Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy August 10, 2017 version



Implementation Plan

for the UW-Madison Cybersecurity Risk Management Policy

August 10, 2017 version


WORKING DOCUMENT


This working document is the implementation plan for the Cybersecurity Risk Management Policy. The plan will be reviewed by the community, IT governance, and the ITC.

IMPLEMENTATION

The Office of Cybersecurity will maintain a separate and detailed implementation plan that is jointly developed with the System Owner, also known as a System Security Plan, for each information system. The Office of Cybersecurity will assist distributed Information Technology groups with developing implementation plans tailored to their group's needs.

Data Classifications [1]

UW-Madison has classified its institutional data assets into risk based categories for determining who is allowed to access institutional data and what security precautions must be taken to protect it against unauthorized access and use.

Restricted: Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if:

• protection of the data is required by law or regulation or
• UW-Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed

Sensitive: Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.

Internal: Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data.

Public: Data should be classified as Public prior to display on web-sites or once published without access restrictions; and when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

[1] From https://data.wisc.edu/data-governance/data-classifications/


Timeline

With the volume of systems and networks at UW-Madison, a full implementation of the Risk Management Framework will take five years to complete. Implementation will initially focus on systems handling or storing data classified as Restricted, then Sensitive. Since exposure or loss of Internal or Public data does not pose an immediate operational impact or significant financial risk, those information systems will be reviewed as resources allow.

1. Systems with Restricted Data (SSN's, Financial Accounts, HIPAA, …) 2017+
2. Research systems where grant funding is tied to security requirements 2017+
3. New or significantly updated systems with Sensitive Data 2019+
4. Remaining systems with Sensitive Data 2020+
5. Systems that only handle Internal Data 2021+
6. Systems that only handle Public Data 2022+

Throughout the implementation period, systems of all kinds will benefit from advanced firewalls and network protections as those capabilities are further deployed. Public facing web servers will be monitored on a monthly basis for unwanted traffic, evidence of cyber-attack or potentially harmful data loss activity to ensure openly accessible data is protected.

Training

Training on the processes, tools and use of or completion of artifacts will be provided by the Office of Cybersecurity with the details considered to be out of scope for this document. Ongoing security awareness training will be provided and access to training tools will be widely publicized on the Office of Cybersecurity web pages (https://it.wisc.edu/about/office-of-the-cio/cybersecurity/risk-management-framework/).

PROCESS FOR MANAGING CYBERSECURITY RISK

This section describes process specific activities necessary to carry out the Cybersecurity Risk Management Policy. The process steps summarized below are required by the policy. Amplification of process steps and a helpful background on the Risk Management Framework (RMF) are in the Appendix to this Implementation Plan.

Risk Register

Information systems proposed to undergo Risk Assessment are entered into the Risk Register managed by the Office of Cybersecurity. A Risk Analyst will be assigned as resources become available. Organizations desiring to accelerate the process can contact the Chief Information Security Officer for guidance and options for meeting Risk Analyst resource requirements.


Assess Risk (RMF Step 4)

The academic/functional unit and the Office of Cybersecurity cooperatively assess the cybersecurity risk associated with a system.

Certify Risk (RMF Step 5)

The UW-Madison Chief Information Security Officer (CISO) signs the Risk Assessment to certify that the represented risk is accurate. The CISO may include recommended risk reduction strategies.

Accept Risk (RMF Step 5)

The risk of operating the system is accepted by the Risk Executive on behalf of UW-Madison. This is a leadership decision and should be based on the following:

a. Assessed risk and impact to the University should a system be compromised or data lost
b. Recommended remediation to include consideration for cost to implement
c. Impact on the business process should the system, while in operation, lose availability of the system or data, encounter data integrity issues, or breach confidentiality of Restricted or Sensitive data.
d. The Risk Executive role is guided by the following:

(1) Risk Executives will be named within 60 days of the Cybersecurity Risk Management Policy being finalized.

