The Department of Veterans Affairs (V.A.) has implemented an Information Security Policy for all of its major and minor information systems. The V.A. team prepared this Security Assessment Summary Report in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-53A Rev 1, Risk Management Guide for Information Technology Systems. The purpose of this document is to explain security categorizations that are in place as well as explain management, technical and operational controls that are in use to protect the confidentiality, integrity, and availability of the system, as documented in the System Security Plan.
NIST Special Publication 800-53A Rev 1 states that “security categorization serves as the starting point for the selection of security controls for an agency’s information system controls that are commensurate with the importance of the information and information system to the agency” (NIST 800-53 rev 1, 2010).
The Federal Information Processing Standard Publication 199 (FIPS 199) is a United States Federal Government standard that establishes security categories of information systems used by the Federal Government, one component of risk assessment. This document requires Federal agencies to assess their information systems in each of the categories of confidentiality, integrity, and availability. According to Publication 200, “FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability” (FIPS 200, 2006).
The security categories are based on the potential impact on the V.A. in case certain events occur which jeopardize the information and information systems needed by the V.A. to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.
The authoritative framework published as part of ISO 27001 and 27002 lists numerous controls, many of which are relevant to enterprises looking to manage information security risks. NIST Special Publication 800-53 Revision 3 states that “Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information” (NIST 800-53 rev 3, pg. 9, 2009). Controls also include the safeguards or countermeasures used to avoid, counteract, or minimize security risks relating to personal property or computer software. By utilizing these controls the V.A. is able to project security risks and put security protocols in place. The following security controls are in place at the V.A. and are analyzed below.
Management Controls. Management controls are the security controls for an information system that focus on the management of risk and the management of information system security.
Operational Controls. Operational controls are concerned with security topics and are managed by people rather than by systems.
Technical Controls. Technical controls consist of hardware and software controls used to provide automated protection to the system or applications. Technical controls operate within the technical system and applications. By utilizing these controls the V.A. will be able to determine the risk(s) to its network system and ensure that the confidentiality, integrity, and availability of its systems are addressed. The V.A. System Security Plan has implemented the following security controls, which are analyzed below.
The system managers and information system management, in close coordination with the ISO, are responsible for ensuring that SSPs (System Security Plans) are developed, reviewed annually, and maintained for each system within their area of responsibility.
Plan of Action and Milestones
The Department continues to face significant challenges in complying with the requirements of FISMA due to the nature and maturity of its information security program, including its Plan of Action and Milestones process. The V.A. must successfully remediate the high-risk system security issues tracked in its Plans of Action and Milestones and use that process to improve the V.A.’s information security posture.
Establishing effective processes for evaluating information security controls via continuous monitoring and vulnerability assessments needs to be addressed by the V.A. FISMA audits continued to identify significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems.
Configuration Management Policy
Weaknesses in access and configuration management controls resulted from VA not fully implementing security control standards on all servers and network devices. VA also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, database and server platforms, and Web applications VA-wide.
Although improvements to the baseline configuration were noted, the VA has not fully developed and implemented components of its agency-wide information security risk management program to meet FISMA requirements.
Security Impact Analysis
VA has not ensured that its information security controls are effectively monitored on an ongoing basis to include documenting significant changes to the system, conducting security impact analyses for system changes, and reporting system changes to designated organizational officials.
Technical Controls: The Government Accountability Office (GAO) states that, “Technical security standards should provide consistent implementing guidance for each computing environment. Because security policies are the primary mechanism by which management communicates its views and requirements, it is important to develop and document them” (GAO, 2007).
Access Control Policy and Procedure
According to the last audit conducted on the V.A., its operating divisions have not fully implemented elements related to (1) risk assessments, (2) policies and procedures, (3) security plans, (4) security awareness and training, (5) tests and evaluations of control effectiveness, (6) remedial actions, (7) incident handling, and (8) continuity of operations. However, the V.A. system security policy does recognize the roles and responsibilities of all individuals.
Organizations accomplish the access control objective by designing and implementing electronic controls that are intended to prevent, limit, and detect unauthorized access to computing resources, programs, and information.
Organizations secure their networks, in part, by installing and configuring network devices that permit authorized network service requests, deny unauthorized requests, and limit the services that are available on the network. The department had not yet fully implemented its information
The department did not consistently configure network services and devices securely to prevent unauthorized access to, and ensure the integrity of, computer systems operating on its networks.
Unsuccessful Login Attempts
The V.A. network did not adequately control user accounts and passwords to ensure that only authorized individuals were granted access to its systems. Passwords for key VA network domains and financial applications were not consistently configured to comply with agency policy.
The department did not effectively implement physical controls. These weaknesses in physical security increase the risk that unauthorized individuals could gain access to sensitive computing resources and data and inadvertently or deliberately misuse or destroy them.
The V.A. did not always sufficiently segregate computer functions. For example, some software developers had full access to both development and production software libraries. Testing of contingency plans for financial management systems at selected facilities was not routinely performed and documented to meet the requirements of VA policy.
VA’s progress in fully implementing the information security program required under FISMA and following the policies issued by OMB has been mixed. For example, from 2006 to 2009, the department reported a dramatic increase in the percentage of systems for which contingency plans were tested in accordance with OMB policy. The department continues to face challenges in resolving long-standing weaknesses in its information security controls and in fully implementing the information security program required under FISMA.
Security Training Records
Personnel are provided training in their incident response roles and will receive refresher training annually. The incident response capability is tested at least annually using tests and exercises to determine the incident response effectiveness. The testing is also documented.
Audit and Accountability Policy and Procedure
Each Operating Unit regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.
The Operating Unit of the V.A. employs automated mechanisms, when applicable, to integrate audit monitoring, analysis, and reporting into an overall process for investigation of and response to suspicious activities. Each Operating Unit also periodically reviews changes to access authorizations.
Content of Audit Records
System Auditing: System audit logs must record sufficient information to establish what events occurred, the sources, and outcomes of the events. Additional details such as type, location, and subject are also required for moderate and high risk systems. Audit logs will be maintained
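The following added example (not part of the V.A. policy or the report above) works through two of the requirements described on this page: the FIPS 199 categorization of a system from the information types it processes, with the overall level taken as the FIPS 200 high-water mark, and the minimum audit-record content stated in the System Auditing paragraph, which grows for moderate- and high-impact systems. The information types, field names and the log record are constructed sample data.

```python
"""FIPS 199 categorization plus an audit-record content check (illustrative, not V.A. code)."""

IMPACT_LEVELS = ("low", "moderate", "high")          # ordered low -> high, per FIPS 199
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(information_types):
    """FIPS 199: a system's impact for each objective is the highest impact
    assigned to that objective by any information type the system processes."""
    category = {obj: "low" for obj in OBJECTIVES}
    for name, impacts in information_types.items():
        for obj in OBJECTIVES:
            level = impacts[obj]
            if level not in IMPACT_LEVELS:
                raise ValueError(f"{name}: bad impact {level!r} for {obj}")
            if IMPACT_LEVELS.index(level) > IMPACT_LEVELS.index(category[obj]):
                category[obj] = level
    return category


def overall_impact(category):
    """FIPS 200 high-water mark: the overall system level is the highest of the three."""
    return max(category.values(), key=IMPACT_LEVELS.index)


# Audit-record content from the policy text: every system records what happened,
# its source and its outcome; moderate and high systems also need type, location, subject.
BASE_FIELDS = {"event", "source", "outcome"}
EXTRA_FIELDS = {"type", "location", "subject"}


def required_audit_fields(level):
    """Field names an audit record must carry for a system at the given impact level."""
    return BASE_FIELDS | (EXTRA_FIELDS if level in ("moderate", "high") else set())


def missing_audit_fields(record, level):
    """Return (sorted) required fields that are absent or empty in an audit record."""
    return sorted(f for f in required_audit_fields(level) if not record.get(f))


# Constructed sample: a hypothetical system handling two information types.
SAMPLE_TYPES = {
    "benefits_claims": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "public_web_content": {"confidentiality": "low", "integrity": "moderate", "availability": "low"},
}
# Constructed audit record: "location" is empty and "subject" is absent.
SAMPLE_RECORD = {"event": "login_failure", "source": "10.0.0.5", "outcome": "denied",
                 "type": "authentication", "location": ""}

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_TYPES)
    level = overall_impact(cat)
    print(f"security category = {cat}; overall impact = {level}")
    print("missing audit fields:", missing_audit_fields(SAMPLE_RECORD, level))
```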
In summary, this policy is aligned with the standards of NIST to achieve the highest possible levels of measurement quality and productivity. This policy includes security categorizations and lists three security controls: Management, Operational, and Technical. It describes how the V.A. implemented the controls. The V.A.’s Cyber Security Policies support real-time decision-making for information system cyber security and will improve efficiency and the confidentiality, integrity, and availability of all security measures.
Guide for Assessing the Security Controls in Federal Information Systems and Technology 800-53A Rev 1. (2010, January). In National Institute of Standards and Technology. Retrieved September 27, 2013.
Minimum Security Requirements for Federal Information and Information Systems. (2006, March). In Federal Information Processing Standards Publication (FIPS 200). Retrieved September 27, 2013, from http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
Recommended Security Controls for Federal Information Systems and Organizations. (n.d.). In NIST Special Publication 800-53 Revision 3. Retrieved August 29, 2009, from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Standards for Security Categorization of. (2004, February). In FIPS PUB 199. Retrieved September 25, 2013, from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf