...©iStockphoto/Ljupco 36 June 2015 | practicallaw.com © 2015 Thomson Reuters. All rights reserved. The NIST Cybersecurity Framework Data breaches in organizations have rapidly increased in recent years. In 2014, the National Institute of Standards and Technology (NIST) issued a voluntary framework that is fast becoming the de facto standard for organizations to assess their cybersecurity programs. RICHARD RAYSMAN JOHN ROGERS PARTNER HOLLAND & KNIGHT LLP CHIEF TECHNOLOGIST BOOZ ALLEN HAMILTON INC. Richard’s practice concentrates on computer law, outsourcing, complex technology transactions and intellectual property. He has significant experience in structuring technology transactions and has represented clients in billions of dollars of outsourcing transactions in addition to litigating reported cases. Richard is a guest contributor to The Wall Street Journal on technology issues, and Chambers has selected him as a leading technology attorney. Prior to practicing law, Richard was a systems engineer for IBM Corporation. © 2015 Thomson Reuters. All rights reserved. John has extensive information security experience in a variety of industries including financial services, retail, healthcare, higher education, insurance, non-profit and technology services. He focuses on improving client cybersecurity programs, assessing these programs against industry standards, designing secure solutions and performing cost/benefit analyses. ...
Words: 4438 - Pages: 18
...White Paper Understanding NIST 800‐37 FISMA Requirements Contents Overview ................................................................................................................................. 3 I. The Role of NIST in FISMA Compliance ................................................................................. 3 II. NIST Risk Management Framework for FISMA ..................................................................... 4 III. Application Security and FISMA .......................................................................................... 5 IV. NIST SP 800‐37 and FISMA .................................................................................................. 6 V. How Veracode Can Help ...................................................................................................... 7 VI. NIST SP 800‐37 Tasks & Veracode Solutions ....................................................................... 8 VII. Summary and Conclusions ............................................................................................... 10 About Veracode .................................................................................................................... 11 © 2008 Veracode, Inc. 2 Overview The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E‐...
Words: 2451 - Pages: 10
...NIST Special Publication 800-39 Managing Information Security Risk Organization, Mission, and Information System View JOINT TASK FORCE TRANSFORMATION INITIATIVE INFORMATION SECURITY Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 March 2011 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Director Special Publication 800-39 Managing Information Security Risk Organization, Mission, and Information System View ________________________________________________________________________________________________ Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines...
Words: 1680 - Pages: 7
...CATEGORY A-GOODS AND GENERAL SERVICES NIST/001 /2015/2016 - supply of fresh meat NIST/002/2015/2016 - supply of fresh bread (block) NIST/003/2015/2016 - supply of fresh milk NIST/004/2015/2016 supply of dry beans, dry maize and Ndengu green-Women & Disability NIST/005/2015/2016 - supply of sugar -Youth NIST/006/2015/2016 - supply of fresh fruits, potatoes and vegetables-Women NIST/007/2015/2016 - Supply of rice, tea leaves, cooking fat, blue band- NIST/008/2015/2016 Supply of maize flour and wheat flour-Women NIST/009/2015/2016 - supply of cleaning material, toiletries, detergents and soaps-Disability NIST/ 010/2015/2016 - supply of sanitary, and fumigation materials (pest control) NIST/011/2015/2016 - Supply of newspaper, journals and magazines-Youth NIST/012/2015/2016 - Supply of IT equipment, computers, laptop, printers, and scanners NIST/013/2015/2016 - Supply of general office stationary & printing services-Youth NIST/014/2015/2016 - Supply of Hardware materials, tools and paints. NIST/015/2015/2016 - Supply of electrical materials, and appliances NIST/016/2015/2016 - Supply of uniforms, protective clothes and equipment NIST/017/2015/2016 - Supply of games and sports equipment NIST/018/2015/2016 - Supply of building materials (sand, stones, hardcore, etc) NIST/019/2015/2016 - Supply of farm inputs (fertilizers...
