The Common Criteria

Evaluation—assessment of an IT product or system against defined security functional and assurance criteria, performed by a combination of testing and analytic techniques

Evaluation Assurance Level (EAL)—one of seven increasingly rigorous packages of assurance requirements from CC Part 3. Each numbered package represents a point on the CC's predefined assurance scale. An EAL can be considered a level of confidence in the security functions of an IT product or system.

Package—a reusable set of either functional or assurance components (e.g., an EAL), combined together to satisfy a set of identified security objectives

Product—IT software, firmware and/or hardware, providing functions designed for use or incorporation within a multiplicity of systems

Protection Profile (PP)—an implementation-independent set of security functional and assurance requirements for a category of IT products that meet specific consumer needs

Security Functional Requirements—requirements, preferably from CC Part 2, that when taken together specify the security behavior of an IT product or system

Security Objective—a statement of intent to counter specified threats and/or satisfy specified organizational security policies and assumptions

Security Target (ST)—a set of security functional and assurance requirements and specifications to be used as the basis for evaluation of an identified product or system

System—a specific IT installation, with a particular purpose and operational environment

Target of Evaluation (TOE)—another name for an IT product or system described in a PP or ST. The TOE is the entity that is subject to security evaluation.
For More Information

REFERENCES:
NIST CSL Bulletin, April 1996
Common Criteria for IT Security v.2.0
ISO FDIS 15408, Parts 1-2-3
Common Criteria Mutual Recognition Arrangement, October 1998

The CISSP Prep Guide: Gold Edition

WEB SITES:
Common Criteria Project: http://csrc.nist.gov/cc
NIAP: http://niap.nist.gov

CC PROJECT ORGANIZATIONS:
■ CANADA: Communications Security Establishment
  E-mail: criteria@cse-cst.gc.ca
  WWW: www.cse-cst.gc.ca/cse/english/cc.html
■ FRANCE: Service Central de la Sécurité des Systèmes d’Information (SCSSI)
  E-mail: ssi20@calva.net
■ GERMANY: Bundesamt für Sicherheit in der Informationstechnik (BSI), German Information Security Agency (GISA)
  E-mail: cc@bsi.de
  WWW: www.bsi.bund.de
■ NETHERLANDS: Netherlands National Communications Security Agency
  E-mail: criteria@nlncsa.minbuza.nl
  WWW: www.tno.nl/instit/fel/refs/cc.html
■ UNITED KINGDOM: Communications-Electronics Security Group
  E-mail: criteria@cesg.gov.uk
  WWW: www.cesg.gov.uk/cchtml
■ UNITED STATES—NIST: National Institute of Standards and Technology
  E-mail: criteria@nist.gov
  WWW: http://csrc.nist.gov/cc
■ UNITED STATES—NSA: National Security Agency
  E-mail: common_criteria@radium.ncsc.mil
  WWW: www.radium.ncsc.mil/tpep/

APPENDIX E
BS7799

Considered by some as the leading Information Security Management System (ISMS), the Code of Practice for Information Security Management (BS7799) has been developed by the British Standards Institute. A group of leading companies joined, first, to develop the Code of Practice for Information Security Management, now known as BS7799 Part 1, Code of Practice, then, in 1998, to develop BS7799 Part 2, Specification for Information Security Management Systems. The United Kingdom Department of Trade and Industry commissioned the BS 7799 certification scheme in 1998. BS7799 is geared to assuring integrity, availability, and confidentiality of information assets.
Assurance is attained through controls that management creates and maintains within the organization. BS7799 requires that company management address 10 specific areas:
■ Security policy
■ Security organization
■ Assets, classification, and control
■ Personnel security
■ Physical and environmental security
■ Computer and network management
■ System access control
■ System development controls
■ Business continuity planning
■ Compliance and auditing

The scheme requires that participating certification bodies be accredited by recognized national accreditation bodies. The United Kingdom Accreditation Service has accredited six bodies under ISO Guide 62 (EN 45012) to perform certification to BS7799:
■ BSI Quality Assurance
■ Bureau Veritas Quality International Ltd.
■ Det Norske Veritas Quality Assurance Ltd.
■ Lloyd’s Register Quality Assurance Ltd.
■ National Quality Assurance Ltd.
■ SGS Yarsley International Certification Service Ltd.

