1.    Abstract

US CDC coordinates all the public agencies in matters of public health. It plays a very important role in ensuring public awareness to health issues such as epidemics, bioterrorism and disease outbreaks. As a result of its significance to the public, its information systems are interesting to closely look at. CDC information systems should be efficiently maintained. This is to ensure accuracy in the public health information. Citizens make their health decisions based on the information given by the public officials. This research assesses the risks and vulnerabilities in the CDC information systems. In this risk assessment, analysis will be limited to scope of confidentiality (Safeguard of information against illegal disclosure), integrity (Maintenance of information in its intended meaning and reduction of chances of alteration by an unauthorized party) and accessibility (availability of the information to the users of the system at any time) of their information management system, MISO. The reason for choice of this scope is that the accuracy in the health information delivered to the public is very crucial and should be free from any interference by unauthorized persons. The information should be ready at any time for accessibility. Bidding information which is maintained in this system should be as confidential as possible; out of unauthorized interference. This research will identify the vulnerabilities, sources of threat and their levels of risk to the three factors of the study; confidentiality, integrity and accessibility. The assessment research methodology will be based on NIST 800-30 manual for information systems management. Information shall be obtained from academic journals and other legitimate electronic sources. Detailed analysis of the identified threats and system flaws (vulnerabilities) will be done and represented in tabular forms for clarity. The research expects to come up with practical recommendations for risk mitigation at CDC information system. The management may either implement these recommendations directly or use this assessment to define more applicable solutions to these vulnerabilities. The assessment does not include the risk mitigation stage in its methodology.

 

 

 

 

 

 

 

 

 

 

Keywords: Vulnerabilities, Risks, CDC, MISO, Assessment.

 

 

Contents

1.      Abstract 1

2.      INTRODUCTION.. 5

2.1 Purpose. 5

2.2        Scope. 5

3.      METHODOLOGY AND APPROACH.. 5

3.1 Risk assessment 6

3.1.1 Phase I 6

3.1.2 Phase II 7

4.      SYSTEM CHARACTERIZATION.. 13

4.1 System Functional Description. 13

4.2 System environment 13

4.3 System Users. 14

4.4 System dependencies. 14

4.5 Information sensitivity. 15

4.6 Protection requirements. 17

5.      THREAT STATEMENT.. 18

6.      ANALYSIS.. 21

6.1 Sample Analysis. 23

6.2 Recommendations. 24

7.      REFERENCES.. 26

LIST OF TABLES

Table 1: Likelihood Determination. 9

Table 2: Impact Analysis. 10

Table 3: Risk Levels. 11

Table 4: Confidentiality, Integrity and Accessibility descriptions. 15

Table 5: List of threat sources, actions and motivation. 18

Table 6: Vulnerability Identification. 20

Table 7: Threat Analysis. 21

Table 8: Risk Assessment 22

Table 9: Risk levels. 23

 

 

 

 

 

 

 

 

 

 

 

 

 

2.    INTRODUCTION

2.1 Purpose

The objective of this assessment is to carry out a qualitative evaluation of the security efficiency of CDC information system, MISO. With the role to support CDC’s information systems for maintenance of public health (CDC, 2011), MISO security has to be sufficiently monitored. The assessment identifies the potential risks, their likelihood of occurrence, threat sources, MISO’s vulnerability and their impact. The report then recommends on the possible mitigation methods of these risks.

2.2 Scope

In order to eliminate vulnerable threats (either internal or external) to the MISO this risk assessment involved investigation into the control and use of resources by the system, MISO (CDC, 2011). The assessment identified that attack of the system by these threats could result into three conditions: Data access to/by unauthorized persons, System’s illegal alteration and interference of data, and Inability to data or service accessibility by the officials and the authorized persons of CDC.

As a result of the potential threats above, the assessment will be based on: system’s confidentiality, integrity and accessibility.

3.    METHODOLOGY AND APPROACH

The methodology of this assessment, as required, was conducted under the guidelines of NIST 800-30. According to NIST 800-30, risk assessment is an intensive scope. In this assessment, the methodology addresses the scope of confidentiality, integrity and accessibility of the MISO information systems. The assessment addresses three main system’s controls: Management, operational and technical controls.

