Csol 510 Final Project
Final Project
Table of Contents
Assumptions
Conclusion
References
Executive Summary
These information security objectives are important safeguards that help organizations maintain
industry-standard security policies as well as compliance with regulatory laws or policies. The
purpose of this paper is to recommend cryptographic controls for the standardized information
security operations of the Placebo, Inc. health insurance company. This will enable the company
to secure access to its private corporate and human resources data while working in compliance
with the Protected Health Information (PHI) regulated by the U.S. Health Insurance Portability
The business transactions of the Placebo, Inc. health insurance company revolve around three
parties (customers, employees, and providers). The company workers or employees are
categorized into local and virtual (remote) workers. The local workers perform their duties on-site
while the remote or virtual workers perform theirs remotely. The network architecture for
Placebo, Inc. provides for three types of users: customers (people who buy health insurance from
the company), providers (medical professionals and their staff providing services to the company
customers), and workers (the company employees who perform their duties either locally or
remotely). The above-enumerated users who access the Placebo, Inc. systems need to be subjected
of cryptographic mechanisms is one of the strongest ways to provide security services for
communications, data storage, and other applications.” Applying cryptographic controls correctly
is critical in promoting information security and as such industry standards such as the National
Institute of Standards and Technology (NIST) and the PHI regulated by the HIPAA will be adhered
to by the Placebo, Inc. based on the highlighted recommendations in this document. The following
sections in this document will address the aim of this paper: identify the security goals of
the Placebo, Inc. health insurance company, determine the company’s regulation laws and
compliance requirements, identify the company’s security policies, identify the chief cyber
security threats and risks faced by the company, explain the recommended cryptographic controls
for the company’s network components, identify all assumptions about company’s network,
Security Goals
The following are the core security goals or objectives of the Placebo, Inc. company:
others).
v. Data backup
The Placebo, Inc. health insurance will be regulated by the HIPAA and as such will
be required to be HIPAA compliant. The HIPAA regulation requires the privacy and
such as the Placebo, Inc. In addition, access to health records must be restricted only to
those mandated to access them as specified under the HIPAA privacy and confidentiality
i. The Placebo, Inc. customers have the right to decide who can access their health
ii. All the workforce members of the Placebo, Inc must be trained on its privacy
policies and procedures, as necessary and appropriate for them to perform their
iii. The customers of the Placebo, Inc. reserve the right to obtain a copy of their
iv. The Placebo, Inc. customers have the right to restrict the use and disclosure of
v. The Placebo, Inc. customers reserve the right to have the use and disclosure of
The following security policies will be required for enforcement by the Placebo, Inc.
i. All Placebo, Inc. system users (customers, providers, and workers) must be
ii. An encrypted connection (e.g. HTTPS) should be employed to secure all logins to
iii. Confidentiality of all data, both Placebo, Inc and subscriber data, should be
iv. Data in transit and data at rest must be secured using strong (approved)
v. Regular backup of company data to enable data recovery and retention in the
vi. Encryption of all backups and backups storage should be done in physically and
vii. Encryption of corporate Local Area Network (LAN) and wireless networks using
viii. Personally Identifiable Information (PII) or subscriber (customer) data should not
ix. Physical security of any electronic media and paper containing subscriber data.
xi. Immediate removal of external access to Placebo, Inc databases upon notification
xii. Perform periodic review of users’ access and access rights to make certain that
prevented.
routers, and access control lists should be used to monitor network traffic for
connections to/from the internet or other external network to ensure only properly
The chief cyber security threats against the Placebo, Inc. and against its network
i. Data theft, data modification or alteration, unauthorized data disclosure, and loss
of confidentiality.
ii. Unauthorized Access: an unauthorized user can get access into the network of the
iii. Man-in-the-Middle (MITM) Attack: intruders can eavesdrop on or intercept data in
iv. Malware: a malicious code or program can be inserted into the Placebo, Inc
v. Cyber Espionage: Advanced Persistent Threat (APT) groups can spy on or steal
vi. Distributed Denial of Service (DDoS) Attack: The Placebo, Inc network could be
vii. Internet of Things (IoT) attack surface: multiple devices connected to the Placebo,
Inc internal network via wireless access point (WAP) can increase the potential
attack surface.
viii. Possible lawsuits and trust concerns: the Placebo, Inc, as a result of network
compromise, could face possible lawsuits and loss of trustworthiness from the
customers due to possible data theft, data disclosure, data modification (or
The chief cyber security risks in our opinion are listed below:
ii. Malware
iv. Lawsuits/fines
v. Lack of trust
The recommended cryptographic controls for the Placebo, Inc network components,
along with those recommended (or approved) by NIST include the following:
data integrity and the data source (Barker, 2020). Two-factor authentication is
2020).
ii. Providers: Identification and authentication are required to provide for data
iii. Remote Workers: Identification and authentication are required to provide for
data integrity and data source assurance (Barker, 2020). Two-factor authentication
the Placebo, Inc network. The Transport Layer Security- TLS v1.2 is the strongly
iv. Off-Site Backup: Access to the off-site backup requires identification and
integrity and data source assurance (Barker, 2020). Digital signatures are the
archived to allow for key recovery (should the key information be lost) during the
key’s cryptoperiod (Barker & Barker, 2019). Encryption of backup data with
can be employed such that the firewall is able to determine authenticated users as
well as who has rights or privileges to access specific files or data. In other words,
settings such as the users within the inner firewall can access and modify specific
files while those at the outer firewall are not permitted to have data modification
vi. Web Servers: Identification and authentication are required to provide for data
integrity and data source assurance (Barker, 2020). To access the web servers, the
Placebo, Inc system users need to be identified and authenticated. The use of digital
CRYPTOGRAPHIC CONTROLS RECOMMENDATION 11
(Barker, 2020). The approved digital signature algorithms are Rivest, Shamir, and
Adleman (RSA): 2048, 3072, 7680, 15360 bits, Elliptic Curve Digital Signature
Algorithm (ECDSA): 256, 384, and 512 bits (Barker, 2020). Encryption is the
The Placebo, Inc data in transit and data at rest require encryption. The NIST
approved encryption algorithms (with key sizes, key life span) include: (i)
Symmetric Algorithm- AES: 128, 192, or 256 bits (Barker, 2020), (ii) Asymmetric
(public-key) Algorithm- Rivest, Shamir, and Adleman (RSA): 2048, 3072, 7680,
and 15360 bits (Barker, 2020), and (iii) Cryptographic Hash Algorithm- SHA-1,
SHA-224, SHA-256, SHA-384, and SHA-512: 160, 224, 256, 384, and 512 bits
(Barker, 2020).
vii. Virtual Private Network (VPN): Transport Layer Security- TLS v1.2 is the
viii. Inner Firewall: Access control (identification and authentication) mechanisms can
be employed such that the firewall is able to determine authenticated users as well
as who has rights or privileges to access specific files or data. In other words,
settings such as the users within the inner firewall can access and modify specific
files while those at the outer firewall are not permitted to have data modification
ix. User and Private Data: Encryption, the widely used cryptographic control, is
required to ensure data confidentiality and integrity. The Placebo, Inc data in transit
and data at rest require encryption. The NIST approved encryption algorithms (with
key sizes, key life span) include: (i) Symmetric Algorithm- AES: 128, 192, or 256
bits (Barker, 2020), (ii) Asymmetric (public-key) Algorithm- Rivest, Shamir, and
Adleman (RSA): 2048, 3072, 7680, and 15360 bits (Barker, 2020), and (iii)
512: 160, 224, 256, 384, and 512 bits (Barker, 2020). Also, access to company data
2020). The approved digital signature algorithms are Rivest, Shamir, and Adleman
(RSA): 2048, 3072, 7680, 15360 bits, Elliptic Curve Digital Signature Algorithm
x. Corporate LAN: Transport Layer Security- TLS v1.2 is the strongly recommended
(LUXSCI, 2020). Also, access to company data via corporate local area network
(LAN) requires identification and authentication with the use of digital signatures
approved by NIST.
xi. Wireless Access Point (WAP): Transport Layer Security- TLS v1.2 is the strongly
the network (LUXSCI, 2020). Also, access to company data via WAP requires
NIST.
xii. Corporate Data: Encryption is the widely used cryptographic control to ensure
data confidentiality and integrity. The Placebo, Inc data in transit and data at rest
require encryption. The NIST approved encryption algorithms (with key sizes, key
life span) include: (i) Symmetric Algorithm- AES: 128, 192, or 256 bits (Barker,
2020). The NIST-recommended cryptoperiods (key life spans) for the private signature
key and the symmetric authentication key are a maximum of about one to three years
and no more than two years, respectively (Barker, 2020). (ii) Asymmetric (public-
key) Algorithm- Rivest, Shamir, and Adleman (RSA) - 2048, 3072, 7680, and
15360 bits, and Edwards-Curve Digital Signature Algorithm (EdDSA) - 256 bits
verification key and public authentication key is within the private signature key’s
originator usage period and no more than one or two years” (Barker, 2020). (iii)
512 with 160, 224, 256, 384, and 512 bits (Barker, 2020). In addition, access to
Rivest, Shamir, and Adleman (RSA) - 2048, 3072, 7680, 15360 bits, Elliptic Curve
Digital Signature Algorithm (ECDSA) - 256, 384, and 512 bits and Edwards-Curve
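As an added example (not part of the original paper), the following Python audits a key inventory against the key sizes and maximum cryptoperiods listed in this section. The inventory records, key ids, field names, and dates are constructed for illustration, and the two tables copy the paper's figures (citing Barker, 2020) rather than NIST's text directly.

```python
from datetime import date

# Approved key sizes in bits, copied from this paper's list (citing Barker, 2020).
APPROVED_BITS = {
    "AES": {128, 192, 256},
    "RSA": {2048, 3072, 7680, 15360},
    "ECDSA": {256, 384, 512},
}
# Maximum cryptoperiods in years, as this paper states them (assumed upper bounds).
MAX_YEARS = {"private-signature": 3, "symmetric-authentication": 2}

def add_years(d, years):
    """Shift a date by whole years; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def audit_key(key, today):
    """Return the list of policy findings for one inventory record."""
    findings = []
    sizes = APPROVED_BITS.get(key["algorithm"])
    if sizes is None:
        findings.append("algorithm not on approved list")
    elif key["bits"] not in sizes:
        findings.append(f"{key['bits']}-bit {key['algorithm']} key not approved")
    limit = MAX_YEARS.get(key["use"])  # uses without a listed cryptoperiod are not aged
    if limit is not None and today > add_years(key["activated"], limit):
        findings.append(f"cryptoperiod exceeded ({limit}-year maximum)")
    return findings

def audit(inventory, today):
    """Map key id -> findings, keeping only keys that violate the policy."""
    results = {k["id"]: audit_key(k, today) for k in inventory}
    return {key_id: f for key_id, f in results.items() if f}

# Constructed sample inventory (hypothetical key ids, uses, and activation dates).
INVENTORY = [
    {"id": "web-tls-sign", "algorithm": "RSA", "bits": 2048, "use": "private-signature", "activated": date(2023, 6, 1)},
    {"id": "backup-sign", "algorithm": "RSA", "bits": 1024, "use": "private-signature", "activated": date(2019, 1, 15)},
    {"id": "vpn-auth", "algorithm": "AES", "bits": 256, "use": "symmetric-authentication", "activated": date(2021, 3, 1)},
    {"id": "legacy-db", "algorithm": "3DES", "bits": 168, "use": "data-encryption", "activated": date(2024, 1, 1)},
]

if __name__ == "__main__":
    for key_id, findings in audit(INVENTORY, date(2024, 6, 1)).items():
        print(key_id, "->", "; ".join(findings))
```
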
Assumptions
The following assumptions are made about the Placebo, Inc network:
i. The firewalls (inner and outer) are secured and employ IDS/IPS capabilities and
ii. All users (customers, provider, and workers) of the Placebo, Inc network are not
iii. Access to the offsite backup by the company vendors and agents requires scanning in
and out.
i. Cost: Any risk of data loss, data compromise, or unauthorized data disclosure can
ii. Trust: The trustworthiness of the company will be enhanced because of the
Conclusion
Today, organizations, including Placebo, Inc, are faced with numerous data security threats
that directly impact data confidentiality, integrity, authenticity, and availability. Some of these
threats are unintentional (e.g. human errors), while others are intentional, i.e. they are perpetrated
by threat actors with malicious intent, such as data theft, unauthorized network access,
ransomware attacks, DDoS attacks, and so on. Cryptographic controls are essential security
cryptographic controls recommended in this paper, the Placebo, Inc health insurance company
would be equipped with the capabilities necessary to mitigate the chief cyber security
threats and risks enumerated above and provide for the assurance of the cryptographic services,
while meeting (or in compliance with) the industry’s cyber security standards as specified by the
References
Barker, E. (2020). Recommendation for Key Management: Part 1 – General. Retrieved from
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
Barker, E., & Barker, W. (2019). Recommendation for Key Management: Part 2 – Best Practices
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
LUXSCI. (2020, January 2). What Level of SSL or TLS is Required for HIPAA Compliance?
Study.com. (n.d.). System Security: Firewalls, Encryption, Passwords & Biometrics. Retrieved
from https://study.com/academy/lesson/systems-security-firewalls-encryption-passwords-
biometrics.html