Automated Cybersecurity Certification in SPHINX
Cybersecurity certification is a complex process that usually combines security auditing against multiple compliance policies with security testing. Since the SPHINX project focuses on healthcare, it is important to highlight and address the compliance policies and audits that are relevant to healthcare data and to the infrastructure of healthcare organizations. At the same time, the generic security issues of the systems used in healthcare organizations still apply.
Most information systems perform common procedures such as mail handling and document handling. More specialised systems that process healthcare data are used as well; however, such systems are usually not connected to the common infrastructure.
All of the above has to be considered, and the certification process has to be deployed according to the requirements and the security environment in which the systems or software components are to be certified.
Defining and addressing specific rules drawn from a combination of rulesets is important. The scope of the SPHINX project is to demonstrate this, helping organizations comply by providing a basic process for auditing and compliance against a set of rulesets. When defining the compliance and auditing process, key considerations regarding the ability to monitor and analyze the security environment must be applied. They include the following:
- What kind of data is stored, which policies apply to it, and where it is stored or distributed;
- Enumerating the assets and the privileges for managing them, such as the users and groups that have access;
- How the data is protected;
- Incident response options;
- Disaster recovery;
- The compliance reports that can be produced.
The final consideration is directly related to cybersecurity certification; the other considerations affect the process as well. The following paragraphs describe the main processes of automated cybersecurity certification in SPHINX.
Cybersecurity certification is conducted on each asset of the audited systems. Asset management is a process maintained by other SPHINX components; however, the certification process itself includes a list of tasks related to the asset and to system management. Monitoring includes retrieving, for each asset, the running services, the installed packages, the network interfaces and the open network ports. A submission for certification can cover either a whole system or a specific asset or group of assets that must be audited.
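As an added example (not code from the SPHINX project or from Deliverable 3.5), the following Python script shows how such a per-asset snapshot can be built from the text output of standard Linux tools and then checked against a small ruleset, with a submission covering one or more assets. The tool outputs are constructed samples in the formats of `ss -tlnp`, `dpkg-query -W -f='${Package}\t${Version}\n'` and `systemctl list-units --type=service --state=running --no-legend` rather than captures from a real host, and the asset name `ehr-gw-01` and the rules in `EXAMPLE_POLICY` are assumptions made for illustration, not a SPHINX ruleset.

```python
"""Per-asset snapshot and ruleset check for a certification submission.

Added example, not SPHINX project code. The tool outputs below are
constructed samples in the text formats of `ss -tlnp`, `dpkg-query -W`
and `systemctl list-units`; nothing is read from the live host.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `ss -tlnp` (listening TCP sockets with owning process).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1201,fd=5))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1450,fd=6),("nginx",pid=1451,fd=6))
LISTEN 0      50     0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=1600,fd=4))
"""

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n'` (name TAB version).
DPKG_OUTPUT = "openssh-server\t1:8.4p1-5\nnginx\t1.18.0-6.1\ntelnetd\t0.17-42\npostgresql-13\t13.9-0\n"

# Constructed sample of `systemctl list-units --type=service --state=running --no-legend`.
SYSTEMCTL_OUTPUT = """\
ssh.service        loaded active running OpenBSD Secure Shell server
nginx.service      loaded active running A high performance web server
postgresql.service loaded active running PostgreSQL RDBMS
inetd.service      loaded active running Internet superserver
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listening_sockets(text):
    """Return [(local_address, port, process_name)] from `ss -tlnp` output."""
    sockets = []
    for line in text.splitlines()[1:]:                 # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)          # also handles "*:80" and "[::]:22"
        match = PROC_RE.search(line)
        sockets.append((addr, int(port), match.group(1) if match else None))
    return sockets


def parse_packages(text):
    """Return {package: version} from dpkg-query output, one 'name<TAB>version' per line."""
    return dict(line.split("\t", 1) for line in text.splitlines() if "\t" in line)


def parse_services(text):
    """Return the set of running unit names from systemctl list-units output."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def snapshot_asset(asset_id, ss_text, dpkg_text, systemctl_text):
    """Build the monitoring snapshot that the certification checks run against."""
    return {
        "asset": asset_id,
        "sockets": parse_listening_sockets(ss_text),
        "packages": parse_packages(dpkg_text),
        "services": parse_services(systemctl_text),
    }


@dataclass
class Policy:
    """A minimal ruleset; real rulesets are derived from the standards an organization adopts."""
    approved_exposed: dict = field(default_factory=dict)   # process -> ports it may expose off-host
    forbidden_packages: set = field(default_factory=set)
    forbidden_services: set = field(default_factory=set)


# Assumed example ruleset for illustration, not a SPHINX or standards-derived policy.
EXAMPLE_POLICY = Policy(
    approved_exposed={"sshd": {22}, "nginx": {80, 443}},
    forbidden_packages={"telnetd", "rsh-server"},
    forbidden_services={"inetd.service", "telnet.socket"},
)


def evaluate(snapshot, policy):
    """Return the list of findings for one asset snapshot (an empty list means compliant)."""
    findings = []
    for addr, port, proc in snapshot["sockets"]:
        if addr in LOOPBACK:
            continue                                       # local-only listeners are not exposed
        if port not in policy.approved_exposed.get(proc, set()):
            findings.append(f"unapproved exposed listener {addr}:{port} ({proc})")
    for pkg in sorted(set(snapshot["packages"]) & policy.forbidden_packages):
        findings.append(f"forbidden package installed: {pkg} {snapshot['packages'][pkg]}")
    for unit in sorted(snapshot["services"] & policy.forbidden_services):
        findings.append(f"forbidden service running: {unit}")
    return findings


def audit_submission(snapshots, policy):
    """A submission is one system or a group of assets; each asset is audited separately."""
    return {s["asset"]: evaluate(s, policy) for s in snapshots}


if __name__ == "__main__":
    snap = snapshot_asset("ehr-gw-01", SS_OUTPUT, DPKG_OUTPUT, SYSTEMCTL_OUTPUT)
    for asset, findings in audit_submission([snap], EXAMPLE_POLICY).items():
        print(asset, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

Loopback-only listeners are deliberately skipped, since a policy about exposure is about what other hosts can reach; a rule about local services would be a separate check. Findings are plain strings keyed by asset so they can be fed straight into the reporting step.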
Auditing and Vulnerability Assessment
Auditing is the core of the cybersecurity certification process. Standardized security policies exist; however, there is no universal security policy that can be applied everywhere. The table below collects the prominent industry standards for cybersecurity.
To select and apply the appropriate security policy, it is necessary to consider the organization's needs and define internal policies. International standards or national policies may also apply and must be taken into consideration. Audit logs are an important asset for providing compliance evidence. Vulnerability assessment (vulnerability detection) is also part of the certification process: it describes the current security environment and identifies the threat vectors that could affect the system or software under test.
Visualization, Events, Alerting and Reports
In order to provide convincing and descriptive information about the state of the system, the appropriate reports must be presented in a readable form. Reports that describe the system status accurately include visualization options that help organizations understand the security environment and highlight the important aspects.
The following snapshot shows an example dashboard and report with an understandable summary of the compliance assessments. It is important to be able to handle the information in a way that discards complex detail and extracts the required reports.
Similarly, events must present meaningful information. This can be achieved either by automatically removing unnecessary details, or by providing the option to generate different views according to the purpose of the report.
This section has therefore discussed the options for providing appropriate reports on all the above aspects. In the context of the SPHINX project, it is important to filter the events and provide only the alerts that matter to the certification. Using dashboards, specific information can be presented and the events directly related to the certification process can be highlighted.
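The following Python script is an added example (not code from the SPHINX project) of the filtering and view generation described above: one view keeps only the certification-relevant alerts and strips fields a report does not need, another aggregates findings per asset and control for a dashboard, and a third reduces each asset to its worst open severity. The event records, their field names (`ts`, `asset`, `kind`, `control`, `severity`, `detail`, `raw`) and the control labels are constructed for illustration; the labels are not identifiers from any standard.

```python
"""Certification-oriented views over audit events.

Added example, not SPHINX project code. The events and their field names
(ts, asset, kind, control, severity, detail, raw) are constructed here; the
control labels are illustrative tags, not identifiers from any standard.
"""
from collections import Counter, defaultdict

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}
REPORT_FIELDS = ("ts", "asset", "control", "severity", "detail")   # what a report needs; "raw" is dropped

# Constructed sample events, as an auditing/monitoring component might emit them.
EVENTS = [
    {"ts": "2021-03-01T08:00:01Z", "asset": "ehr-gw-01", "kind": "audit", "control": "access-control",
     "severity": "high", "detail": "telnetd listening on 0.0.0.0:23", "raw": "<full ss line>"},
    {"ts": "2021-03-01T08:00:02Z", "asset": "ehr-gw-01", "kind": "vuln", "control": "patch-management",
     "severity": "medium", "detail": "package nginx has a pending security update", "raw": "<scanner output>"},
    {"ts": "2021-03-01T08:00:03Z", "asset": "ehr-gw-01", "kind": "system", "control": None,
     "severity": "info", "detail": "cron job backup.sh started", "raw": "<syslog line>"},
    {"ts": "2021-03-01T08:00:04Z", "asset": "lab-db-02", "kind": "audit", "control": "logging",
     "severity": "low", "detail": "audit log rotation disabled", "raw": "<auditd config>"},
    {"ts": "2021-03-01T08:00:05Z", "asset": "lab-db-02", "kind": "ids", "control": "access-control",
     "severity": "medium", "detail": "3 failed logins for user postgres from 10.0.0.9", "raw": "<ids alert>"},
]


def certification_alerts(events, min_severity="medium"):
    """Alert view: events mapped to a compliance control at or above min_severity,
    projected onto REPORT_FIELDS so raw payloads never reach the report."""
    floor = SEVERITY[min_severity]
    return [
        {k: e[k] for k in REPORT_FIELDS}
        for e in events
        if e["control"] is not None and SEVERITY[e["severity"]] >= floor
    ]


def control_summary(events):
    """Dashboard view: number of findings per (asset, control), all severities."""
    return Counter((e["asset"], e["control"]) for e in events if e["control"] is not None)


def asset_status(events):
    """Report view: worst severity per asset, the headline figure on a compliance dashboard."""
    worst = defaultdict(lambda: "info")
    for e in events:
        if e["control"] is not None and SEVERITY[e["severity"]] > SEVERITY[worst[e["asset"]]]:
            worst[e["asset"]] = e["severity"]
    return dict(worst)


if __name__ == "__main__":
    for alert in certification_alerts(EVENTS):
        print(f'{alert["ts"]} {alert["asset"]:<10} {alert["severity"]:<6} {alert["control"]}: {alert["detail"]}')
    print(control_summary(EVENTS))
    print(asset_status(EVENTS))
```

Events without a `control` mapping (the cron line above) never appear in any certification view, which is the automatic removal of detail the text refers to; lowering `min_severity` produces the more detailed view for an auditor without changing the underlying event stream.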
More information about Automated Cybersecurity Certification in SPHINX can be found in Deliverable 3.5, which is publicly available here.