
Primetime Healthcare Services Inc.

Enterprise Risk Management Process

Prepared for: Mark Johnson (CEO)

Prepared by: Antony Kung’u, Sr. Cyber Security Director

Date: March 12th, 2018

Antony Kungu CSOL530 – Final White Assignment

Table of Contents

Abstract ... 2
Keywords ... 2
Risk Management Framework ... 3
  i. Tier 1 (Organizational level) ... 4
  ii. Tier 2 (mission and business process level) ... 4
  iii. Tier 3 (information system level) ... 4
Step 1: Information System Categorization ... 5
Step 2: Information System Security Controls Selection ... 5
Step 3: Implementing System Security Controls ... 6
Step 4: Assess System Security Controls ... 7
Step 5: Information System Authorization ... 8
Step 6: Information System Continuous Monitoring ... 8
Conclusion ... 9
Bibliography ... 9

CONFIDENTIAL: For Internal Use Only.



Abstract

This document provides guidelines for applying the Risk Management Framework (RMF) to Primetime HealthCare Services Inc. The RMF process has six steps: security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security continuous monitoring. The main function of the RMF is to promote near real-time risk management and ongoing information system authorization through the implementation of strong continuous monitoring processes. It also gives senior leadership the information necessary to make cost-effective, risk-based decisions with regard to Primetime HealthCare Services information systems, and it supports senior leadership's core missions and business functions while integrating sound information security practices into the secure enterprise systems architecture development life cycle (baking in security).

Applying the RMF within Primetime HealthCare Services Inc links risk management processes at the information system level to risk management processes at the organizational level. This helps to establish lines of responsibility and accountability for the security controls deployed within the Primetime HealthCare Services production environment and inherited by those systems (i.e., common controls).

Keywords

Risk management, risk assessment, security authorization, system development life cycle, security control assessment, continuous monitoring, system authorization, security categorization, security control selection, security plan, security assessment report, authorization to operate (ATO), information system owner (ISO), authorizing official (AO), security control assessor (SCA), information owner (IO), information system security manager (ISSM), information system security officer (ISSO), common control provider.

Risk Management Framework

Managing information system related security risks is an intricate, multilayered undertaking that requires the involvement of all Primetime HealthCare Services employees. This ranges from the executive leadership that provides the strategic vision and top-level goals and objectives for Primetime HealthCare Services, to mid-level leaders planning and managing projects, to employees on the front lines developing, implementing, and operating the security systems that support Primetime HealthCare Services core missions and business processes (NIST F. P., 2004). The RMF can be viewed as a holistic activity that is fully integrated into every aspect of Primetime Healthcare Services. Enterprise risk management is addressed at three tiers: the organizational level, the mission and business process level, and the information system level, as shown in the image below.


i. Tier 1 (Organizational level)

This tier deals with the development of a comprehensive governance structure and an enterprise-wide risk management strategy.

ii. Tier 2 (mission and business process level)

This tier deals with mission and business processes and is guided by the risk decisions made at tier 1.

iii. Tier 3 (information system level)

This tier deals with the information system perspective and is guided by the risk decisions made at tier 1 and tier 2.

The Risk Management Framework (RMF) provides an organized and streamlined process that incorporates security and risk management into the secure systems architecture. This helps to ensure that security is baked into the system rather than added on. The RMF process has six sequential steps, as shown in the image below.


Step 1: Information System Categorization

The security categorization of an information system is carried out by the system owner and the Chief Information Security Officer (CISO) in cooperation with various Primetime HealthCare Services personnel. An information system is categorized based on the mission that the system will support (NIST F. P., 2004). During the categorization process, leadership and the involved Primetime HealthCare Services officers determine who will be part of the project, which users will use the system, the boundaries within which the system will operate, and the ports, protocols and services to be configured on the system. Environmental concerns are also addressed in this stage, depending on the threat levels inherent in the different environmental options available.

Information system categorization also determines the levels of identification and authentication, the data types that the system will process, and the system security parameters and testing that will be performed, as prescribed in the FIPS 199 security categorization. The categorization of an information system is based on the impact of a loss of confidentiality (moderate/high), integrity (low/moderate/high), and availability (low/moderate/high) as determined by the threat assessment (NIST F. P., 2004).

Step 2: Information System Security Controls Selection

Information system categorization identifies the security objectives prescribed by FIPS 199. The information system security manager (ISSM) then selects the security control baseline applicable to the information system based on the results of the categorization stage and tailors the controls as needed, by implementing, modifying or tailoring out controls to manage the risk of any unique system conditions. At this point the ISSM and the system owner can begin planning for continuous monitoring (NIST, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, 2014). The selected security controls are documented in the system security plan, which contains an overview of the security requirements for that system. The security requirements are then matched with the selected controls to ensure compliance with laws and regulations such as HIPAA, GLBA, and SOX. The security control assessor confirms that the security requirements are matched with the selected security controls and informs the ISSM (Stine, Kissel, Barker, Lee, & Fahlsing, 2008).
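As an added worked example (not from the white paper and not NIST code), the categorization of Step 1 and the baseline selection of Step 2 in Python: each security objective takes the highest impact across the system's information types, the FIPS 200 high-water mark gives the overall impact level, and that level picks the SP 800-53 baseline to tailor. The information types, their impact values and the `adjustments` mechanism are constructed for illustration.

```python
"""FIPS 199 categorization, FIPS 200 high-water mark and SP 800-53 baseline
selection. Added example: information types, impact values and the adjustment
mechanism are constructed for illustration, not taken from SP 800-60."""
from enum import IntEnum
from typing import Dict, Mapping, Optional, Tuple


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")
Category = Dict[str, Impact]

# Constructed sample: information types handled by one hypothetical
# patient-scheduling system (illustrative values, not SP 800-60 mappings).
INFO_TYPES: Dict[str, Category] = {
    "patient health records": {"confidentiality": Impact.MODERATE,
                               "integrity": Impact.MODERATE,
                               "availability": Impact.LOW},
    "appointment schedule": {"confidentiality": Impact.LOW,
                             "integrity": Impact.LOW,
                             "availability": Impact.MODERATE},
}


def categorize_system(info_types: Mapping[str, Category],
                      adjustments: Optional[Mapping[str, Tuple[Impact, str]]] = None,
                      ) -> Category:
    """Step 1: each objective takes the highest impact across the system's
    information types (FIPS 199). `adjustments` lets the system owner raise
    an objective with a recorded justification (e.g. record aggregation);
    this example never lowers a level."""
    category = {obj: max(t[obj] for t in info_types.values()) for obj in OBJECTIVES}
    for obj, (level, reason) in (adjustments or {}).items():
        if level > category[obj]:
            category[obj] = level
            print(f"raised {obj} to {level.name}: {reason}")
    return category


def high_water_mark(category: Category) -> Impact:
    """FIPS 200: the overall system impact level is the highest of the three."""
    return max(category[obj] for obj in OBJECTIVES)


def select_baseline(category: Category) -> str:
    """Step 2: the SP 800-53 baseline to tailor follows the overall impact level."""
    return f"SP 800-53 {high_water_mark(category).name.lower()} baseline"


def format_category(category: Category) -> str:
    """Render the category in FIPS 199 notation for the security plan."""
    pairs = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"
```

With the sample types alone the system lands on the moderate baseline; raising availability to HIGH through `adjustments` (because the clinic cannot see patients while scheduling is down) moves the whole system to the high baseline, which is the high-water mark effect.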

Step 3: Implementing System Security Controls

The security controls selected in the previous stage on the basis of the threat assessment are implemented as described in the security plan, which acts as a functional description of each control, including its planned inputs, expected behavior and outputs. All security controls are implemented as documented in the security plan. In this stage the threat assessment helps to determine the cost, benefit and risk tradeoffs when selecting one technology over another in order to meet a security control objective. The system owner and the information system security manager also ensure that the mandatory configuration settings are established and implemented on information technology products as stipulated by the security plan. At a bare minimum, the implementation of each security control should address the what, where, who, and how of that control (Stine, Kissel, Barker, Lee, & Fahlsing, 2008).

In this stage, equipment groups are defined according to the location and scope of the project through the creation of an equipment inventory. The security plan is a living document that is always changing and needs review, modification, and plans of action and milestones for implementing security controls. The security plan helps to address the security concerns that arise from changes in personnel, hardware and software upgrades, or changes in operational factors. The information system security officer (ISSO) ensures that system security plans are developed and reviewed before any security certification and accreditation of a system takes place. Contingency planning is also addressed in this stage by outlining specific controls for emergency situations based on the information system security categorization. Threat assessment is an integral part of security planning and security control implementation and calls for reviews to address new threats as they arise.

Step 4: Assess System Security Controls

Conducting security control assessments in parallel with the development/acquisition and implementation phases of the life cycle permits the identification of weaknesses and deficiencies early and provides the most cost-effective method for initiating corrective action. The security assessment plan reflects the types of assessment Primetime HealthCare Services will conduct, e.g. developmental testing and evaluation, independent verification and validation, assessments supporting security authorizations, audits, continuous monitoring assessments and subsequent remediation actions (Rochford, 2017). Risk analysis is an integral part of this stage, as it shows whether the security controls are implemented correctly, operating as intended, producing the desired outcome, and meeting the security requirements.

The risk assessment analyzes the risk elements and documents the results as a report of the tests performed on the system. All risk assessment results are documented in the security assessment report, which contains recommendations for correcting any weaknesses or deficiencies in the implemented security controls (Rochford, 2017). The security assessment report is a very important document, since it determines whether a system will be authorized to operate. The system owner then prepares a plan of action and milestones and combines it with the other necessary documents as part of the system authorization package for the designated authorizing official (DAO).


Step 5: Information System Authorization

System authorization is an important step and is based on the recommendations of the security assessment report produced in the previous stage. The authorize phase of the Risk Management Framework (RMF) is where the DAO decides whether or not to authorize the system for operation, based on the security plan, the security assessment report, and the plan of action and milestones (POA&M) (Rochford, 2017). These provide the DAO, at a minimum, with the necessary information about the risk impact. In the ATO decision task, the Authorizing Official (AO) reviews the accreditation package and makes the decision to grant or deny the authorization to operate (ATO). The project accreditation (with history) records the authorization type granted to a project based on the results of the assessment effort and maintains the project's authorization history. The ATO letter provides the authorization to deploy the information system.

Step 6: Information System Continuous Monitoring

Moore's law says that the processing power of computers will double every two years. Consequently, information systems are in a constant state of change, with upgrades to hardware, software, or firmware and modifications to the surrounding environments where the systems reside and operate. A well-organized and structured approach to managing, controlling, and documenting changes to an information system or its environment of operation is an essential element of an effective security control and continuous monitoring program. Strict configuration management and control processes are established by Primetime HealthCare Services to support continuous monitoring (Piper, 2015). It is important to record any relevant information about specific changes to hardware, software, or firmware, such as version or release numbers, descriptions of new or modified features/capabilities, and security implementation guidance. It is also important to record any changes to the environment of operation for the information system, or changes to the Primetime Healthcare Services risk management strategy or plan. The information system owner and the common control provider use this information in assessing the potential security impact of the changes (Piper, 2015). The following table shows the purpose of continuous monitoring and its subsequent benefits.

Conclusion

Primetime HealthCare Services must now be information security conscious and must develop and implement proper security controls based on the results of internal risk assessments and vulnerability assessments. By conducting a risk assessment and a vulnerability assessment, Primetime HealthCare Services can uncover known weaknesses and vulnerabilities in its existing IT infrastructure, prioritize the impact of these vulnerabilities based on the value and importance of the affected IT and data assets, and then implement the proper security controls and countermeasures to mitigate the identified weaknesses. The resulting risk mitigation will help increase security and reduce the probability of a threat or vulnerability impacting the Primetime HealthCare Services production environment.

Bibliography

NIST. (2006). Minimum Security Requirements for Federal Information and Information Systems. NIST, Department of Commerce. Gaithersburg: Computer Security Division. Retrieved February 12th, 2018, from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf

NIST. (2014). Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. Gaithersburg: NIST Computer Department. Retrieved February 26th, 2018, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

NIST, F. P. (2004). Standards for Security Categorization of. NIST, Department of Commerce. Gaithersburg, MD 20899-8900: National Institute of St. Retrieved February 4th, 2018, from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

Piper, S. (2015). Definitive Guide to Continuous Network Monitoring. Annapolis, MD: CyberEdge Group LLC. Retrieved March 11th, 2018, from http://www.ten-inc.com/presentations/definitive-guide-to-continuous-network-monitoring.pdf

Rochford, K. (2017). Security and Privacy Controls for Information Systems and Organizations. NIST, Department of Commerce. Gaithersburg: Computer Security Division. Retrieved February 12th, 2018, from https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

Stine, K., Kissel, R., Barker, W., Lee, A., & Fahlsing, J. (2008). Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. Computer Security Division - Information Technology Lab, Department of Commerce. NIST. Retrieved February 5th, 2018, from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf