Select Agent Program Workshop November 2012

Similar documents
Information Systems Security Control Guidance Document

HIPAA Security COMPLIANCE Checklist For Employers

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Data Management Policies. Sage ERP Online

Wellesley College Written Information Security Program

HIPAA Security Alert

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

How To Set Up A National Biological Laboratory Safety And Security Monitoring Program

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Select Agent Program Workshop November 16, Agricultural Select Agent Program (USDA/APHIS) CDC Select Agent Program (HHS/CDC)

The Ministry of Information & Communication Technology MICT

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

How are we keeping Hackers away from our UCD networks and computer systems?

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Office of Inspector General

CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

INFORMATION SECURITY PROGRAM

Policy Title: HIPAA Security Awareness and Training

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Excerpt of Cyber Security Policy/Standard S Information Security Standards

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

Click to edit Master title style

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Better secure IT equipment and systems

University of Aberdeen Information Security Policy

Five keys to a more secure data environment

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

Supplier Information Security Addendum for GE Restricted Data

HIPAA Security. assistance with implementation of the. security standards. This series aims to

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

National Cyber Security Month 2015: Daily Security Awareness Tips

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

Silent Safety: Best Practices for Protecting the Affluent

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

The Protection Mission a constant endeavor

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

System Security Plan University of Texas Health Science Center School of Public Health

Hengtian Information Security White Paper

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange

Cyber Self Assessment

Utica College. Information Security Plan

Computer Security: Principles and Practice

Ovation Security Center Data Sheet

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

A Systems Approach to HVAC Contractor Security

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

PCI Data Security and Classification Standards Summary

PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs

Information Security Addressing Your Advanced Threats

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

OCIE CYBERSECURITY INITIATIVE

Guide to Vulnerability Management for Small Companies

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

HIPAA Information Security Overview

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

So the security measures you put in place should seek to ensure that:

California State University, Sacramento INFORMATION SECURITY PROGRAM

Security Guidance for Select Agent or Toxin Facilities

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

SECURITY CONSIDERATIONS FOR LAW FIRMS

How To Write A Health Care Security Rule For A University

HIPAA Compliance Evaluation Report

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Best Practices For Department Server and Enterprise System Checklist

Small Business Cybersecurity Dos and Don ts. Helping Businesses Grow and Succeed For Over 30 Years. September 25, 2015 Dover Downs

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

Common Cyber Threats. Common cyber threats include:

Responsible Access and Use of Information Technology Resources and Services Policy

Information Security for Managers

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

Transcription:

Select Agent Program Workshop November 2012 Agricultural Select Agent Program (USDA/APHIS) CDC Select Agent Program (HHS/CDC) Bioterrorism Risk Assessment Group (FBI/CJIS)

Information Systems Security Control Robert L. Rice Security Manager U.S. Department of Agriculture Animal and Plant Health Inspection Service Veterinary Services Agricultural Select Agent Program November 16, 2012 Atlanta, GA 2

Agenda Background for Change Key Points Previous Rule Provisions Game Changer The New Look Cyber-security or Information Systems What Information Should be Controlled? The Responsible Official- What to Consider? What is a deficiency? Review Material and Tools Questions 3

Background for Change Executive Order 13486, Strengthening Laboratory Biosecurity in the United States, Working Group, July 2009: Chapter 4- Physical Security. BMBL, 5 th Edition, December 2009: Section VI- Principles of Laboratory Biosecurity (new). Information Security Responsible Research with Biological Select Agents and Toxins, National Research Council, 2009: Chapter 2. Executive Order 13546, Optimizing the Security of Biological Select Agents and Toxins in the United States, July 8, 2010. Federal Experts Security Advisory Panel Recommendations for standards in cyber-security, November 2, 2010, as amended 4

Key Points Information systems control applies to all select agents and toxins. Information systems control is found in Section 11- Security. Sections 11(c) and (c)(1) remain unchanged Must be in the site-specific Security Plan Requires written procedures equal to Physical Security and Inventory control Information systems control is part of Section 14- Incident Response. Section 14(b) remains unchanged 5

Key Points Information systems control is part of Section 15- Training. Section 15(a) remains unchanged Information systems control is part of Section 17- Records. Section 17(b) remains unchanged Regulated Community manages the disposition of Biological Select Agent and Toxin (BSAT) information that is under their control. Application will vary from entity to entity. No right or wrong on how an entity implements its information systems program. 6

Previous Rule Provisions Section 11(c)- The security plan must: (c)(1)- Describe procedures for physical security, inventory control, and information systems control Section 14(b)- The incident response plan must fully describe the entities response procedures for..security breaches (including information systems); Section 15(a)-..under this part must provide information and training on biosafety and security [information systems inclusive]. Section 17(b)- The individual or entity must implement a system to ensure that all records and databases.are accurate, have controlled access 7

SECTION 11(c)(9)

Game Changer New Security Plan provision [E.O. 13546]. Connects Information Systems Control with Information Security. Section 11(c)(9)- Contain provisions for information security that: (i) Ensure that all external connections to systems which manage security for registered space are isolated or have controls that permit only authorized and authenticated users; (ii) Ensure that authorized and authenticated users are only granted access to select agent and toxin related information, files, equipment (e.g. servers or mass storage devices), and applications.; 9

Game Changer (iii) Ensure that controls are in place that are designed to prevent malicious code (such as, but not limited to, computer viruses, worms, spyware) from compromising the confidentiality, integrity, or availability of information systems which manage access to spaces..; (iv) Establish a robust configuration management practice for information systems to include regular patching and updates to operating systems and individual applications; (v) Establish procedures that provide back-up security measures in the event that access control systems, surveillance devices, and/or systems that manage the requirements of Section 17 [records] are rendered inoperable. 10

The New Look

Cyber-security or Information Systems Select Agent and Toxin Regulations. Information systems include: Electronic [cyber] Print [hardcopy application] Term cyber-security is not used in the regulations. Misleading Accounts for only one means of recording and storing information Entity applications. Electronic for everything Strictly hardcopy Combination 12

What Information Should be Controlled? BSAT Information or BSAT Security Information. BSAT Information not covered. Research publications; sharing Working laboratory notes or lab books/journals BSAT Security Information requiring controlled access: Inventory access logs Passwords Entry/Exit access logs SRA rosters Access control systems Security system infrastructure [floor plans, IDS, guards] Entity Security Plan Entity Incident Response Plan 13

What Information Should be Controlled? BSAT Security Information can be characterized as: Information security Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, recording or destruction of data. Concerned with the confidentiality, integrity, and availability of data regardless of the form [electronic or print]. Physical Security for Information Technology (IT) Assets Physically protecting data Dumpster Diving Stealing 14

The Responsible Official- What to Consider? Information Security. Confidentiality- Section 11(c)(9)(ii) Who is an authorized individual Not necessarily an SRA approved person Integrity- Section 11(c)(9)(iii) Who has the capability to access and manipulate data IT administrators; PI s; security Availability- Section 11(c)(9)(iv). Are IT systems functioning properly; regular patching and updates File rooms, file cabinets 15

The Responsible Official- What to Consider? Physical Security for Information Technology (IT) Assets. What informational waste is being disposed of through normal business activity? Are CD s; BSAT research notes no longer useful; documents that contain sensitive information, such outdated inventory, SRA rosters, security plans, etc., being properly destroyed. Management and control of physical security access control devices [Section 11(c)(9)(i)/(v)]. Who s responsible? IT information and security usually work on separate platforms 16

The Responsible Official- What to Consider? Responsible Official Focus: Network security Hardware/Downloadable devices/data storage Physical security for IT Assets 17

The Responsible Official- What to Consider? Network security: Key Points Networked or stand-alone IT application Organizations with an IT department more than likely provides overall IT support [policy and procedures] to an entity s BSAT program IT departments are designed to support the collective IT systems infrastructure RO should not rely solely on IT department(s) in maintaining information security control for their BSAT program RO should have an IT liaison to ensure that patching and updates are performed 18

The Responsible Official- What to Consider? Network security: [continued] Key Points [continued] Verify who has access rights to select agent databases and security systems SRA may be required if person can gain access to BSAT through manipulation of the IT system. IT departments should understand the sensitivity of the organizations BSAT program Third-party contractor IT support Small to moderate size BSAT entity s Require the same level of attention 19

The Responsible Official- What to Consider? Hardware/Downloadable Devices/Data Storage: Key Points Entity should have protocols in place to secure desktop and laptop computers Protocols for safeguarding passwords Servers and mainframes are within controlled space Use of encryption for computers containing BSAT security information for laptops Entity should be wary of the inherent insecurity of ipads, notebooks and similar devices that have information storage and wi-fi capabilities 20

