2010 Secure World Boston Nist

Presentation on using the NIST Risk Management Framework (RMF) to comply with FISMA, HIPAA and state data privacy requirements.

1. NIST, FISMA, HIPAA and Data Privacy – Where to Begin
   Candy Alexander, CISSP CISM
   SecureWorld Expo - Boston - March 24, 2010 - Room 104
2. Topics
   - Setting the stage for a case study
   - Understanding the requirements
   - How can NIST help
   - Closer look at NIST
   - Summary
3. Setting the Stage
   - Organization driven by multiple requirements
     - FISMA
     - HIPAA*
     - Data privacy (45 states and the Feds)
       - MA 201 CMR 17
   - Small organization with minimal resources
     - Need to work smart
   - Identify one framework that fits all requirements
   - Existing work based on the HIPAA Privacy & Security Rules
   - Redirect into the NIST framework to meet *all* requirements
   * Additional push from the new HITECH Act – summary of changes at the end of the slides
4. Understanding the Requirements…
   - Need to understand the business requirements
     - Compliance (just enough, or to actually protect)
     - Big budget or barely enough
   - Frameworks available
     - ISO ($$$)
     - COBIT ($$)
     - NIST (free)
     - Do it yourself ($?)
   - All of these + notification process*
   - As a federal contractor, we used the NIST Risk Management Framework (RMF):
     - SP 800-53
     - SP 800-66 Rev. 1
5. Using the NIST Risk Management Framework (RMF)*
   * NIST SP 800-66 Rev. 1, October 2008
6. Step 1 – Categorize Information and Assets
   - Use FIPS 199 to identify the CIA (confidentiality, integrity and availability) impact rating
     - Great tool for communicating risk to the business
     - For PHI (Protected Health Information) the "C" and "I" ratings should be High; availability is up to the process owner
   - Identify PII (Personally Identifiable Information) and its business owner (supports the data privacy requirements)
   - Identify "where" in the organization PII/PHI resides (applications, folders, etc.)
     - Supports the PHI tracking requirement for HIPAA
   - Use NIST SP 800-60 for guidance
7. Step 2 – Security Controls
   - Use FIPS 200 to identify the minimum baseline
   - Select the controls to be used
     - Identified in SP 800-53 (Rev. 3); pick those appropriate to the environment (risk-based approach)
   - Document controls/requirements in a security plan for each IT system
     - NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
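Steps 1 and 2 carried through in code, as an added worked example that is not part of the original presentation: FIPS 199 rates each information type Low, Moderate or High for confidentiality, integrity and availability; the system category takes the highest rating per objective across all information types on the system; and FIPS 200 takes the high-water mark of the three objectives to pick the SP 800-53 Low, Moderate or High baseline. The sample system and its information types are constructed for illustration; PHI is rated High for confidentiality and integrity as the slides state, and every other rating is an assumption.

```python
"""FIPS 199 security categorization and FIPS 200 high-water-mark baseline.

Added worked example; not code from the presentation. The sample information
types below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# FIPS 199 potential impact levels, ordered so max() selects the high-water mark.
LEVELS = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type held on the system with its FIPS 199 impact ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    public: bool = False  # N/A is allowed for confidentiality only on public information

    def impact(self, objective: str) -> str:
        level = getattr(self, objective)
        if level not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
        if level == "N/A" and (objective != "confidentiality" or not self.public):
            raise ValueError(f"{self.name}: N/A applies only to confidentiality of public information")
        return level


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """FIPS 199 system category: per objective, the highest rating across information types.

    A system always has at least a Low impact on every objective, so an N/A
    confidentiality rating at the information-type level becomes Low for the system.
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max((it.impact(objective) for it in info_types), key=LEVELS.__getitem__)
        category[objective] = "Low" if highest == "N/A" else highest
    return category


def baseline(category: Dict[str, str]) -> str:
    """FIPS 200 high-water mark: the system impact level that selects the SP 800-53 baseline."""
    return max(category.values(), key=LEVELS.__getitem__)


def format_category(category: Dict[str, str]) -> str:
    """Render the category in FIPS 199 notation, e.g. SC = {(confidentiality, High), ...}."""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


# Constructed sample: a small clinic application. PHI is High for C and I as the
# slides state; its availability and the other two types' ratings are assumptions.
SAMPLE_SYSTEM = [
    InfoType("Protected Health Information", "High", "High", "Moderate"),
    InfoType("Appointment scheduling", "Moderate", "Moderate", "Moderate"),
    InfoType("Public web content", "N/A", "Low", "Low", public=True),
]


def categorize_sample() -> Tuple[Dict[str, str], str]:
    """Categorize the sample system and return (category, baseline)."""
    category = categorize_system(SAMPLE_SYSTEM)
    return category, baseline(category)


if __name__ == "__main__":
    cat, base = categorize_sample()
    print(format_category(cat))
    print(f"FIPS 200 impact level / SP 800-53 baseline: {base}")
```

Running it prints the category in FIPS 199 notation and a High baseline. Note the effect of the high-water mark: the PHI confidentiality rating alone drives the whole system to the High baseline even though the process owner rated availability Moderate, which is why the control selection in Step 2 is done on a risk basis against the environment rather than by adopting the baseline wholesale.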
8. Step 3 – Implement Security Controls
   - Uses various automated tools and manual processes
     - Operating system controls
     - Application controls
     - System Development Life Cycle
   - A full array of publications is available to provide guidance on the specific topic/requirement
     - See http://csrc.nist.gov
     - Special Publications, FIPS publications, NIST IRs (Interagency/Internal Reports) and ITL (Information Technology Laboratory) Bulletins
9. Step 4 – Assess Controls
   - Evaluate the controls with SP 800-53A
     - Internal audits
     - External audits
10. Step 5 – Authorize Information System
   - Authorization to Operate (ATO)
     - Primarily for FISMA compliance
     - Essentially, the Designated Approving Authority (authorizing official) reviews the controls and the evaluation of the controls, then authorizes use with an explicit decision to accept the risk
   - Not a BAD idea for getting executives to understand, review and accept the risk
11. Step 6 – Monitor Security
   - Continuous monitoring
     - Threats & vulnerabilities
     - Controls put in place to mitigate risk
   - Ensure everything is effective and operating as intended
   - Ensure documentation is kept up to date
   - Conduct security impact analysis of changes
12. FISMA… Certification & Accreditation
   - What is Certification and Accreditation?
     - Certification and Accreditation is a process that ensures that systems and major applications adhere to formal and established security requirements that are well documented and authorized.[1]
   - Sound a little like MA 201 CMR 17?
   - Obtaining the C&A removes the uncertainty of compliance
     - Much like ISO, PCI and SAS 70 Type II
   - Auditors appreciate the structure
   [1] e-Articles.info, via ask.com
13. FISMA/NIST C&A
   - C&A guidance is available through SP 800-37
   - Provides the accrediting authority (and auditors) a high degree of confidence that the managerial, technical and operational security controls work as intended, and that the information processed, stored and transmitted by the system is protected
   - Controls based on FIPS 199, FIPS 200, NIST SP 800-66 (HIPAA) and SP 800-53
   - C&A should be completed prior to production, with re-accreditation when significant change occurs, as directed by the agency contract/authorizing official, or at minimum every three years
14. C&A Phases
   - Consists of 4 distinct phases
     1. Initiation Phase
     2. Security Certification Phase
     3. Security Accreditation Phase
     4. Continuous Monitoring Phase
   - Each phase has a detailed list of tasks and subtasks, documents and artifacts that are used to support the next phase
15. Certification Package*
   1. Updated System Security Plan
   2. Completed Security Risk Assessment
   3. Updated Configuration Management Plan
   4. Contingency Management Plan(s)
   5. Security Test & Evaluation Report
   6. User Manuals
   7. Interconnection Security Agreements or MOUs (Business Associate Agreements for HIPAA)
   8. Privacy Impact Assessments
   9. Federal Register System of Records Notice
   10. Plan of Action & Milestones
   * Exact contents are defined by the Information System Owner
16. Accreditation Package
   1. Security Assessment Report
   2. Security Accreditation Decision Letter
   3. System Security Plan
   4. Plan of Action & Milestones
17. HITECH Act – Tougher HIPAA
   - From the privacy/security perspective:
     - Breach notification (tougher requirements)
     - Wider scope – now including Business Associates (2/17/10)
     - Accounting of disclosures (more rigorous)
     - Enforcement (2/17/10) – increased penalties ($$$)
     - State AGs' enforcement
18. Questions?
   Candy Alexander, CISSP CISM
   calexander@ltcpartners.com