RMF Control Assignment


School: Bellevue University
Course: 608
Subject: Information Systems
Date: Apr 3, 2024
Pages: 6
Uploaded by MajorGoldfishMaster955

The impacts have been artificially set to Low-Low-Low for Brookside Local Clinic (a Low categorization for confidentiality, integrity and availability, so the SP 800-53 Low baseline is the reference point). Below are some of the controls utilized by the clinic.

1. AC-1, Policy and Procedures (access control): the organization must develop, document, and disseminate an access control policy and the procedures that implement it, designate an official to manage them, and review and update both on a defined frequency. Brookside has established comprehensive policies and procedures for controlling access to its information systems and sensitive data, so that only authorized individuals hold appropriate access privileges, reducing the risk of unauthorized access, data breaches, and privacy violations. By implementing the access control policy, the clinic strengthens its security posture, protects patient information, and maintains regulatory compliance, which in turn fosters trust among patients and stakeholders. The clinic is compliant.

2. AC-2, Account Management: requires the clinic to manage system accounts through their whole life cycle, including establishing, activating, modifying, reviewing, disabling, and removing accounts, so that only authorized users retain access. AC-2 is applied at Brookside Local Clinic through documented policies and procedures for user account management. Accounts are created, modified, and removed according to those procedures and only on authorized requests; permissions are granted on the principle of least privilege; and periodic reviews confirm that each account's access level is still appropriate. Compliant.

3. AC-3, Access Enforcement: the system must enforce the approved authorizations for logical access to information and system resources, in line with the access control policy. At Brookside this means technical enforcement of those authorizations: strong user authentication, role-based access controls, and regular review of user access privileges, with each user granted access only to the resources their duties require (least privilege). Brookside is compliant.

4. AC-7, Unsuccessful Logon Attempts: the system must enforce a limit on consecutive invalid logon attempts by a user within a defined time period and take a defined action when that limit is exceeded (for example, locking the account for a set period or until an administrator releases it). AC-7 is applied at Brookside Local Clinic by setting a maximum number of consecutive failed logon attempts before an account is locked. The clinic has implemented an account lockout policy, configured its authentication systems to enforce it, communicated the policy to users, and established monitoring and review processes. Compliant.

5. AC-17, Remote Access: requires the organization to establish usage restrictions, configuration requirements, and implementation guidance for each type of remote access, and to authorize each type before allowing it. Meeting AC-17 would require policies, procedures, and technical controls that authenticate remote users, encrypt data in transit, and monitor remote sessions. Not compliant.

6. AC-18, Wireless Access: requires usage restrictions, configuration requirements, and explicit authorization for wireless access, so that both wireless access points and wireless client devices are secured. The clinic applies AC-18 in two steps. First, it protects wireless communications with current encryption protocols (WPA2 or WPA3). Second, it enforces strong authentication for joining the network, either a strong pre-shared key or certificate-based (802.1X) authentication, so that only authorized users and devices can connect. Compliant.
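The lockout mechanism described under AC-7 (item 4 above) can be made concrete with a small enforcer. This is an added example written for this page, not code from the original assignment or from any product the clinic uses. It counts consecutive failed logons per account within a window, locks the account when the threshold is reached, refuses attempts against a locked account even when the credential is correct, releases the lock automatically after the lockout period, and writes audit records for the monitoring and review process. The log line format, the threshold (5), window (15 minutes) and lockout period (30 minutes), and the log lines themselves are constructed assumptions.

```python
"""AC-7 style lockout enforcement replayed over constructed authentication log lines."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed log line format (constructed for this example):
#   "<ISO-8601 timestamp> <username> <SUCCESS|FAIL> <source address>"
LOG_RE = re.compile(r"^(\S+) (\S+) (SUCCESS|FAIL) (\S+)$")


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5                       # consecutive failures tolerated (assumed value)
    window: timedelta = timedelta(minutes=15)   # failures older than this no longer count
    lockout: timedelta = timedelta(minutes=30)  # automatic unlock after this much time


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # timestamps of counted failures
    locked_until: Optional[datetime] = None


class LockoutEnforcer:
    """Tracks per-account failure streaks and applies the lockout policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.audit: List[Tuple[datetime, str, str]] = []  # records kept for the review process

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        # Lockout has expired: release the account and start a fresh streak.
        st.locked_until = None
        st.failures.clear()
        self.audit.append((now, user, "UNLOCKED"))
        return False

    def record(self, ts: datetime, user: str, outcome: str, src: str) -> str:
        """Apply one authentication event and return the enforcement decision."""
        st = self._state(user)
        if self.is_locked(user, ts):
            # A locked account is refused even when the credential is correct.
            self.audit.append((ts, user, f"REJECTED_LOCKED from {src}"))
            return "rejected"
        if outcome == "SUCCESS":
            st.failures.clear()  # a success ends the consecutive-failure streak
            return "allowed"
        # Failure: discard failures outside the window, then count this one.
        st.failures = [t for t in st.failures if ts - t <= self.policy.window]
        st.failures.append(ts)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = ts + self.policy.lockout
            self.audit.append((ts, user, f"LOCKED until {st.locked_until.isoformat()}"))
            return "locked"
        return "failed"


def replay(lines, policy: LockoutPolicy = LockoutPolicy()):
    """Feed log lines through the enforcer; returns (enforcer, [(user, decision), ...])."""
    enf = LockoutEnforcer(policy)
    decisions = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skipped here, would be flagged in production
        ts, user, outcome, src = m.groups()
        decisions.append((user, enf.record(datetime.fromisoformat(ts), user, outcome, src)))
    return enf, decisions


# Constructed sample log (not real clinic data).
SAMPLE_LOG = [
    "2024-04-03T08:00:00 jdoe FAIL 10.0.0.5",
    "2024-04-03T08:00:10 jdoe FAIL 10.0.0.5",
    "2024-04-03T08:00:20 jdoe SUCCESS 10.0.0.5",  # success resets the streak
    "2024-04-03T08:01:00 jdoe FAIL 10.0.0.5",
    "2024-04-03T08:01:10 jdoe FAIL 10.0.0.5",
    "2024-04-03T08:01:20 jdoe FAIL 10.0.0.5",
    "2024-04-03T08:01:30 jdoe FAIL 10.0.0.5",
    "2024-04-03T08:01:40 jdoe FAIL 10.0.0.5",     # fifth consecutive failure: lock
    "2024-04-03T08:02:00 jdoe SUCCESS 10.0.0.5",  # correct password, but still locked
    "2024-04-03T08:40:00 jdoe SUCCESS 10.0.0.5",  # lockout expired: allowed
    "2024-04-03T09:00:00 asmith FAIL 10.0.0.9",   # slow guessing 20 min apart: each
    "2024-04-03T09:20:00 asmith FAIL 10.0.0.9",   # failure falls outside the window,
    "2024-04-03T09:40:00 asmith FAIL 10.0.0.9",   # so the streak never builds
]


def run_sample():
    return replay(SAMPLE_LOG)
```

Running `run_sample()` returns the per-event decisions (the ninth jdoe event is rejected despite the correct password, the tenth is allowed after the automatic unlock) and the audit trail that a reviewer would read. The asmith lines show the limit of the control: a lockout threshold stops fast brute force, but attempts spaced beyond the window never accumulate, so the review process still has to look at the failure rate across accounts and sources rather than rely on lockouts alone.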
7. AC-20, Use of External Systems: requires the organization to establish terms and conditions, consistent with its trust relationships with external parties, under which authorized individuals may access the clinic's systems from external systems or process clinic information on them. AC-20 is applied by ensuring the clinic has documented agreements with external service providers, such as cloud hosting providers or telehealth platforms, that define the responsibilities and security requirements for the use of those systems. The clinic is compliant.

8. AT-3, Role-Based Training: requires security and privacy training tailored to personnel with assigned security roles and responsibilities, delivered before they are authorized to access the system or perform those duties and periodically thereafter. The clinic applies AT-3 through a comprehensive security training program for its staff covering recognition of social engineering attacks, identification of phishing emails, secure password practices, and safe browsing habits, delivered through regular training sessions, online modules, and simulated phishing exercises. (The general-audience content listed here maps to AT-2, Literacy Training and Awareness; AT-3 additionally expects material specific to roles such as system administrators.) Compliant.

9. AT-4, Training Records: requires the organization to document and monitor security and privacy training activities and to retain individual training records for a defined period. The clinic applies this control by tracking and documenting training for its staff, including records of completed sessions, topics covered, and dates of training.

10. IR-3, Incident Response Testing (not CP-9, which is System Backup): applied at Brookside Local Clinic by conducting periodic tests and exercises to evaluate the effectiveness of its incident response capability. This includes simulating various types of security incidents to assess response readiness, identify areas for improvement, and validate the clinic's incident response plan. By performing these tests, the clinic aims to strengthen its incident response capability, mitigate risk, and minimize the impact of security incidents. Compliant.

11. IA-2, Identification and Authentication (Organizational Users): the system must uniquely identify and authenticate organizational users, and processes acting on their behalf, before granting access; Revision 5 enhancements add multi-factor authentication for privileged and non-privileged accounts. IA-2 is applied at Brookside Local Clinic through identification and authentication measures for its staff (patients using a portal are non-organizational users, covered by IA-8). These include unique usernames and strong passwords for user accounts, two-factor authentication for added assurance, and regular access reviews to confirm that access remains authorized. Compliant.

12. MP-2, Media Access: restricts access to digital and non-digital media containing sensitive information to authorized individuals. MP-2 is applied by safeguarding media assets such as patient records and confidential documents: secure storage areas and access controls for physical media, encryption of digital media, and proper disposal of media when it is no longer needed (disposal itself falls under MP-6, Media Sanitization). Compliant.

13. PE-2, Physical Access Authorizations (not PE-8, which is Visitor Access Records): requires the organization to develop, approve, and maintain a list of individuals authorized to access the facility, issue authorization credentials, review the list on a defined frequency, and remove individuals when access is no longer required. The clinic applies it by managing physical access authorizations and granting permissions only to authorized personnel, so that individuals can reach only the areas their job functions require, reducing the risk of unauthorized entry. Compliant.
14. PE-3, Physical Access Control (not PE-13, which is Fire Protection): physical access to the facility, its equipment, and the areas within it is restricted to authorized individuals by enforcing the PE-2 authorizations at entry and exit points. At Brookside this involves access control systems, ID badges, locks, and surveillance cameras that limit entry to authorized personnel. The clinic defines access levels by job role, issues access credentials accordingly, and regularly reviews and updates the authorizations. Compliant.

15. PS-4, Personnel Termination: when an individual's employment ends, the organization must disable system access within a defined period, terminate or revoke the individual's authenticators and credentials, conduct an exit interview, retrieve security-related property, and retain access to information and systems the individual controlled. At Brookside Local Clinic this means promptly revoking system access for employees who leave (access changes for employees who move to a new role are handled under PS-5, Personnel Transfer), updating access controls, disabling accounts, and removing physical access rights. By doing so, the clinic ensures that former employees retain no access to patient information or other resources.

16. SA-2, Allocation of Resources: requires the organization to determine the security and privacy requirements of its systems during mission and business planning, to determine, document, and allocate the resources needed to protect them through its capital planning and budgeting process, and to carry a discrete line item for security and privacy in its budget. Applying SA-2 at Brookside means allocating the funding, personnel, and technology the security program needs, covering risk assessments, implementation of security controls, security training and awareness for staff, and ongoing monitoring and improvement of the clinic's security posture. Compliant.
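The account life-cycle checks described under AC-2 (item 2) and PS-4 (item 15) can be turned into a periodic review that reconciles a directory export against the HR roster. The following is an added example written for this page, not code from the clinic or from NIST; the roster fields, directory export, group names, the role-to-group entitlements, and the 90-day inactivity threshold are constructed assumptions. It flags enabled accounts whose owner has been terminated (PS-4), accounts with no owner of record, accounts inactive beyond the threshold, and accounts holding privileged groups their role is not entitled to (least privilege under AC-2).

```python
"""Account review for AC-2 / PS-4: reconcile directory accounts against the HR roster."""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # assumed review threshold for inactive accounts

# Assumed entitlements: which roles may hold which privileged groups.
ENTITLED_GROUPS = {
    "sysadmin": {"Domain Admins", "EHR-Admins"},
    "records_clerk": {"EHR-Users"},
    "nurse": {"EHR-Users"},
    "front_desk": {"Scheduling"},
}
PRIVILEGED_GROUPS = {"Domain Admins", "EHR-Admins"}

# Constructed HR roster: employee id -> (role, status, separation date or None).
HR_ROSTER = {
    "E100": ("sysadmin", "active", None),
    "E101": ("nurse", "active", None),
    "E102": ("records_clerk", "terminated", date(2024, 3, 15)),
    "E103": ("front_desk", "active", None),
}

# Constructed directory export: one record per account.
DIRECTORY = [
    {"user": "jdoe", "employee_id": "E100", "enabled": True,
     "last_login": date(2024, 4, 1), "groups": {"Domain Admins", "EHR-Admins"}},
    {"user": "asmith", "employee_id": "E101", "enabled": True,
     "last_login": date(2023, 12, 1), "groups": {"EHR-Users"}},
    {"user": "bjones", "employee_id": "E102", "enabled": True,
     "last_login": date(2024, 3, 14), "groups": {"EHR-Users"}},
    {"user": "clee", "employee_id": "E103", "enabled": True,
     "last_login": date(2024, 4, 2), "groups": {"Scheduling", "EHR-Admins"}},
    {"user": "svc_backup", "employee_id": None, "enabled": True,
     "last_login": date(2024, 4, 2), "groups": {"Domain Admins"}},
]


def review_accounts(directory, roster, today, stale_after=STALE_AFTER):
    """Return a list of (user, finding, detail) for enabled accounts needing action."""
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # already disabled: no live access, removal handled separately
        emp = roster.get(acct["employee_id"])
        if emp is None:
            # No owner of record: orphaned account or unapproved service account.
            findings.append((acct["user"], "NO_OWNER", "enabled account with no HR record"))
            continue
        role, status, separated = emp
        if status == "terminated":
            overdue = (today - separated).days if separated else "unknown"
            findings.append((acct["user"], "TERMINATED_STILL_ENABLED",
                             f"separated {separated}, {overdue} days ago"))
            continue  # PS-4: disable first; other findings on this account are moot
        if today - acct["last_login"] > stale_after:
            findings.append((acct["user"], "STALE", f"last login {acct['last_login']}"))
        # Privileged groups held beyond what the role is entitled to.
        excess = (acct["groups"] & PRIVILEGED_GROUPS) - ENTITLED_GROUPS.get(role, set())
        if excess:
            findings.append((acct["user"], "EXCESS_PRIVILEGE",
                             f"role {role} holds {sorted(excess)}"))
    return findings


def run_sample(today=date(2024, 4, 3)):
    return review_accounts(DIRECTORY, HR_ROSTER, today)
```

On the constructed data, `run_sample()` reports one finding per control gap: bjones (terminated 19 days earlier, still enabled), asmith (no login in over 90 days), clee (a front-desk role holding EHR-Admins), and svc_backup (an enabled privileged account tied to no employee). jdoe produces nothing because the role is entitled to the groups it holds. A termination finding short-circuits the other checks on that account because disabling it resolves them all.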
17. SI-3, Malicious Code Protection: the organization must implement malicious code protection at system entry and exit points, keep it updated as new releases become available, configure it for periodic and real-time scanning, and define the action taken on detection. Brookside Local Clinic applies this control to protect its systems from viruses, worms, and ransomware by deploying antivirus software, applying security patches regularly (patching itself is SI-2, Flaw Remediation), and enforcing strict email filtering and web browsing policies. Compliant.

Reference

National Institute of Standards and Technology. (2020). Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations. Retrieved from https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&security_baseline=Low