
Week 7 Assignment Ricardo Nevarez

Executive Summary

The goal of this paper is to inform you, the CEO of the fictitious healthcare company FC. Inc., about the use of industry-recognized security guidelines provided by the National Institute of Standards and Technology (NIST), including NIST SP 800-137 on Continuous Monitoring (Dempsey, et al., 2011), and their applicability to securing the Confidentiality, Availability, and Integrity (CIA triad) of this organization's data regardless of changes in personnel, hardware, software, firmware, or the environment. The intention here is to explain not only the what and the how, but also the why of each step of the NIST Risk Management Framework (RMF) process. This paper shows how we can manage and mitigate risk by using continuous monitoring, and determine the level of risk based on risk goals and knowable threats to the organization's computer network infrastructure.

NIST Risk Management Framework

The Risk Management Framework is the selection of applicable security controls applied to the network system, and it provides an effective framework to ensure the Confidentiality, Availability, and Integrity of this organization's data. The RMF consists of six steps: 1) Categorize, 2) Select, 3) Implement, 4) Assess, 5) Authorize, and 6) Monitor (NIST, 2018). Not having working knowledge of the RMF, how it relates to the network information system, the selection of security controls, their implementation and effectiveness (Boyens & Paulsen), and the overall lack of continuous monitoring, will put this organization at an unwarranted disadvantage, which means a weakened overall security infrastructure.

Risk Management Framework Steps Defined


Step 1) Categorize – refers to defining which information on the system is critical, considered against the worst-case scenario, and what negative impact its compromise would have on the organization. NIST FIPS 199 (NIST, 2004) and SP 800-60 (Stine, Kissel, Barker, Fahlsing, & Gulick, 2008) provide guidelines with which we can determine the security categorization of our information system and its Type, respectively. These guidelines help identify a high watermark for the plausible impact, whether Low, Moderate, or High, on the data within the information system when a data breach occurs. The security objectives are to identify the potential impacts and apply this high watermark across the CIA Triad: how a potential data breach would hurt the system and the mission of this organization. Knowing the high watermark also helps us choose the proper security controls, implement them on the data, and judge how well they work within the system. To determine the overall security categorization we need to determine the Type of information system we have and the impact level for the Confidentiality, Integrity, and Availability of the data we are protecting. The security objectives as they apply to the CIA Triad are defined as follows:

Confidentiality – "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information."

Integrity – "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity."

Availability – "Ensuring timely and reliable access to and use of information."

From NIST Special Publication 800-60 Volume II, the Type that applies to our organization's information system is the IT Infrastructure Maintenance Type (Stine, Kissel, Barker, Fahlsing, & Gulick, 2008). System maintenance applies to our servers, firewalls, workstations, Windows OS, LAN printers, fax, programs, and teleconferencing. This is the system description of our information system to which our highest watermark will be applied.

We determined that the internal information we have previously labeled secure needs to be protected, and the following security categorizations describe the impact on our organization should this data become compromised. Should there be a breach of our secure data, the Confidentiality of the compromised data is classified as HIGH: if the data is exposed to unauthorized employees, this will have a negative internal impact on the organization, which could result in lawsuits and in disgruntled employees if they see their coworkers making more money, etc. Because Confidentiality has been deemed HIGH, the highest watermark level will be HIGH impact. Integrity will be MODERATE because if the secure data is deleted or corrupted in some way, we can always go to the backups to retrieve a copy. Availability is set to HIGH because the secure data is used by authorized employees to work on grants, presentations, contract deadlines, finance, HR, etc. If the secure data is not available, this will hinder business functions and cause this organization potential loss of money.

Step 2) Select – This step involves choosing the baseline security controls applicable to this organization's secure system data, plus supplemental security controls selected based on the risk assessment. The applicable security controls are taken from NIST SP 800-53 rev 5 (Force, 2017). These are the controls that will be in place to mitigate the risk of unauthorized users accessing the data and to reduce the risk footprint. The three (3) baseline security controls selected are AC-1 Access Control Policy and Procedures, AC-2 Account Management, and AC-6 Least Privilege. These controls enforce the policy applied to access to secured data, allowing only authorized users access to the data resources appropriate to their job role. I have already identified the watermark level to be HIGH and explained the reason earlier. The AC-1 security control baseline is set to HIGH because it requires and enforces policies and procedures that must be adhered to, with periodic reviews and updates so that they remain in compliance (OSA, 2018). For example, if there were no access control in place, anyone, regardless of job role, would have access to all data. AC-2, the account management control, is HIGH. When there is no designated employee to manage all aspects of individual user accounts, the Confidentiality of the data is negatively affected (OSA, 2018). Left unmanaged, accounts will allow employees access to confidential data that is otherwise restricted. Because Confidentiality is impacted, so is the Integrity of the data: since there is no accountability for permissions on user accounts, anyone can inadvertently or purposely manipulate the data and in turn affect the decisions of those who rely on and trust the data to be good. AC-6 Least Privilege is a way to enforce the most restrictive set of rights, privileges, or access needed by users (OSA, 2018). We use this security control because it will reduce opportunities to access restricted confidential data and minimize the threat to the Integrity and Availability of this data. Ultimately, the Least Privilege control allows our organization to be selective as to who has access to what data, when, and from where. Implementing these security controls will mean a stronger, safer, and more trustworthy data system.

Step 3) Implement – The security controls identified and selected in Step 2 are now implemented, and their respective security settings are configured. These security controls are in line with compliance requirements and applicable laws as they apply to this organization's processing and protection of electronic data, data at rest, and data in transit (Force, 2017). Once these security controls are in place, they enforce and require that only authorized users access data according to their permissions and job role. Specifically, implementation of the AC-1 security control will require each employee in their respective job role, assigned a unique ID, to change their login password every 60/90 days, with a required password length of at least 9 characters including special characters. After three (3) failed attempts, the system locks out the account. All authorized access will be managed within Active Directory (AD). Auto logoff is also enforced, preventing unauthorized access if the employee walks away from the screen. The AC-2 security control reinforces AC-1 in that a responsible individual is accountable for granting access rights to data resources and for activating and deactivating employee accounts in AD. A secondary control is in place so that permissions are authorized and granted only per a request submitted by Human Resources to the account administrator. This same security control manages the accounts of employees who are no longer with the organization. Furthermore, employees requiring additional access to confidential data will receive it only with the approval of their immediate manager/supervisor. AC-6 rounds out the selected security controls, as it controls who has access to what confidential data, when, and from where. The benefits of this security control are Confidentiality, in that no unauthorized individual gains access; Integrity, in that no unauthorized employee can modify data; and Availability, in that data is protected from becoming unavailable.
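The AC-1 password and lockout settings above, applied to the Active Directory default domain policy and then read back for verification. This is an added example, not code from the paper; it assumes the ActiveDirectory module and Domain Admin rights, takes 90 days from the paper's "60/90 day" range, and the lockout duration and observation window are assumptions the paper does not specify.

```powershell
# Added example (not part of the original paper): apply and verify the AC-1
# password/lockout settings on the AD default domain password policy.
Import-Module ActiveDirectory

$Domain = (Get-ADDomain).DNSRoot

# Target values taken from the paper's AC-1 implementation paragraph.
$Required = @{
    MinPasswordLength        = 9                         # at least 9 characters
    ComplexityEnabled        = $true                     # closest AD setting to "including special characters"
    MaxPasswordAge           = New-TimeSpan -Days 90     # rotation; 90 assumed from the paper's 60/90 range
    LockoutThreshold         = 3                         # lock the account after three failed attempts
    LockoutDuration          = New-TimeSpan -Minutes 30  # assumption, not stated in the paper
    LockoutObservationWindow = New-TimeSpan -Minutes 30  # assumption, not stated in the paper
}

function Set-FcPasswordPolicy {
    # Apply the required values to the default domain policy in one call.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Required
}

function Test-FcPasswordPolicy {
    # Read the policy back and report each setting that falls short, so the Step 4
    # assessment has evidence rather than an assumption that the change was applied.
    $Current  = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $Findings = @()
    if ($Current.MinPasswordLength -lt $Required.MinPasswordLength) {
        $Findings += "MinPasswordLength is $($Current.MinPasswordLength), expected >= $($Required.MinPasswordLength)"
    }
    if (-not $Current.ComplexityEnabled) {
        $Findings += "ComplexityEnabled is off, expected on"
    }
    # Zero or a very large TimeSpan both mean "passwords never expire".
    if ($Current.MaxPasswordAge -eq [TimeSpan]::Zero -or $Current.MaxPasswordAge -gt $Required.MaxPasswordAge) {
        $Findings += "MaxPasswordAge is $($Current.MaxPasswordAge), expected <= $($Required.MaxPasswordAge)"
    }
    # A threshold of 0 disables lockout entirely.
    if ($Current.LockoutThreshold -eq 0 -or $Current.LockoutThreshold -gt $Required.LockoutThreshold) {
        $Findings += "LockoutThreshold is $($Current.LockoutThreshold), expected 1..$($Required.LockoutThreshold)"
    }
    return $Findings
}

Set-FcPasswordPolicy
$Gaps = Test-FcPasswordPolicy
if ($Gaps.Count -eq 0) { "Default domain password policy meets the AC-1 requirements." }
else { $Gaps | ForEach-Object { "FINDING: $_" } }
```

AD complexity rules require characters from several categories rather than a special character specifically, so a stricter special-character rule would need a fine-grained password policy or a third-party filter.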

Step 4) Assess – The security controls implemented in Step 3 are assessed here for their effectiveness. The security controls are required to function as intended and to meet or exceed the security requirements of our security policies and the goals of the organization. Should a security control fail, there needs to be a secondary control to step in and alert the account manager of the failure of the main control. It is important to be aware that direct risks to data resources within our organization are not only due to a lack of security controls, but also to how effective each implemented security control is in its role (Boyens & Paulsen). I have explained why these security controls are important and how they work when functioning properly. The other side of this is their failures, which need to be assessed. A failure of AC-1 will allow any employee from any department to have permission to access all data. A failure of AC-2 will allow potentially inaccurate accountability of user accounts due to the lack of central control. A direct failure of security control AC-6 will result in data resources being used by unauthorized users. It is also during this step of the Risk Management Framework that we will use a Plan of Action & Milestones. This will benefit our organization by mitigating deficiencies within my suggested three security controls, and these milestones are reasonably attainable (Force, 2017). For AC-1, the milestone is having proper documentation and accountability of each employee's access to all resources in a database; this enforces the implementation of policy and procedure. A suggested time frame for this implementation is no longer than 90 days. For AC-2, it is suggested to train a selected employee within the organization for the account management role; this improves accountability of accounts within AD. HR can easily begin the interview process to fill this position. This particular milestone could take up to 30 days. Lastly, AC-6 requires having the proper procedures in place so that employees requiring additional access to data resources know to reach out to their managers/supervisors, who will request access on behalf of the requesting employee. This control prevents an employee from simply asking for and being granted access to data resources. Like the others, this security control will require sign-off by the policy and compliance department. The implementation of this control should also not take longer than 90 days. To keep these security controls and their respective policies and procedures current, they will need to be reassessed once every six months, if time permits.

Step 5) Authorize – An authorized, selected member of the organization determines whether the operational security controls are acceptable as they apply to the operations and data assets within the system. Once the risk is deemed acceptable, this individual accepts responsibility for the system by authorizing the overall information system (Metivier, 2017). This is part of the Security Authorization Package, which is required to be presented to the Authorizing Official (AO) of the organization. From the information presented, the AO understands that responsibility for the plan of action and milestones, the overall risk of the system, and the review of any and all recommendations falls on the AO. The AO will use this to check progress and correct any weaknesses found during the security control assessment (Officer, 2015). In accepting responsibility for the overall risk of the system, the AO knows that policy and procedure is everything. Not understanding this will weaken the security posture of this information system. The failure of any one of my suggested security controls will guarantee a perpetrator access to create unauthorized administrative accounts and allow full control of the information system.

Step 6) Monitor – Requires continuous monitoring of all security controls, and reauthorization is needed as the computer network system is upgraded over time and new security controls are implemented. Reassessment is also performed to reauthorize the ongoing acceptance of risk.

The implementation of the suggested security controls, together with the guidelines from the NIST Risk Management Framework, is what will secure the information system. It is important to keep in mind that as technology evolves, so does the information system. Policies, procedures, hardware, firmware, and software do become outdated, creating a vulnerability that could potentially turn into a high risk if permitted. Once the security controls are in place, we need to continuously monitor the information system to determine the effectiveness of the security controls and their response. We will need to continue identifying changes to the information system and the environment it resides in, and continuously verify that we are in compliance with local, state, and federal policies and guidelines as they directly pertain to us. Continuous monitoring will include detecting changes, how we report and respond to those changes, and how to mitigate the changes within the information system. This is all done by analyzing the logs created by our hardware and software, which includes our firewalls, IDS/IPS, antivirus on our local machines and servers, virus scanners, routers, switches, and mobile devices. Analyzing all this data will require a SIEM to bring it all together, and this can be used for continuous monitoring (Institute, 2015). This allows us to monitor what is going on, determine the level of risk based on risk goals and the knowledge of threats we have, and mount an appropriate response. SP 800-137 and SP 800-53A will provide the guidance we seek.
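One concrete piece of the continuous monitoring described above: a check that reads a domain controller's Security log for failed logons and account lockouts and summarizes them per account, in a form that can be forwarded to the SIEM and compared against the three-attempt lockout from Step 3. This is an added example, not code from the paper; it assumes it runs on a domain controller with read access to the Security log, and the 24-hour window and report path are assumptions.

```powershell
# Added example (not part of the original paper): per-account summary of failed
# logons (event 4625) and lockouts (event 4740) from the Security log.
$Since      = (Get-Date).AddHours(-24)                 # assumed reporting window
$ReportPath = "C:\Monitoring\ad-account-events.csv"    # assumed location for SIEM pickup

function Get-EventField {
    # Read a named field from the event's EventData XML, so the script does not
    # depend on positional indexes that differ between 4625 and 4740.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $Xml = [xml]$Event.ToXml()
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-AccountSecurityEvents {
    param([datetime]$StartTime)
    $Filter = @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $StartTime }
    $Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
    foreach ($E in $Events) {
        [pscustomobject]@{
            Time    = $E.TimeCreated
            EventId = $E.Id
            Account = Get-EventField -Event $E -Name 'TargetUserName'
            # 4625 carries the source address; 4740 carries the calling computer name instead.
            Source  = if ($E.Id -eq 4625) { Get-EventField -Event $E -Name 'IpAddress' }
                      else { Get-EventField -Event $E -Name 'TargetDomainName' }
        }
    }
}

function Get-AccountSummary {
    # One row per account: failed attempts, whether it locked out, and whether the
    # failures reached the paper's three-attempt threshold (worth an analyst's look).
    param([object[]]$Events)
    $Events | Group-Object Account | ForEach-Object {
        $Failed = @($_.Group | Where-Object EventId -eq 4625).Count
        $Locked = @($_.Group | Where-Object EventId -eq 4740).Count -gt 0
        [pscustomobject]@{
            Account        = $_.Name
            FailedLogons   = $Failed
            LockedOut      = $Locked
            ReachedLockout = $Failed -ge 3
            Sources        = ($_.Group.Source | Sort-Object -Unique) -join ';'
        }
    } | Sort-Object FailedLogons -Descending
}

$Summary = Get-AccountSummary -Events @(Get-AccountSecurityEvents -StartTime $Since)
$Summary | Export-Csv -Path $ReportPath -NoTypeInformation
$Summary | Where-Object { $_.LockedOut -or $_.ReachedLockout } | Format-Table -AutoSize
```

Scheduling this as a task and shipping the CSV to the SIEM gives the account manager the alert the paper calls for when the lockout control trips, with the source field showing whether the attempts came from one workstation or many.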

Because we have done our due diligence, our information system is adaptable to a changing environment, such as when we have a contractor work within our office space for a specified amount of time. The group of security controls I have suggested will secure our proprietary confidential data while allowing the contractor onto our system, including the use of the LAN printer/fax. The secure use of the LAN printer/fax is achieved by using "secure print". Because the proper security controls and policies have been put in place, the system can continue to be managed and monitored regardless of a change of personnel on the information system. Policy and procedures will dictate how the system is managed and maintained by anyone who takes on the responsibility and challenges of the information system.

Conclusion

Using the NIST Risk Management Framework as I have suggested will help with a preemptive approach towards securing our computer network information system, rather than being in a reactive state of mind. Having a risk management plan also allows for a structured approach to minimizing and managing threats. I described the security control selection and why these security controls were selected: to identify and manage our employees' access to data with respect to their roles, and to ensure the confidentiality, integrity, and availability of data at rest and data in transit. It was also my intention to highlight three (3) security controls because these same controls will strengthen the security posture of this organization. I also explained why it is important to maintain the CIA triad. I also highlighted threats, which are vulnerabilities that require these same security controls to be properly implemented to mitigate them, and suggested remediation and estimated completion dates through the Plan of Action and Milestones. The overall hardening of the infrastructure and protection of the data resources will rely on following the suggestions I have mentioned. Adherence will also ensure the Confidentiality, Integrity, and Availability of this organization's overall data resources, thus allowing for a stronger, safer, and more trustworthy data system for all who use it.


References
Boyens, J., & Paulsen, C. (n.d.). NIST 800-161. Retrieved February 26, 2018, from NIST.

Dempsey, K., Chawla, N. S., Johnson, A., Johnson, R., Jones, A., Orebaugh, A., et al. (2011, September). NIST Special Publication 800-137. Retrieved March 09, 2018, from NIST: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-137.pdf

Force, J. T. (2017, August). NIST SP 800-53 Ar5. Retrieved March 10, 2018, from NIST: https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

Institute, I. (2015, November 24). What is a SIEM. Retrieved March 09, 2018, from Infosec Institute: http://resources.infosecinstitute.com/what-is-a-siem/#gref

Metivier, B. (2017, April 11). 6 Steps to a Cybersecurity Risk Assessment. Retrieved January 27, 2018, from Sage Data Security: https://www.sagedatasecurity.com/blog/6-steps-to-a-cybersecurity-risk-assessment

NIST. (2004, February). FIPS PUB 199. Retrieved March 10, 2018, from NIST: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

NIST. (2018, February 09). Risk Management Framework Overview. Retrieved March 09, 2018, from NIST: https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview

Officer, O. o. (2015, March 16). Security Authorization Process Guide. Retrieved March 05, 2018, from DHS: https://www.dhs.gov/sites/default/files/publications/Security%20Authorization%20Process%20Guide_v11_1.pdf

OSA. (2018). AC-01 Access Control Policies and Procedures. Retrieved February 12, 2018, from OpenSecurityArchitecture: http://www.opensecurityarchitecture.org/cms/library/08_02_control-catalogue/23-08_02_AC-01

Stine, K., Kissel, R., Barker, W. C., Fahlsing, J., & Gulick, J. (2008, August). NIST SP 800-60. Retrieved March 10, 2018, from NIST: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf