Advancing Access to Restricted Data: Regulations, Compliance, Continuous Monitoring. OH MY!!!



Cornell Institute for Social and Economic Research and Cornell Restricted Access Data Center

CISER's mission: "...anticipate and support the evolving computational and data needs of Cornell social scientists and economists throughout the entire research process and data life cycle."

CISER's Suite of Services:
- Hardware: high-performance Windows computing environment
- Software: complete range of software applications
- Data: extensive archive, supplemented by ICPSR and ROPER memberships
- Data use support: training, consultations, research support, data programming services
- Secure data services: tiered secure environments, including administrative support

CRADC: Cornell Restricted Access Data Center
- Established in 1999 as a pilot project
- Sponsored by the National Science Foundation
- Secure computing environment with remote access

CRADC exists to:
- Deliver a high level of customized support
- House and protect restricted research data
- Help PIs comply with the requirements of data distributors
- Provide a computing platform as flexible as data use agreements permit

Multiple Modes of Secure Access:
- Secure rooms / dedicated stand-alone computers
- Secure rooms / thin-client access to remote servers
  - Cornell Census Research Data Center (RDC)
  - Institut für Arbeitsmarkt- und Berufsforschung (IAB)
- Secure remote access

Declining use of public data in research (chart; source: http://obs.rc.fas.harvard.edu/chetty/admin_data_trends.pdf)

Increasing use of restricted data in research (chart; source: http://obs.rc.fas.harvard.edu/chetty/admin_data_trends.pdf)

Secure research project stages:
- Proposal development: security plan, data agreement process
- Project setup: data procurement, account creation
- Ongoing project support: continuous monitoring, audit support
- Project closeout processing: de-provisioning, disposal of data

NIST standards and guidelines referenced (figure): FIPS 199, FIPS 200, SP 800-37, SP 800-53, SP 800-53A, SP 800-137, SP 800-160

NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems:

"The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system."

FIPS 199, Standards for Security Categorization of Federal Information and Information Systems

NIST SP 800-160

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems

NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations:

"The security controls in NIST Special Publication 800-53 are designed to facilitate compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Compliance is not about adhering to static checklists or generating unnecessary FISMA reporting paperwork. Rather, compliance necessitates organizations executing due diligence with regard to information security and risk management. Information security due diligence includes using all appropriate information as part of an organization-wide risk management program to effectively use the tailoring guidance and inherent flexibility in NIST publications so that the selected security controls documented in organization security plans meet the mission and the business requirements of organizations. Using the risk management tools and techniques that are available to organizations is essential in developing, implementing, and maintaining the safeguards and countermeasures with the necessary and sufficient strength of mechanism to address the current threats to organizational operations and assets, individuals, other organizations, and the Nation. Employing effective risk-based processes, procedures, and technologies will help ensure that all federal information systems and organizations have the necessary resilience to support ongoing federal responsibilities, critical infrastructure applications, and continuity of government."

NIST SP 800-160 (Draft), Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems:

"This publication addresses the engineering-driven actions necessary for developing a more defensible and survivable information technology (IT) infrastructure including the component products, systems, and services that compose the infrastructure. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering techniques, methods, and practices into those systems and software engineering processes. The ultimate objective is to address security issues from a stakeholder requirements and protection needs perspective and to use established organizational processes to ensure that such requirements and needs are addressed early in and throughout the life cycle of the system."

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems:

"The purpose of this publication is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. The guidelines have been developed:
- To ensure that managing information system-related security risks is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function);
- To ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes;
- To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk management-related information, and reciprocity; and
- To achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies."

NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations:

"Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance (i.e., is the control implemented in accordance with the security plan to address threats and is the security plan adequate)."

CRADC: gateway to restricted access data at Cornell University.

Questions?
ciser@cornell.edu
cradc@cornell.edu
ciser.cornell.edu