Post Assessment Report & Continuous Monitoring For Biohuman Payroll System


Assignment 7.1: Final Project
Post Assessment Report & Continuous Monitoring for BioHuman Payroll System

Nicholas Wicker

Program of Cyber Security Operations & Leadership, University of San Diego

CSOL 530-03-SU22: Cyber Security Risk Management

Professor Nikolas Behar

August 15, 2022


Table of Contents
Abstract......................................................................................................................................................1
Overview....................................................................................................................................................1
Background................................................................................................................................................2
RMF Process and Alignment....................................................................................................................3
Step 1. Categorization of Information System.....................................................................................4
Step 2. Selection of Security Controls..................................................................................................4
Step 3. Implementation of Security Controls.......................................................................................5
Step 4. Assessment of Security Controls..............................................................................................5
Step 5. Authorization of Information System......................................................................................6
Step 6. Monitoring All Security Controls............................................................................................6
Continuous Monitoring.............................................................................................................................6
Changes to Personnel............................................................................................................................7
Changes to Hardware, Software, and Firmware.................................................................................8
Changes to the Physical Environment.................................................................................................9
Conclusion..................................................................................................................................................9
References................................................................................................................................................10

Abstract
This report provides leadership with an overview of the Risk Management Framework (RMF) process and how the applicable security guidelines are aligned to BioHuman's payroll system upgrade. The RMF tools help cyber practitioners and security personnel identify potential weaknesses and then plan the mitigation or resolution responses that harden the environment and its boundaries, making it more difficult for an attacker to penetrate or compromise the system and its data. Security categorization integrates security into the business and information technology management functions and establishes the foundation for security standardization. The result is cohesion between the mission and its information systems, with cost-effective security.

Overview

Connected systems are exposed to threats. These threats affect personnel and businesses that store or share files during daily operations, regardless of whether the data is considered sensitive or proprietary. Any system or device that uses web services has an Internet Protocol (IP) address, which is the equivalent of the street address of a business or residence. Just as a residence or business is safeguarded, devices too must be protected. The attack surface for malicious activity grows as more devices connect to the Internet of Things (IoT).

Proper protection protocols must be implemented to safeguard BioHuman's corporate assets and employees. A compromise of its systems or data can cause extensive damage or disruption to services, including harm to our reputation. The 2021 Data Risk Report for Financial Services (Varonis, 2021) reported that, on average, a financial services employee has access to 13% of the company's total files. Put into perspective, this means that even employees in the smallest firms have unrestricted freedom to view, copy, move, change, and delete over half a million files, including almost 20% of all files containing sensitive employee and customer data. The number of exposed files doubles as company size increases; the largest financial services organizations average over 20 million files open to every employee. To help safeguard systems and data, establishing a defense-in-depth architecture can help thwart malicious activity and mitigate exploits.

Figure 1. 2021 Data Risk Report: Financial Services - (Varonis, 2021)



Background

BioHuman's Financial Management System (FMS), which handles payroll and other benefits for employees, required a system upgrade. To take advantage of this requirement and implement security measures that protect the information system and its data, the Information Technology department used the Risk Management Framework (RMF) process, which, overall, is a tool for minimizing or mitigating the threat surface from attacks and the potential compromise of assets and data. The process is used when initializing, upgrading, or integrating secure solutions, both physically and logically (on the network). Using the framework as part of a holistic cyber risk development lifecycle therefore helped decision-makers and leadership identify risk and respond to mitigate or minimize any adverse effect.

Confidentiality, Integrity, and Availability (CIA) are the pillars of protecting data within the RMF process (Cawthra, Ekstrom, Lusty, Sexton, Sweetnam, & Townsend, 2020). These pillars give cybersecurity practitioners guidance on how to safeguard critical resources from attacks or threats, and practitioners use them to identify areas of vulnerability. The process adheres to the procedural guidelines set forth by the National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS).

RMF Process and Alignment

Initially designed for federal agencies, the RMF was developed by NIST in partnership with the Department of Defense, the Office of the Director of National Intelligence, and the Committee on National Security Systems to improve information security, strengthen risk management processes, and encourage reciprocity among organizations. The RMF emphasizes risk management by promoting the development of security and privacy capabilities in information systems throughout the system development life cycle (SDLC); by maintaining situational awareness of the security and privacy posture of those systems on an ongoing basis through continuous monitoring processes; and by providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, and other organizations (NIST 800-37, 2018). Today, this process can also be used by businesses such as BioHuman that want to build a defensive perimeter and protect information systems and data; it is no longer specific to federal agencies.

Figure 2. Risk Management Framework Hierarchy - (NIST 800-37, 2018)

As shown in Figure 2, each step has a major milestone that can serve as a checkpoint for decision-makers and stakeholders. A critical factor of the RMF process is including leadership, so that they understand the challenges or resource constraints that may delay or hinder the implementation of security controls. The process also helps develop the continuous monitoring requirements needed to maintain the application's serviceability and security.

Step 1. Categorization of Information System

A security categorization is assigned based on the project's mission and business objectives. This categorization must be consistent with the organization's existing risk management strategy. This step creates the foundation for the framework, its documentation of all processes, and its security plan. To help categorize a system, FIPS 199 and FIPS 200 provide information type categories aligned to system features.

Step 2. Selection of Security Controls

Controls adapted from NIST SP 800-53 are selected and tailored to the system by the security assessor, with input from key leadership roles and development departments. These security controls apply to all the hardware, software, and technical processes considered necessary to fulfill the basic compliance requirements of the project. These assurance requirements are also part of the risk assessment strategy. Security controls need to be monitored regularly, and the processes for doing so should be established in this step. Security categories are selected based on the potential impact on the organization should certain events occur. Such events could jeopardize the information system the organization needs to carry out its mission, fulfill its legal responsibilities, and protect its assets and individuals.

Step 3. Implementation of Security Controls

This step involves implementing the security controls selected in the previous step. Once these controls have been identified and implemented, they need to be monitored to determine whether they have met the minimum assurance and compliance requirements that were set. This step also establishes how the information system is to be used and which security engineering methodologies apply. Implementing the right security controls for the organization is necessary to mitigate risk appropriately.

Step 4. Assessment of Security Controls

Once all the security controls are in place and the assurance and compliance requirements have been met, an independent assessor is invited to the organization to review and approve these controls. The reviewer will try to find any discrepancies in the security controls. If any weaknesses or deficiencies are found, the organization will remedy them and update the security plan accordingly.

The Plan of Action and Milestones (POA&M) document lists the vulnerabilities identified by the assessment that require remediation. It details the resources required to accomplish each element of the plan, the milestones for completing the tasks, and the scheduled completion dates for those milestones. Upon completion of an activity, the assessment team will review the specific controls to confirm the compliance and effectiveness of the fix that was implemented. Any open vulnerabilities need to be monitored and reviewed periodically to ensure their vulnerability category has not escalated or led to a compromise of the system or data.

Step 5. Authorization of Information System

After all the assessment processes have been completed, the organization needs to present an authorization package that consolidates the risk assessments and the risk determination for the business. The person in charge of this process, the Authorizing Official (AO), will communicate the authorization decision to all required stakeholders. The final determination from the AO will be either an Authority to Operate (ATO) or a Denial of Authority to Operate (DATO). In specific cases, an AO may allow a system to operate conditionally despite high-risk vulnerabilities if a) mitigations have been implemented to reduce the risk and threat surface, or b) the system is not connected to a network or another information system that would present a threat. All ongoing open-risk actions are recorded in the POA&M.

Step 6. Monitoring All Security Controls

The last step in the RMF process is continuous monitoring. The security status needs to be updated regularly. Reports are produced and distributed periodically to determine whether any weaknesses need to be mitigated. The organization will maintain ongoing situational awareness of the security and privacy posture of the system and the organization to support risk management decisions.

Continuous Monitoring

The objective of Continuous Monitoring (CM) is to determine whether the security and privacy controls implemented by an organization continue to be effective over time, considering the changes that occur in the environment. An effective CM process integrated with the SDLC is required to determine whether the security controls in the information system remain effective over time given the inevitable changes in the system and in the environment in which it operates. Conducting a thorough point-in-time assessment of the security controls in an organizational information system is a necessary but not sufficient condition for demonstrating security due diligence. A CM program allows an organization to (i) track the security state of an information system continuously, and (ii) maintain the security authorization for the system. The information owner/information system owner is responsible for monitoring their information systems, ensuring that the system authorization remains current, and updating critical security documents as changes to the system or operating environment occur (University of San Diego, 2022). Other benefits of CM include the ability to (ISC², n.d.):

• Increase value through improved security and privacy controls.
• Accelerate reporting to support more rapid decision-making and business improvement.
• Detect exceptions in real time to enable real-time responses.
• Reduce and minimize ongoing compliance costs.
• Replace manual preventative controls with automated detective controls.
• Establish a more automated, risk-based control environment with lower costs.
• Heighten competitive advantage and increase value to stakeholders.

Changes to Personnel

A proper personnel security plan identifies the actions required when employees must be screened, terminated, or transferred. Personnel with elevated permission levels will be vetted through additional screening and agreement requirements. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. To ensure a systematic, dependable, and uniform way of making position designations, BioHuman will document position designations on an organization chart for those individuals within departments charged with position designation responsibilities. Part of continuous monitoring will be to review positions with elevated permissions to ensure that adequate mechanisms are implemented to safeguard the environment and network.

The position designation assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service that could result from misconduct by the incumbent of that position. This establishes the risk level of the position. The assessment also determines whether a position's duties and responsibilities give the incumbent the potential to cause a material adverse effect on security, and the degree of that potential effect, which establishes the sensitivity level of the position. The results of this assessment determine what level of investigation should be conducted for the position.

Changes to Hardware, Software, and Firmware

An information system is typically in a constant state of change in response to new, enhanced, corrected, or updated hardware and software capabilities; patches that correct software flaws and other errors in existing components; new security threats; changing business functions; and so on. Implementing information system changes always results in some adjustment to the system configuration. To ensure that the required adjustments to the system configuration do not adversely affect the security of the information system, or of the organization through the operation of the information system, a well-defined configuration management process that integrates information security is needed.

Changes to the Physical Environment

Security-Focused Configuration Management (SecCM) is the management and control of secure configurations for an information system to enable security and facilitate the management of risk. SecCM builds on the general concepts, processes, and activities of configuration management by attending to the implementation and maintenance of the established security requirements of the organization and its information systems.

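The configuration management process described above, together with the POA&M tracking and the continuous monitoring goals discussed earlier (tracking the security state continuously, replacing manual preventative controls with automated detective controls), can be supported by an automated check that compares a host's observed configuration against its approved secure baseline. The following is an added illustration and is not code from this report or from BioHuman: the hostname, the settings in the baseline, the control-family labels, and the severity ratings are all constructed assumptions, and the observed snapshot is a constructed example of what a collector agent might report for the payroll host.

```python
"""Security-focused configuration baseline check for continuous monitoring.

Added illustration (not part of the report). Compares the observed
configuration of a host against an approved baseline and turns each
deviation into a finding that can be tracked in a POA&M and rolled up
into the periodic CM report. Every hostname, setting and value below is
a constructed example.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Approved secure baseline (constructed). Each setting maps to the
# expected value, an assumed control-family label and the severity
# assigned to drift from that setting.
BASELINE: Dict[str, Dict[str, Any]] = {
    "ssh.password_authentication": {"expected": "no", "family": "IA", "severity": "high"},
    "ssh.permit_root_login": {"expected": "no", "family": "AC", "severity": "high"},
    "audit.logging_enabled": {"expected": True, "family": "AU", "severity": "high"},
    "tls.min_version": {"expected": "1.2", "family": "SC", "severity": "moderate"},
    "os.auto_updates": {"expected": True, "family": "SI", "severity": "moderate"},
    "login.banner_present": {"expected": True, "family": "AC", "severity": "low"},
}

SEVERITY_ORDER = {"high": 0, "moderate": 1, "low": 2}


@dataclass
class Finding:
    """One baseline deviation, in the form a POA&M entry would record."""
    host: str
    setting: str
    expected: Any
    observed: Any
    family: str
    severity: str

    def poam_line(self) -> str:
        return (f"[{self.severity.upper()}] {self.host}: {self.setting} "
                f"is {self.observed!r}, baseline requires {self.expected!r} "
                f"(control family {self.family})")


def compare_to_baseline(host: str, observed: Dict[str, Any],
                        baseline: Dict[str, Dict[str, Any]] = BASELINE) -> List[Finding]:
    """Return one Finding per baseline setting that is missing or has drifted.

    A setting absent from the observed snapshot is reported as a deviation
    (observed=None): an unobserved control gives no evidence that the
    baseline still holds, so it must not be counted as a pass.
    """
    findings: List[Finding] = []
    for setting, rule in baseline.items():
        actual = observed.get(setting)  # None when the collector did not report it
        if actual != rule["expected"]:
            findings.append(Finding(host, setting, rule["expected"], actual,
                                    rule["family"], rule["severity"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for the periodic CM report."""
    counts = {"high": 0, "moderate": 0, "low": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


def requires_reauthorization(findings: List[Finding], threshold: str = "high") -> bool:
    """True if any finding is at or above the threshold severity.

    Such a finding means the authorization basis may have changed and the
    authorizing official should be informed.
    """
    limit = SEVERITY_ORDER[threshold]
    return any(SEVERITY_ORDER[f.severity] <= limit for f in findings)


# Constructed snapshot, as a collector agent might report it for the payroll host.
OBSERVED_PAYROLL_HOST: Dict[str, Any] = {
    "ssh.password_authentication": "yes",   # drifted after an emergency change
    "ssh.permit_root_login": "no",
    "audit.logging_enabled": True,
    "tls.min_version": "1.2",
    # "os.auto_updates" was not reported, so it is treated as a deviation
    "login.banner_present": False,
}

if __name__ == "__main__":
    results = compare_to_baseline("payroll-app-01", OBSERVED_PAYROLL_HOST)
    for finding in sorted(results, key=lambda f: SEVERITY_ORDER[f.severity]):
        print(finding.poam_line())
    print("summary:", summarize(results))
    print("notify AO:", requires_reauthorization(results))
```

Run stand-alone, the script reports three findings for the constructed payroll host (the SSH password-authentication drift, the unreported auto-update setting, and the missing login banner) and flags that the authorizing official should be notified because a high-severity deviation exists. Treating an unreported setting as a deviation rather than a pass is deliberate: continuous monitoring is only as good as its evidence, and silence from the collector is not evidence of compliance.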

Conclusion

The cyber threat landscape is continuously expanding. Network services and applications are the backbone of daily operations while supporting customers and employees. Protecting data and systems is more important than ever, as is securing the environment in which these devices operate. Using the RMF process helps security practitioners identify potential weaknesses in a system so that they can be mitigated. The risk management process must allow decision-makers to weigh the operational and economic costs of protective measures against the requirements for mission accomplishment. Once the application is authorized, the company must maintain its security posture and treat it as dynamic in order to protect its data.

References

Cawthra, J., Ekstrom, M., Lusty, L., Sexton, J., Sweetnam, J., & Townsend, A. (2020, December). Data Integrity: Identifying and Protecting Assets against Ransomware and Other Destructive Events. Retrieved August 12, 2022, from https://www.nccoe.nist.gov/publication/1800-25/VolA/index.html

ISC². (n.d.). How Continuous Monitoring Drives Risk Management. Retrieved August 12, 2022, from https://www.isc2.org/Articles/cap-continuous-monitoring

NIST 800-37. (2018, December). Risk Management Framework for Information Systems and Organizations. NIST. Retrieved August 11, 2022, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

University of San Diego. (2022). CSOL 530 - Module 7: Continuous Monitoring. San Diego, California: University of San Diego, Master of Science in Cybersecurity Operations and Leadership, CSOL 530-03-SU22: Cyber Security Risk Management.

Varonis. (2021). 2021 Data Risk Report - Financial Services. Retrieved August 11, 2022, from https://info.varonis.com/hubfs/docs/research_reports/2021-Financial-Data-Risk-Report.pdf
