C726 PA ACP2 TASK 1 Notes

Author sss sss
Course Information Security and Assurance
Institution Western Governors University
Pages 12

Summary

lecture notes for c275, part one of assignment...


Description

C726 PA 1

B - Business Process Overview
● Guidance
  ○ Describe the current business processes at HBWC and the proposed process(es), including the interactions between systems and various business units. Include visual process flow diagrams to further illustrate the processes the new product will replace or enhance. Use Section 4 of the attached “Business Requirements Document Template” to record your responses for each aspect.
  ○ The submission accurately describes current business processes at HBWC and proposed processes derived from the case study and security assessment report. The submission includes interactions between systems and various business units and includes viable process flow diagrams illustrating the processes the new project will replace or enhance. All responses are recorded in Section 4 of the “Business Requirements Document Template.”
● Questions
  ○ Are the current and the proposed business process(es) described?
    ■ derived from the case study and security assessment report
  ○ Have flow diagrams been created that show the interactions between systems and various business units?
  ○ Have visual process flow diagrams been created to illustrate the processes the new product will replace or enhance?
  ○ Have the responses for each aspect been recorded in Section 4 of the attached “Business Requirements Document Template”?
● Answers





2 Artifacts
● HBWC Case Study
● HBWC Security Assessment

3 HBWC Security Assessment
● Prepared by Endothon Security Consulting, a multimillion-dollar company specializing in the security of grants and the grant process for companies and the U.S. federal government, such as the National Institutes of Health (NIH).
● Key findings
  ○ indicate HBWC needs specialized support in updating and modernizing their network, grant process, and internal controls
  ○ HBWC needs to address
    ■ 1. Lack of controls and policy covering system administration, governance, training, accountability, and other identified processes in this report.
    ■ 2. Systems design is outdated, requiring immediate attention to rectify.
    ■ 3. Web server and web-based services lack cryptographic controls, auditing, and accountability, and user accounts do not meet business or security objectives for HBWC.



      a. There is no attached database. Rather, each grant is processed as a text file, saved on a network share that is then delivered to NIH via inbuilt polling software looking for hard drive changes. This is unsuited to the current grant process developed by the U.S. federal government and must be updated.
    ■ 4. Lack of cryptographic controls is impeding the growth of HBWC and its ability to compete in the block grant process from NIH.
    ■ 5. Environmental concerns must be addressed, including disaster recovery and data center and backup concerns.
    ■ 6. Conduct a thorough analysis of existing technology and applications.
    ■ 7. Identify which elements already in place are no longer able to support the operations.
    ■ 8. Synthesize business, technical, security, and regulatory requirements for fitness in ongoing operations.
    ■ 9. Conduct a threat analysis of the applications and infrastructure to understand network- and application-security needs.
    ■ 10. Design a replacement network to the existing LAN to support
      • Secure employee remote access
      • Secure ACH data transmissions
      • Secure NPI and patient data to the required levels
      • Third-party extranet connections to cloud-based SaaS providers of services to the Office of Grants Giveaway (OGG)
● Overview
  ○ Governance / Guidance
    ■ NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems
    ■ E-Government Act of 2002
      ● Title III, Section 3544
        ○ requires agencies to conduct periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency
    ■ Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources
      ● Appendix III
        ○ Review the security controls in each system when significant modifications are made to the system, but at least every three years. §3(a)(3)
        ○ Protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information. §8(a)(1)(g); §8(a)(9)(a)
        ○ Demonstrate specific methods used to ensure that risks and the potential for loss are understood and continually assessed, that steps are taken to maintain risk at an acceptable level, and that procedures are in place to ensure that controls are implemented effectively and remain effective over time. §8(b)(3)(b)(iv)



        ○ Ensure that a management official authorizes in writing use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations. The application must be authorized prior to operating and re-authorized at least every three years thereafter. Management authorization implies accepting the risk of each system used by the application. §(3)(b)(4)
  ○ Laws and Regulations applicable to NIH
    ● Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030]
    ● E-Authentication Guidance for Federal Agencies [OMB M-04-04]
    ● Federal Information Security Modernization Act (FISMA) of 2014
    ● Freedom of Information Act as Amended in 2016
    ● Guidance on Inter-Agency Sharing of Personal Data, Protecting Personal Privacy [OMB Memo M-01-05]
    ● Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection [HSPD-7]
    ● Homeland Security Presidential Directive-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005
    ● Implementation of Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors [OMB Memo M-05-24]
    ● Internal Control Systems [OMB Circular A-123]
    ● Management of Federal Information Resources [OMB Circular A-130]
    ● Management’s Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004]
    ● Privacy Act of 1974 as amended [5 USC 552a]
    ● Protection of Sensitive Agency Information [OMB M-06-16]
    ● Records Management by Federal Agencies [44 USC 31]
    ● Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB Circular A-108, as amended]
    ● Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]
  ○ Applicable Standards and Guidance applicable to the organization
    ● A NIST Definition of Cloud Computing [NIST SP 800-145]
    ● Computer Security Incident Handling Guide [NIST SP 800-61, Revision 1]
    ● Contingency Planning Guide for Federal Information Systems [NIST SP 800-34, Revision 1]
    ● Engineering Principles for Information Technology Security (A Baseline for Achieving Security) [NIST SP 800-27, Revision A]
    ● Guide for Assessing the Security Controls in Federal Information Systems [NIST SP 800-53A]
    ● Guide for Developing Security Plans for Federal Information Systems [NIST SP 800-18, Revision 1]





    ● Guide for Developing the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [NIST SP 800-37, Revision 1]
    ● Guide for Mapping Types of Information and Information Systems to Security Categories [NIST SP 800-60, Revision 1]
    ● Guide for Security-Focused Configuration Management of Information Systems [NIST SP 800-128]
    ● Information Security Continuous Monitoring for Federal Information Systems and Organizations [NIST SP 800-137]
    ● Managing Information Security Risk [NIST SP 800-39]
    ● Minimum Security Requirements for Federal Information and Information Systems [FIPS Publication 200]
    ● Personal Identity Verification (PIV) of Federal Employees and Contractors [FIPS Publication 201-1]
    ● Recommended Security Controls for Federal Information Systems [NIST SP 800-53, Revision 4]
    ● Risk Management Guide for Information Technology Systems [NIST SP 800-30]
    ● Security Considerations in the System Development Life Cycle [NIST SP 800-64, Revision 2]
    ● Security Requirements for Cryptographic Modules [FIPS Publication 140-2]
    ● Standards for Security Categorization of Federal Information and Information Systems [FIPS Publication 199]
    ● Technical Guide to Information Security Testing and Assessment [NIST SP 800-115]
● Purpose
  ■ summary of the risks
● Scope
  ■ mission of the HBWC’s Office of Grants Giveaway (OGG) is to promote improvements in the quality and usefulness of medical grants through federally supported NIH research, evaluation, and sharing of information
  ■ distributes a variety of medical grants, with the majority of grants disbursed to small hospitals
  ■ Small Hospital Grant Tracking System (SHGTS) is the primary application used to manage this data
  ■ funding takes place using Automated Clearing House (ACH) processing
  ■ contains the hospital-specific banking data needed to process ACH payments
● System Overview
  ○ System Name
  ○ General System Description and Purpose
  ○ System Interfaces
  ○ Data
  ○ Criticality
  ○ Security Categorization
● Assessment Methodology
  ○ Overall Security Findings
  ○ Overall Findings Across All Connected Systems
● Security Assessment Results
● Nonconforming Controls
● Authorization Recommendation

4 Scenario
4.1 You are the newly hired LAN administration and security manager at Healthy Body Wellness Center (HBWC). The HBWC includes the Office of Grants Giveaway (OGG), a growing department responsible for distributing hospital research grants.
  4.1.1 LAN administrator
  4.1.2 Security Manager
4.2 The HBWC currently relies on a local area network (LAN), but plans to expand their services and hire more employees this year. It is evident the current cybersecurity architecture is limited and unable to meet current needs. In addition, HBWC’s cybersecurity architecture will need to transition to a wide area network (WAN).
  4.2.1 current cybersecurity architecture is limited and unable to meet current needs
  4.2.2 HBWC’s cybersecurity architecture will need to transition to a wide area network (WAN)
4.3 Using the attached “Healthy Body Wellness Center Case Study” and “Healthy Body Wellness Center Security Assessment Report,” conduct a security analysis of HBWC’s current technologies and applications and identify threats to the company’s existing architecture. You will use the findings from your analysis to complete the attached “Business Requirements Document Template.”
  4.3.1 conduct security analysis
  4.3.2 identify threats to the existing architecture
  4.3.3 Use findings to complete the BRD

5 A - Introduction
5.1 Guidance
  5.1.1 Summarize each aspect of the project summary, project scope, and system perspective based on the attached “Healthy Body Wellness Center Case Study” and “Healthy Body Wellness Company Security Assessment Report.” Use Section 3 of the attached “Business Requirements Document Template” to record your responses.
  5.1.2 The submission accurately summarizes each aspect of the project summary, the project scope, and the system perspective using details provided in the case study and security assessment report. All responses are recorded in Section 3 of the “Business Requirements Document Template.”
5.2 Questions
  5.2.1 Are the project summary, scope, and the system perspective accurately summarized? Use details from the case study and security assessment report.
  5.2.2 Are all responses recorded in Section 3 of the “Business Requirements Document Template”?
5.3 Answers

6 C - Business Requirements
● Guidance
  ○ The submission includes viable business requirements based on the case study and assessment report that are categorized by priority and areas of functionality. Both functional and nonfunctional requirements accurately represent the business requirements provided and can be followed throughout the project. All responses are recorded in Section 5 of the “Business Requirements Document Template.”
● Questions
  ○ Have viable business requirements been included?
    ■ based on the case study and assessment report
  ○ Are the business requirements categorized by priority and areas of functionality?
  ○ Do both the functional and nonfunctional requirements accurately represent the business requirements provided, and can they be followed throughout the project?
  ○ Are all responses recorded in Section 5 of the “Business Requirements Document Template”?
● Answers

7 HBWC Case Study
7.1 HBWC
  7.1.1 Mission and vision
    ● help patients take responsibility for their overall wellbeing
    ● educate members of the local community in the practice of wellness
  7.1.2 Plans
    ● modernization of employee payroll and benefits management across the company
      ○ Outsourced
        ■ Potential vendors are Workday, ADP, or Peoplesoft
    ● upgrade its research database
    ● develop a cloud-based grant tracking system
  7.1.3 Wants analysis of the feasibility and planning for conversion to be added for consideration to the overall design for HBWC’s future infrastructure and services
  7.1.4 Office of Grants Giveaway (OGG)
    ● distributes medical grants designed to investigate multiple facets of community wellness
      ○ majority go to small hospitals (250 beds or less)
    ● Mission and Vision
      ○ promote improvements in the quality and usefulness of medical grants through federally supported National Institutes of Health (NIH) research, evaluation, and sharing of information
    ● Small Hospital Grant Tracking System (SHGTS)
      ○ used to manage data assignment and tracking of small hospital grants
      ○ tracks the initial delivery of the grant funds, stores pertinent information, and then follows the grant through the next five hospital facilities
      ○ contains the hospital-specific banking data needed to process ACH payments
      ○ single-user system running on a desktop computer
    ● Use Cases
      ○ all principal investigators must complete their grant evaluations in the application
      ○ Only executive OGG staff can assign grant funds
    ● Reports
      ○ Each week the OGG executive officer receives a grant status report
      ○ Each month, each principal investigator is briefed on the status of their current grants
    ● Future concern
      ○ Paperwork Reduction Act: the federal government is moving their application from paper-based to an online submission system
      ○ Grant funding takes place using automated clearing house (ACH) processing
    ● Future Needs
      ○ Expecting more medical grants from the NIH
      ○ Needed growth of the office’s staff
      ○ Upgrade the infrastructure to support the current workforce: part-time workers, work-from-home employees, and contractors
      ○ creation of remote office branches
      ○ collecting the requirements for a new, web-based portal
        ■ for use by recipients of grants and researchers
        ■ will contain patient-sensitive and other nonpublic information (NPI) managed by OGG staff

  7.1.5 Existing
    ● primarily Microsoft-based
    ● programmers fluent in C# and VB.NET
    ● ISP is Pogtech Communications
      ○ provides broadband access for internal and planned external users of their resources and services
  7.1.6 SHGTS Application details
    ● Microsoft Access 2010 database
      ○ End of Support - Oct 2020
      ○ Single user application
      ○ customized for group security
      ○ categories of users
        ■ Administrative: full control of the application, including the ability to alter code and modify database objects
        ■ Executive: access to all reports and the ability to update key fields dealing with the assignment of grants
        ■ Basic: access to most forms and the ability to update key fields relating to information about assigned grants
    ● Windows 2008 R2 application server
      ○ hardened with built-in security mechanisms
      ○ End of Support Jan 2020
      ○ three technical support members of the administrator group have administrative rights to the server
    ● Remote Access
      ○ virtual private network (VPN) firewall appliance
      ○ Authentication uses Pulse Secure software with a token or a personal identity verification (PIV) badge
    ● Future
      ○ SQL Server
        ■ Multiple users
      ○ New infrastructure
      ○ Access from the Internet
        ■ sharing data among NIH, HBWC, and the hospitals they serve
      ○ persistent link to NIH may be required

  System Interfaces
    ● SHGTS
      ○ exchanges data with the NIH
      ○ does not interface with any other system
      ○ accessed from a local application running on HBWC workstations connected to the LAN
        ■ Remote access through VPN connection
    ● QuickBooks database for employee payroll
      ○ standalone database
      ○ can be accessed from the client workstations
    ● research raw data and reports
      ○ fileshare
  Data
    ● SHGTS database
      ○ contains private health information (PHI)
      ○ other healthcare information
      ○ proprietary data
      ○ includes specific attributes about the grants
        ■ control number, grant category, amount, distribution schedule, and sunset date
      ○ Information detailing grant distribution
        ■ sponsoring staff, the directing official, and date assigned
      ○ research data
        ■ only attributable to an individual if the conversion table is viewed along with the raw data
    ● QuickBooks
      ○ contains HBWC employee personally identifiable information (PII)
        ■ social security numbers, salaries, home addresses, emergency contacts, phone numbers, and next of kin
  Criticality
    ● SHGTS
      ○ includes the research data
        ■ loss of the research data would require notification to NIH that the results of the research they funded are not available
      ○ failure of the SHGTS would not preclude the HBWC from accomplishing core business operations in the short to long term
      ○ failure of the system would not have an impact on the effectiveness or efficiency of day-to-day operations
      ○ considered mission supportive
    ● QuickBooks database
      ○ could prevent employees from getting paid
      ○ paper backup is maintained in case the server goes down
        ■ data may be a day old at minimum
  Sensitivity
    ● Confidentiality
      ○ SHGTS: Low
        ■ no Privacy Act or proprietary data to protect
        ■ No awardee information is tracked on the grants
        ■ only tracks grant-specific data
        ■ if unauthorized personnel read data: administrative action (such as grant suspension or a letter of reprimand)
        ■ If competing grant candidates discovered the grant rating system, financial impact would be under $100,000
      ○ Research data: High
        ■ data contains medical information on research subjects
        ■ needs to be compliant with HIPAA regulations
          ● protected from employees that do not have a need to know
        ■ only the principal investigator can have access to it for the first year
      ○ QuickBooks: Medium
        ■ Privacy Act data included
        ■ should not be shared outside the payroll office
    ● Integrity
      ○ SHGTS: Medium
        ■ does affect recommendations for particular grants
        ■ financial impact of manipulated ratings could be between $150,000 and $300,000
        ■ less than $1,000,000
        ■ the person responsible for data manipulation would possibly be sued but not sent to jail
      ○ Research Data: High
        ■ integrity of the research data must be paramount
        ■ loss of data or any change in the data may show incorrect results of the research
      ○ QuickBooks: High
        ■ needs to be accurate to make sure that everyone receives the appropriate salary, based on job title and length of service
    ● Availability
      ○ SHGTS: Low
        ■ would be inconvenient if the database were unavailable ...
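The sensitivity ratings above are the raw inputs to a FIPS 199 security categorization, which is on the assessment's standards list. The following Python is an added worked example (not part of the notes or the case study) that applies the FIPS 199 high-water mark to those ratings, first across the information types each application holds and then across the three objectives, to get each system's overall category. It maps the notes' "Medium" to the FIPS 199 term "Moderate"; the availability ratings for research data and QuickBooks are not on the page (the notes are truncated), so those two values are labelled as assumed placeholders.

```python
"""FIPS 199 security categorization of the HBWC systems from the notes.

Added example: the impact ratings below are transcribed from the notes'
Sensitivity section. The two availability values marked ASSUMED are not on
the page and are placeholders for illustration only.
"""
from typing import Dict

LEVELS = {"low": 1, "moderate": 2, "high": 3}   # FIPS 199 impact levels
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Information types from the notes. The notes say "Medium"; FIPS 199 calls
# that level "Moderate", so it is written as "moderate" here.
INFO_TYPES: Dict[str, Dict[str, str]] = {
    "SHGTS grant data": {"confidentiality": "low", "integrity": "moderate",
                         "availability": "low"},
    "Research data": {"confidentiality": "high", "integrity": "high",
                      "availability": "moderate"},        # availability ASSUMED
    "QuickBooks PII": {"confidentiality": "moderate", "integrity": "high",
                       "availability": "moderate"},       # availability ASSUMED
}

# Which information types each application stores (from the Data section):
# SHGTS holds the grant data and the research data; QuickBooks holds payroll PII.
SYSTEMS = {
    "SHGTS": ["SHGTS grant data", "Research data"],
    "QuickBooks": ["QuickBooks PII"],
}


def normalize(level: str) -> str:
    """Map the notes' vocabulary onto FIPS 199 names ('medium' -> 'moderate')."""
    level = level.strip().lower()
    if level == "medium":
        level = "moderate"
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def high_water_mark(*levels: str) -> str:
    """FIPS 199 aggregation rule: the highest impact among the inputs wins."""
    return max((normalize(lvl) for lvl in levels), key=LEVELS.__getitem__)


def categorize_system(system: str) -> Dict[str, str]:
    """Per objective, take the high-water mark across the system's information types."""
    return {obj: high_water_mark(*(INFO_TYPES[t][obj] for t in SYSTEMS[system]))
            for obj in OBJECTIVES}


def overall_category(system: str) -> str:
    """A system's single overall category is the high-water mark across the three objectives."""
    return high_water_mark(*categorize_system(system).values())


def fips199_notation(system: str) -> str:
    """Render in FIPS 199 style: SC name = {(confidentiality, HIGH), ...}."""
    parts = ", ".join(f"({obj}, {lvl.upper()})"
                      for obj, lvl in categorize_system(system).items())
    return f"SC {system} = {{{parts}}}"


if __name__ == "__main__":
    for name in SYSTEMS:
        print(fips199_notation(name), "-> overall", overall_category(name).upper())
```

Because SHGTS stores the research data as well as the grant data, the Low/Medium ratings given for "SHGTS" alone do not determine its category: the research data pulls the system to High.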

