U.S. Department of Health and Human Services Information Security for Executives v1.0 1 MAY 2011

Dec 15, 2015

Ean Ryan

Transcript
Page 1: U.S. Department of Health and Human Services Information Security for Executives v1.0 1 MAY 2011.

U.S. Department of Health and Human Services

Information Security for Executives v1.0

1 MAY 2011

Page 2:

Information Security for Executives

Course Introduction

Information Security Overview

Security Policy and Governance

Privacy Protection

Security and Your Business

Course Summary

Appendix

Page 3:

Course Introduction

Executive Introduction

Welcome to Information Security for Executives

“As an executive of the Department of Health and Human Services (HHS), securing the Department’s information and protecting the privacy of the citizens we serve should be one of your top priorities.”

Mike Carleton, Chief Information Officer (CIO), HHS

Page 4:

Course Introduction

The HHS Executive’s Security Role

• Help employees understand why security and privacy are important and empower them to make protecting the information, health, safety, and well-being of the American people their personal mission.

• Incorporate security into your management philosophy – make it a routine topic in staff meetings and when making management decisions.

• Allocate resources to ensure that systems are adequately protected to prevent compromise of sensitive information.

• Ensure that employees receive the training they need and are held accountable for protecting sensitive information.

• Heighten awareness on how to quickly identify sensitive data and how to handle this data on a day-to-day basis.

• Ensure that information security and privacy are integrated into all information systems development activities.

Page 5:

Course Introduction

Course Objectives

At the end of this course you will be able to:

• Define information security and emerging threats.

• Identify governing bodies and legislative drivers for protecting information security.

• Define privacy and why it is important to protect your assets and investments.

• Understand your role and responsibilities as an HHS executive in the areas of information security and privacy.

• Identify where to locate HHS information security resources.

Page 6:

Information Security Overview

What is Information Security?

Information Security – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

• Achieved through implementing technical, management, and operational measures designed to protect the confidentiality, availability, and integrity of information.

• The goal of an information security program is to reduce, manage, and understand the risk to information under the control of the organization.

In the 21st century, information assets have become a great source of value and wealth for individuals with malicious intent. Therefore, protection of our information at HHS must be a priority in your day-to-day actions.

Page 7:

Information Security Overview

Key Items to Information Security

• Confidentiality – Protecting information from unauthorized disclosure to people or processes.

• Availability – Defending information and resources from unauthorized or malicious use to ensure information resources are accessible.

• Integrity – Assuring the reliability and accuracy of information and information technology (IT) resources.

Page 8:

Information Security Overview

Information Security Threats

• Threat – The potential to cause unauthorized disclosure, changes, or destruction to an asset.

– Impact: potential breach in confidentiality, unavailability of information, and integrity failure

– Types: natural, environmental, and man-made

Page 9:

Information Security Overview

What is a Cyber Attack?

• Cyber attacks – Attacks that are malicious with the intent to cause major disruptions to our everyday government operations.

• The Department of Defense (DoD) detects three million unauthorized “scans” – attempts by possible intruders to access official networks – every day.

• The Department of Homeland Security (DHS) received 37,000 reports of attempted breaches on government and private systems within Fiscal Year (FY) 2007 – an increase of 54 percent from FY2006.

Page 10:

Information Security Overview

Potential Impacts Resulting from the Loss of Sensitive Information

Failure to exercise due diligence in protecting sensitive information can result in:

– Reputation damage for HHS;

– Loss of trust in HHS;

– Legal ramifications for HHS;

– Loss/misuse of sensitive information;

– Injury or damage for those who have had their private information exposed; and

– Potential financial ramifications for those affected.

Page 11:

Security Policy and Governance

Federal Government Governance

The following governing bodies are responsible for providing legislative guidance to protect Federal information and systems.

US Congress

• Created the E-Government Act of 2002 (H.R. 2458/S.803)

• Title III of the E-Government Act of 2002 (Public Law 107-347, 116 Stat. 2899) details the Federal Information Security Management Act (FISMA) of 2002

Office of Management and Budget (OMB)

• Evaluates agency effectiveness of programs, policies, and procedures

• Improves administration management through developing performance measures

National Institute of Standards and Technology (NIST)

• Develops and issues standards, guidelines, and other publications to assist federal agencies in implementing security requirements

*See Appendix for a list of HHS security and privacy information resources.

Page 12:

Security Policy and Governance

Departmental Governance – HHS Cybersecurity Program

• HHS Cybersecurity Program is our Department’s information security program.

• HHS Headquarters (HQ) sets programmatic direction by developing standards and guidance, providing an enterprise-wide perspective, facilitating coordination among key stakeholders, and supporting streamlined reporting and metrics capabilities.