A drive to gain worldwide acceptance of BS7799 has been the primary thrust of the Joint Information Technology Committee of the ISO and the International Electrotechnical Commission (IEC). These organizations are transitioning BS7799 into an international standard known as ISO 17799.

APPENDIX F
HIPAA Updates

Scope

HIPAA Public Law 104-191, the Kennedy-Kassebaum Health Insurance Portability and Accountability Act of 1996, is designed to:
■ Provide for greater access to personal health care information
■ Enable portability of health insurance
■ Establish strong penalties for health care fraud
■ Administrative simplification

Title II of HIPAA, Administrative Simplification, contains the Security and Privacy requirements and, therefore, the remainder of this discussion focuses on Administrative Simplification.
Title II Administrative Simplification

The goals of Title II are to:
■ Improve the efficiency and effectiveness of the U.S. health care system by standardizing the exchange of administrative and financial data.
■ Protect Security and Privacy of individually identifiable health information

Covered Entities under HIPAA are health plans, health care clearinghouses, insurers to include corporate employers’ self-insured plans, and health care providers who transmit health information electronically in connection with standard transactions.

The principal areas addressed under Administrative Simplification are:
■ Transaction Standards and Code Sets for claims, enrollment, premium payments and others as adopted by HHS
■ Unique Health Identifiers for health care providers, health plans, employers and individuals
■ Security and Electronic Signatures
■ Privacy for individually identifiable health information

Dates

Publication dates of the proposed rules and final rules vary for the major areas addressed by Title II. Also, some of the rules have set compliance dates and, as of this writing, some do not. The important dates are summarized in the following sections.

Security

HHS published proposed Security standards on August 12, 1998 and, as of this writing, the final security rule has not been published.

Privacy

The final Privacy rule was published on December 28, 2000 with a compliance date of April 14, 2003. Changes were proposed to the final Privacy rule by HHS and published in the Federal Register on March 28, 2002.
The purpose of the proposed changes was to “maintain strong protections for Privacy of individually identifiable health information while clarifying misinterpretations, addressing the unintended negative effects of the Privacy rule on health care quality or access to health care, and relieving unintended administrative burden created by the Privacy rule.” The changes were subject to a 30-day public comment period that ended on April 26, 2002. These proposed changes would not affect the April 14, 2003 deadline for compliance with the final Privacy rule. These changes were finalized by HHS and went into effect in August 2002.

Transactions and Code Sets

The final rule for electronic transactions and code sets was published on August 17, 2000, with a compliance date of October 16, 2002. On December 27, 2001, President Bush amended HIPAA with the Administrative Simplification Compliance Act, Public Law 107-105. This act gave organizations the option of applying for a one-year delay in implementing the transactions and code sets standards if the organization applied for an extension before October 16, 2002. Thus, the new deadline for an organization requesting a delay will be October 16, 2003.

Unique Health Identifiers

Proposed rules for a national provider identifier and national employer identifier were published in 1998. Proposed rules for a national health plan identifier have not been released as of this writing, and plans for a national individual identifier are on hold because of privacy concerns.

Summary of Administrative Simplification Rules

A description of the standards described in Title II will provide the reader with the requirements associated with achieving HIPAA compliance.
Security

The HIPAA Security rule mandates the protection of the confidentiality, integrity, and availability of protected health information (PHI) through:
■ Administrative procedures such as awareness training, chain of trust agreements, policies and internal auditing.
■ Physical safeguards to include physical protection of workstations and media, facility access control, and disposal of magnetic media.
■ Technical services and mechanisms such as authentication and access controls.
■ Electronic Signatures when an industry standard can be agreed upon. They are not currently required.
■ Appointment of a security officer.

Privacy

The HIPAA Privacy rule covers PHI that is transmitted or stored in electronic, paper or oral form. The final Privacy rule of December 28, 2000, stated that PHI cannot be disclosed unless:
■ Disclosure is approved by the individual
■ Permitted by the legislation
■ For treatment
■ For payment
■ For health care operations
■ As required by law

When the practical day-to-day health care operations were considered, there were a number of concerns about the details of the Privacy rule that may affect the delivery of health care. As a result, changes were proposed to the Privacy rule, published on March 28, 2002, that severely relaxed the consent requirements of the December 28, 2002 version of the rule. Privacy advocates have expressed strong concerns about these and other proposed changes. The changes, which went into effect in August 2002, are summarized as follows:

Removal of the Mandatory HIPAA Consent Requirement

Concerns focused on the impracticality of providers’ obtaining consent before the initial encounter with the patient. Pharmacies commented on the need to allow individuals other than the patient to pick up the patient’s prescription, and so on.
The amendment removes the consent requirement and would permit covered entities to use and disclose a patient’s PHI for their own treatment, payment or health care operations and for treatment, payment, and certain health care operations of other parties without prior written patient permission.

