Independent Security Assessors and Baseline Security Controls
DATE: February 24, 2017
TO: Tribal Agencies Administering Child Support Enforcement Plans under Title IV-D of the Social Security Act and Other Interested Parties
SUBJECT: Identifying Independent Security Assessors and Examples of Minimum Baseline Security Controls
BACKGROUND: In order for a tribal child support agency to gain access to the Federal Parent Locator Service (FPLS), the first requirement is to submit an independent assessment to the Office of Child Support Enforcement (OCSE). The assessment is required so OCSE can get an accurate account of the state of the tribe’s IT system and ensure that the tribe has the required security controls in place.
OCSE will accept an independent assessment completed by the Internal Revenue Service (IRS), Social Security Administration (SSA), or an independent tribal auditing organization within the last three years. If you have not had an independent assessment completed by one of these three organizations, you can hire an independent firm or assessor outside of your tribe to complete the assessment.
The independent assessment must be performed by a competent, independent, and unbiased evaluator who has expertise in information assurance and IT cybersecurity technology, processes, and methodology to validate existing security controls and make a determination of a general security posture of an IT system. The assessment must include information on the security controls defined within the security agreement and detailed findings (if any) and recommendations to improve the tribal child support agency’s plans, procedures, and practices so the system can be deemed secured and meeting federal requirements. The tribal child support agency must provide an independent assessment to OCSE for review and approval before obtaining access to the FPLS.
CONTENT: This Information Memorandum addresses how to identify an appropriate and qualified independent assessor and provides examples of security controls. OCSE has developed technical assistance to help tribes identify the best ways to search for an independent assessor and identify the minimum baseline for security controls that must be in place. Our goal is to make this process clearer so all interested tribes can access the FPLS. Please remember that once OCSE accepts your initial assessment, you must submit a new assessment every three years. In addition, if major organizational or system framework changes take place after your most recent independent assessment, you must conduct a new independent assessment and submit it to OCSE within six months of the change.
Qualifications of an Independent Assessor
The independent assessor should use industry best practices and guidelines, such as those published by the National Institute of Standards and Technology (NIST) and outlined by the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB), and IRS Publication 1075 to conduct the security assessment.
The assessor should be certified to perform independent assessments. Acceptable certifications include the following:
- Certified Information Systems Security Professional (CISSP) - CISSP recognizes information security leaders with the knowledge and experience to design, develop, and manage the overall security posture of an organization. The CISSP certification also has concentrations that recognize CISSPs who expand their knowledge into specific subject matter areas such as architecture, engineering, and management.
- Certified Information Security Manager (CISM) - The management-focused CISM is the globally accepted standard for individuals who design, build, and manage enterprise information security programs. CISM is the leading credential for information security managers.
- Certified Authorization Professional (CAP) - This credential applies to those responsible for formalizing processes used to assess risk and establish security requirements and documentation. Their decisions will ensure that information systems possess security commensurate with the level of exposure to potential risk, as well as damage to assets or individuals.
- CompTIA Security+ - This is the certification globally trusted to validate foundational, vendor-neutral IT security knowledge and skills. As a benchmark for best practices in IT security, this certification covers the essential principles for network security and risk management, making it an important stepping stone of an IT security career.
Security+ is a basic-level certification, but based on the assessor’s technical experience, he or she may be able to conduct an effective assessment. CAP, CISSP, and CISM fall on the more advanced side of certifications and are the preferred ones, with CISSP and CISM being the most highly respected. Always verify that the assessor you select has the proper certifications and credentials.
Searching for a Qualified Independent Security Assessor
Research various IT security companies in your area to determine if they perform security control assessments. Google searches are very effective in finding appropriate companies.
In addition, professional certification bodies such as the International Information Systems Security Certification Consortium, Inc. (ISC²) and the Information Systems Audit and Control Association (ISACA) certify security assessors. Once you locate the chapters in your area, you can contact them to help you identify a certified independent security assessor. Please note that OCSE neither endorses nor recommends a specific independent security assessor.
Tribal Child Support Security Self-Assessment Tool
OCSE developed the Tribal Security Self-Assessment Tool to help tribal child support agencies assess and document compliance with OCSE’s security requirements. The tool includes assessment questions addressing the requirements in the OCSE tribal security agreement with tribal child support agencies as well as NIST SP 800-53 Rev 4 security controls from the moderate catalog. However, depending on the level of a tribe’s computing systems and technology, not all tribal child support agencies will be able to provide responses to all of the controls within the tool. The tool provides two important functions to tribal agencies:
- It can be used by an independent assessor or assessment team(s) to conduct an impartial assessment of the tribal agency’s information systems.
- It can strengthen the tribal agencies’ security program by identifying weaknesses and vulnerabilities.
While OCSE does not require tribal child support agencies to use this tool or submit this assessment to us, we recommend that you use the tool as a guide to assess your security posture through an independent assessor or assessment team that conducts impartial assessments of organizational information systems. “Impartial” implies that assessors are free from any perceived or actual conflicts of interest with regard to development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. The tool can be found in IM-16-03, Information for Tribal Access to the FPLS.
Understanding your agency’s security posture is extremely important in safeguarding data. The following list is not exhaustive because security controls should be commensurate with the level of complexity of your IT system; however, these are examples of some of the controls you should have in place.
| Control | Examples | Reference |
|---|---|---|
| Documented System Security Control Plan | | NIST publication 800-18 Rev. 1 |
| System Boundary Document or Diagram | Document or diagram highlighting the overall design of your network. | |
| Network Segmentation | Identify critical assets, partition network into zones, test segmentation effectiveness. | NIST publication 800-53 SC-2 |
| User Authentication/Access Control | Multi-factor authentication where possible, strong password policies, audit password policies regularly. | NIST publication 800-53 AC control family |
| Exploit Mitigation/Vulnerability Management | Open-source vulnerability scan tools, POAM management, independent assessments. | NIST publication 800-53 CA-5, RA-5, SI-2 |
| Secure Configurations | Standard system images, check for deviations over time, continuous improvement. | NIST publication 800-53 CM control family |
| Restrict Administrator Privileges | Limit on business need, monitor accounts, detect abnormal behavior. | NIST publication 800-53 AC control family, IA control family |
| Application Whitelisting | Software inventories, list of allowed applications, monitor unauthorized software. | NIST publication 800-53 CM-8 |
| Patch Management | Prioritize based on risk, have a patch schedule. | NIST publication 800-53 CM-6, SI-2 |
| Physical Controls | Door locks, clean desk policies, security systems. | NIST publication 800-53 PE control family |
Every tribe that seeks access to the FPLS must have and implement the federally required security controls. It is not just a matter of being able to show written processes; the processes must be in practice. We hope these tips will be helpful to you in preparing for and identifying an appropriate independent security assessor.
Donna J. Bonar
Office of Child Support Enforcement
cc: ACF/OCSE Regional Program Managers