Cybersecurity: Assessment and Authorization
Sam Musa | Cyber Security Adjunct Professor, University of Maryland University College
Prior to exchanging data between federal agencies, Chief Information Security Officers (CISOs) generally ask for the accreditation letter that declares the security categorization of the system. CISOs then determine if the system is safe to store or process data at specific security levels. Likewise, universities should adhere to this security categorization policy prior to exchanging information with other universities.
Security assessment and authorization is the fourth measure that can be applied to protect students’ information and universities’ assets. Assessment and authorization is a two-step process that ensures the security of information systems. Assessment is the process of evaluating, testing, and examining security controls that have been pre-determined based on the data type in an information system. The evaluation compares the current system’s security posture with specific standards. The assessment process ensures that security weaknesses are identified and plans for mitigation strategies are in place. Authorization, on the other hand, is the process of accepting the residual risks associated with the continued operation of a system and granting approval to operate for a specified period of time.
The assessment and authorization process consists of seven major components, which act as a comprehensive framework that integrates information security risks into the organization’s security infrastructure:
1. Assessment and Authorization Policy
The first component is developing a policy that addresses the purpose, scope, responsibilities and management commitment to the C&A initiatives. Procedures then need to be developed to facilitate the implementation of the policy.
2. System Assessment
Assess the overall security posture of the system to determine the impact of the data type and the security holes in the system. Security categorization is also covered in this phase. Security categorization is the process of categorizing the information system and the information processed, stored and transmitted based on impact and severity of data. The integrity of law enforcement data, for example, would be categorized as high, which means additional security controls must be applied.
3. Security Controls
Select a preliminary set of security controls for the information system based on the security categorization above. Security controls can be customized and enhanced as needed based on the organization’s assessment of risks. For example, systems that process sensitive data should use two factors for authentication, such as a common access card and a password. Systems with a low security categorization, on the other hand, may choose to implement one factor for authentication, such as a password only.
4. Interconnect Security Agreement (ISA)
An ISA is a signed agreement between entities that lays out the connection characteristics, security requirements for exchanging information, incident handling procedures, user community, roles and responsibilities, and costs incurred under the agreement.
5. Plan of Action and Milestone (POA&M)
A POA&M is developed to document the residual risks associated with the continued operation of a system. It documents the resources assigned to resolve the security findings within a specific time frame.
6. Certification Letter
Once all steps above have been completed and verified, a certification agent signs a letter, addressed to the CIO, acknowledging that all steps above have been completed and reviewed.
7. Accreditation Letter
The authorizing official grants Authorization to Operate (ATO) to authorize the system operation based on the severity of the residual risks to organizational operations. The letter usually indicates the acceptance of the residual risks on the condition of continuous monitoring and diagnostics of systems’ vulnerabilities.
These seven components encompass the security assessment and authorization process. Once again, universities’ CISOs are highly encouraged to apply and practice the assessment and authorization process prior to exchanging information with other universities or organizations; as a result of applying these processes, students and researchers are granted greater assurance that their sensitive personal and research data are processed, transmitted and stored on secure systems.
Author Perspective: Educator