Published on 2014/11/12

Cybersecurity: Assessment and Authorization

Assessment and authorization of an institution’s security infrastructure is critical to minimizing the threat of breaches.
Federal agencies are required by law to undergo a detailed and systematic security assessment process to demonstrate compliance with security standards. This process is known as the assessment and authorization—or certification and accreditation (C&A)—which gives government agencies and commercial vendors greater assurance that their shared data are stored and processed on a secure and reliable system. Similarly, the assessment and authorization process can be implemented on universities’ systems to give students and scholars greater assurance that their sensitive personal and research data are processed securely.

Prior to exchanging data between federal agencies, Chief Information Security Officers (CISOs) generally ask for the accreditation letter that declares the security categorization of the system. CISOs then determine if the system is safe to store or process data at specific security levels. Likewise, universities should adhere to this security categorization policy prior to exchanging information with other universities.

Security assessment and authorization is the fourth measure that can be applied to protect students’ information and universities’ assets. Assessment and authorization is a two-step process that ensures the security of information systems. Assessment is the process of evaluating, testing, and examining security controls that have been pre-determined based on the type of data in an information system; this evaluation compares the system’s current security posture with specific standards. The assessment process ensures that security weaknesses are identified and that plans for mitigation strategies are in place. Authorization, on the other hand, is the process of accepting the residual risks associated with the continued operation of a system and granting approval to operate for a specified period of time.

The assessment and authorization process consists of seven major components, which act as a comprehensive framework that integrates information security risks into the organization’s security infrastructure:

1. Assessment and Authorization Policy

The first component is developing a policy that addresses the purpose, scope, responsibilities and management commitment to the C&A initiatives. Procedures then need to be developed to facilitate the implementation of the policy.

2. System Assessment

Assess the overall security posture of the system to determine the impact of the data type it handles and the security holes in the system. Security categorization is also covered in this phase. Security categorization is the process of categorizing the information system, and the information it processes, stores and transmits, based on the impact and severity of a compromise of that data. The integrity of law enforcement data, for example, would be categorized as high, which means additional security controls must be applied.

3. Security Controls

Select a preliminary set of security controls for the information system based on the security categorization above. Security controls can be customized and enhanced as needed based on the organization’s assessment of risks. For example, systems that process sensitive data should use two factors for authentication, such as a Common Access Card (CAC) and a password. Systems with a low security categorization, on the other hand, may choose to implement a single authentication factor, such as a password only.

4. Interconnect Security Agreement (ISA)

An ISA is a signed agreement between the connecting entities that lays out the connection characteristics, the security requirements for exchanging information, incident handling procedures, the user community, roles and responsibilities, and the costs incurred under the agreement.

5. Plan of Action and Milestone (POA&M)

A POA&M is developed to document the residual risks associated with the continued operation of a system. It records the resources assigned to remediate each security finding within a specific time frame.

6. Certification Letter

Once all the steps above have been completed and verified, a certification agent signs a letter, addressed to the CIO, attesting that they have been completed and reviewed.

7. Accreditation Letter

The authorizing official grants an Authorization to Operate (ATO), which authorizes operation of the system based on the severity of the residual risks to organizational operations. The letter usually indicates acceptance of the residual risks on the condition of continuous monitoring and diagnostics of the system’s vulnerabilities.
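Steps 2, 3 and 5 above can be made mechanical: categorize the system from the information types it handles, derive the control baseline that categorization demands, and turn every control that is not yet implemented into a POA&M entry. The following is an added example written for this page, not code from the article or from any agency tool. It assumes the three impact levels low/moderate/high, the high-water-mark rule from FIPS 199 (the article describes the categorization step without naming the rule), and a small set of constructed control baselines in which authentication follows the article’s own example (a password only for low, two factors otherwise); everything else in the baselines and the sample system is a constructed assumption.

```python
# Added example (not from the article): security categorization by high-water mark
# and a baseline-control gap check whose output feeds a POA&M. The impact levels,
# the control baselines and the sample system are constructed assumptions.
from dataclasses import dataclass

# Ordered impact levels; the ranking lets us take a maximum ("high-water mark").
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One kind of information the system processes, stores or transmits, with
    the impact a loss of each security objective would have."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        level = getattr(self, objective)
        if level not in IMPACT_RANK:
            raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
        return level


def categorize(info_types):
    """Return per-objective and overall categorization for the system.

    Per objective, the system inherits the highest impact of any information
    type it handles; the overall level is the highest of the three objectives
    (the FIPS 199 high-water-mark rule, assumed here).
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    result = {}
    for objective in OBJECTIVES:
        result[objective] = max((t.impact(objective) for t in info_types),
                                key=IMPACT_RANK.__getitem__)
    result["overall"] = max((result[o] for o in OBJECTIVES),
                            key=IMPACT_RANK.__getitem__)
    return result


# Constructed baseline: controls a system of a given overall level must have in
# place before authorization. Authentication follows the article's example
# (password only for low, two factors above that); the rest are assumptions.
BASELINE_CONTROLS = {
    "low": {"password-authentication", "audit-logging"},
    "moderate": {"two-factor-authentication", "audit-logging", "encryption-in-transit"},
    "high": {"two-factor-authentication", "audit-logging", "encryption-in-transit",
             "encryption-at-rest", "continuous-monitoring"},
}


def required_controls(overall: str):
    """Controls required for the given overall categorization (a fresh copy)."""
    return set(BASELINE_CONTROLS[overall])


def plan_of_action(info_types, implemented_controls, due="TBD"):
    """Categorize the system and build one POA&M entry per missing control.

    Each entry carries the weakness, the control that closes it, and the
    responsible-party/due-date fields the article says a POA&M must record
    (placeholders here; a real POA&M would fill them in).
    """
    category = categorize(info_types)
    missing = required_controls(category["overall"]) - set(implemented_controls)
    entries = [
        {"weakness": f"missing control {control}",
         "control": control,
         "overall_category": category["overall"],
         "responsible": "TBD",
         "due": due}
        for control in sorted(missing)
    ]
    return category, entries


if __name__ == "__main__":
    # Constructed sample system: a records portal that also holds law-enforcement
    # referrals, whose integrity the article categorizes as high.
    sample_types = [
        InfoType("student contact info", "moderate", "low", "low"),
        InfoType("law enforcement referrals", "moderate", "high", "moderate"),
    ]
    cat, poam = plan_of_action(sample_types, {"password-authentication", "audit-logging"})
    print("categorization:", cat)
    for entry in poam:
        print("POA&M:", entry["weakness"], "->", entry["control"])
```

Because the overall level is a maximum, a single high-integrity information type pulls the whole system to high and with it the larger control baseline; that is exactly the effect the article describes for law enforcement data, and it is why the information-type inventory in step 2 has to be complete before the controls in step 3 are chosen.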

These seven components encompass the security assessment and authorization process. Once again, universities’ CISOs are highly encouraged to apply and practice the assessment and authorization process prior to exchanging information with other universities or organizations; as a result of applying these processes, students and researchers are granted greater assurance that their sensitive personal and research data are processed, transmitted and stored on secure systems.


Readers Comments

Anne K. 2014/11/12 at 11:37 am

I’d be interested to know just what is an acceptable level of risk after an assessment process like this. Is this similar to the “five nines” attitude, wherein leftover risk is minuscule? Or are there problems that just come along with managing such vast quantities of data?

    Sam Musa 2014/11/18 at 5:38 pm

    Great question Anne. The acceptable level of risk is totally up to the authorizing official, as he/she is taking all the responsibilities for accepting that risk. Usually the risk level is low, but I have seen CIOs accepting high risks; so, as I said, it is totally up to the authorizing official.

    There is a risk factor matrix that can be used to tell you exactly the risk level. This risk matrix is usually presented by the certifying agent, and again, the authorizing official may accept or deny the system to operate. Usually, authorizing officials like to see some form of compensating controls to the risks, and a well-defined plan on how the residual risk will be totally mitigated.

Brendan Morrow 2014/11/13 at 9:34 am

It’s true, but incidents like the one at Carleton University in Ottawa a couple of years ago, wherein a student hacked into the system and then informed the administration exactly how he did it, illustrate the need for constantly improving security systems. In that case, they expelled the student for hacking instead of thanking him for letting them know just how faulty their security system was. Sad.

    Sam Musa 2014/11/18 at 5:42 pm

    They should have thanked him for discovering the security hole :). In fact, many organizations hire teams just to keep trying to hack into their systems. I have seen other organizations, where they give prizes for people that discover security vulnerabilities in their system – Facebook just did recently.
