that it will recur.
Whatever the response is, the risks will have to be continuously reviewed and monitored to maintain the security of the system to an acceptable level, which leads to part three of the Risk Management components.
Evaluation and Assurance
Risk assessments are not just done at the beginning of the information system’s lifecycle; they must be done throughout the lifecycle of the system to ensure that the level of risk is monitored and corrective actions are taken. Conducting a risk assessment should be done on an event basis and a time basis:
Security Leadership & Management
■ Event Basis – The risk assessment is conducted when significant changes occur to the system, environment (e.g., physical, threat, vulnerabilities, personnel, etc.), business, mission, competition, and so forth. The significant change does not have to be something that requires more security; it could be something that downsizes the need for security. Remember, security is supposed to be cost effective. Retaining a costly security measure that is no longer required is not in the best interest of the organization. Also, the risk assessment could be a full assessment as described above or a subset, depending on the extent of the change.
■ Time Basis – It is good to do a periodic risk assessment just to ensure that changes have not been overlooked. Many compliance regulations also require that risk assessments be conducted and documented for this reason. Most require one to be conducted once a year.
The Risk Management Framework (RMF) provided in the initial release of NIST SP 800-37 is represented in Figure 1.7, which puts the RMF in perspective with respect to the SDLC and the nine steps discussed previously.
Figure 1.7 – Risk Management Framework
The key to conducting continuous risk assessments is how to report the results to senior management. It is recommended that this also be conducted as events occur on the system and in the media and conducted on a periodic basis, preferably timed with an important action, like a budget submission, regulatory report, senior management review, and so forth.
More on how to provide reports will be discussed later.
Assurances are those activities that provide management with the confidence that something is providing or will provide the security that is expected. Assurances can be gained by review, audit, evaluation, certification and contract, and other methods. This activity provides due diligence.
The perfect examples of the first two, review and audit, are conducting periodic risk assessments (the time-based risk assessments mentioned above) or having audits conducted on the system and organization.
Evaluation and certification can provide assurance for solutions and services. To gain assurance that security products will work in accordance with their marketing literature, the government created the Common Criteria Evaluations. Product vendors pay Common Criteria Testing Laboratories (CCTLs), which are approved and licensed by NIST, to evaluate their security products against Product Protection Profiles in order to gain a Common Criteria certificate. The certificate, with the associated validation report, confirms that an IT product or protection profile has been evaluated at an accredited laboratory using the Common Evaluation Methodology for conformance to the Common Criteria. The National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme (CCEVS), which is managed and staffed by the National Security Agency (NSA), issues the certificate in the United States. More can be found on Common Criteria at http://www.niap-ccevs.org/cc-scheme/.
To gain some assurance that a company can reliably develop and deliver products and services to its clients, Carnegie Mellon’s Software Engineering Institute (SEI) created a process improvement approach, CMMI (Capability Maturity Model Integration, Figure 1.8). Similar to the Common Criteria concept, CMMI provides organizations with the essential elements of effective processes and provides customers with an understanding of the maturity of an organization’s ability to provide quality services and products. As organizations grow, they should be improving and formalizing the processes in the company by learning from past efforts and instituting changes that increase the quality of their output and the effectiveness of their processes. As time moves on, these review and change processes become institutionalized and the reviews become less qualitative and more quantitative (based on measurable metrics), thus improving the fine-tuning and timely analysis of the metrics in support of the improvement processes.
Figure 1.8 – CMMI capability levels: 0 Not Performed, 1 Performed Informally, 2 Planned and Tracked, 3 Well Defined, 4 Quantitatively Controlled, 5 Continuously Improving
Appraisals are conducted to evaluate an organization’s processes to determine how they conform to the CMMI requirements, which are defined in the Appraisal Requirements for CMMI (ARC) document. The appraisals focus on identifying improvement opportunities and comparing the organization’s processes to CMMI best practices. Appraisal teams use a CMMI model and an ARC-conformant appraisal method to guide their evaluation of the organization and their reporting of conclusions. The appraisal results are used (e.g., by a process group) to plan improvements for the organization and provide their clients with a level of assurance.
(Source – Software Engineering Institute, A Systems Engineering Capability Maturity Model [SE-CMM] Version 1.1, SECMM-95-01, SEI, Carnegie Mellon University, Pittsburgh, 1995. Also see CMMI® for Development, Version 1.3, for further info.)
Procedures and Processes
CMMI evaluates an organization on the maturity of its procedures and processes because no matter how great the company’s technology and environment are, limited or ineffective procedures and processes impact how successful an organization will be. The same applies to the success of an IT security program. The best encryption, anti-virus, access control, and firewalls will soon become vulnerabilities unless the proper product updates and patches are applied, operators are trained, physical security controls protect them, audits are conducted, and deficiencies are corrected.
In all of the documents identified above that provide lists of controls that should be applied to systems, almost all of the controls are, or require, specific procedures and processes to ensure security is maintained. Some examples are:
■ Visitors are required to go through a check-in process, there are procedures for visitor control in the facility, and visitor logs are maintained in high value environments.
■ Access controls require that the Access Control Lists (ACLs) be reviewed periodically against the list of employees and that the specific permission per individual be validated.
■ Contingency plans and emergency response plans must be exercised on a quarterly or annual basis, and employees must be trained on the procedures and their responsibilities.
■ Background and drug checks are conducted on new hires, and new hires must be trained and tested, and must read and sign a Rules of Behavior document, prior to being given a new IT responsibility or account.
■ Maintenance must be conducted on the system components and supporting systems (e.g., UPS, emergency power generator, air conditioning, fire suppression, monitoring systems, etc.).
■ The process for conducting annual risk assessments evaluates whether the current threats, vulnerabilities, and controls status still represents an acceptable risk to management.
Procedures and processes are critical to ensuring the systems remain secure.
Outsourcing provides another example of how the concept of assurance can be applied.
Frequently, organizations find that money can be saved by outsourcing functions to professional organizations, like security monitoring, maintenance, auditing, personnel augmentation, off-site backup or storage, and so forth. Prior to procuring and implementing these services, the organization must take actions that will provide it with an assurance that the provider’s integrity and operations do not add additional risk to the organization. In other words, the organization must exercise due diligence. These actions should include the following:
■ Approval – Senior officials determine whether outsourcing is consistent with the organization’s goals and objectives and is an acceptable risk.
■ Background Checks – Contact all references provided by the provider, both business and client. Conduct a review of publicly available information on any criminal, financial, and legal actions related to the provider. This review should include a review of the provider’s Dun and Bradstreet reports.
■ Financial Reviews – Review the provider’s financial statements to determine the provider’s fiscal strength. For public companies, be sure to include the provider’s reports to the Securities and Exchange Commission (SEC).
■ Site Reviews – Conduct an initial and periodic review of the provider’s operations to ensure that the personnel are knowledgeable and the capabilities are operational.
■ Business or Liability Insurance – Check if the provider has business or liability insurance to cover matters like errors and omissions, property and casualty losses, and fraud and dishonesty. Also, check if the organization will have to take on similar insurance due to the potential of taking on additional liability when outsourcing.
■ Contract – Contractually require that providers implement specific security protection measures, report violations to the organization on a timely basis, and allow for periodic audits of the protection measures. Additionally, consideration should be given to the outsourcer’s business partners should they process, handle, or transmit any or all of the organization’s data.
■ Legal Reviews – The organization’s attorneys should review all contracts and ensure that the rights and responsibilities of both parties are clear and in the best interest of the organization.
All of the above provide increased assurance that outsourcing with a specific provider will have a high potential to be a successful, low-risk alternative for the system.