(2) The Risk Executive should be an executive or director (e.g., Dean or their appointee, department chair, director of a research lab, etc.) within the academic/functional unit, or in the line of authority above that unit. The Risk Executive must have the authority to accept the risk of operating the system on behalf of the institution and should be in the unit that will ultimately be responsible for paying for a breach (i.e., Dean or their appointee, department, research lab, etc.).

(3) The Risk Executive balances the business needs, the potential financial and reputational cost of adverse events, and the cost of reducing the likelihood and severity of those events.

(4) Delegation of the Risk Executive role is not encouraged. If delegation of the work is made under the Risk Executive's authority, the responsibility will not be delegated.

(5) Risk Executives may access the expertise, training and support available from the Office of Cybersecurity for advice in making their risk determination or for additional guidance.

(6) The Risk Executive must be afforded a sufficient understanding of the information system through the technical experts and managers associated with the system. After reviewing the Risk Assessment and recommendations of the Office of Cybersecurity, the Risk Executive will:

a) accept the risk as certified, or
b) assure that recommended action is taken to reduce the risk to an acceptable level, or
c) decline to authorize the system to operate.


Reduce Risk (RMF Step 5 and 6)

The acceptable level of risk may be constrained by legal, regulatory or contractual requirements, and is subject to review by university leadership.

If the certified level of risk is unacceptable:

a. The Risk Executive assures that changes are made to the system that reduce the risk to an acceptable level.

b. The assessment and certification described in Assess Risk and Certify Risk are revised following confirmation of corrective actions. The reduced level of risk is then accepted as described in Accept Risk.

Following the Risk Assessment and subsequent acceptance by the Risk Executive, information systems with vulnerability, threat and impact changes that elevate the level of risk will have to be corrected or mitigated back to the assessed level (or lower) within the following time limits:

a. Issues that elevate the risk level to Critical should be corrected or mitigated to no greater than High within 72–96 hours or the system should be disconnected.

b. Issues that elevate the risk to High should be corrected or mitigated to Moderate within 15 calendar days.

c. Issues that elevate the risk to Moderate should be corrected or mitigated to Low within 90 calendar days.

d. If the issue occurs on a system evaluated at Low risk, but does not elevate the risk to Medium, it should be corrected within one year.

In all cases, the Risk Register maintained by the Office of Cybersecurity should be updated along with adjusting the existing risk assessment and plan of action and milestones.

Monitor Risk (RMF Step 6)

The academic/functional unit and the Office of Cybersecurity continually monitor the system to assure that the level of risk remains at or below the level accepted in Accept Risk.

a. There must be policy and procedural safeguards to assure that monitoring activity respects privacy and academic freedom.

b. The design and implementation of monitoring is included in the assessment and certification described in Assess Risk and Certify Risk. Monitoring must be designed and implemented to, at a minimum:

(1) detect known security vulnerabilities and threats, and
(2) detect known indications that the system may be compromised;

c. Where the identified problems are individually or collectively significant enough to increase the level of risk above the level accepted in Accept Risk, the identified problems must be sufficiently mitigated to return the level of risk to the level accepted in Accept Risk.

Re-evaluate Risk (RMF Step 6)

Risk evaluation occurs throughout the system lifecycle as follows:


a. The schedule for risk evaluation is part of the assessment and certification described in Assess Risk and Certify Risk. A typical schedule includes a formal evaluation every three years and an informal evaluation annually.

b. Change management is part of the assessment and certification described in Assess Risk and Certify Risk. Changes to the system that increase risk may require more immediate evaluation.

c. Following an evaluation, the assessment and certification described in Assess Risk and Certify Risk are revised, the risk is accepted or reduced as described in Accept Risk and Reduce Risk, and monitoring continues as described in Monitor Risk.

Special cases

Non-UW-Madison-owned devices and services used for university business may be treated as part of a UW-Madison information system, and if so, are subject to this policy. There must be policy and procedural controls in place to assure respect for property and privacy.

