Scribd
Upload
178 views

Fisma Assignement (Template)

The document provides details for a FISMA assessment of the Clinical Research Technology (CRT) system, which allows doctors to access and share clinical research data. It includes artifacts to complete like a system security plan, security assessment report, and plan of action and milestones. The analyst is to update templates for these artifacts with information from the CRT system and assessment.

Uploaded by

ChaiLatte
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
178 views

Fisma Assignement (Template)

The document provides details for a FISMA assessment of the Clinical Research Technology (CRT) system, which allows doctors to access and share clinical research data. It includes artifacts to complete like a system security plan, security assessment report, and plan of action and milestones. The analyst is to update templates for these artifacts with information from the CRT system and assessment.

Uploaded by

ChaiLatte
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
You are on page 1/ 3

FISMA ASSIGNEMENT

I-System Information
a. System Name: Clinical Research Technology(CRT)

b. Type of Application: Major Application

c. System Description: Clinical Research Technology (CRT), a FileZilla FTP server, is a


remotely accessible system which allows doctors employed by the Center of Information
Technology (CIT) to upload, download and view clinical research data aim to cure
cancer. It stores demographic information (Patient name, address and social security
number) and medical records. Users access CRT through an FTP client (FileZilla)
installed on their laptops by entering the Hostname/Host IP, Username, Password and
Port.

d. Information Type: Health Care Administration Information Type; Health Care Delivery
Services Information Type, Health Care Research and Practitioner Education Information
Type

e. System Owner: John Dumelo

f. Authorizing Official: Kossi Akoto

g. Information Owner: Thomas Tete

h. Information System Security Officer: Kwaku Mensah

i. CA/SA&A Analyst: You (You work for Smart Think and assisting the ISSO)

j. IC: Center for Information Technology(CIT)

II-Artifact to Create
Below are the artifacts or report you need to create. I have also explained under each artifact
what you need to do. All the necessary templates to create these reports/artifacts are attached to
the email.

a. Kick Meeting Email: Update the sections highlighted in blue of the “Kick Off Meeting
CRT” template with the correct information.

b. Kick Off Meeting Agenda: Update the sections highlighted in blue of the “CRT Annual
Assessment Kick-Off Agenda” template with the correct information.
c. FIPS 199/ System Categorization report: Update the sections highlighted in blue of the
“CRT System Security Categorization” template with the correct information. You also
have to select the correct System Type and the Overall System Security Category.

d. Privacy Threshold Analysis/ Privacy Impact Analysis: Update the sections highlighted
in blue of the “CRT PTA PIA” template with the correct information. Answer only
questions 1 to 5 under section 2.1 Qualifying Questions of the document for PTA related
questions on page 7.

e. System of Record Notice: Do we need a SORN? Explain why your response is Yes or
NO.

f. E-Authentication: Update the sections highlighted in blue of the “CRT E-


authentication” template with the correct information. You also must fill table 3.1
Potential Impacts for Assurance Levels on page 6 by selecting the correct Assurance
Level Impact Profile for the Potential Impact Categories for Authentication Errors. Base
on your response from table 3.1 Potential Impacts for Assurance Levels select the best
EAuthentication Level in table 4.1 EAuthentication Level on page 6.

g. Control Selection: Base on the categorization of CRT, select the appropriate controls
from the CRT “Security control baseline template” using NIST SP -800-53 rev 4 (Table
D-2: Security Control Baselines on page D-2) as a guide. Only the AC, AT, AU, IA and
CP families are considered for this assignment. Highlight applicable controls in green.
You also have to select the appropriate answer for the Inheritance and To be Tested
Column for each selected control.

h. Security Assessment Plan: Update the sections highlighted in blue of the “CRT Security
Assessment Plan” template with the correct information. You also have to fill table 3
Assessment Plan with the correct information. You can use SP 800-53A or the document
ST&E Guidance which was prepared based on SP -800-53A (This document will
extremely help you to fill the Control Number, Control Name, Procedure and Potential
Validation columns). You are only required to do the following 17 controls: AC-1, AC-6,
AC-7, AC-8, AC-10, AC-14, AT-1, AT-2, AT-4, IA-1, IA-6, IA-2, AU-1, AU-3, AU-6,
CP-1 and CP-3. ST&E Guidance document is attached to the email or on the USB.

i. ST&E Report: Update the sections highlighted in blue of the “CRT Security Test and
Evaluation” template with the correct information. Fill table 3 Findings Matrix with the
correct information base on the interview we had with the system owner in class and the
evidence provided to you. Use the document ST&E Guidance for possible assessment
results language (This is located on the USB or attached to the email).

j. System Security Plan: Update the sections highlighted in blue of the “CRT System
Security Plan” template with the correct information. You also have to update tables 3.1
Potential Impacts for Assurance Levels and 4.1 EAuthenctication level in the section e-
Authentications on page 9 with the information you created in question d Privacy
Threshold Analysis/ Privacy Impact Analysis. In addition, fill out the table in section
3.0 Security Controls on page 12.You are only required to do AC-1, AC-6, AC-7, AC-8,
AC-10, AC-14, AT-1, AT-2, AT-4, IA-1, IA-6, IA-2, AU-1, AU-3, AU-6, CP-1 and CP-
3 controls. Use the document ST&E Guidance attached to the email for possible
compliance description language to fill table in section 3.0.You can also use some of the
answers the system owner gave in class during the assessment to fill out the compliance
description. In addition you can use the General Policy Note document provided as part
of CRT evidence.

Hint: There is a difference between compliance description and assessment result.


Assessment results must be validated by evidence, compliance descriptions are not. See
example below:

Compliance Description: AC-7: CRT application enforces a limit of 3 consecutive invalid access
attempts by a user in a 15-minute period. The application automatically locks the account for one hour. The
account must be released by an administrator to be unlocked before one hour.

Assessment Results: AC-7: Per interview and demonstration by the system owner CRT application
enforces a limit of 3 consecutive invalid access attempts by a user in a 15-minute period. The application
automatically locks the account for one hour. The account must be released by an administrator to be
unlocked before one hour.

k. Security Assessment Report: Update the sections highlighted in blue of the “CRT
Security Assessment Report” template with the correct information. You also have to
update table 4.0 Security Assessment Results on page 11.Remember you only fill this
table if you have any weaknesses identify during your assessment as documented in the
ST&E report in question i.

l. Plan of Action and Milestones: Update all columns within the “CRT POAM” template
with the appropriate information. Remember you only create a POAM report if you have
weaknesses.

m. Authorization Letter: Update the sections highlighted in blue of the “CRT ATO Letter”
template with the correct information.

You might also like