1

MISA Model MISA Model

Douglas PetryDouglas Petry

Manager Information Security ArchitectureManager Information Security Architecture

Methodist Health SystemMethodist Health System

Doug.Petry@nmhs.orgDoug.Petry@nmhs.org

402.354.4894402.354.4894

Managed Information Security ArchitectureManaged Information Security Architecture

2

Introduction to MISAIntroduction to MISA

The goal of the MISA model is to provide:The goal of the MISA model is to provide:

Tool to assess the security architectureTool to assess the security architecture 16 Areas of Security16 Areas of Security

Dashboard executive overviewDashboard executive overview Current state of security capabilities. Current state of security capabilities.

3

Introduction to MISAIntroduction to MISA

Additional tools were developed to :Additional tools were developed to :

Provide a method to identify /document the future state of Provide a method to identify /document the future state of our security capabilities.our security capabilities.

Define efficient implementation approaches across the 16 Define efficient implementation approaches across the 16 security areas within the assessment tool.security areas within the assessment tool.

Map and crosswalks to new and existing regulations to Map and crosswalks to new and existing regulations to refine the architecture and align with organizational refine the architecture and align with organizational requirements.requirements.

Provide a metrics or baseline to enable us to modularize Provide a metrics or baseline to enable us to modularize and focus on the levels of security capabilities / and focus on the levels of security capabilities / deficiencies. deficiencies.

Define efficient implementation approaches across the 16 Define efficient implementation approaches across the 16 security areas within the assessment tool.security areas within the assessment tool.

4

Gap Analysis Model Gap Analysis Model

Web

Ser

vers

Web

Ser

vers

App

licat

ion

App

licat

ion

Syst

ems

Syst

ems

e-M

ail

e-M

ail

Net

wor

kN

etw

ork

Infr

astr

uctu

reIn

fras

truc

ture

Ope

ratin

g O

pera

ting

Syst

ems

Syst

ems

Dat

abas

esD

atab

ases

Intr

usio

n In

trus

ion

Det

ectio

nD

etec

tion

Fire

wal

lsFi

rew

alls

Ant

iviru

sA

ntiv

irus

Educ

ate

Educ

ate

Adm

inis

ter

Adm

inis

ter

Mon

itor

Mon

itor

Res

pond

Res

pond

Aud

itA

udit

DocumentationDocumentationPolicies and ProceduresPolicies and Procedures

Essential andEssential andBest PracticesBest Practices

Knowledge GapKnowledge Gap

Compliance GapCompliance Gap

Technology GapTechnology Gap

5

Information Security ArchitectureInformation Security Architecture

What is ISA?What is ISA?

Way to bridge the gapsWay to bridge the gaps

Manage the processesManage the processes

Alignment to business needsAlignment to business needs

Minimize risks without impeding the Minimize risks without impeding the

quality of care to the customerquality of care to the customer

6

ISA –vs.– Managed ISA (MISA)ISA –vs.– Managed ISA (MISA)

Managed ISA, or MISA, provides:Managed ISA, or MISA, provides:

Ongoing review and quality assurance Ongoing review and quality assurance of an ISA with a metrics to track ISA of an ISA with a metrics to track ISA capabilities from a current state to a capabilities from a current state to a future statefuture state

ISA provides system-based ISA provides system-based assessments -- MISA assesses the ISA assessments -- MISA assesses the ISA methodologiesmethodologies

7

ISA –vs.– Managed ISA (MISA)ISA –vs.– Managed ISA (MISA)

ISA provides the framework within which our ISA provides the framework within which our security program aligns with our business security program aligns with our business objectives and involves:objectives and involves:

Organizational InfrastructureOrganizational Infrastructure Policies, Standards, and ProceduresPolicies, Standards, and Procedures Security Baselines and AssessmentsSecurity Baselines and Assessments Training and AwarenessTraining and Awareness ComplianceCompliance

MISA provides the managerial, operational, and MISA provides the managerial, operational, and technical controls necessary to help ensure technical controls necessary to help ensure security.security.

8

Managed ISAManaged ISA

Manage

Measure

Document

MIS

A

ISA

Most security Most security architectures provide architectures provide ample documentation ample documentation on controls, policies, on controls, policies, and procedures. In some and procedures. In some case, metrics are case, metrics are identified for specific identified for specific systems or capabilities.systems or capabilities.

