Week 7 Assignment
Executive Summary
The goal of this paper is to inform you, the CEO of the fictitious healthcare company FC. Inc., about the industry-recognized guidelines published by the National Institute of Standards and Technology (NIST), including NIST SP 800-137 on continuous monitoring (Dempsey, et al., 2011), and how they apply to protecting the Confidentiality, Integrity, and Availability (the CIA triad) of this organization's data regardless of changes to personnel, hardware, software, firmware, or the operating environment. The intention is to explain not only the what and the how, but also the why of each step in the NIST Risk Management Framework (RMF). This paper shows how we can manage and mitigate risk by using continuous monitoring, and determine the level of risk based on our risk goals, and
The Risk Management Framework guides the selection of the security controls applied to the network information system and provides a structured process for protecting the Confidentiality, Integrity, and Availability of this organization's data. The RMF as published at the time of this paper has six steps: 1) Categorize, 2) Select, 3) Implement, 4) Assess, 5) Authorize, and 6) Monitor (NIST, 2018); NIST SP 800-37 Revision 2 later added a preceding Prepare step. Not having working knowledge of the RMF, how it relates to the network information system, the selection of security controls, their implementation and effectiveness (Boyens & Paulsen), and the overall lack of continuous monitoring will put this organization at an unwarranted disadvantage
Week 7 Assignment Ricardo Nevarez
Step 1) Categorize – refers to determining which information on the system is critical, what the worst-case scenario is, and what negative impact that scenario would have on the organization. NIST FIPS 199 (NIST, 2004) and SP 800-60 (Stine, Kissel, Barker, Fahlsing, & Gulick, 2008) provide the guidelines for determining the security categorization of our information system and its information types, respectively. These guidelines help identify a high water mark, the highest of the plausible impact levels (Low, Moderate, or High) across the information in the system, should its confidentiality, integrity, or availability be lost. The security objective is to identify the potential impact for each leg of the CIA triad, how a loss of each would hurt the system and the mission of the organization, and to apply the high water mark to the system as a whole. Knowing the high water mark also drives the choice of the control baseline, the implementation of the controls on the data, and how well these work within the system. To determine the overall security categorization we need to determine the information types our system handles and the impact level for the Confidentiality, Integrity, and Availability of the data we are protecting. The security objectives as they apply to the CIA triad are defined as follows:
From NIST Special Publication 800-60 Volume II, the information type that applies to our
Barker, Fahlsing, & Gulick, 2008). System maintenance applies to our servers, firewalls,
workstations, Windows OS, LAN printers, fax, programs, and teleconferencing. This is the description of our information system to which the high water mark will be applied. We determined that the internal data we have previously labeled secure needs to be protected, and the following security categorization describes the impact on our organization should this data be compromised. Confidentiality is categorized as HIGH: if there is a breach and the secure data is exposed to unauthorized employees, there will be a negative internal impact, which could result in lawsuits and disgruntled employees who see their coworkers earning more, etc. (FIPS 199 reserves HIGH for a severe or catastrophic adverse effect, so each rating's rationale should be written to that standard.) Because Confidentiality is HIGH, the high water mark is HIGH impact. Integrity is MODERATE because if the secure data is deleted or corrupted in some way we can always restore a copy from backups; note, however, that backups only limit the recovery cost, since corrupted data that is acted on before the corruption is noticed (a changed contract figure, an altered payroll record) still causes harm, so this rating should be revisited once we know how quickly such changes would be detected. Availability is HIGH because the secure data is used by authorized employees to work on grants, presentations, contract deadlines, finance, HR, etc.; if it is not available, business functions stop and the organization potentially loses money. In FIPS 199 notation the categorization is SC = {(confidentiality, HIGH), (integrity, MODERATE), (availability, HIGH)}, and the high water mark makes this a HIGH-impact system.
Step 2) Select – This step involves choosing the control baseline (Low, Moderate, or High) that matches the categorization of this organization's system and its secure data, tailoring it, and adding supplemental controls based on the risk assessment. The applicable controls are taken from NIST SP 800-53 Rev. 5 (Force, 2017). These are the controls that will be in place to mitigate the risk of unauthorized users accessing the data and to reduce the attack surface. The three (3) baseline controls highlighted here are AC-1 Access Control Policy and Procedures, AC-2 Account Management, and AC-6 Least Privilege. These controls enforce the policy applied to access to secured data, allowing only authorized users access to those data
resources respective to their job role. I have already identified the high water mark to be HIGH and explained the reason earlier, so the HIGH baseline applies. All three of these controls appear in every baseline; what the HIGH baseline adds is the control enhancements, for example AC-2(1) automated account management, AC-2(3) disabling inactive accounts, AC-2(4) automated audit actions, AC-6(1) explicit authorization for access to security functions, AC-6(2) using non-privileged accounts for non-security functions, AC-6(5) restricting privileged accounts, and AC-6(9) logging the use of privileged functions. AC-1 requires and enforces policies and procedures that are periodically reviewed and updated so that they remain current and in compliance (OSA, 2018). For example, if there were no access control policy in place, anyone, regardless of job role, would have access to all data. AC-2 is the account management control. When there is no designated employee managing all aspects of individual user accounts, the Confidentiality of the data is negatively affected (OSA, 2018): unmanaged accounts allow employees to keep access to confidential data that is otherwise restricted. Because Confidentiality is impacted, so is the Integrity of the data. With no accountability for the permissions on user accounts, anyone can inadvertently or purposely manipulate the data and in turn affect the decisions of those who rely on and trust the data. AC-6 Least Privilege enforces the most restrictive set of rights, privileges, or access that users need to do their jobs (OSA, 2018). We use this control because it reduces the opportunities to reach restricted confidential data and minimizes the threat to the Integrity and Availability of that data. Ultimately, Least Privilege allows our organization to be selective about who has access to what data, when, and from where. Implementing these security controls will mean a stronger, safer, and more trustworthy data system.
Step 3) Implement – The security controls identified and selected in Step 2 are implemented and their respective security settings configured. These controls are consistent with the compliance obligations and laws that apply to this organization's processing and protection of electronic data, both at rest and in transit (Force, 2017). Once the controls are in place, only
authorized users gain access to data according to their permissions and job role. Specifically, implementing AC-1 means writing the access control policy that the technical settings then enforce: each employee in their respective job role is assigned a unique ID, must change their password every 60 or 90 days, and must use a password of at least 9 characters including special characters; after three (3) failed attempts the system locks the account; and automatic logoff prevents unauthorized access when an employee walks away from the screen. (In SP 800-53 terms the password rules fall under IA-5 Authenticator Management, the lockout under AC-7 Unsuccessful Logon Attempts, and the automatic logoff under AC-11 Session Lock and AC-12 Session Termination; AC-1 is the policy that requires them. Note also that NIST SP 800-63B, published in 2017, recommends against forced periodic password changes and composition rules in favour of length and screening against known-breached passwords, so the policy should cite whichever requirement the organization's compliance obligations actually impose.) All authorized access is managed within Active Directory (AD). AC-2 supports AC-1 in that a responsible individual grants access rights to data resources and activates and deactivates employee accounts in AD. A secondary control allows permissions to be authorized and granted only on a request submitted by Human Resources to the account administrator. This same control handles the accounts of employees who are no longer with the organization. Furthermore, employees requiring additional access to confidential data will receive it only with the approval of their immediate manager or supervisor. AC-6 rounds out the selected controls as it governs who has access to what confidential data, when, and from where. The benefits of this control are the Confidentiality of knowing that no unauthorized individual gains access, the Integrity of knowing that no unauthorized employee can modify data, and the Availability that data is
Step 4) Assess – The security controls implemented in Step 3 are assessed here for effectiveness. They must function as intended and meet or exceed the security requirements set by the security policies and the goals of the organization. Should a control fail, a secondary control must step up and alert the account manager of the failure of the main control. It is important to be aware that
direct risks to data resources within our organization come not only from a lack of security controls but also from how effectively an implemented control performs its role (Boyens & Paulsen). I have explained why these controls are important and how they work when functioning properly. The other side is their failure modes, which must be assessed. A failure of AC-1 would allow any employee from any department to access all data. A failure of AC-2 would produce inaccurate accountability of user accounts because there is no central control. A direct failure of AC-6 would allow data resources to be used by unauthorized users. It is also during this step of the Risk Management Framework that we use a Plan of Action and Milestones (POA&M). This benefits our organization by tracking the remediation of deficiencies in the three suggested controls against target dates that are reasonably attainable (Force, 2017). For AC-1, the milestone is proper documentation and accountability of each employee's access to all resources, recorded in a database; this enforces the policy and procedure. A suggested time frame for this is no longer than 90 days. For AC-2, the suggestion is to train a selected employee into the account management role, which improves the accountability of accounts within AD; HR can begin the interview process to fill this position, and this milestone could take up to 30 days. Lastly, AC-6 requires procedures under which employees needing additional access to data resources know to reach out to their managers or supervisors, who request the access on their behalf. This prevents an employee from simply asking for and being granted access to data resources. Like the others, this control must be signed off by the policy and compliance department, and its implementation should not take longer than 90 days. To
keep these security controls and their respective policies and procedures current will require them to be
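The following is an added example, not part of this paper or of any NIST publication: a Python access review that checks whether the AC-2 and AC-6 implementation described in Step 3 is actually effective, which is the kind of evidence Step 4 needs. It reconciles an Active Directory group-membership export against HR's record of each employee's role and active status, the role-to-group matrix that policy authorizes, and the manager-approved exceptions, and reports orphaned accounts, terminated users whose accounts are still enabled, and memberships no role or approval justifies. The group names, user names, roles, the ROLE_GROUPS matrix, the APPROVED_EXCEPTIONS set and the CSV export are all constructed for the example; in practice the export would come from a cmdlet such as Get-ADGroupMember written out with Export-Csv.

```python
"""Access review for the AC-2 / AC-6 implementation (added example).

Reconciles an Active Directory group-membership export against the HR
record of each employee's role and status, the role-to-group matrix that
policy (AC-1) authorizes, and the manager-approved exceptions.  Every
name, group and row below is constructed for the example.
"""
from dataclasses import dataclass

# Hypothetical role -> authorized groups matrix owned by policy and compliance.
ROLE_GROUPS = {
    "grants":   {"G-Grants-RW", "G-Staff-RO"},
    "finance":  {"G-Finance-RW", "G-Staff-RO"},
    "hr":       {"G-HR-RW", "G-Staff-RO"},
    "sysadmin": {"G-Staff-RO", "Domain Admins"},
}
# Membership here is reported with its own severity (AC-6(5) privileged accounts).
PRIVILEGED_GROUPS = {"Domain Admins"}

# Constructed HR feed: user -> (job role, still employed?)
HR = {
    "alice": ("grants", True),
    "bob":   ("finance", True),
    "carol": ("hr", True),
    "dave":  ("sysadmin", True),
    "erin":  ("finance", False),   # terminated; account should be disabled
}

# Constructed AD export (the shape Get-ADGroupMember | Export-Csv would give).
AD_EXPORT = """\
group,member,enabled
G-Grants-RW,alice,True
G-Staff-RO,alice,True
G-Finance-RW,alice,True
G-Finance-RW,bob,True
G-HR-RW,bob,True
G-Staff-RO,bob,True
G-HR-RW,carol,True
G-Staff-RO,carol,True
Domain Admins,carol,True
Domain Admins,dave,True
G-Staff-RO,dave,True
G-Finance-RW,erin,True
G-Staff-RO,erin,True
Domain Admins,svc-backup,True
"""

# Hypothetical manager-approved additional-access requests: (user, group).
APPROVED_EXCEPTIONS = {("bob", "G-HR-RW")}


@dataclass
class Finding:
    user: str
    group: str
    issue: str


def parse_export(text):
    """Parse the CSV export into (group, member, enabled) tuples."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rows.append((rec["group"], rec["member"], rec["enabled"] == "True"))
    return rows


def review(ad_rows, hr, role_groups, approved):
    """Return one Finding per membership that policy does not authorize."""
    findings = []
    reported_terminated = set()
    for group, member, enabled in ad_rows:
        if member not in hr:
            # Nobody in HR owns this account: orphan or service account to justify.
            findings.append(Finding(member, group, "orphan: no HR record"))
            continue
        role, active = hr[member]
        if not active:
            # AC-2 deprovisioning failure, reported once per user rather than per group.
            if enabled and member not in reported_terminated:
                findings.append(Finding(member, group, "terminated in HR but account still enabled"))
                reported_terminated.add(member)
            continue
        if group in role_groups.get(role, set()) or (member, group) in approved:
            continue  # authorized by role, or by a documented manager approval
        kind = "unapproved privileged" if group in PRIVILEGED_GROUPS else "unapproved"
        findings.append(Finding(member, group, f"{kind} membership for role '{role}'"))
    return findings


if __name__ == "__main__":
    for f in review(parse_export(AD_EXPORT), HR, ROLE_GROUPS, APPROVED_EXCEPTIONS):
        print(f"{f.user:12} {f.group:14} {f.issue}")
```

Run against the constructed data this reports alice's finance-group membership, carol's Domain Admins membership, erin's still-enabled account, and the svc-backup account that HR does not know about; bob's HR-group membership is silent because an approval is on file. Each finding maps to a POA&M item, and running the review on a schedule is the periodic account review that AC-2 requires.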
Step 5) Authorize – A designated senior member of the organization determines whether the operational security controls are acceptable as they apply to the operations and data assets within the system. Once the residual risk is deemed acceptable, this individual accepts responsibility for the system by authorizing the information system to operate (Metivier, 2017). The evidence for this decision is the Security Authorization Package (the system security plan, the security assessment report, and the plan of action and milestones), which is presented to the Authorizing Official (AO) of the organization. In reaching a conclusion from the information presented, the AO knows that responsibility for the plan of action and milestones, the overall risk of the system, and the review of any and all recommendations falls on the AO. The AO uses the package to check progress and correct any weaknesses found during the security control assessment (Officer, 2015). In accepting responsibility for the overall risk of the system, the AO knows that policy and procedure are everything; not understanding this will weaken the security posture of the information system. A failure of any one of my suggested security controls will give a perpetrator the access to create unauthorized
Step 6) Monitor – Requires continuous monitoring of all security controls, and reauthorization as the computer network system is upgraded over time and new security controls are implemented. Reassessment is also performed to reauthorize the ongoing acceptance of risk.
The implementation of the suggested security controls, together with the guidance of the NIST Risk Management Framework, is what will secure the information system. It is
important to keep in mind that as technology evolves, so does the information system. Policies, procedures, hardware, firmware, and software become outdated, creating vulnerabilities that can turn into high risks if left alone. Once the controls are in place we must continuously monitor the information system to determine the effectiveness of the controls and their response. We must keep identifying changes to the information system and the environment it resides in, and continuously verify that we comply with the local, state, and federal policies and guidelines that directly pertain to us. Continuous monitoring includes detecting changes, reporting on and responding to them, and mitigating their effect on the information system. This is done by analyzing the logs generated by our hardware and software, which include our firewalls, IDS/IPS, antivirus on local machines and servers, routers, switches, and mobile devices. Analyzing all of this data requires a SIEM to bring it together, and the SIEM is the platform for continuous monitoring (Institute, 2015). It allows us to see what is going on, determine the level of risk based on our risk goals and our knowledge of threats, and mount an appropriate response. SP 800-137, which frames this as an Information Security Continuous Monitoring (ISCM) program with defined metrics and monitoring frequencies for each control, and SP 800-53A, which provides the assessment procedures for each control, provide the guidance we seek.
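As an added example (not from this paper or from NIST SP 800-137), here are two continuous-monitoring checks of the kind a SIEM correlation rule would run over Windows Security log events: one tests whether the AC-7 lockout setting from Step 3 is really being enforced, the other flags account creations by anyone other than the designated account manager (AC-2) and any addition to a privileged group (AC-6). The event IDs are the standard Windows Security Log IDs (4625 failed logon, 4624 successful logon, 4740 account locked out, 4720 user account created, 4728 member added to a security-enabled global group); the simplified one-line format, the host and user names, the ACCOUNT_ADMINS set, and the sample log itself are constructed for this example.

```python
"""Two SP 800-137 style monitoring checks over constructed Windows Security
events (added example; the log lines, names and thresholds are made up).

A real SIEM parses the native XML/JSON event; this uses a one-line
'timestamp key=value ...' form so it runs offline.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a password-guessing run against bob that is never
# locked out, a run against carol that is, and an unauthorized admin creating
# an account and adding it to Domain Admins.
SAMPLE_LOG = """\
2018-03-09T08:00:05Z EventID=4625 TargetUser=bob Host=WS-14 Subject=-
2018-03-09T08:00:21Z EventID=4625 TargetUser=bob Host=WS-14 Subject=-
2018-03-09T08:00:40Z EventID=4625 TargetUser=bob Host=WS-14 Subject=-
2018-03-09T08:00:52Z EventID=4625 TargetUser=bob Host=WS-14 Subject=-
2018-03-09T08:01:10Z EventID=4624 TargetUser=bob Host=WS-14 Subject=-
2018-03-09T08:05:00Z EventID=4625 TargetUser=carol Host=WS-02 Subject=-
2018-03-09T08:05:15Z EventID=4625 TargetUser=carol Host=WS-02 Subject=-
2018-03-09T08:05:30Z EventID=4625 TargetUser=carol Host=WS-02 Subject=-
2018-03-09T08:05:31Z EventID=4740 TargetUser=carol Host=DC-01 Subject=-
2018-03-09T09:12:00Z EventID=4720 TargetUser=tmp-contractor Host=DC-01 Subject=acctadmin
2018-03-09T09:30:00Z EventID=4720 TargetUser=jsmith2 Host=DC-01 Subject=dave
2018-03-09T10:02:00Z EventID=4728 TargetUser=jsmith2 Group="Domain Admins" Host=DC-01 Subject=dave
2018-03-09T10:03:00Z EventID=4728 TargetUser=alice Group=G-Grants-RW Host=DC-01 Subject=acctadmin
"""

ACCOUNT_ADMINS = {"acctadmin"}         # the designated AC-2 account manager (constructed)
PRIVILEGED_GROUPS = {"Domain Admins"}  # membership changes here always alert (AC-6)
LOCKOUT_THRESHOLD = 3                  # the AC-7 setting the policy in Step 3 requires
WINDOW = timedelta(minutes=5)          # counting window for failed logons


def parse(text):
    """Parse 'timestamp key=value ...' lines; quoted values may contain spaces."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = shlex.split(line)
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def check_lockout_enforced(events):
    """AC-7 effectiveness: once LOCKOUT_THRESHOLD failures land inside WINDOW,
    the next thing seen for that user must be a 4740 lockout.  A further 4625,
    or a 4624 success, means the lockout setting is not doing its job."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent 4625 events
    for ev in events:
        user, eid = ev.get("TargetUser"), ev["EventID"]
        if eid == "4625":
            recent = [t for t in failures[user] if ev["ts"] - t <= WINDOW]
            failures[user] = recent + [ev["ts"]]
            if len(failures[user]) > LOCKOUT_THRESHOLD:
                alerts.append(f"{user}: {len(failures[user])} failed logons within "
                              f"{WINDOW} and no lockout; AC-7 not enforced on {ev['Host']}")
        elif eid == "4740":
            failures[user] = []  # the control fired as expected
        elif eid == "4624" and len(failures[user]) >= LOCKOUT_THRESHOLD:
            alerts.append(f"{user}: successful logon after {len(failures[user])} "
                          f"failures without lockout (possible password guessing)")
            failures[user] = []
    return alerts


def check_account_management(events):
    """AC-2: only the designated account manager creates accounts.
    AC-6: every addition to a privileged group is raised for HR/manager approval."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == "4720" and ev["Subject"] not in ACCOUNT_ADMINS:
            alerts.append(f"account {ev['TargetUser']} created by {ev['Subject']}, "
                          f"who is not the account manager")
        if eid == "4728" and ev.get("Group") in PRIVILEGED_GROUPS:
            alerts.append(f"{ev['TargetUser']} added to {ev['Group']} by "
                          f"{ev['Subject']}; verify HR request and approval")
    return alerts


def run(text):
    """All alerts for one batch of log lines."""
    events = parse(text)
    return check_lockout_enforced(events) + check_account_management(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print("ALERT:", alert)
```

On the constructed log, bob produces two alerts (a fourth failure with no 4740, then a success after the failures), carol produces none because the lockout fired after the third failure, and dave's creation of jsmith2 and its addition to Domain Admins both alert, while the account manager's own actions stay quiet. The first check is the important one from an assessment standpoint: it measures whether a control that is configured is also effective, which is exactly the distinction Step 4 draws.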
Because we have done our due diligence, our information system can adapt to a changing environment, for example when a contractor works within our office space for a specified period of time. The group of security controls I have suggested will protect our proprietary confidential data while allowing the contractor onto our system, including use of the LAN printer/fax. AC-2 covers the creation of temporary accounts, and its enhancement AC-2(2) in the HIGH baseline requires such accounts to be removed or disabled automatically after a defined period, so the contractor's access ends with the engagement. Secure use of the LAN printer/fax is achieved with "secure print", which holds a print job until the user authenticates at the device. Because the proper security controls and policies are in place, the system can continue to be managed and monitored whether or not there is a change of personnel on the information system. Policy and procedures dictate how the system is managed and maintained by anyone who takes on the responsibility and challenges of
Conclusion
Using the NIST Risk Management Framework as I have suggested supports a preemptive approach to securing our computer network information system, rather than a reactive one. Having a risk management plan also provides a structured approach to minimizing and managing threats. I described the selection of security controls and why these controls were selected: to identify and manage our employees' access to data according to their roles, and to ensure the confidentiality, integrity, and availability of data at rest and data in transit. I highlighted three (3) security controls because these same controls will strengthen the security posture of this organization, and I explained why it is important to maintain the CIA triad. I also highlighted the threats and vulnerabilities that require these controls to be properly implemented, and suggested remediation and estimated completion dates through the Plan of Action and Milestones. The overall hardening of the infrastructure and protection of the data resources will rely on following the suggestions I have made. Adherence will also ensure the Confidentiality, Integrity, and Availability of this organization's overall data resources, allowing for a stronger, safer, and more trustworthy data system for all who use it.
References
Boyens, J., & Paulsen, C. (n.d.). NIST SP 800-161. Retrieved February 26, 2018, from NIST.
Dempsey, K., Chawla, N. S., Johnson, A., Johnson, R., Jones, A., Orebaugh, A., et al. (2011,
September). NIST Special Publication 800-137. Retrieved March 09, 2018, from NIST:
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-137.pdf
Force, J. T. (2017, August). NIST SP 800-53 Rev. 5 (draft). Retrieved March 10, 2018, from NIST:
https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
Institute, I. (2015, November 24). What is a SIEM. Retrieved March 09, 2018, from Infosec
Institute: http://resources.infosecinstitute.com/what-is-a-siem/#gref
Metivier, B. (2017, April 11). 6 Steps to a Cybersecurity Risk Assessment. Retrieved January 27,
cybersecurity-risk-assessment
NIST. (2004, February). FIPS PUB 199. Retrieved March 10, 2018, from NIST:
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
NIST. (2018, February 09). Risk Management Framework Overview. Retrieved March 09, 2018,
(RMF)-Overview
Officer, O. o. (2015, March 16). Security Authorization Process Guide. Retrieved March 05,
https://www.dhs.gov/sites/default/files/publications/Security%20Authorization%20Process%20Guide_v11_1.pdf
OSA. (2018). AC-01 Access Control Policies and Procedures. Retrieved February 12, 2018,
from OpenSecurityArchitecture:
http://www.opensecurityarchitecture.org/cms/library/08_02_control-catalogue/23-08_02_AC-01
Stine, K., Kissel, R., Barker, W. C., Fahlsing, J., & Gulick, J. (2008, August). NIST SP 800-60.
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf