System Security Certification - PowerPoint PPT Presentation

Slides: 34
Provided by: steveh123

Transcript and Presenter's Notes

1
System Security Certification
  • Steve Herber
  • IT Services Security Infrastructure Team
  • Who
  • What
  • When
  • Where
  • Why
  • How

2
Who: Are You in the Right Class?
  • Audience
  • Anyone installing a new computer
  • Anyone upgrading an old system
  • Your boss told you to go
  • Purpose
  • Understand when to use the System Security
    Certification process, including who, what,
    when, where, why and how

3
Who performs a System Security Certification?
  • You do
  • System Owner sometimes
  • System Operator most of the time

4
Who Owns a System?
  • Whoever
  • Authorizes the purchase/budget
  • Authorizes use/users
  • Goes to jail
  • Details in the SO/SO training

5
Who Signs the System Security Certification?
  • The System Owner
  • Not SIT. We just review the documentation for
    you.

6
What is a System?
  • One or more related computers
  • Covered in the SO/SO class

7
What is a System Security Certification?
  • Documentation for
  • Policy/HIPAA compliance
  • CYA paperwork (iCr Yet Again)?
  • Similar to the ICR

8
What is in a System Security Certification?
  • Documentation
  • ICR
  • Certification Form
  • System Diagram
  • Firewall Rules
  • Supplemental Documentation
  • Certification Worksheet
  • Details covered under How

9
When do you perform a System Security
Certification?
  • Whenever a system is
  • Created
  • Changed
  • A CYA need is discovered
  • When you are audited if you don't have one

10
Where do you do a System Security Certification?
  • Anywhere in UW Medicine
  • Any other group with IRB approval?
  • Anywhere in UW Medicine

11
Where is the System Security Certification Web
site?
  • Security web site: https://security.uwmedicine.org/
  • Certification page, under Assessment:
    https://security.uwmedicine.org/assess/ss_cert

12
Why do a System Security Certification?
  • Meet Policy requirements
  • CYA / audit preparation
  • Boss tells you to do one
  • Training information
  • System Documentation

13
How do you write a Server Security Certification?
  • Best way - Hard way
  • Fast way - Slow way
  • Documentation
  • ICR
  • Certification Form
  • System Diagram
  • Firewall Rules
  • Supplemental Documentation
  • Certification Worksheet

14
ICR
  • You need an ICR for
  • Server placement
  • Server Security Certification
  • Policy compliance
  • The ICR is very similar to the Server Security
    Certification
  • ICR web site: https://security.uwmedicine.org/icr/

15
Certification Form
  • Used by the System Owner to declare that their
    system meets policy requirements on a certain
    date.
  • Please fill in all the fields.
  • Just attach the doc version to the ticket.
  • No need for a paper or pdf version.
  • Good example
  • Bad example

16
System Diagram
  • Reality: no one else knows anything about your
    system, and they probably don't want to. Make it
    clear.
  • Prepare a simple diagram showing
  • Users
  • Networks
  • Firewalls: IPs, subnets, and ports allowed or
    rejected
  • Servers: IP, hostname, firewall rules
  • Examples

17
Firewall Rules
  • Source and destination IP
  • Ports
  • Allowed or rejected
  • Examples

18
Supplemental Documentation
  • Department policies
  • System build documentation
  • Vendor documentation (MDS2, the Manufacturer
    Disclosure Statement for Medical Device Security)
  • MBSA (Microsoft Baseline Security Analyzer) output
  • SOP
  • Anything that helps someone understand how the
    system is built or used and shows attention to
    policy concerns.
  • Examples

19
Certification Worksheet
  • Used by the System Operator to document
  • System Name and ICR
  • System Purpose
  • People involved with the system
  • A hardware inventory
  • A software inventory
  • How this system meets policy requirements
  • Please fill in all the fields

20
System Name and ICR
  • This is why you need an ICR
  • Many computers make up a system
  • mscape1, 2, 3, 4, test
  • Subali
  • System Name: Mindscape
  • ICR: 24157

21
System Purpose
  • Remember: most people have never heard of your
    system. Help them.
  • Example
  • Mindscape is an electronic medical record
    application

22
SO/SO Requirements
  • Document who owns and runs the system.
  • System Owner, System Operator, and System
    Administrator. Others.
  • Remember, you are documenting your policy
    compliance. Details count.
  • Example
  • Peter Ghavami, System Operator, May 4, 2004
  • Jerry Gritrsch (GE), System Admin, ?

23
Hardware Inventory
  • Example
  • Server: Mscape1
  • Description: Mindscape front end server
  • Location: NEC 205

24
Application Inventory
  • Example
  • Application: Centricity Web 2.1
  • Description: Web application for Centricity 2.1
  • Vendor: GE
  • Department: Radiology

25
Policy Compliance
  • Used by the System Operator to document how this
    system meets UW Medicine policies
  • Should reflect ICR notes
  • Please fill in all the fields
  • Read the policy. Really.
  • Document how the system meets the policy
  • 'Yes' is not an answer
  • 'NA' is an answer for wireless
  • 'Meets UW Medicine guidelines' - no

26
Policy Compliance
  • Examples
  • Bad
  • Good
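
The two checks a SIT engineer applies first, that every firewall rule in the Firewall Rules attachment actually records source, destination, port and allow/reject, and that no policy-compliance response is a bare "Yes" or "follows policy", can be run against the package before the ticket is filed. The script below is an added example and is not part of the original deck or of any UW Medicine tooling; the CSV column names for firewall rules, the dictionary shape for policy responses, and the list of non-answers are assumptions, and the sample rules and responses are constructed for illustration.

```python
"""Pre-submission lint for a System Security Certification package.

Added example, not from the original slides. It encodes the checks the
deck describes: every firewall rule records source, destination, port
and allow/reject; an allow rule open to any source on any port is
flagged for justification; every policy response says how the policy
is met rather than "Yes" or "follows policy"; blank fields are flagged;
and "NA" is accepted only for the wireless policy, as the deck states.
The CSV columns, the response dictionary, and the set of non-answers
are assumptions; the sample data below is constructed.
"""

import csv
import io
import ipaddress

# Constructed sample firewall-rules attachment (assumed CSV layout).
SAMPLE_RULES_CSV = """source,destination,port,action
10.20.30.0/24,172.16.5.10,443,allow
172.16.5.10,172.16.5.20,1433,allow
any,172.16.5.10,any,allow
192.168.1.5,172.16.5.10,,allow
"""

# Constructed sample policy-compliance responses (policy name -> answer).
SAMPLE_POLICY_RESPONSES = {
    "Access control": "Yes",
    "Wireless": "NA",
    "Encryption in transit": "follows policy",
    "Patching": "MBSA run monthly; critical updates applied within 30 days.",
    "Audit logging": "",
}

# Answers an auditor cannot check (assumed list, per "'Yes' is not an answer").
NON_ANSWERS = {"yes", "y", "follows policy", "meets uw medicine guidelines"}
# Policies for which the deck says "NA" is an acceptable answer.
NA_ALLOWED_FOR = {"wireless"}
ANY_TOKENS = ("any", "*", "0.0.0.0/0")
REQUIRED_RULE_FIELDS = ("source", "destination", "port", "action")


def _check_endpoint(value):
    """Raise ValueError unless value is an address, a CIDR block, or an 'any' token."""
    if value.lower() not in ANY_TOKENS:
        ipaddress.ip_network(value, strict=False)


def lint_firewall_rules(csv_text):
    """Return [(csv_line, message)] for rules a reviewer could not audit."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line, row in enumerate(reader, start=2):  # header is line 1
        cells = {f: (row.get(f) or "").strip() for f in REQUIRED_RULE_FIELDS}
        for field, value in cells.items():
            if not value:
                findings.append((line, f"missing {field}"))
        action = cells["action"].lower()
        if action and action not in ("allow", "reject"):
            findings.append((line, f"action must be allow or reject, not {action!r}"))
        try:
            for field in ("source", "destination"):
                if cells[field]:
                    _check_endpoint(cells[field])
        except ValueError as exc:
            findings.append((line, f"unparseable address: {exc}"))
            continue
        # An allow rule from any source to any port is the first thing the
        # SIT engineer will ask about; require it to be narrowed or justified.
        wide_source = cells["source"].lower() in ANY_TOKENS
        wide_port = cells["port"].lower() in ("", "any")
        if action == "allow" and wide_source and wide_port:
            findings.append((line, "allow from any source to any port; narrow or justify"))
    return findings


def lint_policy_responses(responses):
    """Return [(policy, message)] for responses that do not document compliance."""
    findings = []
    for policy, answer in responses.items():
        text = answer.strip().lower()
        if not text:
            findings.append((policy, "blank; fill in every field"))
        elif text in ("na", "n/a"):
            if policy.strip().lower() not in NA_ALLOWED_FOR:
                findings.append((policy, "NA only accepted where the deck allows it (wireless)"))
        elif text in NON_ANSWERS:
            findings.append((policy, f"{answer!r} is not an answer; describe how the policy is met"))
    return findings


def lint_package(rules_csv, responses):
    """Run both checks; empty lists mean the package is ready to attach."""
    return {
        "firewall": lint_firewall_rules(rules_csv),
        "policy": lint_policy_responses(responses),
    }


if __name__ == "__main__":
    for area, items in lint_package(SAMPLE_RULES_CSV, SAMPLE_POLICY_RESPONSES).items():
        for where, msg in items:
            print(f"{area}: {where}: {msg}")
```

Run against the constructed sample, the firewall check flags the any/any allow rule and the rule with a blank port, and the policy check flags the blank field and the two bare "Yes"/"follows policy" answers while accepting "NA" for wireless. Clearing those findings before filing the USD ticket is what keeps the engineer from sending the package back for updates.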

27
How do you submit a review?
  • Create a USD ticket
  • Category: Security.Certification
  • Assignee: leave blank
  • Group: SIT
  • Summary: Security Certification for 'system name',
    for example
  • Security Certification for TSO Mindscape Servers
  • Security Certification for HMC Radiology PACS
    Backup System
  • Request: Please review 'system name'
  • Attach ALL the documentation
  • At least 4 documents; do not waste time with a
    partial submission

28
How do you submit a review?
  • If you don't have a helpdesk account
  • Send completed forms to helpdesk
  • Please have ALL the forms ready

29
Then?
  • SIT on-call person will assign the ticket to a
    SIT engineer.
  • The engineer will store the documents in a
    directory based on the ticket number and 'system
    id'.
  • The engineer will review each document and update
    a tracking spreadsheet.
  • Server placement looks at the spreadsheet for
    status.
  • The engineer may request updates and
    clarifications.

30
How do you submit revisions?
  • Send updates directly to the SIT engineer.
  • If you attach them to the ticket, we may never
    see them. Send email to the engineer.

31
What is the SIT engineer looking for?
  • Are the forms complete?
  • Do they make sense?
  • Do the policy responses supply information that
    an auditor can use to audit?
  • 'Yes' and 'follows policy' answers are hard to
    audit.
  • Does the system seem right?

32
OK?
  • If the SIT engineer thinks everything is OK
  • An email will be sent to the System Owner,
    Operator, Administrator, and anyone else
    mentioned in the Form and Worksheet saying that
    the certification review is complete.
  • The tracking spreadsheet is updated.
  • The ticket is closed.

33
Questions?
  • security.uwmedicine.org