Post Assessment Report & Continuous Monitoring For Biohuman Payroll System
1: Final Project
Post Assessment Report & Continuous Monitoring for BioHuman Payroll System
Nicholas Wicker
Abstract
This report provides leadership with an overview of the Risk Management Framework process
and how applicable security guidelines are aligned to BioHuman's payroll system upgrade. The
tools assist cyber practitioners and security personnel in identifying potential weaknesses and
then assist with planning mitigation or resolution responses that harden the environment and its
boundaries, making it challenging for an attacker to penetrate or compromise the system and data.
Security categorization integrates security into the business and information technology
management functions and sets up the foundation for security standardization. The result is
Overview
Connected systems are vulnerable to threats. These threats affect personnel and
businesses that store or share files when performing daily operations, regardless of whether the data is
considered sensitive or proprietary. Any system or device that uses web services has an Internet
safeguarding a residence or business, devices too must be protected. The threat surface for
malicious activity grows as more devices connect to the Internet of Things (IoT).
Proper protection protocols must be implemented to safeguard BioHuman's corporate assets
and employees. A compromise of its systems or data can potentially cause extensive damage or
disruption to services, including harm to our reputation. The 2021 Data Risk Report for Financial
Services (Varonis, 2021) reported that, on average, a financial services employee has access to
13% of the company's total files. Put into perspective, this means that even employees in the
smallest firms have unrestricted freedom to view, copy, move, change, and delete data for over
half a million files, including almost 20% of all files containing sensitive employee and customer
data. The number of exposed files doubles as company size increases; the largest financial
services organizations average over 20 million files open to every employee. To help safeguard
systems and data, establishing a defense-in-depth environment architecture can help thwart
Background
BioHuman's Financial Management System (FMS), which handles payroll and other
benefits for employees, required a system upgrade. To take advantage of this
requirement and implement security measures that protect the information system and data, the
Information Technology department utilized the Risk Management Framework (RMF) process,
which, overall, is a tool to minimize or mitigate the threat surface from attacks and potential
compromise of assets and data. The process is used when initializing, upgrading, or integrating
secure solutions both physically and logically (network). Therefore, utilizing the framework as
part of a holistic cyber risk development lifecycle helped decision-makers and leadership identify
Confidentiality, Integrity, and Availability (CIA) are the pillars of protecting data within
the RMF process (Cawthra, Ekstrom, Lusty, Sexton, Sweetnam, & Townsend, 2020). These
pillars guide cybersecurity practitioners on how to safeguard critical resources from attacks or
threats. Therefore, cyber practitioners utilize the pillars to identify areas of vulnerability. The
process adheres to the procedural guidelines set forth by the National Institute of Standards and
Initially designed for federal agencies, the RMF was developed by NIST in partnership with the
Department of Defense, the Office of the Director of National Intelligence, and the Committee on
National Security Systems to improve information security, strengthen risk management
processes, and encourage reciprocity among organizations. The RMF emphasizes risk
management by promoting the development of security and privacy capabilities in information
systems throughout the system development life cycle (SDLC); by maintaining situational
awareness of the security and privacy posture of those systems on an ongoing basis through
continuous monitoring processes; and by providing information to senior leaders and executives
to facilitate decisions regarding the acceptance of risk to organizational operations and assets,
individuals, and other organizations (NIST 800-37, 2018). Today, this process can be used by
businesses such as BioHuman that want to build a defensive perimeter and protect information
As shown in figure 2, each step has a major milestone that can be used as a checkpoint
for decision-makers and stakeholders. A critical factor of the RMF process is to include
leadership so that they understand what challenges or resource constraints may be present
that could delay or hinder the implementation of security controls. The process will assist with
and security.
A security role is assigned based on the project's mission and business
objectives. This role must be consistent with the organization's existing risk management
strategy. This step creates the foundation for the framework, its documentation of all processes,
and its security plan. To help categorize a system, FIPS 199 and FIPS 200 provide information
Controls adapted from the NIST SP 800-53 are selected and tailored to the system by the
security assessor to include key leadership roles and development departments. These security
controls apply to all the hardware, software, and technical processes that are considered
necessary to fulfill the basic compliance requirements of the project. These assurance
requirements are also a part of the risk assessment strategy. Security controls need to be
monitored regularly and the application processes to do so should be undertaken in this step.
Security categories are selected based on the potential impact on an organization should certain events
occur. These events could jeopardize the information system needed by the organization to carry
out its mission, fulfill legal responsibilities, and protect assets and individuals.
This step involves implementing the security controls that were selected in the previous step.
Once these controls have been identified and implemented, they need to be monitored to
understand whether they have achieved the minimum assurance and compliance requirements
that were set. This step selects all the right ways in which the information system is being used
along with all the methodologies of security engineering. Implementing the right security
Once all the security controls are in place and the assurance and compliance requirements
have been met, an independent assessor is invited to the organization to review and approve
these controls. The reviewer will try to find any discrepancies in the security controls. If
any weaknesses or deficiencies are found, the organization will remedy the errors and then
The Plan of Action and Milestones (POA&M) document lists the vulnerabilities identified during the assessment
that require remediation. The document details the resources required to accomplish the elements
of the plan, any milestones in meeting the tasks, and scheduled completion dates for the
milestones. Upon completion of an activity, the assessment team will review the specific controls
to confirm the compliance and effectiveness of the control fix implemented. Any ongoing
category has not escalated or led to any compromise of the system or data.
After all the assessment processes have been completed, the organization needs to present
an authorization package that consolidates all the risk assessments and the risk determination
for the business. The person in charge of this process will submit the authorization decision to all
required stakeholders. The final determination from the Authorizing Official (AO) will be either an Authority to
Operate (ATO) or a Denial of Authority to Operate (DATO). In specific cases, an AO may allow
implemented to reduce the risk and surface threat level or b) the system is not connected to a
network or another information system that would present a threat. All ongoing open-risk actions
The last step in the RMF process is continuous monitoring. The security status tracked under the
RMF needs to be updated regularly. Reports are produced and sent out periodically to find out if
any weaknesses need to be mitigated. The organization will maintain ongoing situational
awareness of the security and privacy posture of the system and organization to support risk
management decisions.
Continuous Monitoring
The objective of Continuous Monitoring (CM) is to determine if the security and privacy
changes that occur in the environment. An effective CM process integrated with the SDLC is
required to determine if the security controls in the information system continue to be effective
over time, considering the inevitable changes that occur in the system as well as in the
track the security state of an information system continuously, and (ii) maintain the security
authorization for the system. The information owner/information system owner is responsible for
monitoring their information systems, ensuring that the system authorization remains current,
and updating critical security documents as changes to the system or operating environment
occur (University of San Diego, 2022). Other benefits of CM include (ISC², n.d.).
Changes to Personnel
A proper personnel security plan will identify the actions required to
screen, terminate, or transfer employees. Personnel with elevated permission levels will be vetted
through additional screening and agreement requirements. Proper position designation is the
foundation of an effective and consistent suitability and personnel security program. To ensure a
systematic, dependable, and uniform way of making position designations, BioHuman will
provide position designation via an organization chart for those individuals within departments
charged with position designation responsibilities. Part of the continuous monitoring will be to
review positions with elevated permissions to ensure adequate mechanisms are implemented to
determine the degree of potential damage to the efficiency or integrity of the service from the
misconduct of an incumbent of a position. This establishes the risk level of that position. This
assessment also determines if a position’s duties and responsibilities present the potential for
position incumbents to bring about a material adverse effect on the security, and the degree of
that potential effect, which establishes the sensitivity level of a position. The results of this
enhanced, corrected, or updated hardware and software capabilities, patches for correcting
software flaws and other errors to existing components, new security threats, changing business
functions, etc. Implementing information system changes always results in some adjustments to
the system configuration. To ensure that the required adjustments to the system configuration do
not adversely affect the security of the information system or the organization from the operation
secure configurations for an information system to enable security and facilitate the management
of risk. SecCM builds on the general concepts, processes, and activities of configuration
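As an added illustration of the SecCM idea described above (this code is not part of the report and BioHuman's real baseline is not on the page), a small Python check that a continuous-monitoring process could run after a system change: it compares a system's current settings against a constructed secure baseline, records each deviation with the CIA pillar it affects and a severity for POA&M prioritisation, and reports the worst severity. The setting names, values and impact mapping are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed baseline for illustration only (hypothetical keys/values); the real
# SecCM baseline for BioHuman's FMS is not part of the report.
BASELINE: Dict[str, str] = {
    "ssh.password_authentication": "no",
    "ssh.permit_root_login": "no",
    "tls.min_version": "1.2",
    "audit.log_enabled": "yes",
    "session.timeout_minutes": "15",
}
# Assumed mapping of each setting to the CIA pillar it protects and the severity
# of a deviation, used to prioritise findings on a POA&M.
IMPACT = {
    "ssh.password_authentication": ("confidentiality", "high"),
    "ssh.permit_root_login": ("integrity", "high"),
    "tls.min_version": ("confidentiality", "moderate"),
    "audit.log_enabled": ("integrity", "moderate"),
    "session.timeout_minutes": ("confidentiality", "low"),
}
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3}

@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: Optional[str]   # None when the setting is absent from the system
    pillar: str
    severity: str

def check_drift(current: Dict[str, str]) -> List[Finding]:
    """Return every deviation of `current` from BASELINE. A missing setting is
    drift; a shorter timeout or a newer TLS minimum than baseline is not flagged."""
    findings: List[Finding] = []
    for key, expected in BASELINE.items():
        actual = current.get(key)
        if actual is None:
            ok = False
        elif key == "session.timeout_minutes":
            ok = actual.isdigit() and int(actual) <= int(expected)
        elif key == "tls.min_version":
            ok = tuple(map(int, actual.split("."))) >= tuple(map(int, expected.split(".")))
        else:
            ok = actual == expected
        if not ok:
            pillar, severity = IMPACT[key]
            findings.append(Finding(key, expected, actual, pillar, severity))
    return findings

def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' when the system matches the baseline."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")
```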
Conclusion
The cyber threat landscape is continuously expanding. Network services and applications
are the backbone of daily operations while providing support to customers and employees.
Protecting data and systems is ever more important than securing the environment in which these
devices operate. Using the RMF process helps security practitioners identify potential
weaknesses in a system to mitigate. The risk management process must allow decision-makers to
consider the operational and economic costs of protective measures weighed against
requirements for mission accomplishment. Upon authorization of the application, the company
must maintain a dynamic security posture to protect its data.
References
Cawthra, J., Ekstrom, M., Lusty, L., Sexton, J., Sweetnam, J., & Townsend, A. (2020,
December). Data Integrity: Identifying and Protecting Assets against Ransomware and
https://www.nccoe.nist.gov/publication/1800-25/VolA/index.html
ISC². (n.d.). How Continuous Monitoring Drives Risk Management. Retrieved August 12, 2022,
from https://www.isc2.org/Articles/cap-continuous-monitoring
NIST 800-37. (2018, December). Risk Management Framework for Information Systems and
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
University of San Diego. (2022). CSOL 530-Module 7: Continuous Monitoring. San Diego,
Varonis. (2021). 2021 Data Risk Report - Financial Services. Retrieved August 11, 2022, from
https://info.varonis.com/hubfs/docs/research_reports/2021-Financial-Data-Risk-Report.pdf