Step 4: Elaborate the Context and Strategy.
For the VA 2006 data leakage incident, since we used FISCAM as the basis for decomposing the top goal, the strategy is stated as “Argument over FISCAM”. In this case, some lessons learned are not covered by the existing goal structure, so they are mapped to a newly created goal named “Standard non-existent”.
A new strategy named “Argument over all Missing Security Recommendations” is created and inserted between the top goal and the goal “Standard non-existent”.
The context notation provides supplementary information for a specific security incident. For example, the strategy notation refers to “FISCAM”, and the corresponding context is stated as “Federal Information Security Controls Audit Manual”.
Based on the steps above, the instance of the Generic Security Template for the VA 2006 data leakage incident is presented in Figure 4.1. Five main lessons learned are derived from the VA 2006 data leakage incident report. Four of them were mapped to different levels of security requirements in FISCAM. One of them cannot be mapped to an appropriate security requirement, which probably indicates a missing aspect of the security guideline. The instance of the Generic Security Template for the VA 2006 data leakage incident presents a security argument on how the security recommendations are gathered together to address the violated security requirements of the organisation.
Compared to text-based incident reports, the template may lose some details, such as business impact information. However, it highlights the causes and recommendations, and their supporting relationships with the security requirements, which could help to prevent similar security incidents in the future.
4.2 Veterans Affairs (VA) data leakage incident 2007
4.2.1 Case description
“On January 22, 2007, a Veterans Health Administration (VHA) Information Technology (IT) Specialist assigned to the Research Enhancement Award Program (Birmingham REAP), VA Medical Centre (VAMC), Birmingham, AL, reported that a VA-owned external hard drive was missing from the REAP office. The missing external hard drive is believed to contain numerous research-related files containing personally identifiable information and/or individually identifiable health information for over 250,000 veterans, and information obtained from the Centres for Medicare & Medicaid Services (CMS), Department of Health and Human Services (HHS), on over 1.3 million medical providers. To date, the missing hard drive has not been recovered and there is no indication that the data on the missing external hard drive has been further compromised or used to commit Medicare fraud. Future investigation is conducted to identify the problem and recommendations are provided by VA office of Inspector General.” [15].
4.2. VETERANS AFFAIRS (VA) DATA LEAKAGE INCIDENT 2007 55
Figure 4.1 (node text recovered from the extracted diagram; the goal hierarchy follows the FISCAM numbering, while the attachment of the recommendation nodes to individual FISCAM goals is not recoverable from the extracted text):
Goal: Healthcare System (HS) is acceptably secure.
  Context: Healthcare System of VA
  Strategy: Argument over FISCAM
    Context: Federal Information Security Controls Audit Manual
    Goal SM: Security Management is controlled.
      Goal SM4: Security awareness and other security-related personnel policies are effectively implemented.
        Goal SM 4.1: Owners, system administrators, and users are aware of security policies.
          Goal SM 4.1.1: An on-going security awareness program has been implemented that includes security briefings and training that is monitored for all employees with system access and security responsibilities.
    Goal AC: User Access Control is addressed.
      Goal AC4: Sensitive system resources are adequately protected.
        Goal AC 4.1: Access to sensitive system resources is restricted and monitored.
      Goal AC5: Effective audit and monitoring capabilities are implemented.
        Goal AC 5.1: An effective incident response program is documented and approved.
          Goal AC 5.1.1: An effective incident-response program has been implemented.
        Goal AC 5.3: Incidents are properly analyzed and appropriate actions taken.
          Goal AC 5.3.3: Appropriate disciplinary actions are taken.
  Strategy: Argument over All Missing Security Recommendations
    Goal: Standard non-existent
      Recommendation: Position Description: Define the position sensitivity level.
Recommendation nodes attached under the FISCAM goals:
  Security Training: Provide linkage to all applicable laws and VA policy as part of the security awareness training.
  Incident Handling: Enhance the incident-response program on prompt identification and thorough investigation of incidents.
  Sensitive Information: Use encryption, or other effective tool, to protect personally identifiable information stored on removable storage.
  Administrative Action: Take administrative actions against the people involved in this incident for their inappropriate actions.
Figure 4.1: Instance of the Generic Security Template - VA 2006 data leakage incident
4.2.2 Instance of the Generic Security Template
Step 1: Prepare the goal structure.
Similar to the VA 2006 data leakage incident, we used the structured category of security requirements in FISCAM, specifically the general control section, as the goal structure for this security incident. Those goals form the goal structure for the VA 2007 data leakage incident.
Step 2: Identify the lessons learned.
The lessons learned (security issues and recommendations) are identified by looking for the learning points in the security incident report. The identified security issues and recommendations can be found in Table 4.5.
Table 4.2: Veterans Affairs (VA) data leakage incident 2007
Security Issues | Security Recommendations
Access Control | Avoid the abuse of programmer level access control.
Sensitive Information | Use encryption, or other effective tool, to protect personally identifiable information stored on removable storage.
Security Policy | Ensure that data security plans for research projects comply with information security policies.
Security Policy | Ensure that human-subjects research complies with information security requirements.
Security Policy | Discontinue storing email on unauthorised systems.
Position Description | Re-evaluate and correct position sensitivity levels.
Management Structure | Establish a functional description and performance plan to clarify the line authority and reporting relationship.
Administrative Action | Take appropriate administrative actions against the people for their inappropriate actions.
Risk Analysis | Develop and issue Government-wide risk analysis criteria.
Step 3: Map the lessons learned to the goal structure.
The identified lessons learned are mapped to different levels of goals in the goal structure as before. However, we encountered some difficulties when mapping the lessons to the security requirements in this security incident: some lessons are related to more than one security requirement. For example, the lesson learned
“Access Control: Avoid the abuse of programmer level access control” is found to be related to the goal “AC-3.1.1. Resource owners have identified authorized users and the access they are authorized to have” and to the goal “AC-3.1.2. Security administration personnel set parameters of security software to provide access as authorized and restrict access that has not been authorized. This includes access to data files, load and source code libraries (if applicable), security files, and operating system files. Standard naming conventions are established and used effectively as a basis for controlling access to data, and programs. (Standard naming conventions are essential to ensure effective configuration management identification and control of production files and programs vs. test files and programs)”. Reflecting all such relationships would make the diagram complicated. To keep the diagram concise, we suggest further guidance for mapping such lessons learned:
Starting from the bottom-level goals in the goal structure, if a lesson learned is related exclusively to one bottom-level goal, it should be mapped to that bottom-level goal. If a lesson learned is related to more than one bottom-level goal in the goal structure, it should be mapped to the nearest parent goal that those bottom-level goals share.
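The mapping guidance above is, in effect, a nearest-common-ancestor search over the goal tree. The following Python script is an added worked example, not code from the thesis: it encodes an abbreviated slice of the FISCAM goal structure (the AC and SM goals named in this chapter) as a child-to-parent map, applies the three cases of the guidance (exclusive relation, shared parent, no covering standard), and renders the resulting argument as an indented outline. The goal identifiers follow the FISCAM numbering used in the text. Which goals each lesson from Table 4.2 relates to is an assumption made for this example, except for the “Access Control” lesson, whose relation to AC-3.1.1 and AC-3.1.2 the text states.

```python
"""Map lessons learned onto a FISCAM-style goal structure.

Added example, not code from the thesis.  A lesson related to exactly one
bottom-level goal is attached to that goal; a lesson related to several
bottom-level goals is attached to their nearest shared parent goal; a lesson
related to no goal is attached to the goal "Standard non-existent".  The goal
structure below is a small abbreviated slice of FISCAM, not the full standard.
"""

STANDARD_NON_EXISTENT = "Standard non-existent"

# Goal structure as a child -> parent map.  "HS" is the top goal
# ("Healthcare System is acceptably secure"); "SM" and "AC" are the FISCAM
# general-control areas Security Management and Access Control.
GOALS = {
    "HS": None,
    "SM": "HS", "SM-4": "SM", "SM-4.1": "SM-4", "SM-4.1.1": "SM-4.1",
    "AC": "HS",
    "AC-3": "AC", "AC-3.1": "AC-3", "AC-3.1.1": "AC-3.1", "AC-3.1.2": "AC-3.1",
    "AC-4": "AC", "AC-4.1": "AC-4",
    "AC-5": "AC", "AC-5.1": "AC-5", "AC-5.1.1": "AC-5.1",
    "AC-5.3": "AC-5", "AC-5.3.3": "AC-5.3",
}

# Bottom-level goals are those that are nobody's parent.
BOTTOM_LEVEL = {g for g in GOALS if g not in set(GOALS.values())}


def ancestors(goal):
    """Return the path from `goal` up to the top goal, `goal` first."""
    path = []
    while goal is not None:
        path.append(goal)
        goal = GOALS[goal]
    return path


def nearest_common_parent(goals):
    """Nearest goal that lies on the ancestor path of every goal in `goals`."""
    paths = [ancestors(g) for g in goals]
    shared = set(paths[0]).intersection(*paths[1:])
    # Walk the first path from the bottom up; the first shared goal is nearest.
    for g in paths[0]:
        if g in shared:
            return g
    raise ValueError("goals do not share a parent")  # unreachable: single root


def map_lesson(related_goals):
    """Apply the mapping guidance to one lesson learned; return the target goal."""
    for g in related_goals:
        if g not in GOALS:
            raise KeyError(f"unknown goal {g!r}")
        if g not in BOTTOM_LEVEL:
            raise ValueError(f"{g!r} is not a bottom-level goal")
    if not related_goals:
        return STANDARD_NON_EXISTENT       # no standard covers this lesson
    if len(related_goals) == 1:
        return related_goals[0]            # exclusively related: attach here
    return nearest_common_parent(related_goals)


def build_argument(lessons):
    """Return {goal: [lesson, ...]} for a list of (lesson, related_goals)."""
    argument = {}
    for lesson, related in lessons:
        argument.setdefault(map_lesson(related), []).append(lesson)
    return argument


def render(argument):
    """Render the goal structure with attached lessons as indented outline lines."""
    children = {}
    for child, parent in GOALS.items():
        if parent is not None:
            children.setdefault(parent, []).append(child)
    lines = []

    def walk(goal, depth):
        lines.append("  " * depth + goal)
        for lesson in argument.get(goal, []):
            lines.append("  " * (depth + 1) + "-> " + lesson)
        for child in sorted(children.get(goal, [])):
            walk(child, depth + 1)

    walk("HS", 0)
    if STANDARD_NON_EXISTENT in argument:
        lines.append(STANDARD_NON_EXISTENT)
        for lesson in argument[STANDARD_NON_EXISTENT]:
            lines.append("  -> " + lesson)
    return lines


# Lessons learned from Table 4.2.  The related goals of the first lesson are
# the ones the text names; the relations of the others are assumptions made
# for this example.
LESSONS = [
    ("Access Control: Avoid the abuse of programmer level access control",
     ["AC-3.1.1", "AC-3.1.2"]),
    ("Sensitive Information: Use encryption to protect PII on removable storage",
     ["AC-4.1"]),
    ("Administrative Action: Take administrative actions against the people involved",
     ["AC-5.3.3"]),
    ("Position Description: Re-evaluate and correct position sensitivity levels",
     []),
]

if __name__ == "__main__":
    for line in render(build_argument(LESSONS)):
        print(line)
```

Running the script places the “Access Control” lesson under AC-3.1, the nearest goal shared by AC-3.1.1 and AC-3.1.2, and the “Position Description” lesson under “Standard non-existent”. The bottom-level check enforces the guidance literally: a lesson may only be declared related to bottom-level goals, and any climb to a parent is computed rather than chosen by hand, which keeps the diagram concise without hiding which requirements the lesson actually touches.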
According to this newly added guidance, this lesson learned should be mapped to the nearest parent goal where those bottom-level goals share the same parent goal, which is “AC-3.1. User accounts are appropriately controlled”. It indicates if this les-