NIST Special Publication 800-53 provides guidelines for organizations in the process of system audits to discover security and system needs. The guidelines are formalized and documented to facilitate the implementation of accountability and audit policies.
This paper documents the risk assessment procedures of the Maryland Department of Information Technology, otherwise known as DoIT. DoIT is an essential department that provides technical assistance, advice, and recommendations on information technology to the Executive Branch agencies and Government entities.
An audit conducted between 2005 and 2009 revealed that DoIT resources are susceptible to threats. Security controls in place, such as firewalls, did not adequately secure the DoIT, DBM, Governor’s Office, and networkMaryland networks. Likewise, firewalls were not configured adequately to secure the system. The same applies to the networkMaryland management systems' local area network in Baltimore, which exposes network servers and critical resources to vulnerabilities.
This situation calls for technical, operational, and management controls. Information security requirements are based on those of the National Institute of Standards and Technology.
Management controls applicable to Maryland DoIT include:
- Certification, Accreditation, and Security Assessment
- Risk Assessment
- Systems and Service Acquisition
Given the current state of computer security, a vulnerability assessment (VA) is required to ascertain the state of the system. A VA determines the security situation in a system and gives recommendations. This process can be done through penetration testing and vulnerability scanning. Penetration testing takes care of the network ports that are susceptible to attacks. Vulnerability scanning, on the other hand, is directed at the susceptible hosts and applications, therefore protecting the system.
Operational controls applicable in this case include any of the following:
- Awareness and training
- Contingency planning
- Incident response
- Physical and Environmental
Disaster recovery mechanisms are the mechanisms and procedures that an organization uses to restore the complete functioning of the technical environment, including the software and tools that support production applications, to its previous state. In the case of a data center disaster, critical workloads need to be restored at the disaster recovery sites with minimum disruption of services, to guarantee data integrity, availability, and confidentiality.
Technical controls may include one or more of the following:
- Access control
- Identification and Authentication
- Audit and Accountability
Access control involves the operational and technical measures taken by organizations to control access to information. This is possible through network segregation, which grants third parties network privileges according to their needs. Access rights are issued to users according to the privileges held by the individual.
Access family controls
Remote Diagnostic Port Protection
Modems attached to Maryland systems are protected from unauthorized use by disconnecting diagnostic ports that are not in use. Third-party users must be authenticated before accessing devices through remote ports.
A risk assessment based on the cost and the impact of routing and gateway technology is performed to grant third parties the controls necessary to access networks.
New networks that are developed and tested are segregated from the rest of the Maryland internal network through firewalls to eliminate the effects of malfunctioning software.
Confidential information should be segregated and assigned different servers.
Wireless network policy
Wireless networks at the government entities should be restricted to lock out intruders and third parties.
Computers connected via wireless technology should be restricted to Maryland’s public utility resources such as libraries.
Disaster recovery family of controls
Potential disaster scenarios include fire breakouts, cyber attacks, blackouts, and system breakdowns. Currently, the controls are implemented to safeguard against adverse damage resulting from disasters. In case of a fire tragedy, an emergency operation centre is immediately set up and manned on a 24-hour shift to ensure continued operation. Personnel are evacuated from the site as soon as possible.
An incident command system (ICS) was set up to provide an integrated response. The ICS comprised personnel from security, health, intelligence, communication, logistics, and public relations.
An important consideration in the recovery process is the recovery time objective (RTO). The RTO is the time period within which the business is expected to be back to its normal operation. The team should determine the RTO with respect to particular scenarios.
Vulnerability assessment family of controls
Vulnerability assessment is always carried out at the deployment stages to determine the state of security. The VA conducted at the State of Maryland DoIT involves the following family of controls.
- Component Analysis probes the software components of the whole system
- Privilege Analysis identifies the trust and access issues in the Maryland system
- Architectural analysis probes the contents of the system
- Resource Analysis looks at the resources the system utilizes
Compliance with the Federal Information Security Management Act (FISMA) is critical in order to ensure interoperability and clearance to connect to or use federal information technology architecture. FISMA clearly sets out comprehensive frameworks to ensure the protection of government information, assets, and operations against manmade and natural threats, with massive implications for private enterprises. The National Institute of Standards and Technology Act, established under Title 15, Chapter 7, forms a critical part of both FISMA and information security regulations. NIST is mandated to develop standards, guidelines, and related methods to ensure that information systems run by federal agencies, their contractors, and other enterprises are secure, thus mitigating national security risks.
In addition, NIST SP 800-53 provides the much-needed agency-level risk evaluation, assessment, and vulnerability scanning. These procedures ensure efficient management of security and proper mitigation of impending threats as a result of exposure. The controls provide the procedures and policies that guide the implementation of the highlighted security controls and enhancements in compliance with the federal laws (NIST, 2013).