• Operating Divisions (OPDIVs) implement programs that meet specific business needs, provide business/domain expertise, participate in establishing an enterprise-wide baseline, manage implementation at the OPDIV level, and manage ongoing operations.

• HHS Cybersecurity Program oversight is provided by the Office of the Chief Information Officer (CIO) and Chief Information Security Officer (CISO).

Page 13:

Privacy Protection

What is Privacy?

• Privacy – A set of fair information practices to ensure that an individual’s personal information is accurate, secure, and current, and that individuals know about the uses of their data.

• Personally identifiable information (PII) – Any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains.

Page 14:

Privacy Protection

HHS’ Role in Protecting Sensitive Information

• Protect the personal information of individuals.

• Protect individuals from harm that might be imposed upon them if certain information were to be released without their consent.

• Sensitive information in transit should be encrypted.

• Encrypt devices containing PII and all other sensitive information, such as financial and personnel data, with federally approved encryption software.

Page 15:

Security and Your Business

How Does Security Have An Impact on My Business?

• Enterprise Performance Lifecycle (EPLC)

• Capital Planning and Investment Control (CPIC)

• Training & Awareness

• Contract Oversight

• Inappropriate Behavior

• Incident Reporting

Page 16:

Security and Your Business

Enterprise Performance Lifecycle

• EPLC is HHS’ IT project management methodology. It incorporates best government and commercial practices through a consistent and repeatable process, and provides a standard structure for planning, managing, and overseeing IT projects over their entire life cycle.

• Maximizes project and investment alignment with Departmental and OPDIV strategic goals.

• Security must be incorporated in all phases of EPLC in order to reduce system risk and enhance the confidentiality, integrity and availability of HHS IT systems.

Page 17:

Security and Your Business

Enterprise Performance Lifecycle

• For more information on the EPLC framework see “Appendix E: Security Deliverables” of the Enterprise Performance Life Cycle Framework

Page 18:

Security and Your Business

Security and the Capital Planning and Investment Control (CPIC) Process

• CPIC – The primary process for making investment decisions, assessing investment process effectiveness, and refining related policies and procedures.

• Ensures fiscal accountability of Exhibit 300 business cases.

• Integrate information security into the CPIC process to avoid budgeting ramifications.

• Utilize the EPLC framework to strengthen measurable results for IT investments.

Page 19:

Security and Your Business

Security Training & Awareness

• All system users must complete mandatory security awareness training and privacy awareness training before receiving system access.

• Security awareness training and privacy awareness training must be taken every year by employees, contractor personnel, interns, and other non-government employees conducting business for or on behalf of the Department through contractual relationships or memoranda of agreement when using IT resources.

• Role-based training (RBT) is also required for individuals with significant security responsibilities (SSR).

Page 20:

Security and Your Business

Contracts and Contractors

Executives must ensure that contracts and contractors support the security environment.

• Contracts must include applicable security requirements. See the Security and Privacy Considerations to Guide IT Procurement (in development) for more information.

• Contractors must fulfill security training requirements.

• Non-disclosure agreements (NDA) must be signed by all with access to sensitive information.

• Reference the HHS Contractor Oversight Guide for detailed information pertaining to adaptable oversight directions.

Page 21:

Security and Your Business

What is Inappropriate Behavior?

• Employees are permitted limited personal use of HHS IT resources. This personal use shall not result in loss of employee productivity, interference with official duties, or other than “minimal additional expense” to HHS.

• Viewing inappropriate websites, gambling online, and installing unauthorized software are considered inappropriate behavior.

• Refer to the HHS Information Resource Management (IRM) Policy for Personal Use of Information Technology Resources for guidance on sanctions for misuse.

• Refer to the HHS Rules of Behavior (HHS Rules) and your local OPDIV procedures.

Page 22:

Security and Your Business

Incident Handling

• Encourage compliance with, and awareness of, applicable Department policies:

– HHS Incident Notification Process

– HHS Information Resource Management (IRM) Policy for Establishing an Incident Response Capability

– Updated Departmental Standard for the Definition of Sensitive Information

– Standard for Encryption

• Contact your OPDIV CISO or Incident Response Team (IRT) to verify local incident notification procedures.

Page 23:

Course Summary

Summary of the HHS Executive’s Security Role

• Help employees understand why security and privacy are important and empower them to make protecting the information, health, safety, and well-being of the American people their personal mission.

• Incorporate security into your management philosophy – make it a routine topic in staff meetings and when making management decisions.

• Allocate resources to ensure that systems are adequately protected to prevent compromise of sensitive information.

• Ensure that employees receive the training they need and are held accountable for protecting sensitive information.

