Cyber Security Management and Policy

Prof. Reinford

Security Plan Recommendation Memorandum

Dr. Allen Hughes

August 8, 2020

Executive Summary

The various assessments made clear that Anthem needs improvements and advancements in its security systems and its overall information technology infrastructure. Because the organization handles PII (Personally Identifiable Information) and PHI (Protected Health Information), the threat of cyber-attack is growing, as threat actors continuously work to take advantage of every possible vulnerability. The procedures outlined in this document provide direction for identifying and mitigating potential compromise, loss, or exploitation of information that would be detrimental to the Agency's mission.

Problem Statement

Even after Anthem's recent data breach, the threat to Anthem's data and information systems continues to grow. Analysis shows that Anthem's security breach resulted from vulnerabilities in its information systems and from poor management decisions. This paper outlines the changes the organization needs to make to its security architecture to avoid future cyber-attacks.

Recommended Solution

One of Anthem's main initiatives is a protective initiative to ensure the security of sensitive information, to avoid the unnecessary costs of lawsuits arising from data breaches, and to ensure business continuity and compliance. Anthem needs to advance its technology infrastructure by acquiring more effective and secure technologies that provide maximum protection for its data. The company also needs to make cybersecurity its number one priority. By doing so, emphasis will be placed on protecting information security by complying with the security policies set by the organization and by the National Institute of Standards and Technology (NIST). This will also ensure that security vulnerabilities are reported and mitigated by the security team in a timely manner. The company should also staff cybersecurity personnel and make every necessary change to top-level management when required.

Problem Analysis and Financial Overview

Anthem's data breach is a massive nightmare for the company: cybercriminals accessed nearly 37.5 million records containing personally identifiable information from its servers. This led to the fear that the compromised data, including medical ID cards, dates of birth, names, social security numbers, email addresses, and street addresses, may be used for identity theft. The healthcare industry accounts for 50% of all large data breaches. The breach led to several lawsuits being filed against the organization, resulting in a vast deficit as Anthem had to settle at a cost of $115 million. A risk-versus-cost analysis puts Anthem's likelihood of suffering another data breach at 50% or higher; because of this high probability, immediate action must be taken. Besides the financial losses Anthem could face in any future data breach, there would be a great deal of legal action taken against the company because PHI and PII are involved, which could damage its reputation and negatively impact its business operations. Anthem's average cost of compliance is estimated at $250,000, and the average cost of a data breach in the healthcare industry is $300,000. From the above estimates, the total impact of Anthem's likelihood of a cyber-attack amounts to $400,000.

On the other side, the total cost for Anthem to avoid any future data breach, including measures such as meeting its staffing needs, upgrading security systems and infrastructure, adopting the necessary security models, and engaging an external auditing firm to audit its operations, is estimated at $100,000. It is therefore clear that the cost of a possible data breach far exceeds the total cost of ensuring a secure information system architecture.

Implementation Plan

· Build an Information Security Team: The first step in the implementation plan is to ensure that all cybersecurity roles and positions the organization lacks are filled with the most qualified employees, working closely and effectively with Anthem's human resources team. After these appointments, a strong team will be created, including the organization's top-level management, to decide who sits at the table. One side of the table holds the executive team, made up of senior-level associates responsible for crafting the mission and goals of the security program, setting security policies, risk limitations, and more.

· Asset Inventory Management: The overall assets of the organization, including software, hardware, applications, and employees, will be monitored by tracking and analyzing maintenance requirements, physical location, depreciation, performance, and the eventual disposal of each asset.

· Risk Assessment and Management: Below is the Anthem risk assessment report supporting management decision-making in budgeting, policies, and procedures. The main concept of information assurance is to reduce the impact of a possible threat or attack, not to eliminate it completely. Applying the recommended decisions will enable Anthem to reduce every associated risk and its impact on the organization's mission.

| ASSET (criticality) | THREATS | VULNERABILITY | IMPACT | LIKELIHOOD OF AN INCIDENT | RISK | CONTROL RECOMMENDATION |
|---|---|---|---|---|---|---|
| Software (Critical) | Computer viruses | Insufficient logging and monitoring, broken authentication, broken access control | Service unavailability | High | Potential loss up to $80,000 per hour of downtime | Software auditing, authentication, continuous monitoring of permission changes |
| Hardware (High) | Hardware failure | Directory traversal, Foreshadow, BadUSB | Unavailability of hardware | High | Potential loss up to $80,000 per hour of downtime | Hardware auditing, regular upgrades and monitoring |
| Data (Critical) | Malicious behavior | Missing data encryption, missing authorization, buffer overflow | Unavailability or loss of critical data | High | Potential loss up to $100,000 per occurrence | Data encryption, access control |
| IT security policies (High) | Outdated policies and procedures | Lack of security personnel | Company operating under no or outdated policies | Medium | Security shortfall, cyber hacks and downtime | Audit trails |
| Information storage protection (Critical) | Unauthorized access | Insecure data storage, inadequate restrictions, too many user privileges | Seizing of company data | High | Unauthorized disclosure of information, disruption of computer services | Intrusion detection systems |
| Physical security environment (Medium) | Natural events | Tailgating, theft of documents, stolen identification | Unavailability of company assets and information | Low | Potential loss up to $100,000 per occurrence | Secure workstations, surveillance, secure backup files |
| Employees (High) | Insider threat, cybercrime | Disgruntled employee, access privilege abuse | Inadequate trusted and reliable employees | High | Exposure of company's sensitive data, creation of a hostile work environment | Adequate access policies, least privilege and least functionality |
| Company's website (Critical) | Threat actor | Lack of a properly configured firewall | Unavailability of website resources | High | Potential loss up to $100,000 per hour of downtime | Properly configure and monitor the firewall |

Incident Management

To provide the required levels of security to Anthem's cyber networks and systems, we must ensure the confidentiality, integrity, and availability (CIA) of the Agency's information resources, the reliability and availability of our information systems, and the continued protection of our personal and identifiable information. An Incident Response Team (IRT) will be created and will be responsible for reviewing and updating this plan and the incident response procedures annually. An audit log of the updates will be maintained in the changelog for each document. The plan covers unforeseeable circumstances such as IT system crashes, hacking, supply chain problems, and even pandemics like COVID-19. The incident response process consists of the six steps listed below:

· Detection of Event: Detection of Anthem incidents and events is conducted according to the organization's policies and procedures as outlined in its SOP. An incident or event is detected by a user or by the cybersecurity service provider (CSSP) as part of its monitoring and detection functions; the CSSP develops the initial documentation for the incident and provides detailed incident/event analysis and supporting documentation. The event is assessed against the incident criteria to determine whether it is a reportable event or incident.

· Preliminary Analysis and Identification of Incidents: The incident response team will conduct the preliminary analysis and identification of incidents and events, then prepare and submit the initial report to the respective Tier One organization. If suspected criminal activity is involved, the IRT notifies the SISO and coordinates law enforcement assistance with the Security Operations Branch.

· Preliminary Response Actions: The incident response team will verify that all the requisite information provided by the user or the cybersecurity service provider is accurate. The team will then conduct a preliminary analysis to identify the appropriate stakeholders who need to be involved.

· Incident Analysis: The incident response team will coordinate, direct, and conduct a detailed analysis in close cooperation with the organization's cybersecurity service provider. The CSSP analyzes and identifies relationships and trends between incidents in the short term and patterns across incidents in the long term.

· Response and Recovery: The incident response team will respond according to IRT direction, document response actions, report progress until incident closure, and escalate to the CIO if assistance is required. The IRT will ensure that documentation is updated continuously throughout the incident response and will close the incident with the CSSP upon completion.

· Post-Incident Analysis: The CSSP and IRT will coordinate and conduct a post-incident analysis to review the effectiveness and efficiency of incident handling in accordance with organizational policy. The CSSP closes the incident with the Tier One organization.

Inventory and Third-Party Management

To avoid any possible bias in the organization's risk assessments, an independent third-party vendor will be hired to conduct inventory assessments. A third-party company will be hired to carefully manage and monitor all interactions and operations, acting as a contractual party. The third-party vendor risk manager will also be responsible for the overall monitoring of performance and risks in Anthem's working environment. The main focus of the third-party vendor is to reduce risks related to the organization's operations.

Apply Security Controls and Model Application

In this step, the various security controls and model attributes will be applied to the overall operations of the organization. Considering the risks and vulnerabilities associated with Anthem's information systems, the applicable security controls and models will be implemented in accordance with organizational policies. This includes appointing the individuals who will manage and implement the organization's systems throughout the system development lifecycle. It is necessary to consider the short-term and long-term goals and needs of the organization when implementing the necessary measures. The selected models or controls should suit the healthcare environment in which Anthem operates. Lastly, the controls should help meet the current organizational needs in terms of network capabilities, system stability, and network/system architecture.

Establish Security Awareness Training

After all the necessary measures and models are in place and applied accordingly, it becomes imperative for the organization to train its employees to adjust to and maintain every change. Employee training will help reduce risks and other mistakes that could happen in their field of work. Anthem will establish mandatory monthly, quarterly, semi-annual, and annual employee security awareness training on the company's security policies. To ensure the effectiveness of security training and awareness, an individual training tracker will be created to ensure each employee partakes in the training schedule.

Security Model Attributes

The confidentiality, integrity, and availability of information systems and data are always a priority in safeguarding Anthem's patient information. After conducting the various analyses, the following security attributes were selected to ensure the maximum protection of Anthem's architecture and infrastructure.

· Informed Consent/ACL Access Log: This attribute of the Clinical Information Systems security model ensures that patient data confidentiality is protected and provides maximum accountability for all access to patient records. Access requires the patient's authorization; a single subject on the ACL is made responsible for the ACL and is the only one who may modify it, and the other subjects on the ACL must be notified of any changes. Because Anthem operates in the healthcare industry and deals with PHI and PII, this attribute is applicable to protecting the confidentiality of patient information.

· Fundamental modes of access: This refers to a file attribute providing essential access control levels with the primary goal of minimizing the security risk of unauthorized access to data. This Bell-LaPadula model attribute provides access modes such as read-only, write-only, and read-and-write for a file, and otherwise restricts any modification of or writing to the file. This attribute can help Anthem maintain the confidentiality and integrity of patient information and prevent any unauthorized person from making changes.

· Bell-LaPadula confidentiality policy: This attribute of the Bell-LaPadula model focuses strictly on access control and data confidentiality by putting in place a state-machine-based multilevel security policy. The model compares the security level of users with that of the data they access. The confidentiality policy provides the simple security property and the star (*) property, which prevent a subject from reading objects of higher sensitivity or writing to objects of lower sensitivity (no read up, no write down). This security attribute will help Anthem divide its computer system entities into objects and subjects so that each state transition maintains security by moving from one secure state to another.

· Biba security policy: A healthcare organization is expected to be fair, honest, and of high moral principle. This attribute of Biba's strict integrity policy model applies to Anthem's operations because the company handles a large volume of data, from patient admissions to insurance reimbursement. Decision-makers, executives, and clinicians use this valuable information to make vital decisions, which makes the integrity of this information essential. The Biba security policy provides conditions that prevent subjects from reading objects of lesser integrity and prohibit a subject from writing to (sending messages to) objects of higher integrity. This balance of information flow and access will help Anthem improve the level of integrity in the organization.

· Multilevel security: This Non-interference model attribute ensures that higher-level activities do not affect what lower-level subjects can observe or access, by providing strict separation of the different security levels. The effectiveness of this model rests on the assertion of a non-interference security policy. One of Anthem's principal vulnerabilities is the lack of security policies to control the actions of employees, systems, and overall security operations.

· Levels of protection: The attributes of the Graham-Denning model provide guidance on how subjects and objects should be securely created and deleted. The model also defines the basic rights governing how a specific subject can carry out security functions on an object. The levels of protection provided include no sharing at all, sharing copies or originals of program/data files, and programming subsystems and systems. This attribute applies to Anthem's security systems because weak information protection levels would allow threat actors easy access to data.

· Accountability: Accountability requires an obligation to justify, explain, and take full responsibility for one's actions. This attribute is a good fit for Anthem's healthcare setting, as it ensures that all access to patient records is accurately logged and that individuals with access and privileges are held accountable for every adverse action. This attribute also requires least privilege and least functionality on the organization's information systems.
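The Informed Consent/ACL Access Log attribute above lists four rules: access needs the patient's consent, one responsible subject owns the ACL, the other ACL members are notified of changes, and every access is logged. The following is an added example (not code from this memorandum or from Anthem) that encodes those rules in a patient record object; the record id, names and the ACL size limit are constructed for illustration.

```python
# Added example (not code from the memorandum): a patient record object that
# implements the Informed Consent / ACL Access Log attribute. Record ids,
# subject names and the ACL size bound are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a request violates one of the record's rules."""


@dataclass
class PatientRecord:
    record_id: str
    patient: str
    responsible: str          # the single ACL member allowed to change the ACL
    max_acl_size: int = 5     # bound on users per record (constructed value)
    acl: set[str] = field(default_factory=set)
    # (who, action, outcome) for every attempt, granted or denied
    access_log: list[tuple[str, str, str]] = field(default_factory=list)
    # (recipient, message) notifications sent on ACL changes
    notifications: list[tuple[str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The patient and the responsible clinician are always on the ACL.
        self.acl |= {self.patient, self.responsible}

    def _log(self, who: str, action: str, outcome: str) -> None:
        # Accountability: denied attempts are recorded just like granted ones.
        self.access_log.append((who, action, outcome))

    def read(self, who: str) -> str:
        """Return the record contents to an ACL member; log every attempt."""
        if who not in self.acl:
            self._log(who, "read", "denied")
            raise AccessDenied(f"{who} is not on the ACL of {self.record_id}")
        self._log(who, "read", "granted")
        return f"<contents of {self.record_id}>"   # constructed placeholder

    def grant(self, actor: str, new_member: str, patient_consented: bool) -> None:
        """Add a subject to the ACL: only the responsible clinician may do it,
        only with the patient's informed consent, within the size bound, and
        everyone already on the ACL is told about the change."""
        action = f"grant {new_member}"
        if actor != self.responsible:
            self._log(actor, action, "denied: not the responsible clinician")
            raise AccessDenied(f"{actor} may not modify the ACL")
        if not patient_consented:
            self._log(actor, action, "denied: no patient consent")
            raise AccessDenied("patient consent is required")
        if len(self.acl) >= self.max_acl_size:
            self._log(actor, action, "denied: ACL size limit reached")
            raise AccessDenied("ACL size limit reached")
        for member in self.acl:
            self.notifications.append((member, f"{new_member} added to {self.record_id}"))
        self.acl.add(new_member)
        self._log(actor, action, "granted")


def demo() -> dict:
    """Walk through the rules with constructed subjects and return a summary."""
    rec = PatientRecord("rec-0001", "patient-jane", "dr-smith")
    rec.read("dr-smith")                                   # granted
    denied: list[str] = []
    attempts = (
        lambda: rec.read("nurse-lee"),                     # not on the ACL
        lambda: rec.grant("nurse-lee", "nurse-lee", True),  # not responsible
        lambda: rec.grant("dr-smith", "nurse-lee", False),  # no consent
    )
    for attempt in attempts:
        try:
            attempt()
        except AccessDenied as exc:
            denied.append(str(exc))
    rec.grant("dr-smith", "nurse-lee", True)               # all rules satisfied
    rec.read("nurse-lee")                                  # now granted
    return {
        "acl": sorted(rec.acl),
        "denied": denied,
        "log": rec.access_log,
        "notified": sorted(rec.notifications),
    }


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```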
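The Bell-LaPadula and Biba items above describe four rules (no read up, no write down, no read down, no write up). This added example (not code from this memorandum or from Anthem) is a small reference monitor that applies both policies to one request and reports which rule objected; the three levels, the subjects and the objects are constructed for illustration.

```python
# Added example (not code from the memorandum or Anthem): a reference monitor
# enforcing the Bell-LaPadula confidentiality rules and the Biba strict
# integrity rules over constructed healthcare labels.
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Linearly ordered levels, used both as a Bell-LaPadula sensitivity label
    and as a Biba integrity label (higher = more sensitive / more trusted)."""
    PUBLIC = 0
    INTERNAL = 1
    PHI = 2   # protected health information


@dataclass(frozen=True)
class Entity:
    name: str
    confidentiality: Level   # clearance for a subject, classification for an object
    integrity: Level         # Biba integrity level


def blp_allows(subject: Entity, obj: Entity, mode: str) -> bool:
    """Bell-LaPadula: simple security property (no read up) and *-property
    (no write down)."""
    if mode == "read":
        return subject.confidentiality >= obj.confidentiality
    if mode == "write":
        return subject.confidentiality <= obj.confidentiality
    raise ValueError(f"unknown access mode: {mode!r}")


def biba_allows(subject: Entity, obj: Entity, mode: str) -> bool:
    """Biba strict integrity, the dual of Bell-LaPadula: no read down (a subject
    may not read less trustworthy data) and no write up (a subject may not
    write more trustworthy data)."""
    if mode == "read":
        return subject.integrity <= obj.integrity
    if mode == "write":
        return subject.integrity >= obj.integrity
    raise ValueError(f"unknown access mode: {mode!r}")


def check_access(subject: Entity, obj: Entity, mode: str) -> tuple[bool, list[str]]:
    """Apply both policies; the request is granted only if neither objects.
    Returns (granted, names of the rules that were violated)."""
    violated: list[str] = []
    if not blp_allows(subject, obj, mode):
        violated.append("BLP no read up" if mode == "read" else "BLP no write down")
    if not biba_allows(subject, obj, mode):
        violated.append("Biba no read down" if mode == "read" else "Biba no write up")
    return (not violated, violated)


# Constructed subjects and objects; the labels are illustrative, not Anthem's.
CLINICIAN = Entity("clinician", Level.PHI, Level.PHI)
BILLING_CLERK = Entity("billing clerk", Level.INTERNAL, Level.INTERNAL)
WEB_FORM = Entity("public web form handler", Level.PUBLIC, Level.PUBLIC)

PATIENT_RECORD = Entity("patient record", Level.PHI, Level.PHI)
CLAIMS_LEDGER = Entity("claims ledger", Level.INTERNAL, Level.INTERNAL)
PUBLIC_NOTICE = Entity("public notice board", Level.PUBLIC, Level.PUBLIC)


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Evaluate the cases that show each rule doing its work."""
    return {
        "clinician reads patient record": check_access(CLINICIAN, PATIENT_RECORD, "read"),
        "clerk reads patient record": check_access(BILLING_CLERK, PATIENT_RECORD, "read"),
        "clerk writes claims ledger": check_access(BILLING_CLERK, CLAIMS_LEDGER, "write"),
        "clinician writes public notice": check_access(CLINICIAN, PUBLIC_NOTICE, "write"),
        "web form writes patient record": check_access(WEB_FORM, PATIENT_RECORD, "write"),
        "clinician reads public notice": check_access(CLINICIAN, PUBLIC_NOTICE, "read"),
    }


if __name__ == "__main__":
    for case, (granted, violated) in demo().items():
        verdict = "ALLOW" if granted else "DENY (" + ", ".join(violated) + ")"
        print(f"{case:32s} -> {verdict}")
```

The "web form writes patient record" case is the one Bell-LaPadula alone would permit and only Biba stops, while the last case shows the price of strict Biba: a high-integrity clinician cannot even read low-integrity public data, which is why strict Biba is usually relaxed in practice.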

Conclusion

Anthem must take a bold step by improving its information system architecture to ensure a secure working environment. The various analyses conducted on the organization show a high likelihood of a cyber-attack. Therefore, Anthem needs to place much greater emphasis on cybersecurity. All recommended policies and procedures need to be adopted and enforced by top-level management. Much attention also needs to be paid to employees' activities through monitoring and accountability. Making information system security a priority means putting the required and most qualified cybersecurity personnel in place. Anthem also needs to take auditing more seriously by complying with the applicable rules and regulations once the suggested third-party organization is hired. Employee training and development should also be a priority; regular weekly employee meetings and monthly, quarterly, semi-annual, and annual training should be enforced across all departments and levels of the organization. Mitigation of vulnerabilities discovered through vulnerability scanning or auditing should be treated as critical and given priority. Changes to crucial top-level management positions such as the CISO and CIO should be made when necessary to bring new ideas and discoveries to the organization's operations. As Anthem focuses on improving its security systems, networks, and mission-critical infrastructure, its maximum protection against every data breach and cyber-attack is guaranteed.

APPENDIX A

The core security principles

The main focus of mitigating security weaknesses and vulnerabilities is to protect the confidentiality, integrity, and availability of information systems, which are the core security principles.

Bell-LaPadula Model

Bell-LaPadula is a state machine model for enforcing access control and information flow. This multilevel security model is geared towards protecting the confidentiality of information. The model was developed by Leonard J. LaPadula and David Elliott Bell with guidance from Roger R. Schell. It was developed between 1972 and 1974 to formalize the U.S. Department of Defense multilevel security policy. The model serves as a state transition model of computer security policy that outlines access control rules for the evaluation and production of commercial products and systems approved for operational use.

Biba's Strict Integrity Policy Model

Biba's strict integrity policy is a state machine model designed to protect integrity and information flow. This integrity model was developed by Kenneth J. Biba in 1975. The strict integrity policy of the state transition system outlines a set of access control rules designed with the main objective of ensuring data integrity. The model was created to address a weakness in the Bell-LaPadula model.

Clark-Wilson Model

The Clark-Wilson model is a state-machine security model that provides a foundation for analyzing and specifying integrity goals and information flow. The model was proposed in 1987 by David D. Clark and David R. Wilson and derives from commercial data processing practices. It was intended to formalize notions of information integrity, in contrast to the multilevel security requirement. The Clark-Wilson model is applicable to systems that enforce integrity across both the application and the operating system. It prevents unauthorized subjects from modifying objects, and also prevents any improper modification of objects that is not authorized.

Brewer-Nash Model

The Brewer and Nash model, also known as the Chinese Wall model, is an information flow security model used to implement information security access control that changes dynamically. The model was first introduced by Dr. David F. C. Brewer and Dr. Michael J. Nash in 1989. It places its priority on confidentiality and finds its application in the commercial world, and it also bases its principles on the Clark-Wilson security model. By providing read and write-only access privileges, this security model serves to protect the integrity and privacy of information systems. Because of the conflicts of interest that arise in commercial organizations, the model was established to mitigate every possible conflict of interest by introducing the required security controls.

Clinical Information Systems Security Model

This security model was created to protect the confidentiality of patient data and to eliminate conflicts of interest. The clinical information systems security model restricts the number of users who may access any record and the maximum number of records any user may access. The implementation of this security control is based on data that has not been anonymized and ensures that access to patient records is documented. The model was derived from medical ethics as set out by medical societies and clinicians.

Noninterference Model

The non-interference model is an evolution of the information flow model designed to ensure that objects and subjects at different security levels do not interfere with those at other levels (Finjan Blog, 2017). The model was first put forward by Goguen and Meseguer in 1982 and later refined in 1984. The non-interference model, also known as the Goguen-Meseguer model, prevents the contamination of information flow. There is strict separation between the different levels of security, based on their sensitivity being classified as low or high respectively. Under this model, the security policy controls information flow using non-interference capabilities.

Deducibility Security

This security model was first established in 1986 by Dr. Sutherland. It is applicable to healthcare as it relates to patient data. The deducibility model focuses on what information can be deduced about data from the information flow. It holds many similarities with the non-interference model in terms of system users being able to deduce or infer data. This model has the ability to protect a system from leaks caused by malware such as a trojan horse. The deducibility security model was developed in relation to information security, serving as a compartmentalization designed to protect higher-level output. Its generalization enables the security levels of output and input to be dynamically assigned.

Graham-Denning Model

This computer security model was established in 1970 by Peter J. Denning and G. Scott Graham. The Graham-Denning model is a computer security model that shows how objects and subjects are securely created and deleted. A set of objects, a set of subjects, and a set of eight basic protection rules make up the three main parts of this access control model. The levels of protection in this model include no sharing at all, sharing copies of programs/data files, and sharing originals of programs/data files. The model's eight basic protection rules outline how to securely create an object and a subject and how to securely delete an object and a subject.

APPENDIX B

Executive Summary

This document is designed for Anthem to protect Personally Identifiable Information (PII) and Protected Health Information (PHI) by adopting all the relevant and applicable security models. This plan is set to mitigate the threats and security weaknesses of the organization and to protect the confidentiality, integrity, and availability (CIA) of the company's data. The security assessments conducted have shown that Anthem is vulnerable to a possible cyber-attack. Analysis of the security models listed below shows that they are relevant and applicable to meeting the organization's security needs. In addition, operations pertaining to system patch/update management, auditing features, and monitoring are also included. This security plan also comprises Anthem's standard operating procedures (SOP), which contain a comprehensive overview of Anthem's security programs. All instructions and guidance will comply with the security policies and procedures.

Objectives

Anthem has the following objectives:

· To protect the confidentiality, integrity, and availability of data and information systems.

· To ensure employees receive the required training and awareness for effective operation.

· To ensure that all cybersecurity positions are filled with qualified candidates.

· To provide adequate funding for the cybersecurity sector of the organization.

· To ensure all security policies and procedures are enforced across all levels of the organization.

· To achieve the vision and goals of the organization within the organization's set time frame.

System Security

The analysis conducted determined that Anthem's system is a mission-critical system on which cyber attackers will capitalize on any potential vulnerabilities. Anthem will set up improved IT security policies and put sufficient funding into IT security to protect its mission-critical system. Information security strategies such as vulnerability scanning, a well-built email policy, strong passwords, and data encryption will ensure the system's safety. Due to the high risk associated with Anthem's system security, much attention is required to prevent any possible data breach.

· Strong password: Anthem will enforce access restrictions on all employee user accounts with password-based authentication, with passwords set to expire after 35 days. All users will be given a unique username and password for account access. Through authentication management, Anthem will employ an automated tool to determine whether password authenticators are sufficiently strong, eliminating the problem of employees using weak passwords.

· Vulnerability Scanning: Anthem will ensure mandatory monthly vulnerability scanning of its information systems. Scanning the organization's systems and hosted applications for vulnerabilities will ensure that any potential vulnerabilities or weaknesses that negatively affect the company's operations are reported to the head of security and mitigated. In addition, other issues such as improper configuration and patch levels can be corrected by the security team.

· System updates: The security team will ensure that all software and applications on the system are up to date. Automatic updates will be configured so that system applications and software are updated periodically without manual intervention.

· Confidentiality Protection: The organization will adopt the Bell-LaPadula model to maintain the confidentiality of Anthem's security system. This model will outline the rules ensuring the use of clearances for subjects and labels for objects.

· Integrity Protection: The Clark-Wilson security model will be adopted for Anthem's information security systems because this model applies to systems that enforce integrity across both the application and the operating system, which is Anthem's utmost priority. This model will prevent unauthorized subjects from modifying objects and prevent any improper modification of objects that is not authorized.

· Privacy Protection: Privacy protection is a high priority for Anthem because of its healthcare setting, which deals with PII and PHI. Due to the high risk involved in privacy protection, Anthem will adopt the Brewer-Nash security model for its security systems to implement information security access control. By providing read and write-only access privileges, this security model protects the integrity and privacy of information systems and mitigates every possible conflict of interest by introducing the required security controls.

· Data Encryption: Due to the high priority placed on the availability of information systems, Anthem will deploy cryptographic key establishment and management to maintain data availability. Anthem's security systems will establish and manage the cryptographic keys for the cryptography employed within the system according to the required key generation procedures. Encryption will be configured during deployment and before sensitive work commences. The Anthem infrastructure will utilize multiple encryption strategies, including vSAN Encryption, Linux Unified Key Setup (LUKS), and encryption of all government off-the-shelf (GOTS) data on the Anthem systems' drives. The application servers and software used in Anthem's environment must use encryption of a strength appropriate to the categorization of the management data handled during remote access management sessions, to protect the confidentiality of those sessions.

Employee Training and Management

· Security Awareness and Training: Anthem will establish mandatory monthly, quarterly, semi-annual, and annual employee security awareness training on the company's security policies. To ensure the effectiveness of security training and awareness, an individual training tracker will be created to ensure each employee partakes in the training schedule.

· Cybersecurity Roles/Skilled Personnel: Anthem will ensure that all required cybersecurity roles in the organization are filled with personnel who hold the required and appropriate qualifications.

· Insider Threat Programs: Anthem will adopt an effective insider threat program providing security controls to detect and prevent malicious insider activity through centralized analysis and integration, in order to identify potential insider threat concerns.

Anthem's Relevant Security Attributes

· Confidentiality: Helps to prevent the unauthorized disclosure of data.

· Integrity: Provides assurance that data has not been modified, tampered with, or corrupted through unauthorized or unintended changes. 

· Availability: Ensures that services and data are available when needed and to the rightful recipient. 

· Non-Interference Assertions: This refers to the set of security policies, which are put in place to control information flow.

· Informed Consent/ACL Access Log: This attribute of the Clinical Information Systems security model ensures that patient data confidentiality is protected and provides maximum accountability for all access to patient records.

· Fundamental modes of access: This refers to a file attribute providing essential access control levels with the primary goal of minimizing the security risks of unauthorized access to data.

· Bell-LaPadula confidentiality policy: This attribute of the Bell-LaPadula model focuses strictly on access control and data confidentiality by putting in place a state-machine-based multilevel security policy.

· Biba security policy: A healthcare organization is expected to be fair, honest, and of high moral principle, which makes the integrity of its information essential.

· Multilevel security: This Non-interference model attribute ensures that higher-level activities do not affect what lower-level subjects can observe or access, by providing strict separation of the different security levels.

· Levels of protection: The attributes of the Graham-Denning model provide guidance on how subjects and objects should be securely created and deleted.

· Accountability: Accountability requires an obligation to justify, explain, and take full responsibility for one's actions.

References

Finjan Blog (2017). A Closer Look at Security Models of Control - the Non-Interference Model. [online] Available at: https://blog.finjan.com/the-non-interference-model/ [Accessed 24 July 2021].

Landwehr, C. (1981). A Survey of Formal Models for Computer Security. Washington, D.C.: Naval Research Laboratory.

Millen, J. (1996). Editor's preface to the Bell-LaPadula model. Journal of Computer Security, 4(2/3), 229. https://doi-org.ezproxy.umgc.edu/10.3233/JCS-1996-42-306

Law Insider (2021). Third Party Inventory Definition. [online] Available at: https://www.lawinsider.com/dictionary/third-party-inventory [Accessed 5 August 2021].

ITperfection - Network Security (2020). Fundamental Concepts of Security Models - CISSP. [online] Available at: https://www.itperfection.com/cissp/security-architecture-and-engineering/fundamental-concepts-of-security-model/ [Accessed 6 August 2021].

Rapid7 (2021). Information Security Risk Management (ISRI). [online] Available at: https://www.rapid7.com/fundamentals/information-security-risk-management/ [Accessed 9 August 2021].