The NIEHS I&IT security and privacy program supports the NIEHS mission by collaborating with scientists and administrators in the design of the I&IT security and privacy ecosystem. These collaborations optimize systems design and policy implementation and provide balanced security and privacy risk management. Goals of the program include:
- Minimize I&IT security and privacy risks by reducing impact and time to resolution.
- Provide the NIEHS ISSO and privacy coordinator with the necessary reporting and policy parameters and data.
- Provide internal auditing functions that monitor directly managed systems for policy and procedural compliance, including risk-based accreditations.
- Ensure I&IT security and privacy training and consulting are key components of the NIEHS culture.
Strategic Capability Priorities
Security and Privacy Strategy Alignment
The I&IT security and privacy program will provide controls that support the NIEHS mission and enable science. Enabling collaborative science in alignment with the overall NIH, NIEHS, and I&IT strategic plans will be achieved through careful planning that begins early in projects. The success of this capability will be measured by user satisfaction with a fit-to-design collaborative approach. Enhanced communication with the security and privacy program is needed.
Operate a Secure I&IT Infrastructure
NIEHS will operate and maintain core security and privacy infrastructure tools, including firewalls, intrusion prevention systems, vulnerability scanners, and event auditing and logging systems. Many of these tools and techniques are both centralized at NIH and implemented locally. NIEHS will continue to reduce the impact and time to resolution for I&IT security and privacy incidents. Security and privacy tools are operational, and incidents are tracked.
Protect Sensitive Data
Sensitive NIEHS data will be protected. Systems that collect, maintain, or share data with sensitive PII or Protected Medical Information will meet all I&IT security and privacy requirements. The security and privacy program will comply with NIH privacy requirements and appropriate NIST controls. NIEHS has devoted resources to protect sensitive data.
Early Security and Privacy Design
The I&IT security and privacy program will review and advise on all system designs hosted internally where the confidentiality, integrity, or availability of NIEHS data is at potential risk. Security and privacy requirements will be vetted in the early phases of projects. Acquisition plans involving I&IT components and externally hosted systems will include appropriate security and privacy sections. The ISSO is involved in development of contract clauses and application consulting.
Internal Security Verification
Security Incident Handling
Security and privacy staff will investigate and respond to all reported, discovered, or suspected threats to NIEHS infrastructure or data. Incidents are tracked monthly by NIH. Success is defined by keeping the outstanding (greater than 15 days) incident level low, responding to each in a timely manner, and resolving the incident efficiently. The staff keeps the NIEHS I&IT security incident count very low.
Security and Privacy in Acquisitions
The security and privacy program will collaborate with the Office of Acquisitions to provide presolicitation guidance and regulatory clarity for all acquisitions involving I&IT. Within a compliance framework, a balance between scientific need and security and privacy will be maintained. Staff will evaluate and determine baseline requirements to be incorporated into all contracts and acquisitions containing I&IT components. Contracts will be audited for appropriate clauses. NIEHS is not aware whether all contracts go through this process.
Risk Management Lifecycle
The security and privacy program will be integrated with risk management systems, including lifecycle planning. Hardware and software systems require end-of-life planning to ensure that vulnerabilities can be managed and patches are available. The I&IT security program will monitor out-of-date hardware and software. Success of the risk management lifecycle will be demonstrated by automated reports that find no out-of-support software or hardware, ensuring security in the I&IT architecture. Limited resources impact completion.
NIEHS Authorization to Operate
The security and privacy program will provide the information needed to secure a full IT ATO for the network and IT. NIEHS will produce and maintain the documentation necessary to sustain the ATO. The NIH-tracked GSS is current and ATO-approved for 2019.
Information Support for Administrative Matters
The security and privacy program will collect, process, and preserve data as required for ethical, civil, personnel, and criminal proceedings involving NIEHS staff. This will include assistance in locating and gathering records from the respective systems in response to FOIA requests, in coordination with the NIEHS FOIA and Privacy Office. Success of this activity is measured by management satisfaction with the required activities. Workload is very high.
Privacy Impact Assessment Support
The security and privacy program will collaborate with the NIEHS FOIA and Privacy Office to ensure existing measures for collecting, maintaining, and sharing PII for all human research study participants are sufficient and in accordance with NIH and NIEHS requirements (Privacy Impact Assessments, OMB clearance, and Records Management requirements). The program is tracked by NIH. Data calls and NIH-required submissions will be met. Workload is very high.
I&IT Security and Privacy Theme Map
Themes: I&IT Landscape | Agility | Analytics | Communications & Transparency | Foster Collaboration | Governance | Optimize Resources | Workforce Development
Row: I&IT Security and Privacy