[Case Study] Information Assurance/Information System Security Support
Updated: Feb 23, 2021
In the face of rapidly evolving and persistent cyber threats to U.S. interests from criminals, hackers, and foreign adversaries, information assurance offers network security and resiliency to protect data from intrusion, while maintaining its confidentiality, integrity, and availability.
A U.S. Government customer was developing a moderate-impact, public-facing web-based application to identify safety issues. The system would contain both Personally Identifiable Information (PII) and business confidential/proprietary data requiring protection.
COMPLIANCE: The project had been fast-tracked due to public pressure, and meeting National Institute of Standards and Technology (NIST) and Office of Management and Budget (OMB) security standards subsequently required changes to the system requirements, system design and information architecture.
SCHEDULE: Meeting the security compliance requirements threatened significant project schedule delays, which the customer could not afford.
CRI leveraged our experience solving similar challenges for other Government agencies to develop a custom solution to the customer’s challenges.
STAKEHOLDER ENGAGEMENT FOR REQUIREMENTS MANAGEMENT: Our staff joined the development team and created an Information System Security Program by identifying system security requirements, associated artifacts and security program activities to ensure the secure architecture, design, development, operations and maintenance of the system during its life cycle.
SECURE CODING/VULNERABILITY MITIGATION: We implemented the Open Web Application Security Project (OWASP) secure coding practices so that our code mitigated common software vulnerabilities. CRI performed a comprehensive evaluation of each component of the web-based application, from the hardware, operating system, applications, source code, database, network, and endpoint (client machine), for vulnerabilities and risks.
RISK-BASED APPROACH: The evaluation led to close collaboration with the technical team to implement system-specific technical, operational and management controls that reduced system vulnerabilities and risks to acceptable levels. CRI's risk-based approach, grounded in industry standards, was key to ensuring that the system was prepared for assessment, authorization, and the subsequent Authorization to Operate (ATO).
CRI's solution incorporated federal and industry standards to implement a secure and resilient public-facing web-based application, all while remaining within the original program schedule. From an enterprise perspective, we provided an integrated risk-based process that the customer used as a foundation for an enterprise Risk Management Framework to comprehensively secure their information assets.
Contact us to learn how we can deliver information assurance/information system security support solutions to solve your challenges at 703-245-4120 or BD@cri-solutions.com .