Continuous Risk Analysis

Nov 21, 2013 (3 years and 6 months ago)

Facility:

Continuous Risk Analysis

Month/Year Initiated:

Controlled Unclassified Information

This information is intended for IHS internal use only. Once information is added to this template, disclosure outside of IHS is prohibited without prior authorization and consent of the IHS Chief Information Security Officer.

Template Date: March 04, 2011, Revision 2

Indian Health Service

Ongoing Risk Analysis for Meaningful Use

Record of Changes

Change No. | Date       | Name | Subject                   | Page No.
1          | 02/24/2011 | TRD  | Added Section 16          | 33
2          | 02/24/2011 | NMS  | Revised Appendix Headings | 24, 25, 27
3          | 02/24/2011 | TRD  | Revised Section 5.2       | 16
4          | 02/24/2011 | TRD  | Revised Template Title    | i
5          | 03/04/2011 | TRD  | Revised Security Review   | 33

Table of Contents

1.0 EXECUTIVE SUMMARY
2.0 RISK ASSESSMENT METHODOLOGY
3.0 INTRODUCTION
    3.1 Purpose
    3.2 Scope
    3.3 System Characterization
    3.4 Diagram of Network Architecture
4.0 THREAT IDENTIFICATION
5.0 VULNERABILITY IDENTIFICATION
    5.1 SecureFusion Scans (Continuous monitoring/monthly reports)
    5.2 Penetration Testing (Performed annually)
    5.3 TippingPoint (Continuous monitoring by HQ OIT)
    5.4 VisiWave (Performed annually for sites utilizing wireless networks)
    5.5 Network Threat Response (Continuous monitoring by HQ OIT)
    5.6 ArcSight Log Management (Periodic review of logs)
    5.7 Other Tools
6.0 CONTROL ANALYSIS
7.0 RISK MITIGATION STRATEGIES
8.0 APPENDIX A: NETWORK DIAGRAM(S)
9.0 APPENDIX B: MONTHLY SECUREFUSION REPORTS
10.0 APPENDIX C: ANNUAL PENETRATION TEST
11.0 APPENDIX D: TIPPINGPOINT (MONITORED BY HQ OIT)
12.0 APPENDIX E: ANNUAL VISIWAVE SITE SURVEY
13.0 APPENDIX F: KEY ROLES IN A RISK ASSESSMENT
14.0 APPENDIX G: RISK MITIGATION WORKSHEET
15.0 APPENDIX H: SECUREFUSION MITIGATION PLAN
16.0 SECURITY REVIEW AND ATTESTATION

1.0 Executive Summary

This Risk Analysis (RA) is designed to assess the security posture of a system or application from the manager’s viewpoint with the purpose of raising the manager’s awareness of the major security risks in their infrastructure, to propose recommendations for mitigation of these risks, and to ensure that IHS meets the federal requirements for Meaningful Use (MU). Further, an RA is a procedure used to estimate potential losses that may result from system and environmental vulnerabilities and to quantify the damage that may result if certain threats occur. The ultimate goal of the RA is to help select cost-effective safeguards that will reduce the risks to an acceptable level. Once quantified, the manager is able to determine if the cost for a proposed safeguard is reasonable; doesn’t exceed the financial and administrative cost of recovering the information or replacing the system; complies with Federal mandates; or endangers the life of a patient or the interests of the U.S. Government. Risk management is a management responsibility.

Securing IT systems and physical assets is a never-ending cycle as new technologies and threats present themselves. Protecting systems and data is a daunting task given the new and emerging threats to Information Technology (IT) resources. Since threats are constantly changing, conducting an RA on a continuous basis helps to ensure that adequate security controls are up-to-date and operating as designed to minimize the risk to IHS and other interconnected government systems.

The objective of the MU RA is to enable the facility to accomplish its mission by ensuring increased security of the Resource and Patient Management System (RPMS), Electronic Health Record (EHR) and other interconnected IT systems which store, process, or transmit patient health information. An additional benefit is that this document can assist management in making well informed risk management decisions to justify the expenditures that are part of the overall IT systems budget. Finally, this process will help meet the following Meaningful Use Stage 1 requirement for IHS, Tribal and Urban facilities desiring to meet federal mandates as described below:

    Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

It should be noted that although the completion of this document will assist facilities in meeting the MU Stage 1 Measure for conducting a Risk Analysis, facilities must continually strive to “. . . implement security updates as necessary and correct identified security deficiencies as part of its risk management process”. Facilities must work to minimize risk AND mitigate vulnerabilities on a continuous and ongoing basis.

NOTE: This risk analysis is based on the guidelines provided through the Federal Information Processing Standards (FIPS) Publication FIPS-199, Standards for Security Categorization of Federal Information and Information Systems, and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. The reader is also referred to NIST (SP) 800-37, Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems for more detailed understanding of the overall risk management process.


2.0 Risk Assessment Methodology

Risk management is the process of identifying, assessing, and taking appropriate steps to reduce threats to an acceptable level. This assessment is the first step in determining potential risks to a facility’s information resources.

The overall objective of the RA is to identify IT security weaknesses and to implement adequate cost-effective controls designed to reduce risks to IHS owned assets as well as other interconnected systems that may affect the integrity or availability of sensitive patient data.

The RA should consider all physical assets including the buildings, workstations, portable media, information systems and their components, along with the information created, transmitted, maintained or received by the facility. The review should look at the various types of information to determine how important it is, how vulnerable it is, the cost of losing the information, and the cost of protecting it. It should be noted that it is difficult to attach a cost to the loss of public trust when patient data is lost or compromised, but it is a critical factor in the evaluation process. The cost of securing a system should not exceed the total cost of recovering the information or replacing the system unless it is in the interest of national defense or some other federal mandate.

There are many methods available to conduct a risk assessment. One method would be to assign a facilitator(s) and staff members representing key aspects of the system or applications being assessed for risk. The makeup of the group will vary depending on the systems and applications involved but may include business and functional program management, system and information owners, senior management, security representatives, privacy officers, general users of the system(s) or application(s), system administrators, and approving officials.

This team should work together to identify the assets of the facility, a common set of threats, vulnerabilities and countermeasures for each of the systems, information and applications being evaluated as part of the assessment. The team will also define the current state of the system’s security and develop suggestions for additional security requirements as appropriate. The team’s ultimate goal is to produce a working document in the form of a risk analysis that will assist management in allocating appropriate resources.

Appendix F shows examples of the key personnel that should support and participate in the risk assessment and management process.

In addition, the team should use a combination of the following information gathering techniques to collect information relevant to the IT system within its operational boundary. These techniques can be used in all phases of the risk assessment process.

• Questionnaire - Develop a questionnaire concerning the management and operational controls planned for the system. Distribute the questionnaire to the applicable technical and non-technical management personnel who are designing or supporting the IT system.

• On-Site Interviews - Interviews with IT system support and management personnel can assist the risk assessment team in collecting useful information about how the IT system is operated and managed as well as allow the gathering of information from observation about the physical, environmental, and operational security of IT systems. NIST (SP) 800-30 contains sample interview questions.

• Document Review - The Risk Assessment Team should review policy documents (legislative, directives, agency policy, etc.), system documentation (user guides, system administration manuals, system design and requirements documents, acquisition documents) and security related documentation (system security plan, audit reports, previous RAs, security policy, security test results) which will help identify required controls as well as those protective measures already in place or planned for the system. The agency’s mission impact analysis or asset criticality assessment will provide information regarding system and information criticality and sensitivity.

• Use of Automated Scanning Tools - Provides technical information about the system and may also identify risks not yet remediated. These tools are discussed in depth in Section 5.0.

Details of each of the risk activities can be found in NIST (SP) 800-30, or from other resources on Risk Assessments found via an online web search. The following is an illustration of NIST identified risk assessment activities:

Figure 01: Risk Assessment Methodology

3.0 Introduction

3.1 Purpose

This document identifies a variety of known threats and vulnerabilities that may be applicable to IT system(s), as well as the facility’s physical and environmental controls. The list of threats and vulnerabilities is not considered to be a complete listing and the assessors should consider all potential threats to patient data. It also evaluates the likelihood that an identified vulnerability can be exploited, assesses the impact associated with these threats and vulnerabilities, and identifies the overall risk level.

The overarching goal of this RA is to leverage IHS automated tools to enhance IT security across IHS. An automated approach will also reduce the burden and level of effort by IT support staff in the field.

3.2 Scope

The local IT systems are part of a larger infrastructure managed by IHS. This Risk Assessment is focused on local electronic health record systems, overarching IT assets and the facility’s physical/environmental controls that may affect the integrity and availability of critical health care systems.

The scope of this risk analysis includes the potential risks and vulnerabilities to the confidentiality, integrity and availability (CIA) of all of the facility’s electronic Patient Health Information (e-PHI) that they create, receive, maintain, or transmit. Risks to IT systems should be evaluated in the managerial, operational, and technical security domains as defined in FIPS-200, Minimum Security Requirements for Federal Information and Information Systems and NIST (SP) 800-53, Rev 3, Recommended Security Controls for Federal Information Systems and Organizations.

This report documents the findings and appropriate controls implemented at the local IHS facility and will assist management in understanding the security posture of both local and interconnected IT systems across IHS. This RA is ongoing and should be updated on a continuous basis. The ongoing analysis of findings will be attached in the appropriate Appendices to this document.

3.3 System Characterization

In this Section, the boundaries of the IT system are identified, along with the resources and information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort and provides information essential to safeguarding Agency resources.

This step consists of reviewing system documentation and conducting interviews to gather critical information necessary to develop a system characterization. The information collected below is used to gain an overall understanding of the ownership and functionality of the local information technology resources. This listing may need to be modified to reflect the local environment as appropriate.

IT System Inventory and Definition Document

I. IT System Identification and Ownership

IT System Name: Infrastructure, Office Automation and Telecommunications (IOAT); Resource and Patient Management System (RPMS); Electronic Health Record (EHR)

Facility Name & Location:

IT Systems Overview:

IOAT is the network architecture that supports the interconnection of the IHS Area Offices and facilities into a single interconnected network. IOAT includes the Wide Area Network (WAN), Local Area Network (LAN), and workstations used by the Office of Information Technology (OIT) to support the administration and operations of the Indian Health Service.

One of the key functions of IOAT is to provide basic network services; namely, network layer transportation of IP packets for basic services to the clients. These services include a logon domain, electronic mail, internet and intranet information services, basic IP transportation services, router interconnection, and desktop support. IOAT also provides access to the Internet to support access to medical information, sharing of medical data and imagery, sharing of administrative and financial data, distance learning, teleconferencing, and other mission related data access.

Management controls for IT systems focus on system security risk management. The management, operational and technical controls identified and discussed in NIST (SP) 800-18, Rev 1, Guide for Developing Security Plans for Information Technology Systems, and NIST (SP) 800-53, Rev 3, assist the IOAT in meeting the requirements for Confidentiality, Integrity, and Availability of IHS data. The types of control measures are consistent with the need for protection of IHS applications and data.

The RPMS application, including EHR, is intended to provide for the comprehensive management of IHS patient records. It is designed to manage all aspects of patient care electronically by providing a full range of functionality and access to a wide range of patient information accessible by health care providers across the Agency. By moving medical data to the electronic environment, patient care activities are able to occur simultaneously at multiple locations without dependence on the availability of paper charts. Moreover, point-of-service data entry ensures that the record is always up to date for all users. The RPMS EHR combines the powerful database capabilities of RPMS with a familiar and comfortable presentation layer, or graphical user interface (GUI). Integration of various RPMS components into the user interface allows providers to obtain a more comprehensive view of the clinical process. Access to patient information via EHR is available via "point and click", rather than the user having to log in and out of separate RPMS applications to retrieve different types of data.

Risk Assessment Team Members (if team approach utilized):

Phone Numbers (list each phone number):

II. IT System Boundary and Components

Description of IT Systems and Components: (Attach a copy of the local inventory from SecureFusion in Appendix B)

System Interfaces: All IT access to facility resources is limited to internal IHS connections or is approved through an Interconnection Security Agreement. Yes / No
(IF NO - All external connections are prohibited to facility resources unless the connections are approved and documented in Section III below and on file with the IHS, Tribal or Urban facility)

IT System Boundary: (Attach a network diagram in Appendix A showing all external connections into the local facility’s internal network)

III. IT System Interconnections

Agency or Organization | IT System Name | IT System Owner | ISA Status

Provide details of any external connections to facility resources if an Interconnection Security Agreement (ISA) has not been executed. No entry needed if Agreements are already on file with HQW, Brandon Begaye.

IT Sensitivity Rating and Classification: The security category of the IT system is determined based upon the impact to Confidentiality, Integrity, and Availability of all system data, per FIPS-199. Based upon storage and access to patient data, all IHS facilities are categorized at a Sensitivity Rating of High and a Classification of Sensitive.

3.4 Diagram of Network Architecture

Insert a diagram or provide a description of the overarching network architecture in Appendix A. This should include all routers, switches, servers and other devices that contain, transmit, or receive patient data or other sensitive information. This must also include communications links to your facility, e.g., outside connections to IHS, Internet Service Provider(s) or 3rd party vendor(s).

If the facility does not have a Network Architecture Diagram, the following are some tools, both free and for a fee (prices are approximate only), which will assist in creating one:

• Microsoft Visio ($160)
• The Dude Network Monitor (Freeware)
• Solar Winds LAN Surveyor ($1,995)


4.0 Threat Identification

A threat is the potential for a particular threat-source to successfully exercise (accidentally trigger or intentionally exploit) a specific vulnerability. A threat-source is defined as any circumstance or event with the potential to cause harm to an IT system. The common threat-sources can be natural, human, or environmental and can be intentional or accidental. Vulnerability is a weakness that can be accidentally triggered or intentionally exploited. A threat-source does not present a risk when there is no vulnerability that can be exercised. In determining likelihood of a threat, one must consider threat-sources, potential vulnerabilities, and existing controls.

This section evaluates the potential for a particular threat source to successfully exercise a particular vulnerability, the impact to the facility, and corresponding response using a hazard specific scale. In assessing threats, it is important to consider all potential threat-sources that could cause harm to the IT systems, the processing environment and potentially the government network. In the following pages, common threats have already been listed. These have been listed regardless of their likelihood, geographic impact, or potential outcome. Certain items may be removed if not applicable to the geographical area. For example, if the facility is located in the desert, they may choose not to include “hurricane” because of the low likelihood of such an event occurring. Likewise, other items can be added that are specific to the geographical area. The goal is to develop a list that is as comprehensive as possible and applicable to the local internal and external environment.

Instructions for included spreadsheet:

In the following pages a spreadsheet has been inserted. Double Click the spreadsheet to enter your answers. Choose “0” “1” “2” or “3” for each category. The last column titled “Risk” will automatically calculate your risks based on the probability (likelihood) and impact. In determining your answer, the following issues listed in the Table below should be considered. As you are answering the questions, assume each threat-source occurs at the worst possible time (e.g., during peak patient loads). For more details on Threat and Vulnerability Identification, refer to NIST (SP) 800-30 and NIST (SP) 800-37, Rev 1.

Issues to consider for probability (likelihood) include, but are not limited to:

• Known risk
• Historical data
• Manufacturer/vendor statistics
• Incident reports
• Security Reports
• Information gathering

Issues to consider for human impact include, but are not limited to:

• Potential for staff death or injury
• Potential for patient death or injury (includes visitors)

Issues to consider for property impact include, but are not limited to:

• Cost to replace
• Cost to set up temporary replacement
• Cost to repair
• Time to recover

Issues to consider for service impact include, but are not limited to:

• Service interruption
• Employees unable to report to work
• Customers unable to reach facility
• Facility in violation of contractual agreements
• Imposition of fines and penalties or legal costs
• Interruption of critical supplies
• Interruption of product distribution
• Reputation and public image
• Financial impact/burden
• Violation of Federal mandates

Issues to consider for preparedness include, but are not limited to:

• Status of current emergency plans
• Frequency of drills
• Training status
• Availability of alternate sources for critical supplies/services

Issues to consider for emergency response include, but are not limited to:

• Time to marshal an on-scene response
• Scope of response capability
• Historical evaluation of response success

SEVERITY = (MAGNITUDE - MITIGATION)

Column            | Description                                 | Score
PROBABILITY       | Likelihood this will occur                  | 0 = N/A, 1 = Low, 2 = Moderate, 3 = High
HUMAN IMPACT      | Possibility of death or injury              | 0 = N/A, 1 = Low, 2 = Moderate, 3 = High
PROPERTY IMPACT   | Physical losses and damages                 | 0 = N/A, 1 = Low, 2 = Moderate, 3 = High
SERVICE IMPACT    | Interruption of services                    | 0 = N/A, 1 = Low, 2 = Moderate, 3 = High
PREPAREDNESS      | Preplanning                                 | 0 = N/A, 1 = High, 2 = Moderate, 3 = Low or none
INTERNAL RESPONSE | Time, effectiveness, resources              | 0 = N/A, 1 = High, 2 = Moderate, 3 = Low or none
EXTERNAL RESPONSE | Community/Mutual Aid staff and supplies     | 0 = N/A, 1 = High, 2 = Moderate, 3 = Low or none
RISK              | (Relative threat increases with percentage) | 0 - 100%

Threat Source                       | RISK
Hurricane                           | 0%
Tornado                             | 0%
Severe Thunderstorm                 | 0%
Snow Fall                           | 0%
Blizzard                            | 0%
Ice Storm                           | 0%
Earthquake                          | 0%
Tidal Wave                          | 0%
Temperature Extremes                | 0%
Drought                             | 0%
Flood, External                     | 0%
Wild Fire                           | 0%
Landslide                           | 0%
Dam Inundation                      | 0%
Volcano                             | 0%
Epidemic                            | 0%
Electrical Failure                  | 0%
Generator Failure                   | 0%
Communications Failure              | 0%
HVAC Failure                        | 0%
Hazmat Exposure                     | 0%
Structural Damage                   | 0%
Inadvertent Data Entry              | 0%
Network Based Cyber Attack          | 0%
Malicious Software Upload           | 0%
Hacker, Cracker                     | 0%
Terrorist                           | 0%
Terminated Employee                 | 0%
Disgruntled Employee                | 0%
Industrial Espionage                | 0%
Unauthorized Access to Patient Data | 0%
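The worksheet's Risk column can be reproduced outside the spreadsheet, which helps when reviewing or ranking scored rows. The Python below is an added example, not part of the IHS template: the normalization (probability out of 3, multiplied by the six severity scores out of 18) is an assumption, because the template does not print the spreadsheet's formula, and the scored rows are constructed sample data.

```python
"""Relative-risk scoring for the threat worksheet (added example).

Assumption: Risk = (probability / 3) * (sum of the six severity scores / 18).
The template does not print the spreadsheet's formula, so this
normalization is illustrative only.
"""
from dataclasses import dataclass, fields

MAX_SCORE = 3          # every column is scored 0, 1, 2 or 3
SEVERITY_COLUMNS = 6   # three impact columns plus three response columns


@dataclass(frozen=True)
class ThreatRow:
    threat_source: str
    probability: int        # 0 = N/A, 1 = Low, 2 = Moderate, 3 = High
    human_impact: int       # same scale as probability
    property_impact: int    # same scale as probability
    service_impact: int     # same scale as probability
    preparedness: int       # inverted: 1 = High, 2 = Moderate, 3 = Low or none
    internal_response: int  # inverted scale
    external_response: int  # inverted scale


def scores(row):
    """Return (column_name, value) pairs for the seven scored columns."""
    return [(f.name, getattr(row, f.name)) for f in fields(row)[1:]]


def validate(row):
    """Reject anything that is not an integer score of 0, 1, 2 or 3."""
    for name, value in scores(row):
        ok = isinstance(value, int) and not isinstance(value, bool)
        if not ok or not 0 <= value <= MAX_SCORE:
            raise ValueError(f"{row.threat_source}: {name}={value!r} is not 0-3")


def risk_percent(row):
    """Relative risk as a percentage from 0 to 100 (assumed formula)."""
    validate(row)
    (_, probability), *severity = scores(row)
    # The response columns are scored on an inverted scale, so strong
    # preparedness (1 = High) lowers the severity sum. A column scored
    # 0 = N/A contributes nothing, which also lowers the result.
    severity_sum = sum(value for _, value in severity)
    worst_case = MAX_SCORE * (MAX_SCORE * SEVERITY_COLUMNS)  # 3 * 18 = 54
    return 100.0 * probability * severity_sum / worst_case


def rank(rows):
    """Return (threat_source, rounded percent), highest risk first.

    Rows that score 0% (for example a threat marked N/A) are left out.
    """
    scored = [(r.threat_source, round(risk_percent(r))) for r in rows]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: (-s[1], s[0]))


# Constructed sample scores for four worksheet rows (not real facility data).
SAMPLE_ROWS = [
    ThreatRow("Network Based Cyber Attack", 3, 1, 2, 3, 2, 2, 3),
    ThreatRow("Hurricane", 0, 0, 0, 0, 0, 0, 0),  # N/A for a desert facility
    ThreatRow("Electrical Failure", 2, 2, 1, 3, 1, 1, 2),
    ThreatRow("Terminated Employee", 2, 0, 1, 2, 3, 3, 3),
]

if __name__ == "__main__":
    for name, pct in rank(SAMPLE_ROWS):
        print(f"{pct:3d}%  {name}")
```

In the constructed data, the terminated-employee row outranks electrical failure despite lower impact scores, because all three response columns are scored 3 (low or no preparedness and response).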



5.0 Vulnerability Identification

The purpose of this section is to develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited. This section contains various tools available to a facility to identify technical vulnerabilities. If a facility chooses not to utilize one of the tools in this section, it can be deleted. Likewise, if a facility has other tools to identify vulnerabilities, sections should be added. The facility should also identify other vulnerabilities as part of the identification process keeping in mind that a vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of a system security policy. Some examples of vulnerabilities that may not be picked up by the automated tools would be:

• Social engineering of users, the help desk, or the user support team
• Misconfiguration of hardware, software or operating system
• Terminated employee accounts not removed from the system
• Water sprinklers to suppress fire in a data center
• Controls/measures not in place to physically protect equipment and information


5.1 SecureFusion Scans (Continuous monitoring/monthly reports)

DESCRIPTION: Gideon SecureFusion is an automated security configuration compliance and vulnerability scanning tool. SecureFusion is Security Content Automation Protocol (SCAP) compliant and currently aids IHS in providing enterprise-wide reports on security vulnerabilities, configuration compliance and asset inventory. For example, SecureFusion fully automates the enterprise-wide measurement and reporting of compliance with the Federal Desktop Core Configuration (FDCC) standard.

All IHS federal sites are required to use SCAP-validated tools to certify compliance with FDCC standards. If a facility chooses to utilize SecureFusion they will have access to the following functions:

• Asset Discovery: Rapidly discovers and inventories all networks and network assets, including managed and unmanaged devices,
• Configuration Management: Maintains an accurate inventory of system configurations, including technical controls, software, user accounts and system changes,
• Vulnerability Management: Conducts ongoing vulnerability detection and reporting for operating systems, infrastructure, network applications and databases, and
• Policy Management: Continuously evaluates system configuration and compliance with standards and policies.

The four functions highlighted above provide continuous funneling of information into the centralized SecureFusion Portal. As a result, IHS leverages the streamlined, automated, and end-to-end measurement process to more accurately measure and ensure compliance with many federal mandates, including FDCC, and NIST (SP) 800-53, Rev 3.

Point of Contact: ITThreats@ihs.gov

INPUT for RA: Vulnerability scans are conducted on a continuous basis with monthly reports of findings provided to each facility. The facility must work toward mitigating existing and new vulnerabilities on a continual basis.

During the initial (12) month period, facilities must maintain an average Risk Mitigation and Risk Aging score of “C” or better. All subsequent (6) month periods must be at an average score of “A” or better for both rating factors. Failure to maintain adequate scoring metrics may result in decertification for Meaningful Use and/or Authorization to Operate IT systems at your facility. Other actions may be taken as appropriate based upon severity or risk to IHS resources.

High Risk Aging | Grade | High Risk Mitigation | Grade
< 30 days       | A+    | 80 - 100%            | A+
31 - 45 days    | A     | 70 - 79%             | A
46 - 60 days    | B     | 60 - 69%             | B
61 - 75 days    | C     | 50 - 59%             | C
76 - 90 days    | D     | 40 - 49%             | D
> 90 days       | F     | < 40%                | F

Vulnerability findings and copies of approved on-line mitigation plans should be attached as Appendix B. An example on-line mitigation plan is included as Appendix H.

5.2 Penetration Testing (Performed annually)

DESCRIPTION: Penetration testing is a method of evaluating the security of computer systems and networks by simulating an attack from a malicious source. IHS has established an internal penetration testing program as part of the IHS Three-Year Cyber Security Plan. The program seeks to simulate malicious attacks from both internal and external entities. Penetration testing, when employed in the risk assessment process, can be used to assess an IT system’s ability to withstand intentional attempts to circumvent system security. Its objective is to test the IT system from the viewpoint of a threat-source, identify potential failures and vulnerabilities in the IT system protection schemes and to provide IT staff with recommendations to address each security risk.

The findings of the penetration test detail the approach, methodology, procedures and results of the test. The facility will receive a written report based upon the Rules of Engagement which will include High, Medium, and Low Risk Findings. Each finding will also include the following information:

• Description
• Affected Hosts
• Impact
• Recommendation
• Sources for Corrective Action

Point of Contact: Dan Largo (505-248-4137); daniel.largo@ihs.gov or Shad Malloy (505-248-4413); shad.malloy@ihs.gov

INPUT for RA: Penetration test reports and mitigation plans or progress reports should be attached as Appendix C.

5.3

TippingPoint



(Continuous monitoring

by HQ OIT
)

DESCRIPTION: TippingPoint is an intrusion prevention system (IPS) that looks for malicious and unwanted traffic to detect attacks (worms, viruses, Trojans, blended threats, phishing, spyware, VoIP threats, DoS, DDoS, backdoors, walk-in worms, bandwidth hijacking) before damage occurs. TippingPoint addresses many compliance program objectives, including vulnerability management and network monitoring, and provides automated enforcement of network security policies. Facilities will receive a written report of findings.

Point of Contact: David Patterson (505-248-4464); david.patterson@ihs.gov

INPUT to RA: TippingPoint has the flexibility to create a variety of customizable reports. Insert any findings and corresponding information in Appendix D.

5.4 VisiWave (Performed annually for sites utilizing wireless networks)

DESCRIPTION: VisiWave is a Site Survey tool that provides a visualization of wireless devices within a facility. VisiWave can identify signal interference with medical devices, reveal areas with weak or non-existent coverage, discover the existence and location of rogue access points, and map signal leakage out of a facility into the public domain. VisiWave provides three effective methods for capturing data (one point at a time, survey through a continuous area, or GPS positioning for outdoor surveys).

IHS OIT/DIS has purchased and installed VisiWave on rugged laptops that may be loaned out to the field upon request. Typically, they will be loaned out for a maximum period of seven days.

Point of Contact: David Patterson (505-248-4464); david.patterson@ihs.gov


INPUT to RA: Site survey reports and mitigation plans or progress reports should be attached as Appendix E.

5.5 Network Threat Response (Continuous monitoring by HQ OIT)

DESCRIPTION: McAfee® Network Threat Response (NTR) discovers zero-day malware that will use or is using network exploits to attack the IHS network, and automatically captures that malware for analysis and response. NTR enables IT professionals to dig deep into threats and construct forensic analysis to effectively characterize and respond to malware in the way that’s most effective for an organization.

Point of Contact: David Patterson (505-248-4464); david.patterson@ihs.gov

INPUT to RA: Although there is nothing out of NTR that can be easily added to this document, the tool can be used to prevent malware and network exploits from occurring on your network. Upon request, IHS will provide malware signatures for inclusion in a facility’s Intrusion Detection System/Intrusion Prevention System.

5.6 ArcSight Log Management (Periodic review of logs)

DESCRIPTION: ArcSight is a log management tool that includes search capabilities. The tool will provide the ability to view and analyze system activity and provide evidence of various system activities. ArcSight supports collection of raw or unstructured logs from any syslog or file-based log source.

Point of Contact: Ed Stover (505-248-4209); edward.stover@ihs.gov

INPUT to RA: Although there is nothing out of ArcSight which can be easily added to this document, a facility can utilize the tool to manage the many event and security logs generated by IT equipment.

5.7 Other Tools

The facility may have access to other security tools which are not included in this template. The combination of local and enterprise level tools can significantly enhance a facility’s security posture and decrease potential risk. Additional appendices may be added to accommodate facility-unique reporting tools.

6.0 Control Analysis

The goal of this step is to analyze the controls that have either been implemented or are planned for implementation by the organization to minimize or eliminate the risks identified through the risk assessment process. By implementing security controls, the level of risk to the IT systems and the data will be reduced to an acceptable level.


To determine which security controls are required and appropriate for a facility, a cost-benefit analysis can be conducted for any planned controls, to demonstrate that the costs of implementing the controls can be justified by the reduction in the level of risk. In addition, the effect on system performance and feasibility (e.g., technical requirements, user acceptance) of introducing the planned controls should be evaluated carefully during this process.

Utilizing NIST (SP) 800-53, Rev 3 as a checklist is a great way to analyze security controls in an efficient and systematic manner. Some of the major controls are included in the table below. However, it is essential to modify and update the table in order to accurately reflect a facility’s IT environment.







Control Area / Description of Controls

1 Risk Management

1.1 IT Security Roles & Responsibilities
List the name, title, and role for each employee with facility IT security responsibilities.

1.2 IT Policy and Procedure
List the facility IT security related policies and/or procedures
- Abide by or have adopted IHS policies and procedures
- Other (Provide details)

1.3 IT System & Data Sensitivity Classification
Provide the classification of data per FIPS-199
- High
- Moderate
- Low

1.4 IT System Inventory
Explain how the IT systems are inventoried and if the inventory is current
- Utilizing SecureFusion for inventory
- Utilizing a combination of SecureFusion and IHS Sunflower
- Other (Provide details)

1.5 IT Security Audits
List and describe any IT security audits (such as an IHS Penetration Test)
- Adopted security audits as described in Section 5
- Other (Provide details)

2 IT Contingency Planning

2.1 Continuity of Operations Planning
Discuss the COOP plan for the facility (A template is available from OIT upon request; POC: tautra.romig@ihs.gov)
- COOP Plan complete and alternate facility available
- COOP Plan complete but no alternate facility available
- No COOP Plan in place
- Other (Provide details)

2.2 IT Disaster Recovery Planning
Discuss the IT Disaster Recovery Plan (May be part of the overall IT COOP Plan)
- Already included in COOP Plan
- Other (Provide details)

2.3 IT System & Data Backup & Restoration
Discuss the Data Backup and Restoration process for IT systems
- Already included in COOP Plan
- Data backup and restoration addressed separately
- Other (Provide details)

3 IT Systems Security

3.1 IT System Hardening
Discuss IT system hardening such as FDCC settings, patch level, Service Packs, Firewalls, etc.
- System hardening is enforced through Microsoft Group Policy
- Other (Provide details)

3.2 Malicious Code Protection
Discuss Anti-Virus software products in use
- Utilizing Symantec Anti-virus
- Utilizing McAfee Antivirus
- Other (Provide details)


4 Logical Access Control

4.1 Account Management
Discuss how User Accounts are managed and controlled
- Abide by or have adopted IHS policy
- Other (Provide details)

4.2 Password Management
Discuss Password Requirements
- Abide by or have adopted IHS policy
- Other (Provide details)

4.3 Remote Access
Discuss how remote access is utilized at the facility.
- Utilizing the IHS Cisco VPN solution
- Utilizing the IHS Citrix VPN solution
- Other (Provide details)

4.4 Separation of Duties
Discuss how the concept of separation of duties is enforced to ensure that no single individual has control of the entirety of a critical IT process.
- Abide by or have adopted policies covered under DIS-SOP 09-25
- Other (Provide details)

5 Data Protection

5.1 Data Storage Media Protection
Discuss how portable media and mobile devices are controlled and the data stored on those devices is protected
- Utilizing GuardianEdge or EndPoint protection for removable media
- Other (Provide details)

5.2 Encryption
Discuss the encryption being utilized on IT devices (select all that apply)
- Utilizing IPSEC for encryption of data in transit
- Utilizing VanDyke for encryption of data in transit
- Utilizing Pointsec for full disk encryption
- Utilizing GuardianEdge for full disk encryption
- Utilizing Microsoft Bitlocker for full disk encryption
- Other (Provide details)

6 Facilities Security

6.1 Facilities Security
Discuss physical security of the facility
- Physical access is controlled through employee badges and visitor sign-in.
- Other (Provide details)

6.2 Power
Discuss controls to ensure power to critical IT systems is maintained during an outage (select all that apply)
- Critical IT systems are supported by UPS
- Critical IT systems are supported by a generator
- Other (Provide details)

6.3 Restricted Areas
Discuss how restricted areas such as the “computer room” or “data center” are secured
- Rooms are secured with limited access
- Rooms are unsecured but access is monitored
- Other (Provide details)

6.4 Temperature and Humidity
Discuss how Temperature and Humidity are controlled
- Temperature and humidity are controlled through the facility HVAC
- Other (Provide details)

7 Personnel Security


7.1 Access Determination & Control
Discuss how an employee gains access to the facility, restricted areas, and IT systems. Discuss what determines the level of access they receive. Discuss how and when access is removed (Select all that apply)
- IHS issued PIV or PIVi cards are utilized for physical access
- IHS issued PIV or PIVi cards are utilized for logical/logon to IT systems
- Removal of access to IHS resources is addressed through IHS policy and/or ITAC
- Other (Provide details)

7.2 IT Security Awareness & Training
Discuss the IT Security Awareness and Training employees are required to participate in
- Employees and contractors take IHS’s annual on-line security awareness training
- Other (Provide details)

7.3 Acceptable Use
Discuss the Acceptable Use policy
- Abide by or have adopted IHS policy as described in the IHS Rules of Behavior and IHS Manual
- Other (Provide details)

8 Threat Management

8.1 Threat Detection
Discuss how IT threats are detected
- Utilizing IHS tools as described in Section 5
- Other (Provide details)

8.2 Incident Handling
Discuss how IT incidents are handled
- Incidents are reported to the IHS Incident Response Team
- Other (Provide details)

8.3 Security Monitoring & Logging
Discuss how security is monitored and the logging capabilities of IT systems
- Utilizing IHS tools as described in Section 5
- Other (Provide details)

9 IT Asset Management

9.1 IT Asset Control
Discuss how computers are controlled, such as leaving the premises, connected to the network, disposal, etc.
- IT systems are controlled through the use of property receipts
- Other (Provide details)

9.2 Software License Management
Discuss the software policy (select all that apply)
- Applications are identified and tracked through SecureFusion
- Licensing is tracked manually
- Abide by or have adopted IHS policies
- Other (Provide details)

9.3 Configuration Management & Change Control
Discuss how configuration management and change control are handled
- Utilizing the IHS change control board
- Utilizing a ticketing system, i.e. Heat, to manage and track system changes
- Other (Provide details)

10 Other

10.1 Other
Add rows as needed to document additional security controls as described in NIST (SP) 800-53, Rev 3




7.0 Risk Mitigation Strategies

Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. Because the elimination of all risk is usually impractical or close to impossible, it is the responsibility of senior management and functional and business managers to use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission. It may not be practical to address all identified risks, so priority can be given to the threats and vulnerabilities that have the potential to cause significant mission impact or harm.

Appendix G contains a template for documenting risks and provides for recommended controls for senior management approval. Instructions are provided on the Risk Mitigation Worksheet. This template will be utilized for findings identified through Penetration Testing, VisiWave wireless surveys or other IT security tools. This form is NOT required for risks identified through SecureFusion, as there is a built-in Mitigation Plan as shown in Appendix H. Many of the details of this plan, such as the device information, list of individual vulnerabilities, and the point of contact information, are automatically generated. The only fields a facility is required to manually complete are the device description, mitigation plan, removal impact, estimated cost and a planned remediation date.



8.0 Appendix A: Network Diagram(s)





9.0 Appendix B: Monthly SecureFusion Reports





10.0 Appendix C: Annual Penetration Test




11.0 Appendix D: TippingPoint (Monitored by HQ OIT)




12.0 Appendix E: Annual VisiWave Site Survey



13.0 Appendix F: Key Roles in a Risk Assessment

This table shows examples of the key personnel that should support and participate in the risk assessment and management process. For a detailed description of specific roles and additional roles for the Risk Management Framework, please refer to NIST (SP) 800-30 and NIST (SP) 800-37, Rev 1.


Role / Responsibility

Senior Management
Under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of risk assessment activity into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

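Information Technology Director or Chief Information Officer (CIO)
Responsible for the facility’s IT planning, budgeting, and performance including its information security components and compliance. Decisions made in these areas should be based on an effective risk management program.

System and Information Owners
Responsible for ensuring that proper controls are in place to address integrity, confidentiality and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems (e.g., system enhancements, major changes to the software and hardware). Therefore, they must understand their role in the risk management process and fully support this process.

Business and Functional Managers
Responsible for business operations and IT procurement process and must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.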


CISO/ISSO
IT security program managers and computer security officers are responsible for their organizations’ security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations’ missions. ISSOs also act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis.

IT Security Practitioners
IT security practitioners (e.g., network, system, application, and database administrators, computer specialists, security analysts; security consultants, developers) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT environment (e.g., expansion in network connectivity, changes to existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.




14.0 Appendix G: Risk Mitigation Worksheet

(Instructions: This worksheet is designed to document how you are going to handle each of the risks identified during the risk assessment process. If you identified twenty (20) risks you would have twenty (20) worksheets. The Risk Assessment Team should work together to complete the worksheets. The Facility Director or designee will evaluate the selections and agree to each (e.g., accepting the risks and chosen recommended controls) or will negotiate an alternative mitigation strategy.)

NOTE: Not required for risks identified through SecureFusion.


Date Completed:

Date Last Modified:




Certifying Authority Signature:








Date: ______________



Risk # / Risk (High/Moderate/Low) / Risk Statement





Recommendations / Implement Recommendation? Y/N / Proposed Alternatives / Response/Comments






Recommendation That Risk Be Accepted As Mitigated



Certifying Authority Initials:







Comments:



15.0 Appendix H: SecureFusion Mitigation Plan

Figure 02: Sample Vulnerability Mitigation Plan




16.0 Security Review and Attestation


Initial Year

Both parties agree that adequate and acceptable IT security measures are in place to protect IHS/Tribal/Urban resources under the local control of the facility identified on the cover of this Risk Analysis.






Signature of Facility CEO



Date









Signature of Area ISSO




Date


Year One Review

Both parties have performed an annual review and have noted any changes below. Adequate security measures are being maintained to protect IHS/Tribal/Urban resources.



Avg Aging:




Avg Mitigation:











Signature of Facility CEO




Date









Signature of Area ISSO




Date


Year Two Review

Both parties have performed an annual review and have noted any changes below. Adequate security measures are being maintained to protect IHS/Tribal/Urban resources.



Avg Aging:




Avg Mitigation:











Signature of Facility CEO


Date









Signature of Area ISSO




Date