
Continuous Monitoring

Matthew Chiappone

University of San Diego

CSOL 530-01-SU22: Cyber Security Risk Management

Professor Raines

August 15, 2022



Continuous Monitoring

Change is inevitable, and preparation is key. BioHuman relies on the NIST Risk Management Framework (RMF), which “provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle” (NIST, 2022). By leveraging the seven steps within the framework, BioHuman can methodically step through each system, assess risk, obtain authorization, and continually monitor for changes and risks. BioHuman’s control development and policies create the foundation for the security-focused culture it has strived to achieve. Continuous monitoring lowers risk, protects assets, and ensures BioHuman stays a leader within its business sector. The figure below illustrates the seven steps of the RMF.

[Figure omitted: the seven steps of the RMF (Joint Task Force, 2018)]


Preparation

The first step of the RMF is preparation. Understanding the business goals and objectives establishes the boundaries and focus of new implementations within the environment and allows security to be layered throughout the entire development process. Protecting assets requires input from all affected stakeholders, from system impact to personnel impact. Determining roles and responsibilities within the organization, with regard to both projects and the RMF, is necessary for the correct implementation of each project and allows approvals and authorization to occur on time. Time spent in preparation saves time and money and minimizes confusion and unforeseen roadblocks. The essential tasks and definitions of the preparation step according to NIST are (Joint Task Force, 2018):

● Risk Management Roles: Determine key roles, both organization-wide and project-specific.

● Risk Management Strategy: Determine the current risk tolerance within BioHuman.

● Risk Assessment – Organization: Refer to a previous organization-wide risk assessment across all systems, or conduct a new one.

● Common Control Identification: Organization-wide baseline controls enforced across all systems and infrastructure create consistency and simplified configuration.

● Continuous Monitoring Strategy – Organization: Define the organization-wide continuous monitoring strategy.

Categorize

The categorization step focuses on the impact on the overall system and the impact on security. Controls and policies are set by separating and categorizing the risk level and assessment results. The potential impact is weighed against the Confidentiality, Integrity, and Availability (CIA) triad to determine the overall risk of each system. The rating follows the FIPS 199 scale of potential impact, with a rating of low, moderate, or high (U.S. Department of Commerce, 2004). The scale accounts for system impact, the overall impact on the business, and external circumstances that may raise or lower the overall rating. The essential tasks and definitions of the categorize step according to NIST are (Joint Task Force, 2018):

● System Description: This describes the system and its business function. The system is rated as either a major business function or a support system.

● Security Categorization: The security categorization results from a security assessment and application of the business risk rubric and risk management strategy.

● Security Categorization Review and Approval: Once the risk level and categorization are complete, the executive leadership team makes the final decision on the overall risk.
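A worked version of the FIPS 199 categorization described above, added here as an illustration (it is not the paper's own material or NIST-published code). FIPS 199 records a security category per objective, SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, taking for each objective the highest impact among the information types the system handles, and FIPS 200 then uses the highest of the three (the high-water mark) as the system's overall impact level, which selects the SP 800-53 baseline in the select step. The information types and their ratings below are constructed for the BioHuman payroll system described in the attached security plan, and the 14-day outage threshold is taken from that plan's "> 2 weeks" note; both are assumptions.

```python
"""FIPS 199 categorization with the FIPS 200 high-water mark (added example)."""
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information types processed by the BioHuman payroll system
# (hypothetical ratings for illustration) -> (C, I, A) provisional impact.
PAYROLL_INFO_TYPES = {
    "employee banking details (PII)": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "compensation calculations":      (Impact.LOW,      Impact.MODERATE, Impact.LOW),
    "direct deposit disbursement":    (Impact.LOW,      Impact.MODERATE, Impact.MODERATE),
}


def categorize(info_types):
    """FIPS 199 system categorization: for each objective, keep the highest
    impact found across all information types resident on the system."""
    category = {obj: Impact.LOW for obj in OBJECTIVES}
    for levels in info_types.values():
        for obj, level in zip(OBJECTIVES, levels):
            category[obj] = max(category[obj], Impact(level))
    return category


def with_outage_adjustment(category, outage_days, threshold_days=14):
    """Apply the circumstance the paper names: an extended outage (assumed to
    mean longer than two weeks, per the SSP) raises availability to HIGH.
    The other two objectives are left unchanged."""
    adjusted = dict(category)
    if outage_days > threshold_days:
        adjusted["availability"] = Impact.HIGH
    return adjusted


def overall_impact(category):
    """FIPS 200 high-water mark: the system's overall impact level, which picks
    the low / moderate / high SP 800-53 control baseline in the select step."""
    return max(category.values())


def format_category(name, category):
    """Render in FIPS 199 notation: SC name = {(objective, IMPACT), ...}."""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


if __name__ == "__main__":
    base = categorize(PAYROLL_INFO_TYPES)
    print(format_category("payroll", base), "->", overall_impact(base).name)
    outage = with_outage_adjustment(base, outage_days=21)
    print(format_category("payroll, 21-day outage", outage), "->", overall_impact(outage).name)
```

With the constructed ratings the payroll system lands at Moderate on all three objectives, matching the plan's stated baseline; only an outage past the threshold lifts availability, and with it the overall level, to High.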

Select

The select step involves developing and selecting the appropriate controls for protecting the system and the overall business. The controls are defined within NIST Special Publication 800-53 Revision 5 (Joint Task Force, 2020). The selected controls are based on the categorization of assets and system constraints. The process runs from the definition of controls through approval. The essential tasks and definitions of the select step according to NIST are (Joint Task Force, 2018):

● Control Selection: Control baselines are selected and established to monitor changes in risk. Common business controls are applied according to standards, and supplemental controls are chosen if necessary.

● Control Tailoring: The controls are altered or tailored to meet the specific requirements within the system according to capability and relevant factors discovered during categorization.

● Control Allocation: Controls can be common, hybrid, or system-specific. Hybrid controls are both system-specific and common in nature.

● Documentation of Planned Control Implementations: Documentation is created to define the control implementation and the information necessary for alterations or tailoring.

● Continuous Monitoring Strategy – System: The system-specific continuous monitoring process is defined and referenced against the overall system monitoring policy. Any deviation or additional considerations are documented.

● Plan Review and Approval: The final control list is created and submitted for review by an authorized official designated by BioHuman.

Implement

The implementation step outlines the tasks necessary for deploying each control determined in the select step. The common controls are implemented according to the specified parameters, and documenting any deviation is part of the process. Configuration and deployment of system-specific controls are tested and verified according to the risk management strategy and reviewed for necessary changes before deployment to the live environment. The essential tasks and definitions of the implement step according to NIST are (Joint Task Force, 2018):

● Control Implementation: The controls are implemented according to security specifications and system constraints.

● Update Control Implementation Information: After reviewing implementation strategies, the documentation is updated to reflect any changes.

Assess

The assess step reviews and analyzes the implementation of the selected controls to determine whether they are implemented correctly and provide the intended security. The assessment includes specifics determined by laws, regulations, or standards that BioHuman is bound by or has developed. Assessments can be internal or external and are defined before engagement. The results are gathered and presented to executive leadership and the security team to determine whether risks or vulnerabilities were found. Remediation actions are developed, and a Plan of Action and Milestones (POA&M) report is used to track individual items through to completion and saved for historical reference. The essential tasks and definitions of the assess step according to NIST are (Joint Task Force, 2018):

● Assessor Selection: The assessor or assessment team is determined and comprised of either internal personnel or an outside entity.

● Assessment Plan: The plan outlines the rules of engagement and the resources necessary for a proper assessment. The plan is reviewed and approved by the security and executive leadership teams.

● Control Assessments: Each control has a specific assessment to validate correct implementation and whether the control meets the designated security requirement.

● Assessment Reports: The finalized reports are produced to outline findings and highlight deficiencies, risks, or vulnerabilities.

● Remediation Actions: Any deficiencies or incorrect implementations have remediation actions outlined within the POA&M and tracked until complete.

● Plan of Action and Milestones (POA&M): The POA&M is a document created to address risks found within each control. The document is maintained and updated throughout the life of the system.


Authorize

Authorization is needed from executive leadership to proceed with the use of any new system, or of a previously authorized system with newly found risks or vulnerabilities. The Authorizing Official (AO) is the final decision maker. An authorization package is created and submitted to the AO for approval. The essential tasks and definitions of the authorize step according to NIST are (Joint Task Force, 2018):

● Authorization Package: The authorization package is developed for submission to the AO for final approval. The package contains all relevant information and findings, from risk assessments to controls.

● Risk Analysis and Determination: The final risk analysis is compared against the risk tolerance matrix for BioHuman.

● Risk Response: If risks are identified, a response plan is created for remediation and mitigation of the risks.

● Authorization Decision: The final decision is Authorized To Operate (ATO), Interim Approval to Test (IATT), or Denied Approval to Operate (DATO).

● Authorization Reporting: Final findings are reported to the appropriate persons.

Monitor

Technology and vulnerabilities are constantly changing, and BioHuman must monitor these changes to determine risk and mitigation techniques. Monitoring the system is the final step of the RMF and consists of routine analysis of the system controls and of risks to BioHuman. The intervals for auditing and verifying system controls are determined by the overall importance and potential risk of the system, changes to the environment, or personnel changes. The essential tasks and definitions of the monitor step according to NIST are (Joint Task Force, 2018):

● System and Environment Changes: If new hardware, software, or technology is introduced to the environment, a risk analysis is conducted to analyze the potential impact.

● Ongoing Assessments: Assessments must be conducted on a regularly scheduled interval determined by the executive and security teams. The frequency is determined by the potential impact and importance of the system.

● Ongoing Risk Response: Risks identified through monitoring or analysis require implementing response and mitigation techniques. Once risks are found, they must be addressed, and subsequent changes are monitored for effectiveness and the intended result.

● Authorization Package Updates: Remediation and control changes resulting from monitoring are included in the authorization package and tracked in the POA&M. Approved methods for addressing discovered risks are included in all relevant documentation.

● Security and Privacy Reporting: The final reporting is sent to executive leadership and the appropriate internal teams.

● Ongoing Authorization: Any resulting changes to the environment or system due to inadequacies found through monitoring must be processed again through the RMF for final approval.

● System Disposal: Systems that are no longer in use or can no longer be appropriately secured must be sunsetted and removed from production.


Maintaining the highest level of security is paramount to BioHuman’s success. The NIST RMF is a structured framework that methodically steps through each system development and security aspect. Changes to personnel, environment, laws, and infrastructure are ongoing, highlighting the importance of continuous monitoring. Information about changes comes from “Trend analyses from existing monitoring; organizational risk tolerance information; information on new laws, regulations, reporting requirements; current threat and vulnerability information; other organizational information as required, updates to automation specifications” (Joint Task Force, 2018). Threats never stop, and being proactive is the only option. BioHuman leverages automation through scheduled vulnerability scans and reporting tools. The capabilities of our SIEM and firewall to actively mitigate and report findings are routinely reviewed for emerging threats. Changes in personnel through the onboarding and offboarding process trigger automated creation and suspension of accounts throughout BioHuman’s systems. Hardware, software, or firmware changes are vetted before installation for known vulnerabilities or bugs, and each change triggers the assessment process. All IT and security staff are trained and understand the importance of creating a culture of actively hunting down risks.


References

Fruhlinger, J. (2022, January 10). What is PII? Examples, laws, and standards. CSO Online. https://www.csoonline.com/article/3645648/what-is-pii-examples-laws-and-standards.html

Joint Task Force. (2018, December 2). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37 Rev. 2). NIST Technical Series Publications. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

Joint Task Force. (2020, September 5). Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Rev. 5). NIST Technical Series Publications. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

NIST. (2022, July 14). NIST Risk Management Framework (RMF). NIST Computer Security Resource Center. https://csrc.nist.gov/projects/risk-management/about-rmf

U.S. Department of Commerce. (2004, February). FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. NIST Technical Series Publications. https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf

Information System Security Plan

1. Information System Name/Title:

● BioHuman Payroll System / BHPS

2. Information System Categorization:

● Current risk level is Moderate, with the potential for High if an extended outage occurs.

[ ] Low   [X] Moderate   [ ] High

3. Information System Owner:

● Name: Matt Chiappone
● Title: Chief Information Officer
● Agency: BioHuman
● Address: 300 Hidden Figures Way SW, Washington, D.C.
● Email Address: chip@biohumaninc.com
● Phone Number: (555) 638-3647

4. Authorizing Official:

● Name: Leonardo Messer
● Title: System Authorizing Official
● Agency: BioHuman
● Address: 300 Hidden Figures Way SW, Washington, D.C.
● Email Address: MesserOfTwoEvils@biohumaninc.com
● Phone Number: (555) 638-3655

5. Other Designated Contacts:

● Name: Todd Raines
● Title: Top Dog SCA
● Agency: Evaluate IT
● Address: 1600 Pennsylvania Avenue NW, Washington, D.C. 20502
● Email Address: BringTheRaine@EvalIT.com
● Phone Number: (555) 744-6688

6. Assignment of Security Responsibility:

● Name: Lochit Down
● Title: Chief Information Security Officer
● Agency: BioHuman
● Address: 300 Hidden Figures Way SW, Washington, D.C.
● Email Address: lochit@biohumaninc.com
● Phone Number: (555) 638-4033

7. Information System Operational Status:

● The system is in use and operational.

[X] Operational   [ ] Under Development   [ ] Major Modification

8. Information System Type:

● Indicate if the system is a major application or a general support system. If the system contains minor applications, list them in Section 9, General System Description/Purpose.

[X] Major Application   [ ] General Support System
9. General System Description/Purpose:

● The function of the payroll system is to facilitate the payment of employee salaries and calculate their total compensation. This includes tracking and calculating longevity, incentives, and bonuses earned yearly. The system holds user bank account information and budget information for BioHuman. The system ties into a standalone database within the BioHuman infrastructure that contains user information relevant to compensation calculations. Direct deposit payments to employees are facilitated from within the system.

10. System Environment:

● The payroll system is cloud-based and accessed through an online portal. The cloud infrastructure contains redundancy for data and accessibility, with various geographical locations servicing the platform. Local machines do not require installed software, only up-to-date browsers. The API connection requires certificate-based authentication for access to the internal database. The internal server is located within a segmented DMZ network, monitored and access-controlled through the corporate firewall. The database within the DMZ is a replicated database to protect against ransomware and minimize recovery efforts. MFA is enabled to protect against unauthorized access.

11. System Interconnections/Information Sharing:

● The payroll system integrates and shares information with a single database within the BioHuman infrastructure. The internal server’s sole purpose is to house the internal user information relevant to calculating compensation and personnel changes. The database contains the minimal information necessary for optimal performance and security. The local database is a Microsoft SQL Server with access appropriate for the payroll system only. The firewall is restricted to allow only traffic between the payroll system and the database, and only on the necessary ports and applications.

System Name | Organization | Type | Agreement (ISA/MOU/MOA) | Date | FIPS 199 Category | C&A Status | Auth. Official
Local Microsoft SQL Server | BioHuman Inc | Support for payroll | (not listed) | 1/1/2022 | Low | ATO and monitoring | Leo Messer
Payroll System | Payroll Online | Major | Yes/Yes/Yes | 1/1/2022 | Moderate (outage < 2 weeks), High (outage > 2 weeks) | ATO and monitoring | Leo Messer

Related Laws/Regulations/Policies:

● The system contains PII.
  • The Federal Trade Commission Act (FTC Act) protects PII.
  • OMB M-10-23 provides protection when utilizing third-party websites.
● FISMA
● Corporate policies for risk assessments and auditing
● Corporate RMF

12. Minimum Security Controls:

● The security control baseline is currently Moderate; if an extended outage occurs, the system may be raised to High.
● The key controls are:
  • AC-1 POLICY AND PROCEDURES
    • Updated annually and when changes or updates occur
    • IT security staff will develop these with the business office
    • Common control
  • AC-2 ACCOUNT MANAGEMENT
    • The external payroll system requires manual creation and deletion of accounts
    • Monthly account auditing is performed by IT staff
    • Creation/disabling of appropriate accounts
    • The business department will determine and authorize privilege level
  • AC-6 LEAST PRIVILEGE
    • Accounts are split between read and write access depending on organizational role
    • Reviewed during monthly account auditing
    • Common control set by IT staff
  • AC-12 SESSION TERMINATION
    • Users can log out manually from the system
    • System timed logout is set to 15 minutes
    • Common control
    • Manually set within the payroll system by IT staff
  • AT-1 POLICY AND PROCEDURES
    • Updated annually and when changes or updates occur
    • IT security staff will develop these with the business office
    • Common control
  • AT-3 ROLE-BASED TRAINING
    • Personnel are trained on their access level (read/write)
    • The business department trains new hires and provides annual review training on updated features
    • Common control for business systems
  • AU-1 POLICY AND PROCEDURES
    • Updated annually and when changes or updates occur
    • IT security staff will develop these with the business office
    • Common control
  • AU-2 EVENT LOGGING
    • All activity within the system is logged, and reports are auto-generated and emailed to management staff
    • IT staff will configure event logging within the payroll system
    • IT staff and business management will work together to ensure the appropriate information is included in the report
    • Common control
  • IA-1 POLICY AND PROCEDURES
    • Updated annually and when changes or updates occur
    • IT security staff will develop these with the business office
    • Common control
  • IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
    • IT staff will enforce MFA for privileged and non-privileged accounts
    • Privileged accounts will leverage company-provided cellphones
    • Non-privileged accounts will leverage company-managed devices or hardware keys for MFA functionality
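The account management, least privilege, session termination and MFA statements above, together with the paper's earlier notes that offboarding triggers account suspension and that findings are tracked in a POA&M, describe checks that can be run as a repeatable monthly audit. The following is an added example written for this page; it is not BioHuman's tooling or any vendor's API. The account fields, the role-to-access mapping, the HR status feed, the configuration key and the audit date are assumptions, and the sample records are constructed.

```python
"""Monthly continuous-monitoring check for the BHPS account and session
controls (added example). Evaluates constructed account records and a
constructed configuration against the SSP's AC-2, AC-6, AC-12 and IA-2
statements and records each gap as an open POA&M item. Field names, the
role-to-access mapping and the HR status feed are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# AC-6: access each business-authorized role may hold (assumed mapping).
ROLE_ACCESS = {
    "payroll_clerk": {"read"},
    "payroll_manager": {"read", "write"},
    "it_admin": {"read", "write", "admin"},
}
SESSION_TIMEOUT_MAX_MIN = 15                                        # AC-12, per the SSP
ACCEPTED_MFA = {"managed_device", "hardware_key", "company_phone"}  # IA-2, all accounts
PRIVILEGED_MFA = {"company_phone"}                                  # IA-2, privileged accounts
AUDIT_DATE = date(2022, 8, 15)                                      # assumed audit date


@dataclass
class Account:
    username: str
    role: str
    access: Set[str]
    privileged: bool
    enabled: bool
    mfa_method: Optional[str]   # None when no MFA factor is enrolled
    hr_status: str              # "active" or "offboarded" (assumed HR feed)


@dataclass
class Finding:
    control: str
    subject: str
    detail: str


def check_accounts(accounts: List[Account]) -> List[Finding]:
    """Account-level checks run during the monthly account audit."""
    findings = []
    for a in accounts:
        # AC-2 / offboarding: departed personnel must not keep an enabled account.
        if a.hr_status == "offboarded" and a.enabled:
            findings.append(Finding("AC-2", a.username, "enabled after offboarding"))
        # AC-6: granted access must not exceed what the authorized role allows.
        allowed = ROLE_ACCESS.get(a.role)
        if allowed is None:
            findings.append(Finding("AC-6", a.username, f"unknown role {a.role!r}"))
        elif not a.access <= allowed:
            extra = ", ".join(sorted(a.access - allowed))
            findings.append(Finding("AC-6", a.username, f"access beyond role: {extra}"))
        # IA-2: every enabled account needs MFA; privileged ones use company phones.
        if a.enabled:
            if a.mfa_method not in ACCEPTED_MFA:
                findings.append(Finding("IA-2", a.username, "no accepted MFA method"))
            elif a.privileged and a.mfa_method not in PRIVILEGED_MFA:
                findings.append(Finding("IA-2", a.username, "privileged account without company-phone MFA"))
    return findings


def check_session_config(config: dict) -> List[Finding]:
    """AC-12: the payroll system's idle timeout must not exceed 15 minutes."""
    timeout = config.get("session_timeout_minutes")
    if timeout is None or timeout > SESSION_TIMEOUT_MAX_MIN:
        return [Finding("AC-12", "system", f"session timeout is {timeout}, limit {SESSION_TIMEOUT_MAX_MIN} min")]
    return []


def monthly_audit(accounts: List[Account], config: dict) -> List[Finding]:
    return check_accounts(accounts) + check_session_config(config)


def to_poam(findings: List[Finding], opened: date) -> List[dict]:
    """Record each finding as an open POA&M item, tracked until closed."""
    return [
        {"id": f"POAM-{i:03d}", "control": f.control, "weakness": f"{f.subject}: {f.detail}",
         "source": "monthly account audit", "opened": opened.isoformat(), "status": "Open"}
        for i, f in enumerate(findings, start=1)
    ]


# Constructed sample data (not real BioHuman accounts or settings).
SAMPLE_ACCOUNTS = [
    Account("a.clerk", "payroll_clerk", {"read"}, False, True, "managed_device", "active"),
    Account("b.manager", "payroll_manager", {"read", "write"}, False, True, "hardware_key", "active"),
    Account("c.former", "payroll_clerk", {"read", "write"}, False, True, "managed_device", "offboarded"),
    Account("d.admin", "it_admin", {"read", "write", "admin"}, True, True, "hardware_key", "active"),
    Account("e.nomfa", "payroll_clerk", {"read"}, False, True, None, "active"),
]
SAMPLE_CONFIG = {"session_timeout_minutes": 30}   # constructed: exceeds the AC-12 limit

if __name__ == "__main__":
    for row in to_poam(monthly_audit(SAMPLE_ACCOUNTS, SAMPLE_CONFIG), AUDIT_DATE):
        print(row)
```

Against the constructed data the audit raises five items: the offboarded clerk's account that is still enabled and over-privileged, the administrator whose MFA factor is not a company phone, the clerk with no MFA enrolled, and the 30-minute session timeout. Each row carries the control identifier so the POA&M can be reconciled with the authorization package during the monitor step.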

13. Information System Security Plan Completion Date: 8/1/2022

14. Information System Security Plan Approval Date: 8/14/2022
