Technological Issues and Risk Analysis
Phase 2 of the OCTAVE Method requires an organization to examine its computing infrastructure in relation to the organizational information gathered in Phase 1, which sets the scope for a technological evaluation of the infrastructure. The activities of Phase 2 reflect what most people think of when they hear the term security evaluation: an assessment of the computing infrastructure. However, OCTAVE increases the effectiveness of a traditional, technology-focused vulnerability assessment by positioning it in the context of the organization's critical assets.
Two staff members from the contracting organization led the technological examination of the computing infrastructure's key components. The examination yielded about 150 technological weaknesses, including two high-severity vulnerabilities on the PIDS server.
These two weaknesses, if exploited, could give an attacker administrative access to the PIDS server, providing that attacker with the means to view, change, or destroy information on PIDS. The staff members from the contracting organization were assigned an action item to immediately fix the two high-severity vulnerabilities on the PIDS server.
After examining the organizational and technological issues related to security, the team was in a position to identify risks. Risk is the possibility of suffering harm or loss. An information-security risk specifically refers to a situation in which a person or an event could cause an undesirable outcome (a threat to a critical asset), resulting in a negative result or consequence to the business (the resulting impact on the organization). Thus, an information-security risk links a security threat to its ultimate effect on the organization's mission and business objectives.
The team considered a broad range of threats to each critical asset. The following list includes the top three risks for PIDS:
People external to the organization (attackers) could exploit technological weaknesses and interrupt access to PIDS. The hospital has become computer-dependent in order to function and is rendered virtually helpless without PIDS capability. Disruptions to PIDS could affect a provider's ability to treat a patient. Ultimately, this could affect the health of patients, result in lawsuits, and affect the reputation of the hospital.
The IT contractor is unfamiliar with the hospital's needs and requirements and has not responded to interruptions to PIDS in a timely manner. The consequences due to this threat are identical to those listed in the first risk above.
Disgruntled staff members could use their access to PIDS to deliberately modify patient information. A patient's life and health could be affected due to improper changes to treatment plans or medical records.
Notice that the first two risks focus on the availability of PIDS, while the third addresses integrity of the patient information on PIDS. This is consistent with how the team ranked the security requirements for PIDS. After identifying risks to all critical assets, the team was in a position to create strategies for improving the organization's security posture.
After reviewing the risks to all critical assets in relation to the organizational and technological issues identified during evaluation, the team identified the following as the top four areas for improvement for the hospital:
Security awareness and training. The analysis team found that a lack of IT skills led to misconfigurations of workstations and other devices. In addition, there was a general lack of awareness of security policies throughout the organization. These issues were linked to the risk of someone exploiting technological or procedural weaknesses to access critical systems and information. To resolve such issues, the analysis team recommended that the IT staff receive training in the technologies that they support and that the hospital's security awareness training be updated.
Collaborative security management. The analysis team noted that the hospital didn't have formal procedures for working with the IT contracting organization. This issue was at the center of the second risk listed in the preceding section. To address this risk, the team recommended defining formal procedures for working with the contracting organization and for expressing requirements related to information security.
Vulnerability management. This area is tied to the first two. Since the contractor is responsible for ongoing vulnerability evaluations, the hospital's IT staff needs to coordinate vulnerability-management activities with the contractor. In addition, the staff members assigned by the hospital to help manage vulnerabilities in the computing infrastructure need to develop skills in this area through training and educational activities.
Authentication and authorization. One organizational issue identified during Phase 1 was that the hospital didn't effectively implement role-based access to information. Over time, staff members inherit privileges as they move from job to job, providing any staff member with access to more information than necessary. This directly relates to the third risk listed earlier, because disgruntled staff members could abuse this increased access to modify information. The analysis team recommended that hospital management enforce its authentication and authorization policies and procedures.
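The privilege accumulation described above (staff keeping the rights of every job they have held) can be checked mechanically by comparing what each account has been granted against what its current role requires. The following is an added example, not code from the OCTAVE case study or the hospital; the role names, entitlement names and staff records are constructed for illustration. It flags excess entitlements for review and shows a transfer routine that replaces, rather than adds to, an account's grants when someone changes job.

```python
"""Least-privilege review against a role model (constructed example)."""
from dataclasses import dataclass, field

# Hypothetical role model: each role maps to the entitlements it needs.
# In a real deployment this would come from the organization's RBAC policy.
ROLE_ENTITLEMENTS = {
    "nurse": {"pids:read_chart", "pids:update_vitals"},
    "physician": {"pids:read_chart", "pids:update_vitals",
                  "pids:edit_treatment_plan", "pids:order_labs"},
    "billing_clerk": {"pids:read_demographics", "billing:submit_claim"},
    "it_support": {"pids:reset_password", "workstation:admin"},
}


@dataclass
class StaffMember:
    name: str
    current_role: str
    # Entitlements actually present on the system, accumulated over time.
    granted: set = field(default_factory=set)


def excess_entitlements(member):
    """Entitlements the account holds that its current role does not need.

    An unknown role maps to no required entitlements, so every grant on
    such an account is reported: an unrecognized role is itself a finding.
    """
    required = ROLE_ENTITLEMENTS.get(member.current_role, set())
    return member.granted - required


def review(staff):
    """Return {name: sorted excess entitlements} for accounts that need attention."""
    findings = {}
    for member in staff:
        excess = excess_entitlements(member)
        if excess:
            findings[member.name] = sorted(excess)
    return findings


def transfer(member, new_role):
    """Move an account to a new role by resetting grants to that role's set.

    This is the mitigation for privilege creep: a job change re-provisions
    the account from the role model instead of layering new rights on old.
    """
    if new_role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {new_role}")
    member.current_role = new_role
    member.granted = set(ROLE_ENTITLEMENTS[new_role])
    return member


# Constructed sample records. Dana moved from billing to nursing and kept
# the billing rights; Sam in IT support was given a clinical entitlement.
SAMPLE_STAFF = [
    StaffMember("Dana", "nurse", {"pids:read_chart", "pids:update_vitals",
                                  "pids:read_demographics", "billing:submit_claim"}),
    StaffMember("Lee", "physician", set(ROLE_ENTITLEMENTS["physician"])),
    StaffMember("Sam", "it_support", {"pids:reset_password", "workstation:admin",
                                      "pids:edit_treatment_plan"}),
]

if __name__ == "__main__":
    for name, excess in review(SAMPLE_STAFF).items():
        print(f"{name}: revoke {', '.join(excess)}")
```

Running the review over the sample flags Dana's leftover billing rights and Sam's clinical entitlement, while Lee's account, which matches the physician role exactly, is not reported. Re-running it after each job change is the cheap, repeatable check behind the team's recommendation to enforce the authorization policy rather than rely on staff accumulating access.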
In addition to the four areas of improvement listed above, the analysis team also identified the following action items:
Immediately correct all high-severity vulnerabilities identified during OCTAVE.
Develop a plan in the next 90 days for addressing all medium-severity vulnerabilities identified during OCTAVE.
Document all staff members' security roles and responsibilities (for example, "X controls virus management") and distribute the document to all staff.
Determine how and where personal digital assistants (PDAs) are linking into systems. The IT contracting organization will work with the physicians who have begun using PDAs. (To provide the medical staff with easier access to patients' medical information, the IT staff was making PDAs available to medical personnel, beginning with physicians. However, the IT staff had not considered security issues when implementing this initiative.)
Coordinate a physical security audit to evaluate the security of paper medical records.