MISA manages and MISA manages and measures the security measures the security capabilities and the capabilities and the architecture.architecture.

9

MISA – Documentation MISA – Documentation

DocumentDocumentManagement ControlsManagement Controls

Operational ControlsOperational Controls

Technical ControlsTechnical Controls

System Security Plan – NIST 800-18System Security Plan – NIST 800-18Business Contingency Plan – NIST 800-34Business Contingency Plan – NIST 800-34Incident Response Capability – NIST 800-3Incident Response Capability – NIST 800-3

10

MISA – Measurement MISA – Measurement

MeasureMeasureAssessmentsAssessments

Internal / External AuditInternal / External Audit

Operational MetricsOperational Metrics

Security Metrics Guide – NIST 800-55Security Metrics Guide – NIST 800-55Security Self Assessment Guide – NIST 800-26 Security Self Assessment Guide – NIST 800-26 CSI – IPAK, NSA IAM, BS 7799, ISO 17799CSI – IPAK, NSA IAM, BS 7799, ISO 17799

11

MISA – Management MISA – Management

ManageManageReview / RefineReview / Refine

CertificationCertification

AccreditationAccreditation

URACURACBS 7799 / ISO 17799BS 7799 / ISO 17799

12

MISA - OverviewMISA - Overview

MISA requires you to :MISA requires you to :

Determine Security CapabilitiesDetermine Security Capabilities Determine Current StateDetermine Current State Determine Future StateDetermine Future State

Develop Route Map to Future StateDevelop Route Map to Future State Identify Key InitiativesIdentify Key Initiatives

Continuous Quality ImprovementContinuous Quality Improvement Re-Assess Current State/Future StateRe-Assess Current State/Future State

