Security Considerations in Blaise E Environments: Options and - - PowerPoint PPT Presentation

security considerations in blaise e environments options
SMART_READER_LITE
LIVE PREVIEW

Security Considerations in Blaise E Environments: Options and - - PowerPoint PPT Presentation

Aug 19, 2022 270 likes •472 views

Security Considerations in Blaise E Environments: Options and Solutions i t O ti d S l ti Mike Rhoads and Ray Snowden, Westat IBUC 2010 Importance of IT Security p y Sample headlines Sample headlines Virginia (8/27/2010)

slide-1
SLIDE 1

Security Considerations in Blaise E i t O ti d S l ti Environments: Options and Solutions

Mike Rhoads and Ray Snowden, Westat

IBUC 2010

slide-2
SLIDE 2

Importance of IT Security p y

  • Sample headlines

Sample headlines

  • Virginia (8/27/2010) — Virginia's IT operations arm has repaired the cause
  • f a statewide IT system failure that affected online services and network
  • perations of more than 20 of its agencies, including the Department of

Motor Vehicles (DMV).

  • Washington (5/22/2006) — America's veterans were sent scrambling for their

credit reports Monday, as the Veterans Administration announced nearly all of them — and some of their family members — were at heightened risk for y g identity theft.

  • Vulnerabilities and risks for survey data collection
  • Platform-specific (laptops, Internet, etc.)
  • PII and other highly sensitive information
  • Professional and legal ramifications

Professional and legal ramifications

2

slide-3
SLIDE 3

Topics for This Talk p

Quick high level overview of: Quick, high-level overview of:

  • Basic elements of an IT security framework
  • Aspects of Blaise relating to IT security
  • Platform-specific security considerations

3

slide-4
SLIDE 4

Basic IT Security Framework y

4

slide-5
SLIDE 5

Based on “FISMA”

  • Federal Information Security Management Act of 2002

Federal Information Security Management Act of 2002

  • Foundation for IT security of U.S. Government information systems
  • Concepts similar in ISO/IEC 27001 (leading private and

p ( g p international standard)

5

slide-6
SLIDE 6

Three Central Objectives of FISMA j

  • Confidentiality
  • Confidentiality
  • Integrity
  • Availability

(just remember C-I-A)

6

slide-7
SLIDE 7

Risk Management Framework g

  • Two dimensions of risk for possible threats:

Two dimensions of risk for possible threats:

  • Magnitude and prevalence of a threat
  • Amount of harm resulting from the threat
  • Risk Management Framework (RMF) – approach to

security planning developed by NIST

C t i t l d t hi h

  • Categorize system – low, moderate, high
  • Select initial set of baseline security controls
  • Implement the controls and document their deployment
  • Assess the controls
  • Authorize system operation (ATO)
  • Monitor / assess controls on an ongoing basis

Monitor / assess controls on an ongoing basis

7

slide-8
SLIDE 8

Examples of Security Controls p y

AT-2 SECURITY AWARENESS AT-2 SECURITY AWARENESS

  • Control: The organization provides basic security awareness training to

all information system users (including managers, senior executives, and contractors) as part of initial training for new users when required and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.

PE-5 ACCESS CONTROL FOR OUTPUT DEVICES

  • Control: The organization controls physical access to information

system output devices to prevent unauthorized individuals from system output devices to prevent unauthorized individuals from

  • btaining the output.

8

slide-9
SLIDE 9

Security Control Categories y g

  • Security policies – establishes organizational commitment and

Security policies

establishes organizational commitment and approach

  • Human controls – security training, access agreements, screening
  • Physical controls – fire prevention, secure access, locked cabinets
  • Technical controls – encryption, anti-virus, complex passwords
  • Systems management – development standards, change

management

A diti d it i

  • Auditing and monitoring – record failed logins, web site monitors
  • Systems continuity – data backups, recovery platforms, alternate site

9

slide-10
SLIDE 10

Aspects of Blaise Relating to Aspects of Blaise Relating to Security

10

slide-11
SLIDE 11

Role of Blaise in Project Security Framework j y

  • Blaise application just one of multiple layers of

Blaise application just one of multiple layers of security

  • Provides some built-in security features

Provides some built in security features

  • Must integrate into overall security framework
  • FDCC / USGCB
  • FDCC / USGCB
  • Version control packages
  • Testing
  • Mature product – successful and secure operation
  • n many data collection efforts over the years

11

slide-12
SLIDE 12

Solving a Common Confidentiality Problem g y

  • CAPI interview with some particularly sensitive

CAPI interview with some particularly sensitive items

  • Want to make this section self-administered

Want to make this section self administered

  • Don’t want interviewer to be able to get back to the

answers answers

12

slide-13
SLIDE 13

Blaise Code to the Rescue!

RULES Th kY KEEP ThankYou.KEEP RespondentIntro NEWPAGE IF ThankYou = EMPTY THEN Ticket SmallOffence MajorOffence ELSE Ticket.KEEP SmallOffence.KEEP MajorOffence.KEEP ENDIF ThankYou

13

slide-14
SLIDE 14

Using Relational Databases for Data Storage g g

  • Blaise Datalink – uses Microsoft OLE DB to allow
  • Blaise Datalink – uses Microsoft OLE DB to allow

Blaise to store data in non-native formats (e.g., Oracle, SQL Server)

  • Take advantage of organization’s established

security practices y p

  • Access control
  • Special security zones

14

slide-15
SLIDE 15

Platform-Specific Security C id ti Considerations

15

slide-16
SLIDE 16

Web Surveys y

  • “Public” Internet is just that – need wide range of

safeguards

  • Data storage format – advantages of using relational

database thro gh Datalink database through Datalink

  • User authentication and authorization

Ni it f t h i l t i Bl i d t ti

  • Nice write-up of technical aspects in Blaise documentation
  • Secure communication of credentials to respondents
  • Communications encryption – Secure Sockets Layer

yp y (SSL)

16

slide-17
SLIDE 17

CAPI Surveys y

  • Environment – portable devices, need to synchronize

p , y data and software with home office

  • Encryption (on the laptop, during transmission,

safeguarding keys)

  • User authentication (password policies, other access

protections user training resets) protections, user training, resets)

  • Platform controls (disable unneeded services/devices,

firewalls anti-virus etc ) firewalls, anti virus etc.)

  • Configuration management (need to implement, test,

and log updates) g )

17

slide-18
SLIDE 18

18

slide-19
SLIDE 19

Conclusion

  • Importance of an overall framework for IT security

p y management (such as FISMA)

  • Use broad set of security controls
  • to reduce risks
  • to confidentiality, integrity, and availability of

applications and data applications and data

  • Different survey platforms share some common

issues, but also present unique problems , p q p

  • You’re in good hands with Blaise!

19

slide-20
SLIDE 20

Questions?

20