IT Security Plan Governance and Risk Management Processes Address Cybersecurity Risks ID.GV-4

Transcription

1 IT Security Plan Governance and Risk Management Processes Audience: NDCBF Staff Implementation Date: January 2018 Last Reviewed/Updated: January 2018 Contact: Overview... 2 Applicable Controls and Compliance... 2 NIST SP R HIPAA/Texas HB PCI DSS SAQ A/B-IP... 6 NDCBF Implementation... 6 Risk Management Model... 8 Risk Rating/Level of Risk... 8 Risk Management Dashboard RACI Work Product and Outcomes Implementation Status Authorizations Document Location... 15

2 Overview Governance and risk management processes address cybersecurity risks. Applicable Controls and Compliance NIST SP R4 Control - PM-9 RISK MANAGEMENT STRATEGY NDCBF: Is developing a comprehensive strategy to manage risk to the church s operations and assets, individuals (staff, volunteers, and church community), and other partner organizations, associated with the operation and use of information systems Is implementing the risk management strategy consistently across the organization Will review and update the risk management strategy annually or as required, to address organizational changes Supplemental Guidance: The church-wide risk management strategy will include: An unambiguous expression of the risk tolerance for the church Acceptable risk assessment methodologies Risk mitigation strategies A process for consistently evaluating risk across the church with respect to the NDCBF IT Security Plan Confidential Page 2 of 15

3 NDCBF s risk tolerance Approaches for monitoring risk over time NDCBF is defining and assigning a risk executive function to facilitate consistent, church-wide application of the risk management strategy. The church-wide risk management strategy will be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive. Control - PM-11MISSION/BUSINESS PROCESS DEFINITION NDCBF: Is defining mission/business processes with consideration for information security and the resulting risk to church operations, organizational assets, staff, volunteers, church community, partner organizations, and vendors Is determining information protection needs arising from the defined mission/business processes and revising the processes as necessary, until achievable protection needs are obtained Supplemental Guidance: For NDCBF, information protection needs are technologyindependent capabilities required to counter threats through the compromise of information (i.e., loss of confidentiality, integrity, or availability). This applies to NDCBF, staff, volunteers, community members, partner organizations, and vendors with which sensitive information is shared. Information protection needs are derived from: NDCBF IT Security Plan Confidential Page 3 of 15

4 The mission/business needs defined by the church The mission/business processes selected to meet the stated needs NDCBF s risk management strategy Information protection needs determine the required security controls for NDCBF and the associated information systems supporting the mission/business processes. Inherent in defining information protection needs is an understanding of the level of adverse impact that could result if a compromise of information occurs. An information security categorization process is used to make potential impact determinations (see the Data Inventory and Classification section of ID.AM-1 and 2). Mission/business process definitions and associated information protection requirements are being documented by the NDCBF IT Security Team in accordance with organizational policy and procedure. HIPAA/Texas HB 300 Under the current plan for the Eldred McClean Counseling Center, NDCBF is a Covered Entity as defined by HIPAA and Texas House Bill 300. HIPAA requirements focus on Covered Entities and Business Associates that transmit certain Electronic Protected Health Information (EPHI). Texas House Bill 300 expands the application of HIPAA to any organization that houses Protected Health Information (PHI). Source: Department of Health and Human Services, HIPAA Security Series Security Standards: Administrative Safeguards 1. RISK ANALYSIS (R) (a) (1) (ii) (A) NDCBF IT Security Plan Confidential Page 4 of 15

5 The Risk Analysis implementation specification requires covered entities to: Governance and Risk Management Processes Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. In general, a risk analysis can be viewed as: The process of identifying potential security risks, and Determining the probability of occurrence and magnitude of risks. Sample questions for covered entities to consider: How does EPHI flow throughout the organization? This includes EPHI that is created, received, maintained or transmitted by the covered entity. What are the less obvious sources of EPHI? Has the organization considered portable devices like PDAs? What are the external sources of EPHI? For example, do vendors or consultants create, receive, maintain or transmit EPHI? What are the human, natural, and environmental threats to information systems that contain EPHI? 2. RISK MANAGEMENT (R) (a) (1) (ii) (B) Risk Management is a required implementation specification. It requires an organization to make decisions about how to address security risks and vulnerabilities. The Risk Management implementation specification states that covered entities must: Implement security measures sufficient to reduce risks and vulnerabilities to a NDCBF IT Security Plan Confidential Page 5 of 15

6 reasonable and appropriate level to comply with (a). Governance and Risk Management Processes Risk management is the process used to identify and implement security measures to reduce risk to a reasonable and appropriate level within the covered entity based on the covered entity s circumstances. The measures implemented to comply with this required implementation specification must also allow the covered entity to comply with (a) of the Security Standards: General Rules. Covered entities will want to answer some basic questions when planning their risk management process. Sample questions for covered entities to consider: What security measures are already in place to protect EPHI (i.e., safeguards)? Are executive leadership and/or management involved in risk management and mitigation decisions? Are security processes being communicated throughout the organization? Does the covered entity need to engage other resources to assist in risk management? PCI DSS SAQ A/B-IP Researching - Could not find a relevant requirement NDCBF Implementation NDCBF s approach towards cybersecurity governance and risk management is to integrate an acquired model within the components of the NIST Cybersecurity Framework adapted to NDCBF s requirements. The risk management model used by NDCBF IT Security Plan Confidential Page 6 of 15

7 NDCBF was purchased in 2015 as part of a PCI DSS compliance package. The NIST Cybersecurity Framework is the foundation for the NDCBF IT security plan. The NIST Cybersecurity Framework (CSF) presents a well designed model that is rapidly gaining acceptance throughout private and public industry segments. Elements of the CSF that apply to NDCBF are identified and vulnerabilities for each element rated for their impact on NDCBF and likelihood of occurring. The combination of impact and likelihood reflects the risk level. The third component of the risk management model is a determination of how NDCBF desires to manage the risk. The model is illustrated in the following section: Risk Management Model. With this information, the NDCBF IT Security Team can rank the risks of each element and recommend risk management strategies for leadership decision. Each element of the CSF has an associated work instruction, similar to this document. The work instructions present the issues, controls, compliance factors, NDCBF s plan of action, responsibility matrix, risk rating, and a management status. A dashboard has been developed and is addressed in the next section, Risk Management Model. NDCBF IT Security Plan Confidential Page 7 of 15

8 Risk Management Model Risk Rating/Level of Risk The process of determining the overall risk rating and level of risk is a direct reflection of the likelihood that the event would occur, and the impact that it would have. From a matrix perspective, overall risk, one that assigns a risk rating and level of risk, is best expressed in the chart below: Impact: The impact can best be stated as the harm done to the organization. More NDCBF IT Security Plan Confidential Page 8 of 15

9 specifically, the United States Federal Information Processing Standards Publication 199 (FIPS PUB 199), "Standards for Security Categorization of Federal Information and Information Systems", details the following three (3) security categories (i.e. "potential impact") that correspond to each one of the respective CIA objectives (confidentiality, integrity, and availability): Impact LOW: The unauthorized disclosure, modification, destruction, deletion, and removal of information along with the disruption of access to information results in a LIMITED adverse effect on the organization. Impact MODERATE: The unauthorized disclosure, modification, destruction, deletion, and removal of information along with the disruption of access to information results in a SERIOUS adverse effect on the organization. Impact HIGH: The unauthorized disclosure, modification, destruction, deletion, and removal of information along with the disruption of access to information results in a SEVERE CATASTROPHIC adverse effect on the organization. Likelihood: Simply stated, the likelihood is essentially the probability and frequency that the actual event would occur. Or, in more technical terms, according to the NIST publication, SP , Guide for Conducting Risk Assessments, it is a weighted risk factor based on an analysis of a probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities). Additionally, it s important to note the likelihood is often expressed in terms of time specifically when will the event occur. As for assigning various degrees of likelihood, the NDCBF IT Security Plan Confidential Page 9 of 15

