Healthcare Case – My Assignment Tutor

November 23, 2021 by seo_automation_owner

Information Assurance: EN.695.601
Final Examination: Healthcare Case: Standards-Based Approach to Cybersecurity, 9.0, April 7, 2021

Final Examination: Question and Grading Template: Ten Steps

1. Step 1: Final Examination Question (Updated April 7, 2021)

Question: Build a Plan for an ABAC Pilot Case

Please develop, using NCCoE (NIST National Cybersecurity Center of Excellence) use cases, a plan for an ABAC (Attribute Based Access Control) Pilot Case. The ABAC Pilot Case provides a suggested transition program for a hypothetical hospital electronic health records (EHR) system. An objective of the pilot EHR system is to provide the planning steps to transition from role based access control (RBAC) to an attribute based access control (ABAC) system. ABAC is additive to RBAC.

Question Scope: Build a Plan for an ABAC Pilot Case for a Hypothetical Inova Fairfax Hospital Transplant Center

Please consider using actual Inova Fairfax references for a Hypothetical Inova Fairfax Hospital: Transplant Center use case for the pilot EHR.

ABAC Pilot Case: Building on Two NCCoE Use Cases: Integrating Selected NCCoE Use Case Analysis

Please consider using, with attribution, the work of the NIST NCCoE (National Institute of Standards and Technology National Cybersecurity Center of Excellence) as presented in two use cases:
1) NCCoE Use Case: RBAC: NIST Special Publication 1800-1B: Securing Electronic Health Records on Mobile Devices, July 27, 2018. (RBAC: Role Based Access Control)
2) NCCoE Use Case: ABAC: NIST Special Publication 1800-3B, C: Attribute Based Access Control, Second Draft, September 20, 2017. (ABAC)

Plan for an ABAC Pilot Case: We Provide a Suggested Ten Step Grading Template to Build a Plan for an ABAC Pilot Case

Please consider the Suggested Ten Step Grading Template for developing the plan for your ABAC Pilot Case. We define the scope of your ABAC Pilot Case to be a hypothetical Inova Fairfax Hospital: Transplant Center.

The test case includes a transition of three components of the hypothetical Inova Fairfax Hospital EHR system from RBAC to ABAC. The ABAC Pilot Case integrates three "To Be" silos into a proposed target pilot system. These components are defined in NIST SP 1800-1B. The three components (silos) for this hypothetical case are: 1) Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN.

Final Examination Scope: Management Approval for an ABAC Pilot Case

For this final examination, we start our ABAC Pilot Case planning and analysis after management approval. An ABAC Pilot Case is suggested to reduce patient safety risk for the hypothetical Inova Fairfax hospital complex. Patient safety risk depends in part on applying a cost/benefit/risk optimization to the ABAC Pilot Case.[1] A fixed system budget for this optimization approach may include optimization of five factors: 1) safety; 2) reliability; 3) resilience; 4) security; and 5) privacy.[2]

We adapt for this case NISTIR 8170: Approaches for Federal Agencies to Use NIST Cybersecurity Framework, March 19, 2020, Figure 2: Federal Cybersecurity Approaches (see Figure 1 below). Please consider the Hypothetical Inova Fairfax organization decision-making process for this final exam, Figure 1 (NISTIR 8170: Figure 2). We suggest the following interpretation of Figure 1 (NISTIR 8170: Figure 2: Federal Cybersecurity Approaches):
1) NIST Level 1: Organization: CEO and top management policies pertaining to the ABAC Pilot.
2) NIST Level 2: Mission/Business Processes: Management procedures pertaining to the ABAC Pilot. For example, receive ABAC Pilot updates and exception reports, analyze the ABAC Pilot updates, and then 1) provide guidance to Level 3: ABAC Implementation; and 2) report on ABAC progress to Level 1: CEO and top management.
3) NIST Level 3: System (ABAC Pilot): Implementation.
Figure 1: Hypothetical INOVA Pilot Case: Transition from RBAC to ABAC[3]

Final Examination Format

Please consider the suggested format provided in this document, i.e., the ten steps in this grading template. A typical final examination is about 20 pages, single spaced, with attribution, e.g., footnotes for citations for figures/tables. Please consider using the interpretation of NISTIR 8170: Figure 2: Federal Cybersecurity Approaches above: 1) NIST Level 1: Organization: CEO policies; 2) NIST Level 2: Mission/Business Processes: Management Procedures; and 3) NIST Level 3: System (ABAC Pilot) Implementation.

Final Examination Suggested Format

A title page is suggested.
Step 1: Final Examination Question
Contents
Steps 2-10

Final Examination Research

Since this is an introductory course, we provide for your review selected cybersecurity risk management guidance and concepts in a ten-step process. This ten-step process helps you work through the analysis. For example, we provide guidance, figures/tables, and sources for the steps. In addition, we also offer for your review conceptual views (Appendix I) and selected prior students' guidance (Appendix II).

Contents

Final Examination: Question and Grading Template: Ten Steps
1. Step 1: Final Examination Question (Updated April 7, 2021)
   Question: Build a Plan for an ABAC Pilot Case
   Question Scope: Build a Plan for an ABAC Pilot Case for a Hypothetical Inova Fairfax Hospital Transplant Center
   ABAC Pilot Case: Building on Two NCCoE Use Cases: Integrating Selected NCCoE Use Case Analysis
   Plan for an ABAC Pilot Case: We Provide a Suggested Ten Step Grading Template to Build a Plan for an ABAC Pilot Case
   Final Examination Scope: Management Approval for an ABAC Pilot Case
   Final Examination Format
   Final Examination Suggested Format
   Final Examination Research
2. Step 2: Use the NIST Three-Level Framework for Cybersecurity Risk Management
   2.1 NIST Level 1: Organization: Hypothetical Inova Fairfax organization management: Assume approval for a pilot case for a transition to ABAC is given by hypothetical CEO Inova Fairfax
   NIST Level 3: System: Hypothetical Inova Fairfax mission/business systems plan for a pilot case for a transition to ABAC is implemented
   Step 2.2: ABAC: Systems Security Engineering: Integrated Examples
3. Step 3: Final Examination: NIST Security Control Maps
   3.1 NIST Security Control Maps
4. Step 4: Apply NIST Security Control Maps and Architectures to the Final Examination
   Step 4.1 NIST Healthcare Use Case Architecture and Security Control Maps
5. Step 5: Cybersecurity Framework: Improving a Cybersecurity Program: NIST Seven-Step Gap Analysis
6. Step 6: Pilot Case: Key Inova Fairfax Cybersecurity Guidance
   6.1 Inova Fairfax Access Control Policy – Inova
   6.2 Mobile Device Management Policy – Inova
   6.3 Remote and Extended Access | Inova
   6.4 Other INOVA Access Control Issues
   6.4.1 For Employees | Inova
   6.5.1 Prior searches
7. Step 7: Analysis
8. Step 8: Conclusions
9. Step 9: Matters for Consideration (Updated November 8, 2019)
10. Step 10: References
Appendix I: IA Final Examination: Conceptual Interpretation of Selected RBAC/ABAC Issues, Version 2.0, August 1, 2020
   Step 1: Final Examination Question
   Step 4: Apply NIST Security Control Maps and Architectures to the Final Examination
   Step 4.1: NIST Healthcare Use Case Architecture and Security Control Maps
   Step 6: Pilot Case: Key INOVA Cybersecurity Guidance
   Step 7: Analysis
Appendix II: Strategic Rubric: Based on Student Comments
   Tactical Rubric: Based in part on a review of prior examinations, we update a Tactical Rubric

2. Step 2: Use the NIST Three-Level Framework for Cybersecurity Risk Management

2.1 NIST Level 1: Organization: Hypothetical Inova Fairfax organization management: Assume approval for a pilot case for a transition to ABAC is given by hypothetical CEO Inova Fairfax.

Responsibility: The hypothetical CEO (Chief Executive Officer) and Hospital Officers are responsible for deciding go/no-go for cases that require integrating enterprise and cybersecurity risk management (Area 1). The go/no-go decision in this case is for the hypothetical CEO to approve/disapprove a theoretical request from the hypothetical Level 2: Mission/Business Systems: for example, review an optimum set of scenarios for a pilot case for the Hypothetical Inova Fairfax Hospital: Transplant Center. Each scenario for the pilot could include cost/benefit/risk.[4] For example, NIST suggests consideration of cost/benefit/risk in an optimization approach, e.g., integrating three silos.

In a hospital optimization environment, such as our Hypothetical Inova Fairfax Hospital use case, there may be financial budget constraints for a pilot case to extend EHR from "RBAC" to "RBAC extended to ABAC." One interpretation of NIST CPS (Cyber-Physical Systems)[5] risk optimization guidance applies to final examination Step 5.4: Conduct a Risk Assessment. An overarching NIST view for CPS risk assessment is to optimize three factors (silos): cost/benefit/risk. In Step 5.4, we could consider a NIST suggestion for a CPS "risk budget."[6] For example, a "risk budget" may be a fixed financial amount that is optimized by balancing five properties for the pilot case described in this examination (see Step 5.4: Conduct a Risk Assessment). The five properties or silos are 1) safety; 2) security; 3) reliability; 4) resilience; and 5) privacy. Possibly, the above priority sequence may apply to the final examination pilot case.

NIST provides systems security engineering analysis[7] that could be interpreted for our pilot case to extend EHR to ABAC for 1) Radiology Dept; 2) Dr. Jones: Orthopedics; and 3) VPN (Virtual Private Network). For example, we could analyze three silos: 1) Radiology; 2) Dr. Jones: Orthopedics; and 3) VPN. These three silos could be viewed from an integrated risk budget viewpoint using a CPS "risk budget."

NIST Level 2: Mission/Business Processes: Hypothetical Inova Fairfax organization management: Assume approval to plan for a pilot case for a transition to ABAC.

Responsibility: The Hypothetical Inova Fairfax Hospital: Transplant Center plans for implementation of the pilot.

Figure 2: Hypothetical INOVA Pilot Case: Transition from RBAC to ABAC[8]

NIST Level 3: System: Hypothetical Inova Fairfax mission/business systems plan for a pilot case for a transition to ABAC is implemented.

The focus for the pilot case is the categories 1) Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN (integrating secure access for three To-Be silos for a pilot).

Step 2.2: ABAC: Systems Security Engineering: Integrated Examples

Please note that ABAC may be considered a logical subset of NIST Special Publication 800-207: Zero Trust Architecture, August 2020. For example, see Section 3.1.1: ZTA Using Enhanced Identity Governance; and Section 4.4: Collaboration Across Enterprise Boundaries. For example: "Similar to Use Case 1, a PE [Policy Engine] and PA [Policy Administrator] hosted as a cloud service may provide availability to all parties without having to establish a VPN or similar." Further, attribute guidance is discussed in NIST Special Publication 800-210: General Access Control Guidance for Cloud Systems, July 2020, Section 5.6: Guidance for Attribute and Role Management.

Step 3: Final Examination: NIST Security Control Maps

3.1 NIST Security Control Maps

Please introduce the NIST concept of security control maps that apply to NIST Cybersecurity Risk Management cases. For example, we highlight the five iterative functions from the Cybersecurity Framework Core: identify, protect, detect, respond, recover[9] (see Figure 2). Conceptually, NIST Figure 2, which is a high-level view of the NIST Cybersecurity Framework, V1.1, March 2018, Appendix Table 2: NIST Core, introduces two concepts: 1) the NIST five iterative functions assist in integrating functional silos; and 2) the NIST iterative functions map to informative references, for example, NIST Special Publication 800-53 Rev. 4/5 (Draft): Security and Privacy Controls for Information Systems and Organizations (Final Public Draft), March 16, 2020: security controls.

Figure 2: NIST Security Control Map: Function and Category Unique Identifiers
Source: NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, Draft 2, December 5, 2017. Note: Current version is 1.1, April 16, 2018.

4. Step 4: Apply NIST Security Control Maps and Architectures to the Final Examination

Here are the suggested Steps 4.1-8.

Analytical Note: A suggested analytical observation for Tables 1 and 2: EHR access control may be viewed as 1) PR.AC (RBAC); and 2) PR.AC-1, 3 and 4 (ABAC) for more fine-grained access.

Step 4.1 NIST Healthcare Use Case Architecture and Security Control Maps

Here for your review are suggested steps for this section:

First: "As Is" Use Case Architecture: Please consider reviewing NIST Special Publication 1800-1B: Securing Electronic Health Records on Mobile Devices: Approach, Architecture, and Security Characteristics, July 2018, Section 3: Approach, Figure 3-1: Security Characteristics Required to Securely Perform the Transfer of Electronic Health Records Among Mobile Devices; and Section 4.2: Architecture Description, Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization.

Second: Security Control Maps: A NIST security control map example of the process for determining which security characteristics apply to SP 1800-1B is presented in Table 3-2: Mapping Security Characteristics to the NIST Cybersecurity Framework and HIPAA (Health Insurance Portability and Accountability Act). Please consider this table (Note: this is a NIST Security Control Map).

Third: Please consider using the above figures and tables to introduce the "As Is" Profile in your final examination.

Fourth: Please consider developing a version of this "As Is" NIST Security Control Map for your final examination. For example, see Table 1. The remaining entries of Table 1 are not provided, i.e., "…".

Table 1: Sample: Mapping Security Characteristics of NIST CSF, HIPAA Security Controls: "As Is" Profile
Source: NIST SP 1800-1B Draft: Securing Electronic Health Records on Mobile Devices: Approach, Architecture, and Security Characteristics, July 2018, Table 3-2; and NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018, Appendix A, Table 2.

Fifth: "To Be" Profile: Please prepare a table that represents a NIST Security Control Map extract for a "Target Profile" ("To Be") for the final examination healthcare use case. An issue for the final examination is that Step 5 is adding ABAC to RBAC. Therefore, just an ABAC table and ABAC architecture is not sufficient for "To Be." The "Target Profile" could be a figure, such as a NIST security control map, that you develop to add attribute-based access control (ABAC) to: 1) the Radiology Department; 2) Dr. Jones Orthopedics; and 3) the VPN (Virtual Private Network) external access point for remote users (as defined in NIST SP 1800-1B: Table 4-1, also listed as Table 2 [ABAC] above). [Emphasis added] NIST provides an example of ABAC mapping to the NIST CSF security characteristics (see Table 2: [ABAC] Use Case Security Characteristics Mapped to Relevant Standards and Controls).

Table 2: [ABAC] Use Case Security Characteristics Mapped to Relevant Standards and Controls [Additive "To Be" Profile]
Source: NIST SP 1800-3B Draft: Attribute Based Access Control: Approach, Architecture, and Security Characteristics, September 2017, Table 4.1: Use Case Security Characteristics Mapped to Relevant Standards and Controls; and NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018, Appendix A, Table 2.

Sixth: The two baseline architectures are presented in SP 1800-1B: Figure 4-1 ("As Is"); and SP 1800-3B: Figure 5.1 ("To Be").
Seventh: Your assignment includes adapting SP 1800-3B: Figure 5.1: ABAC Build 1 Architecture (Additive "To Be") to meet the ABAC security requirements for three users in SP 1800-1B: Figure 3: 1) the Radiology Department; 2) Dr. Jones Orthopedics; and 3) the VPN external access point for remote users. The basic access controls, such as RBAC (Role Based Access Control), in "As Is" are extended to ABAC for "To Be."

Eighth: In summary, ABAC supports a fine-grained access control upgrade for RBAC. Review: Analytical Note: A suggested analytical observation for Tables 1 and 2: EHR access control may be viewed as 1) PR.AC (RBAC); and 2) PR.AC-1, 3 and 4 (ABAC) for more fine-grained access.

5. Step 5: Cybersecurity Framework: Improving a Cybersecurity Program: NIST Seven-Step Gap Analysis

Note: This is where grading decisions between B and A depend on how well you develop/analyze the NIST seven-step gap analysis for this case in the final examination. The NIST seven-step gap analysis is more formally defined in the CSF, Section 3.2.[9]

Please consider developing a NIST seven-step gap analysis[10] for the final examination case. As introduced, this case defines three users for this pilot healthcare system: 1) Radiology Department; 2) Dr. Jones Orthopedics (specialty practice); and 3) remote users via the VPN (Virtual Private Network) external access point.

Note: Section 5: The pilot case introduces a "worked example" of healthcare systems technology. For example, Inova Fairfax Hospital/Epic is based on Epic technology. This pilot case is for adding ABAC (fine-grained access control) to NIST Cybersecurity Practice Guide SP 1800-3B, Figure 4-1: Architecture for the secure exchange of electronic health records on mobile devices in a healthcare organization.

Please follow the NIST instructions in NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018, Section 3.2: Establishing or Improving a Cybersecurity Program:

Step 5.1: Prioritize and Scope

Step 5.2: Orient

Step 5.3: Create a Current Profile ("As Is")
a. Table 1: NIST Special Publication 1800-1b: Draft: Securing Electronic Health Records on Mobile Devices, Approach, Architecture, and Security Characteristics, July 2015: Table 2: Mapping Security Characteristics to the CSF [NIST Cybersecurity Framework] and HIPAA [Health Insurance Portability and Accountability Act].
b. Table 2: NIST Special Publication 1800-1d: Draft: Securing Electronic Health Records on Mobile Devices: Standards and Controls Mapping, July 2015: Table 2: Security Characteristics Mapped to Cybersecurity Standards and Best Practices and HIPAA. [An extract is fine.]
c. Figure 1: NIST Special Publication 1800-1b: Draft: Securing Electronic Health Records on Mobile Devices, Approach, Architecture, and Security Characteristics, July 2015: Figure 3: Architecture for the secure exchange of electronic health records on mobile devices in a health care organization.
Please consider figures/tables and captions with a footnote.

Step 5.4: Conduct a Risk Assessment (Review: See Section 2.1)

For example: Hypothetical Inova Fairfax Hospital: Transplant Center. Each scenario for the pilot could include cost/benefit/risk.[11] For example, NIST suggests consideration of cost/benefit/risk in an optimization approach, e.g., integrating three silos. In a hospital optimization environment, such as our Hypothetical Inova Fairfax Hospital use case, there may be financial budget constraints for a pilot case to extend EHR from "RBAC" to "RBAC extended to ABAC." One interpretation of NIST CPS (Cyber-Physical Systems)[12] risk optimization guidance applies to final examination Step 5.4: Conduct a Risk Assessment. An overarching NIST view for CPS risk assessment is to optimize three factors (silos): cost/benefit/risk. In Step 5.4, we could consider a NIST suggestion for a CPS "risk budget."[13] For example, a "risk budget" may be a fixed financial amount that is optimized by balancing five properties for the pilot case described in this examination (see Step 5.4: Conduct a Risk Assessment). The five properties or silos are 1) safety; 2) security; 3) reliability; 4) resilience; and 5) privacy. Possibly, the above priority sequence may apply to the final examination pilot case. NIST provides systems security engineering analysis[14] that could be interpreted for our pilot case to extend EHR to ABAC for 1) Radiology Dept; 2) Dr. Jones: Orthopedics; and 3) VPN (Virtual Private Network). For example, we could analyze three silos: 1) Radiology; 2) Dr. Jones: Orthopedics; and 3) VPN. These three silos could be viewed from an integrated risk budget viewpoint using a CPS "risk budget."

Step 5.5: Create a Target Profile ("Target Profile", "To Be")

Please consider figures/tables and captions with footnotes. For example, the two additive "To Be" figures/tables are SP 1800-3B: Table 4.1 and Figure 5.1. Your assignment includes proposing one or more tables and figures that show your proposed ABAC architecture upgrade for SP 1800-1B: Figure 4-1. Our focus is on access control for the three users for this healthcare case: 1) the Radiology Department; 2) Dr. Jones Orthopedics; and 3) the VPN external access point for remote users.
a. Note: ABAC is an additive architecture. In this case, ABAC is added to SP 1800-1 RBAC (Role Based Access Control) systems.
b. Table 3: NIST Special Publication 1800-3B: Attribute Based Access Control: Approach, Architecture, and Security Characteristics: Second Draft, September 2015: Table 4.1: Use Case Security Characteristics Mapped to Relevant Standards and Controls.
c. Figure 2: NIST Special Publication 1800-3B: Attribute Based Access Control: Approach, Architecture, and Security Characteristics: Second Draft, September 2017: Figure 5.1: ABAC Build 1 Architecture.
d. Figure 3: ABAC Extension to RBAC, SP 1800-1B: Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization. The additive issue may be viewed as adding ABAC specificity to RBAC authentication in SP 1800-1B: Figure 3-1: Security Characteristics Required to Securely Perform the Transfer of Electronic Health Records Among Mobile Devices.

Step 5.6: Determine, Analyze, and Prioritize Gaps

Step 5.7: Implement Action Plan

6. Step 6: Pilot Case: Key Inova Fairfax Cybersecurity Guidance

Key Issue: If Inova Fairfax cybersecurity guidance is RBAC oriented, we could suggest that the RBAC oriented guidance be considered for an upgrade to ABAC cybersecurity guidance. Please include consideration of the following Inova Fairfax access documents. These documents provide guidance for Inova Fairfax 1) Access Control Policy; 2) Mobile Device Management Policy; 3) Remote and Extended Access; and 4) Other Inova Fairfax Access Issues.

6.1 Inova Fairfax Access Control Policy – Inova

Web Policies | Inova
www.inova.org › about-inova › web-policies
"… of the internet, Inova Health Foundation (Inova) does not warrant that access to any Inova web property or any of its pages will be uninterrupted or error free."

Remote and Extended Access | Inova
www.inova.org › for-employees › remote-extended-acc…
"For Inova employees: This webpage has links to Citrix applications (Inova remote network access), referring physician PACS access, InovaNet, and MyTime."

6.2 Mobile Device Management Policy – Inova

https://www.inova.org › sites › default › files › mobile-device-mgmt
"The Mobile Device Management Policy provides the standards and rules of behavior for the use of all 'Mobile …'"
http://inovanet.net.inova.org/policies/view.aspx?id=2281&sid=1&categoryId=586
"… Inova IT … and limited personal communication or recreation, such as reading or game playing. … Documents."

6.3 Remote and Extended Access | Inova

https://www.inova.org › for-employees › remote-extended-access
"For Inova employees: This webpage has links to Citrix applications (Inova remote network access), referring physician PACS access, InovaNet, and MyTime …"

6.4 Other INOVA Access Control Issues

6.4.1 For Employees | Inova
https://www.inova.org › for-employees
"Check the links below, and on the left- and right-hand sides of the page, for ways to access Inova email accounts, the network, policies and information on the …"

6.5.1 Prior searches

Please update any additional links that you wish to use for your final examination. Prior INOVA search results were found for these key words. Other INOVA links for INOVA EpicCare include:
1. Physicians
2. Patient: MyChart Video
5. Employee Remote Access
6. EpicCare Link

7. Step 7: Analysis

Please answer the Analysis aspect of the Final Examination Question. When developing your analysis with respect to the examination question, please consider including a comparison of your "To Be" security architecture with the hypothetical Inova Fairfax Epic/EpicCare baseline case ("As Is" Profile). For example, Inova Fairfax EpicCare is an operational system, and an ABAC pilot for a healthcare system applies to "designing in security"[11] for future healthcare systems. During the pilot, the hypothetical Inova Fairfax has to maintain operations and patient safety levels.

Analysis Levels: Hypothetical Inova Fairfax Hospital Case
1. NIST Level 1: Organization [Hypothetical Inova Fairfax Hospital Policy, such as Mobile Device Management Policy: Assume the CEO approves this pilot.]
2. NIST Level 2: Mission/Business Processes [Hypothetical Inova Fairfax Hospital Procedures, such as Transplant Center Procedures: Assume the Manager of the Transplant Center approves the procedures for this pilot.]
3. NIST Level 3: System [Hypothetical Inova Fairfax system implementation, such as VPN, Radiology, and Dr. Jones: Assume that a case manager is assigned for this pilot.]

8. Step 8: Conclusions

Please answer the Conclusions aspect of the Final Examination Question. Please develop your Conclusions based on your Analysis, and consider a second level of specificity.

Conclusions Levels
1. NIST Level 1: Organization. For example, assume the CEO decides to approve this pilot.
2. NIST Level 2: Mission/Business Processes. For example, assume the Transplant Center manager provides the NIST seven-step gap analysis instructions for this pilot.
3. NIST Level 3: System. For example, assume that the Pilot team implements the NIST seven-step gap analysis for the completed pilot.

9. Step 9: Matters for Consideration (Updated November 8, 2019)

Mobile devices may be considered from a unified CPS/IoT (Cyber-Physical Systems/Internet of Things)[15] systems perspective (see Figure 1). For example, we may analyze CPS/IoT issues such as access and authorization, data security, and privacy concerns.

Figure 2: CPS/IoT Unified View for Autonomous Vehicles
Source: NIST: Special Publication 1900-202: Cyber-Physical Systems and Internet of Things, March 2019, Section 6.1: Components Model: Linked Logical and Physical Elements.

In addition, there are unified CPS/IoT "system risk budget" issues.[16]

10. Step 10: References

Please consider complete references, e.g., author, title, organization, date, link.

Appendix I: IA Final Examination: Conceptual Interpretation of Selected RBAC/ABAC Issues, Version 2.0, August 1, 2020

IA students,

Perhaps you may be interested in this Version 2.0 of selected comments to students concerning an interpretation of the final examination.
The comments apply in part to the Final Examination Steps 1, 4, 4.1, 6 and 7. Hopefully, this is helpful.

Best regards,
Harold

Step 1: Final Examination Question

Perhaps the following conceptual view of the final examination could be helpful. Conceptually, the final examination is concerned with developing a hypothetical pilot case for the Inova Fairfax Hospital, Transplant Center. The case may be viewed as adding specificity (Attribute Based Access Control) to access control (Role Based Access Control):

Figure 1 (below): RBAC may be mapped to the NIST Cybersecurity Framework Identity Management, Authentication and Access Control (PR.AC) security function. Please see Final Examination Step 4: Apply NIST Security Control Maps and Architectures: Table 1: Sample: Mapping Security Characteristics of NIST CSF, HIPAA Security Controls ("As Is" Profile).

Figure 2 (below): ABAC may be mapped to the NIST Cybersecurity Framework Identity Management, Authentication and Access Control (PR.AC-1, 3 and 4). A key issue is that ABAC has more specificity than RBAC, e.g., PR.AC-1, 3 and 4 for ABAC vs. PR.AC for RBAC. (See Final Examination Table 2: [ABAC] Use Case Security Characteristics Mapped to Relevant Standards and Controls [Additive "To Be" Profile].)

Source: NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations, January 2014/August 2, 2019

Figure 1: Traditional (Non-ABAC, such as RBAC [Role Based Access Control]) Multi-Organizational Access Method, interpreted with respect to the final examination question (Step 1: Final Examination Question ["As Is" Architecture]):
1) Organization A's Subjects (Users): Users accessing the Radiology Department using RBAC; Dr. Jones Orthopedics accessing EHRs (Electronic Health Records) using RBAC.
2) Access Request: Using a VPN (Virtual Private Network).

Source: NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations, January 2014/August 2, 2019

Figure 2: Basic ABAC Scenario ["To Be" Architecture], interpreted with respect to the final examination question (Step 1: Final Examination Question):
1) Organization A's Subjects (Users): Users accessing the Radiology Department using ABAC; Dr. Jones Orthopedics accessing EHRs (Electronic Health Records) using ABAC.
2) Access Request: ABAC Step 1: Subject requests access to object, using a VPN (Virtual Private Network).
3) ABAC Step 2: The ABAC Access Control Mechanism evaluates a) Rules; b) Subject Attributes; c) Object Attributes; and d) Environment Conditions to compute a decision.
4) ABAC Step 3: Subject [User request to Radiology Department and/or Dr. Jones Orthopedics accessing EHRs] is given access to the object if authorized.

Step 4: Apply NIST Security Control Maps and Architectures to the Final Examination

Step 4.1: NIST Healthcare Use Case Architecture and Security Control Maps:

Fourth: One interpretation of step Fourth ("As Is" NIST Security Control Map in Table 1) is to 1) copy Table 1: Sample: Mapping Security Characteristics of NIST CSF, HIPAA Security Controls ("As Is" Profile); and 2) explain the importance of Access Control (PR.AC) for RBAC to the design of the Inova Fairfax pilot.

Fifth: One interpretation of step Fifth ("To Be" Profile) is to 1) copy Table 2: [ABAC] Use Case Security Characteristics Mapped to Relevant Standards and Controls [Additive "To Be" Profile]; and 2) explain the importance of the added Access Control (PR.AC) specificity for ABAC to the design of a transition from 1) RBAC to 2) RBAC extended to ABAC for the INOVA pilot. For example, Table 2, rows 1-3, column 5 identifies, at a second level of specificity, PR.AC-1, 3, and 4 as defined in NIST SP 800-53 rev 4 [Note: Current version is SP 800-53 rev 5 (Final Public Draft), March 16, 2020].

Step 6: Pilot Case: Key INOVA Cybersecurity Guidance:

One view of the INOVA 1) Access Control Policy; 2) Mobile Device Management Policy; 3) Remote and Extended Access; and 4) Other INOVA Access Issues is that Steps 1-5 for the Pilot should be compatible with the Step 6 INOVA Access Policy Issues. Steps 1-5 are: Step 1: Final Examination Question; Step 2: Use the NIST Three-Level Framework for Cybersecurity Risk Management; Step 3: Final Examination: NIST Security Control Maps; Step 4: Apply NIST Security Control Maps and Architecture to the Final Examination; Step 5: Cybersecurity Framework: Improving a Cybersecurity Program: NIST Seven-Step Gap Analysis (followed by Step 6: Pilot Case: Key INOVA Cybersecurity Guidance). In brief, Step 6: Pilot Case may include a focus on ABAC issues that is beyond the scope of the INOVA RBAC access policy. Therefore, this situation could require consideration in Step 7.

Step 7: Analysis:

Yes. The expectation includes stating and describing potential Inova Fairfax policy updates to accommodate ABAC. For example, these updates could be considered for each NIST level: 1) Organization; 2) Mission/Business Processes; and 3) System.

Hopefully, this is helpful.

Best regards,
Harold

Appendix II: Strategic Rubric: Based on Student Comments

Question Strategy: Please place your emphasis on analysis and conclusions. This helps demonstrate your understanding of the final examination issues.

Question Visualization: To help with visualization of a scenario for this examination, here is a hypothetical ABAC pilot case for a hypothetical Inova Fairfax hospital.
Inova Fairfax uses an integrated healthcare system called EpicCare.
Please consider the Inova Fairfax access control policy: a theoretical INOVA Mobile Device Management Policy, Version 2.0, April 21, 2016; https://www.inova.org/upload/docs/Education%20and%20Research/GME/mobile-device-mgmt.pdf
We suggest for this examination considering that a theoretical Inova Fairfax Transplant Center is evaluating an ABAC pilot EHR system for its potential application to its transplant patient EHRs.
The ABAC pilot EHR system is introduced in NIST Special Publication 1800-1: Securing Electronic Health Records on Mobile Devices, July 2018, Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization.
The ABAC architecture to be added to the pilot is introduced in NIST Special Publication 1800-3: Attribute Based Access Control, Second Draft, September 2017.
The Inova Fairfax Transplant Center will use NIST cybersecurity risk management guidance to assess the potential impact of the ABAC pilot.

Suggested strategy: Please consider the Inova Fairfax Transplant Center as the organization that is evaluating the ABAC case. A central issue for this examination is to consider NIST SP 1800-1B, July 2018, Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization. The three data center access categories for this ABAC case are 1) Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN. The Inova Fairfax Transplant Center could be considering updating their RBAC (Role Based Access Control) system architecture to ABAC (Attribute Based Access Control). Role based access control assigns users into groups, for example, patients, doctors, nurses, pharmacy, radiology, and external users. ABAC is additive and provides more fine-grained access control.
For example, a transplant surgeon may have to use fingerprint, one-time code verification and access to his/her cell phone for ABAC identification. For example, the cell phone provides ABAC fine grain GPS location. Caveat: This case is hypothetical: We are using the Inova Fairfax Transplant Center as the basis for evaluation of a hypothetical ABAC case to assist in our final examination analysis. Suggested case setting: For this examination, please consider the Inova Fairfax Transplant Center management as analyzing an ABAC case. The “As Is” architecture for this ABAC case is presented in the Electronic Health Records (EHR) system architecture in Figure 4-1 Architecture for the Secure Exchange of Electronic Health Records on Mobile Device in a Healthcare Organization. The Inova Fairfax Transplant Center may be considering this ABAC case. For example, this ABAC case involves seven steps that are defined in the NIST Cybersecurity Framework,[17] We highlight three key steps from the seven-steps for the analysis of the RBAC case[18]: Create a Current Profile: NIST Cybersecurity Framework Step 3: Identification of the “As Is” RBAC EHR architecture.Conduct a Risk Assessment: NIST Cybersecurity Framework Step 4.A risk assessment of transitioning the “As Is” RBAC EHR architecture for the ABAC pilot to a “To Be” ABAC EHR architecture. The risk assessment  involves optimization of cost/benefit/cybersecurity and patient risk.For example, ABAC EHR architecture may reduce the risk of entering incorrect kidney transplant patient anti-rejection medicine doses in a database.Create a Target Profile: NIST Cybersecurity Framework Step 5Identification of the “To Be” ABAC EHR target architecture. Cybersecurity and Safety Risk Optimization: Inova Fairfax Transplant Center management cannot change its EHR architecture within the Inova Fairfax Hospital EpicCare environment without Inova Fairfax Hospital approval. 
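As an added example (not code from the examination, from NIST SP 1800-3 or from Inova), the Python sketch below shows the ABAC Steps 1-3 decision described under Figure 2 layered on top of an RBAC role table, using the three access categories (Radiology Department, Dr. Jones Orthopedics, VPN) and the transplant surgeon's fingerprint, one-time code and phone GPS attributes. The role names, attribute keys, departments and rules are constructed assumptions for the hypothetical Transplant Center pilot.

```python
from dataclasses import dataclass

# Constructed sample policy for the hypothetical Transplant Center pilot
# (not from NIST SP 1800-3 or Inova; all attribute names are assumptions).

@dataclass
class Request:
    """ABAC Step 1: a subject asks to perform an action on an object."""
    subject: dict  # subject attributes: role, unit, fingerprint/OTP status
    action: str    # "read" or "write"
    obj: dict      # object attributes: department, patient category, record type
    env: dict      # environment conditions: network path, phone GPS fix

# "As Is" RBAC: department -> roles permitted (coarse PR.AC mapping).
ROLE_TABLE = {
    "radiology": {"radiologist", "surgeon", "nurse"},
    "orthopedics": {"surgeon", "nurse"},
    "transplant_center": {"surgeon", "nurse", "pharmacist"},
}

def rbac_decision(req):
    """RBAC groups users by role; the decision uses role and department only."""
    return req.subject["role"] in ROLE_TABLE.get(req.obj["department"], set())

# "To Be" ABAC rules, evaluated on top of RBAC (ABAC is additive).
def rule_vpn(s, a, o, e):
    # Remote requests (the third access category) must arrive over the VPN.
    return e["network"] in ("onsite", "vpn")

def rule_dose_integrity(s, a, o, e):
    # Writing an anti-rejection medicine dose needs fingerprint + one-time code.
    if a == "write" and o["record_type"] == "anti_rejection_dose":
        return s["fingerprint_verified"] and s["otp_verified"]
    return True

def rule_transplant_location(s, a, o, e):
    # Transplant patient EHRs: outside staff need an on-campus phone GPS fix.
    if o["patient_category"] in ("kidney_pancreas_transplant", "lung_transplant"):
        return s["unit"] == "transplant_center" or e["phone_gps_on_campus"]
    return True

RULES = [("vpn_required", rule_vpn), ("dose_write_mfa", rule_dose_integrity),
         ("transplant_location", rule_transplant_location)]

def abac_decision(req):
    """ABAC Steps 2-3: evaluate rules over subject, object and environment."""
    if not rbac_decision(req):
        return False, "deny:rbac_role"
    for name, rule in RULES:
        if not rule(req.subject, req.action, req.obj, req.env):
            return False, f"deny:{name}"
    return True, "permit"

# Constructed request: Dr. Jones (orthopedics surgeon) writes a kidney transplant
# patient's anti-rejection dose from home over VPN, with OTP but no fingerprint.
DR_JONES_WRITE = Request(
    subject={"role": "surgeon", "unit": "orthopedics",
             "fingerprint_verified": False, "otp_verified": True},
    action="write",
    obj={"department": "transplant_center", "record_type": "anti_rejection_dose",
         "patient_category": "kidney_pancreas_transplant"},
    env={"network": "vpn", "phone_gps_on_campus": False})
```

For DR_JONES_WRITE the RBAC table alone permits the write (surgeon role), while the additive ABAC rules deny it on the missing fingerprint, which is the integrity gain the anti-rejection dose example describes.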
For example, an integrated transition plan would have to be approved to evolve its access control system from RBAC to ABAC. Therefore, we may consider this examination as developing for review by Inova Fairfax Transplant Center management an ABAC pilot that includes a RBAC to ABAC transition program. This transition program could provide a use case for the Transplant Center to consider when assessing cybersecurity and patient safety vs Inova Fairfax Hospital EHR cybersecurity and patient safety in the existing EpicCare hospital environment. NIST Cybersecurity Guidance or Metrics: In summary, please consider the final examination as a project to analyze the cybersecurity risk and patient safety risk management issues of a proposed ABAC pilot. The scope of the ABAC pilot is: Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Device in a Healthcare Organization. The three data center access categories are 1)Radiology Department: 2) Dr. Jones Orthopedics; and 3) VPN Examination strategy: Scenario Example: Please analyze the ABAC pilot as a scenario for the three data center access categories 1)Radiology Department: 2) Dr. Jones Orthopedics; and 3) VPN. Here for your review is a conceptual view of the analysis of the pilot with respect to selected NIST guidance. Focus for Demonstration of Knowledge: Please consider the “big picture” for the final examination. For example, how does Inova Fairfax Hospital management, and the Inova Fairfax Transplant center management analyze this ABAC case. As introduced, a key part of the final examination grade is based on student analysis, such as implementing for the ABAC case the NIST seven-step risk analysis.[19]Consider Using the NIST Three Managerial Levels:  For example, the NIST seven-step risk analysis may be viewed from the three NIST managerial levels in the Inova Fairfax hospital. 
For example: NIST Cybersecurity Risk Management Level 1: Organization: Inova Fairfax HospitalDecisions with respect to the ABAC pilot: Hospital management determines the cost/benefit/cybersecurity and patient safety risk that would result from adopting the ABAC pilot transition from RBAC to ABAC on a hospital wide basis. For example, how would this impact patient safety for Inova Fairfax within the EpicCare hardware/software architecture?NIST Cybersecurity Risk Management Level 2: Mission/Business ProcessesDecisions with respect to the ABAC pilot: Inova Fairfax Transplant Center management determines the cost/benefit/cybersecurity and transplant patient safety risk that would result from adopting the ABAC pilot transition from RBAC to ABAC on a center wide basis. For example, how would this impact patient safety for the Inova Fairfax Transplant Center within the EpicCare hardware/software architecture?NIST Cybersecurity Risk Management Level 3: SystemDecisions with respect to the ABAC  pilot: Inova Fairfax Transplant Center management determines the cost/benefit/cybersecurity and transplant patient safety risk that would result from adopting the ABAC pilot transition from RBAC to ABAC within the center for each transplant patient category 1) lung transplant; and 2) kidney and pancreas transplant. For example, how would this impact patient safety for kidney transplant patients within the Inova Fairfax Transplant Center? Patient safety includes preserving the integrity of EHR records for anti-rejection medicine identification and prescription doses. Tactical Rubric: Based in part on a review of prior examinations, we update a Tactical  Rubric Authoritative NIST and NISTIR Cybersecurity Risk Management Guidance: Please consider as metrics for your examination the use of NIST cybersecurity risk management guidance. This includes providing footnotes for key issues. 
RBAC: “As Is” Profile: Please consider for role based access control (RBAC) the hospital healthcare EHR system that is defined in a NIST cybersecurity risk management use case. This case is reported in NIST SP 1800-1B: Securing Electronic Health Records on Mobile Devices, July 2018. Section 4: Architecture: Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization. ABAC: “To Be” Profile: Please consider a transition from a NIST standards based approach for access control, audit controls/monitoring and device integrity[20] that uses RBAC to attribute based access control (ABAC). Please consider for the transition, NIST metrics provided in NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018. Section 3.2: Establishing or Improving a Cybersecurity Program [seven step gap analysis]. NIST ABAC Publications: Two NIST ABAC publications are suggested for this examination: NIST Special Publication1800-3B: Attribute Based Access Control, Volume B: Approach Architecture, and Security Characteristics, Second Draft, September 2017.NIST Special Publication 800-205 (Draft): Attribute Considerations for Access Control Systems, February 13, 2019. Figure 1: Scopes of Attributes Used: Authorization, Authentication, and Attribute Proofing of an Access Control System. Please consider footnotes for key issues and for captions for figures/tables. [1] Note: Mobile devices may be considered as CPS. Therefore, NIST SP 1500-202, Section 2.3.3 may be considered as applying to the final examination (e.g., NIST SP 1800-1: RBAC EHR authentication upgrading to NIST SP 1800-3: ABAC EHR authentication). [2] Ibid. Note: Mobile devices may be considered as CPS. Therefore, NIST SP 1500-202, Section 2.3.3 may be considered as applying to the final examination (e.g., NIST SP 1800-1: RBAC EHR authentication upgrading to NIST SP 1800-3: ABAC EHR authentication). 
[3] NISTIR 8170: Approaches for Federal Agencies to Use NIST CSF, March 19, 2020. Figure 2: Federal Cybersecurity Approaches. [4] NIST Special Publication 1500-202, Vol. 2, Working Group Reports, Version 1.0, June 2017. Section 2.3.3: The need for cross-property risk analysis for CPS. and figure 3. [5] Note: Mobile devices may be considered as CPS. Therefore, NIST SP 1500-202, Section 2.3.3 may be considered as applying to the final examination (e.g., NIST SP 1800-1B, 3B): [6] Ibid. Note: Mobile devices may be considered as CPS. Therefore, NIST SP 1500-202, Section 2.3.3 may be considered as applying to the final examination (e.g., NIST SP 1800-1: RBAC EHR authentication upgrading to NIST SP 1800-3: ABAC EHR authentication). [7]  For example: NIST Special Publication 800-160, Vol. 1: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, November 2016/March 21, 2018. Figure 4: System Life Cycle Processes and Life Cycle States: Technical Management Processes: Risk Management.NIST Special Publication 800-160, Vol. 2: Developing Cyber Resilient Systems: A Systems Security Engineering Approach, November 2019. Table 1: Cyber Resiliency Constructs. Definition, Purpose, an Application at the System Level [for Goal (for example: high-level statement focusing on each aspect [of cyber resiliency]: anticipate, withstand, recover, adapt), Objective, Sub-Objective, Activity or Capability] [8] NISTIR 8170: Approaches for Federal Agencies to Use NIST CSF, March 19, 2020. Figure 2: Federal Cybersecurity Approaches. [9] NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018. Section 3.2: Establishing or Improving a Cybersecurity Program. [10] Ibid. NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018. Section 3.2: Establishing or Improving a Cybersecurity Program. [11] NIST Special Publication 1500-202, Vol. 
2, Working Group Reports, Version 1.0, June 2017. Section 2.3.3: The need for cross-property risk analysis for CPS. and figure 3. [12] Note: Mobile devices may be considered as CPS. Therefore, NIST SP 1500-202, Section 2.3.3 may be considered as applying to the final examination (e.g., NIST SP 1800-1B, 3B): [13] Ibid. Note: Mobile devices may be considered as CPS. Therefore, NIST SP 1500-202, Section 2.3.3 may be considered as applying to the final examination (e.g., NIST SP 1800-1: RBAC EHR authentication upgrading to NIST SP 1800-3: ABAC EHR authentication). [14]  For example: NIST Special Publication 800-160, Vol. 1: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, November 2016/March 21, 2018. Figure 4: System Life Cycle Processes and Life Cycle States: Technical Management Processes: Risk Management.NIST Special Publication 800-160, Vol. 2: Developing Cyber Resilient Systems: A Systems Security Engineering Approach, November 2019. Table 1: Cyber Resiliency Constructs. Definition, Purpose, an Application at the System Level [for Goal (for example: high-level statement focusing on each aspect [of cyber resiliency]: anticipate, withstand, recover, adapt), Objective, Sub-Objective, Activity or Capability] [15] . NIST Special Publication 1900-202: Cyber-Physical Systems and Internet of Things, March 2019. Section 6: Unified Perspective. Figure 8A: Components Model. 8. NIST Special Publication 1500-202: Framework for Cyber-Physical Systems: Working Group Reports, Vol. 2, Vers. 1,  June 26, 2017. Section 2.3.3: The need for cross-property risk analysis for CPS (System ‘risk budget’ [optimization of security, safety, reliability, privacy, and resilience]; and Figure 3: Physical, Analog, and Cyber Components of CPS.  [17] NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018. Section 3.2: Establishing or Improving a Cybersecurity Program. [18] Ibid. 
NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018. Section 3.2: Establishing or Improving a Cybersecurity Program. [19] Ibid. NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018. Section 3.2: Establishing or Improving a Cybersecurity Program. [20] NIST Special Publication 1800-1B. Table 3-2: Mapping Security Characteristics to the NIST Cybersecurity Framework and HIPAA [Health Information Portability and Accountability Act].