Words: 459 - Pages: 2
...Background 3 NIST SP 800-94 3 Intrusion Detection and Prevention Principles 4 Key Functions of IDPS Technologies 4 Detection Options 4 Types of IDPS Technologies 5 IDPS Technologies 5 Proper Installation 6 Testing and Deployment 6 Securing the IDPS 6 IDPS Updates 6 Building and Maintaining Skills – Additional Resources Required to Support 6 Using and Integrating Multiple IDPS Technologies 7 Review of the IDPS Marketplace 8 Comparison of IPS Products 9 Summary 9 Background The National Institute of Standards and Technology commonly known and referred to as NIST, is a government funded agency. NIST defines their mission statement as “NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” (NIST General Information, 2014). NIST is involved in mostly every area of Information Technology from the latest Trusted Identity (Leithauser & Curran, 2012) standards formatting to the handling and processing of DNA (DNA research, 2013). In recent years the President of the United States signed a Memorandum implementing a Digital Government Strategy. The government recognizing mobile device vulnerabilities and the high risk of data loss assigned NIST to implement IDS and other security standards. In a recent Mobile Security Report published NIST highlights “As a part of the strategy, NIST was asked to report...
Words: 2456 - Pages: 10
...issue that non-authorized users were able to access the EHR system. HIPAA has included provision in the Security Rule that allows for remote access, but with certain limitations. I have included provision that restricts remote access based on Job Role and Job Necessity(ISO 27002:2005, 7.1.1), and restricted to assets that are owned by the hospital which have enhanced security (ISO 27002:2005, 7.1.1) (NIST, 164.312(a)(1))(ISO 27002:2005, 11.4.2). The Application Deployment policy aims to close security loop holes that appear to have been open for months before the EHR system was even deployed. There were no check on accounts when importing, and no alerts when permissions were escalated. Some of the key standards that I see as aiding in creating this policy is better change management (ISO 27002:2005, 10.1.2) (NIST, 164.308(a)(5)(ii)), operating system auditing after patching (ISO 27002:2005, 12.5.2), a better separation of development systems (ISO 27002:2005, 10.1.4)(ISO 27002:2005, 11.4.5)(ISO 27002:2005, 12.4.2), and better security on the production system (NIST, 164.312(a)(1))(NIST, 164.308(a)(5)(ii)(D)). The Routine Maintenance policy aims to take care of the loose ends that may have...
Words: 1416 - Pages: 6
...HIPAA COW Risk Analysis & Risk Management Toolkit Networking Group Guide for the HIPAA COW Risk Analysis & Risk Management Toolkit Disclaimers This Guide and the HIPAA COW Risk Analysis & Risk Management Toolkit (Toolkit) documents are Copyright by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). They may be freely redistributed in their entirety provided that this copyright notice is not removed. When information from this document is used, HIPAA COW shall be referenced as a resource. They may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This Guide and the Toolkit documents are provided “as is” without any express or implied warranty. This Guide and the Toolkit documents are for educational purposes only and do not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Guide and the Toolkit documents. Therefore, these documents may need to be modified in order to comply with Wisconsin/State law. The Toolkit provides an example HIPAA Security Risk Assessment and documents to support completing a Risk Analysis and Risk Mitigation Implementation Plan. While it covers a broad spectrum of the requirements under the HIPAA Security Rule and HITECH, it may not cover all measures needed to secure your patients’ electronic protected health information (ePHI). It...
