Memorandum for Department of Health and Human Services Management

Insert Name

CSIA 412

Date: 8 March 2015

From: Cybersecurity Program Manager

Subject: Department of Health and Human Services (HHS) Cybersecurity Recommendation

As a dedicated team member and Program Manager of the Cybersecurity Division of the Department of Health and Human Services, I have identified security areas that require immediate attention. The recommendations in this memorandum are in the best interest of HHS' operations, information, and security. Please take time to review the recommendations developed by a small group of experts in the Cybersecurity Division of HHS.

Presently, HHS is not in full compliance with Presidential Policy Directive 21 (PPD-21), Executive Order 13636, or the May 2011 Cybersecurity Legislative Proposal. Many requirements of each have been met, but several gaps remain that leave HHS exposed to avoidable risk. To strengthen the infrastructure and reduce the likelihood of unauthorized access, HHS needs to enforce password protection procedures, deploy data encryption, and increase collaboration with its governing organizations. Our team has drafted more stringent password policies and a plan of action that our governing organizations can help us implement. Data encryption is a work in progress: we are selecting the level of encryption that best fits the needs of the organization without interrupting the flow of business.

HHS has met the policy standards and guidelines required for compliance with Federal Information Processing Standards Publication (FIPS PUB) 200 and ISO/IEC 27001. Both provide a baseline from which organizations are expected to keep improving their practices and raise their standard of care and service. ISO/IEC 27001 and 27002 have become the central focus of the Cybersecurity Division because they supply the standards and guidance needed for a fully functioning, efficient, and effective risk assessment process, one that addresses both the targeted risks and the residual risks that remain after controls are applied. The goal of our division is to reduce every identified risk to the network to an acceptable level; no set of controls eliminates risk entirely, so residual risk must be documented and formally accepted by management. To ensure continued compliance, the Cybersecurity Division is prepared to provide regular training to staff and outside partners in order to reduce human error and promote efficiency.

The evaluation and audit system currently in use is a strong asset: it not only scans for vulnerabilities but also gives the Cybersecurity Division a detailed report that supports a more effective response to incidents as they occur. This tool is undermined, however, by the absence of automatic expiry of application and system passwords, and by a remote access policy that has not been modified in over 14 years. The Cybersecurity Division is reviewing and revising the remote access policy as necessary, and is preparing a sequence of training for those who access the network remotely. The Division recommends that the organization adopt periodic password resets system-wide, enforced by the systems themselves rather than left to individual users.
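One concrete check that supports the periodic-reset recommendation, added here as an illustration and not code from this memorandum or from any HHS tooling: a Python audit that reads password-aging records in the /etc/shadow format and flags accounts whose maximum password age is unset or exceeds policy, whose password is older than the policy allows, or whose password field is empty. The records, the 90-day maximum and the audit date (the memo's date) are constructed assumptions for the example.

```python
"""Audit password-aging records against a periodic-reset policy.

Added illustration, not code from the memorandum or HHS. The records below
are constructed sample data in /etc/shadow format; on a real host you would
read /etc/shadow as root (or the output of `getent shadow`) instead.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_AGE_DAYS = 90      # assumed policy value for the example, not an HHS figure
NEVER_EXPIRES = 99999  # conventional "never" value in the max-age field
EPOCH = date(1970, 1, 1)

# Constructed sample; fields are user:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is days since 1970-01-01 (16502 == 2015-03-08, the date of this memo).
SAMPLE_SHADOW = """\
root:$6$saltA$hashA:16000:0:99999:7:::
alice:$6$saltB$hashB:16450:0:90:7:::
bob:$6$saltC$hashC:16300:0::7:::
svc_backup:*:16000:0:99999:7:::
carol:!$6$saltD$hashD:15900:0:60:7:::
erin:$6$saltE$hashE:16400:0:90:7:::
frank::16450:0:90:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    pw_hash: str
    last_change: Optional[int]  # days since epoch; None when the field is empty
    max_days: Optional[int]     # None when the field is empty (aging disabled)


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow(5)-style records; only the fields the audit needs are kept."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"malformed shadow record: {line!r}")
        entries.append(ShadowEntry(
            user=fields[0],
            pw_hash=fields[1],
            last_change=int(fields[2]) if fields[2] else None,
            max_days=int(fields[4]) if fields[4] else None,
        ))
    return entries


def audit(entries: List[ShadowEntry], today: date,
          max_age: int = MAX_AGE_DAYS) -> List[Tuple[str, str]]:
    """Return (user, reason) findings for accounts that breach the reset policy."""
    today_days = (today - EPOCH).days
    findings = []
    for e in entries:
        if e.pw_hash == "":
            # An empty hash field means login without any password: worst case.
            findings.append((e.user, "empty password field: login requires no password"))
            continue
        if e.pw_hash.startswith(("!", "*")):
            continue  # locked, or password login disabled: nothing to age
        if e.max_days is None or e.max_days >= NEVER_EXPIRES:
            findings.append((e.user, "no maximum password age set; password never expires"))
        elif e.max_days > max_age:
            findings.append((e.user, f"maximum age {e.max_days} days exceeds policy of {max_age}"))
        if e.last_change is None:
            findings.append((e.user, "last-change date empty; password aging disabled"))
        elif e.last_change > 0:  # 0 means "must change at next login", already enforced
            age = today_days - e.last_change
            if age > max_age:
                findings.append((e.user, f"password is {age} days old; reset overdue"))
    return findings


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample as of the memo's date."""
    return audit(parse_shadow(SAMPLE_SHADOW), date(2015, 3, 8))


if __name__ == "__main__":
    for user, reason in audit_sample():
        print(f"{user:12s} {reason}")
```

On the sample, root and bob are flagged twice (no effective maximum age and an overdue reset), erin once (overdue), and frank once (empty password field); alice is within policy, and the locked or no-password-login accounts svc_backup and carol are skipped because password aging does not apply to them. Raising the policy from "consider periodic resets" to an enforced maximum age is what turns this one-off audit into a standing control: once max-age is set, the login system itself forces the reset and the audit only needs to catch accounts where it was never configured.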

It is the mission and vision of the Cybersecurity Division of HHS to foster an enterprise-wide secure and trusted environment in support of HHS' commitment to the health and well-being of the American people. The best way to fulfill this mission is to continue providing strategic updates and recommendations for change that support the organization and maintain its reputation. If there are any questions, please contact me at 301-555-8872 or by email at dvanwright@student.umuc.edu.