13

Security Capability IdentificationSecurity Capability Identification

NIST

Review of Security Controls

Life Cycle

System Secuiryt Plan

Authorized Processing C/A

Risk Management

Physical / Environmental Protection

Production Input/Output Control

Hardware and System Software Maintenance

Contingency Planning

Personnel Security

Documentation

Security Awareness, Training, Education

Identification and Authorization

Incident Response

Data Integrity

Audit Trails

Logical Access Controls

Security Strategy

Security Program Structure

Security Policies, Standards & Guidelines

User Security Awareness

Security Sponsorship

User Security Management

Contingency Planning & Controls

Security Operations

Physical & Environmental Controls

Security Program Resources & Skill Sets

Host Based Security

Internal Network Security

Application Security

Network Perimeter Security

Security Monitoring

Database/Datasets Security

NSA

Information Security Roles & Responsibilities

Identification & Authentication

Session Controls

Account Management

Information Security Documentation

Telecommunications

Auditing

Contingency Planning

Virus Protection

External Connectivity

Configuration Management

Back-ups

Media Sanitization/Disposal

Labeling

Maintenance

Personnel Security

Physical Controls

HIPAA

Security Responsibility

Workforce Security

Security Awareness & Training

Information Access Management

Security Management Process

Contingency Plan

Evaluation

Facility Access Controls

Business Associate Contracts & Agreements

Security Incident Response Procedures

Workstation Security

Device & Media Controls

Audit Controls

Access Controls

Workstation Use

Person or Entity Authentication

Integrity

Sponsorship/Responsibiility

Certification/Accreditation/Evaluation

Documentation

Risk Management

Charter/Plan

End User Controls

Training/Awareness

Audit Controls

Integrity Controls

Information Management

Network/Telecommunications

Contingency Controls

Access Controls

Encryption

Physical/Environmental

Incident Response

Baylor

MISASecurity

Capabilities

Training & Awareness

Transmission Security

14

Security CapabilitiesSecurity Capabilities

C / A – Evaluation

End User Controls Training / Awareness

Integrity Controls

Charter / Plan

Contingency Controls

Incident Response

Physical / Environmental

Encryption

Network / Telecom

Access Controls

Audit Controls

Sponsorship / Responsibility

Information Mgmt

Risk Management

Documentation

Strategic

Tactical

15

ManageManage

MeasureMeasure

DocumentDocument

MISAMISA

16

Information Service Policy StructureInformation Service Policy Structure

Tier 3 PolicySystem Specific

Tier 2 PolicyBusiness Unit / Service

Tier 1 PolicyCorporate

Sys

tem

Adm

inis

trat

or H

andb

ook

Ris

k M

anag

emen

t Gui

de

Sys

tem

Sec

urity

Pla

n

Sys

tem

Con

tinui

ty P

lan

Sys

tem

Inci

dent

Res

pons

e P

lan

17

MISA – TopologyMISA – TopologySystem Security

Plan

BusinessContingency Plan

Incident ResponsePlan

Security Charter

Security Policy

Vision

Mission

Values

CapabilityAssessment

CurrentState

FutureState

Charter / Plan

Audit Controls

Access Controls

Encryption

Integrity Controls

Networks & Telecommunication

Physical / Environmental

Incident Response

Contingency Controls

Training / Awareness

End User Controls

Information Management

Documentation

Risk Management

Certification / Accreditation

Sponsorship / Responsibility

Bas

elin

e /

Ong

oing

Met

rics

SecurityCertification and

Accreditation of ITSystem

Security Handbook

Admin

User

18

ManageManage

MeasureMeasure

DocumentDocument

MISA – TopologyMISA – TopologySystem Security

Plan

BusinessContingency Plan

Incident ResponsePlan

Security Charter

Security Policy

Vision

Mission

Values

CapabilityAssessment

CurrentState

FutureState

Charter / Plan

Audit Controls

Access Controls

Encryption

Integrity Controls

Networks & Telecommunication

Physical / Environmental

Incident Response

Contingency Controls

Training / Awareness

End User Controls

Information Management

Documentation

Risk Management

Certification / Accreditation

Sponsorship / Responsibility

Bas

elin

e /

Ong

oing

Met

rics

SecurityCertification and

Accreditation of ITSystem

Security Handbook

Admin

User

Foundations for Security ProgramFoundations for

Security Program

The DocumentationThe Documentation

19

MISA – TopologyMISA – TopologySystem Security

Plan

BusinessContingency Plan

Incident ResponsePlan

Security Charter

Security Policy

Vision

Mission

Values

CapabilityAssessment

CurrentState

FutureState

Charter / Plan

Audit Controls

Access Controls

Encryption

Integrity Controls

Networks & Telecommunication

Physical / Environmental

Incident Response

Contingency Controls

Training / Awareness

End User Controls

Information Management

Documentation

Risk Management

Certification / Accreditation

Sponsorship / Responsibility

Bas

elin

e /

Ong

oing

Met

rics

SecurityCertification and

Accreditation of ITSystem

Security Handbook

Admin

User

Security Capabilities

Security Capabilities

The MeasurementThe Measurement

ManageManage

MeasureMeasure

DocumentDocument

20

Implementation Road MapImplementation Road Map

I nformation Management

First Month

Assess curent practices

Gather best practiceguides

Determine gaps ininformation managementpractices

Assign members to sub-committee to developdocumentation policy &procedures

Determine gaps interminated employeeremoval process

Second Month

Draft changes made toConfidentiality & NetworkSecurity policies

Update System Accessforms

Update System AccessAuthorization Procedure

Draft informationclassification guide

Third Month

Approve policy changeswith the InformationSystems Committee

Put new System Accessforms on the intranet

Communicate newSystem AccessAuthorization Procedureto Directors & Managers

Finalize informationclassification guide

Fourth Month

Implement training forInformation Systems onnew policies & procedures

Implement training forInternal Audit on newpolicies & procedures

Distribute informationclassification guide to alldepartments

Six Months

Implement inspection ofpolicies & procedures byInternal Audit

Revise procedures &policies as needed

Information ManagementCurrent State

Network SecurityPolicy

System AccessAuthorization Forms

No InformationClassification Guide

System AccessAuthorization Procedure

ConfidentialityPolicy

Future State

Policies updated toreflect best practices

Procedures updated

Classification Guidedeveloped

Information is labeled &disposed of under IAWpolicies & procedures

Information is stored& handled under IAWpolicies & procedures

21

Capability AssessmentCapability Assessment

Metrics Low

Med

ium

Hig

h

Doe

s N

ot A

pply

Not

hing

in P

lace

A L

ittle

in p

lace

Acc

epta

ble

Leve

l

A lo

t in

plac

e

Ful

ly In

tegr

ated

Deposits and withdrawals of tapes and other storage media from the library authorized and logged.

X X X

Audit trails used for receipt of sensitive inputs/outputs. X X X xControls in place for transporting or mailing media or printed output.

X X X

Audit trails kept for inventory management. X X X xActivity involving access to and modification of sensitive or critical files logged, monitored, and possible security violations investigated.

X X X x

Audit trail provide a trace of user actions. X X

Audit trail supporting after-the fact investigations of how, when, and why normal operations ceased to operate.

X X X

Access to online audit logs strictly controlled. X X X

Off-line storage of audit logs retained for a period of time, and if so, is access to audit logs strictly controlled.

X X X x

Separation of duties exist between security personnel who Administer the access control function and those who administer the audit trail.

X X X

Audit trails reviewed frequently X X xAutomated tools used to review audit records in real time or near real time

X X X X x

Suspicious activity investigated and appropriate action taken.X X X

If keystroke monitoring used are users notified of it. X XPhysical security audit team regularly tests and assesses the quality of organization's physical security

X X x

Organization established routine testing, auditing and change management procedures to support the certification process.

X X X

4 8 4 1 0 3 6 5 1 12 1 7

Security Auditing Capabilities Risk Value 28.82%

16. Auditing

Business Implemented Safeguard /

Hig

h P

rio

rity

Bud

gete

d

Doc

umen

tatio

n

Impact AnalysisImpact AnalysisRisk AnalysisRisk Analysis

22

Security CapabilitiesSecurity Capabilities

High Medium Low Capability Risk

1 Charter / Plan 34.25%2 Sponsorship / Responsibility 44.12%3 Certification / Accreditation Evaluation 68.74%4 Risk Management 31.49%5 Documentation 57.11%6 Information Management 48.14%7 End User Controls 74.67%8 Training / Awareness 63.18%9 Contingency Controls 16.41%10 Incident Response 81.44%11 Physical / Environmental Controls 14.51%12 Networks and Telecommunications Controls 11.26%13 Integrity Controls 64.21%14 Encryption 68.49%15 Access Controls 41.71%16 Audit Controls 28.82%

Security CapabilityCurrent Risk Rating

Te

ch

nic

al

Ma

ng

em

en

tO

pe

rati

on

al

23

MISA – TopologyMISA – TopologySystem Security

Plan

BusinessContingency Plan

Incident ResponsePlan

Security Charter

Security Policy

Vision

Mission

Values

CapabilityAssessment

CurrentState

FutureState

Charter / Plan

Audit Controls

Access Controls

Encryption

Integrity Controls

Networks & Telecommunication

Physical / Environmental

Incident Response

Contingency Controls

Training / Awareness

End User Controls

Information Management

Documentation

Risk Management

Certification / Accreditation

Sponsorship / Responsibility

Bas

elin

e /

Ong

oing

Met

rics

SecurityCertification and

Accreditation of ITSystem

Security Handbook

Admin

User

Strategic Initiative Alignment

Strategic Initiative Alignment

The ManagementThe Management

ManageManage

MeasureMeasure

DocumentDocument

24

MISA – TopologyMISA – TopologySystem Security

Plan

BusinessContingency Plan

Incident ResponsePlan

Security Charter

Security Policy

Vision

Mission

Values

CapabilityAssessment

CurrentState

FutureState

Charter / Plan

Audit Controls

Access Controls

Encryption

Integrity Controls

Networks & Telecommunication

Physical / Environmental

Incident Response

Contingency Controls

Training / Awareness

End User Controls

Information Management

Documentation

Risk Management

Certification / Accreditation

Sponsorship / Responsibility

Bas

elin

e /

Ong

oing

Met

rics

SecurityCertification and

Accreditation of ITSystem

Security Handbook

Admin

User

Quality ImprovementQuality Improvement

The RefinementThe Refinement

ManageManage

MeasureMeasure

DocumentDocument

25

Security CapabilitiesSecurity Capabilities

C / A – Evaluation

End User Controls Training / Awareness

Integrity Controls

Charter / Plan

Contingency Controls

Incident Response

Physical / Environmental

Encryption

Network / Telecom

Access Controls

Audit Controls

Sponsorship / Responsibility

Information Mgmt

Risk Management

Documentation

Strategic

Tactical

ManageManage

MeasureMeasure

DocumentDocument

26

Benefit SummaryBenefit Summary

The Bottom Line = MISA provides:The Bottom Line = MISA provides:

A structured approach to a security architectureA structured approach to a security architecture

andand

Consistent tools/methods encourages Consistent tools/methods encourages collaboration and vendor leverage resulting in collaboration and vendor leverage resulting in increased security awareness! increased security awareness!