Use and Disclosure with an Authorization

Under the Privacy Rule, covered entities must obtain a written authorization for the use or disclosure of PHI for purposes other than treatment, payment or operations. The amendments consolidate the various essential elements for authorizations into a single set of criteria.

Accounting of Disclosures of PHI

The Privacy Rule provides individuals with the right to obtain an accounting of any disclosures of their PHI made by a covered entity pursuant to an authorization during the six years preceding the request for accounting. HHS exempts from the accounting requirement all disclosures made pursuant to an individual’s authorization.

Minimum Necessary and Oral Communications

The Privacy Rule requires that covered entities disclose only that amount of PHI that is necessary to fulfill the purpose of the disclosure. HHS explicitly permits incidental use or disclosure of PHI.

Business Associates

The business associate (BA) provisions of the Privacy Rule require a covered entity to impose, through contracts, the Privacy standards of the Privacy Rule on parties who access and use PHI. HHS amended the transition provisions of the Privacy Rule to give covered entities (other than small health plans, which currently have a 2004 compliance date) at least another year, until April 14, 2004, in which to modify existing written (but not oral) agreements or amendments of their PHI if the BA does not have the PHI in a “designated record set,” as defined by the Privacy Rule.
Marketing

The Privacy Rule defines marketing as the making of a communication “about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.” The amendments to the Privacy Rule require a patient authorization for any use or disclosure of PHI for marketing purposes, unless the marketing occurs in a face-to-face communication between the covered entity and the patient or the covered entity is merely providing a promotional gift of nominal value.

Parents/Minors

Under the Privacy Rule, a covered entity must treat a person with the authority to act on behalf of an unemancipated minor as that minor’s personal representative for purposes of use and disclosure of the minor’s PHI. The amendments permit a covered entity to disclose PHI to a parent if a specific provision of state or other law, including case law, permits such a disclosure. Conversely, if such law prohibits such a disclosure, the covered entity would not be permitted to make it. Finally, the amendments require a covered entity, consistent with state or other applicable law, to disclose the minor’s PHI to a parent or other personal representative of the minor, to the minor, or to both.

Research

The amendment makes significant changes to research authorizations by simplifying and clarifying the requirements. HHS defines a single set of essential elements that apply generally to any authorization regardless of the purpose for the use or disclosure.

Uses and Disclosures for FDA-Regulated Products or Activities

Public health organizations have expressed concern that the Privacy Rule stifles current public health reporting activities. In addition, some covered entities have expressed fear of liability for disclosing PHI to a manufacturer’s employee who is not a person subject to FDA jurisdiction.
The amendment clarifies that a covered entity may disclose protected health information to representatives of manufacturers or other companies, who are subject to FDA jurisdiction.

Research Transition Provisions

The research community is also concerned that the Privacy Rule does not address transition for studies that will continue after the compliance date but for which patient consent or authorization had not been sought. The amendments eliminate the distinction between research involving treatment and other research for purposes of transition.

De-Identification of PHI

The Privacy Rule provides two ways by which a covered entity can ensure that PHI has been adequately de-identified: It may obtain an expert opinion that there is a statistically small risk that the released information could be used to identify the individual subject; or it may strip from all disclosed information the 18 identifiers that are enumerated in the Privacy Rule’s safe harbor provision.

Hybrid Entities

The Privacy Rule defines covered entities that primarily engage in non-covered functions as “hybrid entities” and applies the Privacy standards only to their health care components. HHS eliminates the term “primary functions” from its definition of “hybrid entity” and effectively permits covered entities, such as many universities and insurance companies, that engage in both covered functions and non-covered functions to elect to be treated as either a hybrid entity or a single entity.

Transactions and Code Sets

This portion of Title II requires the adoption of the ANSI (American National Standards Institute) ASC X12N (Accredited Standards Committee X12) version 4010 EDI (Electronic Data Interchange) Standard for transactions. This requirement specifies standards for the “enveloping” of data for successful message routing.
This rule also mandates the use of standard code sets for diagnoses and inpatient services, professional services, dental services (replaces ‘D’ codes), drugs (instead of ‘J’ codes) and eliminates “local” codes.

