![Page 1: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/1.jpg)
1
System Security Plan (SSP) Training
Conducted by Centers for Medicare & Medicaid Services
November 4 - 7, 2002
![Page 2: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/2.jpg)
2
Faculty
List of instructors' contact information
![Page 3: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/3.jpg)
3
Risk Assessment (RA) Methodology
Describes the steps to produce the IS RA Report.
The Information Security Risk Assessment process is presented as the following three phases:
System Documentation Phase
Risk Determination Phase
Safeguard Determination Phase
![Page 4: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/4.jpg)
4
System Documentation Phase: 1.1 System Identification
![Page 5: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/5.jpg)
5
System Documentation Phase: 1.1 System Identification (con't)
![Page 6: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/6.jpg)
6
System Documentation Phase: 1.1 System Identification (con't)
![Page 7: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/7.jpg)
7
System Documentation Phase: 1.1 System Identification (con't)
1.2 Asset Identification
1.2.1 System Environment and Special Considerations
1.2.2 System Interconnection/Information Sharing
1.3 System Security Level
![Page 8: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/8.jpg)
8
Risk Determination Phase
1) Identify potential dangers to information and systems (threats).
2) Identify the system weaknesses that could be exploited (vulnerabilities) and associate each with a threat to form a threat/vulnerability pair.
3) Identify existing controls that reduce the risk of the threat exploiting the vulnerability.
4) Determine the likelihood of occurrence of a threat exploiting the related vulnerability, given the existing controls.
5) Determine the severity of impact on the system of an exploited vulnerability.
6) Determine the risk level for the threat/vulnerability pair, given the existing controls.
This six-step Risk Determination process is conducted for each identified threat/vulnerability pair.
![Page 9: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/9.jpg)
9
Risk Determination Phase (con't): Risk Determination Table
Columns: Item No. | Threat Name | Vulnerability Name | Risk Description | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level
![Page 10: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/10.jpg)
10
Risk Determination Phase (con't): Likelihood of Occurrence Levels
The likelihood levels are Negligible, Very Low, Low, Medium, High, Very High, and Extreme (the rows of the Risk Levels Table).
![Page 11: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/11.jpg)
11
Risk Determination Phase (con't): Impact Severity Levels
Insignificant: Will have almost no impact if the threat is realized and exploits the vulnerability.
Minor: Will have some minor effect on the system. It will require minimal effort to repair or reconfigure the system.
Significant: Will result in some tangible harm, albeit negligible and perhaps only noted by a few individuals or agencies. May cause political embarrassment. Will require some expenditure of resources to repair.
Damaging: May cause damage to the reputation of system management, and/or notable loss of confidence in the system's resources or services. It will require expenditure of significant resources to repair.
Serious: May cause considerable system outage, and/or loss of connected customers or business confidence. May result in compromise of a large amount of Government information or services.
Critical: May cause an extended system outage, or cause the system to be permanently closed, with operations resumed in a Hot Site environment. May result in complete compromise of Government agencies' information or services.
![Page 12: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/12.jpg)
12
Risk Determination Phase (con't): Risk Levels Table
Rows are Likelihood of Occurrence; columns are Impact Severity.

| Likelihood of Occurrence | Insignificant | Minor | Significant | Damaging | Serious | Critical |
|---|---|---|---|---|---|---|
| Negligible | Low | Low | Low | Low | Low | Low |
| Very Low | Low | Low | Low | Low | Moderate | Moderate |
| Low | Low | Low | Moderate | Moderate | High | High |
| Medium | Low | Low | Moderate | High | High | High |
| High | Low | Moderate | High | High | High | High |
| Very High | Low | Moderate | High | High | High | High |
| Extreme | Low | Moderate | High | High | High | High |
![Page 13: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/13.jpg)
13
Safeguard Determination Phase (4 steps)
1) Identify the controls/safeguards to reduce the risk level of an identified threat/vulnerability pair, if the risk level is moderate or high.
2) Determine the residual likelihood of occurrence of the threat if the recommended safeguard is implemented.
3) Determine the residual impact severity of the exploited vulnerability once the recommended safeguard is implemented.
4) Determine the residual risk level for the system.
![Page 14: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/14.jpg)
14
Safeguard Determination Phase: Safeguard Determination Phase Table
Use Table 5 to summarize the analysis performed during the Safeguard Determination Phase.
Use the item numbers created for Table 1 as references in Table 5, so that the analysis summarized in both tables correlates to the same threat/vulnerability pair and associated risk level.
Columns: Item No. | Recommended Safeguard Description | Residual Likelihood of Occurrence | Residual Impact Severity | Residual Risk Level
![Page 15: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/15.jpg)
Risk Assessment Process Flow
![Page 16: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/16.jpg)
16
RA Methodology
Questions?
![Page 17: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/17.jpg)
17
Course Objectives
Understand:
SSP Methodology Version 3.0 (DRAFT)
Certification & Documentation Requirements for SSPs
SSPs within the Information Systems Security Program
![Page 18: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/18.jpg)
18
Legal Requirements
Computer Security Act of 1987
OMB Circular A-130, Appendix III
Government Information Security Reform Act (GISRA) of 2000
Contractual requirements
![Page 19: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/19.jpg)
19
CMS Requirements
CMS SSP Methodology Version 3.0 (DRAFT)
CMS Risk Assessment (RA) Methodology Version 1.1
![Page 20: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/20.jpg)
20
CMS SSP Architecture
3-Tier Architecture:
CMS Systems Master
General Support System (GSS)
Major Application (MA)
SSP Methodology Section 1.2
![Page 21: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/21.jpg)
21
General Support Systems
Defined as elements of the infrastructure that provide support for a variety of users and/or applications under the same direct management control
Normally includes hardware, software, information, data, applications, communications, facilities, and people
Users may be from the same or different organizations
Physical platform and infrastructure with environmental software
SSP Methodology Section 1.4.1
![Page 22: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/22.jpg)
22
Major Applications
Systems, usually software applications, that support a clearly defined business function for which there are readily identifiable security considerations and needs
Application code. Examples include MCS, FISS, and CWF.
SSP Methodology Section 1.4.2
![Page 23: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/23.jpg)
23
BP SSP Documentation
Tab A: Certification Form
Tab B: Accreditation Form
Tab C: System Security Plan with Appendices & Attachments
Tab D: Summaries and References
SSP Methodology Section 4.3
![Page 24: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/24.jpg)
24
BP SSP Formal Submission
Original Certification Form with all signatures must be forwarded to:
[address]
SSP with a copy of the Certification Form must be filed in your Security Profile.
SSP Methodology Section 4.3
![Page 25: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/25.jpg)
25
Reviewing and Updating an SSP
Security may degrade over time as technology changes
Changes occur to authorizing legislation or requirements
People and procedures change
SSP Methodology Section 4.5
![Page 26: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/26.jpg)
26
Certification
Acceptance of the security risk by the system owner
Requirement for all CMS systems
Based on a technical evaluation of a system to see how well it meets security requirements
System Owner/Manager, ISSO/SSO, and System Maintainer/Manager must sign the certification form
SSP Methodology Section 4.6
![Page 27: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/27.jpg)
27
Re-Certification
Major system modification
Change in security profile
Serious security violation occurs
Changes to the threat environment
Every year
Expiration of Certification
SSP Methodology Section 4.6
![Page 28: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/28.jpg)
28
Accreditation
Accepts the risk of the system as it impacts the rest of the agency, as certified by the system owner
CMS Internal Systems: formal accreditation by the CIO or Sr. Systems Security Advisor (SSA)
Must authorize in writing the use of each system, based on the SSP documentation, the certification, and the level of risk
SSP Methodology Section 4.7
![Page 29: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/29.jpg)
29
BP SSP Development Hints
The SSP is not:
a future planning document
an opportunity to educate the reader on security terminology, controls, best practices, etc.
a document to restate the CMS views on SSP methodology
The SSP is:
a document that describes the current operation
a statement of what is and what is not in place, with any rationale or compensating measures for what is not in place
It does not need to be developed from scratch.
![Page 30: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/30.jpg)
30
SSP Development Hints
Refer to/use existing system documentation
Must contain a high-level summary of technical information about the system, its security requirements, and the controls implemented to provide protection against its vulnerabilities
Where possible, provide references to policy/procedures, the responsible component, and how it can be reviewed
Must be dated to allow ease of tracking modifications and approvals
Use a 3-ring binder for the certified SSP
Maintain a history of all documentation and sign-offs
![Page 31: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/31.jpg)
31
Questions?
![Page 32: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/32.jpg)
32
System Security Plan Sections
An Executive Summary is OPTIONAL. If included, provide a summary of each of the first four sections of the SSP.
Section 1: System Identification
Section 2: Management Controls
Section 3: Operational Controls
Section 4: Technical Controls
![Page 33: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/33.jpg)
33
Section 1: System Identification
1.1 System Name/Title
1.2 Responsible Organization
1.3 Information Contact(s)
1.4 Assignment of Security Responsibility
1.5 System Operational Status
1.6 General Description / Purpose
![Page 34: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/34.jpg)
34
1.1 System Name/Title
Official name and title of the system, including acronym. Examples:
Fiscal Intermediary Standard System (FISS)
Financial Management Investment Board (FMIB), SOR # N/A
Web Support Team (WST), SOR # N/A
![Page 35: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/35.jpg)
35
1.2 Responsible Organization
Name of Organization, address, city, state, zip, contract number, contractor name (if applicable)
![Page 36: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/36.jpg)
36
1.3 Information Contact(s)
Title, organization, address, city, state, zip, e-mail address, and phone number for:
SSP Author
System Owner/Manager
System Maintainer/Manager
Business Owner/Manager
![Page 37: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/37.jpg)
37
1.4 Assignment of Security Responsibility
Title, organization, address, city, state, zip, e-mail address, and phone number for:
Individual(s) responsible for security from the BP component
Information System Security Officer/System Security Officer (ISSO/SSO)
Emergency contact information (name and phone number of a different person, for backup)
NOTE - This section must contain 4 different individuals
![Page 38: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/38.jpg)
38
1.5 System Operational Status
New
Operational
Undergoing a major modification
![Page 39: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/39.jpg)
39
1.6 General Description / Purpose
New “check one only” block for CMS on-site systems, CMS off-site systems, or External Business Partners (Medicare Contractors)
Brief description (1-3 paragraphs) of the purpose of the system and the organizational processes supported (include major inputs/outputs, users, and major business functions performed)
If a GSS, include all applications supported, including functions and information processed
![Page 40: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/40.jpg)
40
1.6.1 System Environment and Special Considerations
Brief (1-3 paragraphs) general description of the technical system, describing the flow of data and processes through the infrastructure covered by the SSP
Describe environmental factors that raise special security concerns
Document the physical location of the system
Provide a network diagram or schematic to help identify, define, and clarify the system boundaries
![Page 41: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/41.jpg)
41
1.6.2 System Interconnection / Information Sharing
Describe any system interconnections and/or information sharing (inputs and outputs) outside the scope of this plan
Include information on the authorization for connection to other systems or the sharing of information
Written management authorization must be obtained prior to connection
Document any written management authorizations (MOA/MOU or Data Exchange Agreement)
![Page 42: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/42.jpg)
42
1.6.2 System Interconnection / Information Sharing (cont’d)
For GSSs, describe the various components and sub-networks and their connections and/or interconnections to the LAN or WAN
For MAs, provide a description of the major application and sub-applications along with other software interdependencies
![Page 43: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/43.jpg)
43
1.6.3 Applicable Laws or Regulations
List the laws and regulations not already listed in the CMS Master Plan
Any laws or regulations that establish system-specific requirements for confidentiality, integrity, availability, auditability, and accountability of information in the system
![Page 44: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/44.jpg)
44
1.6.4 General Description of Information Security Level
Appendix B, SSP Methodology: Information Security Levels Table
Information Security Levels by Information Categories
The Information Owner (CMS) must define the Information Security Level
Claims processing systems have an Information Security Level of …
![Page 45: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/45.jpg)
45
Section 1
Questions?
![Page 46: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/46.jpg)
46
2.0 Management Controls
Management controls focus on the management of the computer security system and the management of risk for a system
2.1 Risk Assessment and Risk Management
2.2 Review of Security Controls
2.3 Rules of Behavior
2.4 Planning for Security in the Life Cycle
![Page 47: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/47.jpg)
47
2.1 Risk Assessment and Risk Management
Attach the risk assessment to the SSP and provide a summary in this section including:
Value of the system or application (i.e., assets)
Threats
Vulnerabilities
Effectiveness of current or proposed safeguards
Describe the methods used to assess the nature and level of risk to the GSS or MA
Identify the risk assessment methodology used
Complete the chart in Section 2.1 of the SSP
![Page 48: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/48.jpg)
Sample RA Charts for 2.1
The first two columns are the Risk Assessment; the remaining four are Risk Management.

| Vulnerability | Risk Level | Recommended Safeguard | Residual Risk | Status of Safeguard | Updated Risk |
|---|---|---|---|---|---|
| V1: The ISSO assigned to the DSRDS GSS lacks the technical knowledge specific to this system | HIGH | Ensure the ISSO assigned responsibility to the DSRDS GSS has complete understanding of the system and receives appropriate levels of training | Low | Continuous training for the ISSO will be scheduled as training funds become available | HIGH |
| V2: Backup tapes are not stored off-site | HIGH | Store backup tapes off-site, as well as on-site | Low | 3 cycles of weekly and daily backup tapes are stored off-site | Low |
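The Risk Determination and Safeguard Determination phases, and the "Updated Risk" column of the sample 2.1 chart, as a worked example added here (illustration code, not CMS's and not part of the slides). It encodes the Risk Levels Table from the RA Methodology, computes the Table 1 risk level for each threat/vulnerability pair, selects the moderate and high pairs for Table 5 correlated by item number, and reproduces the chart's point that a recommended safeguard only lowers the risk the SSP carries once it is actually implemented (V1 stays HIGH while training is merely planned; V2 drops to Low because the off-site tapes exist). The threat names, existing controls and likelihood/impact ratings in the register, and the third pair, are constructed for illustration; the chart gives only the vulnerability, risk levels, safeguard and status.

```python
"""Risk Determination and Safeguard Determination per the CMS RA Methodology.
Added worked example (not CMS code). RISK_MATRIX is the Risk Levels Table;
register rows are constructed from the sample 2.1 chart with assumed ratings."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LIKELIHOOD = ["Negligible", "Very Low", "Low", "Medium", "High", "Very High", "Extreme"]
IMPACT = ["Insignificant", "Minor", "Significant", "Damaging", "Serious", "Critical"]
RISK_ORDER = {"Low": 0, "Moderate": 1, "High": 2}

# Risk Levels Table: row = likelihood of occurrence, column = impact severity.
RISK_MATRIX = {
    "Negligible": ["Low", "Low", "Low", "Low", "Low", "Low"],
    "Very Low":   ["Low", "Low", "Low", "Low", "Moderate", "Moderate"],
    "Low":        ["Low", "Low", "Moderate", "Moderate", "High", "High"],
    "Medium":     ["Low", "Low", "Moderate", "High", "High", "High"],
    "High":       ["Low", "Moderate", "High", "High", "High", "High"],
    "Very High":  ["Low", "Moderate", "High", "High", "High", "High"],
    "Extreme":    ["Low", "Moderate", "High", "High", "High", "High"],
}

def risk_level(likelihood: str, impact: str) -> str:
    """Risk Determination step 6: risk level of one threat/vulnerability pair."""
    if likelihood not in RISK_MATRIX or impact not in IMPACT:
        raise ValueError(f"unknown rating {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][IMPACT.index(impact)]

def matrix_is_monotone() -> bool:
    """Transcription check: risk must never drop as likelihood or impact rises."""
    for i, lk in enumerate(LIKELIHOOD):
        for j in range(len(IMPACT)):
            here = RISK_ORDER[RISK_MATRIX[lk][j]]
            left = RISK_ORDER[RISK_MATRIX[lk][j - 1]] if j else 0
            above = RISK_ORDER[RISK_MATRIX[LIKELIHOOD[i - 1]][j]] if i else 0
            if left > here or above > here:
                return False
    return True

@dataclass
class Pair:
    """A Table 1 row plus its Table 5 columns, correlated by item number."""
    item: str
    threat: str
    vulnerability: str
    existing_controls: str
    likelihood: str
    impact: str
    safeguard: Optional[str] = None           # Table 5: Recommended Safeguard
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None
    implemented: bool = False                 # 2.1 chart: Status of Safeguard

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

    @property
    def needs_safeguard(self) -> bool:
        # Safeguard Determination step 1 applies only to moderate/high pairs.
        return self.risk in ("Moderate", "High")

    @property
    def residual_risk(self) -> str:
        # Steps 2-4: risk level with the recommended safeguard in place.
        if self.safeguard is None:
            return self.risk
        r = risk_level(self.residual_likelihood or self.likelihood,
                       self.residual_impact or self.impact)
        if RISK_ORDER[r] > RISK_ORDER[self.risk]:
            raise ValueError(f"item {self.item}: safeguard raises the risk level")
        return r

    @property
    def updated_risk(self) -> str:
        # 2.1 chart "Updated Risk": a planned safeguard does not lower the risk
        # the SSP carries; the original level stands until it is in place.
        return self.residual_risk if self.implemented else self.risk

def table5(register: List[Pair]) -> Dict[str, Tuple[str, str, str]]:
    """Table 5 rows (safeguard, residual risk, updated risk) for pairs that need one."""
    return {p.item: (p.safeguard or "", p.residual_risk, p.updated_risk)
            for p in register if p.needs_safeguard}

# Constructed register: items 1 and 2 follow V1 and V2 of the sample chart
# (threats, controls, ratings assumed); item 3 is a low-risk pair needing no Table 5 row.
REGISTER = [
    Pair("1", "Human error (assumed)", "ISSO assigned to the DSRDS GSS lacks system-specific knowledge",
         "General security training (assumed)", "High", "Damaging",
         safeguard="Ensure the ISSO understands the system and receives appropriate training",
         residual_likelihood="Very Low", residual_impact="Minor", implemented=False),
    Pair("2", "Fire or site loss (assumed)", "Backup tapes are not stored off-site",
         "On-site tape rotation (assumed)", "Low", "Critical",
         safeguard="Store backup tapes off-site as well as on-site",
         residual_likelihood="Low", residual_impact="Minor", implemented=True),
    Pair("3", "Power fluctuation (assumed)", "Test server has no UPS (assumed)",
         "None", "Medium", "Minor"),
]

if __name__ == "__main__":
    print("matrix monotone:", matrix_is_monotone())
    for p in REGISTER:
        print(p.item, p.risk, p.needs_safeguard, p.residual_risk, p.updated_risk)
```

The monotonicity check is there because the matrix is copied by hand from a slide; a single transposed cell would silently route a pair to the wrong phase. The `residual_risk` guard likewise refuses a safeguard whose residual ratings come out worse than the original, which is a data-entry error rather than a real finding.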
![Page 49: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/49.jpg)
49
2.2 Review of Security Controls
Summarize any/all security evaluations conducted within the last 12 months on the system (e.g. SAS-70, GAO, IG, Internal Revenue Service, Self Assessments, CAST, audits). For each review:
Who performed the review
When the review was performed
The findings and actions taken as a result of the review
Where the final report is located and who to contact for review of the final report
![Page 50: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/50.jpg)
50
2.3 Rules of Behavior
Provide a summary of the ROB, reference the policy, and how it can be reviewed
Describe and document the system-specific rules of behavior or “code of conduct” for users of the GSS or MA
Must include the consequences of non-compliance
Must clearly state the exact behavior expected of each person
Include appropriate limits on interconnections to other systems
Cover such matters as work at home, dial-in access, connection to the Internet, and the assignment and limitation of system privileges
![Page 51: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/51.jpg)
51
2.4 Planning for Security in the Life Cycle
Summarize how security is handled by your corporation/business entity for each phase of the life cycle; reference the policy and where it can be found
Phase 1: Pre-Development
Phase 2: Development
Phase 3: Post-Development
![Page 52: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/52.jpg)
52
Section 2
Questions?
![Page 53: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/53.jpg)
53
3.0 Operational Controls
Operational controls are the day-to-day procedures and mechanisms
3.1 Personnel Security
3.2 Physical and Environmental Protection
3.3 Production, I/O Controls
3.4 Incident Response Capability
3.5 Contingency Planning
3.6 Hardware, Operating Systems and System Software Maintenance Controls
![Page 54: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/54.jpg)
54
3.0 Operational Controls - con’t
3.7 Data Integrity/Validation Controls
3.8 Documentation
3.9 Security Awareness and Training
![Page 55: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/55.jpg)
55
3.1 Personnel Security
Provide a detailed summary of the personnel security requirements of your corporation/business entity; reference policy/procedures, the responsible component, and how it can be reviewed
IT-related positions require evaluation, sensitivity level designations, and screening
Mechanisms in place for holding users accountable for their actions (individual accountability)
User access restrictions (least privilege)
Are critical functions divided among different individuals (separation of duties)?
![Page 56: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/56.jpg)
56
3.2 Physical & Environmental Protection
Provide a detailed summary of physical and environmental protections; reference policy/procedures, the responsible component, and how it can be reviewed
Describe and document the physical security and environmental controls
List attributes of the physical protection afforded the area where processing of the MA system takes place:
Access controls
Fire safety factors
Water sensors
Plumbing
Raised floor access
Emergency exits
![Page 57: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/57.jpg)
57
3.3 Production, I/O Controls
Summarize hardcopy and media controls in place; reference policy/procedures, the responsible component, and how it can be reviewed
Handling, processing, storage, and disposal of media
System-unique production rules, if any
Describe Help-Desk support, if any is provided
![Page 58: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/58.jpg)
58
3.4 Incident Response
Summarize the following information; reference the policy and how it can be reviewed
Detail the preventive measures in place (automated intrusion detection tools, automated audit logs, penetration testing)
Describe the procedures for recognizing, handling, and reporting incidents
Document who responds to alerts/advisories
Describe and document the formal incident response capability and the capability to provide users with help when an incident occurs
Applies to GSS system security plans only; for MAs, refer to the GSS
![Page 59: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/59.jpg)
59
3.5 Contingency Planning
Provide a detailed summary of the contingency plan; reference the policy and how it can be reviewed
Discuss the arrangements and planned safeguards to ensure the alternate processing site will provide an adequate level of security
Describe any documented backup procedures
Describe the coverage of backup procedures and the physical location of stored backups
Describe the generations of backups kept
![Page 60: 1 System Security Plan (SSP) Training Conducted by Centers for Medicare & Medicaid Services November 4 - 7, 2002.](https://reader035.fdocuments.in/reader035/viewer/2022062511/5517fee2550346d5568b50e5/html5/thumbnails/60.jpg)
60
3.6 Hardware, Operating System, and System Software Maintenance Controls
Summarize the security controls used to monitor the installation of and updates to hardware, operating system software, and other system software, to ensure that the hardware and software function as expected and that a historical record is maintained of system changes
3.6.1 Configuration Management (GSS)
3.6.2 Software Management (GSS)
3.6.3 Application Software Management Controls (MA)
61
3.6.1 Configuration Management
Summarize Configuration Management Procedures, reference policy and how it can be reviewed
Testing and/or approving system components prior to production
Impact analyses to determine the effect of proposed changes
Change identification, approval, and documentation procedures
Applies to GSS system security plans only; for MAs refer to the GSS
62
3.6.2 Software Management (Environmental Software)
Summarize software management, reference policy and how it can be reviewed
Coordinate and control updates to environment software
Monitor installation and updates
Version control
Describe and document the policies for handling copyrighted software or shareware
Applies to GSS system security plans only; for MAs refer to the GSS
63
3.6.3 Application Software Management Controls
Summarize Application Software Management Controls, reference policy and how it can be reviewed
Describe the application software controls
Version control
Describe the security controls used to monitor the installation and updates of the application software
Describe (or summarize and reference procedures):
If the application software is developed in-house or under contract
Who owns the software
How emergency fixes are handled
If test data is “live” data or made-up
Applies to MA security plans only
64
3.7 Data Integrity/Validation Controls
Summarize controls in place to prevent/detect destruction or unauthorized data modification, reference policy and how it can be reviewed
Virus detection and elimination software procedures
Reconciliation routines used by the system
Integrity verification programs used by the application to look for evidence of data tampering, errors, and omissions
System performance monitoring
Message authentication
65
3.8 Documentation
Describe the set of formal materials which support the operation of the GSS or MA, its components, operations, and use
List the existing documentation maintained, including the title, date, and office responsible for maintaining the documentation
66
3.8 Documentation (con’t)
Hardware and software descriptions
Standard operating procedures
Application requirements
Application program documentation and specs
Security policies, standards, procedures, and approvals
Emergency procedures
MOU/MOAs
User manuals
Backup procedures
67
3.9 Security Awareness and Training
List the types and frequency of system-specific security training established, how the training is conducted, how attendance is documented, and how the system owner ensures that it is conducted prior to allowing access
68
Section 3
Questions?
69
4.0 Technical Controls
Technical and logical controls in place to authorize or restrict users and information. For MAs, describe additional enhancements or modifications of the controls beyond the GSS
4.1 Identification and Authentication
4.2 Authorization & Access Controls
4.3 Remote Users & Dial Up Controls
4.4 Wide Area Network (WAN) Controls
4.5 Public Access Controls
4.6 Test Scripts/Results
4.7 Audit Trails
70
4.1 Identification & Authentication Controls
Provide a detailed summary of the Identification and Authentication controls in place, reference policy and how it can be reviewed
Unique identification, e.g., UserId
Unique authentication, e.g., password
Maintenance of UserId and password
Length of password and frequency of password changes
For GSS, state name of software used to control all aspects of UserID and password
If used, describe biometrics or token controls
71
4.2 Authorization & Access Controls
Provide a detailed summary of procedures, hardware, and/or software used to control access to resources, reference policy and how it can be reviewed
Role based access
Separation of duties
Usage of Access Control Lists (ACLs)
Security software and restricting access
How access is restricted between systems
Controls for detecting unauthorized access
Inactive user activity and automated disconnection
System access outside normal working hours
72
4.2 Authorization & Access Controls (con’t)
How the access control mechanism supports individual accountability and audit trails
State the number of invalid access attempts that may occur and the actions taken when that limit is exceeded
If cryptography is used, provide a detailed summary of methodology and key management procedures
Provide sample system-specific warning banner
73
4.3 Remote Users & Dial-up Controls
Provide a detailed summary of remote users and dial-up controls, reference policy and how it can be reviewed
Describe the type of remote access (dial, Internet) permitted
Functions that may or may not be authorized for remote use, i.e., differences from internal access permissions
74
4.4 Wide Area Networks (WAN) Controls
Provide a detailed summary of the wide area network controls
Protection against unauthorized system penetration, Internet threats & vulnerabilities
Types of network connections, e.g., Internet
Describe additional hardware or technical controls to provide protection, e.g., firewalls, proxy servers
Network diagram can be included
75
4.5 Public Access Controls
Provide a detailed summary of when or if public access is authorized, reference policy/procedures, the responsible component and how it can be reviewed
Access controls used to secure the system
Controls to prevent public users, if access is authorized, from modifying information on the system
Legal considerations to allowing access to the information
Describe rationale for the use or non-use of warning banners and provide an example of the banners used for this system
If no public access, state “system does not allow public access”
76
4.6 Test Scripts/Results
Summarize the findings of all tests/results
Describe the test scripts and results that were used to test the effectiveness of the security controls
Include title, date, and office responsible for maintaining the test scripts/results
77
4.7 Audit Trails
Provide a detailed summary of existing audit trails
Document the auditing mechanisms
Describe what is recorded, who reviews, how often they are reviewed, and what procedures are employed for corrective actions as a result of a finding
Describe when audit trails are employed, e.g., on a given cycle, continuously, when an incident occurs, etc.
Describe audit trail archive procedures including how long they are kept, where stored, and what media type
78
5.0 Appendices & Attachments
Appendix A – Equipment List (Primarily for GSS)
Appendix B – Software List
Attachments
Risk Assessment (Required)
79
Section 4 & 5
Questions?