The Security and Compliance Plan for Maxistar Medical Supplies Company
Abdulrahman H. Alamri
Compliance and Legal Issues, Spring 2016

Posted on 20-Feb-2017



Table of Contents

Summary
Known Risks
    Change control process
    Access controls
    Flat network architecture
    The company has one data center in Puerto Rico
    No encryption of the data in the database
Implementing Risk Management Framework
The New Security and Compliance Programs
References

Table of Figures

Figure 1: The three tiers of the NIST risk management approach
Figure 2: The Risk Management Framework (RMF) as a security life cycle



Summary

Maxistar handles sensitive customer data, such as credit card numbers and patient information, which raises the risk that the company's security professionals must manage. The last assessment uncovered several problems that IT needs to fix as soon as possible, for two reasons. First, Maxistar is a well-known company in the medical industry and needs to be secure to keep its customers' trust. Second, the company must comply with the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and NIST SP 800-53. In this document we identify the known risks and organize the material as follows:

List of Known Risks.

Implementation of a Risk Management Framework.

Overview of the new IT Security and Compliance Strategy.



Known Risks

Change control process:

It is important to set a clear change control process, because change and security are closely related: unplanned changes to a system introduce security threats. The application development group should have clear plans and processes, approved by a committee drawn from risk management, Security and Compliance, and the development team. Every change request should answer at least the basic questions "who, what, when, why and how".

Access controls:

One of the major security threats is the lack of a strong access control method. Security analysts report that about 80 percent of all malicious activity comes from current or former employees (Hirschhorn, 2007). No employee should hold more privileges than his or her job requires. We suggest that Maxistar implement established access control methods and processes such as access control lists (ACLs) and separation of duties (SOD), and that the privileges actually granted in each system are checked against the employee's job role, not only set once at hiring.

Flat network architecture:

Keeping the network as simple as possible is convenient for the network director, since it makes the network easier to manage and monitor. On the other hand, it is a security issue: Maxistar has only one firewall between the company's network and the internet, so every internal host, including the servers that hold patient and cardholder data, sits on the same segment as any compromised workstation. We need a secondary firewall to create a DMZ. That will increase the security of the network and reduce the threat of unwanted access and traffic inside the network.

The company has one data center in Puerto Rico:

A single consolidated data center is a high risk for the company. Even though Maxistar saves some money by consolidating, it would lose far more if anything happened to that one site. The acceptable solution is either to build more than one data center, geographically separated, or to operate some functions virtually off-site.

No encryption of the data in the database:

The lack of data encryption is a dangerous problem that needs to be fixed as soon as possible. A company like Maxistar that handles health and credit card information should encrypt the sensitive data in its databases ("data at rest"). Protecting stored cardholder data is one of the core PCI DSS requirements (Requirement 3); doing so protects the data and also helps the company legally if a cybercrime occurs. Encryption at rest only delivers that protection if the keys are managed separately from the database: a key stored on the same server, or in the same backup, as the ciphertext gives anyone who takes the database everything needed to read it.
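The following is an added example, not part of the original plan and not Maxistar's code, of what "encrypt the sensitive data at rest" looks like when done in the application rather than by relying on disk encryption alone: each sensitive column (card number, diagnosis) is sealed with AES-256-GCM before it is written, and the record ID and column name are bound as associated data so a ciphertext cannot be copied into another row or column. The key, the record, the column names and the card number (the standard 4111... test number) are all constructed for the example; in production the key would come from a KMS or HSM, never from the database host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// FieldCipher encrypts individual sensitive columns (card numbers, patient
// fields) in the application before they are written to the database, so the
// database and its backups only ever hold ciphertext.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher wraps a 256-bit key in AES-GCM. The key must come from a key
// management service or HSM, never from the same database or server image.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("field cipher needs a 256-bit key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad binds a ciphertext to one row and column: copying an encrypted value
// into another record (or another column) makes authentication fail.
func aad(recordID, column string) []byte {
	return []byte(recordID + "|" + column)
}

// Seal encrypts plaintext for the given row/column and returns
// base64(nonce || ciphertext || tag), suitable for a text column.
func (fc *FieldCipher) Seal(recordID, column string, plaintext []byte) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := fc.aead.Seal(nonce, nonce, plaintext, aad(recordID, column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open decrypts a value stored by Seal; tampering, a wrong key, or a wrong
// row/column returns an error instead of garbage.
func (fc *FieldCipher) Open(recordID, column, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := fc.aead.NonceSize()
	if len(raw) < ns+fc.aead.Overhead() {
		return nil, errors.New("stored value too short to be a sealed field")
	}
	return fc.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, column))
}

// DemoKey is a constructed key for this example only (derived from a fixed
// string so the example is reproducible); a production key is random and
// lives in a KMS/HSM.
var DemoKey = sha256.Sum256([]byte("maxistar-example-key-not-for-production"))

// Row stands in for one database record: column name -> stored value.
type Row map[string]string

func main() {
	fc, err := NewFieldCipher(DemoKey[:])
	if err != nil {
		panic(err)
	}
	// Constructed sample record; 4111... is the standard Visa test number.
	id := "pat-1001"
	row := Row{"name": "Jane Doe"}
	for col, val := range map[string]string{"card_pan": "4111111111111111", "diagnosis": "type 2 diabetes"} {
		sealed, err := fc.Seal(id, col, []byte(val))
		if err != nil {
			panic(err)
		}
		row[col] = sealed
	}
	fmt.Printf("stored row: %v\n", row) // ciphertext only

	pan, err := fc.Open(id, "card_pan", row["card_pan"])
	fmt.Printf("decrypted in application: %s (err=%v)\n", pan, err)

	// The same ciphertext presented as another patient's record is rejected.
	_, err = fc.Open("pat-1002", "card_pan", row["card_pan"])
	fmt.Printf("ciphertext moved to another row: err=%v\n", err)
}
```

Because the database only stores the sealed values, a dump of the table or of a backup tape yields no card numbers, and a database account that can read the column still cannot decrypt it without the application's key. The cost is that sealed columns cannot be searched or indexed on their plaintext; fields that must be looked up (a last-four-digits column, for instance) are stored separately and deliberately kept non-sensitive.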



Implementing Risk Management Framework

Cyber threats are always changing, so any company that wants to be well positioned against them needs a risk management framework. The framework helps the business define its risks first. For Maxistar, a risk management framework would combine the IT security programs with the risk management programs to meet the company's goals. We have chosen the NIST framework (2014), which is easy to use and efficient for implementing Maxistar's new programs. The framework addresses risk at three levels, as shown below:

[Figure 1: the three tiers of the NIST risk management approach: organization, mission/business process and information system]

As Figure 1 shows, the approach addresses risk at (i) the organization level, (ii) the mission/business process level and (iii) the information system level. Risk management proceeds through the three tiers, with inter-tier and intra-tier communication and a feedback loop to improve it over time. (i) The organization level provides a prioritization of organizational missions/business functions. (ii) The mission/business process level defines the mission/business processes needed to support the organizational missions/business functions. (iii) The information system level incorporates information security requirements into the mission/business processes. As IT professionals, our concern at this point is Tier 3, the information system level. At this level we will use the Risk Management Framework (RMF) as a "security life cycle", as shown below:

[Figure 2: the Risk Management Framework (RMF) as a security life cycle]

Continuous feedback is essential to keep assessing and managing risks, and that is what we are going to implement at Maxistar to enhance our security and compliance programs.



The New Security and Compliance Programs

Phase 1 (Need: immediately)

This phase has Maxistar's IT group immediately implement access controls for software and hardware systems based on employee job roles.

Steps:
1.) Implement access control that limits the use of equipment, software and systems to employees on a "least privilege" basis.
2.) Human Resources must send the IT group a monthly update of employee roles and status (hires, transfers, terminations) so that privileges are adjusted accordingly.
3.) Review the access controls at least quarterly to find and remove unwanted access.
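The quarterly review in step 3, and the ACL/SOD controls called for under "Access controls" in the Known Risks, both come down to the same reconciliation: compare what HR says each person is against what the systems actually grant. The following is an added example of that check, not code from the original plan or from Maxistar; the role-to-privilege baseline, the separation-of-duties pairs, the HR roster and the grant list are all constructed for the example, and a real run would read the HR feed and each system's account export instead.

```go
package main

import (
	"fmt"
	"sort"
)

// Employee is one line of the monthly HR feed.
type Employee struct {
	ID     string
	Role   string
	Active bool // false once HR records a termination
}

// Grant is one privilege assignment pulled from a system's account list.
type Grant struct {
	UserID string
	Priv   string
}

// Finding is one item for the quarterly review report.
type Finding struct {
	UserID string
	Kind   string // "orphan", "excess" or "sod"
	Detail string
}

// RolePrivs is the least-privilege baseline: the only privileges each job
// role is allowed to hold. (Constructed for the example.)
var RolePrivs = map[string]map[string]bool{
	"billing_clerk": {"billing_read": true, "billing_write": true},
	"pharmacist":    {"patient_read": true, "rx_write": true},
	"dba":           {"db_admin": true},
}

// SODPairs lists privilege pairs no single person may hold together.
var SODPairs = [][2]string{
	{"billing_write", "billing_approve"},
	{"change_request", "change_approve"},
}

// ReviewAccess reconciles the HR roster against live grants and returns
// orphaned accounts, privileges outside the role baseline, and SOD conflicts.
func ReviewAccess(roster []Employee, grants []Grant) []Finding {
	byID := make(map[string]Employee, len(roster))
	for _, e := range roster {
		byID[e.ID] = e
	}
	held := map[string]map[string]bool{}
	orphanSeen := map[string]bool{}
	var out []Finding
	for _, g := range grants {
		if held[g.UserID] == nil {
			held[g.UserID] = map[string]bool{}
		}
		held[g.UserID][g.Priv] = true
		e, ok := byID[g.UserID]
		if !ok || !e.Active {
			// Terminated or unknown person still holding access: report once per account.
			if !orphanSeen[g.UserID] {
				orphanSeen[g.UserID] = true
				out = append(out, Finding{g.UserID, "orphan", "active account with no active HR record"})
			}
			continue
		}
		if !RolePrivs[e.Role][g.Priv] {
			out = append(out, Finding{g.UserID, "excess", fmt.Sprintf("%s is not in the baseline for role %s", g.Priv, e.Role)})
		}
	}
	for uid, privs := range held {
		for _, p := range SODPairs {
			if privs[p[0]] && privs[p[1]] {
				out = append(out, Finding{uid, "sod", fmt.Sprintf("holds both %s and %s", p[0], p[1])})
			}
		}
	}
	// Deterministic order so two runs of the review diff cleanly.
	sort.Slice(out, func(i, j int) bool {
		if out[i].UserID != out[j].UserID {
			return out[i].UserID < out[j].UserID
		}
		if out[i].Kind != out[j].Kind {
			return out[i].Kind < out[j].Kind
		}
		return out[i].Detail < out[j].Detail
	})
	return out
}

// Constructed sample feeds, not Maxistar's real data.
var SampleRoster = []Employee{
	{"alice", "billing_clerk", true},
	{"bob", "pharmacist", true},
	{"carol", "dba", false}, // terminated last month
}

var SampleGrants = []Grant{
	{"alice", "billing_read"}, {"alice", "billing_write"}, {"alice", "billing_approve"},
	{"bob", "patient_read"}, {"bob", "db_admin"},
	{"carol", "db_admin"},
	{"dave", "change_request"}, // no HR record at all
}

func main() {
	for _, f := range ReviewAccess(SampleRoster, SampleGrants) {
		fmt.Printf("%-7s %-6s %s\n", f.Kind, f.UserID, f.Detail)
	}
}
```

On the sample data the report lists alice's billing_approve as outside her role and as an SOD conflict with billing_write, bob's db_admin as excess for a pharmacist, and carol and dave as orphaned accounts. Each finding maps to an action in the plan: orphans are disabled, excess privileges are removed or justified by an approved exception, and SOD conflicts are resolved by moving one of the two privileges to another person.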

Phase 2 (Need: immediately)

This phase has Maxistar's IT group immediately set clear change control processes and policies.

Steps:
1.) Create a team of at least four people to manage the change control processes and policies.
2.) Set up monthly meetings to review and approve proposed changes.
3.) The team is responsible for setting up an emergency change plan.

Phase 3 (Need: Eventual)

This phase has Maxistar's network team overhaul the network architecture, segmenting it and adding a secondary firewall.

Steps:
1.) Implement a secondary firewall and a separate DMZ.
2.) Move the web and email servers into the zone between the two firewalls, creating a demilitarized zone for internet-facing traffic.
3.) Implement a testing infrastructure that shares access controls and a baseline with the production infrastructure.

Phase 4 (Need: Eventual)

This phase has Maxistar's IT group establish encryption and database security controls on its databases. The security and compliance team must run penetration tests and vulnerability scans.

Steps:
1.) Encrypt all databases (data at rest) that hold sensitive customer information, as the first priority of this phase.
2.) Run different types of tests and scans to find the vulnerabilities that remain in the system.
3.) Report any vulnerabilities or weaknesses found to management so that decisions can be made based on the results.


Overview:


The plan above focuses mainly on the implementation of the new security group. The group uses the NIST risk management framework to do this job, based on NIST SP 800-53, PCI DSS and HIPAA. In order to be compliant with NIST 800-53, PCI DSS and HIPAA, we have chosen the following five control objectives (as required) using the "Common Authorities on Information Assurance" (CAIA) spreadsheet, from which we selected the elements common to NIST 800-53, PCI DSS and HIPAA. The table below shows the five objectives that Maxistar needs to meet on its journey to compliance:

ASSESSMENT OBJECTIVE: Restrict access to privileged user IDs to the least privileges necessary to perform job responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Verify that access to privileged user IDs is assigned only to roles that specifically require such privileged access, and restricted to the least privileges necessary to perform job responsibilities.]
Interview: [SELECT FROM: Interview personnel responsible for assigning access.]

Compliance Elements:
NIST 800-53: AC-6(4).1
PCI DSS: 7.1.1
HIPAA: 164.308(a)(3)(i), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.312(a)(1)



ASSESSMENT OBJECTIVE: (i) Use IDS/IPS to detect and/or prevent intrusions into the network. (ii) Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. (iii) Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: (i) System configurations and network diagrams, to make sure that IDS/IPS are in place to monitor all traffic at the perimeter of the cardholder data environment and at critical points within it; and (ii) vendor documentation, to verify that IDS/IPS techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection.]
Interview: [SELECT FROM: Responsible personnel, to confirm that the IDS/IPS techniques alert personnel of suspected compromises.]

Compliance Elements:
NIST 800-53: AC-2, AC-13, AU-2, AU-6
PCI DSS: 11.4
HIPAA: 164.308(a)(5)(ii)(C)

ASSESSMENT OBJECTIVE: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Review the security awareness program to verify that it makes all personnel aware of the importance of cardholder data security.]
Interview: [SELECT FROM: Randomly selected personnel in the organization, to verify that they are aware of the importance of cardholder data security.]

Compliance Elements:
NIST 800-53: AT-1
PCI DSS: 12.6
HIPAA: 164.308(a)(5)(i), 164.308(a)(5)(ii)(A)



ASSESSMENT OBJECTIVE: The organization establishes an alternate storage site, including the necessary agreements, to permit the storage and recovery of information system backup information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Verify that the organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards; that it configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives; and that it identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.]

Compliance Elements:
NIST 800-53: CP-6
HIPAA: 164.310(a)(2)(i)

ASSESSMENT OBJECTIVE: Verify that security alerts and information are monitored, analyzed and distributed to appropriate personnel.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Verify that responsibility for monitoring and analyzing security alerts, and for distributing information to the appropriate information security and business unit management personnel, is formally assigned.]

Compliance Elements:
NIST 800-53: IR-2, IR-6, IR-7
PCI DSS: 12.5.2
HIPAA: 164.308(a)(6)(ii), 318.3(a) (new), 318.5(a) (new)



References

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST SP 800-66 Rev. 1). (2008, October). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

Assessing Security and Privacy Controls in Federal Information Systems and Organizations (NIST SP 800-53A Rev. 4). (2014, December 4). Retrieved March 11, 2016, from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 3.0. (2013, November). Retrieved from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
