FISMA 101

AGENDA
- FISMA Project Overview
- The Basics: FISMA and the NIST RMF
- The Details: Six specific processes
- Portable Computing Devices and Media
- Getting Help
- Next Steps: Timeline, Rules of Behavior, HIPAA

FISMA PROJECT OVERVIEW
- The UF contract with the State of Texas requires compliance with FISMA and NIST standards for work supporting this project.
- In response to the contract requirements:
  - UFIT sponsored and invested in a significant project to support this contract ($1.5M, 70-80 UFIT employees).
  - The initial build-out is on track to complete by June 30, 2015.
  - The new FISMA environment replaces the current SAS and SQL environments used for Texas contract deliverables and research.

FISMA @ UF
- Enables the $40M State of Texas contract.
- UF will be eligible for additional contracts and grants via the FISMA-compliant, multi-tenant environment.
- Requires:
  - End-users/Researchers: heightened security requirements
  - Office of Research: revised contract/negotiation process
  - UFIT: additional compliance requirements

THE BASICS: FISMA AND THE NIST RMF

WHAT IS FISMA?
- Federal Information Security Management Act (FISMA) of 2002
- Enacted by Congress as Title III of the E-Government Act of 2002
- Establishes security requirements for federal agencies and for those providing services to federal agencies (contractors and other organizations operating systems on an agency's behalf)
- Sets forth:
  - Specific requirements for security programs
  - Specific documentation, policies and procedures
  - Defined processes that must be in place, with security controls selected from NIST Special Publication 800-53, the federal catalog of security controls (it is a federal standard for non-national-security systems, not a national security standard)

NIST RISK MANAGEMENT FRAMEWORK (RMF)
[Figure: RMF cycle diagram aligned with the information system. The slide shows the steps Select security controls, Implement security controls, Assess security controls and Authorize information system, with the Security Plan, the Security Assessment Report (SAR) and the POA&M forming the Authorization Package. The complete RMF defined in NIST SP 800-37 has six steps: Categorize, Select, Implement, Assess, Authorize, Monitor.]

Authorize step, as shown on the slide:
- Prepare the Plan of Action and Milestones (POA&M)
- Submit the Security Authorization Package (Security Plan, SAR and POA&M) to the Authorizing Official (AO)
- The AO conducts the final risk determination
- The AO makes the authorization decision

THE DETAILS: SIX SPECIFIC PROCESSES

1. GETTING AN ACCOUNT
Non-FISMA: Accounts were provided on an ad hoc basis (phone, email, etc.) and maintained as necessary.
FISMA: Accounts have to be formally authorized and approved by management; processes need to ensure the account list is current and appropriate.
Why: Additional controls implement appropriate accountability and assurance of minimum necessary access rights.

2. REMOTE ACCESS AND LOGGING IN
Non-FISMA: Access was available through a variety of means and mechanisms requiring only a user name and password (RDP, telnet, SSH, web portals, etc.). Telnet in particular sends the password across the network in cleartext.
FISMA: Remote access into the environment has to be secured with both something you know (a password) and something you have (a token).
Why: Passwords are easily stolen (Target, Home Depot, Anthem, Premera, etc.), so best practices and compliance require additional verification.

3. DATA TRANSFERS
Non-FISMA: Systems allow whatever means of data transfer is most convenient or available to users.
FISMA: Sensitive data are regulated and therefore must move through controlled mechanisms that govern data coming in and going out.
Why: Complexity and lack of control provide opportunities for loss or misuse.

4. CHANGE MANAGEMENT
Non-FISMA: Changes are made on an ad hoc basis and are not formally tracked or reviewed for security impact (updates to applications, databases, etc.).
FISMA: Changes must be formally reviewed, approved and tracked.
Why: Oversight is necessary to ensure changes do not compromise the integrity of the systems' security, and tracking is necessary for audit purposes.

5. LOGGING AND MONITORING
Non-FISMA: Logs are kept and reviewed on an ad hoc basis.
FISMA: All systems enforce required logging measures to ensure they remain secure.
Why: Logs are necessary both to detect adverse events (breaches, misuse of data, etc.) and for audit purposes.

6. SECURITY ASSESSMENTS
Non-FISMA: No formal security assessments are performed.
FISMA: Regular security assessments for vulnerabilities and compliance are conducted.
Why: To ensure the ongoing security of the environment.