The Responsible Official- What to Consider? Hardware/Downloadable Devices/Data Storage: [continued] Key Points [continued] Have well defined policies and procedures in the entity s overall information systems security control program Downloadable devices can pose an unseen threat Can be hidden from sight, i.e. flash drives Viewed as a non-threat, i.e. BlackBerrys/PDA s Data storage devices that are used for archiving BSAT security information, even on a temporary basis, should be handled and secured as if they were paper hardcopy; i.e., stored in a secured cabinet in a location with appropriate physical security measures 21

The Responsible Official- What to Consider? Physical Security for IT Assets: Key Points Entity should place equal importance to physical security and its application to information systems control Especially if servers and mainframes are remotely located Physical security is more about safeguarding information by securing the space where IT devices are used for BSAT activity, including File cabinets Other equipment that maintain BSAT security information 22

The Responsible Official- What to Consider? Physical Security for IT Assets: [continued] Key Points [continued] Physical security IT platforms must meet the confidentiality, integrity and availability criteria as well, because: IT access controlled security systems is an information database Physical Security IT Assets requiring management controls Card-key [PINS] CCTV IDS All maintain some level of information storage 23

The Responsible Official- What to Consider? Physical Security for IT Assets: [continued] Key Points [continued] Records retention. No BSAT regulation for CCTV records Select Agent Program recommends 45 days Security records require 3 year retention RO should know who provides physical security for their BSAT program. Entity security department Third party support Liaison 24

The Responsible Official- What to Consider? Backup Security Measures: Is a requirement of the new regulations Section 11(c)(9)(v) Access control systems [physical security] Records using IT databases [information security control] Focus is on power outages Alternate power sources, generators, not a requirement of the new regulations Entity needs to determine method of providing backup security. Can take many forms: Uninterrupted Power Source (UPS) with sufficient power to allow for computer shutdowns 25

The Responsible Official- What to Consider? Backup Security Measures: [continued] Automatic data backup Backup hard-drives Save BSAT security information on CD s Post security guards at critical locations Policy and procedures need to be covered in the Security Plan Response procedures need to be covered in the Incident Response Plan Disaster Recovery Plan 26

The Responsible Official- What to Consider? Risk and Incident Management: Information systems security control Integral with the Security Plan Site-specific Subject to vulnerabilities and threat Should be factored in when developing the overall vulnerability and threat analysis for the BSAT program More likely insider threat Easy access to databases Possible external hacker 27

The Responsible Official- What to Consider? Risk and Incident Management: [continued] Physical security component is (should) already be covered under the general provisions of Section 11(c)and 11 (d) Information systems are constantly under attack with no obvious trace Well developed incident response and disaster recovery plan Incident Response- Section 14(b) 28

The Responsible Official- What to Consider? Training: Entity is required to provide security training to all persons with BSAT access approval Training goes beyond safeguarding BSAT from theft, loss or release. Should have modules for information systems controls Based on site-specific analysis and the entity s application of information management Information systems control training is no different than that provided for security, biosafety and incident response. All require planning, implementation, maintenance and evaluation. 29

The Responsible Official- What to Consider? Training: [continued] As applied to the BSAT regulations, an information systems control training module should include: Physical security applications Entry access Sharing of unique means of access Inventory control 30

The Responsible Official- What to Consider? Training: [continued] Information systems control Control of external connections, i.e. who s responsible Only authorized users to information, files and equipment is granted access Controls are in place designed to prevent malicious code [who s responsible] Select agent regulations do not make a distinction between IT based information systems application or a paper base [hard-copy] application. 31

What is a Deficiency? No written provisions for Information Security Control in the Security Plan- Section 11(c)(1) Elements not covered in Section 11(c)(9)- Information Security based on a site-specific risk assessment No provisions for information systems security breaches per Section 14(b)- Incident Response No provisions regarding information systems security control in the entity s training program- Section 15(a) No defined system to ensure that all records and databases are accurate, have controlled access, and that their authenticity may be verified- Section 17(b). 32

Review Material and Tools Information Systems Security Control Guidance Document Updated Security Inspection Checklist with new Information Security criteria 33

QUESTIONS? 34

Select Agent Program Workshop November 2012 For more information, please contact the Select Agent Program Telephone: 301-851-3300 (APHIS) or 404-718-2000 (CDC) E-mail: ASAP@aphis.usda.gov (APHIS) or lrsat@cdc.gov (CDC) Web: www.selectagents.gov The findings and conclusions in this report are those of the authors and do not necessarily represent the official position of the Select Agent Program.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information