Information System Security Plan Completion Date - NCI Wiki

mexicanmorning, Data Management

16 Dec 2012 (4 years and 10 months ago)

October 20, 2009

Information System Security Plan for Development of the PRO-CTCAE Software System

Last Update: October 20, 2009

- DRAFT CURRENTLY UNDER REVIEW -

Prepared by:

SemanticBits LLC, 13921 Park Center Road, Herndon, VA, 20171
(Tel 703.787.9656)

Under subcontract to:

Memorial Sloan-Kettering Cancer Center, 307 East 63 Street, New York, NY 10065
(Tel 646-422-4426)

Table of Contents

Information System Security Plan ........ 1
Table of Contents ........ 2
Information System Name/Title ........ 3
Information System Categorization ........ 3
Information System Owner ........ 3
Authorizing Official ........ 4
Other Designated Contacts ........ 4
Assignment of Security Responsibility
Information System Operational Status ........ 4
Information System Type ........ 4
General System Description/Purpose ........ 4
System Environment ........ 4
System Interconnections/Information Sharing ........ 5
Related Laws/Regulations/Policies ........ 5
Minimum Security Controls ........ 6
    Access Control (AC) ........ 6
    Awareness and Training (AT) ........ 7
    Audit and Accountability (AU) ........ 8
    Certification, Accreditation, and Security Assessment (CA) ........ 8
    Configuration Management (CM) ........ 9
    Contingency Planning (CP) ........ 9
    Identification and Authentication (IA) ........ 10
    Incident Response (IR) ........ 10
    Maintenance (MA) ........ 11
    Media Protection (MP) ........ 11
    Physical and Environmental Protection (PE) ........ 12
    Planning (PL) ........ 13
    Personnel Security (PS) ........ 13
    Risk Assessment (RA) ........ 13
    System and Services Acquisition (SA) ........ 14
    System and Communications Protection (SC) ........ 14
    System and Information Integrity (SI) ........ 16
Implementation Plan ........ 16
Information System Security Plan Completion Date ........ 17
Information System Security Plan Approval Date ........ 17
Revision History ........ 17

Information System Name/Title:

PRO-CTCAE

Information System Categorization:

Moderate

Introduction to System and Stakeholders:

This document pertains to security considerations during the development and initial patient testing of the PRO-CTCAE Software System.

The purpose of the PRO-CTCAE Software System is to electronically administer symptom questionnaires to patients enrolled in NCI-sponsored clinical trials. This document only pertains to security considerations during software development and initial patient testing, and does not pertain to actual deployment of the system.

The following organizations are involved with these processes:

- Memorial Sloan-Kettering Cancer Center/MSKCC (System Owner): MSKCC has been contracted by the National Cancer Institute (NCI) to oversee development and initial patient testing of the PRO-CTCAE Software System. Although MSKCC is considered the System Owner for the purpose of this document, it is noted that the software is being created under contract and is the intellectual property of the NCI.

- SemanticBits, LLC (System Developer): SemanticBits has been subcontracted by MSKCC to be the system developer. SemanticBits will host the system during the parts of the development process which do not involve collection of patient data. This includes creation of the software and review of the software with representatives of MSKCC and NCI, prior to testing in patients.

- National Cancer Institute/NCI (Hosting Organization): The National Cancer Institute will host the system on its servers during the parts of the development process which involve collection of patient data (i.e., testing in patients). This will include clinical studies in which patients are entering information about their symptoms into the system, as a part of the refinement process of the questionnaires used in the PRO-CTCAE.

- Testing sites: A number of clinical sites will be involved with testing during which patients will enter data into the system. These data will be stored at the hosting organization.

As the system developer, SemanticBits will be primarily responsible for the security considerations described in this document while the system is being created and refined. When the NCI takes over hosting of the system for patient testing, we anticipate conducting risk analyses involving stakeholders from MSKCC, SemanticBits, and NCI to dictate control settings and assure compliance with NIST SP 800-53 standards. The system owner, system developer, and hosting organization will remain involved with ongoing security assessments throughout the patient testing period (anticipated to last approximately 2 years, beginning in Q4 2009).

Authorizing Official for MSKCC:

Name: Ethan Basch
Title: PRO-CTCAE Project Principal Investigator
Institution: MSKCC
Address: 307 East 63 Street, New York, NY 10065
Phone: 646-422-4426
Email: basche@mskcc.org

Authorizing Official for SemanticBits:

Name: Ram Chilukuri
Title: CTO
Institution: SemanticBits, LLC
Address: 13921 Park Center Road, Suite 420, Herndon, VA 20171
Phone: 703.787.9656 x247
Email: ram.chilukuri@semanticbits.com


Information System Operational Status:

Under Development

Information System Type:

Major Application

General System Description/Purpose:

The Patient-reported Outcomes version of the Common Terminology Criteria for Adverse Events (PRO-CTCAE) system will collect cancer patient responses to questions about symptoms. Once deployed, this system is planned to electronically integrate these patient response data with the clinician AE data reported in AdEERS or other NCI-supported adverse event reporting systems. Data will be collected from patients through electronic assessment (e.g., laptops, computers, or handhelds), but options for paper versions will also be provided in case patients lack access to computers.

System Environment:

The PRO-CTCAE system will be hosted as a web application, which will be accessed via Internet and intranet. The system will expose web/grid service interfaces, which will be accessed via HTTPS. The data from this system will be accessed using the UI and web/grid service interfaces. This system will communicate with other systems like caAERS and AdEERS as well as a back-end database.

Following is the initial list of software components that we anticipate using in this environment. This list will be updated during the elaboration phase of the project.

- JDK 5.0
- Tomcat 6.x
- Spring 2.5
- Common Security Module (CSM) 4.0
- DWR 2.0
- caGrid 1.2
- MySQL 5+ and/or PostgreSQL 8+

During parts of development which do not include collection of patient data (i.e., patient testing), the system will be hosted at SemanticBits, LLC offices in Herndon, VA. During parts of development which include patient testing, the system will be hosted by the National Cancer Institute.

System Interconnections/Information Sharing

| System Name | Organization | Type  | Agreement (ISA/MOU/MOA) | Date | FIPS 199 Category | C&A Category | Auth. Official |
|-------------|--------------|-------|-------------------------|------|-------------------|--------------|----------------|
| caAERS      | NCI          | Major | No                      | N/A  | TBD               | TBD          | TBD            |
| AdEERS      | NCI          | Major | No                      | N/A  | TBD               | TBD          | TBD            |
| PSC         | NCI          | Major | No                      | N/A  | TBD               | TBD          | TBD            |

Related Laws/Regulations/Policies

We will investigate what laws/regulations/policies apply during the elaboration phase of the project.

Minimum Security Controls

According to the NCI's RFP for the contract to develop the PRO-CTCAE, the information and functionality that PRO-CTCAE will provide has been categorized according to the Federal Information Processing Standards (FIPS) Publication 199 as follows:

- Confidentiality: Low
- Integrity: Moderate
- Availability: Low
- Overall: Moderate

Given the overall Moderate categorization, the PRO-CTCAE system will need to address the 153 security controls that are in the moderate-impact security control baseline for minimum security controls. However, since the system has a Low potential impact for the confidentiality and availability security objectives, we see opportunities to downgrade the following security controls from Moderate to Low:

- Confidentiality: AC-15, MA-3 (3), MP-2 (1), MP-3, MP-4, MP-5 (1) (2) (3), MP-6, PE-5, SC-4, SC-9
- Availability: CP-2, CP-3, CP-4, CP-6, CP-7, CP-8, MA-6, PE-9, PE-10, PE-11, PE-13, PE-15, SC-6

Furthermore, since PRO-CTCAE constitutes new development, much of the information that is needed to determine the appropriate scope of each control (e.g. operational/environmental, physical infrastructure, policy/regulatory) and responsibility (i.e. common vs. hybrid vs. information system owner) has yet to be determined.

Therefore, we will initially describe each of the seventeen security control families (as defined in NIST SP 800-53) in a high-level way, listing and calling attention to individual controls for which we have specific information. Then, in accordance with the guidance provided in NIST SP 800-18, we will treat the System Security Plan (SSP) as a living document that we revise periodically as the system evolves. As noted above, these issues will be revisited when the NCI takes on hosting of the system for patient testing.

1. Access Control (AC)

The system developer will work with the system owner and hosting organization representatives to develop access control policies and procedures for implementing them. Based on these policies and procedures, the use of caBIG components such as CSM, CLM, and GAARDS will be evaluated, in addition to other components, to implement each of the security controls related to access control. The CSM component is 21 CFR Part 11 compliant and supports many of these security controls, including the ability to create and manage individual and group accounts, integrate with existing identity management components such as LDAP, express both individual- and group-based authorization policy, implement flexible unsuccessful login policies, and group privileges to support special roles such as system administrator.

An authorization policy will be designed and enforced that applies to the operating system, databases, and file systems, as well as at multiple layers of the PRO-CTCAE application. Procedures are planned to use the principle of least privilege, partition privileges so as to mitigate the risk of a single user being able to engage in illicit activities without collusion, verify the physical identity of users before granting privileges, manage the flow of information securely by setting up appropriate routing and proxy configuration, and review audit logs with a frequency that is appropriate to the level of impact of the system.

As PRO-CTCAE evolves, the following controls will be addressed individually:

- AC-1: Access Control Policy and Procedures
- AC-2: Account Management
- AC-3 (1): Access Enforcement
- AC-4: Information Flow Enforcement
- AC-5: Separation of Duties
- AC-6: Least Privilege
- AC-7: Unsuccessful Login Attempts
- AC-8: System Use Notification
- AC-11: Session Lock
- AC-12: Session Termination
- AC-13 (1): Supervision and Review - Access Control
- AC-14: Permitted Actions without Identification or Authentication
- AC-17 (1) (2) (3) (4): Remote Access
- AC-18: Wireless Access Restrictions
- AC-20 (1): Use of External Information Systems

2. Awareness and Training (AT)

A security awareness and training program is planned in accordance with NIST SP 800-16 and SP 800-50. The security policies and procedures will be prepared in accordance with NIST SP 800-12. Specifically, the system developer and/or the hosting organization will provide security awareness training to all information system users before authorizing access to the system. The security training program will be prepared in accordance with C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) and with SP 800-50.

The hosting organization will be provided with system security roles by the system developer. The personnel who will assume these roles for this system will be identified and will complete security training before accessing the system. The same procedure will be followed if any system change occurs after it is deployed.

The system developer and/or hosting organization will document and monitor individual information system security training activities, including basic security awareness training and specific information system security training.

This control has a hybrid status. The system developer and hosting organization will need to work to harmonize their respective policies and procedures documents.

As PRO-CTCAE evolves, these stakeholders will address each of the following controls individually:

- AT-1: Security Awareness and Training Policy and Procedures
- AT-2: Security Awareness
- AT-3: Security Training
- AT-4: Security Training Records

3. Audit and Accountability (AU)

Audit and accountability policy and procedures will be developed by the system developer and the hosting organization. The policies and procedures will be prepared in accordance with NIST SP 800-12.

The hosting organization and system development team will identify the auditable events in the system, keeping the performance factor in mind. The list of the auditable events will be maintained at the organization site. This list will be periodically reviewed and updated.

The system development team will embed the capability to provide the needed information in the logs for the auditable events. The audit records will be in accordance with the guidelines of NIST SP 800-92. The hosting organization will allocate sufficient audit record storage capacity for the audit records. The storage capacity will be managed by the hosting organization.

The hosting organization will regularly review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials and take necessary actions.

The development team will introduce the capability for audit reduction and report generation in the system. The hosting organization and/or system owner and/or system developer will be able to generate reports based on the event criteria.

The development team will make sure that the audit records have the time stamps as a part of the content of the record. This will be achieved during the code implementation of the system.

The hosting organization will retain the audit records until such time as is deemed necessary. A policy will be put in place in accordance with NIST SP 800-61.

This control has a hybrid status. The system developer and hosting organization will need to work to harmonize their respective policies and procedures documents.

As the PRO-CTCAE system evolves, these stakeholders will address each of the following controls individually:

- AU-1: Audit and Accountability Policy and Procedures
- AU-2 (3): Auditable Events
- AU-3 (1): Content of Audit Records
- AU-4: Audit Storage Capacity
- AU-5: Response to Audit Processing Failures
- AU-6 (2): Audit Monitoring, Analysis, and Reporting
- AU-7 (1): Audit Reduction and Report Generation
- AU-8 (1): Time Stamps
- AU-9: Protection of Audit Information
- AU-11: Audit Record Retention
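The audit record content and time stamps (AU-3, AU-8) and the reduction, reporting and review steps (AU-6, AU-7) described in this section, as an added illustration that is not part of the plan or of SemanticBits' code: the record layout, the required-field list, the failed-login threshold and the JSON-lines sample log are all assumptions made here.

```python
"""Audit records with mandatory content and time stamps (AU-3, AU-8) and an
audit reduction / report pass that flags unusual login activity (AU-6, AU-7)
for a PRO-CTCAE-style web application.

Added illustration, not SemanticBits/NCI code. The record layout, required
field list, failure threshold and sample log are assumed, not taken from the plan.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# AU-3: minimum content each audit record must carry (assumed field set)
REQUIRED_FIELDS = ("ts", "event", "outcome", "user", "source", "detail")
OUTCOMES = ("success", "failure")


def make_record(event, outcome, user, source, detail, ts=None):
    """Build one audit record. AU-8: the time stamp is part of the record
    content (UTC, ISO 8601). `ts` can be supplied for reproducible tests."""
    ts = ts or datetime.now(timezone.utc)
    return {"ts": ts.isoformat(timespec="seconds"), "event": event,
            "outcome": outcome, "user": user, "source": source, "detail": detail}


def validate(record):
    """Return the list of defects in a record; an empty list means acceptable."""
    problems = ["missing " + f for f in REQUIRED_FIELDS if f not in record]
    if "ts" in record:
        try:
            datetime.fromisoformat(str(record["ts"]))
        except ValueError:
            problems.append("unparseable time stamp")
    if record.get("outcome") not in OUTCOMES:
        problems.append("outcome must be one of " + "/".join(OUTCOMES))
    return problems


def load_records(text):
    """Parse a JSON-lines audit log. Lines that are not JSON objects become
    empty dicts so the report can count them as rejected instead of crashing."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            obj = None
        records.append(obj if isinstance(obj, dict) else {})
    return records


def reduce_records(records, failure_threshold=3):
    """AU-7 audit reduction and report generation plus the AU-6 check for
    inappropriate or unusual activity: tally events by (type, outcome), drop
    malformed records, and flag users whose failed logins reach the threshold
    (an assumed policy value)."""
    by_event, failed_logins, rejected = Counter(), Counter(), 0
    for r in records:
        if validate(r):
            rejected += 1
            continue
        by_event[(r["event"], r["outcome"])] += 1
        if r["event"] == "login" and r["outcome"] == "failure":
            failed_logins[r["user"]] += 1
    flagged = sorted(u for u, n in failed_logins.items() if n >= failure_threshold)
    return {"by_event": dict(by_event), "rejected": rejected, "flagged_users": flagged}


# Constructed sample log (JSON lines); the users, addresses and times are made up.
_T0 = datetime(2009, 10, 20, 14, 0, 0, tzinfo=timezone.utc)
_EVENTS = [
    ("login", "failure", "jdoe", "10.0.0.5", "bad password"),
    ("login", "failure", "jdoe", "10.0.0.5", "bad password"),
    ("login", "success", "nurse01", "10.0.0.9", "ok"),
    ("login", "failure", "jdoe", "10.0.0.5", "bad password"),
    ("login", "failure", "nurse01", "10.0.0.9", "bad password"),
    ("questionnaire_submit", "success", "patient042", "10.0.1.7", "form 12 saved"),
]
SAMPLE_LOG = "\n".join(
    [json.dumps(make_record(*e, ts=_T0 + timedelta(seconds=i)))
     for i, e in enumerate(_EVENTS)]
    + ['{"event": "login", "outcome": "failure", "user": "x", '
       '"source": "10.0.0.1", "detail": "no time stamp"}',  # violates AU-8 / AU-3
       '{"ts": "2009-10-20T14:01:00+00:00", "event": "export", "outcome": "maybe", '
       '"user": "admin", "source": "10.0.0.2", "detail": "bad outcome"}',
       "this line is not JSON at all"]
)


if __name__ == "__main__":
    report = reduce_records(load_records(SAMPLE_LOG))
    # tuple keys are not JSON-serialisable, so render them as "event/outcome"
    printable = {k: ({f"{e}/{o}": n for (e, o), n in v.items()} if k == "by_event" else v)
                 for k, v in report.items()}
    print(json.dumps(printable, indent=2))
```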

4. Certification, Accreditation, and Security Assessment (CA)

The hosting organization will develop, disseminate, and periodically review/update: (i) formal, documented security assessment and certification and accreditation policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security assessment and certification and accreditation policies and associated assessment, certification, and accreditation controls.

The hosting organization will conduct an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The communication with other systems will also be monitored to check the security control implementation.

As the PRO-CTCAE system evolves, the system developer and hosting organization will address each of the following controls individually:

- CA-1: Certification, Accreditation, and Security Assessment Policies and Procedures
- CA-2: Security Assessments
- CA-3: Information System Connections
- CA-4 (1): Security Certification
- CA-5: Plan of Action and Milestones
- CA-6: Security Accreditation
- CA-7: Continuous Monitoring

5. Configuration Management (CM)

Configuration management policies and procedures documents will be developed in accordance with NIST SP 800-12 by the development team and hosting organization. A baseline deployment configuration document will be updated before and after each installation. The logical deployment design will be in accordance with the Federal Enterprise Architecture.

The system developer will work with the hosting organization to establish procedures to review proposed configuration changes. These procedures will include an impact analysis and running of security-related test cases as well as executing a battery of known exploits at each interface. Access to configuration files will be restricted to specific personnel and all changes to configuration, whether for emergency or routine purposes, will be recorded.

We will define the base set of configuration settings for each component (e.g. application server) in accordance with NIST SP 800-70. In general, the principle of least privilege will be used to establish baseline configuration settings. A software component inventory will be updated before and after each installation.

As the PRO-CTCAE system evolves, the system developer and hosting organization will address each of the following controls individually:

- CM-1: Configuration Management Policy and Procedures
- CM-2 (1): Baseline Configuration
- CM-3: Configuration Change Control
- CM-4: Monitoring Configuration Changes
- CM-5: Access Restriction for Changes
- CM-6: Configuration Settings
- CM-7: Least Functionality
- CM-8 (1): Information System Component Inventory

6. Contingency Planning (CP)

The hosting organization will develop and implement a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials will review and approve the contingency plan and distribute copies of the plan to key contingency personnel. The plan will be prepared in accordance with NIST Special Publication 800-12.

The hosting organization will train personnel in their contingency roles and responsibilities with respect to the information system and will provide refresher training. The hosting organization will coordinate contingency plan testing and/or exercises with organizational elements responsible for related plans. The hosting organization will review the contingency plan for the information system and will revise the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.

The hosting organization will conduct backups of user-level and system-level information contained in the information system and will protect backup information at the storage location.

The hosting organization will employ a mechanism with supporting procedures to allow the information system to be recovered and reconstituted to a known secure state after a disruption or failure.

As the PRO-CTCAE system evolves, the system developer and hosting organization will address each of the following controls individually:

- CP-1: Contingency Planning Policy and Procedures
- CP-2 (1): Contingency Planning
- CP-3: Contingency Training
- CP-4 (1): Contingency Plan Testing and Exercises
- CP-5: Contingency Plan Update
- CP-6 (1) (3): Alternate Storage Site
- CP-7 (1) (2) (3): Alternate Processing Site
- CP-8 (1) (2): Telecommunications Services
- CP-9 (1) (4): Information System Backup
- CP-10: Information System Recovery and Reconstitution

7. Identification and Authentication (IA)

The system developer and hosting organization will develop policies and procedures documents for identifying and authenticating system users, processes acting on behalf of users, and devices. These documents will be in accordance with, or take into account, FIPS 201 and NIST SPs 800-73, 800-76, 800-78, 800-12, and 800-63.

The system will uniquely identify and authenticate system users that access non-public areas. Each user of the system will be provisioned with personal identity verification (PIV) credentials. Before establishing a connection to another device, the device will be identified and authenticated using an appropriate authentication solution. User identifiers will be managed in accordance with the identification and authentication policies and procedures documents.

The system owner will work with the organization to implement procedures for managing authenticators (credentials) such as passwords or PKI certificates to ensure that they are safeguarded. The system will be reviewed to ensure that no user interface or logging exposes authenticators. Cryptographic authentication will be in compliance with FIPS 140-1 and 140-2.

As the PRO-CTCAE evolves, the system developer and hosting organization will address each of the following controls individually:

- IA-1: Identification and Authentication Policy
- IA-2 (1): User Identification and Authentication
- IA-3 (3): Device Identification and Authentication
- IA-4: Identifier Management
- IA-5: Authenticator Management
- IA-6: Authenticator Feedback
- IA-7: Cryptographic Module Authentication

8. Incident Response (IR)

The system developer and the hosting organization will develop, disseminate, and periodically review/update: (i) a formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.

The incident response handling and reporting will be done in accordance with NIST Special Publication 800-61.

An incident handling capability will be implemented for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. Each organization will provide an incident response support resource that will offer advice and assistance to users of the information system for the handling and reporting of security incidents.

As PRO-CTCAE evolves, the system developer and the hosting organization will address each of the following controls individually:

- IR-1: Incident Response Policy and Procedures
- IR-2: Incident Response Training
- IR-3: Incident Response Testing and Exercises
- IR-4 (1): Incident Handling
- IR-5: Incident Monitoring
- IR-6 (1): Incident Reporting
- IR-7 (1): Incident Response Assistance

9. Maintenance (MA)

The system developer and the hosting organization will work to identify or develop documents that describe the system maintenance policies and standard procedures for implementing those policies. These documents will be in accordance with NIST SP 800-12.

All maintenance will be performed in a controlled manner and records of sufficient detail will be created for each maintenance event. Only approved maintenance and diagnostic tools will be used. Any remote maintenance will be monitored and controlled in accordance with the maintenance policy. Only authorized personnel will be involved in maintenance activities. Maintenance will be performed in a timely manner so as to avoid predictable system failures.

As the PRO-CTCAE system evolves, the system developer and the hosting organization will address each of the following controls individually:

- MA-1: System Maintenance Policy and Procedures
- MA-2 (1): Controlled Maintenance
- MA-3: Maintenance Tools
- MA-4 (1) (2): Remote Maintenance
- MA-5: Maintenance Personnel
- MA-6: Timely Maintenance

10. Media Protection (MP)

The media protection policy will be included as a part of the general information security policy. The hosting organization will restrict access to information system media to authorized individuals.

The hosting organization may employ automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted. The hosting organization will physically control and securely store information system media within controlled areas. Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). The hosting organization will sanitize information system media, both digital and non-digital, prior to disposal or release for reuse.

As the PRO-CTCAE system evolves, the system developer and the hosting organization will address each of the following controls individually:

- MP-1: Media Protection Policy and Procedures
- MP-2 (1): Media Access
- MP-4: Media Storage
- MP-5 (1) (2): Media Transport
- MP-6: Media Sanitization and Disposal

11.
Physical and Environmental Protection (PE)

The system developer and the hosting organization will identify or develop documents that describe the physical and environmental policies and standard procedures for implementing those policies. These documents will be developed in accordance with NIST SP 800-12.

Personnel will require appropriate authorization credentials in order to gain physical access to any non-public location. Access to display medium will be controlled. Physical access logs and records will be periodically reviewed. Real-time alarms and surveillance equipment will be monitored. Power equipment and cabling will be protected.

The hosting organization will provide an emergency shutoff device, short-term uninterruptible power supply, emergency lighting, fire suppression/detection/notification devices, temperature and humidity controls, and water damage controls.

Delivery and removal will be controlled. Appropriate physical and environmental controls will be employed at alternate work sites. An appropriate location for information system resources will be selected in order to minimize physical and environmental hazards.

Essentially all of the physical and environmental protection security controls have a common status.

As PRO-CTCAE evolves, the system developer and the hosting organization will address each of the following controls individually:



PE-1: Physical and Environmental Protection Policy and Procedures
PE-2: Physical Access Authorizations
PE-3: Physical Access Control
PE-5: Access Control for Display Medium
PE-6 (1): Monitoring Physical Access
PE-7 (1): Visitor Control
PE-8: Access Records
PE-9: Power Equipment and Power Cabling
PE-10: Emergency Shutoff
PE-11: Emergency Power
PE-12: Emergency Lighting
PE-13 (1) (2) (3): Fire Protection
PE-14: Temperature and Humidity Controls
PE-15: Water Damage Protection
PE-16: Delivery and Removal
PE-17: Alternate Work Site
PE-18: Location of Information System Components


12. Planning (PL)

Security planning procedures will be developed by the system developer and the hosting organization for the security program in general and for PRO-CTCAE in particular. The security planning will be governed by the guidance provided in NIST Special Publication 800-18.

The security plan will be aligned with the hosting organization’s information system architecture and information security architecture. Any significant changes will be defined in advance by the hosting organization and identified in the configuration management process.

The hosting organization will plan and coordinate security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations, organizational assets, and individuals.


As the PRO-CTCAE system evolves, the system developer and the hosting organization will address each of the following controls individually:



PL-1: Security Planning Policy and Procedures
PL-2: System Security Plan
PL-3: System Security Plan Update
PL-4: Rules of Behavior
PL-5: Privacy Impact Assessment
PL-6: Security-Related Activity Planning

13. Personnel Security (PS)

The system developer and the hosting organization will identify or develop documents that describe the personnel security policies and standard procedures for implementing those policies. These documents will be developed in accordance with NIST SP 800-12.

Risk designations will be established in accordance with 5 CFR 731.106(a) and will be reviewed and revised periodically. Personnel will be screened before authorizing access. Upon termination or transfer, personnel authorizations will be reviewed and removed in a timely manner.

Personnel will be required to sign access agreements periodically. Third-party personnel must comply with security requirements in accordance with NIST SP 800-35. The failure of any personnel to comply with security policy must result in appropriate sanctions being applied.

Essentially all of the personnel security controls have a common status.

As the PRO-CTCAE system evolves, the system developer and hosting organization will address each of the following controls individually:



PS-1: Personnel Security Policy and Procedures
PS-2: Position Categorization
PS-3: Personnel Screening
PS-4: Personnel Termination
PS-5: Personnel Transfer
PS-6: Access Agreements
PS-7: Third-Party Personnel Security
PS-8: Personnel Sanctions


14. Risk Assessment (RA)

The risk assessment policy will be included as a part of the general information security policy for the hosting organization. Risk assessment procedures will be developed for the security program in general, and will be tailored for this particular information system. The risk assessment policies and procedures will be governed in accordance with NIST Special Publication 800-30.

The hosting organization will conduct assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.

The hosting organization will update the risk assessment at a particular frequency or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system. Determination of significant changes will be made by the criteria defined by the hosting organization.



RA-1: Risk Assessment Policy and Procedures
RA-2: Security Categorization
RA-3: Risk Assessment
RA-4: Risk Assessment Update
RA-5: Vulnerability Scanning

15. System and Services Acquisition (SA)

The hosting organization will identify or develop documents that describe the personnel security policies and standard procedures for implementing those policies. These documents will be developed in accordance with NIST SP 800-12.

The organization will allocate appropriate resources to protect information systems in accordance with NIST SP 800-65. The system development lifecycle employed by the organizations will include explicit security considerations. Solicitation documents will explicitly require documentation of security controls.

The hosting organization will obtain administration, user, and security control documentation that is necessary to permit analysis of each information system. All software that is acquired by the organization is used in accordance with the usage restrictions. The organization will enforce policies regarding types of software that users may install.

The organization will allocate the resources necessary to apply security-engineering principles in accordance with NIST SP 800-27. The hosting organization will require and ensure that external service providers also allocate resources necessary to implement security controls. Resources necessary to develop and implement a security test and evaluation plan will be allocated to the developers of PRO-CTCAE.

As PRO-CTCAE evolves, we will address each of the following controls individually:



SA-1: System and Services Acquisition Policy and Procedures
SA-2: Allocation of Resources
SA-3: Life Cycle Support
SA-4 (1): Acquisitions
SA-5 (1): Information System Documentation
SA-6: Software Usage Restrictions
SA-7: User Installed Software
SA-8: Security Engineering Principles
SA-9: External Information System Services
SA-11: Developer Security Testing

16. System and Communications Protection (SC)

A system and communications protection plan will be drafted by the hosting organization in accordance with NIST Special Publication 800-12.

The information system will physically or logically separate user interface services (e.g., public web pages) from information storage and management services (e.g., database management). Separation will be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.

The information system will prevent unauthorized and unintended information transfer via shared system resources.

Attacks such as denial of service attacks will be handled by using firewalls as boundary protectors. Boundary protection devices will filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial of service attacks.

Any connections to the Internet, or other external networks or information systems, will occur through managed interfaces consisting of appropriate boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels) arranged in an effective architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ).

The hosting organization will employ cryptographic mechanisms to recognize changes to information during transmission. The organization will employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission.

The information system will implement a session timeout mechanism which terminates a network connection at the end of a session or after [Assignment: organization-defined time period] of inactivity.

For cryptography within the PRO-CTCAE system, the hosting organization will establish and manage cryptographic keys using automated mechanisms with supporting procedures or manual procedures. The procedures and key management will be defined in accordance with NIST Special Publication 800-56 and NIST Special Publication 800-57.

The hosting organization will issue public key certificates under an appropriate certificate policy.


The PRO-CTCAE system will operate in a distributed environment and thus will implement session-level protection (e.g., in service-oriented architectures providing web-based services). For this purpose, the PRO-CTCAE system will implement transport layer security (TLS).

To implement transport layer security, the hosting organization will refer to NIST Special Publication 800-52, which provides guidance on the use of transport layer security (TLS) mechanisms, and NIST Special Publication 800-77, which provides guidance on the deployment of IPsec virtual private networks (VPNs) and other methods of protecting communications sessions. Since PRO-CTCAE will also be using secure web services, the development team will refer to NIST Special Publication 800-95, which provides guidance on secure web services.

As PRO-CTCAE evolves, the hosting organization will address each of the following controls individually:



SC-1: System and Communications Protection Policy and Procedures
SC-2: Application Partitioning
SC-4: Information Remnance
SC-5: Denial of Service Protection
SC-7 (1) (2) (3) (4) (5): Boundary Protection
SC-8: Transmission Integrity
SC-9: Transmission Confidentiality
SC-10: Network Disconnect
SC-12: Cryptographic Key Establishment and Management
SC-13: Use of Cryptography
SC-14: Public Access Protections
SC-15: Collaborative Computing
SC-17: Public Key Infrastructure Certificates
SC-18: Mobile Code
SC-19: Voice Over Internet Protocol
SC-20: Secure Name/Address Resolution Service (Authoritative Source)
SC-22: Architecture and Provisioning for Name/Address Resolution Service
SC-23: Session Authentication

17. System and Information Integrity (SI)

The hosting organization will identify or develop documents that describe the system and information integrity policies and standard procedures for implementing those policies. These documents will be developed in accordance with NIST SP 800-12.

The organization will use automated procedures to identify the status of flaws in PRO-CTCAE as well as all software components that are used by it. These flaws will be reported and corrected expeditiously in accordance with NIST SP 800-40. The organization will employ malicious code protection measures at all critical points and workstations in accordance with NIST SP 800-83. Malicious code protection mechanisms will be centrally managed and include automated updates. The organization will use techniques to monitor inbound and outbound traffic for unusual behavior in order to detect intrusion in accordance with NIST SPs 800-61, 800-83, 800-92 and 800-94. The organization will monitor and produce security alerts and take appropriate action in accordance with NIST SP 800-40. The organization will provide spam protection in accordance with NIST SP 800-45.

Only authorized personnel will be able to enter information into PRO-CTCAE. PRO-CTCAE will check all input information for accuracy, completeness, validity, and authenticity. Error messages produced by the system will include only the information that is necessary to diagnose the problem and will not include any information that would violate privacy restrictions or expose other information to unauthorized users. Output from PRO-CTCAE will be handled in accordance with the system and information integrity policy and procedures.


As the PRO-CTCAE system evolves, the hosting organization will address each of the following controls individually:



SI-1: System and Information Integrity Policy and Procedures
SI-2 (2): Flaw Remediation
SI-3 (1) (2): Malicious Code Protection
SI-4 (4): Information System Monitoring Tools
SI-5: Security Alerts and Advisories
SI-8: Spam Protection
SI-9: Information Input Restrictions
SI-10: Information Accuracy, Completeness, Validity, and Authentication
SI-11: Error Handling
SI-12: Information Output Handling and Retention


Implementation Plan


Information systems are categorized based on the level of impact should the system be compromised. This categorization is described in FIPS 199. The levels of impact are low, medium, and high. Low impact systems have to implement fewer security controls than high impact systems. The system developer plans to use the highest level of any hosted application. At this point, the highest level is moderate. Each application-specific policy must describe only those security controls that apply to it according to its impact categorization.


Some of the security controls listed above only make sense in the context of the hosting
institution (e.g. physical security), while others make sense only in the context of an
application (e.g. logging).


Two rounds of usability testing are planned. System updates will occur after each iteration. We do not anticipate having the full Information System Security Plan implemented during the usability testing, as the testing will contribute to and inform the final Information System Security Plan. Participants in the usability testing will sign consent forms before initiating any interaction with the system. No patient or user level data will be stored during the usability testing phase. User identification linking use of the system (e.g. web analytics) will be accomplished via a unique linking identifier; master files connecting the identifier to personal health information will be maintained at the sites where usability testing is being performed. Data about usability will be maintained within a study specific database at Duke University Medical Center, the organization responsible for conduct, analysis and data coordination of the usability testing. Only aggregate reports from usability testing will be transferred to SemanticBits and MSKCC in order to protect individual level, potentially personally identifying results.

Information System Security Plan Completion Date

This draft was last updated October 20, 2009.

Information System Security Plan Approval Date

Pending

Revision History


Date                 Reviewer          Description
Jan. 11, 2008        Vinay Kumar       Initial draft.
Jan. 16, 2009        Joshua Phillips   Updated to reflect plans to host data at SemanticBits. Included Implementation Plan section.
September 29, 2009   Amy Abernethy     Updates to accommodate usability testing.
September 30, 2009   Ethan Basch       Updates prior to submission of plan to NCI as deliverable under contract, and reflecting recent discussions with NCI and SemanticBits regarding hosting of patient data and pertinent data security issues during development of the PRO-CTCAE system.
October 20, 2009     Ethan Basch       Modifications reflecting conversations with MSKCC security officer, and subsequent to NCI agreement to serve as the hosting organization.