The recommendations on the above security controls will be made for the management of MISO systems management to set informed strategies of curbing the vulnerability of their systems to threats (Waxman, 2008). These will help in knowledge based decisions by the system administrators.

3.1 Risk assessment

According to Gary et al (2002), risk assessment forms the first part of methodology in risk assessment. It encompasses nine steps which can be categorized into three main phases: I, II and III. For the sake of the relevance of this course phase III was not included as part of the assessment. However it is very crucial stage in risk assessment; in practical field. This stage basically deals with the implementation of the recommendations made to the information technology security management. This step could not be applicable for this exercise.

3.1.1 Phase I

In this stage, pre-assessment preparations were carried out in the following manner;

1. Risk assessment nature definition

This assessment seeks to establish extend of vulnerability of the MISO information system. A system plan should be developed by the MISO management to ensure confidentiality, integrity and readily accessible MISO system (CDC, 2011). The information given in this assessment is based on documents obtained from the online materials about system management and information technology of CDC.  As GAO (2010) notes, there is a need to ensure real-time information sharing within the public health in order to prepare for public catastrophes such as bioterrorism and disease outbreaks. This risk assessment therefore recommends mitigation solutions to threats identified for these information systems in public health.

2. Collection of Data

Information about the information systems of CDC was obtained through online articles, journals, and other electronic sources. Reviews of other risk assessment documents to acquaint the assessor with the standard policies and procedures were also done.

3.1.2 Phase II

1. Review of Documents

The electronic information obtained about MISO was reviewed in detail in order to understand the operating environment of the system. This enabled the assessor to identify the potential threats to the system.

1. System characterization

The boundaries of the information system was defined in order to clearly cut the ‘study area’ necessary for the assessment. In this step, the scope of the analysis was established.

1. Threat diagnosis

The information obtained about the information system was used to identify threats based NIST 800-300. Other general information obtained about the CDC and public health was used to identify other likely threats to the systems.

1. Vulnerability Identification

A list of weaknesses or loopholes identified in the information system that could be exploited by the potential threats was developed. The vulnerabilities were listed by the category of suspected impacts.

1. Valuation of Risk

The analyst evaluated/calculated extends of risk to the information system through examination of the identified vulnerabilities. Threat in causing risk was determined as a function of: Likelihood, Impact analysis and risk determination.

a)    Likelihood determination

The stochastic determination that a threat is likely to exploit the said vulnerabilities was based on the definition represented in table (1).

 

 

 

 

Table 1: Likelihood Determination

Standard of likelihood

Definition of the standard of likelihood

High A highly motivated source of threat which is sufficiently capable.

The management is unaware of the threat; no control/ineffective mechanisms in place to prevent the threat from exploiting the vulnerability.

Moderate A motivated source of threat which is capable.

The management is aware of the threat; control/ineffective mechanisms in place to prevent the threat from exploiting the vulnerability.

Low A no motivated source of threat which is incapable.

The management is aware of the threat; control/ineffective mechanisms in place which prevent the threat from exploiting the vulnerability/ there is at least a successful impede of the exploitation.

b)    Impact Analysis: Determination of the effect or causes of the successful exercise of threats to the vulnerabilities was the next step. The impacts were valuated based on the three objectives of this assessment:

• Confidentiality loss of the system
• Integrity loss through alteration of data illegally
• Inaccessibility of the system by the authorized personnel as a result of operational interference.

The valuation was done using the classification in table 2 below

Table 2: Impact Analysis

Magnitude

Impact description likely to occur

High Exploitation of the vulnerability may result into: Loss of resources including tangible assets, Significant interference of the goals of the organization, and human injuries/catastrophic effects or human death. Moderate Exploitation of the vulnerability may result into: Loss of resources including tangible assets, Significant interference of the goals of the organization, and human injuries Low Exploitation of the vulnerability may result into: Loss of resources including tangible assets, and  Significant interference of the goals of the organization

c)    Actual determination of the risk:

The next step was to determine the risk level to MISO information technology system. This was based on the following concepts:

• The ability of a threat source to exploit a given vulnerability and its likelihood to do so. This was obtained from the likelihood determined earlier in the methodology.
• The intensity of the impact caused on the information system by the threat after it successfully exploits the vulnerability.
• The security control mechanisms employed in preventing or reducing the level of the risk should it occur. It will also be based on the sufficiency of the planned mechanisms of risk control by the management of the information system.