Words: 3778 - Pages: 16
...PERFORMANCE WORK STATEMENT Table of Contents 1 OVERVIEW 1 2 CONTRACT REQUIREMENTS 1 2.1 Objectives Fulfillment 1 2.1.1 Business Objectives 1 2.1.2 Technical Objectives 2 2.1.3 Management Objectives 3 2.2 Assumptions and Constraints 3 2.2.1 Access Control 4 2.2.2 Authentication 4 2.2.3 HSPD-12 Personnel Security Clearances 4 2.2.4 Non-Disclosure Agreements 5 2.2.5 Accessibility 5 2.2.6 Data 5 2.2.7 Confidentiality, Security, and Privacy 5 2.3 Tasks/Sub-Tasks to Be Performed Related to Initiating the Service 6 2.3.1 Task 1: 6 2.3.2 Task 2: 7 2.4 Period of Performance 7 3 PERFORMANCE MANAGEMENT OF THE DELIVERED SERVICES 8 3.1 Modifications to Service Level Agreements 8 3.2 Changes to Key Performance Measures. 8 3.3 Quality Assurance Evaluation 8 3.4 Government Roles and Responsibilities. 9 3.4.1 Contracting Officer (CO) 9 3.4.2 Contract Specialist 9 3.4.3 Contracting Officer’s Technical Representative (COTR) 10 3.4.4 Other Key Government Personnel 10 3.5 Contractor Roles and Responsibilities 10 4 METHODS OF QUALITY ASSURANCE SURVEILLANCE 11 5 SECURITY REQUIREMENTS 11 5.1 Required Policies and Regulations for GSA Contracts 11 5.2 GSA Security Compliance Requirements 13 5.3 Certification and Accreditation (C&A) Activities 13 5.3...
Words: 7425 - Pages: 30
...Term Paper: Security Regulation Compliance Giancarlos Guerra Strayer University CIS 438 - Information Security Legal Issues Abstract: In this paper I shall provide an overview that will be delivered to senior management of regulatory requirements the agency needs to be aware of, including: i. FISMA; ii. Sarbanes-Oxley Act; iii. Gramm-Leach-Bliley Act; iv. PCI DSS; v. HIPAA; vi. Intellectual Property Law. Describe the security methods and controls that need to be implemented in order to ensure compliance with these standards and regulatory requirements. Describe the guidance provided by the Department of Health and Human Services, the National Institute of Standards and Technology (NIST), and other agencies for ensuring compliance with these standards and regulatory requirements. Term Paper: Security Regulation Compliance Introduction In the day-to-day operations of information security, security professionals often focus the majority of their time dealing with employee access issues, implementing security methods and measures, and other day-to-day tasks. They often neglect legal issues that affect information security. As a result, organizations often violate security-related regulations and often have to pay heavy fines for their non-compliance.” A Chief Information Officer in a government agency should realize the need to educate for senior leadership on some of the primary regulatory requirements, and realize the need to ensure that the employees in the agency...
Words: 2284 - Pages: 10
...NIST The purpose of this publication is to provide organizations with recommendations for improving the Security configuration and monitoring of their IEEE 802.11 wireless local area networks (WLANs) and their devices connecting to those networks. The scope of this publication is limited to unclassified wireless networks and unclassified facilities within range of unclassified wireless networks. This publication supplements other NIST publications by consolidating and strengthening their key recommendations, and it points readers to the appropriate NIST publications for additional information (see Appendix C for the full list of references and Appendix A for a list of major security controls relevant for WLAN security). This publication does not eliminate the need to follow recommendations in other NIST publications, such as [SP800-48] and [SP800-97]. If there is a conflict between recommendations in this publication and another NIST wireless publication, the recommendation in this publication takes precedence. NIST Special Publication 800-53 is part of the Special Publication 800-series that reports on the Information Technology Laboratory’s (ITL) research, guidelines, and outreach efforts in information system security, and on ITL’s activity with industry, government, and academic organizations. Specifically, NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance...
Words: 1201 - Pages: 5
...important employees that have key roles in their operations (NIST, 2010). Incident Recovery focuses on the set of actions that businesses will take after suffering disaster may it be natural or man-made. Its sole purpose is business preservation, meaning, how the businesses would cope and be able to operate again after a disaster occurred like loss of electricity, computer viruses, and thieves. The Incident Recovery is a just a part of BCP (NIST, 2010). Unlike BCP which focuses on how businesses will continue to operate in the midst of disasters like storms, tornados and hurricanes, the Incident Recovery focuses on how to recover from the said events and how to preserve the properties that are integral in their daily operations. The BCP carefully plans the things to make them in order to lessen the amount of damage brought by the whatever natural disaster while the Incident Recovery Plan, as what its name suggests, plans carefully how to restore and set up the business operation back to its normal condition (NIST, 2010). Developing BCP and Incident Recovery is not as simple as it may look. It involves different processes and brain storming to create and maintain these two programs. Funds also play a vital role because businesses and organizations must allocate monthly or annual funds for support. These are usually available in large business corporations and groups wherein they could afford its creation and maintenance (NIST, 2010). In summary, BCP’s main purpose is on how...