CONTACT

Questions and comments on this document can be directed to the Office of Cybersecurity at cybersecurity@cio.wisc.edu.

HELPFUL REFERENCES

UW-Madison Cybersecurity Risk Management Procedures website [under development], https://it.wisc.edu/about/office-of-the-cio/cybersecurity/risk-management-framework/

National Institute for Standards and Technology Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf

National Institute for Standards and Technology Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

National Institute for Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

Controlled Unclassified Information (32 CFR Part 2002), https://www.gpo.gov/fdsys/pkg/FR-2015-05-08/pdf/2015-10260.pdf


FINAL DRAFT (for ITSC Endorsement to ITC)

Appendix - UW-Madison Cybersecurity Risk Management Framework

August 10, 2017 version

BACKGROUND

Risk is defined as the measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence [2].

Cybersecurity risk may be presented from external sources or by individual actions of those working inside the network or information systems. The concept of cybersecurity risk includes operational risk to information and technology assets that have consequences affecting the availability, integrity or confidentiality of information or information systems. This includes the resulting impact from physical or technical threats and vulnerabilities in networks, computers, programs and data. The data focus includes information flowing from or enabled by connections to digital infrastructure, information systems, or industrial control systems, including but not limited to, information security, supply chain assurance, information assurance, and hardware and software assurance [3].

The process described in this policy is a tool used to arrive at an understanding of risk involving information systems. Risk can be modeled as the likelihood of adverse events over a period of time, multiplied by the potential impact of those events. Risk is never reduced to zero. There is always a level of risk that must be accepted as a cost of doing business. Reducing the risk to an acceptable level is also a cost of doing business.

Systems are monitored to assure that the level of cybersecurity risk is maintained at or below an acceptable level. There are policy and procedural safeguards to assure that personal privacy and academic freedom are respected. The content or use of the data is only of interest to the extent that it indicates the presence of a vulnerability or threat, such as incoming data that is part of an attack on university systems, or outgoing data that indicates a system has already been compromised. University or personal data that is stolen by an attacker is no longer private. Scrupulous monitoring helps protect data from unscrupulous use.

THE INFORMATION SYSTEM

An information system can be defined as a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems [4]. Each information system should include a security boundary which clearly defines the perimeter of the system and the extent of applicable security controls to be defined and built into the system. Figure 1 below [5] shows a simple client-server based system with the security boundary shown in green.

[2] From NISTIR 7298 Revision 2, Glossary of Key Information Security Terms, dated May 2013
[3] From A Taxonomy of Operational Cyber Security Risks by James Cebula and Lisa Young, Carnegie-Mellon University Software Engineering Institute, dated December 2010.
[4] From NISTIR 7298 Revision 2, Glossary of Key Information Security Terms, dated May 2013

Figure 1: The System Security Boundary

The System Security Plan should address the hardware, software, security controls, and administrative or configuration issues associated with securing the system and the data within that boundary. The plan should also describe the interactions with adjacent systems and networks and, where necessary, describe the security controls that protect access and secure the data.

RISK MANAGEMENT FRAMEWORK

The Risk Management Framework, also called the RMF, is derived from the National Institute for Standards and Technology Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, and specifically tailored to meet the requirements and culture at UW-Madison. This document describes the RMF processes and implementation details and serves as a guide to determining cybersecurity risk to information systems and network architectures. The UW-Madison Cybersecurity Risk Management Framework is designed to provide departmental directors, researchers, and information technologists with a tool to determine risk to data and operations of each network or system connected to or serviced by the campus information technology architecture. The RMF consists of six steps that guide the development of a system with information security controls built in. Once development is completed, a formal risk assessment and continued operating checks ensure maintenance of defined risk levels. The tables and graphic below describe the steps:

[5] From University of Florida article Creating an Information System/Data Flow Diagram found at https://security.ufl.edu/it-workers/risk-assessment/creating-an-information-systemdata-flow-diagram/

Step | Activity Title | Description
Pre | Planning | Conducting discovery with the System Owner to aid in their understanding of the RMF and associated tools and processes. Identification of time and resources occurs here.
1 | Categorize the System | A data driven process where the security requirements of the system are defined by the highest classification of data handled by, or stored within, the system or processes.
2 | Select Security Controls | Assignment of the administrative, physical and technical controls required to protect the data are drawn from an agreed security controls framework (e.g., NIST 800-53).
3 | Implement and Validate Controls | During design and development, the selected controls are incorporated in the system design, validated to provide the desired protections, and verified as operational.

