
CDC IT Risk Assessment: Public Health Informatics Program

Abstract

This risk assessment report evaluates the Information Assurance (IA) infrastructure of the Centers for Disease Control and Prevention's (CDC) Public Health Informatics and Technology Program, housed within the Office of Surveillance, Epidemiology, and Laboratory Services (OSELS) in Atlanta, GA. Conducted in accordance with NIST Special Publication 800-30 and DHHS Information Security Program Policy, the assessment identifies vulnerabilities across three domains (management, operational security, and technical security) and rates them as high, moderate, or low using Federal Information Processing Standards (FIPS) 199. The report evaluates confidentiality, integrity, and availability of the IT infrastructure and proposes safeguards to mitigate identified risks toward certification and accreditation of the program's IT systems.

πŸ“ How to Write This Type of Paper Writing guide β€” click to expand
β–Ό

What makes this paper effective

  • Follows a structured, professional risk assessment format grounded in recognized federal standards (NIST SP 800-30 and FIPS 199), lending the report institutional credibility and methodological rigor.
  • Clearly defines key technical terms, such as vulnerability, threat, threat source, and threat action, before applying them, making the document accessible to both technical and non-technical stakeholders.
  • Organizes findings into the three standard information assurance dimensions (confidentiality, integrity, availability), allowing readers to quickly locate and evaluate each security domain.

Key academic technique demonstrated

The report demonstrates applied technical writing for a government context: it translates abstract federal security frameworks (NIST, DHHS policy, FIPS 199) into a concrete assessment of a specific organizational unit. This technique, mapping a general methodology to a specific institutional case, is central to professional IT security documentation and policy compliance writing.

Structure breakdown

The paper opens with an executive-level overview of the assessment's purpose and organizational context, followed by a formal introduction defining scope and IA tenets. It then details the NIST-based methodology and the three control categories. System characterization covers users, dependencies, and functional roles. Protection requirements address confidentiality, integrity, and availability in turn. The report closes with a threat statement that defines key terms and identifies threat categories, setting the stage for recommended safeguards.

Overview and Purpose

This Risk Assessment Report was formulated for the IT department staff of the Centers for Disease Control and Prevention (CDC) located in Atlanta, GA. The specific CDC department targeted is the Office of Surveillance, Epidemiology, and Laboratory Services (OSELS). Due to the major role the CDC plays in regulating and advising U.S. citizens on matters of health, it became necessary for OSELS to undergo a thorough risk assessment. It is considered best practice for the organization to provide the most up-to-date health information to U.S. citizens as well as the wider world.

The risk assessment was tailored to target the Public Health Informatics and Technology Program Office. The purpose of this assessment is to evaluate the Information Assurance (IA) infrastructure for the sole purpose of producing a certification and accreditation (C&A) of their Information Technology (IT) system, as outlined by the DHHS Information Security Program Policy. The risk assessment report is to be prepared in conjunction with the System Security Plan, which is intended to serve as an assessment of the level of utilization of CDC resources as well as the control of their usage, so as to eliminate and manage the various system vulnerabilities that can pose both internal and external threats to the CDC. After the C&A procedure is successfully executed, the result would be an authorization to operate the Public Health Informatics and Technology Program without risk of unwanted security incidents.

The scope of the risk assessment is limited to the various applicable security controls used in the Public Health Informatics and Technology Program's IT department and is to be tailored in conformity with the steps prescribed in the DHHS Information Technology Security Program: Baseline Security Requirements Guide. The guide provides a baseline to be used in developing the most appropriate combination of requirements for designing security controls to protect the IT infrastructure at the CDC, that is, the infrastructure used by the CDC in handling its key operations regarding the management of facilities, employees, communication channels, and other contingencies.

The Public Health Informatics and Technology Program risk assessment was carried out in line with the methodology prescribed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. This methodology is qualitative in nature, meaning there was no need to calculate the costs of running the organization at present or in the future; elements such as annualized expected losses or projections of asset costs were not required.

The risk assessment of the Public Health Informatics and Technology Program's IA system revealed various vulnerabilities affecting the following three major areas of the CDC:

Vulnerability can be defined as "a set of conditions that leads or may lead to an implicit or explicit failure of the confidentiality, integrity, or availability of an Information System" (Chambers & Thomson, 2004). The vulnerabilities identified in the system can be mitigated by adhering to the recommendations provided in this report. The recommendations are presented as safeguards, controls of an administrative, technical, managerial, or legal nature, put in place to manage the various risks associated with the identified vulnerabilities (Praxiom, 2010). The vulnerabilities are to be mitigated to manageable levels.

Before embarking on the mitigation process, it is fundamental to classify the vulnerabilities into three main levels: High, Moderate, and Low. These ratings are in accordance with the standards referred to as Federal Information Processing Standards (FIPS) 199.
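To make the two rating schemes the report relies on concrete, the following is an added example (not part of the report) that applies the FIPS 199 high-water-mark rule to categorize a system from its information types, and then applies the NIST SP 800-30 qualitative likelihood-by-impact matrix to rate an individual finding. The information types and their impact levels are constructed for illustration; only the AMAS name comes from the report.

```python
"""Added example: FIPS 199 security categorization (high-water mark) plus the
NIST SP 800-30 qualitative risk-level matrix used to rate findings.
The sample information types and impact levels below are constructed."""

# FIPS 199 potential-impact levels, ordered from lowest to highest.
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def high_water_mark(*levels):
    """FIPS 199 high-water mark: the highest impact level among the inputs."""
    return max(levels, key=RANK.__getitem__)


def categorize_system(info_types):
    """info_types maps a name to an (C, I, A) impact triple.
    Returns the per-objective categorization (high-water mark across all
    information types) and the overall system category (high-water mark
    across the three objectives)."""
    per_objective = {}
    for idx, objective in enumerate(("confidentiality", "integrity", "availability")):
        per_objective[objective] = high_water_mark(*(t[idx] for t in info_types.values()))
    return per_objective, high_water_mark(*per_objective.values())


# NIST SP 800-30 (2002) Table 3-6 scale values for likelihood and impact.
LIKELIHOOD = {"LOW": 0.1, "MEDIUM": 0.5, "HIGH": 1.0}
IMPACT = {"LOW": 10, "MEDIUM": 50, "HIGH": 100}


def risk_level(likelihood, impact):
    """Risk score = likelihood value x impact value; SP 800-30 bands the
    score as HIGH (>50 to 100), MEDIUM (>10 to 50), LOW (1 to 10)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "HIGH"
    if score > 10:
        return "MEDIUM"
    return "LOW"


# Constructed sample information types handled by the program (hypothetical ratings).
SAMPLE_INFO_TYPES = {
    "procurement records (AMAS)": ("MODERATE", "MODERATE", "LOW"),
    "public health advisories": ("LOW", "HIGH", "MODERATE"),
}

if __name__ == "__main__":
    print(categorize_system(SAMPLE_INFO_TYPES))
    print(risk_level("MEDIUM", "HIGH"))
```

Note that a low-likelihood threat against a high-impact asset still rates LOW under the SP 800-30 matrix, which is why likelihood must be argued from the actual threat sources and existing controls rather than assumed.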

Scope and Information Assurance Tenets

The system on which the risk assessment was carried out is the IT system whose IA vulnerability rating was evaluated. The specific CDC program targeted is the Public Health Informatics and Technology Program, which is mandated to carry out the following key functions:

The scope of the risk assessment was based on a thorough assessment of all resources within the information system as well as their controls, in order to develop viable means of mitigating identified vulnerabilities. If left unmitigated, these vulnerabilities could result in both internal and external exploits targeting the CDC's Information System (IS). The consequences of unmitigated vulnerabilities would include:

Since the risk assessment report evaluates Information Assurance at the CDC, it focuses on a thorough evaluation of its three basic tenets:

After the above three basic tenets of Information Assurance are evaluated, appropriate mitigation is undertaken to address the causes. All actions taken are contained in this Risk Assessment Report, together with recommendations to management that would help safeguard the CDC from both internal and external system attacks.

The methodology adopted for the execution of this Risk Assessment Report is outlined in NIST SP 800-30, Risk Management Guide for Information Technology Systems (NIST, 2004). The guide contains the steps for assessing and evaluating the various security parameters aimed at improving the confidentiality, integrity, and availability of IT systems.

Assessment Methodology and Controls

The results of the assessment take the form of recommendations for security safeguards that enable management to initiate and realize solutions based on informed understanding of IT security issues. This methodology is tailored to establish the following countermeasures and controls:

In this part of the risk assessment, the various IT system boundaries as well as the resources that constitute the system are analyzed. Other elements necessary for the description of the system are noted, and all system dependencies are clarified (Madden, 2007).

The CDC's Public Health Informatics and Technology Program relies heavily on the Acquisition Management Automation System (AMAS). The system must be secure at all times given its importance to the basic operation of the program. It must therefore be appropriately updated and maintained by appointed System Stewards, who are drawn from the Management Information Systems Branch (MISB) as well as the Procurement Grants Office (PGO).

The Public Health Informatics and Technology Program's IT system was developed by the Office of Surveillance, Epidemiology, and Laboratory Services (OSELS). The CDC division responsible for its deployment and maintenance is the Division of Informatics Research and Development (DIRD), whose role is to advance the frontiers of public health informatics through appropriate research and development. The DIRD division collaborates with other CDC programs to develop innovative technologies that positively impact health practices on both a short-term and long-term basis (CDC, 2010).

Remaining sections of the report (not included on this page): System Characterization and Dependencies (system users, stewards, and IT infrastructure dependencies); Protection Requirements (confidentiality, integrity, and availability ratings); Threat Identification and Analysis (threat definitions, sources, and attack methods).

Cite This Paper
PaperDue. (2026). CDC IT Risk Assessment: Public Health Informatics Program. PaperDue. https://www.paperdue.com/study-guide/cdc-it-risk-assessment-public-health-informatics-9412