental, physical, human, natural, and technical threats. Using the output of task 1.2, consider the system's connections, dependencies with other systems, inherited risks and controls, risks from software faults, staff errors and malicious intent, and such factors as proximity to the Internet, incorrect file permissions, risks from maintenance procedures and personnel changes.

Next, consider the potential vulnerabilities associated with each threat, to produce a pair. A vulnerability can be associated with one or more threats. Collect input from previous risk assessments, audits, system deficiency reports, security advisories, scanning tools, security test results, system development testing, industry and government listings such as sans.org and securityfocus.com, vendor advisories, and the NIST vulnerability database at icat.nist.gov.

Task 2.1: Descriptions of threat / vulnerability pairs.

Key Team Member(s): System administrator, Technical reviewer, System technical owner

Output: Complete the "Item No.", "Threat Name" and "Vulnerability Name" columns in 2-0 Risk Determination table in Appendix D.

2.2 Describe Risks

Describe how each vulnerability creates a risk to the system in terms of the confidentiality, integrity, availability, auditability or accountability elements that may result in a compromise of the system.

Task 2.2: Describe risks in relation to threat / vulnerability pairs.

Key Team Member(s): System administrator, Technical reviewer, System technical owner

Output: Complete the "Risk Description" column of the 2-0 Risk Determination table in Appendix D.

2.3 Identify Existing Controls

Identify existing controls that reduce the likelihood or probability of a threat exploiting a system vulnerability, and/or reduce the magnitude of impact of the exploited vulnerability on the system. Existing controls may be management, operational or technical controls depending on the threat / vulnerability and the risk to the system.

Task 2.3: Description of system controls, cross-referenced with threat / vulnerability pairs.

Key Team Member(s): System administrator, Technical reviewer, System technical owner

Output: Complete the "Existing Controls" column of 2-0 Risk Determination table in Appendix D.

2.4 Determine Likelihood of Occurrence

Estimate the likelihood that a threat will exploit a vulnerability. Likelihood of occurrence is based on a number of factors that include system architecture, system environment, information system access and existing controls; the presence, motivation, tenacity, strength and nature of the threat; the presence of vulnerabilities; and the effectiveness of existing controls.

Refer to this table when estimating the likelihood that the threat will be realized and exploit the vulnerability on the system.

Likelihood of Occurrence Levels

Likelihood    Description
Negligible    Unlikely ever to occur
Very Low      Likely to occur two/three times every five years
Low           Likely to occur once every year or less
Medium        Likely to occur once every six months or less
High          Likely to occur once per month or less
Very High     Likely to occur multiple times per month
Extreme       Likely to occur multiple times per day

Task 2.4: Threat / vulnerability pairs with likelihood of successful exploitation.

Key Team Member(s): System administrator, Technical reviewer, System technical owner

Output: Categorize threat / vulnerability pairs by likelihood of occurrence, and complete the "Likelihood of Occurrence" column of 2-0 Risk Determination table in Appendix D.

2.5 Determine Severity of Impact

Determine the magnitude or severity of impact on the system's operational capabilities and the information it handles, if the threat is realized and exploits the associated vulnerability. Determine the severity of impact for each threat / vulnerability pair by evaluating the potential loss in each security category (confidentiality, integrity, availability, auditability, accountability) based on the system's information security level as explained in Appendix A.

Impact Severity Levels

Impact         Description
Insignificant  Little or no impact
Minor          Minimal effort to repair, restore or reconfigure
Significant    Small but tangible harm, maybe noticeable by a limited audience, some embarrassment, some effort to repair
Damaging       Damage to reputation, loss of confidence, significant effort to repair
Serious        Considerable system outage, loss of connected customers, business confidence, compromise of a large amount of information
Critical       Extended outage, permanent loss of resource, triggering business continuity procedures, complete compromise of information

Task 2.5: Threat / vulnerability pairs with severity of successful exploitation.

Key Team Member(s): System administrator, Technical reviewer, System technical owner, System business owner

Output: Categorize threat / vulnerability pairs by severity or magnitude of impact, and complete the "Impact Severity" column of 2-0 Risk Determination table in Appendix D.

2.6 Determine Risk Levels

Risk level is derived by combining the likelihood of occurrence with the severity of impact; it is read from the Risk Levels table below rather than computed arithmetically. The final value is subject to the system business and technical owners' discretion.

Risk determination

For each threat / vulnerability pair, assess the following:

- Likelihood of the threat attempting to exercise the vulnerability
- Magnitude of impact if the threat / vulnerability exploit is successful
- Adequacy of planned or existing security controls for reducing or eliminating risk

Note: The project team must decide whether to use only currently implemented controls for this analysis, or to include controls that are budgeted and scheduled for installation, and document that decision in the Report.

- Resulting risk to the information on the system from the threat and vulnerability.

This table shows the resulting risk level, for each degree of likelihood (rows) and each level of impact severity (columns).

Risk Levels

Likelihood of Occurrence   Impact Severity
                           Insignificant  Minor     Significant  Damaging  Serious   Critical
Negligible                 Low            Low       Low          Low       Low       Low
Very Low                   Low            Low       Low          Low       Moderate  Moderate
Low                        Low            Low       Moderate     Moderate  High      High
Medium                     Low            Low       Moderate     High      High      High
High                       Low            Moderate  High         High      High      High
Very High                  Low            Moderate  High         High      High      High
Extreme                    Low            Moderate  High         High      High      High

Task 2.6: Threat / vulnerability pairs with assigned risk levels.

Key Team Member(s): System administrator, Technical reviewer, System technical owner, System business owner

Output: Combine the likelihood of occurrence with magnitude of impact to derive the risk level for each threat / vulnerability pair. Consider the risks to the information on the system, and complete the "Risk Level" column of 2-0 Risk Determination table in Appendix D.

3.0 Safeguard Determination Phase

The safeguard determination phase involves identification of additional controls, safeguards or corrective actions to minimize the threat exposure and vulnerability to exploitation for each threat / vulnerability pair with a moderate or high risk level. The residual risk level is the amount of risk that would remain if the recommended control or safeguard were implemented.

Safeguard determination steps:

1. Identify controls and safeguards to reduce the risk level of each threat / vulnerability pair, if the risk level is moderate or high.
2. Determine the residual likelihood of occurrence of the threat if the recommended safeguard is implemented.
3. Determine the residual impact severity of the exploited vulnerability once the recommended safeguard is implemented.
4. Determine the residual risk level for the system.

Consider safeguards related to testing and maintenance, improved audit capability, and restricting physical access.

3.1 Recommend Controls and Safeguards

Identify controls and safeguards to reduce the risk presented by each threat / vulnerability pair with a moderate or high risk level as identified in the Risk Determination Phase. When identifying a control or safeguard, consider:

1. Security area where it belongs, such as management, operational, technical.
2. Method it employs to reduce the opportunity for the threat to exploit the vulnerability.
3. Its effectiveness in mitigating the risk to information.
4. Policy and architectural parameters required for its implementation in the environment.
5. Information security category (confidentiality, integrity, availability, access control, audit, etc.) to which the safeguard applies.
6. Whether the cost of the safeguard is commensurate with its reduction in risk.

If more than one safeguard is identified for the same threat / vulnerability pair, list them in this column in separate rows and continue with the analysis steps for each. The residual risk level must be evaluated during this phase of the assessment and may be further evaluated in risk management activities outside the scope of this project.

If the recommended safeguard cannot be completely implemented in the environment due to cost, management, operational or technical constraints, document the circumstances and continue with the analysis.

Consider control elements implemented as policies and procedures, training, and improved policy enforcement.

Task 3.1: Create a list of current, planned or available safeguards and controls suitable for protecting the information.

Key Team Member(s): System administrator, System technical owner, Technical reviewer

Output: List of safeguards and controls, with implementation considerations. Complete the "Recommended Safeguard" column in 3-0 Safeguard Determination table in Appendix D.

3.2 Determine Residual Likelihood of Occurrence

Follow the directions in section 2.4 of the Risk Determination phase, while assuming the selected safeguard has been implemented.

Task 3.2: Categorize threat / vulnerability pairs by likelihood of occurrence, assuming the selected safeguard has been implemented.

Key Team Member(s): System administrator, Technical reviewer, System technical owner

Output: Complete the "Residual Likelihood of Occurrence" column of 3-0 Safeguard Determination table in Appendix D.

3.3 Determine Residual Severity of Impact

Follow the directions in section 2.5 of the Risk Determination phase, while assuming the selected safeguard has been implemented.

Task 3.3: Categorize threat / vulnerability pairs by severity or magnitude of impact of a successful exploitation, assuming the selected safeguard has been implemented.

Key Team Member(s): System administrator, Technical reviewer, System technical owner, System business owner

Output: Complete the "Residual Impact Severity" column of 3-0 Safeguard Determination table in Appendix D.

3.4 Determine Residual Risk Levels

Determine the residual risk level for the threat / vulnerability pair and its associated risk once the recommended safeguard is implemented. The residual risk level is determined by examining the likelihood of occurrence of the threat exploiting the vulnerability and the impact severity factors in the categories of Confidentiality, Integrity and Availability.

Follow the directions in Section 2.6 of the Risk Determination phase to determine the residual risk level once the recommended safeguard is implemented.

Depending on the nature and circumstances of threats and vulnerabilities, a recommended safeguard may reduce the risk level to "Low." If such special conditions exist, make a note of the situation with a description below the table.

For new systems, the next steps would include creating a sensitivity assessment, system security requirements, risk assessment report, and system security plan in the SDLC.

Task 3.4: Repeat the derivation of the risk level for each threat / vulnerability pair from task 2.6, this time assuming the selected safeguard has been implemented.

Key Team Member(s): System administrator, Technical reviewer, System technical owner, System business owner

Output: Complete the "Residual Risk Level" column of 3-0 Safeguard Determination table in Appendix D.
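The risk-level lookup of section 2.6 and its re-use for residual risk in this section (3.4), as a Python worked example. This is illustration code added here; it is not part of the guideline or of the CMS methodology. The class, function and field names (ThreatVulnPair, risk_level, risk_summary, open_items) and the three sample threat / vulnerability pairs are this example's own assumptions; the two scales and the matrix are transcribed from sections 2.4 to 2.6.

```python
"""Risk determination (section 2.6) and residual risk (section 3.4).

Added worked example, not from the guideline: the likelihood and impact
scales and the Risk Levels matrix encoded as data, applied once with
existing controls and once assuming the recommended safeguard is in
place. Sample pairs at the bottom are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Likelihood of Occurrence Levels (section 2.4), least to most likely.
LIKELIHOOD_LEVELS = ["Negligible", "Very Low", "Low", "Medium", "High",
                     "Very High", "Extreme"]
# Impact Severity Levels (section 2.5), least to most severe.
IMPACT_LEVELS = ["Insignificant", "Minor", "Significant", "Damaging",
                 "Serious", "Critical"]

# Risk Levels matrix (section 2.6): row = likelihood, column = impact.
RISK_MATRIX = {
    "Negligible": ["Low", "Low", "Low", "Low", "Low", "Low"],
    "Very Low":   ["Low", "Low", "Low", "Low", "Moderate", "Moderate"],
    "Low":        ["Low", "Low", "Moderate", "Moderate", "High", "High"],
    "Medium":     ["Low", "Low", "Moderate", "High", "High", "High"],
    "High":       ["Low", "Moderate", "High", "High", "High", "High"],
    "Very High":  ["Low", "Moderate", "High", "High", "High", "High"],
    "Extreme":    ["Low", "Moderate", "High", "High", "High", "High"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Read the risk level from the matrix; reject values off either scale."""
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood level: {likelihood!r}")
    if impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {impact!r}")
    return RISK_MATRIX[likelihood][IMPACT_LEVELS.index(impact)]


@dataclass
class ThreatVulnPair:
    """One row of the 2-0 / 3-0 tables (field names are this example's)."""
    item_no: int
    threat: str
    vulnerability: str
    likelihood: str                             # task 2.4, existing controls
    impact: str                                 # task 2.5, existing controls
    safeguard: Optional[str] = None             # task 3.1
    residual_likelihood: Optional[str] = None   # task 3.2
    residual_impact: Optional[str] = None       # task 3.3

    def current_risk(self) -> str:
        """Task 2.6: risk level given existing controls."""
        return risk_level(self.likelihood, self.impact)

    def needs_safeguard(self) -> bool:
        """Section 3.0: safeguards are recommended for Moderate or High risk."""
        return self.current_risk() in ("Moderate", "High")

    def residual_risk(self) -> Optional[str]:
        """Task 3.4: same matrix, residual inputs. None when no safeguard."""
        if self.safeguard is None:
            return None
        # A safeguard that changes only one factor leaves the other unchanged.
        lk = self.residual_likelihood or self.likelihood
        im = self.residual_impact or self.impact
        return risk_level(lk, im)


def risk_summary(pairs: list[ThreatVulnPair]) -> list[tuple[int, str, Optional[str]]]:
    """(item_no, current risk, residual risk) per pair, in item order."""
    return [(p.item_no, p.current_risk(), p.residual_risk())
            for p in sorted(pairs, key=lambda p: p.item_no)]


def open_items(pairs: list[ThreatVulnPair]) -> list[int]:
    """Items still Moderate or High after safeguards: report these to management."""
    return [p.item_no for p in pairs
            if (p.residual_risk() or p.current_risk()) in ("Moderate", "High")]


# Constructed sample pairs for this example (not from the guideline).
SAMPLE_PAIRS = [
    ThreatVulnPair(1, "External attacker", "Unpatched Internet-facing web server",
                   likelihood="Medium", impact="Serious",
                   safeguard="Monthly patch cycle with emergency patching",
                   residual_likelihood="Very Low"),
    ThreatVulnPair(2, "Staff error", "Batch upload accepts malformed records",
                   likelihood="High", impact="Minor",
                   safeguard="Input validation plus operator confirmation",
                   residual_likelihood="Low", residual_impact="Insignificant"),
    ThreatVulnPair(3, "Power outage", "No UPS on the application server",
                   likelihood="Low", impact="Minor"),
]

if __name__ == "__main__":
    for item, current, residual in risk_summary(SAMPLE_PAIRS):
        print(f"item {item}: risk {current}, residual {residual or 'n/a'}")
    print("still open after safeguards:", open_items(SAMPLE_PAIRS))
```

Running the file prints one line per pair. Item 1 shows why task 3.4 has to be repeated rather than assumed: the patch cycle lowers likelihood from Medium to Very Low, but with a Serious impact the matrix still yields Moderate, so the pair stays on the list for management. The guideline leaves the final value to the owners' discretion; an override belongs in a separate, documented field, not in an edit to the matrix.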

Appendix A: Information Security Levels

System business and technical owners must determine the appropriate security levels based on the organization's confidentiality, integrity and availability requirements for the information, as well as its criticality to the organization's business mission. These requirements are usually contained in the agency's statutory, regulatory and policy frameworks. This is the basis for assessing the risks to business operations and assets and for selecting appropriate security controls and techniques.

Below are sample information security levels that establish common criteria for security by information category. The first table defines the information security levels. The second table provides security level examples for the various information categories. In cases where information of varying security levels is combined in one system, the highest security level takes precedence.

It is each agency's responsibility to determine information security levels for each information category based on its particular business and legal requirements. The examples below are provided for illustration purposes only.

Examples of Information Security Levels

Security Level   Description          Explanation
Low              Moderately serious   Noticeable impact on an agency's missions, functions, or reputation. A breach of this security level would result in a negative outcome or would result in damage, requiring repairs, to an asset or resource.
Moderate         Very serious         Severe impairment to an agency's missions, functions, image, and reputation. The impact would place an agency at a significant disadvantage or would result in major damage, requiring extensive repairs to assets or resources.
High             Catastrophic         Complete loss of mission capability for an extended period, or would result in the loss of major assets or resources and could pose a threat to human life.

Examples of Information Security Levels by Information Category

Information Category / Explanation and Examples / System Security Level*

Law enforcement and state security information: Information related to investigations for law enforcement purposes; security plans, contingency plans, emergency operations plans, incident reports, reports of investigations, risk or vulnerability assessments, certification reports; does not include general plans, policies, or requirements. Level: High

Life-critical information: Information critical to life-support systems (i.e., information where inaccuracy, loss, or alteration could result in loss of life). Level: High

Information about persons: Information related to personnel, medical, and similar data (e.g., salary data, social security information, passwords, user identifiers (IDs), EEO, personnel profile (including home address and phone number), medical history, employment history (general and security clearance information), and arrest/criminal investigation history). Level: Moderate

Financial, budgetary, commercial, proprietary and trade secret information: Information related to financial information and applications, commercial information received in confidence, or trade secrets (i.e., proprietary, contract bidding information, sensitive information about employees or citizens). Also included is information about payroll, automated decision making, procurement, inventory, other financially related systems, and site operating and security expenditures. Level: Moderate

Public information: Any information that is declared for public consumption by official authorities. This includes information contained in press releases. It also includes information placed on public access world-wide-web servers. Level: Low

(30)
(31)

A!!endi 8& Security in the System De#elo!ment 0ife

/ycle

+!r"m CMS Information Security RA Methodology 

 Alt&"ug& in!"rmati"n security must $e c"nsidered in all p&ases "! t&e li!e "! a system, t&e System evel"pment /i!e (ycle identi!ies !"ur speci!ic steps t&at are needed t" ensure t&at in!"rmati"n at (4S is pr"perly pr"tected. %&ese include t&e In!"rmati"n Sensitivity Assessment +Secti"n 10.; "! t&e 9usiness (ase Analysis, System Re'uirements "cument, t&e RA Rep"rt and t&e System Security Plan.

Step 1 # %&e In!"rmati"n Sensitivity Assessment +ISA

Prior to !roject initiation" the system o5ner !re!ares a 8usiness /ase Analysis 98/A:" 5hich includes the ISA 9section %;, of the 8/A:, In this ste!" the system o5ner categori<es the data according to sensiti#ity and identifies high$le#el security re7uirements that a!!ly to the system under consideration for de#elo!ment, Information from the ISA is one of the factors considered in determining if the system 5ill go for5ard into de#elo!ment and 5hat le#el of

information security 5ill *e needed, -lements from the ISA !ro#ide the initial in!ut to the RA,

Step 2 FSystem Re'uirements "cument +speci!ically Security Re'uirements

As an initial ste! of the de#elo!ment !rocess" system re7uirements are

documented for e#ery system, (he security re7uirements ser#e as a *aseline for security 5ithin the system, (he /)S )inimum Information Security Standards is a tool to assist in defining security re7uirements, +ther re7uirements may *e

determined *y *usiness or functional re7uirements, Step  F Risk Assessment Rep"rt

During the de#elo!ment !rocess" a risk assessment is conducted and the result RA Re!ort documents the #ulnera*ilities that ha#e *een identified in the system" the risks to the system resulting from the #ulnera*ilities and the efforts designed to reduce those risks" through the use of safeguards, (he RA Re!ort !ro#ides in!ut to the System Security Plan and other risk management acti#ities, Step : F System Security Plan

(he System Security Plan incor!orates all of the elements re7uired for the system o5ner to determine if the system should *e certified as meeting *oth /)S !olicy and *usiness re7uirements, Information from the RA Re!ort is incor!orated into the System Security Plan in Section 2 = )anagement /ontrols,

Security steps als" c"rresp"nd t" p&ases in t&e Integrated I% Investment 4anagement R"ad 4ap +REA4AP !"r system devel"pment. %&e REA4AP is (4S3s implementati"n standard !"r S/( and Investment 4anagement and can $e !"und at cms.&&s.g"vitr"admap. In -igure 9#1, t&e system devel"pment li!e cycle and REA4AP are s&")n "n t&e rig&t and le!t sides )it& t&e in!"rmati"n security delivera$les and t""ls entered in t&e center secti"n $et)een t&em. %&is !"rmat illustrates t&e relati"ns&ip "! t&e in!"rmati"n security tasks t" $"t& pr"cesses.

(32)
(33)

Figure B-1. Security in the System Development Life Cycle and CMS's Roadmap

(Figure reconstructed from the extracted text. Left column: IT Investment Management Road Map. Center column: Security Deliverables (rectangle) and Resources (oval). Right column: System Security in the SDLC.)

IT Investment Management Road Map

Pre-Development
1. Express need for system
2. Assess/determine data sensitivity
3. Define initial security requirements
Deliverables: Business Case Analysis 10.5 - Information Sensitivity; Acquisitions - BCA 10.5 - Information Sensitivity Assessment

Development
1. Identify detailed system security requirements during system design.
2. Develop appropriate security controls with evaluation & test procedures prior to procurement actions
3. Develop solicitation documents to include security requirements & evaluation/test procedures
4. Update security requirements as technologies are implemented
5. Identify security requirements for procurement of COTS applications/components
6. Perform design review to ensure security controls are considered prior to production
7. Ensure security features are configured, enabled, tested, and documented during development
8. Update, design, perform and document newly developed security controls
9. Document system security tests and risk assessment
10. Ensure compliance with Federal laws, regulations, policies and standards
11. Certify system and obtain system accreditation
12. Provide security training

Post-Development
1. Document all security activities
2. Perform security operations and administration
   a. Perform backups
   b. Provide security training
   c. Maintain & review user admin & access privileges
   d. Update security software as required
   e. Update security procedures as required
3. Perform operational assurance
   a. Perform & document periodic security audits
   b. Perform & document monitoring of system security
   c. Evaluate & document results of security monitoring
   d. Perform & document corrective actions
   e. Test contingency plans on a regular basis
   f. Perform Risk Assessment and update Security Plan, as needed, with each configuration change or every year
4. Document disposal of information
5. Use controls to ensure confidentiality of information

System Security in the SDLC

Requirements Definition
- Define System Requirements
- Information Security Risk Assessment

Design and Engineering
- Security Test Plan/Cases

Development
- Software Test Plan
- Program Software Unit and Integration
- Test Case Scenarios
- Test Data

Testing and Implementation
- Perform System Acceptance Testing
- Test or Validation Result Report
- Security Test Results

Implementation
- System Security Risk Assessment
- System Security Plan

Operations & Maintenance
- Updated Risk Assessment
- Updated System Security Plan

Security Deliverables (rectangle) and Resources (oval), in the order they appear in the center column
- Minimum Security Standards
- System Requirements Document (includes security)
- Threat Identification
- Identify Vulnerabilities
- Risk Assessment (Risk Determination and Safeguard Evaluation)
- System Security Plan
- Risk Assessment and System Security Plan

A!!endi /& Assessment (eam )em*ers and .unctions

-uncti"nal R"le 9ackgr"und Ergani7ati"n *mail P&"ne Risk Assessment

4anager 

rives t&e risk assessment pr"cess, c""rdinates tasks, delivera$les and sc&edule, c"mp"ses t&e rep"rt )it& input !r"m all team mem$ers.

System "r net)"rk administrat"r 

Eperates and maintains t&e system !r"m a tec&nical, day#t"# day standp"int usually t&e BPrimary System ("ntactC in t&e Sy$tem Identification ta$le. %ec&nical

Revie)er 

nderstands t&e tec&nical c"mp"nents "! t&e system, $ut )as n"t inv"lved in designing, $uilding "r "perating t&e system $eing assessed.

System $usiness ")ner 

Resp"nsi$le !"r t&e system, "r t&e services it pr"vides, !r"m a $usiness "r cust"mer

standp"int understands t&e system3s purp"se $ut n"t necessarily t&e details "! its tec&nical implementati"n. System tec&nical

")ner 

Has supervis"ry resp"nsi$ility !"r t&e "perati"n "! t&e system. *ecutive sp"ns"r *ecutive management#level

resp"nsi$ility !"r t&e system. In!"rmati"n

security "!!icer 

Resp"nsi$le !"r t&e agency3s security p"licies and "$ectives, and its "verall risk pr"!ile.

(40)
(41)

A!!endi D& Information Security Risk Assessment

(em!late

1.0 System Documentation

%,% System Identification  Agency ?ame

E!!icial System ?ame System Acr"nym

System 9usiness E)ner  System %ec&nical E)ner  System Security E)ner 

 Additi"nal System Stake&"lders

System /"cati"n -ull Address

("ntract ?um$er, ("ntract"r names, p&"ne num$ers and emails, i! applica$le

System type+s +main!rame, applicati"n  data$ase  net)"rk  !ile server, )"rkstati"n Primary System ("ntact+s, ?ame and %itle +usually t&e system administrat"r

Ergani7ati"n ?ame -ull Address

*mail Address

P&"ne and pager num$ers

%,2 System Pur!ose and Descri!tion -uncti"n and purp"se "! t&e system

General !uncti"nal re'uirements

9usiness pr"cesses, applicati"ns and services supp"rted

System c"mp"nents *nvir"nmental !act"rs

?et)"rk diagram )it& system $"undaries +attac&

General in!"rmati"n !l")

(42)
(43)

%ec&nical and $usiness users +list System ")ners&ip +s&ared "r dedicated

%,3 Information Security 0e#els and +#erall System Security 0e#el In!"rmati"n (ateg"ry

In!"rmati"n Security /evel

In!"rmati"n (ateg"ry In!"rmati"n Security /evel

In!"rmati"n (ateg"ry In!"rmati"n Security /evel

Everall System Security /evel

".0 Risk Determination

2,; Risk Determination (a*le

Item No, (hreat Name 1ulnera$ *ility Name Risk Descri!$ tion -isting /ontrols 0ikeli$ hood of +ccur$ rence Im!act Se#erity Risk 0e#el

(44)
(45)

#.0 Sa!e$uard Determination

3,; Safeguard Determination (a*le Item No, 9from Risk Determination (a*le: Recommended Safeguard Descri!tion Residual 0ikelihood of +ccurrence Residual Im!act Se#erity Residual Risk 0e#el
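The two tables above are linked by Item No.: each safeguard row restates the likelihood and impact of one risk row after the safeguard is applied. The following added example (not part of the guideline or CMS material) models both tables as records and joins them to spot risk items with no safeguard, safeguard rows that reference no risk item, and items whose residual risk is still above an accepted level. The three-step rating scale and the likelihood-by-impact matrix in risk_level() are assumptions for illustration; the sample rows are constructed.

```python
"""Risk Determination (2.1) and Safeguard Determination (3.1) rows as records.
ASSUMPTIONS: a Low/Moderate/High scale and the matrix in risk_level() below;
substitute the guideline's own rating rules when using this in practice."""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")  # assumed ordered rating scale


def risk_level(likelihood: str, impact: str) -> str:
    """Assumed matrix: add the two rating indexes (0..4); 3+ High, 2 Moderate, else Low."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    return "High" if score >= 3 else "Moderate" if score == 2 else "Low"


@dataclass
class RiskItem:  # one row of the Risk Determination Table
    item_no: int
    threat: str
    vulnerability: str
    description: str
    existing_controls: str
    likelihood: str
    impact: str

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)


@dataclass
class Safeguard:  # one row of the Safeguard Determination Table
    item_no: int  # must reference a RiskItem.item_no
    recommendation: str
    residual_likelihood: str
    residual_impact: str

    @property
    def residual_risk(self) -> str:
        return risk_level(self.residual_likelihood, self.residual_impact)


def review(risks, safeguards, accept="Low"):
    """Join both tables by Item No.; flag gaps, dangling references and residual risk above `accept`."""
    by_no = {r.item_no: r for r in risks}
    covered = {s.item_no: s for s in safeguards}
    report = {
        "initial": {n: r.risk for n, r in by_no.items()},
        "residual": {n: s.residual_risk for n, s in covered.items() if n in by_no},
        "unaddressed": sorted(n for n in by_no if n not in covered),  # risk rows lacking a safeguard
        "dangling": sorted(n for n in covered if n not in by_no),     # safeguard rows with no risk row
    }
    report["above_accepted"] = sorted(
        n for n, lvl in report["residual"].items() if LEVELS.index(lvl) > LEVELS.index(accept))
    return report


# Constructed sample rows (not taken from the guideline)
SAMPLE_RISKS = [
    RiskItem(1, "Unauthorized insider", "Shared administrator password", "Misuse of admin access",
             "Audit logging", "Moderate", "High"),
    RiskItem(2, "Flood", "Server room below grade", "Loss of availability", "None", "Low", "Moderate"),
]
SAMPLE_SAFEGUARDS = [
    Safeguard(1, "Individual admin accounts with two-factor authentication", "Low", "High"),
    Safeguard(3, "Refers to a non-existent item", "Low", "Low"),
]
```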

Signatures

Submitted by: _______________________ Date: _________ Risk Assessment Manager

Reviewed by: _______________________ Date: _________ Title

Approved by: _______________________ Date: _________ Title