The risk level of the information system was valuated based on the information of table 3.

Table 3: Risk Levels

Intensity of the Impact

Level of risk description

High Measures for correction of the risk are seriously needed. Although the existing mechanism may be kept to operate, an alternative plan for correction should be developed and implemented as soon as possible. Moderate Measures for correction of the risk are needed though not so fast. There is need to develop an alternative plan for correction whose effect should be put in place for control within a considerable time period. Low It is in the hands of the management and the operating official to determine whether an alternative corrective measure is required. It is also left for the management to decide whether to keep up with the threats. This magnitude of the threat is not very severe and the system can operate comfortably in it. However the management should be on the alert as this may be a manifestation of a high magnitude risk still to come.

 

1. Recommendations for solutions to control the risks

The controls to mitigate the identified risks were recommended for the information technology management and security officials. The importance of these recommendations is to provide the management with solutions to either reduce the risks to manageable levels or to entirely eliminate them. These recommendations are left to the organization to decide which to adopt. They will also help the company to explore more options to solve the problems. In coming up with these recommendations the analyst made the following considerations in risk management:

• Relevance MISO system and its database to the CDC.
• The policies of CDC concerning information management
• The effectiveness of the solutions offered by this assessment in this report
• Other factors considered were: Reliability of the system, safety requirements, regulations and legislation (concerning risk and information technology) and operational impact.

The output of a risk assessment is to reduce or eliminate level of risk. The recommendations made here represent the results of this assessment.

4.    SYSTEM CHARACTERIZATION

            4.1 System Functional Description

MISO is an information support system for CDC. It provides data management for the department. It maintains the bidding information for the organization. This includes information such as CDC’s contracts, contract awards data and the procurement information.

It is also the information system that maintains the surveillance information in the public health (Human health & Services, 2002). In order to protect the public from bioterrorism and epidemics the information about the public health should be orderly maintained (GAO, 2010). It coordinates this information between all the departments in the public health.

This package has improved the government responses to the epidemic and increased its transaction rates. The bidders are able to do offer their services off the counter and receive the track of events of the award process.

4.2 System environment

As mentioned, the system has a client/server environment. It consists of MSQL database developed by PowerBuilder language of programming. The package is made up of data files, the package code and executables. The data files include already installed tables and figures. The package operates in server (Dell) into which a Windows 2000 operating system has been installed. The application program operates in a different server with which window 2000 has been installed. These servers are located in CDC data centre in United States, Atlanta. The executables which operates on window 2000 is located according to functionality of the job.

The consumers of this system connect through either WAN or DSL. WAN involves physical connection to the network through the desktops. All information shared from the main server (Atlanta) can be accessed by the legal users through the networks.

4.3 System Users

MISO users include the customers who wish to make their bids to the government offers. It is also useable by all the employees and staff of the CDC, all the CDC centers and public health in US, and Information technology officers.

4.4 System dependencies

The CDC information package is interconnected with the following other resources which are also significance in assessing the risk of this system: Computer room for CDC staff, enterprise policies, Its network infrastructure (Internet connectivity, office of information technology and services, Atlanta network, and CDC WAN), CDC Data Center, DMZ connectivity, Enterprise mainframe, CDC services of exchange (ITSO, Stores for Local E-mail, and Remote web access), Security services (Border firewall, list of router control, Network detection systems for system intrusion), A scanning device for vulnerability, and the enterprise data center.

4.5 Information sensitivity

The sensitivity of information handled by the system is a very important factor in risk management. As mentioned earlier this package keeps very important information about CDC. Therefore loss of this information by any means would significantly affect the organization.

For each of the objectives set for this assessment, confidentiality, integrity, and accessibility of the system, there are three levels of impact which are; low, moderate and high. These levels of impact emphasize on the intensity and effect of the harm which is likely to be caused by confidentiality loss, integrity loss and system inaccessibility to the organization, operation, employees and assets of the company. All the information contained in the information system should be categorized for security purposes.

