Case Studies and Examples

Information assurance can be a difficult concept to understand in practical terms. In this section, you will read about how information assurance is implemented in real-world situations.

Private Sector Case Study

The human element of IA is an important and often overlooked factor. As previously mentioned, training is an important aspect of implementing IA and a vital part of any IA program. Here, you’ll learn how implementing a training program assisted an organization in securing its environment and strengthening its IA.

Acme Tech Systems is one of the largest providers of IT services, systems integration, and training to the U.S. government. Nearly 80% of Acme’s business is with the U.S. Department of Defense and other U.S. federal government agencies.

Due to the nature of its work, Acme always had IA as a priority. The nature of the information Acme deals with is often classified and highly confidential. Unfortunately, in early 2015, Acme’s systems were being targeted at an increasing rate. Acme’s research showed that its network was being attacked over 1,000 times an hour, and a number of those attackers were getting through Acme’s perimeter defenses. Acme recognized that its critical information was being exposed to malicious users all over the world.

Improving the security of Acme’s network was a daunting task, and the small security team was often overwhelmed by the size and complexity of the system. Although a number of initiatives were started to further secure the system, a training program was seen as one of the most successful. Acme decided the best way to assist the security team was to have all of Acme’s systems administrators (SAs) acquire at least a basic knowledge of information security.

This was a challenge, with nearly 3,000 SAs to train. Acme implemented a two-phase program with computer-based training courseware and instructor-led courses, most of which consisted of hands-on labs. In fact, 60% of the course work was lab-based. This gave the SAs invaluable practice preventing hackers from accessing the network. The courses helped Acme’s SAs learn the skills and develop the tools needed to help them identify system vulnerabilities and implement countermeasures.

The results of the training were immediate. Within months of implementing the program, the number of successful attacks decreased by half. The training also provided valuable feedback to help strengthen Acme’s overall network further. Ongoing training allows the SAs to stay current with the tricks malicious users employ as well as with current security trends.

By enhancing the security awareness of all of its SAs, Acme was able to protect the confidentiality and integrity of its critical information. By maintaining an ongoing training program, Acme can be confident that it will have a strong IA infrastructure going forward.

Public Sector Case Study

A major university medical center recently piloted its new teleradiology program. The program allowed radiologists and physicians to share and view patient images digitally. Due to concerns over the Health Insurance Portability and Accountability Act (HIPAA) compliance, the medical center embarked on an information assurance risk assessment project during the planning phase of the teleradiology program.

The information assurance risk assessment project was carried out in three phases: Organizational View, Technological View, and Strategy and Plan Development. In each of these phases, a multidisciplinary team of senior management, operational management, IT staff, and clinical staff participated in workshops, discussions, and information-gathering activities. The result of this multidisciplinary approach was that the medical center identified areas of its planned teleradiology project that were inherently insecure before those insecurities were introduced into actual practice. The IA process led to better project planning and a more successful end result.

In Phase I, Organizational View, members of the team met to determine the most critical resources involved in the teleradiology project. They initially brainstormed over 30 resources including people, patient images, servers, and laptops. They narrowed the list to the five most critical and focused the rest of their efforts on those resources.

The analysis team gathered opinions on the following:

  • Critical assets
  • Threats to those assets
  • The relative importance of confidentiality, integrity, and availability of those assets
  • The medical center’s existing practices that either supported or undermined information assurance

The team met for extensive debate and discussion of these topics and eventually came to a consensus.

In Phase II, Technological View, the IT staff on the team conducted a vulnerability scan on the IT infrastructure and reported its findings back to the rest of the team members.

In Phase III, Strategy and Plan Development, the team integrated and analyzed all of the data gathered in the first two phases. From this analysis, they conducted a formal risk analysis, identifying, categorizing, and prioritizing the impact of various types of breaches on the five critical assets identified in Phase I.
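The Phase III risk analysis described above can be expressed as a small scoring model: each potential breach is rated by the asset's confidentiality, integrity or availability importance (from the Phase I consensus) and by its likelihood, then ranked. The following is an added illustration, not the medical center's actual method; the asset names, CIA weights, likelihoods and category thresholds are all constructed for the example.

```python
"""Illustrative Phase III risk scoring (added example, not the medical center's method).

Assets, CIA importance weights (1 = low .. 3 = high), breach likelihoods and the
high/medium/low thresholds below are constructed for demonstration only.
"""
from dataclasses import dataclass

# Phase I output in this example: CIA importance per critical asset (constructed).
ASSET_CIA = {
    "patient images":      {"C": 3, "I": 3, "A": 3},
    "image server":        {"C": 2, "I": 3, "A": 3},
    "radiologist laptops": {"C": 3, "I": 2, "A": 2},
    "PACS credentials":    {"C": 3, "I": 2, "A": 1},
    "radiologists":        {"C": 1, "I": 1, "A": 3},
}


@dataclass(frozen=True)
class Breach:
    asset: str        # must be one of the ASSET_CIA keys
    description: str
    prop: str         # which property is breached: "C", "I" or "A"
    likelihood: int   # 1 (rare) .. 3 (expected), from Phase II findings


def breach_score(b: Breach) -> int:
    """Impact (asset's weight for the breached property) times likelihood."""
    return ASSET_CIA[b.asset][b.prop] * b.likelihood


def categorize(score: int) -> str:
    """Constructed thresholds: 6+ high, 3-5 medium, below 3 low."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(breaches):
    """Highest score first; ties broken by asset name for a stable ordering."""
    return sorted(breaches, key=lambda b: (-breach_score(b), b.asset))


def summarize(breaches):
    """Group breach descriptions by category, each group in priority order."""
    summary = {"high": [], "medium": [], "low": []}
    for b in prioritize(breaches):
        summary[categorize(breach_score(b))].append(b.description)
    return summary


# Constructed sample breaches for the five critical assets.
SAMPLE_BREACHES = [
    Breach("patient images", "image altered on a home PC", "I", 2),
    Breach("patient images", "shoulder surfing at home", "C", 3),
    Breach("radiologist laptops", "laptop lost or stolen", "C", 2),
    Breach("image server", "server outage during on-call hours", "A", 1),
    Breach("radiologists", "on-call radiologist unreachable", "A", 1),
]

if __name__ == "__main__":
    for b in prioritize(SAMPLE_BREACHES):
        print(f"{breach_score(b):>2} {categorize(breach_score(b)):<6} "
              f"{b.asset}: {b.description}")
```

The point of the ranking is that the same likelihood produces different scores on different assets, so the team's Phase I agreement on which property matters most for each asset directly shapes which threats end up in the mitigation plans.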

From there, the team created an information security risk management plan. The plan was broken down into three parts: action items, mitigation plans, and protection strategy. The action items were tasks that could be undertaken immediately, with no need for new staff, policies, or funding, which would result in a significant improvement in the overall security outlook for the project. Some examples of action items included changing default passwords and deleting user accounts for former employees.

The mitigation plans focused on high-impact threats to critical assets and included methods to recognize, resist, and recover from a security incident. These plans were designed to have a broad impact on critical assets as well as secondary ones.

The final section of the risk management plan was the protection strategy. This section detailed plans to improve the medical center’s overall information security stance by implementing best practices for information assurance.

The information assurance risk assessment provided valuable insight to the medical center and allowed the teleradiology department to prevent security issues in the planning stages. For example, the team’s original plan had been to instruct radiologists to use their personal computers to manage patient images after hours. During the risk assessment project, the team identified three high-priority concerns surrounding the use of personal computers:

  • Technical support: IT staff could not effectively troubleshoot or support equipment privately owned by individual radiologists. This could affect the availability of patient images in the event of a computer crash.
  • Threats to confidentiality of patient images: Radiologists’ home computers were often located in public areas of the home where family members and guests could easily look over the radiologists’ shoulders and view protected health information. This constituted a serious breach of HIPAA regulations.
  • Threats to integrity of patient images: Because images would be stored on home computer hard drives, there was the potential for those images to be altered using photo manipulation software.

To mitigate these concerns, the medical center decided to purchase dedicated laptops for use by on-call radiologists.
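The integrity concern above (images stored on a local hard drive could be altered with photo manipulation software) is the kind of threat that a keyed integrity manifest detects. The following is an added example, not part of the medical center's plan: it tags every file in an image directory with an HMAC-SHA256 over its contents, then reports which files were modified, removed or added since the manifest was built. The key, file names and file contents are constructed for the demo; in practice the key would be held by the server side, not on the laptop it is checking.

```python
"""Keyed integrity manifest for stored image files (added example).

Builds an HMAC-SHA256 tag per file and later reports modified, missing and
unexpected files. The key and sample files below are constructed for the demo.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_tag(path: Path, key: bytes) -> str:
    """HMAC-SHA256 of the file contents, streamed so large images are not loaded at once."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(directory, key: bytes) -> dict:
    """Map each file (relative path) under directory to its tag."""
    root = Path(directory)
    return {
        str(p.relative_to(root)): file_tag(p, key)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(directory, manifest: dict, key: bytes) -> dict:
    """Compare the directory against a previously built manifest."""
    current = build_manifest(directory, key)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, tag in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif hmac.compare_digest(current[name], tag):   # constant-time compare
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["unexpected"] = [n for n in current if n not in manifest]
    return report


def demo() -> dict:
    """Constructed scenario: one image edited, one deleted, one stray file added."""
    key = b"constructed-demo-key"   # kept off the checked machine in real use
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "study-001.dcm").write_bytes(b"constructed image bytes A")
        (root / "study-002.dcm").write_bytes(b"constructed image bytes B")
        manifest = build_manifest(root, key)

        # Simulate what the assessment feared: local alteration of an image.
        (root / "study-002.dcm").write_bytes(b"constructed image bytes B, edited")
        (root / "study-001.dcm").unlink()
        (root / "note.txt").write_bytes(b"stray file")
        return verify(root, manifest, key)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:>10}: {names}")
```

A plain hash manifest would detect accidental corruption, but anyone who can edit the image can also recompute a plain hash; the HMAC key is what keeps a local editor from silently updating the manifest as well. The check detects alteration after the fact, so it complements rather than replaces the dedicated, centrally managed laptops the medical center chose.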

Critical Infrastructure Case Study

Availability is one of the three components of the C-I-A model of information assurance, and in the case of access controls, it is a vitally important component. Consistent and quick availability of the information allows physical security to work efficiently. Take a look at how the U.S. Coast Guard handles the availability of information to maintain the security of Hawaii’s ports.

To address the availability component of IA, the Coast Guard implemented a centralized, IP network-based access control card system. Through a secure website, many state and federal agencies, including the Coast Guard, Hawaii’s Department of Transportation, and customs and immigration authorities, as well as private maritime organizations and others, can share information related to all activities and data for the port. This gives the Coast Guard a centralized clearinghouse for all expected activity and lets it focus its security efforts.

This system, referred to as the Hawaii Integrated Maritime Information System (HIMIS), allows authenticated users to access and update information. This enables quick information sharing and real-time data to enhance the Coast Guard’s security practices. This information can be entered both in flexible custom reports and on nautical charts.

The high availability of the HIMIS system greatly enhances the Coast Guard’s ability to secure the Hawaiian ports.