Figure 2: The Risk Management Framework


Step | Activity Title | Description
4 | Risk Assessment | Independent of the development team, a documented assessment is performed to test the selected controls. Residual risk is determined with mitigating factors applied. This stage leads to a formal declaration of risk for the system or network.
5 | Authorize the System | A final risk review is conducted with a formal declaration of risk provided to the responsible Risk Executive who makes the determination whether to (1) operate the system at the defined risk level; (2) further mitigate risk; or (3) decline to allow continued operation.
(System is Operational)
6 | Monitor and Mitigate | Continually assess the operational controls against evolving vulnerability, threat and impact factors. When disruption to operations or loss of data occurs because controls fail, system upgrades occur without proper testing, or external factors dictate, determine and implement mitigating controls or return the system to an earlier RMF step. This step is also known as Continuous Diagnostics and Mitigation.

The RMF aligns with the system development lifecycle and requires input documentation and information for each step. Output artifacts are produced that are used in planning, development and testing, and certification of risk leading to implementation as shown in the table below.

Step 1: Categorize the System
  Project Phase: Planning and Design
  Input Documents and Activities:
    • Data definition including Classification
    • FISMA determination from Contract
    • Data description
    • System description from SDLC
    • CIS Benchmarks
  Output Documents and Activities:
    • Cybersecurity Project Charter
    • System Security Plan (SSP) Questionnaire checklist
    • Data Security Triage Form
    • IT Security Baseline for Research and Academic Computing Template
    • Interview Checklist(s): e.g., FISMA Controls, HIPAA Test Plan, SA Checklist

Step 2: Select Security Controls
  Project Phase: Planning and Design
  Input Documents and Activities:
    • Complete and Validated SSP Questionnaire checklist
  Output Documents and Activities:
    • Security Controls Inventory


Step 3: Implement and Validate Controls
  Project Phase: Develop and Test
  Input Documents and Activities:
    • Configure Security Controls as determined.
  Output Documents and Activities:
    • Completed Package Artifacts
      o SSP
      o Topology, Data Flow, System Security Boundary
      o Ports & Protocols Table
    • Security Controls Workbook (Pre-Assessment)
    • Submitted Cybersecurity Risk Acceptance Request Form

Step 4: Risk Assessment
  Project Phase: Develop and Test
  Input Documents and Activities:
    • Provide All Audit Scan (host based scans & application based testing)
    • Completed Security Controls Checklist validated by scanning and manual review
    • Develop and Execute Testing Plans (Artifacts not provided will be created by the Office of Cybersecurity)
    • Step Three Deliverables
  Output Documents and Activities:
    • Scanning tool (i.e., Qualys) generated Risk Assessment Report plus Analyst notes
    • Executed CCI and NIST checklists
    • Updated systems POAM
    • Validated Step Three Artifacts
    • Residual Risk Report

Step 5: Authorize System
  Project Phase: Implement
  Input Documents and Activities:
    • Residual Risk Report
    • Step Four deliverables
  Output Documents and Activities:
    • Chief Information Security Officer signed Risk Letter plus Risk Executive's Endorsement/Approval to Operate

(Project Handoff to Operations)

Step 6: Mitigate and Monitor
  Project Phase: Operate
  Input Documents and Activities:
    • Approved scanning tool
    • Control Validation Plan
    • Step Five deliverables
  Output Documents and Activities:
    • Provide Monthly Risk Reports & POAM updates
    • Security Control Validation Report