The table below shows the sensitivity rating for the MISO system

Table 4: Confidentiality, Integrity and Accessibility descriptions

Security objective High Moderate Low Confidentiality

Restrictions to access of private information

Disclosure of private information illegally could result into adverse effects (catastrophic) on the operations of the company. It can also injure individuals and assets of the organization. Disclosure of information could have serious repercussions to the organization, individuals and assets. Disclosure of information illegally can have limited effect to the company’s assets, operations and individuals. Integrity

Protection of information from malicious modification by illegal users

The modification results into catastrophic severe effects on the operations, individuals and assets of the organization. The modification can result into serious severe effect to the operations, individuals and assets of the organization. The modification can result into limited severe effect to the operations, individuals and assets of the organization. Accessibility

Ensuring reliability and availability of the system by legal users

 

Access disruption could result into catastrophic severe effects to the operations, individuals and assets of the organization. Access disruption could result into serious/moderate severe effects to the operations, individuals and assets of the organization. Access disruption could result into limited/low severe effects to the operations, individuals and assets of the organization.

4.6 Protection requirements

The sensitivity for information system should be assessed based on the requirements as specified in table 4 above. There is need to ensure information is protected from unauthorized disclosure, guarded from illegal modification and ensure there is no accessibility disruptions to the information in the system.

Protection findings

• Confidentiality: The bidding information and contracts award is confidential information which should be protected from illegal disclosure. If this information is released to the public there would be controversies on some matters which require technical interpretation. It is therefore imperative that this information would have catastrophic repercussions to the operations and assets of the organization. The information confidentiality is therefore rated as High.
• Integrity: As mentioned earlier this system keeps information of bioterrorist and epidemics on public. The government planning on public health depends on the accuracy of this data. Unauthorized modification of the information could therefore affect the logistics in public health. Logically alteration of the information on this system would therefore result into catastrophic severe effect to the CDC operations. The rating is of MISO integrity is therefore High.
• Accessibility: The disruption of access to the system would deny the public health officials chance to identify the health alerts. It would also cut down the transactions between the bidders and the CDC. Therefore unavailability of MISO could result into catastrophic severe repercussions of the operation, individuals and assets of CDC. The information accessibility of the MISO system can therefore be rated as High.

5.    THREAT STATEMENT

According to Gary et al (2002), threat is defined as the potential of a source of threat to exploit, successfully, a weakness in the information system, while threat source is the circumstance which might cause harm to the information system. Threat action is the way in which attack to information system may take place.

The table 5 below gives a list of threats identified in this assessment as per NIST 800-30 management guide.

Table 5: List of threat sources, actions and motivation

Source of Threat

Motivation

Actions of the threats

Insiders (Negligent and malicious employees, and terminated employees) Revenge

Monetary gain

Intelligence

Unintentional errors

Computer abuse

Malicious code for example virus  Illegal access of the system

 

Computer criminal Illegal change of data in the system

Unauthorized disclosure of system information

Monetary gain

Intrusion of the system

Acts of fraudulent

Crimes related to computers

 

System cracker Ego

Challenge

Opposition to company’s rules

Break-ins

System access by illegal means

Hacking

Terrorists Revenge

Destruction

Terrorism

Tempering with the information

Attacks into the system

External attack Destruction

Hatred

Social engineering

Denial of system accessibility

Disclosure of the company’s information illegally

Nature uncontrollable by man System operational environment Destruction of the system

Interference with the access to the system environment

Human fear

 

Vulnerability Identification

The table below lists vulnerabilities that are likely to be exploited by the threats identified from the organization.

Table 6: Vulnerability Identification

Vulnerability Source of threat Threat Action The area around the data centre is surrounded by Many enterprises

Fire protection equipment are located inside a locked room

Fire

Acts of the neighbors

Negligent acts from the surroundings likely to cause damage to the system

Fire extinguishers inaccessible incase of fire.

The ID of the terminated employees still in the system CDC former employees Unauthorized access into the company’s information There are no bomb screening tools at the entrance of the data centre Terrorists Terrorism to the data center

 

The server has enabled guest user’s account Hackers, Unauthorized users and criminals Access into the information illegally 6.    ANALYSIS

Table 7 summarizes the analysis of the above risks in terms of likelihood of occurrence, Impact of the threat and the risk level to the system.