• Heighten awareness on how to quickly identify sensitive data and how to handle this data on a day-to-day basis.

• Ensure that information security and privacy are integrated into all information systems development activities.

• Ensure that security is included in all contracts.

Page 24:

Course Summary

You should now be able to:

• Define information security and emerging threats;

• Identify governing bodies and legislative drivers for protecting information security;

• Define privacy and why it is important to protect;

• Understand your role and responsibilities as an HHS executive in the areas of information security and privacy; and

• Identify where to locate HHS information security resources.

Page 25:

Congratulations

Congratulations! You have completed the Information Security for Executives course.

Page 26:

Appendix

HHS Resources

Information pertaining to HHS policy and guidance can be located by accessing the following links:

• OCIO Policy

• HHS Cybersecurity Program Online

Page 27:

Appendix

HHS Resources (Continued)

Federal compliance can be accessed using the following links:

• Public Law 93-579, U.S. Code 532(a), the Privacy Act (1974), http://www.justice.gov/opcl/privacyact1974.htm

• OMB Circular A-130, Management of Federal Information Resources, http://www.whitehouse.gov/omb/circulars_a130_a130trans4/

• Public Law 104-106 [40 USC Section 1401 (1996)], Information Technology Management Reform Act (Clinger-Cohen Act), http://www.cio.gov/Documents/it_management_reform_act_Feb_1996.html

• Health Insurance Portability and Accountability Act (HIPAA), http://www.cms.gov/HIPAAGenInfo/

Page 28:

Appendix

HHS Resources (Continued)

Federal compliance can be accessed using the following links:

• Health Information Technology for Economic and Clinical Health Act (HITECH), http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf

• Public Law 107-347, Federal Information Security Management Act of 2002 (FISMA), supersedes the Computer Security Act (1987), http://csrc.nist.gov/drivers/documents/HR2458-final.pdf

• Homeland Security Presidential Directive (HSPD) 7 (2003), http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm

• HSPD-12 (2004), http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm

Page 29:

Appendix

Privacy Resources

• Privacy Resource Center – A compilation of privacy resources to help all HHS employees understand privacy and what they can do to protect PII at work and home.

• Privacy Breach Frequently Asked Questions – Outlines frequently asked questions about how to identify and report a privacy breach.

• Privacy Impact Assessment (PIA) Standard Operating Procedures – Outlines the standard approach for conducting a PIA for all Department systems (2010).

• Policy for Information Systems Security and Privacy – Establishes comprehensive IT security and privacy requirements for the IT security programs and information systems of OPDIVs and STAFFDIVs within HHS (2010).

• Access the HHS Cybersecurity Program intranet page for additional guidance.

Page 30:

Appendix

Information Security Requirements

FISMA Statutory Requirements: OMB Budgeting and Reporting Requirements

• OMB Circular A-11, Section 53, Information Technology and E-Government (2007)

• OMB A-130, Appendix III, Security of Federal Automated Information Resources

• OMB Memorandum (M) 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (2003)

• OMB M-04-04, E-Authentication Guidance for Federal Agencies (2003)

• OMB M-05-08, Designation of Senior Agency Officials for Privacy (2005)

• OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

Page 31:

Appendix

Information Security Requirements (Continued)

FISMA Statutory Requirements: NIST Security Standards and Implementation Requirements

• NIST Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems (2002)

• NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems (2010)

• NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems (2010)

• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (2009)

• NIST SP 800-65 Revision 1 (DRAFT), Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC) (2009)

*Read the full NIST documents

Page 32:

Appendix

Information Security Requirements (Continued)

FISMA Statutory Requirements: NIST Security Standards and Implementation Requirements

• Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems (2004)

• FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (2006)

*Read the full FIPS documents

Page 33:

Appendix

Personnel and Physical Security

• Information, personnel and physical security teams at HHS work hand in hand to ensure the security of our information.

• The Office of Security and Strategic Information (OSSI)

– Leads and manages personnel security/suitability, information security, drug testing, and foreign travel/visitor policy for the Department.

– Ensures HHS’ compliance with Homeland Security Presidential Directive 12 (HSPD-12).

• Physical Security – Protects offices, staff, contractors, visitors, and HHS assets; prevents, investigates, and detects crimes; and apprehends offenders.

Page 34:

Appendix

Security Authorization

• OMB requires agencies to assess security controls to determine their overall effectiveness and formally authorize and accept the risk associated with their operation.

• Security Authorization (formerly Certification & Accreditation) is initiated when a system is developed or modified in response to a mission need, business case, operational requirement, or significant change.

• NIST SP 800-53 Rev. 1 establishes government-wide responsibilities for federal computer security, and requires agencies to adopt a minimum set of security controls.