10 following are best practices: 0 - No Event: Event and associated threat is simply Not Applicable (N/A) to control environment. 1 - Unlikely: Rare degree of probability that the event will occur within the stated time period. 2 - Possible: Moderate degree of probability that the event will occur within the stated time period. 3 - Likely: High degree of probability that the event will occur within the stated time period. 4 - Very Likely: Very high degree of probability that the event will occur within the stated time period. 5 - Event will Undoubtedly Occur: Complete certainty that the event will occur within the stated time period. Risk Treatment Strategy: After thoroughly assessing and identifying all risks, it s important to implement comprehensive risk treatment strategies for mitigating the risks to the lowest, acceptable level. It s therefore important to be practical in that completely removing the likelihood of an event occurring is near impossible in today s complex and ever-changing world, thus the goal is risk reduction. With that said, the four (4) primary risk treatment strategies generally consist of the following: Risk Reduction: Putting in place all necessary practices for reducing the risk to its lowest, acceptable level, as just discussed. NDCBF IT Security Plan Confidential Page 10 of 15

11 Risk Sharing Transfer of Risk: In today s growing world of continued outsourcing, organization can effectively share and also transfer risk to other third parties. This type of risk treatment ultimately places a greater burden and responsibility on the actual third-party provider. Risk Avoidance: Simply not engaging in an activity or practice that would result in the actual risk to be present is another way of treating risk. Avoidance is obviously on the best risk treatment strategies, but unfortunately, it s not very practical at all times. Risk Acceptance: Simply accepting the risk because organizations tolerate the risk, or the financial and operational costs and constraints of insuring the risk are greater than the risk itself, is another commonly used risk treatment strategy. NDCBF IT Security Plan Confidential Page 11 of 15

12 Risk Exposure: The plan is to analyze IT risk for each component of the NIST Cybersecurity Framework that applies to NDCBF. NDCBF is in the initial stages developing the church s IT security risk strategy. With that said, the current risk posture is high. The degree and speed with which NDCBF develops and implements its risk management strategy will dictate how long it remains at a high risk posture. Risk Component Impact Level High Likelihood Risk Treatment Strategy Treatment Strategy Status Risk Exposure Very Likely Risk Reduction Under Development High Risk Management Dashboard A dashboard that shows the monthly status of each element is under development. It shows the vulnerability impact, likelihood, risk treatment strategy, status, and current exposure. ID.GV-4 Governance and Risk Management Processes Address Cybersecurity Risks is a member of the NDCBF IT Security Plan Family Identify Governance ID.GV. NDCBF IT Security Plan Confidential Page 12 of 15

13 y/idgv_monthly_risk_management_dashboard.pdf RACI Accountable Responsibility Consult Inform Work Product and Outcomes NDCBF Executive Director Director IT Security Team Elder Board Member Staff Leadership 5K Technical Services Process Delivery Systems Elder Board These are descriptions of expected work products and outcomes. NDCBF Leadership authorization of this document Authorized governance and risk management processes which address cybersecurity risks NDCBF IT Security Plan Confidential Page 13 of 15

14 Risk model to be implemented across the NDCBF IT security plan Implementation Status Supplier Work Product and Outcomes In Progress (Completion Date) or Complete IT Security Team Leadership Document development assistance, finalization, and adoption Authorization and implementation Ongoing NDCBF IT Security Plan Confidential Page 14 of 15

15 Authorizations Signature Director IT Security Team: Print Name and Date: Signature Operations Director: Print Name and Date: Signature Elder Board Member: Print Name and Date: Document Location y/ndcbf_itsecplan_idgv4.pdf NDCBF IT Security Plan Confidential Page 15 of 15