Blog

  • Training and Certification: 800-66 – HIPAA

    Guidance for the Health Insurance Portability and Accountability Act (HIPAA)

    NIST Special Publication 800-66 offers guidance for HIPAA. HIPAA is divided into five Titles:
    Title 1) Healthcare accessibility, portability and renewability
    Title 2) Healthcare fraud and abuse prevention; healthcare liability; Administrative Simplification
    Title 3) Tax-related healthcare provisions
    Title 4) Group health plan requirements
    Title 5) Revenue offsets

    The focus of NIST SP 800-66 is the HIPAA Security Rule under Title 2, Administrative Simplification. The HIPAA Security Rule material is broken into Electronic Data Interchange (code sets, identifiers, transactions), Privacy, and Security.
    Security covers all efforts to protect the confidentiality, integrity and availability of electronic protected health information (EPHI). The HIPAA Security Rule applies to covered entities. Covered entities include covered healthcare providers, health plans, healthcare clearinghouses, and Medicare prescription drug card sponsors.

    This involves physical, administrative and technical safeguards, organizational requirements, and policy, procedure and documentation requirements. Each control used to meet these requirements is classified as either required or addressable.

    Physical security safeguards: all security controls needed to physically protect electronic protected health information (EPHI) and the resources that hold it. These controls reduce physical access to EPHI systems and their resources by isolating, limiting access to, and locking the areas in which the resources housing EPHI are located.
    Administrative safeguards: administrative controls include the documentation and procedures that govern the security of systems containing EPHI.
    Technical safeguards: technical security features that protect EPHI. These include access control lists, least functionality on ports, protocols and services, and other logical protection mechanisms over a network.
    Organizational requirements: the policies, standards and guidelines the organization must adhere to. These may include federal and state law and healthcare best practice.
    Policy, procedure and documentation requirements: the physical, administrative and technical controls are captured in documentation to establish a baseline, provide consistency, and act as a blueprint for future employees and/or managers.

  • Training and Certification: NIST SP 800-39 Manage Information Security Risk

    NIST SP 800-39, Manage Information Security Risk

    NIST SP 800-39 is a federal document that addresses risk management for information systems and their security. It is cited as one of the sources for the ISC2 Certified Authorization Professional (CAP) certification. For study purposes, focus on Chapters 2 and 3 of 800-39. Chapter 2 covers the fundamentals of risk management, and Chapter 3 breaks down the process of applying risk management across an organization.

    The Fundamentals of Risk Management (Chapter 2, 800-39)
    800-39 covers the philosophy (or “the why”) and the how of managing information security risk at multiple levels (the multitier risk management approach). The three layers (or tiers) of risk management addressed in 800-39 are:
    Tier 1: Organization level
    Tier 2: Mission/Business Process level
    Tier 3: Information System level

    Tier 1: Organization Level risk management
    Tier 1 addresses security from the organization’s perspective. Its activities include the implementation of the first component of risk management, risk framing. Risk framing provides the context for all risk activities within an organization, and so affects the risk activities of tiers 1 and 2. The output of risk framing is the risk management strategy. In Tier 1 the organization establishes and implements governance structures that comply with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy, and determination of the organization’s risk tolerance.

    Tier 2: Mission/Business Process Level risk management

    Tier 2 risk management activities include:
    1) Defining the mission/business processes that support the organization.
    2) Prioritizing the mission/business processes with respect to the long-term goals of the organization.
    3) Defining the types of information needed to successfully execute the mission/business processes, the criticality/sensitivity of that information, and its information flows, both internal and external.

    Having risk-aware processes is an important part of Tier 2. To be risk-aware, senior leaders/executives need to know:
    1) The types of threat sources and threat events that could have an adverse effect on the organization.
    2) The potential adverse impacts on organizational operations and assets, individuals, and the Nation if confidentiality, integrity or availability is compromised.
    3) The resilience to such attacks that can be achieved with a given mission/business process.

    Tier 3: Information System risk management

    From the information system perspective, Tier 3 addresses the following tasks:
    1) Categorization of the information system
    2) Allocation of organizational security controls
    3) Selection, implementation, assessment, authorization, and ongoing monitoring of security controls

    Chapter 3 focuses on the steps of a comprehensive risk management program. The tasks discussed are:
    Risk Framing
    Risk Assessment
    Risk Response
    Risk Monitoring

    Risk Framing
    Risk framing establishes the assumptions, constraints, risk tolerance and priorities that shape how an organization manages risk. The risk frame is built from the organization’s governance structure, available funding, imposed regulations, environment, culture and trust relationships.
    In order to “frame” risk (that is, establish the organizational context of the risk), the organization must determine its risk assumptions, risk constraints, risk tolerance, and priorities/trade-offs.

