NIST National Vulnerability Database (NVD): 18 Low-Security Impact Controls for a University’s Administration Office

Abstract

In this paper, I will discuss how the Bellevue University Administration Office plans, secures, reviews, and documents its information and physical assets using one control from each of the control families allocated to the low-impact baseline of NIST Special Publication 800-53 (Rev. 4), as catalogued on the NIST National Vulnerability Database (NVD) site. For each control I define what it is and what it does, explain how the Administration Office will remain compliant with it, and name who is responsible for its implementation and continued maintenance, whether that is general Administration Office staff, IT, InfoSec, or the CSO, CTO, or CEO.

Scenario 1: Bellevue University Administration Office

  1. AC – Access Control

AC-2 Account Management

The AC-2 control governs the faculty, admin, student, guest, and vendor accounts used for day-to-day activities: identifying which account types are permitted, deciding who needs (and does not need) access to a system and at what privilege level, and creating, modifying, monitoring, and removing those accounts. By managing authorization this way, the Bellevue Administration Office can protect the confidentiality, integrity, and availability of its IT operations. The Administration Office will ensure compliance by having the network/system administrator and other IT staff continually review active and inactive accounts, remove access from those who no longer need it (including promptly disabling the accounts of personnel who are terminated or transferred), and monitor for unauthorized logins and login attempts. The IT manager will oversee the IT department's responsibilities in this matter, and the CTO will manage InfoSec's role in AC-2. We will be compliant with this control.
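The periodic account review described above is the kind of check that is easy to state in a policy and easy to skip in practice. The script below is an added example written for this page; it is not code from the paper or from Bellevue. It runs over a constructed directory export and a constructed HR separation list (both invented here) and flags the conditions an AC-2 reviewer looks for: terminated users whose accounts are still enabled, guest or vendor accounts with no expiry, no sponsor, or an expiry in the past, and accounts with no login inside an inactivity window. The 90-day window is an assumed organization-defined value; in Rev. 4, automatic disabling of inactive accounts is the AC-2(3) enhancement from the moderate baseline, but reviewing for them is part of the AC-2 base control.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    username: str
    kind: str                   # faculty, admin, student, guest, vendor
    enabled: bool
    last_login: Optional[date]  # None means the account has never logged in
    expires: Optional[date]     # guest/vendor accounts are expected to carry an expiry
    sponsor: Optional[str]      # staff member who vouches for a guest/vendor account


# Constructed sample directory export (hypothetical usernames, not real data).
SAMPLE_ACCOUNTS = [
    Account("asmith",      "faculty", True,  date(2020, 5, 28), None,              None),
    Account("jdoe",        "admin",   True,  date(2020, 5, 30), None,              None),
    Account("vendor-hvac", "vendor",  True,  date(2020, 5, 20), date(2020, 4, 30), "asmith"),
    Account("guest-conf",  "guest",   True,  None,              None,              None),
    Account("bjones",      "student", True,  date(2020, 1, 15), None,              None),
    Account("old-admin",   "admin",   False, date(2019, 3, 1),  None,              None),
]

# Constructed HR separation list: usernames whose employment has ended.
TERMINATED = {"jdoe"}

# Review date used by the sample run.
TODAY = date(2020, 6, 1)


def review_accounts(accounts, terminated, today, inactivity_days=90):
    """Return (username, finding) pairs for every enabled account needing action.

    The inactivity threshold is an assumed organization-defined value.
    """
    findings = []
    cutoff = today - timedelta(days=inactivity_days)
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        if acct.username in terminated:
            # Highest priority: an ex-employee still holds a live account.
            findings.append((acct.username, "terminated-still-enabled"))
            continue
        if acct.kind in ("guest", "vendor"):
            if acct.expires is None:
                findings.append((acct.username, "temporary-account-without-expiry"))
            elif acct.expires < today:
                findings.append((acct.username, "temporary-account-expired"))
            if acct.sponsor is None:
                findings.append((acct.username, "no-sponsor"))
        if acct.last_login is None or acct.last_login < cutoff:
            findings.append((acct.username, "inactive"))
    return findings


def sample_findings():
    """Run the review over the constructed sample data."""
    return review_accounts(SAMPLE_ACCOUNTS, TERMINATED, TODAY)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user:<12} {finding}")
```

In a real deployment the two inputs would come from the directory service and from HR, and the output would go to a ticket for the system administrator rather than to the console; the important design point is that the terminated-user check runs against an authoritative HR source, not against whatever the directory happens to say.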

  2. AU – Audit and Accountability

AU-1 Audit and Accountability Policy and Procedures

The AU-1 control ensures that a policy and supporting procedures for security auditing and accountability are created, disseminated, maintained, and enforced. The policy states what must be audited and who is accountable for reviewing the audit records; the procedures describe how the other AU-family controls (which events are logged, what each record contains, how records are stored, reviewed, and retained) are carried out on each system. By implementing and mandating these, the Administration Office's IT network and systems comply with AU-1 and lay the groundwork for the rest of the AU family; this task will be managed jointly by IT and InfoSec, along with the Administration Office staff. The IT manager will oversee the IT department's responsibilities in this matter, and the CTO will manage InfoSec's role in AU-1. We will be compliant with this control.

  3. AT – Awareness and Training

AT-2 Security Awareness Training

The AT-2 control ensures proper and continuous training in information and organizational security, with the goal of giving all staff, students, and vendors the tools required to safeguard data, systems, and networks. Under AT-2, new hires receive security-awareness training before they are granted access, and all staff receive refresher training whenever new software or procedures are introduced, after any security incident, and at a regular interval set by the organization. The application and continued development of AT-2 will be charged to both IT and InfoSec staff. The IT manager will oversee the IT department's responsibilities in this matter, and the CTO will manage InfoSec's role in AT-2. We will be compliant with this control.

  4. CM – Configuration Management

CM-4 Security Impact Analysis

The CM-4 control requires that proposed changes to an information system be analyzed for their security impact before they are approved and implemented. By examining the system as it stands, the proposed change, how the system will behave after the change, and what steps are needed to accommodate it (before and after implementation), IT and InfoSec staff can identify the security impacts, decide whether additional controls or testing are needed, and record the result alongside the change request. Administration Office staff will follow IT and InfoSec's programs, policies, and procedures for the steps and paperwork involved in the security impact analysis, under supervision from the CTO. We will be compliant with this control.

  5. CP – Contingency Planning

CP-3 Contingency Training

The CP-3 control ensures proper contingency training for all staff. In the event of a natural or man-made disaster, or any unplanned event that disrupts the office's ability to operate, staff will know what to do to restore operations securely, safely, and quickly. In the Administration Office, all employees will receive contingency training before assuming their role, followed by quarterly safety/contingency briefings. In addition to in-person meetings, the InfoSec department will send company newsletters and emails to staff, under supervision from the CSO. To verify that the training is effective, contingency plans will be exercised at unannounced times by simulating a fire, power outage, or similar event. Documentation of the results of the initial and quarterly training, as well as of the simulation exercises, will be collected by InfoSec and reviewed and signed off by the CSO.

  6. IA – Identification and Authentication

IA-2 Identification and Authentication (Organizational Users)

The IA-2 control determines how employees, guests, contractors, and students are uniquely identified and authenticated before being granted local or network access to Bellevue's information assets. Under the supervision of the CSO, the CTO will create and oversee the policies and procedures for identifying and authenticating each user; the CSO will enforce them from a security-impact standpoint, and IT staff will assign or remove permissions accordingly. Each endpoint, wireless device, and similar asset will be subject to the same identification, authentication, and management requirements, under the same supervision as the staff mentioned above. Because IA-2 applies specifically to organizational users, many of the policies for identifying and authenticating non-organizational users are not addressed here (they fall under IA-8), although many of the same principles apply. Note that even at the low-impact baseline, IA-2 is paired with its enhancement IA-2(1), which requires multifactor authentication for network access to privileged accounts, so administrator logins will be multifactor rather than password-only. We will be compliant with this control.

  7. IR – Incident Response

IR-2 Incident Response Training

The IR-2 control ensures that incident response training is provided and tailored to each user's position, role, and responsibilities. In the Administration Office, IT staff will determine how detailed each individual's training needs to be regarding what to do in the event of an information security incident, such as an attack or unexpected downtime; a general staff member needs to know how to recognize and report a suspicious email, while a system administrator needs to know how to contain an affected system and preserve evidence. After IT staff determine the appropriate training for each Administration Office employee, they will administer, under the direction of InfoSec, the training that InfoSec created, supervised by the CSO/CTO. The IR-2 control will undergo continual maintenance and review, since changes in positions, personnel, and technology can render older training obsolete. We will be compliant with this control.

  8. MA – Maintenance

MA-1 System Maintenance Policy and Procedures

The MA-1 control ensures that a system maintenance policy, and the procedures needed to carry it out, are established, documented, and disseminated, consistent with applicable federal laws, executive orders, directives, standards, and regulations. The policy covers how maintenance on Administration Office systems is scheduled, approved, performed, and recorded, and the procedures support the rest of the MA family (controlled maintenance, maintenance tools, nonlocal maintenance, and maintenance personnel). InfoSec staff at the Administration Office will create and administer the MA-1 policy and procedures, with assistance from IT staff and under supervision from the CSO/CTO. To ensure Bellevue remains compliant, the policy and procedures will be reviewed and updated at regular intervals, confirming that the Administration Office's maintenance practices meet the standards set by the CSO. We will be compliant with this control.

  9. MP – Media Protection

MP-2 Media Access

The MP-2 control restricts access to both digital media (hard drives, flash drives, backup tapes, optical discs) and non-digital media (paper records, microfilm) to authorized personnel only; anyone not authorized to view, edit, or destroy the media in question must be denied access to it. Because of the sensitive nature of the data stored and handled at the Administration Office, including student and faculty tax, health, academic, and financial records, the MP-2 implementation will need to be thorough and continuously monitored and reviewed. IT staff will perform periodic audits of who has accessed media and whether that access was authorized. InfoSec staff will control access and verify the authorization of users, under the direction of the CSO. We will be compliant with this control.

  10. PS – Personnel Security

PS-3 Personnel Screening

The PS-3 control governs the screening of individuals before they are authorized to access the information system, as well as their rescreening at regular intervals, in accordance with local, state, and federal laws and regulations and with the requirements set by InfoSec and IT. Depending on the role, function, and responsibilities of the individual, different screening methods will be used under direction from the CSO; staff who handle student financial or health records will be screened more stringently than those with access only to general office systems. While InfoSec will carry out the screening itself, IT will manage the day-to-day administration of which type and depth of screening applies to each position and will initiate the periodic rescreening reviews. We will be compliant with this control.

  11. PE – Physical and Environmental Protection

PE-3 Physical Access Control

The PE-3 control creates, manages, enforces, and reviews physical access controls within the Administration Office. Because of the sensitive information and expensive equipment it holds, and the rising incidence of threats such as school shootings, access to the building must be limited to authorized individuals, logged, escorted where visitors are involved, and difficult to obtain without proper authorization. InfoSec staff members focused on physical security will develop the access control systems, procedures, and policies, while Bellevue's Security Force handles day-to-day security operations, patrols, documentation, key storage, and credential authorization. To comply with PE-3, the CSO and the head of the Security Force will need to develop methods to audit the physical access systems periodically and to run test scenarios, documenting any issues or necessary improvements in both cases. Communication with local police and fire departments will be maintained throughout the process. We will be compliant with this control.

  12. PL – Planning

PL-2 System Security Plan

The PL-2 control requires that a system security plan for the Administration Office be developed, implemented, maintained, protected from unauthorized disclosure, and reviewed. The plan describes the authorization boundary, the organization's architecture and information systems, their relationships and connections with other information systems, the security controls in place or planned, and the authorizing officials and their representatives. Bellevue's InfoSec staff, with input from the Security Force team on the physical-protection portions, will handle all system security plan activities under direct supervision from the CSO, and will coordinate with local police and fire departments where the plan depends on them. To maintain compliance with PL-2, the plan must be reviewed at a set interval and updated whenever systems change or new systems, buildings, regulations, or personnel are added, and the controls it describes must be tested to confirm they are in place and effective. We will be compliant with this control.

  13. RA – Risk Assessment

RA-3 Risk Assessment

The RA-3 control ensures that risk assessments are properly researched, conducted, documented, reviewed, and acted upon. These assessments cover programs, organizational units, defenses, and business practices, including potential vulnerabilities, organizational assets and operations, personnel, service providers, information systems, authentication and authorization procedures, and existing security controls. Using the NIST Risk Management Framework (RMF), the Administration Office's InfoSec staff will conduct risk assessments at all three tiers of the risk management hierarchy (organization, mission/business process, and information system), under direct supervision from the CSO. To comply with RA-3, a structured approach must be formulated to carry out detailed risk assessments at regular intervals, to reassess whenever significant changes occur in any of the areas above, and to document the results and any resulting changes. We will be compliant with this control.

  14. CA – Security Assessment and Authorization

CA-3 System Interconnections

The CA-3 control ensures that every connection between the Administration Office's information systems and other systems is authorized before it is established, is documented in an interconnection security agreement (covering the interface characteristics, the type of communication used, the security requirements of the link, and the nature of the information communicated), and that each agreement is reviewed and updated periodically. By weighing the risks, security procedures, and protocols of interconnecting with systems in both internal and external organizations, the Administration Office will comply with CA-3 through responsibilities shared between Bellevue's IT and InfoSec staff. The connection itself, its maintenance, vendor relations, and general documentation will be handled by IT staff under supervision from the CTO, while all security-related documentation, defenses, and the periodic review of the security agreement for each interconnection will be handled by InfoSec staff, directly supervised by the CSO. We will be compliant with this control.

  15. SC – System and Communications Protection

SC-5 Denial of Service Protection

The SC-5 control defends the Administration Office against denial of service (DoS) attacks by implementing technologies and practices such as firewalls and rate limiting at the network edge, provisioning and managing sufficient bandwidth, hardening systems and hardware, writing security policies and procedures for responding to an attack, and performing periodic audits and risk assessments. The Administration Office will comply with SC-5 through both IT and InfoSec staff, with InfoSec handling most of the defense-oriented tasks and IT enforcing day-to-day compliance by users and end systems. The SC-5 control will be the responsibility of the CSO. We will be compliant with this control.
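Of the measures listed above, rate limiting is the one that can be shown in a few dozen lines. The code below is an added example written for this page, not code from the paper or from Bellevue: a per-client token bucket of the kind a firewall or reverse proxy applies, run over a constructed request stream in which one source (the invented address 203.0.113.9) floods at ten requests per second while a normal client (198.51.100.23) sends one per second. The rate and burst values are assumptions. Time is kept in integer milliseconds and tokens in thousandths so that the counts are exact rather than subject to floating-point drift.

```python
from collections import defaultdict


class TokenBucket:
    """Token bucket using integer arithmetic: time in ms, tokens in thousandths."""

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s        # whole tokens added per second
        self.cap = burst * 1000       # capacity in milli-tokens
        self.tokens = self.cap        # a new client starts with a full bucket
        self.last_ms = 0

    def allow(self, now_ms):
        # elapsed_ms * (rate tokens / 1000 ms) * 1000 milli-tokens/token == elapsed_ms * rate
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:       # one whole token pays for one request
            self.tokens -= 1000
            return True
        return False


class PerClientLimiter:
    """One bucket per client address, so a flooding source cannot starve others."""

    def __init__(self, rate_per_s=2, burst=5):
        self.buckets = defaultdict(lambda: TokenBucket(rate_per_s, burst))

    def allow(self, client, now_ms):
        return self.buckets[client].allow(now_ms)


def simulate(requests, rate_per_s=2, burst=5):
    """requests: (time_ms, client_ip) pairs. Returns {client: (allowed, dropped)}."""
    limiter = PerClientLimiter(rate_per_s, burst)
    stats = defaultdict(lambda: [0, 0])
    for t, client in sorted(requests):
        idx = 0 if limiter.allow(client, t) else 1
        stats[client][idx] += 1
    return {c: tuple(v) for c, v in stats.items()}


# Constructed traffic (assumed addresses): one flood at 10 req/s for 5 s,
# one well-behaved client at 1 req/s for 10 s.
FLOOD_IP, NORMAL_IP = "203.0.113.9", "198.51.100.23"
SAMPLE_REQUESTS = [(i * 100, FLOOD_IP) for i in range(50)] + \
                  [(i * 1000, NORMAL_IP) for i in range(10)]


def sample_stats():
    """Run the limiter over the constructed traffic at 2 req/s with a burst of 5."""
    return simulate(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for client, (allowed, dropped) in sample_stats().items():
        print(f"{client:<15} allowed={allowed:<3} dropped={dropped}")
```

With a 2 req/s rate and a burst of 5, the flooding source gets its first six requests through and then one every half second, while the normal client is never dropped. A host-level limiter like this protects the application behind it, but it does nothing about a volumetric attack that saturates the office's uplink; that case needs filtering upstream at the ISP or a scrubbing service, which is why the paragraph also lists bandwidth management and firewalls.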

  16. SI – System and Information Integrity

SI-4 Information System Monitoring

The SI-4 control ensures that all information systems are continuously monitored and audited in accordance with both internal policies and external (state and federal) laws, orders, and regulations. Because of the variety of information systems used at the Administration Office and the sensitivity of the information they hold, SI-4 will require constant maintenance and updating by both InfoSec and IT staff. Using a combination of risk assessments, alerting, intrusion detection and prevention systems, and review of security logs, the Administration Office will comply with SI-4 through the InfoSec and IT staff's 24/7 monitoring of all information systems, under the direction of the CSO/CTO. We will be compliant with this control.
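The monitoring SI-4 calls for, and the watch for unauthorized login attempts mentioned under AC-2, come down to detection logic run over the systems' logs. The following is an added example written for this page, not code from the paper or from Bellevue. It parses a handful of constructed OpenSSH-style syslog lines (hostname, addresses, and usernames are invented) and raises two alerts: a burst of failed logins from one source inside a short window, and a successful login from that same source shortly after the burst, which is the pattern that distinguishes a noisy scan from a likely credential compromise. The threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in OpenSSH/syslog format (not real logs).
SAMPLE_LOG = """\
Jun  1 08:00:01 admin-fs sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Jun  1 08:00:03 admin-fs sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51130 ssh2
Jun  1 08:00:05 admin-fs sshd[2105]: Failed password for root from 203.0.113.9 port 51141 ssh2
Jun  1 08:00:06 admin-fs sshd[2107]: Failed password for root from 203.0.113.9 port 51150 ssh2
Jun  1 08:00:08 admin-fs sshd[2109]: Failed password for registrar from 203.0.113.9 port 51162 ssh2
Jun  1 08:00:40 admin-fs sshd[2111]: Accepted password for registrar from 203.0.113.9 port 51170 ssh2
Jun  1 08:10:00 admin-fs sshd[2150]: Failed password for asmith from 198.51.100.23 port 40001 ssh2
Jun  1 08:30:00 admin-fs sshd[2180]: Accepted publickey for asmith from 198.51.100.23 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line, year=2020):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None.

    syslog timestamps carry no year, so the year is supplied by the caller.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(log_text, threshold=5, window_s=60, follow_s=600):
    """Sliding-window brute-force detector with a success-after-burst follow-up.

    threshold/window_s: failures from one source inside window_s seconds.
    follow_s: how long after a burst a success from that source is suspicious.
    """
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    burst_at = {}                   # ip -> time the burst alert fired (one alert per ip)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue                # not an sshd auth result; ignore
        ts, result, user, ip = ev
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= threshold and ip not in burst_at:
                burst_at[ip] = ts
                alerts.append(("brute-force", ip, user, ts.isoformat()))
        elif ip in burst_at and (ts - burst_at[ip]).total_seconds() <= follow_s:
            alerts.append(("success-after-burst", ip, user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the first source trips the burst rule on its fifth failure at 08:00:08 and then authenticates as "registrar" 32 seconds later, which produces the second alert; the second source's single failure followed by a key-based login half an hour later produces nothing. The point for SI-4 is that the second alert is the one worth paging on: a lone burst is routine Internet background noise, but a success right after it means an account is now in someone else's hands and the AC-2 owner of that account needs to act.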

  17. SA – System and Services Acquisition

SA-2 Allocation of Resources

The SA-2 control ensures that the security requirements of each information system are met by determining and allocating the resources needed to protect it as part of capital planning and budgeting. To keep the Administration Office's information systems secure and performing at their best, the CSO and CTO will meet with the CEO at regular intervals to set budgets, account for foreseeable and unforeseen costs, and decide how and when to allocate resources to the IT and InfoSec departments. For the Administration Office to remain compliant, a process must be established to facilitate discussion among the managerial staff involved, following a set of policies and procedures for purchases, vendor relationships, expenses, and future scalability, with information security carried as a discrete line item in the budgeting documentation. We will be compliant with this control.

References

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “AC-2 Account Management.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/AC-2.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “AU-1 Audit and Accountability Policy and Procedures.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/AU-1.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “AT-2 Security Awareness Training.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/AT-2.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “CM-4 Security Impact Analysis.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/CM-4.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “CP-3 Contingency Training.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/CP-3.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “IA-2 Identification and Authentication (Organizational Users).” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/IA-2.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “IR-2 Incident Response Training.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/IR-2.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “MA-1 System Maintenance Policy and Procedures.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/MA-1.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “MP-2 Media Access.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/MP-2.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “PS-3 Personnel Screening.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/PS-3.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “PE-3 Physical Access Control.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/PE-3.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “PL-2 System Security Plan.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/PL-2.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “RA-3 Risk Assessment.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/RA-3.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “CA-3 System Interconnections.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/CA-3.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “SC-5 Denial of Service Protection.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/SC-5.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “SI-4 Information System Monitoring.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/SI-4.

NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “SA-2 Allocation of Resources.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/SA-2.
