NIST, FISMA, HIPAA and Data Privacy – Where to Begin
Candy Alexander, CISSP CISM
SecureWorld Expo Boston
March 24, 2010
Room 104

SecureWorld Expo - Boston - March 24, 2010 - Room 104

Topics
 Setting the stage for a Case Study
 Understanding the requirements
 How can NIST help
 Closer look at NIST
 Summary

Setting the Stage
     Organization driven by multiple requirements
       FISMA
       HIPAA*
       Data Privacy (45 states and the Feds)
       MA 201 CMR17

     Small organization with minimal resources
       Need to work smart
       Identify 1 size to fit all requirements (framework)

     Existing work based on HIPAA Privacy & Security rules
        Redirect into the NIST framework to meet *all* requirements

* Additional push with new HITECH Act – Summary of changes at end of slides

Understanding the Requirements…
 Need to understand business requirements
   Compliance (just enough or to protect)
   Big budget or barely enough

 Frameworks available
    ISO ($$$)
    COBIT ($$)
    NIST (free)
    Do it yourself ($?)
    All of these + Notification process*

 As a Federal contractor, we used
    the NIST Risk Management Framework (RMF) for SP800-53
    SP800-66 Rev. 1

Using the NIST Risk Management Framework (RMF)*

* NIST SP800-66 Rev. 1, October 2008

Step 1 – Categorize Information and Assets
 FIPS 199 to identify the CIA (Confidentiality, Integrity and
 Availability) rating score
   Great tool for communicating risk to the business.
   For PHI (Protected Health Information) the “C” and “I” should be
   high – availability is up to the process owner
   Identify PII (Personally Identifiable Information) and its business
   owner (supports data privacy requirements)
   Identify “where” in the organization PII/PHI is
      (applications, folders, etc.)
      Supports the PHI tracking requirement for HIPAA
      Use NIST SP800-60 for guidance

Step 2 – Security Controls
 Use FIPS 200 to identify the minimum baseline

 Select controls to be used
   Identified in SP800-53 (Rev.3) that are appropriate to
   the environment (risk approach)

 Document controls/requirements into a security plan
 for each IT System.
   NIST SP800-18 Guide for Developing Security Plans for
   Federal Information Systems

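Steps 1 and 2 above amount to a small, repeatable procedure: rate every information type a system handles on the three objectives, take the high-water mark per objective to get the system's FIPS 199 security category, and take the highest of those three levels to pick the FIPS 200 minimum baseline (the low/moderate/high control set in SP800-53). The Python below is an added worked example, not material from the slides or from NIST; the information types, owners, storage locations and ratings are constructed for illustration, and the "PHI should be HIGH for C and I" check encodes the deck's rule of thumb rather than a FIPS requirement. It also produces the PII/PHI location-and-owner inventory that Step 1 asks for.

```python
"""FIPS 199 categorization and FIPS 200 baseline selection (added example)."""
from dataclasses import dataclass

# FIPS 199 potential-impact scale, lowest to highest
LEVELS = ("LOW", "MODERATE", "HIGH")


@dataclass(frozen=True)
class InfoType:
    name: str
    owner: str                 # business/process owner (data-privacy requirement)
    locations: tuple           # applications, folders, etc. (HIPAA PHI tracking)
    confidentiality: str
    integrity: str
    availability: str
    phi: bool = False          # Protected Health Information under HIPAA
    pii: bool = False          # Personally Identifiable Information


def _rank(level: str) -> int:
    """Position of an impact level on the FIPS 199 scale; rejects unknown labels."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def high_water(levels) -> str:
    """Highest impact level in an iterable (the FIPS 199 high-water mark)."""
    return max(levels, key=_rank)


def system_category(info_types) -> dict:
    """FIPS 199 system categorization: for each security objective take the
    maximum impact over every information type the system stores or processes."""
    return {
        "confidentiality": high_water(t.confidentiality for t in info_types),
        "integrity": high_water(t.integrity for t in info_types),
        "availability": high_water(t.availability for t in info_types),
    }


def baseline(category: dict) -> str:
    """FIPS 200: the minimum SP800-53 control baseline (low/moderate/high)
    is the highest of the three objective impact levels."""
    return high_water(category.values())


def underrated_phi(info_types) -> list:
    """The deck's rule of thumb (not a FIPS rule): PHI should be HIGH for
    confidentiality and integrity; availability is the process owner's call.
    Returns the names of PHI information types that fall short, for review."""
    return [t.name for t in info_types
            if t.phi and (_rank(t.confidentiality) < 2 or _rank(t.integrity) < 2)]


def privacy_inventory(info_types) -> list:
    """Where PII/PHI lives and who owns it: one (type, owner, location) row each."""
    return [(t.name, t.owner, loc)
            for t in info_types if t.phi or t.pii
            for loc in t.locations]


# Constructed sample data for one hypothetical system; not from the slides.
SAMPLE = (
    InfoType("Patient records", "Clinical operations",
             ("EHR application", "clinical-share"),
             "HIGH", "HIGH", "MODERATE", phi=True, pii=True),
    InfoType("Appointment reminders", "Front desk", ("scheduling app",),
             "MODERATE", "HIGH", "LOW", phi=True),
    InfoType("Employee payroll data", "Human resources", ("hr-share",),
             "MODERATE", "MODERATE", "LOW", pii=True),
    InfoType("Public web content", "Marketing", ("web CMS",),
             "LOW", "MODERATE", "LOW"),
)

if __name__ == "__main__":
    cat = system_category(SAMPLE)
    print("FIPS 199 category:", cat)            # C HIGH, I HIGH, A MODERATE
    print("FIPS 200 baseline:", baseline(cat))  # HIGH
    print("PHI rated below HIGH for C or I:", underrated_phi(SAMPLE))
    for row in privacy_inventory(SAMPLE):
        print("  ", row)
```

Because the baseline is a high-water mark, one HIGH-rated information type pulls the whole system to the high baseline; that is the argument for splitting PHI into its own system boundary where the organization can, rather than letting one record type drive the control set for everything.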
Step 3 – Implement Security Controls
 Uses various automated tools and manual
 processes
   Operating system controls
   Application controls
   System Development Life Cycle

 Full array of publications available to provide
 guidance to the specific topic/requirement
   See http://csrc.nist.gov
     Special Pubs, FIPS pubs, IR (internal reports),
     and ITL (Info Tech Lab) Bulletins

Step 4 – Assess Controls
 Evaluate the controls with SP800-53A
   Internal Audits
   External Audits

Step 5 – Authorize Information System
 Authorization to Operate (ATO)
   Primarily for FISMA compliance
     Essentially the Designated Accrediting Authority reviews the
     controls and their evaluation – then authorizes use with an
     explicit decision to accept the risk

   Not a BAD idea for getting executives to
   understand, review and accept the risk

Step 6 – Monitor Security
 Continuous monitoring
   Threats & vulnerabilities
   Controls put into place to mitigate risk

 Ensure all is effective and as intended

 Ensure documentation is updated

 Conduct impact analysis

FISMA… Certification & Accreditation
 What is Certification and Accreditation?
     Certification and Accreditation is a process that ensures that
     systems and major applications adhere to formal and established
     security requirements that are well documented and authorized. [1]
     Sound a little like MA 201 CMR17?

 Obtaining the C&A removes the uncertainty of compliance
     Much like ISO, PCI and SAS70 Type II?

 Auditors appreciate the structure

[1] e-Articles.info on ask.com

FISMA/NIST C&A
 C&A guidance is available through SP800-37

 Provides the accrediting authority (and auditors) a high degree of
 confidence that the managerial, technical and operational security
 controls work as intended and that the information processed,
 stored and transmitted by the system is protected.
    Controls based on FIPS 199, 200 and NIST SP800-66 (HIPAA)
    and SP800-53

 C&A should be completed prior to production and re-accredited
 when significant change occurs, as directed by the agency
 contract/authorizing official, or at minimum every three years.

C & A Phases
 Consists of 4 distinct phases
 1.   Initiation Phase
 2.   Security Certification Phase
 3.   Security Accreditation Phase
 4.   Continuous Monitoring Phase

 Each phase has a detailed list of tasks and subtasks, documents
 and artifacts that are used to support the next phase

Certification Package*
1.    Updated System Security Plan
2.    Completed Security Risk Assessment
3.    Updated Config. Mgmt Plan
4.    Contingency Mgmt Plan(s)
5.    Security Test & Eval. Report
6.    User Manuals
7.    Interconnection Security Agreements or MOUs
      (Business Associates Agreements for HIPAA)
8.    Privacy Impact Assessments
9.    Federal Register System of Record Notice
10.   Plan of Action & Milestones
* Exact contents are defined by the Information System Owner

Accreditation Package
1.   Security Assessment Report
2.   Security Accreditation Decision Letter
3.   System Security Plan
4.   Plan of Action & Milestones

HITECH Act – Tougher HIPAA
 From a Privacy/Security Perspective:
   Breach Notification (tougher requirements)
   Wider scope – including BAs (Business Associates) (2/17/10)
   Accounting of disclosures (more rigorous)
   Enforcement (2/17/10) – increased $$$
   State AGs’ enforcement

Questions?



Candy Alexander, CISSP CISM
calexander@ltcpartners.com