Rationale

Security and Privacy intersect all aspects of NIEHS I&IT systems and data. NIEHS I&IT systems and data are diverse and rapidly changing, and demand fit-to-need security and privacy practices. NIEHS has a customized local approach to I&IT security and privacy directed at improving user experience while maintaining compliance. A significant component of NIEHS security and privacy design includes trusted internal accessibility and controlled external accessibility. This design is aligned with collaborative scientific needs, including data sharing and remote systems access. Increased systems migration to externally hosted (cloud) infrastructure demands new I&IT security and privacy policy and practices. Security and privacy compliance frequently imposes change mandates, including forced end of life of applications, platforms, and operating systems.

Goals

The NIEHS I&IT security and privacy program supports the NIEHS mission by collaborating with scientists and administrators in the design of the I&IT security and privacy ecosystem. These collaborations optimize systems design and policy implementation and provide balanced security and privacy risk management. Goals of the program include:

  • Minimize I&IT security and privacy risks by reducing impact and time to resolution.
  • Provide the NIEHS ISSO and privacy coordinator with the necessary reporting and policy parameters and data.
  • Provide internal auditing functions that monitor directly managed systems for policy and procedural compliance, including risk-based accreditations.
  • Ensure I&IT security and privacy training and consulting are key components of the NIEHS culture.

Strategic Capability Priorities

Security and Privacy Strategy Alignment

SEC-01

The I&IT security and privacy program will provide controls that support the NIEHS mission and enable science. Enabling collaborative science in alignment with overall NIH, NIEHS, and I&IT strategic plans will be obtained through careful planning beginning early in projects. The success of this capability will be understood by user satisfaction with a fit-to-design collaborative approach. Enhanced communication with the security and privacy program is needed.

Operate a Secure I&IT Infrastructure

SEC-02

NIEHS will operate and maintain core security and privacy infrastructure tools, including firewalls, intrusion prevention systems, vulnerability scanners, and event auditing and logging systems. Many of these tools and techniques are both centralized at NIH and implemented locally. NIEHS will continue to reduce the impact and time to resolution for I&IT security and privacy incidents. Security and privacy tools are operational, and incidents are tracked.

Protect Sensitive Data

SEC-03

Sensitive NIEHS data will be protected. Systems that collect, maintain, or share data with sensitive PII or Protected Medical Information will meet all I&IT security and privacy requirements. The security and privacy program will comply with NIH privacy requirements and appropriate NIST controls. NIEHS has devoted resources to protect sensitive data.

Early Security and Privacy Design

SEC-04

The I&IT security and privacy program will review and advise on all system designs hosted internally where the confidentiality, integrity, or availability of NIEHS data is at potential risk. Security and privacy requirements will be vetted in the early phases of projects. Acquisition plans involving I&IT components and externally hosted systems will include appropriate security and privacy sections. The ISSO is involved in development of contract clauses and application consulting.

Internal Security Verification

SEC-05

Security and privacy policy and implementation will oversee, advise, and audit compliance with HHS, NIH, OMB, and other mandates. The level of compliance is measured by results on the NIH Dashboard for IT security. Improving the NIEHS Dashboard score for the compliance section is a measure of success. The current level of staffing does not support sufficient verification and correction.

Security Incident Handling

SEC-06

Security and privacy staff will investigate and respond to all reported, discovered, or suspected threats to NIEHS infrastructure or data. Incidents are tracked monthly by NIH. Success is defined by keeping the outstanding (greater than 15 days) incident level low, responding to each in a timely manner, and resolving the incident efficiently. The staff keeps the NIEHS I&IT security incident count very low.

Security and Privacy in Acquisitions

SEC-07

The security and privacy program will collaborate with the Office of Acquisitions to provide presolicitation guidance and regulation clarity for all acquisitions involving I&IT. Within a compliance framework, balance between scientific need and security and privacy will be maintained. Staff will evaluate and determine baseline requirements to be incorporated into all contracts and acquisitions containing I&IT components. Contracts will be audited for appropriate clauses. NIEHS is not aware whether all contracts go through this process.

Risk Management Lifecycle

SEC-08

The security and privacy program will be integrated with risk management systems, including lifecycle planning. Hardware and software systems require end-of-life planning to ensure vulnerabilities can be managed and patches are available. The I&IT security program will monitor out-of-date hardware and software. Risk management lifecycle success will be ensured using automated reports that find no out-of-support software or hardware to ensure security in I&IT architecture. Limited resources impact completion.

NIEHS Authorization to Operate

SEC-09

The security and privacy program will provide the needed information to secure a full IT ATO for the network and IT. NIEHS will produce and maintain adequate documentation necessary to sustain the ATO. The NIH tracked GSS is current and ATO-approved for 2019.

Information Support for Administrative Matters

SEC-10

The security and privacy program will collect, process, and preserve data as required for ethical, civil, personnel, and criminal proceedings involving NIEHS staff. This will include assistance in locating and gathering records from respective systems in response to FOIA requests, in coordination with the NIEHS FOIA and Privacy Office. The success of this activity is management satisfaction for the required activities. Workload is very high.

Privacy Impact Assessment Support

SEC-11

The security and privacy program will collaborate with the NIEHS FOIA and Privacy Office to ensure existing measures for collecting, maintaining, and sharing PII for all human research study participants are sufficient and in accordance with NIH and NIEHS requirements (Privacy Impact Assessments, OMB clearance, and Records Management requirements). The program is tracked by NIH. Data calls and NIH-required submissions will be met. Workload is very high.

I&IT Security and Privacy Theme Map

Theme map (figure): strategic themes are I&IT Landscape, Agility, Analytics, Communications & Transparency, Foster Collaboration, Governance, Optimize Resources, and Workforce Development.

I&IT Security and Privacy priorities shown on the map: SEC-01, SEC-02, SEC-03, SEC-05, SEC-07, SEC-09, SEC-10, SEC-11, SEC-04, SEC-06, SEC-08.

See Appendix A: I&IT Priorities Support NIEHS Strategic Themes