HIPAA EDI Transactions

The HIPAA EDI Transaction Standards specifically apply to:
■ Health claims or similar encounter information
■ Health care payment and remittance advice
■ Coordination of benefits
■ Health claim status
■ Enrollment and dis-enrollment in a health plan
■ Eligibility for a health plan
■ Health plan premium payments
■ Referral certification and authorization

[...]

... implementation cost
Answer: b
The correct answer is b. A Single Loss Expectancy is derived by multiplying the Asset Value with its Exposure Factor. The other answers do not exist.

10. What are the detailed instructions on how to perform or implement a control called?
a. Procedures
b. Policies
c. Guidelines
d. Standards
Answer: a

11. What is the BEST description of risk...

... of ARO × AV
Answer: a
The correct answer is a. Answer b is the formula for an SLE, and answers c and d are nonsense.

2. What is an ARO?
a. A dollar figure assigned to a single event
b. The annual expected financial loss to an organization from a threat
c. A number that represents the estimated frequency of an occurrence of an expected threat
d. The percentage of loss...

... message

The number of times a password should be changed is NOT a function of:
a. The criticality of the information to be protected
b. The frequency of the password’s use
c. The responsibilities and clearance of the user
d. The type of workstation used
Answer: d
The correct answer is d. The type of workstation used as the platform is not the determining factor. Items a, b, and c are determining factors. The...
... integrity
d. Referential integrity
Answer: a
The correct answer is a. Least privilege, in the database context, requires that subjects be granted the most restricted set of access privileges to the data in the database that are consistent with the performance of their tasks. Answer b, separation of duties, assigns parts of security-sensitive tasks to several...

... c is incorrect because authentication can be accomplished through the use of a password. Answer d is incorrect because authentication is applied to local and remote users.

25. An example of two-factor authentication is:
a. A password and an ID
b. An ID and a PIN
c. A PIN and an ATM card
d. A fingerprint
Answer: c
The correct answer is c. These items are something...

... Answer: c
The correct answer is c. Answer a is the definition of SLE, b is an ALE, and d is an EF.

3. Which choice MOST accurately describes the difference between the role of a data owner versus the role of a data custodian?
a. The custodian implements the information classification scheme after the initial assignment by the owner
b. The data owner implements the information classification scheme after the initial...

... for authentication, as is the case for a synchronous dynamic password token. Answer b is a distracter. Answer d, a challenge-response token, generates a random challenge string as the owner enters the string into the token along with a PIN. Then, the token generates a response that the owner enters into the workstation for authentication.

5. In a biometric system, the time it takes to register with the system...
... control mechanisms correctly implement the security policy for the entire life cycle of an information system are known as:
a. Accountability procedures
b. Authentication procedures
c. Assurance procedures
d. Trustworthy procedures
Answer: c
The correct answer is c. Accountability, answer a, refers to the ability to determine the actions and behaviors of a single...

... Public keys
b. Session keys
c. Passwords
d. Tokens
Answer: b
The correct answer is b. Session keys are temporary keys assigned by the KDC and used for an allotted period of time as the secret key between two entities. Answer a is incorrect because it refers to asymmetric encryption that is not used in the basic Kerberos protocol. Answer c is incorrect because...

... the difference between qualitative and quantitative risk analysis?
a. A quantitative RA does not use the hard costs of losses, and a qualitative RA does
b. A quantitative RA uses less guesswork than a qualitative RA
c. A qualitative RA uses many complex calculations
d. A quantitative RA cannot be automated
Answer: b
The correct answer is b. The other answers are incorrect.

... constitute the largest amount of dollar loss due to unauthorized or inappropriate computer use.

6. Which choice is the BEST description of authentication...
... and Training

www.nsi.org/compsec.html
www.boran.com/security
xforce.iss.net
www.itpolicy.gsa.gov
www.nswc.navy.mil/ISSEC
www.dda-ltd.co.uk/bs7799.html
www.checkpoint.com
www.cisco.com
www.corbett-tech.com
www.strozassociates.com
www.tigertesting.com
www.misti.com
www.securify.com
www.kroll-ogara.com
www.verisign.com
www.rsasecurity.com
www.securecomputing.com
www.atomictangerine.com
www.infosecnews.com
www.rdvgroup.com

Hacker...