Words: 387 - Pages: 2
...Risk Management Framework Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Enterprise Risk Key activities in managing enterprise-level risk—risk resulting from the operation of an information system: Categorize the information system Select set of minimum (baseline) security controls Refine the security control set based on risk assessment Document security controls in system security plan Implement the security controls in the information system Assess the security controls Determine agency-level risk and risk acceptability Authorize information system operation Monitor security controls on a continuous basis NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2 Risk Management Framework Starting Point CATEGORIZE Information System Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. MONITOR Security State Continuously track changes to the information system that may affect security controls and reassess control effectiveness. SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. Security Life Cycle AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. IMPLEMENT Security Controls Implement...
Words: 723 - Pages: 3
...sanitization is driven by the information placed intentionally or unintentionally on the media. Electronic media used on a system should be assumed to contain information commensurate with the security categorization of the system’s confidentiality. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure of information. Categorization of an information technology (IT) system in accordance with Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems1 , is the critical first step in understanding and managing system information and media. Based on the results of categorization, the system owner should refer to NIST Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations2 , which specifies that “the organization sanitizes information system digital media using approved equipment, techniques, and procedures. The organization tracks, documents, and verifies media sanitization and destruction actions and periodically tests sanitization equipment/procedures to ensure correct performance. The organization sanitizes or destroys information system digital media before its disposal or release for reuse outside the organization, to prevent unauthorized individuals from gaining access to and using the information contained on the media.” This document will assist organizations in implementing...
Words: 3672 - Pages: 15
...Page 1 June 4, 2014 ABC Company Proposed revision of Information Security Policy Anthony Ronning: Information Security Manager OBJECTIVE: Due to the recent breach of our electronic health record (EHR) systems, it is necessary that policies pertaining to access and control mechanisms of health records be reviewed and/or modified to mitigate future incidents SPECIFIC GOALS: 1.) Implement a standard based on Attribute Based Access Control (ABAC) to ensure that electronic health records (EHR) are protected from unauthorized entities 2.) Implement a standard for the use of remote access methods to information systems 3.) Implement a standard that ensures that access to electronic health records (EHR) is audited and backed up without changes or over writing INFORMATION SECURITY POLICY GOALS: * Confidentiality = data or information is not made available or disclosed to unauthorized persons or processes * Unauthorized access = the INABILITY of unauthorized persons to read, write, modify, or communicate data/information or otherwise use any system resource * Integrity = data or information has not been altered or destroyed in an unauthorized manner * Availability = data or information is made accessible and usable upon demand by authorized users * Legislative and Regulatory Requirements = policies comply with Federal and HIPAA regulatory standards * Business continuity plan integration = policy revisions fall within the business continuity...
Words: 2279 - Pages: 10
...t h a t establishes three basic security principles “maintain reasonable and appropriate administrative, technical, and physical safeguard”. (Smedinghoff, T. (2008)) A r e a s o n a b l e a t t e m p t to provide safeguards and follow excepted standards for security can be found in the HIPAA Security Guidance, National Institute of Standards and Technologies (NIST) documents, and the SANS Institute policies. The security goal is to provide confidentiality, integrity, and availability of EHR i n f o r m a t i o n . (Smedinghoff, T. (2008)) The policies created below are to address weaknesses in the current system and provide direction on how to meet industry standards and legal requirements. A. Create three organizational policy statements: HIPAA suggests a three prone approach; physical security, technical security, and administrative security. This document will cover organizational policies for each of the three categories based on best practices and national standards such as NIST. a. Administrative security: A written policy stating procedures, standards, and guidelines to ensure honest and qualified people are granted access, provide levels of access, and steps to prevent unauthorized access. (U,S. Department of Health and Human Services,...
Words: 1128 - Pages: 5