PORTABLE COMPUTING DEVICES AND MEDIA: DATA PROTECTION AND PRIVACY

PORTABLE COMPUTING DEVICES
- Must comply with current UF policy, which requires full disk encryption to protect the confidentiality and integrity of systems and data. Note that full disk encryption protects data at rest on a powered-off or locked device; it does not protect a device that is compromised while in use, which is why the wipe-on-return rule below exists.
- The FISMA environment is designed such that data is contained fully within the protected environment.
- Users traveling to areas deemed high risk are advised not to access the FISMA environment from those locations.
- Portable devices taken to high-risk areas will be completely erased and restored to the baseline configuration upon return, before being allowed to access the FISMA environment again.

MEDIA ACCESS
- No ability is provided for users to use or access data on removable media as part of the ResShield system.
- Privileged users are authorized to use removable media for system installation and maintenance activities, as approved by the Change Advisory Board (CAB).
- No Restricted Data is stored on removable media, and media is scanned for malware before use with the ResShield system.

MEDIA LABELING
- External labels are affixed to all removable media used with the ResShield system. Labels identify the data or software included and carry the note "Not for use with Restricted Data".
- If Restricted Data is stored on removable media, it is labeled "UF ResShield" and "UF Restricted Data".

MEDIA STORAGE
- Privileged users store removable media used for system installation and maintenance in locked and controlled office facilities when not in use, to prevent tampering.

MEDIA TRANSPORT
- Privileged users keep all removable media in their possession during transport to locked and controlled office facilities and the data center.
- Transport of removable media that does not contain Restricted Data does not need to be documented and logged.
- If Restricted Data is stored on removable media, the FISMA Operations Manager will individually authorize and document transport of such media outside of locked and controlled office facilities.

MEDIA ENCRYPTION
- UF policy allows the use of unencrypted removable media only when encryption interferes with the media's essential function.
- Because removable media is used with ResShield only for system installation and maintenance (which is usually not possible with encrypted media, e.g. bootable installation media), encryption is not required for that media.
- If Restricted Data is stored on removable media, the media will be fully encrypted with FIPS 140-2 compliant products. In practice this means a cryptographic module on NIST's CMVP validated-modules list; a vendor's unverified "compliant" claim is not the same thing.

OUTPUT DEVICE PHYSICAL SECURITY
- UFIT staff with privileged access work in physically secured areas without public access.
- Screen guards (privacy filters) must be used with any monitors removed from the secure office area.

INSIDER THREATS

What is an insider threat?
An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.

What are some signs of this type of behavior and/or activities that you may encounter?
- Job dissatisfaction, which may take the form of verbal complaints against the university
- Harassment of fellow co-workers (which should be reported immediately)
- Violations of other university policies

What should you do if you suspect insider threat activity? Report it!
- Call the Privacy Hotline: 866-876-HIPA
- Use the web form

GETTING HELP: WHAT IF I NEED HELP?
- Nothing changes with your workstation support: contact UFHealth AHC-IT as you normally do.
- UFHealth AHC-IT will route FISMA support requests to the FISMA team.
- Additionally, for a few weeks after go-live, UFIT FISMA staff will rotate among three locations for user support services:
  - CTRB
  - 1329 Bldg.
  - 2020 Bldg. (HOP Modular)

NEXT STEPS

Timeline:
- 6-8-15 to 6-30-15: The 3rd Party Assessment Organization (3PAO), Excentium, performs its Independent Verification and Validation (IV&V).
- 6-15-15 to 6-26-15: TX EQRO testing.
- 6-30-15: TX FISMA is LIVE; TX data is inside the FISMA bubble.
- 7-1-15 to 8-15-15: 45-day parallel validation period.

Rules of Behavior

Verify HIPAA is up-to-date

APPENDIX: NIST REFERENCES
- FIPS Publication 199 (Security Categorization)
- FIPS Publication 200 (Minimum Security Requirements)
- NIST Special Publication 800-18 (Security Planning)
- NIST Special Publication 800-30 (Risk Assessment)
- NIST Special Publication 800-39 (Risk Management)
- NIST Special Publication 800-37 (Risk Management Framework; originally titled Certification & Accreditation)
- NIST Special Publication 800-53 (Recommended Security Controls)
- NIST Special Publication 800-53A (Security Control Assessment)
- NIST Special Publication 800-60 (Information Types Mapping)

INFORMATION SECURITY PROGRAMS
The information security programs are centered around the NIST SP 800-53 security control families:
- Access Control
- Awareness and Training
- Audit and Accountability
- Certification, Accreditation, & Security Assessments
- Configuration Management
- Contingency Planning
- Identification & Authentication
- Incident Response
- System Maintenance
- Media Protection
- Security Planning
- Risk Assessment
- System & Services Acquisition
- System & Communications Protection
- System & Information Integrity
(SP 800-53 also defines the Personnel Security and Physical & Environmental Protection families, which do not appear on the slides.)
