Information Assurance
Healthcare Case: Standards-Based Approach to Cybersecurity, v10.6, November 3, 2021
Key Section: Final Examination Question and Grading Template (Updated November 3, 2021)
Note: The Key Sections below make up the Grading Template for completing the final examination.
Key Section: Final Examination Question: Build a Plan for an ABAC (Attribute Based Access Control) Pilot Case:
Using NCCoE (NIST National Cybersecurity Center of Excellence) use cases, please develop a plan for an ABAC (Attribute Based Access Control) Pilot Case. The ABAC Pilot Case provides a suggested transition program for a hypothetical hospital electronic healthcare records (EHR) system. An objective of the pilot EHR system is to provide the planning steps to transition from role based access control (RBAC) to attribute based access control (ABAC). ABAC is additive to RBAC.
Key Section: Question Building on Structured Discussions 1 and 2.
Key Section: Question: Suggested Student Overview of the Final Examination Issues
IA students,
Thank you.
In brief, the final examination is a “worked example” of applying NIST cybersecurity risk management guidance and metrics to a healthcare case. For example, we include an application of the NIST seven-step gap analysis that could be applied to cybersecurity case analyses, potentially extending Structured Discussions 1 and/or 2. (This examination uses the NIST seven-step gap analysis defined in NIST Cybersecurity Framework, Version 1.1, April 16, 2018, Section 3.2: Establishing or Improving a Cybersecurity Program: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.)
We also adapt from Structured Discussion 2 a NISTIR 8170 three level analysis of a Boeing 737 MAX case: 1) Organization; 2) Mission/Business Processes; and 3) System.
Hopefully, this is helpful.
Best regards,
Harold
Key Section: Question Scope: Build a Plan for an ABAC Pilot Case for a Hypothetical Inova Fairfax Hospital Transplant Center:
Please consider using actual Inova Fairfax references for a Hypothetical Inova Fairfax Hospital: Transplant Center use case for the pilot ABAC case. For example, Fairfax Hospital IT security policy.
Key Section: ABAC Pilot Case: Building on Two NIST NCCoE Use Cases: Integrating Selected NCCoE Use Case Analysis
Please consider using with attribution the work of the NIST NCCoE (National Institute of Standards and Technology National Cybersecurity Center of Excellence) as presented in two use cases:
1. NCCoE Use Case 1: RBAC: NIST Special Publication 1800-1B: Securing Electronic Health Records on Mobile Devices, July 27, 2018. (RBAC: Role Based Access Control)
2. NCCoE Use Case 2: ABAC: NIST Special Publication 1800-3B, C: Attribute Based Access Control, Second Draft, September 20, 2017. (ABAC)
Key Section: Plan for an ABAC Pilot Case: We Provide a Suggested Outline to Build a Plan for an ABAC Pilot Case
Please consider a suggested development plan for your ABAC Pilot Case. We define the scope of your ABAC Pilot Case to be a hypothetical Inova Fairfax Hospital: Transplant Center. The test case includes a transition for three components in the hypothetical Inova Fairfax Hospital for its EHR system from RBAC to ABAC.
In the ABAC Pilot Case, we integrate three “To Be” silos into a proposed target pilot system. These components are defined in NIST SP 1800-1B. The three components (silos) for this hypothetical case are: 1) Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN.
Key Section: Final Examination Scope: Management Approval for an ABAC Pilot Case
For this final examination, we start our ABAC Pilot Case planning and analysis after management approval. An ABAC Pilot Case is suggested to reduce patient safety risk for the hypothetical Inova Fairfax hospital complex. Patient safety risk depends in part on optimizing cost/benefit/risk for the ABAC Pilot Case. Under a fixed system budget, this optimization approach may include five factors: 1) safety; 2) reliability; 3) resilience; 4) security; and 5) privacy.
We adapt for this case the NISTIR 8170: Approaches for Federal Agencies to Use NIST Cybersecurity Framework, August 17, 2021. Figure 2: Federal Cybersecurity Approaches (see Figure 1 below).
Key Section: Final Examination Scope: Management Approval for an ABAC Pilot Case: Building on Structured Discussion 2: Boeing 737 MAX: Three Management Levels: 1) Organization; 2) Mission/Business Systems; and 3) System.
Please consider the Hypothetical Inova Fairfax organization decision-making process for this final exam, Figure 1 (NISTIR 8170: Figure 2).
Note: NISTIR 8170: Approaches for Federal Agencies to Use the Cybersecurity Framework, August 17, 2021.
We suggest the following interpretation of Figure 1 (NISTIR 8170: Figure 2):
NISTIR 8170: Figure 2: Federal Cybersecurity Approaches:
1) NIST Level 1: Organization: CEO and top management policies pertaining to the ABAC Pilot;
2) NIST Level 2: Mission/Business Processes: Management Procedures: Management procedures pertaining to the ABAC Pilot. For example, receive ABAC Pilot updates and exception reports. Analyze the ABAC Pilot updates and 1) provide guidance to Level 3: ABAC Implementation; and 2) report on ABAC progress to Level 1: CEO and top management.
3) NIST Level 3: System (ABAC Pilot): Implementation.
Figure 1: Hypothetical INOVA Pilot Case: Transition from RBAC to ABAC
Key Section: Final Examination Format:
Please consider a suggested format that is provided in this document. A typical final examination is about 20 pages, single space, with attribution, e.g., footnotes for citations for figures/tables.
Please consider using the interpretation of NISTIR 8170: Figure 2: Federal Cybersecurity Approaches above: 1) NIST Level 1: Organization: CEO policies; 2) Mission/Business Processes: Management Procedures; and 3) System (ABAC Pilot) Implementation.
Key Section: Final Examination: Suggested Student Outline
Please consider the Key Issues to be your primary focus for the final examination. Grading issues are in Bold. The grading emphasis is on Analysis, Conclusions and use of figures/tables with footnotes.
Key Issue 1: Title Page
Key Issue 2: Preface
Key Sections 1-7
Section 1: Question
Key Issue: Section 2: Interpretation of Question
Table of Contents
Key Issue: List of Figures: Note: Footnotes in text for figure captions
Key Issue: List of Tables: Note: Footnotes in text for table captions
Section 3: Introduction
Key Issue: Section 3.1: NIST Approach
3.1.1 NISTIR 8170 Figure 2: Three organization levels
3.1.2 NISTIR 8170: Figure 2: Area 1: Integrate enterprise and cybersecurity risk
3.1.3 NIST SP 1500-202: Section 2.3.3 Optimize Cyber Physical System risk budget (safety, resilience, reliability, security, privacy)
3.2: Hypothetical Inova Fairfax Transplant Center Use Case: RBAC “As-Is”
Key Issue: Section 4: NIST Seven Step Gap Analysis (NIST CSF Section 3.2: Establishing or Improving a Cybersecurity Program)
Step 1: Prioritize and Scope
Step 2: Orient
Key Issue: Step 3: Create a Current Profile “As Is”: Use existing RBAC architecture
Key Issue: Step 4: Conduct a Risk Assessment
Key Issue: Step 5: Create a Target Profile “To Be”: Use planned ABAC architecture
Key Issue: Step 6: Determine, Analyze and Prioritize Gaps
• Consider a ZTA/ABAC cloud provider to replace VPN
• Consider Identity Candidate Cloud Provider That Supports NIST Special Publication 800-207: Zero Trust Architecture, Section 2: Figures 1 and 2
• Consider “To Be” Gaps when compared to baseline “As Is”
o Cloud to replace VPN: NIST SP 800-210: For example, find a cloud provider that can integrate access control for three silos (Dr. Jones, Radiology, and VPN)
o Cloud Zero Trust Architecture: Consider a cloud provider that can support NIST SP 800-207: Zero Trust Architecture, August 2020
o Cloud support for ZTA: ABAC: PDP/PEP (Policy Decision Point/Policy Enforcement Point) NIST SP 800-207: Section 2: Zero Trust Basics and Figure 1: Zero Trust Architecture
Key Issue: Step 7: Implement an Action Plan
Key Issue: Section 5: Analysis [with respect to your interpretation of the question and gap analysis]
Key Issue: 5.1: Challenges of building and testing a candidate ABAC pilot program vs NISTIR 8170 Figure 2: Three organization levels: 1) Organization; 2) Mission/Business Processes; and 3) System: ABAC pilot program
Key Issue: Section 6: Conclusions [based on your Analysis]
Key Issue: Section 7: References [Complete references: For example, author, title, organization, document number, date, etc.]
Contents
Key Section: Final Examination Question and Grading Template (Updated November 3, 2021)
Key Section: Final Examination Question: Build a Plan for an ABAC (Attribute Based Access Control) Pilot Case:
Key Section: Question Building on Structured Discussions 1 and 2.
Key Section: Question: Suggested Student Overview of the Final Examination Issues
Key Section: Question Scope: Build a Plan for an ABAC Pilot Case for a Hypothetical Inova Fairfax Hospital Transplant Center:
Key Section: ABAC Pilot Case: Building on Two NIST NCCoE Use Cases: Integrating Selected NCCoE Use Case Analysis
Key Section: Plan for an ABAC Pilot Case: We Provide a Suggested Outline to Build a Plan for an ABAC Pilot Case
Key Section: Final Examination Scope: Management Approval for an ABAC Pilot Case
Key Section: Final Examination Scope: Management Approval for an ABAC Pilot Case: Building on Structured Discussion 2: Boeing 737 MAX: Three Management Levels: 1) Organization; 2) Mission/Business Systems; and 3) System.
Key Section: Final Examination Format:
Key Section: Final Examination: Suggested Student Outline
Key Issue 1: Title Page
Key Sections 1-7
Research: Background
Final Examination Research Background: Ten Step Analysis to Provide Detailed Research to Support Final Examination
Research Step 1/10: Since this is an introductory course, we provide for your review selected cybersecurity risk management guidance and concepts in a ten-step process. This ten-step process helps you work through the analysis. For example, we provide guidance, figures/tables, and sources for the steps.
In addition, we also offer for your review conceptual views (Appendix I) and selected prior students’ guidance (Appendix II).
2. Research Step 2/10: Use the NIST Three-Level Framework for Cybersecurity Risk Management
2.1 Step 2.1/2.1 NIST Level 1: Organization: Hypothetical Inova Fairfax organization management: Assume approval for a pilot case for a transition to ABAC is suggested for the hypothetical CEO Inova Fairfax.
NIST Level 3: System: Hypothetical Inova Fairfax mission/business systems plan for a pilot case for a transition to ABAC is implemented.
Research Step 2.2/2.2: ABAC: Systems Security Engineering: Integrated Examples
Research Step 3/10: Final Examination: NIST Security Control Maps
Research Step 3.1/3.1 NIST Security Control Maps
4. Research Step 4/10: Apply NIST Security Control Maps and Architectures to the Final Examination
Analytical Note: A suggested analytical observation for Tables 1 and 2: EHRs access control may be viewed as 1) PR.AC (RBAC); and 2) PR.AC-1, 3 and 4 (ABAC) for more fine-grained access.
Research Step 4.1/4.1 NIST Healthcare Use Case Architecture and Security Control Maps
5. Research Step 5/10: Cybersecurity Framework: Improving a Cybersecurity Program: NIST Seven-Step Gap Analysis
Note: This is where grading decisions between B and A may occur, depending on how well you develop and analyze the NIST seven-step gap analysis for this case in the final examination and refer to figures/tables with footnotes for the captions. The NIST seven-step gap analysis is more formally defined in the CSF, Section 3.2:
6. Research Step 6/10: Pilot Case: Key Inova Fairfax Cybersecurity Guidance
6.1 Research Step 6.1/6.5.1: Inova Fairfax Access Control Policy - Inova
Web Policies | Inova
Remote and Extended Access | Inova
Research Step 6.2/6.5.1 Mobile Device Management Policy - Inova
Research Step 6.3/6.5.1 Remote and Extended Access | Inova
Research Step 6.4/6.5.1 Other INOVA Access Control Issues
Research Step 6.4.1/6.5.1 For Employees | Inova
Research Step 6.5.1/6.5.1 Prior searches:
Please update any additional links that you wish to use for your final examination.
7. Research Step 7/10: Analysis
8. Research Step 8/10. Conclusions
9. Research Step 9/10. Matters for Consideration (Updated November 8, 2019)
10. Research Step 10/10. References
Appendix I: IA Final Examination: Conceptual Interpretation of Selected RBAC/ABAC Issues, Version 2.1, November 2, 2021
Research: Step 1: Final Examination Question
Research Step 4: Apply NIST Security Control Maps and Architectures to the Final Examination
Research Step 4.1: NIST Healthcare Use Case Architecture and Security Control Maps:
Research Step 6: Pilot Case: Key INOVA Cybersecurity Guidance:
Research Step 7: Analysis:
Appendix II: Strategic/Tactical Rubric: Based on Student Comments
Strategic Rubric
Tactical Rubric: Based in part on a review of prior examinations, we update a Tactical Rubric
Research: Background
Final Examination Research Background: Ten Step Analysis to Provide Detailed Research to Support Final Examination
Here for your review is a sample ten-step research analysis to provide background for using the above Suggested Student Outline.
Research Step 1/10: Since this is an introductory course, we provide for your review selected cybersecurity risk management guidance and concepts in a ten-step process. This ten-step process helps you work through the analysis. For example, we provide guidance, figures/tables, and sources for the steps.
In addition, we also offer for your review conceptual views (Appendix I) and selected prior students’ guidance (Appendix II).
2. Research Step 2/10: Use the NIST Three-Level Framework for Cybersecurity Risk Management
2.1 Step 2.1/2.1 NIST Level 1: Organization: Hypothetical Inova Fairfax organization management: Assume approval for a pilot case for a transition to ABAC is suggested for the hypothetical CEO Inova Fairfax.
Responsibility: The hypothetical CEO (Chief Executive Officer) and Hospital Officers are responsible for deciding go/no-go for cases that require integrating enterprise and cybersecurity risk management (Area 1).
The go/no-go decision in this case is for the hypothetical CEO to approve/disapprove a theoretical request from the hypothetical Level 2: Mission/Business Systems: For example, review an optimum set of scenarios for a pilot case for the Hypothetical Inova Fairfax Hospital: Transplant Center. Each scenario for the pilot could include cost/benefit/risk. For example, NIST suggests consideration for cost/benefit/risk of an optimization approach, e.g., integrating three silos. In a hospital optimization environment, such as our Hypothetical Inova Fairfax Hospital use case, there may be financial budget constraints for a pilot case to extend EHR from “RBAC” to “RBAC extended to ABAC.”
One interpretation of a NIST CPS (Cyber-Physical Systems) risk optimization guidance is for the final examination Research Step 5.4: Conducts a Risk Assessment.
An overarching NIST view for CPS risk assessment is to optimize three factors (silos)—cost/benefit/risk.
In Research Step 5.4, we could consider a NIST suggestion for a CPS “risk budget.” For example, a “risk budget” may be a fixed financial amount that is optimized by balancing five properties for the pilot case described in this examination (see Research Step 5.4: Conducts a Risk Assessment). The five properties or silos are 1) safety; 2) security; 3) reliability; 4) resilience; and 5) privacy. Possibly, the above priority sequence may apply to the final examination pilot case.
NIST provides systems security engineering analysis that could be interpreted for our pilot case to extend EHR to ABAC for 1) Radiology Dept; 2) Dr. Jones: Orthopedics; and 3) VPN (Virtual Private Network). For example, we could analyze three silos: 1) Radiology; 2) Dr. Jones: Orthopedics; and 3) VPN. These three silos could be viewed from an integrated risk budget viewpoint using a CPS “risk budget.”
NIST Level 2: Mission/Business Processes: Hypothetical Inova Fairfax organization management: Assume approval to plan for a pilot case for a transition to ABAC.
Responsibility: The Hypothetical Inova Fairfax Hospital: Transplant Center plans for implementation of the pilot.
Figure 2: Hypothetical INOVA Pilot Case: Transition from RBAC to ABAC
NIST Level 3: System: Hypothetical Inova Fairfax mission/business systems plan for a pilot case for a transition to ABAC is implemented.
The focus for the pilot case is categories 1) Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN (Integrating secure access for three To-Be silos for a pilot).
Research Step 2.2/2.2: ABAC: Systems Security Engineering: Integrated Examples
Please note that ABAC may be considered as a logical subset of NIST Special Publication 800-207: Zero Trust Architecture, August 2020. For example, Section 3.1.1: ZTA Using Enhanced Identity Governance; and Section 4.4: Collaboration Across Enterprise Boundaries. For example:
Similar to Use Case 1, a PE [Policy Engine] and PA [Policy Administrator] hosted as a cloud service may provide availability to all parties without having to establish a VPN or similar.
Further, attribute guidance is discussed in NIST Special Publication 800-210, General Access Control Guidance for Cloud Systems, July 2020, Section 5.6: Guidance for Attribute and Role Management.
Research Step 3/10: Final Examination: NIST Security Control Maps
Research Step 3.1/3.1 NIST Security Control Maps
Please introduce a NIST concept of NIST security control maps that apply to NIST Cybersecurity Risk Management cases.
For example, we highlight the five iterative functions from the Cybersecurity Framework Core: identify, protect, detect, respond, recover [9] (see Figure 2).
Conceptually, Figure 2, a high-level view of the NIST Cybersecurity Framework, V1.1, March 2018, Appendix Table 2: NIST Core, introduces two concepts: 1) the five NIST iterative functions assist in integrating functional silos; and 2) the NIST iterative functions map to information references, for example the security controls in NIST Special Publication 800-53 Rev. 4/5 (Draft): Security and Privacy Controls for Information Systems and Organizations (Final Public Draft), March 16, 2020.
Figure 2: NIST Security Control Map: Function and Category Unique Identifiers
Source: NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, Draft 2, December 5, 2017
Note: Current version is 1.1, April 16, 2018.
4. Research Step 4/10: Apply NIST Security Control Maps and Architectures to the Final Examination
Here are the suggested Research Steps 4.1-8:
Analytical Note: A suggested analytical observation for Tables 1 and 2: EHRs access control may be viewed as 1) PR.AC (RBAC); and 2) PR.AC-1, 3 and 4 (ABAC) for more fine-grained access.
Research Step 4.1/4.1 NIST Healthcare Use Case Architecture and Security Control Maps
Here for your review are eight suggested steps for this section:
a. First/Eight: “As Is” Use Case Architecture: Please consider reviewing NIST: Special Publication 1800-1B: Securing Electronic Health Records on Mobile Devices: Approach, Architecture, and Security Characteristics, July 2018, Section 3: Approach, Figure 3-1: Security Characteristics Required to Securely Perform the Transfer of Electronic Health Records Among Mobile Devices; and Section 4.2: Architecture Description, Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization.
b. Second/Eight: Security Control Maps: A NIST security control map example of the process for determining which security characteristics apply to the SP 1800-1B is presented in Table 3-2: Mapping Security Characteristics to the NIST Cybersecurity Framework and HIPAA (Health Insurance Portability and Accountability Act).
i. Please consider (Note: This is a NIST Security Control Map)
b. Third/Eight: Please consider using the above figures and tables to introduce the “As Is” Profile in your final examination.
c. Fourth/Eight: Please consider developing a version of this “As Is” NIST Security Control Map for your final examination. For example, see table 1. Table 1 remaining entries are not provided, i.e., …:
Table 1: Sample: Mapping Security Characteristics of NIST CSF, HIPAA Security Controls—“As Is” Profile
Source: NIST SP 1800-1B Draft: Securing Electronic Health Records on Mobile Devices: Approach, Architecture, and Security Characteristics, July 2018, Table 3-2; and NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018, Appendix A, Table 2
d. Fifth/Eight: “To Be” Profile: Please prepare a table, which represents a NIST Security Control Map: Extract for a “Target Profile”—“To Be” for the final examination healthcare use case.
e. An issue for the final examination is that step 5 is adding ABAC to RBAC. Therefore, just an ABAC table and ABAC architecture is not sufficient for "To Be."
The “Target Profile” could be a figure, such as a NIST security control map, that you develop to add attribute-based access control (ABAC) to: 1) the Radiology Department; 2) Dr. Jones Orthopedics; and 3) the VPN (Virtual Private Network) external access point for remote users (as defined in NIST SP 1800-1B: Table 4-1 [also listed as Table 2 [ABAC] above]). [Emphasis added]
NIST provides an example of ABAC mapping to the NIST CSF security characteristics (see Table 2: [ABAC] Use Case Security Characteristics Mapped to Relevant Standards and Controls).
Table 2: [ABAC] Use Case Security Characteristics Mapped to Relevant Standards and Controls [Additive "To Be" Profile]
Source: NIST SP 1800-3B Draft: Attribute Based Access Control: Approach, Architecture, and Security Characteristics, September 2017, Table 4.1: Use Case Security Characteristics Mapped to Relevant Standards and Controls; and NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018, Appendix A, Table 2
f. Sixth/Eight: The two baseline architectures are presented in SP 1800-1B: Figure 4-1—“As Is”; and SP 1800-3B: Figure 5.1—“To Be”
g. Seventh/Eight: Your assignment includes adapting SP 1800-3B: Figure 5.1: ABAC Build 1 Architecture (Additive “To Be”) to meet the ABAC security requirements for three users in SP 1800-1B: Figure 3: 1) the Radiology Department, 2) Dr. Jones Orthopedics, and 3) VPN external access point for remote users. The basic access controls, such as RBAC (Role Based Access Control), in “As Is” are extended to ABAC for “To Be.”
h. Eighth/Eight: In summary, ABAC supports a fine-grained access control upgrade for RBAC.
Review: Analytical Note: A suggested analytical observation for Tables 1 and 2: EHRs access control may be viewed as 1) PR.AC (RBAC); and 2) PR.AC-1, 3 and 4 (ABAC) for more fine-grained access.
5. Research Step 5/10: Cybersecurity Framework: Improving a Cybersecurity Program: NIST Seven-Step Gap Analysis
Note: This is where grading decisions between B and A may occur, depending on how well you develop and analyze the NIST seven-step gap analysis for this case in the final examination and refer to figures/tables with footnotes for the captions. The NIST seven-step gap analysis is more formally defined in the CSF, Section 3.2:
Please consider developing a NIST seven-step gap analysis for the final examination case. As introduced, this case defines three users for this pilot healthcare system: 1) Radiology Department; 2) Dr. Jones Orthopedics (specialty practice); and 3) remote users via VPN (Virtual Private Network) external access point for remote users.
Note: Section 5: The pilot case introduces a “worked example” of healthcare systems technology. For example, Inova Fairfax Hospital/Epic is based on Epic healthcare technology.
This pilot case is for adding ABAC (fine-grained access control) to NIST Cybersecurity Practice Guide SP 1800-3B, Figure 4-1: Architecture for the secure exchange of electronic health records on mobile devices in a healthcare organization.
Please follow the NIST instructions for NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018. Section 3.2: Establishing or Improving a Cybersecurity Program: Seven step gap analysis:
Research Step 5.1: Prioritize and Scope
Research Step 5.2: Orient
Research Step 5.3: Create a Current Profile—“As Is”
a. Table 1: NIST Special Publication 1800-1b: Draft: Securing Electronic Health Records on Mobile Devices, Approach, Architecture, and Security Characteristics, July 2015: Table 2: Mapping Security Characteristics to the CSF [NIST Cybersecurity Framework] and HIPAA [Health Insurance Portability and Accountability Act].
b. Table 2: NIST Special Publication 1800-1d: Draft: Securing Electronic Health Records on Mobile Devices: Standards and Controls Mapping, July 2015: Table 2: Security Characteristics Mapped to Cybersecurity Standards and Best Practices and HIPAA. [An extract is fine.]
c. Figure 1: NIST Special Publication 1800-1b: Draft: Securing Electronic Health Records on Mobile Devices, Approach, Architecture, and Security Characteristics, July 2015: Figure 3: Architecture for the secure exchange of electronic health records on mobile devices in a health care organization.
As introduced, please consider figures/tables and captions with a footnote.
Research Step 5.4: Conduct a Risk Assessment
(Review: See Research section 2.1) For example:
Hypothetical Inova Fairfax Hospital: Transplant Center. Each scenario for the pilot could include cost/benefit/risk. For example, NIST suggests consideration for cost/benefit/risk of an optimization approach, e.g., integrating three silos. In a hospital optimization environment, such as our Hypothetical Inova Fairfax Hospital use case, there may be financial budget constraints for a pilot case to extend EHR from “RBAC” to “RBAC extended to ABAC.”
One interpretation of a NIST CPS (Cyber-Physical Systems) risk optimization guidance is for the final examination Research Step 5.4: Conducts a Risk Assessment.
An overarching NIST view for CPS risk assessment is to optimize three factors (silos)—cost/benefit/risk.
In Research Step 5.4, we could consider a NIST suggestion for a CPS “risk budget.” For example, a “risk budget” may be a fixed financial amount that is optimized by balancing five properties for the pilot case described in this examination (see Research Step 5.4: Conducts a Risk Assessment). The five properties or silos are 1) safety; 2) security; 3) reliability; 4) resilience; and 5) privacy. Possibly, the above priority sequence may apply to the final examination pilot case.
NIST provides systems security engineering analysis that could be interpreted for our pilot case to extend EHR to ABAC for 1) Radiology Dept; 2) Dr. Jones: Orthopedics; and 3) VPN (Virtual Private Network). For example, we could analyze three silos: 1) Radiology; 2) Dr. Jones: Orthopedics; and 3) VPN. These three silos could be viewed from an integrated risk budget viewpoint using a CPS “risk budget.”
Research Step 5.5: Create a Target Profile—“Target Profile”—“To Be”
Please consider figures/tables and captions with footnotes.
For example, the two additive “To Be” figures/tables are: SP 1800-3B: Table 4.1; and Figure 5.1.
Your assignment includes proposing one or more tables and figures that show your proposed ABAC architecture upgrade for SP 1800-1B: Figure 4-1. Our focus is on access control for the three users for this healthcare case: 1) the Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN external access point for remote users.
a. Note: ABAC is an additive architecture. In this case, ABAC is added to SP 1800-1 RBAC (Role Based Access Control) systems.
b. Table 3: NIST Special Publication 1800-3B: Attribute Based Access Control: Approach, Architecture, and Security Characteristics: Second Draft, September 2015: Table 4.1: Use Case Security Characteristics Mapped to Relevant Standards and Controls.
c. Figure 2: NIST Special Publication 1800-3B: Attribute Based Access Control: Approach, Architecture, and Security Characteristics: Second Draft, September 2017: Figure 5.1: ABAC Build 1 Architecture.
d. Figure 3: ABAC Extension to RBAC SP 1800-1B: Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization.
An ABAC additive issue may be considered as adding ABAC specificity to RBAC authentication in SP 1800-1B: Figure 3-1: Security Characteristics Required to Securely Perform the Transfer of Electronic Health Records Among Mobile Devices.
Research Step 5.6: Determine, Analyze, and Prioritize Gaps
Research Step 5.7: Implement Action Plan
6. Research Step 6/10: Pilot Case: Key Inova Fairfax Cybersecurity Guidance
Key Issue: If Inova Fairfax cybersecurity guidance is RBAC oriented, we could suggest that RBAC oriented guidance could be considered for an upgrade to ABAC cybersecurity guidance.
Please include consideration of the following Inova Fairfax access documents. These documents provide guidance for Inova Fairfax 1) Access Control Policy; 2) Mobile Device Management Policy; 3) Remote and Extended Access; and 4) Other Inova Fairfax Access Issues.
6.1 Research Step 6.1/6.5.1: Inova Fairfax Access Control Policy - Inova
Web Policies | Inova
www.inova.org › about-inova › web-policies
... of the internet, Inova Health Foundation (Inova) does not warrant that access to any Inova web property or any of its pages will be uninterrupted or error free.
Remote and Extended Access | Inova
www.inova.org › for-employees › remote-extended-acc...
For Inova employees: This webpage has links to Citrix applications (Inova remote network access), referring physician PACS access, InovaNet, and MyTime .
Research Step 6.2/6.5.1 Mobile Device Management Policy - Inova
https://www.inova.org › sites › default › files › mobile-device-mgmt
Page 1 of 4. The Mobile Device Management Policy provides the standards and rules of behavior for the use of all “Mobile ... http://inovanet.net.inova.org/policies/view.aspx?id=2281&sid=1&categoryId=586. •. Inova IT ... and limited personal communication or recreation, such as reading or game playing. ... o Documents.
Research Step 6.3/6.5.1 Remote and Extended Access | Inova
https://www.inova.org › for-employees › remote-extended-access
Research Step 6.4/6.5.1 Other INOVA Access Control Issues
For Inova employees: This webpage has links to Citrix applications (Inova remote network access), referring physician PACS access, InovaNet, and MyTime ...
Research Step 6.4.1/6.5.1 For Employees | Inova
https://www.inova.org › for-employees
1. Prior Searches
Check the links below, and on the left- and right-hand sides of the page, for ways to access Inova email accounts, the network, policies and information on the ...
Research Step 6.5.1/6.5.1 Prior searches:
Please update any additional links that you wish to use for your final examination.
Prior INOVA search results could be augmented with:
Other INOVA links for INOVA EpicCare include:
1. Physicians.
2. Patient: MyChart Video;
5. Employee Remote Access;
6. EpicCare Link;
7. Research Step 7/10: Analysis
Please answer the Analysis aspect of the Final Examination Question.
When developing your analysis with respect to the examination question, please consider including comparison of your “To Be” security architecture with the hypothetical Inova Fairfax Case Epic/EpicCare baseline case—“As Is” Profile. For example, Inova Fairfax EpicCare is an operational system; and an ABAC pilot for a healthcare system applies to “designing in security” [11] for future healthcare systems.
During the pilot, the hypothetical Inova Fairfax has to maintain operations and patient safety levels.
Analysis Levels: Hypothetical Inova Fairfax Hospital Case
1. NIST Level 1: Organization [Hypothetical Inova Fairfax Hospital Policy, such as Mobile Device Management Policy: Assume CEO approves this pilot.]
2. NIST Level 2: Mission/Business Processes [Hypothetical Inova Fairfax Hospital Procedures, such as Transplant Center Procedures. Assume Manager of Transplant Center approves the procedures for this pilot.]
3. NIST Level 3: System [Hypothetical Inova Fairfax system implementation, such as VPN, Radiology, and Dr. Jones: Assume that a case manager is assigned for this pilot.]
Note: As of November 2, 2021, build on a candidate implementation of Zero Trust Architecture (ZTA) for ABAC systems, such as the Hypothetical Inova Fairfax Hospital Case:
Note: A formal definition of PDP/PEP (Policy Decision Point/Policy Enforcement Point) is provided in NIST Special Publication 800-207: Zero Trust Architecture, August 2020. Section 2: Zero Trust Basics and Figure 1: Zero Trust Access.
PEP could be used to implement ABAC fine grained access control decisions.
8. Research Step 8/10. Conclusions
Please answer the Conclusions aspect of the Final Examination Question.
Please develop your Conclusions based on your Analysis: Please consider a second level of specificity.
Conclusions Levels
1. NIST Level 1: Organization. For example, assume CEO decision to approve this pilot.
2. NIST Level 2: Mission/Business Processes. For example, assume the Transplant Center manager provides the NIST seven-step gap analysis instructions for this pilot.
3. NIST Level 3: System. For example, assume that the Pilot team implements the NIST seven-step gap analysis for the completed pilot.
9. Research Step 9/10. Matters for Consideration (Updated November 8, 2019)
Mobile devices may be considered from a unified CPS/IoT (Cyber-Physical Systems/Internet of Things) systems perspective (see figure 1). For example, we may analyze CPS/IoT issues such as access and authorization, data security, and privacy concerns.
Figure 2: CPS/IoT Unified View for Autonomous Vehicles
Source: NIST: Special Publication 1900-202: Cyber-Physical Systems and Internet of Things, March 2019. Section 6.1: Components Model: Linked Logical and Physical Elements.
In addition, there are unified CPS/IoT ‘system risk budget’ issues.
10. Research Step 10/10. References
As introduced, please consider figures/tables with footnotes for captions. Please consider comprehensive footnotes, such as author, title, organization, document number, date, etc.
Appendix I: IA Final Examination: Conceptual Interpretation of Selected RBAC/ABAC Issues, Version 2.1, November 2, 2021
IA students,
Perhaps, you may be interested in this Version 2.1 of selected comments to students concerning an interpretation of the final examination. The comments apply in part to the August 1, 2020, Final Examination Steps 1, 4, 4.1, 6 and 7.
Hopefully, this is helpful.
Best regards,
Harold
Research: Step 1: Final Examination Question
Perhaps, the following conceptual view of the final examination could be helpful:
Conceptually, the final examination is concerned with developing a hypothetical pilot case for the Inova Fairfax Hospital, Transplant Center. The case may be viewed as adding specificity (Attribute Based Access Control) to access control (Role Based Access Control):
Figure 1 (below): RBAC may be mapped to NIST Cybersecurity Framework Identity Management Authentication and Access Control (PR.AC) security function. Please see Research: Final Examination Step 4: Apply NIST Security Control Maps and Architectures: Table 1: Sample: Mapping Security Characteristics of NIST CSF, HIPAA Security Controls—“As Is” Profile.
Figure 2 (below): ABAC may be mapped to NIST Cybersecurity Framework Identity Management Authentication and Access Control (PR.AC-1, 3 and 4). A key issue is that ABAC has more specificity than RBAC, e.g., PR.AC-1, 3 and 4 for ABAC vs. PR.AC for RBAC. (See Final Examination Table 2: [ABAC] Use Case Security Characteristics Mapped to Relevant Standards and Controls [--Additive “To Be” Profile].)
Source: NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations, August 2, 2019
Figure 1: Traditional (Non-ABAC, such as RBAC [Role Based Access Control]) Multi-Organizational Access Method may be interpreted with respect to the final examination question (Research: Step 1: Final Examination Question [“As Is” Architecture]):
1. Organization A’s Subjects (Users)
a. Users accessing the Radiology Department using RBAC.
b. Dr. Jones Orthopedics accessing EHRs (Electronic Health Records) using RBAC.
2. Access Request
a. Using a VPN (Virtual Private Network)
Source: NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations, August 2, 2019
Figure 2: Basic ABAC Scenario [“To Be” Architecture] may be interpreted with respect to the final examination question (Step 1: Final Examination Question):
1. Organization A’s Subjects (Users)
a. Users accessing the Radiology Department using ABAC.
b. Dr. Jones Orthopedics accessing EHRs (Electronic Health Records) using ABAC.
2. Access Request: ABAC Step 1: Subject requests access to object
a. Using a VPN (Virtual Private Network)
3. ABAC Step 2: ABAC Access Control Mechanism evaluates a) Rules; b) Subject Attributes; c) Object Attributes, and d) Environment Conditions to compute a decision.
4. ABAC Step 3: Subject [User request to Radiology Department and/or Dr. Jones Orthopedics accessing EHRs] is given access to object if authorized.
Research Step 4: Apply NIST Security Control Maps and Architectures to the Final Examination
Research Step 4.1: NIST Healthcare Use Case Architecture and Security Control Maps:
Fourth: One interpretation of step Fourth ("As Is" NIST Security Control Map in Table 1) is to 1) copy Table 1: Sample: Mapping Security Characteristics of NIST CSF, HIPAA Security Controls--"As Is" Profile; and 2) explain the importance of Access Control (PR.AC) for RBAC to the design of the Inova Fairfax pilot.
d. Fifth:
One interpretation of step Fifth ("To Be" Profile) is to 1) copy Table 2: [ABAC] Use Case Security Characteristics Mapped to Relevant Standards and Controls [Additive "To Be" Profile]; and 2) explain the importance of the added specificity of Access Control (PR.AC) for ABAC to the design of a transition from 1) RBAC to 2) RBAC extended to ABAC for the INOVA pilot. For example, Table 2, rows 1-3, column 5 identifies, at a second level of specificity, PR.AC-1, 3, and 4, which are defined in NIST SP 800-53 rev 4 [Note: Current version is SP 800-53 rev 5, December 10, 2020].
Research Step 6: Pilot Case: Key INOVA Cybersecurity Guidance:
One view of the INOVA 1) Access Control Policy, 2) Mobile Device Management Policy, 3) Remote and Extended Access; and 4) Other INOVA Access Issues, is that Steps 1-5 for the Pilot should be compatible with Step 6 INOVA Access Policy Issues. For example, Steps 1-5:
• Step 1: Final Examination Question;
• Step 2: Use the NIST Three-Level Framework for Cybersecurity Risk Management;
• Step 3: Final Examination: NIST Security Control Maps;
• Step 4: Apply NIST Security Control Maps and Architecture to the Final Examination;
• Step 5: Cybersecurity Framework: Improving a Cybersecurity Program: NIST Seven-Step Gap Analysis;
• Step 6: Pilot Case: Key INOVA Cybersecurity Guidance.
In brief, Step 6: Pilot Case may include a focus on ABAC issues that is beyond the scope of INOVA RBAC access policy. Therefore, this situation could require consideration in Step 7.
Research Step 7: Analysis:
Yes. The expectation includes stating and describing potential Inova Fairfax policy updates to accommodate ABAC. For example, these updates could be considered for each NIST level: 1) Organization; 2) Mission/Business Processes; and 3) System.
Hopefully, this is helpful.
Best regards,
Harold
Appendix II: Strategic/Tactical Rubric: Based on Student Comments
Question Strategy: Please place your emphasis on analysis and conclusions. This helps demonstrate your understanding of the final examination issues.
Strategic Rubric
Question Visualization: To help with visualization of a scenario for this examination, here is a hypothetical ABAC pilot case for a hypothetical Inova Fairfax hospital.
• Inova Fairfax uses an integrated healthcare system called EpicCare.
• Please consider Inova Fairfax access control policy: A theoretical INOVA Mobile Device Management Policy, Version 2.0, April 21, 2016; https://www.inova.org/upload/docs/Education%20and%20Research/GME/mobile-device-mgmt.pdf .
• For this examination, we suggest assuming that a theoretical Inova Fairfax Transplant Center is considering evaluation of an ABAC pilot EHR system for its potential application to its transplant patient EHRs.
• The ABAC pilot EHR system is introduced in NIST Special Publication 1800-1: Securing Electronic Health Records on Mobile Devices, July 2018. Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization.
• The ABAC architecture to be added to the pilot is introduced in NIST Special Publication 1800-3: Attribute Based Access Control, Second Draft, September 2017.
• The Inova Fairfax Transplant Center will use NIST cybersecurity risk management guidance to assess the potential impact of the ABAC pilot.
Suggested strategic strategy: Please consider the Inova Fairfax Transplant Center as the organization that is evaluating the ABAC case. A central issue for this examination is to consider NIST SP 1800-1B, July 2018, Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization. The three data center access categories for this ABAC case are 1) Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN.
The Inova Fairfax Transplant Center could be considering updating their RBAC (Role Based Access Control) system architecture to ABAC (Attribute Based Access Control). Role based access control assigns users to groups, for example, patients, doctors, nurses, pharmacy, radiology, and external users. ABAC is additive and provides more fine-grained access control. For example, a transplant surgeon may have to use fingerprint, one-time code verification and access to his/her cell phone for ABAC identification. For example, the cell phone provides ABAC fine-grained GPS location.
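To make the "ABAC is additive to RBAC" point and the three ABAC steps of Figure 2 in Appendix I concrete, here is an added example (not from the NIST publications or the course materials) of a policy decision point that first applies the RBAC role check and then evaluates subject, object and environment attributes, with a policy enforcement point releasing the record only on a permit. The role names, attribute names and the three rules are hypothetical and chosen to mirror the Radiology, Dr. Jones Orthopedics and VPN access categories.

```python
from dataclasses import dataclass

# "As Is" RBAC layer: role -> permitted (department, action) pairs (constructed).
ROLE_PERMISSIONS = {
    "transplant_surgeon": {("transplant", "read"), ("transplant", "write")},
    "radiology_tech": {("radiology", "read")},
    "orthopedics_physician": {("orthopedics", "read"), ("radiology", "read")},
}

@dataclass
class Request:
    subject: dict  # subject attributes: role, auth_factors
    obj: dict      # object attributes: id, department, sensitivity
    action: str
    env: dict      # environment conditions: channel, device_managed, on_campus

def rbac_allows(req):
    perms = ROLE_PERMISSIONS.get(req.subject.get("role"), set())
    return (req.obj.get("department"), req.action) in perms

# "To Be" ABAC rules (hypothetical): return None if satisfied, else a reason.
def rule_strong_auth(req):
    # An object with no sensitivity label is treated as high (fail closed).
    high = req.obj.get("sensitivity", "high") == "high"
    missing = ({"fingerprint", "otp"} if high else set()) - set(
        req.subject.get("auth_factors", ()))
    return f"missing auth factors: {sorted(missing)}" if missing else None

def rule_location(req):
    if req.action == "write" and not req.env.get("on_campus", False):
        return "write requires device GPS location on campus"
    return None

def rule_channel(req):
    channel = req.env.get("channel")
    if channel not in {"internal", "vpn"}:
        return "untrusted access channel"
    if channel == "vpn" and not req.env.get("device_managed", False):
        return "VPN access requires a managed device"
    return None

ABAC_RULES = (rule_strong_auth, rule_location, rule_channel)

def pdp_decide(req):
    """PDP: RBAC must allow, then every ABAC rule must pass; absent attributes deny."""
    if not rbac_allows(req):
        return ("deny", ["role lacks permission (RBAC)"])
    reasons = [r for r in (rule(req) for rule in ABAC_RULES) if r]
    return ("deny", reasons) if reasons else ("permit", [])

def pep_enforce(req, fetch_record):
    """PEP: release the record only when the PDP returns permit."""
    decision, reasons = pdp_decide(req)
    if decision != "permit":
        raise PermissionError("; ".join(reasons))
    return fetch_record(req.obj["id"])

# Constructed sample: Dr. Jones Orthopedics reads a radiology record over the VPN.
DR_JONES_VPN = Request(
    subject={"role": "orthopedics_physician", "auth_factors": ["otp"]},
    obj={"id": "rad-001", "department": "radiology", "sensitivity": "normal"},
    action="read", env={"channel": "vpn", "device_managed": True})
```

Because the ABAC rules run only after the RBAC check passes, the pilot can tighten access without ever granting something the existing role model forbids, and the returned denial reasons give the audit trail a per-attribute explanation.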
Caveat: This case is hypothetical: We are using the Inova Fairfax Transplant Center as the basis for evaluation of a hypothetical ABAC case to assist in our final examination analysis.
Suggested case setting: For this examination, please consider the Inova Fairfax Transplant Center management as analyzing an ABAC case. The “As Is” architecture for this ABAC case is presented in the Electronic Health Records (EHR) system architecture in Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization.
The Inova Fairfax Transplant Center may be considering this ABAC case. For example, this ABAC case involves seven steps that are defined in the NIST Cybersecurity Framework. We highlight three key steps from the seven steps for the analysis of the RBAC case:
1. Create a Current Profile: NIST Cybersecurity Framework Step 3:
a. Identification of the “As Is” RBAC EHR architecture.
2. Conduct a Risk Assessment: NIST Cybersecurity Framework Step 4.
a. A risk assessment of transitioning the “As Is” RBAC EHR architecture for the ABAC pilot to a “To Be” ABAC EHR architecture. The risk assessment involves optimization of cost/benefit/cybersecurity and patient risk.
b. For example, ABAC EHR architecture may reduce the risk of entering incorrect kidney transplant patient anti-rejection medicine doses in a database.
3. Create a Target Profile: NIST Cybersecurity Framework Step 5
a. Identification of the “To Be” ABAC EHR target architecture.
Cybersecurity and Safety Risk Optimization: Inova Fairfax Transplant Center management cannot change its EHR architecture within the Inova Fairfax Hospital EpicCare environment without Inova Fairfax Hospital approval. For example, an integrated transition plan would have to be approved to evolve its access control system from RBAC to ABAC. Therefore, we may consider this examination as developing for review by Inova Fairfax Transplant Center management an ABAC pilot that includes a RBAC to ABAC transition program. This transition program could provide a use case for the Transplant Center to consider when assessing cybersecurity and patient safety vs Inova Fairfax Hospital EHR cybersecurity and patient safety in the existing EpicCare hospital environment.
NIST Cybersecurity Guidance or Metrics: In summary, please consider the final examination as a project to analyze the cybersecurity risk and patient safety risk management issues of a proposed ABAC pilot. The scope of the ABAC pilot is:
Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization. The three data center access categories are 1) Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN.
Examination strategy: Scenario Example: Please analyze the ABAC pilot as a scenario for the three data center access categories 1) Radiology Department; 2) Dr. Jones Orthopedics; and 3) VPN. Here for your review is a conceptual view of the analysis of the pilot with respect to selected NIST guidance.
1. Focus for Demonstration of Knowledge: Please consider the “big picture” for the final examination. For example, how do Inova Fairfax Hospital management and the Inova Fairfax Transplant Center management develop an integrated analysis of this ABAC case? As introduced, a key part of the final examination grade is based on student analysis, such as implementing for the ABAC case the NIST seven-step risk analysis. We are suggesting the use of the NIST three managerial levels to assist in an integrated view of three silos, e.g., 1) Dr. Jones access; 2) Radiology records; and 3) VPN.
2. Consider Using the NIST Three Managerial Levels: For example, the NIST seven-step risk analysis may be viewed from the three NIST managerial levels in the Inova Fairfax hospital. For example:
• NIST Cybersecurity Risk Management Level 1: Organization: Inova Fairfax Hospital
o Decisions with respect to the ABAC pilot: Hospital management determines the cost/benefit/cybersecurity and patient safety risk that would result from adopting the ABAC pilot transition from RBAC to ABAC on a hospital wide basis. For example, how would this impact patient safety for Inova Fairfax within the EpicCare hardware/software architecture?
• NIST Cybersecurity Risk Management Level 2: Mission/Business Processes
o Decisions with respect to the ABAC pilot: Inova Fairfax Transplant Center management determines the cost/benefit/cybersecurity and transplant patient safety risk that would result from adopting the ABAC pilot transition from RBAC to ABAC on a center wide basis. For example, how would this impact patient safety for the Inova Fairfax Transplant Center within the EpicCare hardware/software architecture?
• NIST Cybersecurity Risk Management Level 3: System
o Decisions with respect to the ABAC pilot: Inova Fairfax Transplant Center management determines the cost/benefit/cybersecurity and transplant patient safety risk that would result from adopting the ABAC pilot transition from RBAC to ABAC within the center for each transplant patient category 1) lung transplant; and 2) kidney and pancreas transplant. For example, how would this impact patient safety for kidney transplant patients within the Inova Fairfax Transplant Center? Patient safety includes preserving the integrity of EHR records for anti-rejection medicine identification and prescription doses.
Tactical Rubric: Based in part on a review of prior examinations, we update a Tactical Rubric.
Authoritative NIST and NISTIR Cybersecurity Risk Management Guidance: Please consider as metrics for your examination the use of NIST cybersecurity risk management guidance. This includes providing footnotes for key issues.
RBAC: “As Is” Profile: Please consider for role based access control (RBAC) the hospital healthcare EHR system that is defined in a NIST cybersecurity risk management use case. This case is reported in NIST SP 1800-1B: Securing Electronic Health Records on Mobile Devices, July 2018. Section 4: Architecture: Figure 4-1: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization.
ABAC: “To Be” Profile: Please consider a transition from a NIST standards based approach for access control, audit controls/monitoring and device integrity that uses RBAC to attribute based access control (ABAC). Please consider for the transition, NIST metrics provided in NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018. Section 3.2: Establishing or Improving a Cybersecurity Program [seven step gap analysis].
NIST ABAC Publications: Two NIST ABAC publications are suggested for this examination:
1) NIST Special Publication 1800-3B: Attribute Based Access Control, Volume B: Approach, Architecture, and Security Characteristics, Second Draft, September 2017.
2) NIST Special Publication 800-205 (Draft): Attribute Considerations for Access Control Systems, February 13, 2019. Figure 1: Scopes of Attributes Used: Authorization, Authentication, and Attribute Proofing of an Access Control System.
As introduced, please consider footnotes for key issues and for captions for figures/tables.