Table 7: Threat Analysis

Threat Likelihood Impact Risk level Overall Computer criminal

 

Moderate High Moderate Moderate Terrorists

 

Low High Low Low External attack

 

High Moderate Moderate Moderate System cracker

 

High High High High

 

Table 8 gives a summary of the risk assessment and the recommendations to curb the vulnerability in the information system.

Table 8: Risk Assessment

Vulnerability Threat-source Rating Recommendations The ID of the terminated employees still in the system External attack-former employees Moderate Strike out the IDs of no longer employees of CDC No bomb screening tools at the entrance of the data centre Terrorist Low Introduce screening tools for bombs The area around the data centre is surrounded by Many enterprises

Fire protection equipment are located inside a locked room

Fire

Negligent acts by neighbors

Moderate Place the extinguishers in accessible positions

Install monitoring systems for external occurrences

The server has enabled guest user’s account Hackers, Unauthorized users and criminals Moderate Disable the IDs and passwords of the former employees and limit external usage. OR disable the account.

 

 

6.1 Sample Analysis

The calculation of risk level was based on risk level matrix (Gary et al, 2002)

1. The probabilities are assigned for high, moderate and low as 0.1, 0.5 and 1 respectively the likelihood analysis (Chemical Bureau of Europe, 2007).
2. The values are assigned for high, moderate and low as 10, 50 and 100 respectively the Impact analysis (Chemical Bureau of Europe, 2007).

Risk-Level Matrix is formed as follows (Table 9);

Table 9: Risk levels

Likelihood of threat

Impact of the threat

Low

(10)

Moderate

(50)

High

(100)

Low (0.1) 0.1×10=1 (Low) 5 (Low) 10 (Low) Moderate (0.5) Low Medium medium High (1) Low Medium High

Classification: Low (1-10)8; Moderate (>10-50); and High (>50-100)

Source: Gary et al, (2002)

From the above table; for analysis of risk level of Computer criminal

We have; Product of Moderate probability for likelihood and high impact value give the moderate risk level

I.e. 0.5×100=50 hence moderate risk level. Table 7 was generated base on these calculations

6.2 Recommendations

Based on the findings of this assessment the CDC information technology management should adopt the following policies in order to reduce the vulnerabilities identified.

1. The MISO management should ensure all the IDs of the no longer employees are removed as soon as possible to avoid the threat of external intrusion and hence enhance confidentiality of the information.
2. The fire extinguishing facilities should be placed where they can be accessed easily in case of fire. This shall reduce the risk of unavailability of the system and denial to access the information of the system.
3. The Guest account should be disabled, or the access to the system hardware and software be granted to authorized users only. The security at the entrance of data offices should be improved. Unnecessary information alterations in the system shall be reduced, hence promote integrity of the system.

Basically the vulnerabilities should be reduced to LOW.

 

 

 

 

 

 

 

 

 

 

 

7.    REFERENCES

Gary, S., Alice, G & Alexis, F. (2002). Risk Management Guide for Information            Technology Systems, Recommendations of the National Institute of Standards          and Technology: Special Publication, 80-300.

The guide provides the standard methodology of carrying out risk assessment.

Department of Health & Human Services. (2002). CMS Information Security Risk      Assessment (RA) Methodology. 1.1, 1-20.

The Human health services collaborates with CDC in provision of Public Health care.

GAO. (2010). Public Health Information Technology. Highlights of GAO-11-99,1-46.

In this Article GAO emphasizes on the need for efficient IT systems.

Waxman, H. (2008). Centers for Disease Control and Prevention: Changes in           Obligations and Activities before and After Fiscal Year 2005 Budget           Reorganization. The United States Government Accountability, Washington, DC,          1-27.

Changes in the IT security management should be effected for confidentiality and Integrity.

European Chemical Bureau. (2007). European Union Risk Assessment Report, 76 (3), 1-274.

This report provided a basis for coming up with this work; The Approach and presentation.

US Center for Disease and Control. January 2011. Retrieved on February 8, 2011from http://www.cdc.gov/

The IT information is presented in this site. The Collaborative agencies in public health are also included.