
Controlled Unclassified Information (CUI) (When Filled In)


This document contains information that may be exempt from public release under the Freedom of Information Act (FOIA) (5 U.S.C. 552); exemption 2 applies. Approval by the Centers for Disease Control and Prevention Document Control Officer, Office of Security and Emergency Preparedness, and the CDC FOIA Officer, prior to public release via the FOIA Office, is required.


Centers for Disease Control and Prevention


<System Name> Draft Risk Assessment Report

Submitted to: Tom Madden, CISO, DHHS/CDC/CIO/OCISO, 4770 Buford Highway, Atlanta, GA 30329

Submitted: ________, 2007


Draft CDC <System Name> Risk Assessment Report Template, Rev 01/01/2007

Version Control
Date Author Version


EXECUTIVE SUMMARY

The Centers for Disease Control and Prevention (CDC) recognizes that the best, most up-to-date health information is without value unless it is pertinent and accessible to the people it is meant to serve. Lockheed Martin Information Technology has been tasked to conduct a risk assessment of the <System Name and Acronym> for the purpose of certification and accreditation (C&A) of <System Name> under DHHS Information Security Program Policy. This Risk Assessment Report, in conjunction with the System Security Plan, assesses the use of resources and controls to eliminate and/or manage vulnerabilities that are exploitable by threats internal and external to CDC. The successful completion of the C&A process results in a formal Authorization to Operate for <System Name>.

The scope of this risk assessment effort was limited to the security controls applicable to the <System Name> system's environment relative to its conformance with the minimum DHHS Information Technology Security Program: Baseline Security Requirements Guide. These baseline security requirements address security controls in the areas of computer hardware and software, data, operations, administration, management, information, facility, communication, personnel, and contingency.

The <System Name> risk assessment was conducted in accordance with the methodology described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. The methodology used to conduct this risk assessment is qualitative, and no attempt was made to determine annual loss expectancies, asset cost projections, or the cost-effectiveness of security safeguard recommendations.

The risk assessment of <System Name> identified (X) vulnerabilities in the areas of Management, Operational and Technical Security. Vulnerabilities are weaknesses that may be exploited by a threat or group of threats. These vulnerabilities can be mitigated by (X) recommended safeguards. Safeguards are security features and controls that, when added to or included in the information technology environment, mitigate the risk associated with the operation to manageable levels. (X) vulnerabilities were rated High, (X) were rated Moderate and (X) were rated Low. A complete discussion of the vulnerabilities and recommended safeguards is found in Section 5 of this report.

The overall <System Name> system security categorization is rated as <Low, Moderate, High> in accordance with Federal Information Processing Standard 199 (FIPS 199). The E-Authentication Assurance Level (EAAL) was rated as (EAAL 1, 2, 3, 4). The following table provides an overview of the vulnerabilities and recommended safeguards for <System Name>. The vulnerabilities are listed by risk level.


<System Name> Risk Matrix

Vulnerability | Risk Level (High, Moderate, Low) | EAAL Transaction | EAAL (1, 2, 3, 4) | Recommended Safeguard
V-1 | Low | N/A | 2 | S-1
V-2 | Moderate | N/A | 2 | S-2

If the safeguards recommended in this risk assessment are not implemented, the result could be modification or destruction of data, disclosure of sensitive information, or denial of service to the users who require the information on a frequent basis.


Table of Contents

1 INTRODUCTION
1.1 Purpose
1.2 Scope
1.3 Mission
RISK ASSESSMENT APPROACH
1.4 Risk Assessment Process
2 SYSTEM CHARACTERIZATION
2.1 System Stewards and Designated Approving Authority
2.2 Functional Description
2.3 System Environment
2.4 System Users
2.5 System Dependencies
2.6 Supported Programs and Applications
2.7 Information Sensitivity
3 THREAT STATEMENT
3.1 Overview
3.2 Enterprise Threat Vector
E-Authentication
3.3 Overview
3.4 Determining Potential Impact of Authentication Errors
3.5 E-Authentication Analysis
4 RISK ASSESSMENT / EAAL RESULTS
5 SUMMARY
APPENDIX A Enterprise Threat Statement
APPENDIX B NIST SP 800-53, Revision 2, Security Baseline Worksheet
APPENDIX C Risk Calculation Worksheet
APPENDIX D Risk Mitigation Worksheet


1 INTRODUCTION

1.1 Purpose

The purpose of this risk assessment is to evaluate the adequacy of <System Name and Acronym> security. This risk assessment provides a structured qualitative assessment of the operational environment. It addresses sensitivity, threats, vulnerabilities, risks and safeguards. The assessment recommends cost-effective safeguards to mitigate threats and the associated exploitable vulnerabilities.

1.2 Scope

This risk assessment assessed the system's use of resources and controls (implemented or planned) to eliminate and/or manage vulnerabilities exploitable by threats internal and external to the Centers for Disease Control and Prevention (CDC). If exploited, these vulnerabilities could result in:

- Unauthorized disclosure of data
- Unauthorized modification to the system, its data, or both
- Denial of service, denial of access to data, or both to authorized users

This Risk Assessment Report evaluates the confidentiality (protection from unauthorized disclosure of system and data information), integrity (protection from improper modification of information), and availability (loss of system access) of the system. Recommended security safeguards will allow management to make decisions about security-related initiatives.

1.3 Mission

The <System Name> mission is to …


RISK ASSESSMENT APPROACH

This risk assessment was conducted using the guidelines in NIST SP 800-30, Risk Management Guide for Information Technology Systems. The assessment is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity, and availability. The assessment recommends appropriate security safeguards, permitting management to make knowledge-based decisions about security-related initiatives. The methodology addresses the following types of controls:

Management Controls: Management of the information technology (IT) security system and the management and acceptance of risk.

Operational Controls: Security methods focusing on mechanisms implemented and executed primarily by people (as opposed to systems), including all aspects of physical security, media safeguards, and inventory controls.

Technical Controls: Hardware and software controls providing automated protection to the system or applications. (Technical controls operate within the technical system and applications.)

1.4 Risk Assessment Process

This section details the risk assessment process performed during this effort. The process is divided into pre-assessment, assessment, and post-assessment phases.

1.4.1 Phase I – Pre-Assessment

Step 1: Define the Nature of the Risk Assessment

This initial risk assessment provides an independent review to help CDC determine the appropriate level of security required for the system and to support the development of a System Security Plan for <System Name>. The review also provides the information required for the Chief Information Security Officer (CISO) and the Designated Approving Authority (DAA, also known as the Authorizing Official) to make an informed decision about authorizing the system to operate. The risk assessment is based on interviews, documentation and, as necessary, some automated technical review.

Step 2: Data Collection

The data collection phase included identifying and interviewing key personnel within the organization and conducting document reviews. Interviews focused on the operating environment. Document reviews provided the risk assessment team with the basis on which to evaluate compliance with policy and procedure.

Step 3: Templates

The following templates were used by the risk assessment team and are included in the appendices:

NIST SP 800-53, Revision 2, Security Baseline Worksheet: Completed by the analysts using information extracted from questionnaires and interviews.


Risk Calculation Worksheet: Converts the raw vulnerabilities into risks based on the following methodology:

- Categorizing vulnerabilities
- Pairing with threat vectors
- Assessing the probability of occurrence and possible impact
- E-authentication assessment
- Determining e-authentication EAAL threat vectors

Risk Mitigation Worksheet: Lists the risks and the associated recommended controls to mitigate these risks for the Business Steward to review. The Business Steward is responsible for formally accepting each recommended control or rejecting it and providing an alternative. For each rejected recommendation, the CDC Business Steward must note that the risk is to be accepted as residual risk. The Certification Agent (CA) (for the CDC this is the CDC CISO) will, at the same time or shortly thereafter, evaluate the Business Steward's selections and agree to each (e.g., accepting the risks and chosen recommended controls) or will negotiate an alternative mitigation, while reserving the right to override the Business Steward's decision and incorporate the proposed recommended control into the Plan of Action and Milestones (POA&M).

1.4.2 Phase II – Assessment

Step 1: Document Review

The assessment phase began with the review of documents provided by the members of the CDC <System Name> system team. Detailed interviews with members of the CDC <System Name> system team allowed completion of the system questionnaire and identification of specific threats inadequately identified in the Enterprise Threat Statement.

Step 2: System Characterization

In this step, the analyst defined the boundaries of the IT system, along with the resources that constitute the system, its connectivity, and any other elements necessary to describe the system. Dependencies were clarified. Sensitivity of the system and data is discussed in the final section of the characterization.

Step 3: Threat Identification

The risk assessment team used the CDC Enterprise Threat Statement and NIST SP 800-30 as the basis for threat identification. Through the interview process, it also identified "most likely" system- and location-specific threats.

Step 4: Vulnerability Identification

In this step, the risk assessment team developed a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat vectors. The NIST SP 800-53, Revision 2, Security Baseline Worksheet (Appendix B of the Risk Assessment Report) documents vulnerabilities extracted from interviews and documents, and lists them by category.

Step 5: Risk Determination (Calculation/Valuation)

In this step, the risk assessment team determined the degree of risk to the system. In some cases, a series of vulnerabilities combined to create the risk. In other cases, a single vulnerability created the risk. The determination of risk for a particular threat source was expressed as a function of the following:

Likelihood Determination: The following governing factors were considered when calculating the likelihood that a potential vulnerability might be exploited in the context of the associated threat environment:

- Threat source motivation and capability
- Nature of the vulnerability
- Existence and effectiveness of current controls

The following table defines the likelihood determinations.

Table (X): Likelihood Definition

Level | Likelihood Definition
High | The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Moderate | The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low | The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Impact Analysis: The next major step in measuring the level of risk was to determine the adverse impact resulting from successful exploitation of a vulnerability. The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals:

- Loss of Confidentiality – Impact of unauthorized disclosure of sensitive information (e.g., Privacy Act data)
- Loss of Integrity – Impact if system or data integrity is lost through unauthorized changes to the data or system
- Loss of Availability – Impact to system functionality and operational effectiveness

Table (X): Impact Definition

Magnitude of Impact | Impact Definition
High | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.
Moderate | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
Low | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; or (2) may noticeably affect an organization's mission, reputation, or interest.

Risk Determination: The following were used to assess the level of risk to the IT system:

- The likelihood that a given threat source will attempt to exercise a given vulnerability
- The magnitude of the impact should a threat source successfully exercise the vulnerability
- The adequacy of planned or existing security controls for reducing or eliminating risk

The following table provides a definition for the risk levels. These levels represent the degree of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised.

Table (X): Risk Level Definition

Risk Level | Risk Level Definition
High | There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Moderate | Corrective actions are needed, and a plan must be developed to incorporate these actions within a reasonable period of time.
Low | The system's Authorizing Official must determine whether corrective actions are still required or decide to accept the risk.
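The Step 5 procedure (a likelihood rating from the threat source and the state of current controls, an impact rating per security objective, and a risk level from the pair) can be carried out mechanically, which is how the Risk Calculation Worksheet turns raw vulnerabilities into the rows of the Executive Summary matrix. The Python below is an added example written for this page, not code from the CDC template or its appendices. The risk-level matrix weights come from NIST SP 800-30 (2002), Table 3-6, which the report cites but does not reproduce; the rule for collapsing per-objective impacts into one impact rating is an assumption stated in the code; and the vulnerabilities, threat-vector labels and safeguards in SAMPLE are constructed, not findings from any CDC system.

```python
"""Qualitative risk determination as in Section 1.4.2, Step 5 (added example).

Likelihood and impact are rated High/Moderate/Low using the two tables above;
the pair is converted to a risk level with the risk-level matrix from
NIST SP 800-30 (2002), Table 3-6.  SAMPLE is constructed data.
"""
from dataclasses import dataclass, field

LEVELS = ("Low", "Moderate", "High")
# SP 800-30 Table 3-6 weights: likelihood 1.0/0.5/0.1, impact 100/50/10.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Moderate": 50, "Low": 10}


def likelihood(threat_motivated_and_capable: bool, controls: str) -> str:
    """Apply the Likelihood Definition table.

    controls is "ineffective" (controls do not stop exploitation), "impede"
    (controls in place may impede it) or "prevent" (controls prevent or
    significantly impede it).  For natural or environmental threat sources,
    read the first argument as "the event is realistic for this site".
    """
    if controls not in ("ineffective", "impede", "prevent"):
        raise ValueError(f"unknown control effectiveness: {controls!r}")
    if not threat_motivated_and_capable or controls == "prevent":
        return "Low"
    if controls == "impede":
        return "Moderate"
    return "High"


def impact(losses: dict) -> str:
    """Rate impact as the highest level among the objectives the vulnerability
    would compromise, e.g. {"confidentiality": "High", "integrity": "Low"}.
    Assumption: the report rates impact per objective but does not say how to
    combine them; the high-water mark is the conservative choice."""
    if not losses:
        raise ValueError("a vulnerability must affect at least one objective")
    return max(losses.values(), key=LEVELS.index)


def risk_level(likelihood_level: str, impact_level: str) -> str:
    """SP 800-30 risk scale: >50 to 100 High, >10 to 50 Moderate, 1 to 10 Low."""
    score = LIKELIHOOD_WEIGHT[likelihood_level] * IMPACT_WEIGHT[impact_level]
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


@dataclass
class Vulnerability:
    description: str
    threat_vector: str             # pairing from the Enterprise Threat Statement
    motivated_and_capable: bool    # threat source motivation and capability
    controls: str                  # existence and effectiveness of current controls
    losses: dict = field(default_factory=dict)  # objective -> impact level
    safeguard: str = ""            # recommended safeguard


def risk_matrix(vulns):
    """Rows (vulnerability ID, risk level, safeguard ID, description, safeguard),
    ordered High, Moderate, Low as in the Executive Summary table."""
    rows = []
    for n, v in enumerate(vulns, start=1):
        lvl = risk_level(likelihood(v.motivated_and_capable, v.controls),
                         impact(v.losses))
        rows.append((f"V-{n}", lvl, f"S-{n}", v.description, v.safeguard))
    return sorted(rows, key=lambda r: -LEVELS.index(r[1]))


def count_by_level(rows) -> dict:
    """Counts for the "(X) were rated High/Moderate/Low" summary sentence."""
    return {lvl: sum(1 for r in rows if r[1] == lvl) for lvl in reversed(LEVELS)}


# Constructed sample findings (hypothetical; not from any CDC assessment).
SAMPLE = [
    Vulnerability("Application servers reach the production database with one "
                  "shared SQL login whose password is known to all developers",
                  "Insider misuse", True, "ineffective",
                  {"confidentiality": "High", "integrity": "Moderate"},
                  "Replace the shared login with per-user Windows authentication"),
    Vulnerability("SAN backups have never been restored in a test",
                  "System and Environmental Failures", True, "impede",
                  {"availability": "Moderate"},
                  "Schedule and document quarterly restore tests"),
    Vulnerability("Data center badge logs are not reviewed",
                  "Violent Acts of Man", True, "prevent",
                  {"confidentiality": "Low"},
                  "Add monthly badge-log review to the Security Steward's duties"),
    Vulnerability("Citrix dial-up gateway has no documented patch schedule",
                  "System and Environmental Failures", True, "ineffective",
                  {"availability": "Low"},
                  "Place the gateway under the enterprise patch process"),
]

if __name__ == "__main__":
    rows = risk_matrix(SAMPLE)
    for vid, lvl, sid, desc, safeguard in rows:
        print(f"{vid:<4} {lvl:<9} {sid:<4} {desc} -> {safeguard}")
    print(count_by_level(rows))
```

Running the block prints the four sample rows in the order the Executive Summary uses. V-4 is the case the matrix makes explicit: a vulnerability that is almost certain to be exercised still rates Low when the only loss is a Low-impact availability hit (1.0 × 10 = 10), so ranking findings by likelihood alone would misplace it.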


Step 6: Risk Mitigation Recommendations

During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, were provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The risk assessment team considered the following factors when recommending controls and alternative solutions to minimize or eliminate identified risks:

- Sensitivity of the data and the system
- Effectiveness of recommended options
- Legislation and regulations
- Organizational policy
- Operational impact
- Safety and reliability

The recommendations are the results of the risk assessment process, and provide a basis by which the CISO and Authorizing Official can evaluate and prioritize controls. The Business Steward will work with the CISO to negotiate the implementation of the recommended controls. At this point, the System Steward can negotiate with the CISO to accept the recommendations for risk mitigation, provide alternative suggestions, or reject the recommendations and accept the risk as residual risk. Their joint decision will form the basis of the POA&M.

1.4.3 Phase III – Post-Assessment

Step 1: Risk Mitigation

The completed POA&M is the product of the Risk Mitigation Worksheet and the specific remedial recommendations to mitigate risk. Because the elimination of all risk is usually impractical, senior management and business stewards should assess the control recommendations, determine the acceptable level of residual risk, and implement those mitigations with the most appropriate, effective, and highest payback.

Step 2: Ongoing Monitoring

The agreed-upon milestones to mitigate the risks are reportable to the Office of Management and Budget (OMB), and the POA&M is the reporting vehicle. The POA&M will be used by the CISO to monitor the successful completion of the milestones.


2 SYSTEM CHARACTERIZATION

2.1 System Stewards and Designated Approving Authority

[Example: The <System Name> system became operational in January 2002 after being renamed from Acquisition Management Automation System (AMAS). It is continuously updated and is presently maintained by System Stewards (Table X) in both the Management Information Systems Branch (MISB) and the Procurement and Grants Office (PGO).]

The following is contact information for the <System Name> System Stewards and DAA.

Table X: System Stewards and Designated Approving Authority (DAA)

Role | Name | Title | Address | Phone | E-mail
Business Steward | | | | |
Security Steward | | | | |
DAA | | | | |

2.2 Functional Description

[Example: The <System Name> system maintains information on the CDC's contracts, bids for services, procurement, and bid award data. Bidding information from contractors is kept private until a contract is awarded. The <System Name> system is a client/server package that enables processing of both large contracts and simplified acquisition procurements (SAP). This Government Off-the-Shelf (GOTS) software package has replaced the Small Purchases Processing System (SPPS) and the Automated Receiving System (ARS). The system was originally developed for the Department of Defense, but was customized for CDC by the BayTech Consulting Group of Annapolis, MD, between 1998 and 2003. Currently, CDC has a contract with DB Consulting Group on site at PGO for further development and maintenance of the system as its full functionality is realized. The original system name, AMAS, was changed to <System Name> to reflect functionality added for CDC. <System Name> is a stand-alone system that has no current real-time interfaces. <System Name> has the following batch interfaces:]


2.3 System Environment

[Example: The <System Name> system environment is a client/server environment consisting of a Microsoft (MS) Structured Query Language (SQL) database built with PowerBuilder programming code. <System Name> contains production data files, application code, and executables. The production data files, consisting of stored procedures and tables, reside on a Clarion storage area network (SAN) attached to a Dell server running Windows 2000 and MS SQL Server 2000. The application code resides on a different Dell server running Windows 2000. Both servers are housed in the Building 15 Data Center at the CDC Clifton Road campus in Atlanta, GA. The <System Name> executables reside on a file server running Windows 2000 or on a local workstation, depending upon the location and job functionality. Users are physically located in multiple locations (multiple campuses in Atlanta, Cincinnati, Pittsburgh, Morgantown, Ft. Collins, Denver, Anchorage, Research Triangle Park, and San Juan). Their desktop computers are physically connected to a wide area network (WAN). Some users connect via a secured dial-up/DSL connection using a Citrix server. Normally, a user connects to an application server in their city that hosts the <System Name> application, and to the shared database server located in Atlanta. All CIOs throughout CDC/ATSDR are users of <System Name>.]

Insert system diagram(s).

Figure 1: <System Name> Diagram

Draft CDC <System Name> Risk Assessment Report Template, Rev 9/1/2005

Table X lists host characterization components for the <System Name> production system.

Table X: <System Name> Host Characterization Components

Host Name | Location | Status | IP Address | Platform | Software | Comments
Example: Aop-irm-msb2 | Clifton | Operational | Not provided | Windows | MS Windows 2000 Server; PowerBuilder |


2.4 System Users

[Example: The primary <System Name> users are customers in PGO; however, <System Name> customers also include the CDC Centers, Offices, and Chief Information Officers (CIOs). The <System Name> system users are listed in Table X; details include the <System Name> system user's name (title), description and responsibilities, and the stakeholders that represent each user's interest in the system.]

Table X: <System Name> System Users

User Category | Access Level (Read/Write/Full) | Number (Estimate) | Home Organization | Geographic Location
Example: Developers | Read/Write | 10 | ABC Group | Atlanta

2.5 System Dependencies

[List specific dependencies.]

Beyond these dependencies, a set of common dependencies was defined to enable boundary definition. A dependency is a telecommunication or information technology interconnection or resource on which the system under review relies for processing, transport, or storage. The relationship between the system in question and its dependencies can directly affect the confidentiality, integrity, or availability of the system or its data. Whenever a system has a dependency, the system inherits the intrinsic risks of the dependent asset. The following CDC information technology resources can be considered dependencies:

- CDC Enterprise Policies
- CDC Enterprise Mid-Tier Data Center
- CDC Network Infrastructures:
  - Center or Information Technology Services Office (ITSO) Local Area Networks
  - Atlanta Metropolitan Area Network
  - CDC Wide Area Network
  - Internet Connectivity
  - DMZ Connectivity
- CDC Enterprise Security Services:
  - CDC Border Firewall
  - CDC Border Router Access Control Lists
  - Network-Based Intrusion Detection Systems
  - E-Mail Gateway Virus Scanning and Attachment Removal
  - RSA SecurID Authentication System
  - Technical Vulnerability Scanning Service (most commonly used for hosts deployed to the DMZ)
- CDC Computer Room Staff, Physical, and Environmental Controls
- CDC Exchange Services:
  - Enterprise E-Mail Gateway Infrastructure with Gateway Virus Protection
  - ITSO or Center Managed Local E-Mail Stores with Server Virus Protection
  - Remote Access Web Mail Services with RSA SecurID Authentication
- CDC Enterprise Continuity of Operations and Disaster Recovery Planning
- CDC Enterprise Mainframe
- CDC Enterprise Windows Domain/Active Directory Environment

2.6 Supported Programs and Applications

The following systems depend on <System Name> to perform or fulfill their function:

2.7 Information Sensitivity

This section provides a description of the types of information handled by <System Name> and an analysis of the sensitivity of the information. The sensitivity of the information stored within, processed by or transmitted by <System Name> provides a basis for the value of the system and is one of the major factors in risk management. FIPS 199 establishes three potential impact levels (Low, Moderate, High) for each of the security objectives (confidentiality, integrity, and availability). The impact levels focus on the potential impact and magnitude of harm that the loss of confidentiality, integrity, or availability (C/I/A) would have on CDC's operations, assets, or individuals. FIPS 199 recognizes that an information system may contain more than one type of information (e.g., privacy information, medical information, financial information), each of which is subject to security categorization. Section 2.7.1 discusses the security categorization/information type(s) for <System Name>.

2.7.1 Security Categorization/Information Type(s)

The security category of an information system that processes, stores, or transmits multiple types of information must be at least the highest impact level that has been determined for any of those information types, for each security objective of C/I/A. The following table depicts the security category/information type for <System Name> as identified in the <System Name> Risk Assessment Report.


Table (X): <System Name> Information Type

Information Type | NIST SP 800-60 Reference | Confidentiality (Low/Moderate/High) | Integrity (Low/Moderate/High) | Availability (Low/Moderate/High)
 | | | |
Overall Rating | | | |

Note: If C/I/A ratings differ from NIST SP 800-60, provide justification and obtain approval from OCISO.

2.7.2 Sensitivity

The following table provides the definitions for the C/I/A ratings for <System Name>.

Table (X): Confidentiality, Integrity, and Availability Defined
Security Objective | Low | Moderate | High
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [44 U.S.C., Sec. 3542] | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity [44 U.S.C., Sec. 3542] | The modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Availability: Ensuring timely and reliable access to and use of information [44 U.S.C., Sec. 3542] | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

The sensiti$ity desi(nation of information processed by <System Name> is .&i'h* #oderate* (o)/+ This .&i'h* #oderate* (o)/ desi(nation is based upon the C,I,A desi(nation of the information type for <System Name> 2.7.3 P'"te ti"n Re>ui'e*ent) 0oth information and information systems ha$e distinct life cycles It is important that the de(ree of sensiti$ity of information be assessed by considerin( the re)uirements for the C,I,A of the information9 the need for system data to be >ept confidentialL the need for the data processed by the system to be accurate# and the need for the system to be a$ailable Confidentiality focuses on the impact of disclosure of system data to unauthori?ed personnel Inte(rity addresses the impact that could be expected should system data be modified or destroyed A$ailability relates to the impact to the or(ani?ation should use of the system be denied 2.7.# P'"te ti"n Re>ui'e*ent 8in7in4)1 Confidentiality5 /!"am#le: <System Name> contains sensiti0e information that could identify a sur0ey #artici#ant. This data requires #rotection from unauthori1ed disclosure. If information contained in <System Name> +ere released to the #u$lic it could result in a loss of #u$lic confidence in the sur0ey2 affect #artici#ation2 and cause a great deal of em$arrassment to the 3D3P Therefore# the unauthori?ed disclosure of <System Name> information could be expected to ha$e a (limited* serious* or severe) ad$erse effect on or(ani?ational operations# or(ani?ational assets# or indi$iduals and the information and protection measures are rated as .(o)* #oderate* &i'h/ "nte'rity5 /!"am#le: <System Name> collects and #rocesses health and nutritional information annually from a re#resentati0e sam#le of the 4. S. #o#ulation. 
Because #u$lic health trends and #olicies de#end on the accuracy of the data collected2 unauthori1ed and unantici#ated modification +ould seriously reduce the accuracy of the sur0ey results5 Therefore# the unauthori?ed modification of <System Name> information could be expected to ha$e a (limited* serious* or severe) ad$erse effect on or(ani?ational operations# or(ani?ational assets# or indi$iduals and the information and protection measures are rated as .(o)* #oderate* &i'h/ Availa-ility5 /!"am#le: If <System Name> +ere una0aila$le for e0en a short #eriod of time2 it +ould ha0e an immediate im#act and +ould affect the efficiency

@o1 K a limited ad$erse effect *oderate K a serious ad$erse effect +i(h K a se$ere or catastrophic ad$erse effect

Controlled Unclassified Information (CUI) (When Filled In)

Controlled Unclassified Information (CUI) (When Filled In) Draft C%C :!ystem ;ame< =is> Assessment =eport Template =e$ 8,5,"//G

+ith +hich 6System 7ame8 ty#ically o#erates5. Therefore# the una$ailability of <System Name> information could be expected to ha$e a (limited* serious* or severe) ad$erse effect on or(ani?ational operations# or(ani?ational assets# or indi$iduals and the information and protection measures are rated as .(o)* #oderate* &i'h/
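The findings above tie a fixed wording ("limited", "serious", "severe") to a rating (Low, Moderate, High) for each of the three security objectives, and the sensitivity designation in 2.7 is then driven by those three ratings. The following script is an added illustration and is not part of the CDC template; it assumes the wording-to-rating key given in the note above and assumes the overall designation is the FIPS 199 high-water mark (the highest of the three objective ratings). The system name and adverse-effect inputs are constructed sample values.

```python
"""Derive protection-requirement ratings and the system sensitivity designation
from the findings wording used in section 2.7.4.

Added example, not CDC template code. Assumptions: limited -> Low,
serious -> Moderate, severe/catastrophic -> High (the page's own key), and the
overall designation is the FIPS 199 high-water mark of the three objectives.
"""
from enum import IntEnum


class Rating(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3

    @property
    def label(self) -> str:
        # "Low", "Moderate", "High" as written in the template
        return self.name.capitalize()


# Wording accepted in a finding sentence -> rating (from the note in 2.7).
ADVERSE_EFFECT_TO_RATING = {
    "limited": Rating.LOW,
    "serious": Rating.MODERATE,
    "severe": Rating.HIGH,
    "catastrophic": Rating.HIGH,
}

OBJECTIVES = ("confidentiality", "integrity", "availability")

# How each finding sentence names the loss of its objective.
LOSS_WORDING = {
    "confidentiality": "unauthorized disclosure",
    "integrity": "unauthorized modification",
    "availability": "unavailability",
}


def rate(adverse_effect: str) -> Rating:
    """Map the adverse-effect wording to a rating; reject wording the key does not define."""
    key = adverse_effect.strip().lower()
    if key not in ADVERSE_EFFECT_TO_RATING:
        raise ValueError(f"unsupported adverse-effect wording: {adverse_effect!r}")
    return ADVERSE_EFFECT_TO_RATING[key]


def system_sensitivity(ratings) -> Rating:
    """High-water mark: the designation is the highest objective rating (assumption)."""
    return max(ratings)


def finding_sentence(system: str, objective: str, adverse_effect: str) -> str:
    """Render the 'Therefore, ...' sentence of 2.7.4 with a consistent rating."""
    rating = rate(adverse_effect)
    return (
        f"Therefore, the {LOSS_WORDING[objective]} of {system} information could be "
        f"expected to have a {adverse_effect} adverse effect on organizational operations, "
        f"organizational assets, or individuals and the information and protection "
        f"measures are rated as {rating.label}."
    )


def assess(system: str, adverse_effects: dict) -> dict:
    """adverse_effects: objective -> wording. Returns ratings, designation and findings."""
    missing = set(OBJECTIVES) - set(adverse_effects)
    if missing:
        raise ValueError(f"no finding for: {sorted(missing)}")
    ratings = {o: rate(adverse_effects[o]) for o in OBJECTIVES}
    return {
        "ratings": {o: r.label for o, r in ratings.items()},
        "sensitivity": system_sensitivity(ratings.values()).label,
        "findings": [finding_sentence(system, o, adverse_effects[o]) for o in OBJECTIVES],
    }


if __name__ == "__main__":
    # Constructed sample input: survey data whose disclosure and modification are
    # serious, while short outages are only a limited inconvenience.
    result = assess("<System Name>", {
        "confidentiality": "serious",
        "integrity": "serious",
        "availability": "limited",
    })
    for line in result["findings"]:
        print(line)
    print("Sensitivity designation:", result["sensitivity"])
```

Because the sentence and the rating come from the same lookup, a findings paragraph can no longer say "serious adverse effect" while the rating box says Low; the mismatch is the most common defect in filled-in copies of this kind of template.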

Controlled Unclassified Information (CUI) (When Filled In)

Controlled Unclassified Information (CUI) (When Filled In) Draft C%C :!ystem ;ame< =is> Assessment =eport Template =e$ 8,5,"//G

3 THREAT STATEMENT

3.1 Overview

NIST SP 800-30 describes the identification of the threat, the threat source and threat action for use in the assessment process. The following is a definition for each:

Threat: The potential for a particular threat-source to successfully exercise a particular vulnerability (a vulnerability is a weakness that can be accidentally triggered or intentionally exploited).

Threat Source: Any circumstance or event with the potential to cause harm to an IT system. The common threat sources can be natural, human or environmental.

Threat Action: The method by which an attack might be carried out (e.g., hacking, system intrusion).

3.2 Enterprise Threat Vector

Acts of Nature: Earthquakes, rain, wind, ice, etc., that threaten facilities, systems, personnel, utilities, and physical operations.

Hazardous Conditions: Fire, chemical and nuclear spills, biological events, structural instability, etc., that threaten facilities, systems, personnel, and operations. May be the result of natural events, environmental control failures, human errors, and/or violent acts.

Dependency Failures: Failure of a system or service outside the direct control of the system owners that harms the system and/or affects its ability to perform. Also includes system worker termination and reassignment actions. Examples include utility failures, downstream processing failures, system administrator or subject matter expert job termination, or the failure of a service or control owned by another part of the organization.

System and Environmental Failures: Failure of a computer, device, application, communication service, or environmental or protective control that disrupts, harms, or exposes the system to harm. Examples include system hardware failures, environmental control failures, and software or data corruption.

Violent Acts of Man: Physical attack or threat of attack on a national, regional, or local level that directly impacts the system and/or its personnel or that results in indirect harm or dependency failure.

Errors and Omissions: Accidental or ill-advised actions taken by personnel (typically insiders) that result in unintended physical damage, system disruption, and/or exposure.

Insider Attack: Actions taken by insiders to harm the organization and its personnel, systems, and/or data and/or that of other parties. Examples include system compromise, escalation of privileges, electronic eavesdropping, password guessing, denial of service, and social engineering.

Insider Abuse and Unauthorized Acts: Unauthorized, illegal, or inappropriate insider acts that cause disruption and/or harm. Although these actions are intentional, computing resources are typically the vehicle used to commit the act rather than its target. Examples include sharing or distribution of copyrighted material, invasion of privacy, exploration of unauthorized computer systems, use of computing resources to harass others, and disregard for security controls.

External Attack: Actions taken by outside parties seeking to harm the organization, its personnel, systems, and/or data and/or that of other parties. Examples include system compromise, data and account harvesting, defacement, computer crime, password guessing, denial of service, and social engineering.

Autonomous Systems and Malicious Code: Automated actions taken by program code or systems that result in harm to the organization, its systems, and/or its data and/or that of other parties. Examples include viruses, worms, and artificial intelligence control or response systems.

Physical Intrusion and/or Theft: Facility compromise and/or theft of physical resources (data, hardcopy output, laptops, systems, access tokens, passwords, etc.) that could directly or indirectly result in harm to the organization or the system.

Legal and Administrative Actions: Actions taken by law enforcement, regulatory, administrative, and/or other parties as a result of illegal acts and failures in due diligence and/or due care, or in seeking recompense for damages incurred by others. Examples include regulatory penalties, criminal and civil proceedings.

Controlled Unclassified Information (CUI) (When Filled In)

Controlled Unclassified Information (CUI) (When Filled In) Draft C%C :!ystem ;ame< =is> Assessment =eport Template =e$ 8,5,"//G

E-AUTHENTICATION

3.3 Overview

NIST SP 800-63 describes the categories of harm and impact as:

- Inconvenience, distress, or damage to standing or reputation
- Financial loss or agency liability
- Harm to agency programs or public interests
- Unauthorized release of sensitive information
- Personal safety
- Civil or criminal violations

Required assurance levels for electronic transactions are determined by assessing the potential impact of each of the above categories using the potential impact values described in FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems." The three potential impact values are:

- Low impact
- Moderate impact
- High impact

The next section defines the potential impacts for each category. Note: If authentication errors cause no measurable consequences for a category, there is "no" impact.

3.4 Determining Potential Impact of Authentication Errors

3.4.1 Potential Impact of Inconvenience, Distress, or Damage to Standing or Reputation:

Low: at worst, limited, short-term inconvenience, distress or embarrassment to any party.
Moderate: at worst, serious short-term or limited long-term inconvenience, distress or damage to the standing or reputation of any party.
High: severe or serious long-term inconvenience, distress or damage to the standing or reputation of any party (ordinarily reserved for situations with particularly severe effects or which affect many individuals).

3.4.2 Potential Impact of Financial Loss

Low: at worst, an insignificant or inconsequential unrecoverable financial loss to any party, or at worst, an insignificant or inconsequential agency liability.
Moderate: at worst, a serious unrecoverable financial loss to any party, or a serious agency liability.
High: severe or catastrophic unrecoverable financial loss to any party; or severe or catastrophic agency liability.

3.4.3 Potential Impact of Harm to Agency Programs or Public Interests

Low: at worst, a limited adverse effect on organizational operations or assets, or public interests. Examples of limited adverse effects are: (i) mission capability degradation to the extent and duration that the organization is able to perform its primary functions with noticeably reduced effectiveness, or (ii) minor damage to organizational assets or public interests.
Moderate: at worst, a serious adverse effect on organizational operations or assets, or public interests. Examples of serious adverse effects are: (i) significant mission capability degradation to the extent and duration that the organization is able to perform its primary functions with significantly reduced effectiveness; or (ii) significant damage to organizational assets or public interests.
High: a severe or catastrophic adverse effect on organizational operations or assets, or public interests. Examples of severe or catastrophic effects are: (i) severe mission capability degradation or loss to the extent and duration that the organization is unable to perform one or more of its primary functions; or (ii) major damage to organizational assets or public interests.

3.4.4 Potential Impact of Unauthorized Release of Sensitive Information

Low: at worst, a limited release of personal, U.S. government sensitive or commercially sensitive information to unauthorized parties resulting in a loss of confidentiality with a low impact as defined in FIPS PUB 199.
Moderate: at worst, a release of personal, U.S. government sensitive or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with a moderate impact as defined in FIPS PUB 199.
High: a release of personal, U.S. government sensitive or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with a high impact as defined in FIPS PUB 199.

3.4.5 Potential Impact to Personal Safety

Low: at worst, minor injury not requiring medical treatment.
Moderate: at worst, moderate risk of minor injury or limited risk of injury requiring medical treatment.
High: a risk of serious injury or death.

3.4.6 Potential Impact of Civil or Criminal Violations

Low: at worst, a risk of civil or criminal violations of a nature that would not ordinarily be subject to enforcement efforts.
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts.
High: a risk of civil or criminal violations that are of special importance to enforcement programs.

3.5 E-Authentication Analysis

Transaction 1: [Example: VPN/Keyfob access does not meet EAAL Level 4 (NIST 800-63) requirements]

Threat Vector                                                  Likelihood   Impact   Risk   EAAL
Inconvenience, Distress, or Damage to Standing or Reputation
Financial Loss
Harm to Agency Programs or Public Interests
Unauthorized Release of Sensitive Information
Personal Safety
Civil or Criminal Violations
Overall Risk Level

Transaction 2: [Example: Privileged-use access]

Threat Vector                                                  Likelihood   Impact   Risk   EAAL
Inconvenience, Distress, or Damage to Standing or Reputation
Financial Loss
Harm to Agency Programs or Public Interests
Unauthorized Release of Sensitive Information
Personal Safety
Civil or Criminal Violations
Overall Risk Level
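Filling in the Likelihood, Impact, Risk and EAAL columns of a transaction table above is mechanical once the scales are fixed, and doing it in code keeps the per-vector risk and the overall assurance level consistent across transactions. The script below is an added example and is not part of the CDC template. It takes the likelihood and impact weights and the Low/Moderate/High risk bands from NIST SP 800-30 (the methodology the template cites; SP 800-30 calls the middle band "Medium", the template says "Moderate"), and the maximum-impact-per-assurance-level table from OMB M-04-04 / NIST SP 800-63, which the page refers to but does not reproduce. The likelihood and impact ratings for the sample transaction are constructed values chosen to match the page's example of a transaction that requires EAAL Level 4.

```python
"""Fill in one e-authentication transaction table: per-vector risk from the
SP 800-30 likelihood x impact matrix, and the required E-Authentication
Assurance Level (EAAL) from the OMB M-04-04 maximum-impact table.

Added example, not CDC template code. Scale weights: SP 800-30 Table 3-6
(likelihood Low 0.1 / Moderate 0.5 / High 1.0; impact Low 10 / Moderate 50 /
High 100; risk Low 1-10, Moderate >10-50, High >50-100).
"""

LEVELS = ("None", "Low", "Moderate", "High")          # ordered as on the page
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Moderate": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"None": 0, "Low": 10, "Moderate": 50, "High": 100}

THREAT_VECTORS = (
    "Inconvenience, Distress, or Damage to Standing or Reputation",
    "Financial Loss",
    "Harm to Agency Programs or Public Interests",
    "Unauthorized Release of Sensitive Information",
    "Personal Safety",
    "Civil or Criminal Violations",
)

# OMB M-04-04 Table 1: the highest impact each assurance level may carry,
# in THREAT_VECTORS order. "None" means the category must show no impact.
MAX_IMPACT_AT_LEVEL = {
    1: ("Low", "Low", "None", "None", "None", "None"),
    2: ("Moderate", "Moderate", "Low", "Low", "None", "Low"),
    3: ("Moderate", "Moderate", "Moderate", "Moderate", "Low", "Moderate"),
    4: ("High", "High", "High", "High", "High", "High"),
}


def rank(level: str) -> int:
    """Position on the ordered scale; raises ValueError for unknown wording."""
    return LEVELS.index(level)


def risk_level(likelihood: str, impact: str) -> str:
    """SP 800-30 qualitative risk: likelihood weight x impact weight, then banded."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score == 0:
        return "None"
    if score <= 10:
        return "Low"
    if score <= 50:
        return "Moderate"
    return "High"


def required_assurance_level(impacts: dict) -> int:
    """Lowest EAAL whose per-category ceilings cover every assessed impact.

    impacts: threat vector -> impact level; vectors not listed count as "None".
    """
    unknown = set(impacts) - set(THREAT_VECTORS)
    if unknown:
        raise ValueError(f"unknown threat vector(s): {sorted(unknown)}")
    for level in (1, 2, 3, 4):
        ceilings = dict(zip(THREAT_VECTORS, MAX_IMPACT_AT_LEVEL[level]))
        if all(rank(impacts.get(v, "None")) <= rank(ceilings[v]) for v in THREAT_VECTORS):
            return level
    raise ValueError("impact profile exceeds the Level 4 ceilings")  # unreachable


def analyze_transaction(name: str, assessment: dict) -> dict:
    """assessment: threat vector -> (likelihood, impact). Returns the filled table."""
    rows = []
    for vector in THREAT_VECTORS:
        likelihood, impact = assessment.get(vector, ("Low", "None"))
        rows.append({
            "threat_vector": vector,
            "likelihood": likelihood,
            "impact": impact,
            "risk": risk_level(likelihood, impact),
        })
    overall = max((r["risk"] for r in rows), key=rank)
    eaal = required_assurance_level({r["threat_vector"]: r["impact"] for r in rows})
    return {"transaction": name, "rows": rows, "overall_risk": overall, "eaal": eaal}


# Constructed sample ratings for the page's Transaction 1 example (remote VPN/Keyfob
# access). A High impact for release of sensitive information forces Level 4.
SAMPLE_TRANSACTION = {
    "Inconvenience, Distress, or Damage to Standing or Reputation": ("Moderate", "Moderate"),
    "Financial Loss": ("Low", "Low"),
    "Harm to Agency Programs or Public Interests": ("Moderate", "Moderate"),
    "Unauthorized Release of Sensitive Information": ("Moderate", "High"),
    "Personal Safety": ("Low", "None"),
    "Civil or Criminal Violations": ("Low", "Low"),
}


def example() -> dict:
    return analyze_transaction("Transaction 1: VPN/Keyfob access", SAMPLE_TRANSACTION)


if __name__ == "__main__":
    table = example()
    for r in table["rows"]:
        print(f"{r['threat_vector']:<62} {r['likelihood']:<10} {r['impact']:<9} {r['risk']}")
    print("Overall Risk Level:", table["overall_risk"], " Required EAAL:", table["eaal"])
```

The overall risk level is the highest per-vector risk, while the EAAL is the smallest level whose ceilings cover the whole impact profile; the two are deliberately computed separately because a transaction can carry only Moderate risk (low likelihood) and still require Level 4 on the strength of a single High-impact category, which is exactly the situation the page's Transaction 1 example describes.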

4 RISK ASSESSMENT & EAAL RESULTS

Vulnerability 1: (Example: Terminated employees' userIDs are not removed from the system)
Paired Threat(s): Dependency Failures
Overall Risk Rating: Moderate
Recommended Safeguard: (Example: Remove employees' userIDs from the system upon notification of termination.)

Vulnerability 2:
Paired Threat(s): Dependency Failures
Overall Risk Rating: Moderate
Recommended Safeguard:

Vulnerability 2: VPN/Keyfob access does not meet EAAL Level 4 (NIST SP 800-63) requirements
Paired Threat(s): Inconvenience, Distress or Damage to Standing or Reputation
Overall Risk Rating:
Overall EAAL Rating:
Recommended Safeguard: Migrate all remote authentication roles to the CDC secure data network (SDN) or to another mechanism approved by the OCISO.

5 SUMMARY

The following table provides an overview of the vulnerabilities and recommended safeguards for <System Name>.

Table [?]: <System Name> Risk Matrix

Vulnerability   Risk Level [High, Moderate, Low]   EAAL Transaction #   EAAL [1, 2, 3, 4]   Recommended Safeguard
V-1             Low                                N/A                  N/A                 T-1
V-2             Moderate                           2                    2                   T-2

Implementing the recommended safeguards will reduce the overall risk exposure associated with the general vulnerabilities listed above to Low.

APPENDIX A ENTERPRISE THREAT STATEMENT

APPENDIX B NIST SP 800-53, REVISION 2, SECURITY BASELINE WORKSHEET

APPENDIX C RISK CALCULATION WORKSHEET

APPENDIX D RISK MITIGATION WORKSHEET