    Risk Assumptions
    Risk assumptions determine how risk will be assessed for an organization. The assumptions are based on the identification of threats and vulnerabilities, the impact to the organization if attacks are successful, and the likelihood of attacks.

    Risk Constraints
    Risk constraints are the accepted limits on risk assessment, risk monitoring and risk response. Those limitations might be financial or cultural, the need to rely on legacy systems, or regulations imposed on the organization.

    Risk Tolerance
    Risk tolerance is how much risk the organization is willing to take.
    Priorities/Trade-offs
    Risk is experienced at different levels, in different forms, and in different time frames. At Tier 1, organizations make trade-offs among and establish priorities for responding to such risks. Organizations tend to have multiple priorities that at times conflict, which generates potential risk. Approaches employed by organizations for managing portfolios of risks reflect organizational culture, risk tolerance, as well as risk-related assumptions and constraints. These approaches are typically embodied in the strategic plans, policies, and roadmaps of organizations, which may indicate preferences for different forms of risk response. For example, organizations may be willing to accept short-term risk of slightly degraded operations to achieve long-term reduction in information security risk.
    However, this trade-off could be unacceptable for one particularly critical mission/business function (e.g., real-time requirements in many industrial/process control systems). For that high-priority area, a different approach to improving security may be required, including the application of compensating security controls.

    Risk Assessment
    Risk assessment is threat and vulnerability identification followed by risk determination. Organizational risk framing is a prerequisite to risk assessment, because the risk assessment methods must be established within the organization’s risk context.

    Risk Response
    Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

    Risk identification is key to risk response. Risk response types include:
    Risk acceptance – the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

    Risk avoidance – Organizations may conduct certain types of activities or employ certain types of information technologies that result in unacceptable risk. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition those activities or technologies within the organizational mission/business processes to avoid the potential for unacceptable risk.

    Risk mitigation – adding management, technical and administrative safeguards to minimize the identified risks to the system.
    Risk sharing and transfer – Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another (e.g., using insurance to transfer risk from particular organizations to insurance companies).

    Risk monitoring – Risk changes with each modification of the system, so it is important to monitor changes in a system’s risk over time. Changes to threats can also change risk.

  • Where To Find a Job (part 1)

    It is 2011 and the economy is still limping along. Despite the slump in economic prosperity around the world, there is still a demand for jobs. Here are some tricks that have allowed me to not be affected at all by the recession.

    I have put together a quick list of 5 things I have done to get jobs quickly.

    1) Advertise yourself! – Post your resume on indeed.com, monster.com, simplyhired.com, linkedin.com. Create a blog and talk about your industry.

    There are a few job search engines that allow you to search the web for decent jobs in ANY career field. And these sites are equal or better than monster.com:
    http://www.indeed.com
    http://www.simplyhired.com

    2) Use keywords related to the field on your resume and post it online – Employers searching through resumes are focusing on keywords/phrases.

    3) Talk to job recruiters – Employers often use job recruiters to find workers. So, these recruiters have constant access to many different opportunities.

    4) Check the current trends in your industry – Be aware of what is going on in the industry you are in. Use indeed.com/jobtrends to search keywords.

    5) Be willing to travel & negotiate travel – Being willing to give a little to an employer can make you more attractive to that employer.

  • Training & Certification: CAP – Security Authorization of Federal Information Systems

    Understanding the Security Authorization of federal information systems

    The ISC2 CAP candidate needs to understand the multitier approach to evaluating strategic and tactical risk across an organization/enterprise. This is discussed thoroughly in NIST SP 800-39, Managing Information Security Risk. 800-39 explains risk management from the organization, mission/business process, and information system perspectives.

    800-39 explains how an organization does risk framing by making risk assumptions and knowing its risk constraints, risk tolerance, and priorities/trade-offs. Implementation of an organization’s risk management strategy is also based on its governance structure.

    Security Authorization is a risk management process based on the identification of threats, vulnerabilities and countermeasures. 800-39 and 800-37 explain what must be included in a risk assessment that evaluates residual risks and determines whether they are acceptable or unacceptable to the organization as a whole. Unacceptable risks can be reduced by implementing security controls.

    Understanding the Security Authorization of federal information systems covers the following key areas:

    Understand the Risk Management Approach to Security Authorization
    Understanding and distinguishing among the Risk Management Framework (RMF) steps
    Define and Understand Roles & Responsibilities
    Understand the Relationship between the RMF and SDLC
    Understand Legal, Regulatory, and Other Requirements for Security Authorization
    Understand Common Controls and Security Control Inheritance
    Understand Ongoing Monitoring Strategies
    Understand How the Security Authorization Process Relates to:

    1. Organization-wide risk management
    2. System Development Life Cycle (SDLC)
    3. Information system boundaries
    4. Authorization decisions

  • putting in work in germany

    In Germany on business. Driving in Germany is easier than driving in Colorado!

  • Training and Certification: certified authorization professional (1)

    The Certified Authorization Professional (CAP) is a certification that indicates a professional level of knowledge/skill on the subject of federal information system authorization (formerly certification & accreditation). In the US federal government, “authorization” to operate a federally owned information system is a formal acceptance of risk by an Authorizing Official (AO). An AO is a high-ranking official granted the authority to make major risk-related decisions for an entire branch or unit within a federal organization. The AO accepts or rejects the risks that information systems pose to his or her organization based on the recommendations of a security control assessor’s audit and the accompanying Security Authorization Package.

    The CAP is based almost entirely on federal information security/protection laws, National Institute of Standards & Technology (NIST) publications, and Office of Management & Budget regulations.

    There are seven domains the CAP exam focuses on:
    1. Understanding the Security Authorization of Information Systems
    2. Categorize Information Systems
    3. Establish the Security Control Baseline
    4. Apply Security Controls
    5. Assess Security Controls
    6. Authorize Information System
    7. Monitor Security Controls

  • Spotify

    is awesome.

    It’s the Netflix of music!

  • NIST 800: DoD Risk Management Framework

    There are a couple of defense policies reflecting the DoD’s move to the NIST 800 standards: Defense Federal Acquisition Regulation Supplement (DFARS 2011-D039) and CJCSI 6510.01, Information Assurance and Support to Computer Network Defense.

    Defense Federal Acquisition Regulation Supplement (DFARS 2011-D039)
    Defense contractors will have to meet the NIST Special Publication 800-53 security controls. Most large defense contractors have already started meeting the defense controls for DIACAP (which are very similar to the NIST 800 controls).
    more info @ firegovernment IT

    CJCSI 6510.01, Information Assurance and Support to Computer Network Defense
    The new 6510.01F replaces the old 6510.01E. The document refers to changes in the name of the Information Assurance Manager (IAM) to Information System Security Manager (ISSM) and the Information Assurance Officer (IAO) to Information System Security Officer (ISSO). The name Designated Accreditation Authority (DAA) is changed to Authorizing Official (AO). The former DIACAP term “certification” is changed to the 800-37 term “assessment”.

    Updates titles for Designated Accrediting Authority (DAA) to Authorizing Official; Information Assurance Manager (IAM) to Information Systems Security Manager (ISSM); and Information Assurance Officer (IAO) to Information Systems Security Officer (ISSO) to align with CNSSI No. 4009 (reference e) terms. Replaces term certification with assessment and accreditation with authorization (to operate) in alignment with CNSSI No. 4009 (reference e) terminology. The new terms are followed by legacy terms in parentheses throughout instruction.

    The document also refers to the coming changes to the DoD 8500 policies. The changes will focus on NIST 800:

    Select security controls IAW DODI 8500.2 (reference g). Note: The next update to DODI 8500.2 (reference g) and DODI 8510.01 (reference i) will direct DOD IS categorization and security control selection IAW CNSSI No. 1253, “Security Categorization and Control Selection for National Security Systems” (reference lll) with additional specific guidance on the DIACAP Knowledge Service. DODI 8500.2 (reference g) and DODI 8510.01 (reference i) will also direct the use of security controls in NIST SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations” (reference kkk) with supporting validation procedures in NIST SP 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems and Organizations” (reference lll), and additional DOD guidance published in the DIACAP Knowledge Service.

    The ultimate goal will be to move away from “Certification & Accreditation” and to a “Risk Management Framework” as in NIST SP 800-37:

    NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems” (reference mmmmm), provides guidelines for applying the Risk Management Framework to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring.

  • Google to Provide the World’s Social Network

    Google is no Joke!!

    Google+ seems to bring everything together. All of Google’s products and services are being reined in by the power of +You.

    For example, if you use Google’s Picasa, Google+ enhances the service by fully integrating the content of Picasa into their social network. If you use Android, you’ll be able to take a picture, load it into Picasa, then make it available to your “Circle” in Google+. Picasa is supposedly being renamed “Google Photos”, but for now that’s just a rumor.

    Other fully integrated services and products include (but are not limited to) Gmail and YouTube.

    Facebook has some major competition brewing!