ABAC Plan Instructions


Key Section: Final Examination Question and Grading Template

Key Section: Question: Build a Plan for an ABAC (Attribute Based Access Control)
Pilot Case:

Please develop, using NCCoE (NIST National Cybersecurity Center of Excellence) use cases, a plan
for an ABAC (Attribute Based Access Control) Pilot Case. The ABAC Pilot Case provides a
suggested transition program for a hypothetical hospital electronic health records
(EHR) system. An objective of the pilot EHR system is to provide the planning steps to transition
from role based access control (RBAC) to an attribute based access control (ABAC) system.
ABAC is additive to RBAC.

Key Section: Question Building on Structured Discussions 1 and 2.

Key Section: Question: Suggested Student Overview of the Final Examination Issues

IA students,

Thank you.

In brief, the final examination is a “worked example” of applying NIST cybersecurity risk
management guidance and metrics to a healthcare case. For example, we include an
application of the NIST seven-step gap analysis that could be applied to cybersecurity case
analyses, potentially extending Structured Discussions 1 and/or 2. (This examination uses the
NIST seven-step gap analysis defined in NIST Cybersecurity Framework, Version 1.1, April 16, 2018,
Section 3.2: Establishing or Improving a Cybersecurity Program:
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.)

We also adapt from Structured Discussion 2 a NISTIR 8170 three level analysis of a Boeing 737
MAX case: 1) Organization; 2) Mission/Business Processes; and 3) System.

Hopefully, this is helpful.

Best regards,

Harold

Key Section: Question Scope: Build a Plan for an ABAC Pilot Case for
a Hypothetical Inova Fairfax Hospital Transplant Center:
Please consider using actual Inova Fairfax references for a Hypothetical Inova Fairfax Hospital:
Transplant Center use case for the pilot ABAC case. For example, the Inova Fairfax Hospital IT
security policy.

Key Section: ABAC Pilot Case: Building on Two NIST NCCoE Use Cases: Integrating
Selected NCCoE Use Case Analysis

Please consider using with attribution the work of the NIST NCCoE (National Institute of
Standards and Technology National Cybersecurity Center of Excellence) as presented in two use
cases:

1. NCCoE Use Case 1: RBAC: NIST Special Publication 1800-1B: Securing Electronic Health
Records on Mobile Devices, July 27, 2018. (RBAC: Role Based Access Control)
2. NCCoE Use Case 2: ABAC: NIST Special Publication 1800-3B, C: Attribute Based Access
Control, Second Draft, September 20, 2017. (ABAC)

Key Section: Plan for an ABAC Pilot Case: We Provide a Suggested Outline to Build a
Plan for an ABAC Pilot Case

Please consider a suggested development plan for your ABAC Pilot Case. We define the scope of
your ABAC Pilot Case to be a hypothetical Inova Fairfax Hospital: Transplant Center. The test
case includes a transition for three components in the hypothetical Inova Fairfax Hospital for its
EHR system from RBAC to ABAC.

We are integrating in the ABAC Pilot Case three “To Be” silos into a proposed target pilot system.
These components are defined in NIST SP 1800-1B. The three components (silos) for this hypothetical
case are: 1) Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN.

Key Section: Final Examination Scope: Management Approval for an ABAC Pilot Case

For this final examination, we start our ABAC Pilot Case planning and analysis after management
approval. An ABAC Pilot Case is suggested to reduce patient safety risk for the hypothetical
Inova Fairfax hospital complex. Patient safety risk depends in part on using a cost/benefit/risk
optimization for the ABAC Pilot Case. [1] A fixed system budget for this optimization approach may
include optimization of five factors: 1) safety; 2) reliability; 3) resilience; 4) security; and 5)
privacy. [2]

[1] Note: Mobile devices may be considered as CPS (Cyber-Physical Systems). Therefore, NIST SP 1500-202,
Section 2.3.3 may be considered as applying to the final examination (e.g., NIST SP 1800-1: RBAC EHR
authentication upgrading to NIST SP 1800-3: ABAC EHR authentication).
[2] Ibid.

We adapt for this case the NISTIR 8170: Approaches for Federal Agencies to Use NIST
Cybersecurity Framework, August 17, 2021. Figure 2: Federal Cybersecurity Approaches (see
Figure 1 below).

Key Section: Final Examination Scope: Management Approval for an ABAC Pilot
Case: Building on Structured Discussion 2: Boeing 737 MAX: Three Management
Levels: 1) Organization; 2) Mission/Business Systems; and 3) System.

Please consider the Hypothetical Inova Fairfax organization decision-making process for this final
exam, Figure 1 (NISTIR 8170: Figure 2).

Note: NISTIR 8170: Approaches for Federal Agencies to Use the Cybersecurity Framework,
August 17, 2021.

We suggest the following interpretation of Figure 1 (NISTIR 8170: Figure 2: Federal Cybersecurity
Approaches):

1) NIST Level 1: Organization: CEO and top management policies pertaining to the ABAC Pilot;
2) NIST Level 2: Mission/Business Processes: Management procedures pertaining to the ABAC Pilot.
For example, receive ABAC Pilot updates and exception reports, analyze the ABAC Pilot updates,
and then 1) provide guidance to Level 3: ABAC Implementation; and 2) report on ABAC progress to
Level 1: CEO and top management;
3) NIST Level 3: System (ABAC Pilot): Implementation.

Figure 1: Hypothetical INOVA Pilot Case: Transition from RBAC to ABAC [3]

[3] NISTIR 8170: Approaches for Federal Agencies to Use NIST CSF, August 17, 2021. Figure 2: Federal
Cybersecurity Approaches.
Key Section: Final Examination Format:

Please consider the suggested format provided in this document. A typical final examination is
about 20 pages, single-spaced, with attribution, e.g., footnotes for citations for figures/tables.
Please consider using the interpretation of NISTIR 8170: Figure 2: Federal Cybersecurity Approaches
above: 1) NIST Level 1: Organization: CEO policies; 2) NIST Level 2: Mission/Business Processes:
Management Procedures; and 3) NIST Level 3: System (ABAC Pilot): Implementation.

Key Section: Final Examination: Suggested Student Outline

Please consider the Key Issues to be your primary focus for the final examination. Grading issues are in
Bold. The grading emphasis is on Analysis, Conclusions and use of figures/tables with footnotes.

Key Issue 1: Title Page
Key Issue 2: Preface
Key Sections 1-7
Section 1: Question
Key Issue: Section 2: Interpretation of Question
Table of Contents
Key Issue: List of Figures: Note: Footnotes in text for figure captions
Key Issue: List of Tables: Note: Footnotes in text for table captions
Section 3: Introduction
Key Issue: Section 3.1: NIST Approach
3.1.1 NISTIR 8170 Figure 2: Three organization levels
3.1.2 NISTIR 8170: Figure 2: Area 1: Integrate enterprise and cybersecurity risk
3.1.3 NIST SP 1500-202: Section 2.3.3: Optimize Cyber Physical System risk budget (safety, resilience,
reliability, security, privacy)
3.2: Hypothetical Inova Fairfax Transplant Center Use Case: RBAC “As-Is”
Key Issue: Section 4: NIST Seven Step Gap Analysis (NIST CSF Section 3.2: Establishing or Improving a
Cybersecurity Program)
Step 1: Prioritize and Scope
Step 2: Orient
Key Issue: Step 3: Create a Current Profile “As Is”: Use existing RBAC architecture
Key Issue: Step 4: Conduct a Risk Assessment
Key Issue: Step 5: Create a Target Profile “To Be”: Use planned ABAC architecture
Key Issue: Step 6: Determine, Analyze and Prioritize Gaps
- Consider a ZTA/ABAC cloud provider to replace VPN
- Consider an identity candidate cloud provider that supports NIST Special Publication 800-207: Zero
Trust Architecture, Section 2: Figures 1 and 2
- Consider “To Be” gaps when compared to baseline “As Is”
  o Cloud to replace VPN: NIST SP 800-210: For example, find a cloud provider that can integrate
  access control for three silos (Dr. Jones, Radiology, and VPN)
  o Cloud Zero Trust Architecture: Consider a cloud provider that can support NIST SP 800-207: Zero
  Trust Architecture, August 2020
  o Cloud support for ZTA: ABAC: PDP/PEP (Policy Decision Point/Policy Enforcement Point): NIST SP
  800-207: Section 2: Zero Trust Basics and Figure 1: Zero Trust Architecture
Key Issue: Step 7: Implement an Action Plan
Key Issue: Section 5: Analysis [with respect to your interpretation of the question and gap analysis]
Key Issue: 5.1: Challenges of building and testing a candidate ABAC pilot program vs NISTIR 8170 Figure
2: Three organization levels: 1) Organization; 2) Mission/Business Processes; and 3) System: ABAC pilot
program
Key Issue: Section 6: Conclusions [based on your Analysis]
Key Issue: Section 7: References [Complete references: For example, author, title, organization,
document number, date, etc.]
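As an added illustration of Steps 3, 5 and 6 of the gap analysis (this script is not part of the examination template, nor NIST's or Inova's material), the following Python represents the Current (“As Is”) and Target (“To Be”) Profiles as a per-silo implementation tier for the CSF subcategories the outline names (PR.AC-1, PR.AC-3, PR.AC-4), diffs the two profiles, and ranks the resulting gaps as input to the Step 7 action plan. The ordinal tier scale, the three silo profiles and the subcategory priority ordering are constructed assumptions.

```python
"""Toy NIST CSF gap analysis: diff a Current Profile against a Target Profile
(Steps 3, 5, 6) and order the gaps for the action plan (Step 7).
All tiers, profiles and priorities below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Ordinal implementation scale for one subcategory in one silo (assumed, not a NIST scale).
TIERS = {"none": 0, "partial": 1, "rbac": 2, "abac": 3}

# CSF v1.1 subcategories the template refers to (identifiers are NIST's; descriptions abridged).
SUBCATEGORY_NAMES = {
    "PR.AC-1": "identities and credentials are issued, managed, verified, revoked",
    "PR.AC-3": "remote access is managed",
    "PR.AC-4": "access permissions are managed, least privilege / separation of duties",
}


@dataclass(frozen=True)
class Gap:
    silo: str
    subcategory: str
    current: str
    target: str
    priority: int  # 1 = highest, taken from the Target Profile's priority list

    def size(self) -> int:
        """How many tiers the silo must climb to reach the target."""
        return TIERS[self.target] - TIERS[self.current]


def find_gaps(current: Dict[str, Dict[str, str]],
              target: Dict[str, Dict[str, str]],
              priorities: Dict[str, int]) -> List[Gap]:
    """Step 6: every (silo, subcategory) whose target tier exceeds its current tier,
    ordered by priority, then by largest gap, then alphabetically for a stable plan."""
    gaps = []
    for silo, wanted in target.items():
        have = current.get(silo, {})
        for subcat, tier in wanted.items():
            cur = have.get(subcat, "none")  # absent from the Current Profile = not implemented
            if TIERS[tier] > TIERS[cur]:
                gaps.append(Gap(silo, subcat, cur, tier, priorities.get(subcat, 9)))
    return sorted(gaps, key=lambda g: (g.priority, -g.size(), g.silo, g.subcategory))


def action_plan(gaps: List[Gap]) -> List[str]:
    """Step 7 input: one line per gap, in the order the pilot should tackle them."""
    return [f"{g.silo}: raise {g.subcategory} ({SUBCATEGORY_NAMES.get(g.subcategory, '?')}) "
            f"from {g.current} to {g.target} (priority {g.priority})" for g in gaps]


# Constructed profiles for the three pilot silos; radiology is treated as on-site only,
# so it has no remote-access (PR.AC-3) target.
CURRENT_PROFILE = {
    "radiology":   {"PR.AC-1": "rbac",    "PR.AC-3": "none",    "PR.AC-4": "rbac"},
    "orthopedics": {"PR.AC-1": "rbac",    "PR.AC-3": "none",    "PR.AC-4": "rbac"},
    "vpn":         {"PR.AC-1": "partial", "PR.AC-3": "partial", "PR.AC-4": "rbac"},
}
TARGET_PROFILE = {
    "radiology":   {"PR.AC-1": "abac", "PR.AC-3": "none", "PR.AC-4": "abac"},
    "orthopedics": {"PR.AC-1": "abac", "PR.AC-3": "abac", "PR.AC-4": "abac"},
    "vpn":         {"PR.AC-1": "abac", "PR.AC-3": "abac", "PR.AC-4": "abac"},
}
# Assumed pilot priority: fine-grained permissions first, then remote access, then identity.
PRIORITIES = {"PR.AC-4": 1, "PR.AC-3": 2, "PR.AC-1": 3}

if __name__ == "__main__":
    for line in action_plan(find_gaps(CURRENT_PROFILE, TARGET_PROFILE, PRIORITIES)):
        print(line)
```

Running the script lists eight gaps; the three PR.AC-4 upgrades come first because of the assumed priority, and within PR.AC-3 the orthopedics silo precedes VPN because it has further to climb. Swapping in real profiles only requires replacing the two dictionaries.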

Contents
Key Section: Final Examination Question and Grading Template (Updated November 3, 2021)
Key Section: Final Examination Question: Build a Plan for an ABAC (Attribute Based Access Control) Pilot Case  1
Key Section: Question Building on Structured Discussions 1 and 2  1
Key Section: Question: Suggested Student Overview of the Final Examination Issues
Key Section: Question Scope: Build a Plan for an ABAC Pilot Case for a Hypothetical Inova Fairfax Hospital Transplant Center
Key Section: ABAC Pilot Case: Building on Two NIST NCCoE Use Cases: Integrating Selected NCCoE Use Case Analysis  2
Key Section: Plan for an ABAC Pilot Case: We Provide a Suggested Outline to Build a Plan for an ABAC Pilot Case  2
Key Section: Final Examination Scope: Management Approval for an ABAC Pilot Case
Key Section: Final Examination Scope: Management Approval for an ABAC Pilot Case: Building on Structured Discussion 2: Boeing 737 MAX: Three Management Levels: 1) Organization; 2) Mission/Business Systems; and 3) System  3
Key Section: Final Examination Format
Key Section: Final Examination: Suggested Student Outline
Key Issue 1: Title Page
Key Sections 1-7
Research: Background
Final Examination Research Background: Ten Step Analysis to Provide Detailed Research to Support Final Examination
Research Step 1/10: Since this is an introductory course, we provide for your review selected cybersecurity risk management guidance and concepts in a ten-step process. This ten-step process helps you work through the analysis. For example, we provide guidance, figures/tables, and sources for the steps  8
In addition, we also offer for your review conceptual views (Appendix I) and selected prior students’ guidance (Appendix II)  8
2. Research Step 2/10: Use the NIST Three-Level Framework for Cybersecurity Risk Management
2.1 Step 2.1/2.1 NIST Level 1: Organization: Hypothetical Inova Fairfax organization management: Assume approval for a pilot case for a transition to ABAC is suggested for the hypothetical CEO Inova Fairfax  9
NIST Level 3: System: Hypothetical Inova Fairfax mission/business systems plan for a pilot case for a transition to ABAC is implemented  10
Research Step 2.2/2.2: ABAC: Systems Security Engineering: Integrated Examples
Research Step 3/10: Final Examination: NIST Security Control Maps
Research Step 3.1/3.1 NIST Security Control Maps  11
4. Research Step 4/10: Apply NIST Security Control Maps and Architectures to the Final Examination
Analytical Note: A suggested analytical observation for Tables 1 and 2: EHR access control may be viewed as 1) PR.AC (RBAC); and 2) PR.AC-1, 3 and 4 (ABAC) for more fine-grained access  11
Research Step 4.1/4.1 NIST Healthcare Use Case Architecture and Security Control Maps  11
5. Research Step 5/10: Cybersecurity Framework: Improving a Cybersecurity Program: NIST Seven-Step Gap Analysis
Note: This is where grading decisions between B and A may occur, depending on how well you develop/analyze the NIST seven-step gap analysis for this case in the final examination and refer to figures/tables with footnotes for the captions. The NIST seven-step gap analysis is more formally defined in the CSF, Section 3.2  14
6. Research Step 6/10: Pilot Case: Key Inova Fairfax Cybersecurity Guidance
6.1 Research Step 6.1/6.5.1: Inova Fairfax Access Control Policy - Inova  17
Web Policies | Inova  17
Remote and Extended Access | Inova  17
Research Step 6.2/6.5.1 Mobile Device Management Policy - Inova  17
Research Step 6.3/6.5.1 Remote and Extended Access | Inova  17
Research Step 6.4/6.5.1 Other INOVA Access Control Issues  17
Research Step 6.4.1/6.5.1 For Employees | Inova  18
Research Step 6.5.1/6.5.1 Prior searches  18
Please update any additional links that you wish to use for your final examination  18
7. Research Step 7/10: Analysis
8. Research Step 8/10: Conclusions
9. Research Step 9/10: Matters for Consideration (Updated November 8, 2019)
10. Research Step 10/10: References
Appendix I: IA Final Examination: Conceptual Interpretation of Selected RBAC/ABAC Issues, Version 2.1, November 2, 2021
Research: Step 1: Final Examination Question
Research Step 4: Apply NIST Security Control Maps and Architectures to the Final Examination
Research Step 4.1: NIST Healthcare Use Case Architecture and Security Control Maps
Research Step 6: Pilot Case: Key INOVA Cybersecurity Guidance
Research Step 7: Analysis
Appendix II: Strategic/Tactical Rubric: Based on Student Comments
Strategic Rubric
Tactical Rubric: Based in part on a review of prior examinations, we update a Tactical Rubric

Research: Background
Final Examination Research Background: Ten Step Analysis to
Provide Detailed Research to Support Final Examination
Here for your review is a sample ten-step research analysis to provide background for using the
above Suggested Student Outline.

Research Step 1/10: Since this is an introductory course, we provide for your review
selected cybersecurity risk management guidance and concepts in a ten-step process.
This ten-step process helps you work through the analysis. For example, we provide
guidance, figures/tables, and sources for the steps.

In addition, we also offer for your review conceptual views (Appendix I) and selected
prior students’ guidance (Appendix II).

2. Research Step 2/10: Use the NIST Three-Level Framework for
Cybersecurity Risk Management

2.1 Step 2.1/2.1 NIST Level 1: Organization: Hypothetical Inova Fairfax organization
management: Assume approval for a pilot case for a transition to ABAC is suggested
for the hypothetical CEO of Inova Fairfax.

Responsibility: The hypothetical CEO (Chief Executive Officer) and Hospital Officers are responsible
for the go/no-go decision on cases that require integrating enterprise and cybersecurity risk
management (NISTIR 8170 Area 1). The go/no-go decision in this case is for the hypothetical CEO to
approve/disapprove a theoretical request from the hypothetical Level 2: Mission/Business Systems:
for example, to review an optimum set of scenarios for a pilot case for the Hypothetical Inova
Fairfax Hospital: Transplant Center. Each scenario for the pilot could include cost/benefit/risk. [4]
For example, NIST suggests consideration of cost/benefit/risk in an optimization approach, e.g.,
integrating three silos. In a hospital optimization environment, such as our Hypothetical Inova
Fairfax Hospital use case, there may be financial budget constraints for a pilot case to extend EHR
from “RBAC” to “RBAC extended to ABAC.”

One interpretation of NIST CPS (Cyber-Physical Systems) [5] risk optimization guidance applies to the
final examination Research Step 5.4: Conduct a Risk Assessment.

An overarching NIST view for CPS risk assessment is to optimize three factors
(silos)—cost/benefit/risk.

In Research Step 5.4, we could consider a NIST suggestion for a CPS “risk budget.” [6] For example, a
“risk budget” may be a fixed financial amount that is optimized by balancing five properties for the
pilot case described in this examination (see Research Step 5.4: Conduct a Risk Assessment). The
five properties or silos are 1) safety; 2) security; 3) reliability; 4) resilience; and 5) privacy. Possibly,
the above priority sequence may apply to the final examination pilot case.

NIST provides systems security engineering analysis [7] that could be interpreted for our pilot case to
extend EHR to ABAC for 1) Radiology Dept; 2) Dr. Jones: Orthopedics; and 3) VPN (Virtual Private
Network). For example, we could analyze three silos: 1) Radiology; 2) Dr. Jones: Orthopedics;
and 3) VPN. These three silos could be viewed from an integrated risk budget viewpoint using a
CPS “risk budget.”

[4] NIST Special Publication 1500-202, Vol. 2, Working Group Reports, Version 1.0, June 2017. Section 2.3.3:
The need for cross-property risk analysis for CPS, and Figure 3.
[5] Note: Mobile devices may be considered as CPS. Therefore, NIST SP 1500-202, Section 2.3.3 may be
considered as applying to the final examination (e.g., NIST SP 1800-1B, 3B).
[6] Ibid. (e.g., NIST SP 1800-1: RBAC EHR authentication upgrading to NIST SP 1800-3: ABAC EHR
authentication).
[7] For example:
a. NIST Special Publication 800-160, Vol. 1: Systems Security Engineering: Considerations for a
Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, November 2016/March 21,
2018. Figure 4: System Life Cycle Processes and Life Cycle States: Technical Management Processes: Risk
Management.
b. NIST Special Publication 800-160, Vol. 2: Developing Cyber Resilient Systems: A Systems Security
Engineering Approach, November 2019. Table 1: Cyber Resiliency Constructs: Definition, Purpose, and
Application at the System Level [for Goal (for example: high-level statement focusing on each aspect [of
cyber resiliency]: anticipate, withstand, recover, adapt), Objective, Sub-Objective, Activity or Capability].

NIST Level 2: Mission/Business Processes: Hypothetical Inova Fairfax organization management: Assume
approval to plan for a pilot case for a transition to ABAC.

Responsibility: The Hypothetical Inova Fairfax Hospital: Transplant Center plans for
implementation of the pilot.

Figure 2: Hypothetical INOVA Pilot Case: Transition from RBAC to ABAC [8]

[8] NISTIR 8170: Approaches for Federal Agencies to Use NIST CSF, August 17, 2021. Figure 2: Federal
Cybersecurity Approaches.

NIST Level 3: System: Hypothetical Inova Fairfax mission/business systems plan for a
pilot case for a transition to ABAC is implemented.

The focus for the pilot case is categories 1) Radiology Department; 2) Dr. Jones Orthopedics; and
3) VPN (integrating secure access for three To-Be silos for a pilot).

Research Step 2.2/2.2: ABAC: Systems Security Engineering: Integrated Examples

Please note that ABAC may be considered as a logical subset of NIST Special
Publication 800-207: Zero Trust Architecture, August 2020. For example, Section 3.1.1: ZTA
Using Enhanced Identity Governance; and Section 4.4: Collaboration Across Enterprise Boundaries. For
example:

Similar to Use Case 1, a PE [Policy Engine] and PA [Policy Administrator] hosted as a cloud service
may provide availability to all parties without having to establish a VPN or similar.

Further, attribute guidance is discussed in NIST Special Publication 800-210: General Access Control
Guidance for Cloud Systems, July 2020. Section 5.6: Guidance for Attribute and Role Management.

Research Step 3/10: Final Examination: NIST Security Control Maps

Research Step 3.1/3.1 NIST Security Control Maps

Please introduce the NIST concept of security control maps as it applies to NIST Cybersecurity
Risk Management cases.

For example, we highlight the five iterative functions from the Cybersecurity Framework Core—
identify, protect, detect, respond, recover9 (see figure 2).

Conceptually, NIST Figure 2, a high-level view of the NIST Cybersecurity Framework, V1.1,
March 2018, Appendix A, Table 2: NIST Core, introduces two concepts: 1) the five NIST iterative functions
assist in integrating functional silos; and 2) the NIST iterative functions map to informative
references, for example the security controls of NIST Special Publication 800-53 Rev. 4/5 (Draft):
Security and Privacy Controls for Information Systems and Organizations (Final Public Draft), March 16, 2020.

Figure 2: NIST Security Control Map: Function and Category Unique Identifiers
Source: NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, Draft 2, December 5, 2017
Note: Current version is 1.1, April 16, 2018.

4. Research Step 4/10: Apply NIST Security Control Maps and Architectures to the Final Examination

Here are the suggested Research Steps 4.1-8:

Analytical Note: A suggested analytical observation for Tables 1 and 2: EHR access
control may be viewed as 1) PR.AC (RBAC); and 2) PR.AC-1, 3 and 4 (ABAC) for more
fine-grained access.

Research Step 4.1/4.1 NIST Healthcare Use Case Architecture and Security Control
Maps

Here for your review are eight suggested steps for this section:

a. First/Eight: “As Is” Use Case Architecture: Please consider reviewing NIST Special
Publication 1800-1B: Securing Electronic Health Records on Mobile Devices:
Approach, Architecture, and Security Characteristics, July 2018, Section 3: Approach,
Figure 3-1: Security Characteristics Required to Securely Perform the Transfer of
Electronic Health Records Among Mobile Devices; and Section 4.2: Architecture
Description, Figure 4-1: Architecture for the Secure Exchange of Electronic Health
Records on Mobile Devices in a Healthcare Organization.
b. Second/Eight: Security Control Maps: A NIST security control map example of the
process for determining which security characteristics apply to SP 1800-1B is
presented in Table 3-2: Mapping Security Characteristics to the NIST Cybersecurity
Framework and HIPAA (Health Insurance Portability and Accountability Act).
   i. Please consider Table 3-2 (Note: This is a NIST Security Control Map).
c. Third/Eight: Please consider using the above figures and tables to introduce the “As
Is” Profile in your final examination.
d. Fourth/Eight: Please consider developing a version of this “As Is” NIST Security Control
Map for your final examination. For example, see Table 1. The remaining Table 1 entries are not
provided, i.e., …:

Table 1: Sample: Mapping Security Characteristics of NIST CSF, HIPAA Security Controls—“As Is” Profile

Source: NIST SP 1800-1B Draft: Securing Electronic Health Records on Mobile Devices: Approach, Architecture, and
Security Characteristics, July 2018, Table 3-2; and NIST: Framework for Improving Critical Infrastructure Cybersecurity,
Version 1.1, April 16, 2018, Appendix A, Table 2

e. Fifth/Eight: “To Be” Profile: Please prepare a table that represents a NIST Security Control
Map: Extract for a “Target Profile”—“To Be” for the final examination healthcare use case.
   An issue for the final examination is that step 5 is adding ABAC to RBAC. Therefore,
   just an ABAC table and ABAC architecture is not sufficient for “To Be.”
   The “Target Profile” could be a figure, such as a NIST security control map, that you
   develop to add attribute-based access control (ABAC) to: 1) the Radiology Department;
   2) Dr. Jones Orthopedics; and 3) VPN (Virtual Private Network) external access point for
   remote users (as defined in NIST SP 1800-1B: Table 4-1 [also listed as Table 2 [ABAC]
   above]). [Emphasis added]

NIST provides an example of ABAC mapping to the NIST CSF security characteristics (see Table 2:
[ABAC] Use Case Security Characteristics Mapped to Relevant Standards and Controls).

Table 2: [ABAC] Use Case Security Characteristics Mapped to Relevant Standards and Controls [Additive “To Be” Profile]

Source: NIST SP 1800-3B Draft: Attribute Based Access Control: Approach, Architecture, and Security Characteristics,
September 2017, Table 4.1: Use Case Security Characteristics Mapped to Relevant Standards and Controls; and NIST:
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018, Appendix A, Table 2

f. Sixth/Eight: The two baseline architectures are presented in SP 1800-1B: Figure 4-1—“As
Is”; and SP 1800-3B: Figure 5.1—“To Be”.
g. Seventh/Eight: Your assignment includes adapting SP 1800-3B: Figure 5.1: ABAC Build 1
Architecture—Additive “To Be” to meet the ABAC security requirements for three users in SP 1800-1B:
Figure 3: 1) the Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN external access point
for remote users. The basic access controls, such as RBAC (Role Based Access Control), in “As Is”
are extended to ABAC for “To Be.”
h. Eighth/Eight: In summary, ABAC supports a fine-grained access control upgrade for RBAC.

Review: Analytical Note: A suggested analytical observation for Tables 1 and 2: EHR access control may be viewed as 1)
PR.AC (RBAC); and 2) PR.AC-1, 3 and 4 (ABAC) for more fine-grained access.
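To make the additive relationship concrete, here is an added Python example (not code from this template, from NIST SP 1800-3B, or from Inova) of a toy policy decision point (PDP) and policy enforcement point (PEP) in the SP 800-207 sense. The “As Is” RBAC role check runs first; the “To Be” attribute rules can only narrow that grant, never widen it, which is what “ABAC is additive to RBAC” means in practice. The roles, departments, patient ids, the department-scoping rule and the VPN/managed-device rule are all constructed assumptions chosen to cover the three silos (Radiology, Dr. Jones Orthopedics, VPN remote users).

```python
"""Toy PDP/PEP: RBAC 'As Is' baseline extended additively with ABAC 'To Be' rules.
All roles, departments, patient ids and rules are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# "As Is" RBAC baseline: role -> actions a holder of that role may perform on EHR records.
RBAC_PERMISSIONS = {
    "physician": {"read", "write"},
    "radiology_technologist": {"read", "write"},
    "nurse": {"read"},
}


@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str
    department: str           # home department, e.g. "radiology" or "orthopedics"
    care_team_of: frozenset   # patient ids this clinician actively treats


@dataclass(frozen=True)
class Resource:
    patient_id: str
    department: str           # department that owns the record
    record_type: str


@dataclass(frozen=True)
class Environment:
    channel: str              # "onsite" or "vpn" (remote user via the VPN access point)
    device_managed: bool      # True if the device is enrolled in mobile device management


@dataclass
class Decision:
    permit: bool
    reasons: List[str]


Rule = Callable[[Subject, Resource, str, Environment], Optional[str]]


def rule_department_scope(s: Subject, r: Resource, action: str, env: Environment) -> Optional[str]:
    """Assumed attribute rule 1: a record is in scope only if it belongs to the subject's
    own department or to a patient on the subject's care team."""
    if r.department == s.department or r.patient_id in s.care_team_of:
        return None
    return f"patient {r.patient_id}'s record is outside {s.user_id}'s department and care team"


def rule_remote_access(s: Subject, r: Resource, action: str, env: Environment) -> Optional[str]:
    """Assumed attribute rule 2: access via the VPN access point is read-only and
    requires a managed device."""
    if env.channel != "vpn":
        return None
    if not env.device_managed:
        return "remote access from an unmanaged device is refused"
    if action != "read":
        return f"remote access is read-only; '{action}' refused"
    return None


ABAC_RULES: List[Rule] = [rule_department_scope, rule_remote_access]


def rbac_decide(subject: Subject, action: str) -> bool:
    """'As Is' decision: the coarse role check only."""
    return action in RBAC_PERMISSIONS.get(subject.role, set())


def pdp_decide(subject: Subject, resource: Resource, action: str, env: Environment) -> Decision:
    """'To Be' decision: RBAC first, then every attribute rule; any rule denial overrides.
    ABAC therefore never widens the RBAC grant, it only narrows it."""
    if not rbac_decide(subject, action):
        return Decision(False, [f"role '{subject.role}' has no '{action}' permission"])
    denials = [why for rule in ABAC_RULES if (why := rule(subject, resource, action, env))]
    if denials:
        return Decision(False, denials)
    return Decision(True, ["RBAC permit and all attribute rules satisfied"])


def pep_enforce(subject: Subject, resource: Resource, action: str, env: Environment) -> str:
    """PEP: the single choke point in front of the record store; it only relays the PDP's answer."""
    decision = pdp_decide(subject, resource, action, env)
    return "PERMIT" if decision.permit else "DENY: " + "; ".join(decision.reasons)


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Constructed scenarios across the three silos: {name: (rbac_permit, rbac_plus_abac_permit)}."""
    dr_jones = Subject("dr_jones", "physician", "orthopedics", frozenset({"P-1"}))
    rad_tech = Subject("rad_tech_1", "radiology_technologist", "radiology", frozenset())
    nurse = Subject("nurse_1", "nurse", "orthopedics", frozenset({"P-1"}))
    imaging_p1 = Resource("P-1", "radiology", "imaging")
    imaging_p2 = Resource("P-2", "radiology", "imaging")
    ortho_note_p1 = Resource("P-1", "orthopedics", "ortho_note")
    onsite, vpn_managed, vpn_unmanaged = Environment("onsite", True), Environment("vpn", True), Environment("vpn", False)
    cases = {
        "rad tech writes radiology image onsite": (rad_tech, imaging_p1, "write", onsite),
        "dr_jones reads imaging of own patient onsite": (dr_jones, imaging_p1, "read", onsite),
        "dr_jones reads imaging of another patient onsite": (dr_jones, imaging_p2, "read", onsite),
        "dr_jones reads own patient via VPN, managed device": (dr_jones, imaging_p1, "read", vpn_managed),
        "dr_jones reads own patient via VPN, unmanaged device": (dr_jones, imaging_p1, "read", vpn_unmanaged),
        "dr_jones writes via VPN, managed device": (dr_jones, imaging_p1, "write", vpn_managed),
        "nurse writes ortho note onsite": (nurse, ortho_note_p1, "write", onsite),
    }
    return {name: (rbac_decide(s, a), pdp_decide(s, r, a, e).permit) for name, (s, r, a, e) in cases.items()}


if __name__ == "__main__":
    for name, (rbac, abac) in run_scenarios().items():
        print(f"{name:55s} RBAC={'permit' if rbac else 'deny':6s} RBAC+ABAC={'permit' if abac else 'deny'}")
```

The scenario table is the point: under RBAC alone, Dr. Jones's physician role reads any radiology image, including a patient he does not treat, and reads or writes from any device over the VPN; the attribute layer refuses exactly those cases while leaving every RBAC denial (the nurse's write) untouched. That is the PR.AC (RBAC) versus PR.AC-1, 3, 4 (ABAC) distinction of the analytical note rendered as a decision function.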

5. Research Step 5/10: Cybersecurity Framework: Improving a Cybersecurity Program: NIST Seven-Step Gap Analysis

Note: This is where grading decisions between B and A may occur, depending on how well you
develop/analyze the NIST seven-step gap analysis for this case in the final examination and refer to
figures/tables with footnotes for the captions. The NIST seven-step gap analysis is more formally
defined in the CSF, Section 3.2. [9]

Please consider developing a NIST seven-step gap analysis [10] for the final examination case. As
introduced, this case defines three users for this pilot healthcare system: 1) Radiology Department;
2) Dr. Jones Orthopedics (specialty practice); and 3) remote users via a VPN (Virtual Private
Network) external access point.

Note: Section 5: The pilot case introduces a “worked example” of healthcare systems technology.
For example, the Inova Fairfax Hospital EHR system is based on Epic healthcare technology.

This pilot case is for adding ABAC (fine-grained access control) to NIST Cybersecurity Practice Guide
SP 1800-3B, Figure 4-1: Architecture for the secure exchange of electronic health records on mobile
devices in a healthcare organization.

Please follow the NIST instructions in NIST: Framework for Improving Critical Infrastructure
Cybersecurity, Version 1.1, April 16, 2018, Section 3.2: Establishing or Improving a Cybersecurity Program:
Seven-step gap analysis:

Research Step 5.1: Prioritize and Scope

Research Step 5.2: Orient

Research Step 5.3: Create a Current Profile—“As Is”
a. Table 1: NIST Special Publication 1800-1b: Draft: Securing Electronic Health Records on Mobile
Devices, Approach, Architecture, and Security Characteristics, July 2015: Table 2: Mapping Security
Characteristics to the CSF [NIST Cybersecurity Framework] and HIPAA [Health Insurance Portability and
Accountability Act].
b. Table 2: NIST Special Publication 1800-1d: Draft: Securing Electronic Health Records on Mobile
Devices: Standards and Controls Mapping, July 2015: Table 2: Security Characteristics Mapped to
Cybersecurity Standards and Best Practices and HIPAA. [An extract is fine.]
c. Figure 1: NIST Special Publication 1800-1b: Draft: Securing Electronic Health Records on Mobile
Devices, Approach, Architecture, and Security Characteristics, July 2015: Figure 3: Architecture for
the secure exchange of electronic health records on mobile devices in a health care organization.

9. NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018.
Section 3.2: Establishing or Improving a Cybersecurity Program.
10. Ibid.

As introduced, please consider figures/tables and captions with a footnote.

Research Step 5.4: Conduct a Risk Assessment

(Review: See Research section 2.1.) For example, for the Hypothetical Inova Fairfax Hospital: Transplant
Center, each scenario for the pilot could include cost/benefit/risk.11 NIST suggests considering the
cost/benefit/risk of an optimization approach, e.g., integrating three silos. In a hospital optimization
environment, such as our Hypothetical Inova Fairfax Hospital use case, there may be financial budget
constraints for a pilot case that extends the EHR from “RBAC” to “RBAC extended to ABAC.”

One interpretation of NIST CPS (Cyber-Physical Systems)12 risk optimization guidance applies to the
final examination Research Step 5.4: Conduct a Risk Assessment.

An overarching NIST view for CPS risk assessment is to optimize three factors (silos): cost, benefit,
and risk.

In Research Step 5.4, we could consider the NIST suggestion of a CPS “risk budget.”13 For example, a
“risk budget” may be a fixed financial amount that is allocated by balancing five properties for the
pilot case described in this examination. The five properties (silos) are 1) safety; 2) security;
3) reliability; 4) resilience; and 5) privacy. Possibly, the above priority sequence may apply to the
final examination pilot case.

11. NIST Special Publication 1500-202, Vol. 2, Working Group Reports, Version 1.0, June 2017. Section 2.3.3:
The need for cross-property risk analysis for CPS, and Figure 3.
12. Note: Mobile devices may be considered as CPS. Therefore, NIST SP 1500-202, Section 2.3.3 may be
considered as applying to the final examination (e.g., NIST SP 1800-1B, 3B).
13. Ibid. Note: Mobile devices may be considered as CPS. Therefore, NIST SP 1500-202, Section 2.3.3 may be
considered as applying to the final examination (e.g., the NIST SP 1800-1 RBAC EHR access control upgraded
to NIST SP 1800-3 ABAC EHR access control).

NIST provides systems security engineering analysis14 that could be interpreted for our pilot case to
extend the EHR to ABAC for 1) the Radiology Dept; 2) Dr. Jones: Orthopedics; and 3) the VPN (Virtual
Private Network). For example, we could analyze three silos: 1) Radiology; 2) Dr. Jones: Orthopedics;
and 3) VPN. These three silos could be viewed from an integrated viewpoint using a CPS “risk budget.”

Research Step 5.5: Create a Target Profile—“To Be”

Please consider figures/tables and captions with footnotes.

For example, the two additive “To Be” figures/tables are SP 1800-3B: Table 4.1 and Figure 5.1.
Your assignment includes proposing one or more tables and figures that show your proposed ABAC
architecture upgrade for SP 1800-1B: Figure 4-1. Our focus is on access control for the three users
for this healthcare case: 1) the Radiology Department; 2) Dr. Jones Orthopedics; and 3) the VPN
external access point for remote users.
a. Note: ABAC is an additive architecture. In this case, ABAC is added to the SP 1800-1
RBAC (Role Based Access Control) system.
b. Table 3: NIST Special Publication 1800-3B: Attribute Based Access Control: Approach,
Architecture, and Security Characteristics: Second Draft, September 2017: Table 4.1: Use Case
Security Characteristics Mapped to Relevant Standards and Controls.
c. Figure 2: NIST Special Publication 1800-3B: Attribute Based Access Control: Approach,
Architecture, and Security Characteristics: Second Draft, September 2017: Figure 5.1: ABAC
Build 1 Architecture.
d. Figure 3: ABAC Extension to RBAC SP 1800-1B: Figure 4-1: Architecture for the Secure
Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization.

An ABAC additive issue may be considered as adding ABAC specificity to the RBAC access control in
SP 1800-1B: Figure 3-1: Security Characteristics Required to Securely Perform the Transfer of
Electronic Health Records Among Mobile Devices. Note that ABAC refines authorization (what an
already-authenticated subject may do to a given object under given conditions); it does not replace
the authentication that establishes who the subject is, so the authentication characteristics in
Figure 3-1 remain in the “To Be” profile.

Research Step 5.6: Determine, Analyze, and Prioritize Gaps

Research Step 5.7: Implement Action Plan

14. For example:
c. NIST Special Publication 800-160, Vol. 1: Systems Security Engineering: Considerations for a
Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, November 2016/March 21,
2018. Figure 4: System Life Cycle Processes and Life Cycle States: Technical Management Processes: Risk
Management.
d. NIST Special Publication 800-160, Vol. 2: Developing Cyber Resilient Systems: A Systems Security
Engineering Approach, November 2019. Table 1: Cyber Resiliency Constructs: Definition, Purpose, and
Application at the System Level [Goal (for example, a high-level statement focusing on each aspect of
cyber resiliency: anticipate, withstand, recover, adapt), Objective, Sub-Objective, Activity or Capability].
6. Research Step 6/10: Pilot Case: Key Inova Fairfax Cybersecurity Guidance
Key Issue: If Inova Fairfax cybersecurity guidance is RBAC oriented, we could suggest that the
RBAC oriented guidance be considered for an upgrade to ABAC cybersecurity guidance.

Please include consideration of the following Inova Fairfax access documents. These documents
provide guidance for Inova Fairfax 1) Access Control Policy; 2) Mobile Device Management
Policy; 3) Remote and Extended Access; and 4) Other Inova Fairfax Access Issues.
Research Step 6.1/6.5.1: Inova Fairfax Access Control Policy

Web Policies | Inova
www.inova.org › about-inova › web-policies
... of the internet, Inova Health Foundation (Inova) does not warrant that access to any Inova web
property or any of its pages will be uninterrupted or error free.

Remote and Extended Access | Inova
www.inova.org › for-employees › remote-extended-acc...
For Inova employees: This webpage has links to Citrix applications (Inova remote network access),
referring physician PACS access, InovaNet, and MyTime.

Research Step 6.2/6.5.1: Mobile Device Management Policy - Inova
https://www.inova.org › sites › default › files › mobile-device-mgmt
Page 1 of 4. The Mobile Device Management Policy provides the standards and rules of behavior for
the use of all “Mobile ... http://inovanet.net.inova.org/policies/view.aspx?id=2281&sid=1&categoryId=586
... Inova IT ... and limited personal communication or recreation, such as reading or game playing.
... Documents.

Research Step 6.3/6.5.1: Remote and Extended Access | Inova
https://www.inova.org › for-employees › remote-extended-access
For Inova employees: This webpage has links to Citrix applications (Inova remote network access),
referring physician PACS access, InovaNet, and MyTime ...

Research Step 6.4/6.5.1: Other INOVA Access Control Issues

Research Step 6.4.1/6.5.1: For Employees | Inova
https://www.inova.org › for-employees
Check the links below, and on the left- and right-hand sides of the page, for ways to access
Inova email accounts, the network, policies and information on the ...

Research Step 6.5.1/6.5.1: Prior searches

Please update any additional links that you wish to use for your final examination.

Prior INOVA search results could be augmented with other INOVA links for INOVA EpicCare, including:
1. Physicians
2. Patient: MyChart Video
3. Employee Remote Access
4. EpicCare Link

7. Research Step 7/10: Analysis

Please answer the Analysis aspect of the Final Examination Question.

When developing your analysis with respect to the examination question, please consider
including a comparison of your “To Be” security architecture with the hypothetical Inova
Fairfax Epic/EpicCare baseline case, the “As Is” Profile. For example, Inova Fairfax
EpicCare is an operational system, whereas an ABAC pilot for a healthcare system applies to
“designing in security”11 for future healthcare systems.

During the pilot, the hypothetical Inova Fairfax has to maintain operations and patient
safety levels.

Analysis Levels: Hypothetical Inova Fairfax Hospital Case


1. NIST Level 1: Organization [Hypothetical Inova Fairfax Hospital policy, such as the Mobile Device
Management Policy. Assume the CEO approves this pilot.]
2. NIST Level 2: Mission/Business Processes [Hypothetical Inova Fairfax Hospital procedures, such
as Transplant Center procedures. Assume the Manager of the Transplant Center approves the procedures
for this pilot.]
3. NIST Level 3: System [Hypothetical Inova Fairfax system implementation, such as the VPN,
Radiology, and Dr. Jones. Assume that a case manager is assigned for this pilot.]

Note: As of November 2, 2021, consider building on a candidate implementation of Zero Trust
Architecture (ZTA) for ABAC systems, such as the Hypothetical Inova Fairfax Hospital Case:

Note: A formal definition of PDP/PEP (Policy Decision Point/Policy Enforcement Point) is provided
in NIST Special Publication 800-207: Zero Trust Architecture, August 2020. Section 2: Zero Trust
Basics and Figure 1: Zero Trust Access.

In that model the PDP computes the ABAC fine-grained access control decision from the subject,
object, and environment attributes, and the PEP enforces that decision on the path between the
subject and the EHR resource. A PEP that every request must pass through is what makes the ABAC
policy effective; a PEP that can be bypassed leaves the policy advisory.

8. Research Step 8/10. Conclusions


Please answer the Conclusions aspect of the Final Examination Question.

Please develop your Conclusions based on your Analysis: Please consider a second level of specificity.
Conclusions Levels
1. NIST Level 1: Organization. For example, assume CEO decision to approve this pilot.
2. NIST Level 2: Mission/Business Processes. For example, assume the Transplant Center
manager provides the NIST seven-step gap analysis instructions for this pilot.
3. NIST Level 3: System. For example, assume that the Pilot team implements the NIST seven-
step gap analysis for the completed pilot.

9. Research Step 9/10: Matters for Consideration (Updated November 8, 2019)
Mobile devices may be considered from a unified CPS/IoT (Cyber-Physical Systems/Internet of
Things)15 systems perspective (see Figure 1). For example, we may analyze CPS/IoT issues such as
access and authorization, data security, and privacy concerns.

15. NIST Special Publication 1900-202: Cyber-Physical Systems and Internet of Things, March 2019. Section 6:
Unified Perspective. Figure 8A: Components Model.

Figure 2: CPS/IoT Unified View for Autonomous Vehicles
Source: NIST: Special Publication 1900-202: Cyber-Physical Systems and Internet of Things, March 2019. Section 6.1:
Components Model: Linked Logical and Physical Elements.
In addition, there are unified CPS/IoT ‘system risk budget’ issues.16
10. Research Step 10/10: References

As introduced, please consider figures/tables with footnotes for captions. Please consider
comprehensive footnotes, such as author, title, organization, document number, date, etc.

16. NIST Special Publication 1500-202: Framework for Cyber-Physical Systems: Working Group Reports, Vol. 2, Vers. 1,
June 26, 2017. Section 2.3.3: The need for cross-property risk analysis for CPS (system ‘risk budget’ [optimization
of security, safety, reliability, privacy, and resilience]); and Figure 3: Physical, Analog, and Cyber Components of CPS.
Appendix I: IA Final Examination: Conceptual Interpretation of
Selected RBAC/ABAC Issues, Version 2.1, November 2, 2021
 IA students,
 
Perhaps, you may be interested in this Version 2.1 of selected comments to students
concerning an interpretation of the final examination. The comments apply in part to the
August 1, 2020, Final Examination Steps 1, 4, 4.1, 6 and 7.

Hopefully, this is helpful.

Best regards,
Harold

Research: Step 1: Final Examination Question

Perhaps the following conceptual view of the final examination could be helpful:

Conceptually, the final examination is concerned with developing a hypothetical pilot case for the
Inova Fairfax Hospital, Transplant Center. The case may be viewed as adding specificity (Attribute
Based Access Control) to access control (Role Based Access Control):

Figure 1 (below): RBAC may be mapped to the NIST Cybersecurity Framework Identity Management,
Authentication and Access Control (PR.AC) security function. Please see Research: Final Examination
Step 4: Apply NIST Security Control Maps and Architectures: Table 1: Sample: Mapping Security
Characteristics of NIST CSF, HIPAA Security Controls—“As Is” Profile.

Figure 2 (below): ABAC may be mapped to the NIST Cybersecurity Framework Identity Management,
Authentication and Access Control subcategories PR.AC-1, PR.AC-3 and PR.AC-4. A key issue is that
ABAC has more specificity than RBAC, e.g., the PR.AC-1, PR.AC-3 and PR.AC-4 subcategories for ABAC
vs. the PR.AC category for RBAC. (See Final Examination Table 2: [ABAC] Use Case Security
Characteristics Mapped to Relevant Standards and Controls [Additive “To Be” Profile].)

Source: NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and
Considerations, August 2, 2019

Figure 1: Traditional (Non-ABAC, such as RBAC [Role Based Access Control]) Multi-Organizational Access
Method may be interpreted with respect to the final examination question (Research: Step 1: Final
Examination Question [“As Is” Architecture]):

1. Organization A’s Subjects (Users)
a. Users accessing the Radiology Department using RBAC.
b. Dr. Jones Orthopedics accessing EHRs (Electronic Health Records) using RBAC.
2. Access Request
a. Using a VPN (Virtual Private Network)

Source: NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and
Considerations, August 2, 2019

Figure 2: Basic ABAC Scenario [“To Be” Architecture] may be interpreted with respect to the final
examination question (Step 1: Final Examination Question):

1. Organization A’s Subjects (Users)
a. Users accessing the Radiology Department using ABAC.
b. Dr. Jones Orthopedics accessing EHRs (Electronic Health Records) using ABAC.
2. Access Request: ABAC Step 1: Subject requests access to object
a. Using a VPN (Virtual Private Network)
3. ABAC Step 2: The ABAC Access Control Mechanism evaluates a) rules; b) subject attributes; c) object
attributes; and d) environment conditions to compute a decision.
4. ABAC Step 3: The subject [user request to the Radiology Department and/or Dr. Jones Orthopedics
accessing EHRs] is given access to the object if authorized.

Research Step 4: Apply NIST Security Control Maps and Architectures to the Final Examination
Research Step 4.1: NIST Healthcare Use Case Architecture and Security Control Maps:
Fourth: One interpretation of step Fourth (“As Is” NIST Security Control Map in Table 1) is to 1) copy
Table 1: Sample: Mapping Security Characteristics of NIST CSF, HIPAA Security Controls--“As Is” Profile;
and 2) explain the importance of Access Control (PR.AC) for RBAC to the design of the Inova Fairfax pilot.

Fifth: One interpretation of step Fifth (“To Be” Profile) is to 1) copy Table 2: [ABAC] Use Case
Security Characteristics Mapped to Relevant Standards and Controls [Additive “To Be” Profile]; and
2) explain the importance of the added Access Control (PR.AC) specificity for ABAC to the design of a
transition from 1) RBAC to 2) RBAC extended to ABAC for the INOVA pilot. For example, Table 2, rows 1-3,
column 5 identifies at a second level of specificity the subcategories PR.AC-1, PR.AC-3, and PR.AC-4,
whose informative references map to controls in NIST SP 800-53 rev 4 [Note: the current version is
SP 800-53 rev 5, December 10, 2020].

Research Step 6: Pilot Case: Key INOVA Cybersecurity Guidance:

One view of the INOVA 1) Access Control Policy, 2) Mobile Device Management Policy, 3) Remote and
Extended Access; and 4) Other INOVA Access Issues, is that Steps 1-5 for the Pilot should be
compatible with the Step 6 INOVA Access Policy Issues. For example, Steps 1-5:

• Step 1: Final Examination Question;
• Step 2: Use the NIST Three-Level Framework for Cybersecurity Risk Management;
• Step 3: Final Examination: NIST Security Control Maps;
• Step 4: Apply NIST Security Control Maps and Architecture to the Final Examination;
• Step 5: Cybersecurity Framework: Improving a Cybersecurity Program: NIST Seven-Step Gap Analysis;
• Step 6: Pilot Case: Key INOVA Cybersecurity Guidance.

In brief, Step 6: Pilot Case may include a focus on ABAC issues that is beyond the scope of the
INOVA RBAC access policy. Therefore, this situation could require consideration in Step 7.
 

Research Step 7: Analysis:

Yes. The expectation includes stating and describing potential Inova Fairfax policy updates to
accommodate ABAC. For example, these updates could be considered for each NIST level:
1) Organization; 2) Mission/Business Processes; and 3) System.
 
Hopefully, this is helpful.
Best regards,
Harold

Appendix II: Strategic/Tactical Rubric: Based on Student Comments
Question Strategy: Please place your emphasis on analysis and conclusions. This helps
demonstrate your understanding of the final examination issues.

Strategic Rubric
Question Visualization: To help with visualization of a scenario for this examination, here is a
hypothetical ABAC pilot case for a hypothetical Inova Fairfax hospital.
• Inova Fairfax uses an integrated healthcare system called EpicCare.
• Please consider the Inova Fairfax access control policy: a theoretical INOVA Mobile Device
Management Policy, Version 2.0, April 21, 2016;
https://www.inova.org/upload/docs/Education%20and%20Research/GME/mobile-device-mgmt.pdf .
• We suggest for this examination that a theoretical Inova Fairfax Transplant Center is considering
evaluation of an ABAC pilot EHR system for its potential application to its transplant patient EHRs.
• The EHR system that the ABAC pilot extends is introduced in NIST Special Publication 1800-1:
Securing Electronic Health Records on Mobile Devices, July 2018. Figure 4-1: Architecture for the
Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization.
• The ABAC architecture to be added to the pilot is introduced in NIST Special Publication 1800-3:
Attribute Based Access Control, Second Draft, September 2017.
• The Inova Fairfax Transplant Center will use NIST cybersecurity risk management guidance to
assess the potential impact of the ABAC pilot.

Suggested strategy: Please consider the Inova Fairfax Transplant Center as the organization that is
evaluating the ABAC case. A central issue for this examination is to consider NIST SP 1800-1B, July
2018, Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices
in a Healthcare Organization. The three data center access categories for this ABAC case are
1) Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN.

The Inova Fairfax Transplant Center could be considering updating their RBAC (Role Based Access
Control) system architecture to ABAC (Attribute Based Access Control). Role based access control
assigns users to roles (groups), for example patients, doctors, nurses, pharmacy, radiology, and
external users, and grants permissions to the role. ABAC is additive and provides more fine-grained
access control: the decision also takes subject, object, and environment attributes into account. For
example, a transplant surgeon may be required to authenticate with a fingerprint, a one-time code, and
possession of his/her registered cell phone; the resulting authentication strength and the phone's GPS
location can then serve as fine-grained ABAC attributes (subject attributes and environment conditions)
in the access decision.

Caveat: This case is hypothetical: We are using the Inova Fairfax Transplant Center as the
basis for evaluation of a hypothetical ABAC case to assist in our final examination analysis.

Suggested case setting: For this examination, please consider the Inova Fairfax Transplant Center
management as analyzing an ABAC case. The “As Is” architecture for this ABAC case is presented in the
Electronic Health Records (EHR) system architecture in Figure 4-1: Architecture for the Secure Exchange
of Electronic Health Records on Mobile Devices in a Healthcare Organization.

The Inova Fairfax Transplant Center may be considering this ABAC case. For example, this ABAC case
involves the seven steps that are defined in the NIST Cybersecurity Framework.17 We highlight three
key steps from the seven steps for the analysis of the RBAC case18:

1. Create a Current Profile: NIST Cybersecurity Framework Step 3:
a. Identification of the “As Is” RBAC EHR architecture.
2. Conduct a Risk Assessment: NIST Cybersecurity Framework Step 4:
a. A risk assessment of transitioning the “As Is” RBAC EHR architecture for the ABAC pilot to a
“To Be” ABAC EHR architecture. The risk assessment involves optimization of cost, benefit,
cybersecurity risk, and patient risk.
b. For example, an ABAC EHR architecture may reduce the risk of entering incorrect kidney transplant
patient anti-rejection medicine doses in a database, for instance by restricting writes to a
medication order to the treating clinician, from an approved device, with multi-factor authentication.
3. Create a Target Profile: NIST Cybersecurity Framework Step 5:
a. Identification of the “To Be” ABAC EHR target architecture.

Cybersecurity and Safety Risk Optimization: Inova Fairfax Transplant Center management
cannot change its EHR architecture within the Inova Fairfax Hospital EpicCare environment
without Inova Fairfax Hospital approval. For example, an integrated transition plan would have
to be approved to evolve its access control system from RBAC to ABAC. Therefore, we may
consider this examination as developing for review by Inova Fairfax Transplant Center
management an ABAC pilot that includes a RBAC to ABAC transition program. This transition
program could provide a use case for the Transplant Center to consider when assessing
cybersecurity and patient safety vs Inova Fairfax Hospital EHR cybersecurity and patient safety in
the existing EpicCare hospital environment.

NIST Cybersecurity Guidance or Metrics: In summary, please consider the final examination as a
project to analyze the cybersecurity risk and patient safety risk management issues of a proposed
ABAC pilot. The scope of the ABAC pilot is:

Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile
Device in a Healthcare Organization. The three data center access categories are
1)Radiology Department: 2) Dr. Jones Orthopedics; and 3) VPN

Examination strategy: Scenario Example: Please analyze the ABAC pilot as a scenario for the
three data center access categories 1)Radiology Department: 2) Dr. Jones Orthopedics; and 3)
VPN. Here for your review is a conceptual view of the analysis of the pilot with respect to selected
NIST guidance.

1. Focus for Demonstration of Knowledge: Please consider the “big picture” for the final
examination. For example, how do Inova Fairfax Hospital management and the Inova Fairfax Transplant
Center management develop an integrated analysis of this ABAC case? As introduced, a key part of the
final examination grade is based on student analysis, such as implementing for the ABAC case the NIST
seven-step risk analysis.19 We are suggesting the use of the NIST three managerial levels to assist in
an integrated view of three silos, e.g., 1) Dr. Jones access; 2) Radiology records; and 3) VPN.

17. NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018.
Section 3.2: Establishing or Improving a Cybersecurity Program.
18. Ibid.
2. Consider Using the NIST Three Managerial Levels: For example, the NIST seven-step risk
analysis may be viewed from the three NIST managerial levels in the Inova Fairfax hospital.
For example:

• NIST Cybersecurity Risk Management Level 1: Organization: Inova Fairfax Hospital
  o Decisions with respect to the ABAC pilot: Hospital management determines the
cost/benefit/cybersecurity and patient safety risk that would result from adopting the
ABAC pilot transition from RBAC to ABAC on a hospital wide basis. For example,
how would this impact patient safety for Inova Fairfax within the EpicCare
hardware/software architecture?
• NIST Cybersecurity Risk Management Level 2: Mission/Business Processes
  o Decisions with respect to the ABAC pilot: Inova Fairfax Transplant Center
management determines the cost/benefit/cybersecurity and transplant patient safety
risk that would result from adopting the ABAC pilot transition from RBAC to ABAC
on a center wide basis. For example, how would this impact patient safety for the
Inova Fairfax Transplant Center within the EpicCare hardware/software
architecture?
• NIST Cybersecurity Risk Management Level 3: System
  o Decisions with respect to the ABAC pilot: Inova Fairfax Transplant Center
management determines the cost/benefit/cybersecurity and transplant patient safety
risk that would result from adopting the ABAC pilot transition from RBAC to ABAC
within the center for each transplant patient category: 1) lung transplant; and 2)
kidney and pancreas transplant. For example, how would this impact patient safety
for kidney transplant patients within the Inova Fairfax Transplant Center? Patient
safety includes preserving the integrity of EHR records for anti-rejection medicine
identification and prescription doses.

19. Ibid.

Tactical Rubric: Based in part on a review of prior examinations, we update a Tactical Rubric
Authoritative NIST and NISTIR Cybersecurity Risk Management Guidance: Please consider as
metrics for your examination the use of NIST cybersecurity risk management guidance. This
includes providing footnotes for key issues.

RBAC: “As Is” Profile: Please consider for role based access control (RBAC) the hospital
healthcare EHR system that is defined in a NIST cybersecurity risk management use case. This
case is reported in NIST SP 1800-1B: Securing Electronic Health Records on Mobile Devices, July
2018. Section 4: Architecture: Figure 4-1: Architecture for the Secure Exchange of Electronic
Health Records on Mobile Devices in a Healthcare Organization.

ABAC: “To Be” Profile: Please consider a transition from a NIST standards based approach for
access control, audit controls/monitoring and device integrity20 that uses RBAC to attribute based access
control (ABAC). Please consider for the transition, NIST metrics provided in NIST: Framework for
Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018. Section 3.2:
Establishing or Improving a Cybersecurity Program [seven step gap analysis].

NIST ABAC Publications: Two NIST ABAC publications are suggested for this examination:
1) NIST Special Publication 1800-3B: Attribute Based Access Control, Volume B: Approach,
Architecture, and Security Characteristics, Second Draft, September 2017.
2) NIST Special Publication 800-205 (Draft): Attribute Considerations for Access Control
Systems, February 13, 2019. Figure 1: Scopes of Attributes Used: Authorization,
Authentication, and Attribute Proofing of an Access Control System.
As introduced, please consider footnotes for key issues and for captions for
figures/tables.

20. NIST Special Publication 1800-1B. Table 3-2: Mapping Security Characteristics to the NIST Cybersecurity
Framework and HIPAA [Health Insurance Portability and Accountability Act].
