Final Project

This document outlines ACME Inc.'s implementation of a risk management framework to secure its critical payment system according to NIST guidelines. It categorizes the potential impacts of a breach as low risk based on confidentiality, integrity and availability. It then describes selected security controls for access control, awareness and training, audit and accountability, configuration management, and identification and authentication that were implemented to mitigate risks. Physical and logical access controls were put in place to limit authorized access to payroll data and systems. Training aimed to increase awareness of common social engineering attacks like phishing.


Running Header: Cyber Security Risk Management: Final Project 1

Micah Geertson
CSOL 530
08/22/2019

Cyber Security Risk Management: Final Project

Table of Contents

ACME Inc. Risk Management Framework Strategy
Risk Management Framework Cycle
Impact to ACME INC.’s Payment System
Selected Security Controls
    Access Control
    Awareness and Training
    Audit and Accountability
    Configuration Management
    Identification and Authentication
Security Assessment Report Findings
    Access Control
    Awareness and Training
    Audit and Accountability
    Configuration Management
    Identification and Authentication
Overall Risk
Progress to Date
Authorization Decision
Monitoring
References

ACME Inc. Risk Management Framework Strategy


The purpose of this document is to outline the process behind securing ACME Inc.’s critical systems by utilizing the Risk Management Framework (RMF) in accordance with the National Institute of Standards and Technology’s Special Publication 800-37, Risk Management Framework for Information Systems and Organizations. The following diagram (Figure 1), taken from NIST 800-37, outlines the RMF cycle:

Figure 1 – Risk Management Framework Cycle

It is critical to conceive and implement this RMF cycle effectively. According to NIST, “Without adequate risk management preparation at the organizational level, security and privacy activities can become too costly, demand too many skilled security and privacy professionals, and produce ineffective solutions” (NIST 800-37, 2018). The remainder of this document is dedicated to highlighting the RMF cycle’s application to ACME Inc.’s Payroll System.

Risk Management Framework Cycle

One of the most critical systems in operation at ACME Inc. is the payments system, which is used to collect and disburse funds. The funds are either received or used to procure goods and services. As with any monetary system, there are risks associated with its operation. These risks can be categorized by applying a value of low, moderate, or high to each of three overarching categories: Confidentiality, Integrity, and Availability (CIA). The CIA Triad is formally defined by the Federal Information Security Management Act (FISMA), Chapter 35 Section 3542, and by the Security Categorization Standards in the National Institute of Standards and Technology’s (NIST) Special Publication 800-60 Version 2 Revision 1.

In order to properly identify and implement a risk management framework to protect the ACME Inc. payments system, it is important to identify the components that comprise the system and properly evaluate them according to Federal Information Processing Standard (FIPS) 199 and NIST Special Publication 800-60 Volume II Revision 1. To begin, FIPS 199 defines three categories of risk that are used to define “three levels of potential impact on an organization or individuals should there be a breach of security (i.e. loss of confidentiality, integrity, or availability)” (FIPS 199, 2004).

Impact to ACME INC.’s Payment System


While it is extremely unlikely that any attack on the payment system at ACME INC. will result in a major operational halt or severe injury, this possibility should always be considered when applying a risk assessment to any business asset. Based on the aforementioned criteria, the following security categorization has been applied to the ACME INC. payment system:

Overall Security Categorization: {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)} – LOW



Selected Security Controls

The following sections provide an overview of the implementation of the security controls selected based on the security categorization of low: access control, awareness and training, audit and accountability, configuration management, and identification and authentication.

Access Control

This control will limit both physical and logical access to the payroll system. Proper implementation of this control will ensure that unauthorized users are unable to access business and customer data, unable to manipulate or delete payroll data, and unable to cause physical damage to the systems hosting the payroll service.

Physical Access Control:

- Locks and Proxy Identification Card Scanners will be used to secure the rooms that house the servers running the payroll system services and applications.

- Closed Circuit TVs will be used to record personnel entering and exiting the server rooms. These recordings will also reveal if personnel enter the room by tailgating authorized users.

- Roving Security Guards will be used to ensure that rooms are continually secure and equipment appears to be undamaged.

Logical Access Control:

- Role Based Access Controls (RBAC) will be used to ensure that only authorized personnel are able to log into and interact with the payroll system.

- User accounts will be deactivated upon role changes that no longer carry a business requirement to interact with the payroll system.
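As an added example (not part of the original project), the following Python models the two logical access control points above, role-based permissions and deactivation on role change, and adds a periodic privilege review of the kind the assessment findings below reference under AC-3(8) and AC-6(7); the roles, permission names, and the 90-day review interval are assumed values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed role model for the payroll system (assumed values, not ACME's).
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll:read", "payroll:submit"},
    "payroll_manager": {"payroll:read", "payroll:submit", "payroll:approve"},
    "auditor": {"payroll:read", "audit:read"},
    "warehouse": set(),  # a role with no business need for the payroll system
}


@dataclass
class Account:
    user: str
    role: str
    active: bool = True
    last_reviewed: date = date(2019, 1, 1)
    # Grants outside the role; should be rare and are flagged by the review.
    ad_hoc_grants: set = field(default_factory=set)

    def permissions(self) -> set:
        """Effective permissions: nothing for a deactivated account."""
        if not self.active:
            return set()
        return ROLE_PERMISSIONS.get(self.role, set()) | self.ad_hoc_grants


def check_access(acct: Account, permission: str) -> bool:
    return permission in acct.permissions()


def change_role(acct: Account, new_role: str) -> Account:
    """Revocation on role change: old grants never carry over, and a role
    with no payroll need deactivates the account outright."""
    acct.role = new_role
    acct.ad_hoc_grants.clear()
    if not ROLE_PERMISSIONS.get(new_role):
        acct.active = False
    return acct


def privilege_review(accounts, today: date, max_age_days: int = 90):
    """Review of user privileges: report accounts holding grants beyond their
    role, and active accounts whose last review is older than the interval."""
    findings = []
    for a in accounts:
        if a.ad_hoc_grants:
            extra = ",".join(sorted(a.ad_hoc_grants))
            findings.append((a.user, "grants outside role: " + extra))
        if a.active and today - a.last_reviewed > timedelta(days=max_age_days):
            findings.append((a.user, "privilege review overdue"))
    return findings
```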

Awareness and Training

This control will familiarize ACME Inc. personnel with the malicious cyber tactics commonly used to gain trust or to gain access to areas or systems. Proper implementation of this security control should minimize user susceptibility to social engineering attacks conducted by malicious third parties, including phishing email campaigns, unscheduled technicians attempting to perform system maintenance, and several other common styles of attack (NIST 800-53, F-37).

Social Engineering Training:

- Awareness training will include verification of all email attachments and links directed at personnel within ACME Inc. Users will be made aware of how common phishing attacks are carried out through malicious links and email attachments that can compromise both user credentials and networks.

- ACME Inc. personnel will be trained to report any suspicious activity or insider threats that they see in a timely fashion. This includes unknown personnel roaming the facility and unlocked or propped open doors to equipment rooms.

Audit and Accountability

This control will be used to ensure that proper and adequate access is available to all those who need it in order to interact with the ACME Inc. payroll system. Additionally, it will provide non-repudiation for access to the system (NIST 800-53, F-41).

Auditing:

- Login and session events will be recorded to keep a record of personnel who access and interact with the payroll system.

- Timestamps will be applied to all records to allow for event correlation should an incident occur.

Accountability:

- Non-repudiation will hold personnel accountable for all actions taken utilizing their credentials. This should also prevent account sharing.
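The timestamped login and session records above lend themselves to event correlation. This added example (not from the original document) parses a few constructed audit records, attributes each recorded operation to the credential that performed it, and flags a user holding two concurrent sessions from different hosts, which is the account-sharing pattern the accountability control aims to prevent; the record format and field names are assumed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit records for illustration; not taken from any real system.
# Assumed format: <UTC timestamp> <event kind> key=value ...
SAMPLE_LOG = """\
2019-08-20T08:01:12Z LOGIN user=alice src=10.1.1.20 session=s1
2019-08-20T08:03:40Z ACTION user=alice src=10.1.1.20 session=s1 op=payroll:submit
2019-08-20T08:10:05Z LOGIN user=alice src=10.1.1.57 session=s2
2019-08-20T08:12:00Z ACTION user=alice src=10.1.1.57 session=s2 op=payroll:approve
2019-08-20T08:15:00Z LOGOUT user=alice src=10.1.1.20 session=s1
2019-08-20T09:00:00Z LOGIN user=bob src=10.1.1.31 session=s3
2019-08-20T09:30:00Z LOGOUT user=bob src=10.1.1.31 session=s3
2019-08-20T10:00:00Z LOGIN user=bob src=10.1.1.31 session=s4
"""


def parse_events(text):
    """Turn each record into a dict; the timestamp is parsed under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        fields["kind"] = kind
        events.append(fields)
    return events


def find_overlapping_sessions(events):
    """Return (user, earlier_session, later_session) for each login that
    opened a second session while another was still open from a different
    host. Processing in timestamp order is what makes the overlap provable."""
    open_sessions = defaultdict(dict)  # user -> {session id: source host}
    overlaps = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, sid = e["user"], e["session"]
        if e["kind"] == "LOGIN":
            for other_sid, other_src in open_sessions[user].items():
                if other_src != e["src"]:
                    overlaps.append((user, other_sid, sid))
            open_sessions[user][sid] = e["src"]
        elif e["kind"] == "LOGOUT":
            open_sessions[user].pop(sid, None)
    return overlaps


def actions_by_user(events):
    """Attribute every recorded operation to the credential that performed
    it: the per-user record that non-repudiation depends on."""
    attributed = defaultdict(list)
    for e in events:
        if e["kind"] == "ACTION":
            attributed[e["user"]].append((e["ts"], e["session"], e["op"]))
    return dict(attributed)
```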

Configuration Management

This control will help to provide both an initial “known good” system state and continuous management of the payroll system. By properly configuring the system, the attack surface of the system and application will be greatly reduced (NIST 800-53, F-64).

Configurations:

- Baseline configurations will be applied to all new systems that will utilize the payroll system. These systems will be properly modified to ensure they meet the minimum security configuration standards used by ACME Inc.

- Change control management will be utilized to ensure that all changes made to the payroll system that can affect functionality are approved by leadership prior to execution.

Identification and Authentication

This control will ensure that all those who interact with the payroll system are properly identified through authentication prior to being granted access (NIST 800-53, F-90).

Authentication:

- The payroll system will utilize LDAP/Active Directory to ensure that users are part of the organization and of the proper access group before interaction with the payroll system is granted.

- Session timeouts will be enabled to ensure that users must log in again after periods of inactivity, preventing others from gaining access to the system through unsupervised accounts.
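Added example, not ACME’s code: the directory group check and inactivity timeout described above, simulated in Python with a constructed stand-in for the LDAP/Active Directory lookup; the group DN, the directory entries, and the 15-minute limit are assumed.

```python
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed inactivity limit
# Assumed group DN; a real deployment reads this from configuration.
PAYROLL_GROUP = "CN=Payroll-Users,OU=Groups,DC=acme,DC=example"

# Constructed stand-in for the directory. In production this would be a bound
# LDAP search returning the user's memberOf attribute.
DIRECTORY = {
    "alice": {"memberOf": [PAYROLL_GROUP, "CN=Staff,OU=Groups,DC=acme,DC=example"]},
    "carol": {"memberOf": ["CN=Staff,OU=Groups,DC=acme,DC=example"]},
}


class Session:
    def __init__(self, user, now):
        self.user = user
        self.started = now
        self.last_activity = now
        self.valid = True


def authenticate(user, password_ok, now):
    """Issue a session only if the credential check passed (simulated by the
    caller) and the directory places the user in the payroll access group."""
    entry = DIRECTORY.get(user)
    if not password_ok or entry is None:
        return None
    if PAYROLL_GROUP not in entry["memberOf"]:
        return None  # member of the organization, but no payroll access
    return Session(user, now)


def touch(session, now):
    """Called on every request. Returns True while the session is usable; an
    idle gap longer than IDLE_TIMEOUT invalidates it until the user logs in."""
    if not session.valid:
        return False
    if now - session.last_activity > IDLE_TIMEOUT:
        session.valid = False
        return False
    session.last_activity = now
    return True
```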

Security Assessment Report Findings

During a previous assessment, there was an overall positive review of each of the security controls in place. However, several inadequacies resulted in a non-compliance rating which requires remediation and reassessment. The following sections describe the results of the assessment.

Access Control

Examination of Access Control using NIST 800-53A Section A revealed several positive marks and two marks against compliance.

Compliant: Access Control Policy and Procedures, Account Management, Information Flow Enforcement, Separation of Duties, Unsuccessful Logon Attempts, System Use Notification, Remote Access.

Non-Compliant: Access Enforcement – AC-3(8) Revocation of Access Authorizations; Least Privilege – AC-6(7) Review of User Privileges.

Awareness and Training

Examination of Awareness and Training using NIST 800-53A Section A revealed several positive marks and one mark against compliance.

Compliant: Awareness and Training Policy and Procedures, Role-Based Training, Training Records.

Non-Compliant: Awareness Training – AT-2(3) Social Engineering and Mining.

Audit and Accountability

Examination of Audit and Accountability using NIST 800-53A Section A revealed several positive marks and one mark against compliance.

Compliant: Audit and Accountability Policy and Procedures, Audit Events, Audit Storage Capacity, Time Stamps, Protection of Audit Information, Non-repudiation.

Non-Compliant: Audit Record Retention – AU-11(1) Long-Term Retrieval Capability.

Configuration Management

Examination of Configuration Management using NIST 800-53A Section A revealed several positive marks and no marks against compliance.

Compliant: Configuration Management Policy and Procedures, Baseline Configuration, Configuration Change Control, Configuration Settings, Least Functionality.

Identification and Authentication

Examination of Identification and Authentication using NIST 800-53A Section A revealed several positive marks and no marks against compliance.

Compliant: Identification and Authentication Policy and Procedures, Identification and Authentication (Organizational Users), Device Identification and Authentication, Authenticator Management.

Overall Risk

Despite there being several non-compliant security controls, the ACME Inc. payroll system was subjected to minimal risk and received a potential impact rating of low utilizing the potential impact formula described in Federal Information Processing Standards (FIPS) Publication 199.

Progress to Date

As of this document’s release date, remediation efforts are ongoing for each of the previously specified non-compliant security controls. Audit Control has successfully implemented automated access auditing and is currently working towards creating valid acceptance testing procedures to validate that the system is compliant by November 1st. A joint effort by ACME Inc. security analysts and training coordinators has allowed for a quick rollout of new training material focused on phishing attacks for the Cyber Awareness Training Program. To test the effectiveness of this new material, the security team will conduct a series of internal phishing attempts scheduled for November. Lastly, historical logging retention has been increased to maintain records for 6 months. A test of log availability is scheduled for November 15th and will validate whether logs have successfully been retained past the initial 30 day retention threshold.

Authorization Decision

The NIST 800-30 Revision 1 publication’s Risk Management Framework (RMF) Step 5 states: “Risk assessment results provide essential information to enable authorizing officials to make risk-based decisions on whether to operate those systems in the current security posture or take actions to provide additional security controls” (NIST 800-30, 2012). Based on the potential impact of the discovered non-compliant security controls and their current remediation progress, it is suggested that the Authorization Decision be placed at Interim Approval to Test, which will allow for additional testing of the non-compliant security controls to determine their risks. ACME Inc. should continue validation of the remediated security controls until a reassessment can be conducted in its entirety beginning December 1. Successful completion of this assessment will suggest that the Authorization Decision then be changed to Authorization to Operate.

Monitoring

In order to ensure that all of the aforementioned security controls are properly implemented and continuously operational, an Information Security Continuous Monitoring (ISCM) strategy needs to be implemented in accordance with NIST 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. Key participants in ensuring effective execution of this monitoring plan include Head of Agency: John Doe, Chief Information Officer: Jane Doe, Senior Information Security Officer: Micah Geertson, and Authorizing Official: Micah Geertson. Monitoring of security controls will follow both a traditional schedule (annual, quarterly, monthly, and daily checks) and unannounced, randomly timed checks to ensure minimal bias. It is the goal of the ACME Inc. ISCM strategy to become fully automated by utilizing automation tools that conduct testing and are able to recognize patterns from both a system-level and a human behavioral perspective. The exception to this automation policy will be physical security checks, which require human surveillance and interaction to ensure adequate site protection. Reporting of all results will be conducted on a weekly basis and sent to the Senior Information Security Officer and Chief Information Officer. Additionally, any failures to adhere to or comply with ACME Inc. security policy will be reported to the Authorizing Official, who will make a determination as to whether or not the system is authorized to operate.



References

Department of Commerce. (2004, February). Standards for Security Categorization of Federal Information and Information Systems, Publication 199. Retrieved from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

FIPS. (2004, February). FIPS PUB 199 Standards for Security Categorization of Federal Information and Information Systems. Retrieved July 27, 2019, from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

FIPS. (2006, March). FIPS PUB 200 Minimum Security Requirements for Federal Information and Information Systems. Retrieved July 27, 2019, from https://csrc.nist.gov/csrc/media/publications/fips/200/final/documents/fips-200-final-march.pdf

NIST. (2012, September). NIST SP 800-30 - Guide for Conducting Risk Assessments. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

NIST. (2018, December). NIST Special Publication 800-37 Revision 2 - Risk Management Framework for Information Systems and Organizations. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

NIST. (2017, August). Draft NIST Special Publication 800-53 Revision 5 - Assessing Security and Privacy Controls in Federal Information Systems and Organizations. Retrieved July 27, 2019, from https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

NIST. (2011, September). NIST SP 800-137 - Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

Stine, K., Kissel, R., Barker, W. C., Lee, A., & Fahlsing, J. (2008, August). NIST Special Publication 800-60 Version 2 Revision 1 - Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved July 19, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf
