Nuclear Regulatory Commission Computer Security Office Enterprise Security Architecture Working Group Charter

Transcription

1 Nuclear Regulatory Commission Computer Security Office Enterprise Security Architecture Working Group Charter Title: CSO Enterprise Security Architecture Working Group Charter Revision Number: 1.0 Effective Date: April 10, 2013 Primary Contacts: Responsible Organization: Summary: ADAMS Accession No.: Kathy Lyons-Burke, SITSO CSO/PST The CSO Enterprise Security Architecture Working Group Charter provides the formal written statement of the aims, principles, and procedures of the working group. ML13093A047 Primary Office Owner Policies, Standards, and Training Approvals Signature Responsible SITSO Kathy Lyons-Burke /RA/ 4/ 3 /13 DAA for Non-Major IT Investments Director, CSO Tom Rich /RA/ Jonathan Feibus for 4/ 3 /13 Date Director, OIS Jim Flanagan /RA/ 4/ 3 / 13

2 CHARTER FOR THE CSO ENTERPRISE SECURITY ARCHITECTURE WORKING GROUP Cyber security is an essential component of the NRC s Information Technology (IT) infrastructure, and is necessary to ensure the secure introduction and maintenance of technologies that support evolving mission and business objectives and to enable the agility that is required by the rapid advancement of technology. To provide the agency with a standardized, cost-effective, and secure framework for conducting mission and business operations, the Computer Security Office (CSO) has determined that development of an Enterprise Security Architecture (ESA), as part of the NRC Enterprise Architecture (EA), is necessary to improve the agency s overall cyber security posture. The CSO ESA Working Group (WG) Charter provides the formal written statement of the aims, principles, and procedures of the working group. 1 PURPOSE The purpose of the ESA-WG is to identify the architectural principles and requirements for NRC cyber security and to document those principles and requirements as the ESA component of the NRC EA. The NRC ESA shall be developed to: Provide the agency with a common, cost-effective security protection framework (including processes, procedures, and governance structures) that enables the infrastructure to securely support the introduction of new technologies that support agency mission and business objectives; Provide enterprise/programmatic requirements that allow business and IT communities to securely develop methods for producing and sharing information required to support NRC operations; Improve security information, enabling the provision of active information to manage, govern, and effectively report on and improve the security posture of the agency; and Provide cyber security requirements aligned with enterprise technology enablement standards such as the OMB 21st Century Digital Government and NRC Strategic Plans. 2 APPROACH The ESA-WG shall work to develop a consistent, well-defined ESA that supports the business and cyber security needs and objectives of the agency. The ESA-WG shall meet to identify, prioritize, and define security goals, business and functional requirements, processes and/or standards as needed to define the ESA. The ESA-WG meets to review current, proposed, and updates to cyber security architectural requirements. Meetings may occur on a bi-weekly basis or per another schedule deemed appropriate for the group. The ESA-WG will communicate requirements, approaches and other deliverables to NRC governance bodies, including the IT/IM Architecture Council, the Information Technology Board, and the IT/IM Portfolio Executive Council, on a periodic basis. The ESA-WG reviews proposed cyber security architectural requirements and makes recommendations concerning the requirements to the NRC Designated Approving Authority (DAA) for non-major IT investments. Recommendations may take the form of corrections,

3 CSO Enterprise Architecture Working Group Charter Page 2 additions (if specific requirements have been omitted), and requests to remove specific requirements. The ESA-WG shall establish Integrated Project Teams (IPTs) to support specific subject areas (e.g., network security, software assurance) of the ESA (see Section 4 Integrated Project Teams ). IPT subject areas shall be identified by the ESA-WG and IPTs established to develop proposed components of the ESA that address the subject areas. The ESA-WG shall determine whether the IPTs should operate concurrently, sequentially, or overlapping in time. IPTs shall present at ESA-WG meetings periodically to ensure alignment and to ensure issues are addressed to permit effective operation of each IPT. 3 ESA-WG COMPOSITION, ROLES, AND RESPONSIBILITIES Each member office except CSO shall submit the CSO-TEMP-3050, Enterprise Security Architecture Working Group Appointment Memo, to designate a technical representative to participate in the ESA-WG. 3.1 ESA-WG MEMBERSHIP The following NRC member offices shall be permanent voting members of the ESA-WG: 1) Computer Security Office (CSO) a) CSO representatives shall include the Senior Information Technology Security Officer (SITSO) for PST or his/her designee as the Chair and CSO voting member. 2) Office of Information Services (OIS) division where the EA role resides a) OIS shall be represented by one technical representative. 3) Regional Offices a) The Regional Offices shall be represented by one technical representative. This representative s role must include cyber security responsibilities of a technical nature. The representative shall be agreed upon collectively by all Regional Offices. Up to two non-permanent members from other NRC offices can be selected to participate in the ESA-WG. The involvement of program offices as non-permanent members is desired to provide a business and mission point of view to the working group. All members must have technical cyber security responsibilities at the agency as part of their job. The total number of ESA-WG members, to include permanent and non-permanent members, cannot exceed five. Each ESA-WG member may identify an alternate representative to participate in ESA-WG meetings and activities (including voting if the primary representative is not available). The alternate must meet the same requirements specified for the primary representative (e.g., must have technical cyber security responsibilities; must be part of a specific organization within the member office). A complete ESA-WG member listing, including non-permanent member offices, can be found on the CSO web site. The SITSO for PST must approve all changes to NRC member offices and office representatives. 3.2 ESA-WG VOTING Each ESA-WG member office, whether permanent or non-permanent, shall only have one vote. A population of over half of the ESA-WG member offices is required in order to create a quorum for voting to occur.

4 CSO Enterprise Architecture Working Group Charter Page 3 A simple majority of votes in favor of a deliverable is required in order for the document to proceed to the ISSO Forum for review and comment. All ISSO Forum comments are considered by the ESA-WG, and the ESA-WG shall provide a written comment response to the reviewer. The ESA-WG shall cast an additional vote to approve the resolution of the ISSO Forum comment(s) before the deliverable proceeds to the DAA for non-major IT investments for approval. If a tie occurs while voting, then the affected deliverable shall be tabled for discussion and set to be voted on for a second time during the next ESA-WG meeting. If a tie occurs during the second time that a deliverable is voted on, the ESA-WG Chair shall cast the tie-breaking vote. The intent of this tie-breaking process is to ensure that the ESA-WG is able to continue to move forward with a clear decision (approval or otherwise) on proposed deliverables. 3.3 ESA-WG ATTENDANCE Attendance at meetings may be in person or via teleconference. As situations dictate, documents may be voted on via . If a vote is taken during a meeting, a voting member must attend in person or via teleconference to vote; if a voting representative cannot attend and misses a vote, that representative may provide an with his/her stated position on the proposed deliverable after the vote is cast. Votes and comments are not anonymous, and comments supporting each member s vote are encouraged to inform the ESA-WG as to the rationale for support or opposition to a proposed deliverable. 3.4 ESA-WG ROLES AND RESPONSIBILITIES The following sections describe the roles and responsibilities associated with the ESA-WG ESA-WG CHAIR The CSO SITSO for PST or his/her designee serves as the ESA-WG Chair and provides vision, leadership, direction, and oversight of the ESA-WG. The ESA-WG Chair appoints the ESA-WG executive secretary from his/her staff, and facilitates the ESA-WG meetings. The ESA-WG Chair provides updates on relevant security events as they impact the IPTs, and facilitates the ESA-WG meetings. The ESA-WG Chair shall review the office membership of the ESA-WG on a periodic basis to adjust non-permanent member offices and/or member office representation. The ESA-WG Chair casts tie-breaking votes to enable progress by the ESA-WG ESA-WG EXECUTIVE SECRETARY The ESA-WG executive secretary is appointed by the Chair and serves as the PST point of contact for ESA-WG members. He/she performs the following functions: Arranges for meeting dates, space, and necessary conferencing services; Develops meeting agendas; Documents meeting minutes; Tallies votes; Compiles input received from the membership and provides the input to the Chair; and s information to ESA-WG members.

5 CSO Enterprise Architecture Working Group Charter Page ESA-WG MEMBER RESPONSIBILITIES Members are responsible for attending meetings, providing input, and voting on recommendations concerning: Enterprise-wide architectural requirements; Future state ( to-be ) architectural requirements; and Other documents as necessary (e.g., Analysis of Alternatives, Transition Plans), which support the operations of the ESA-WG and respective IPTs. 4 INTEGRATED PROJECT TEAMS The IPTs shall provide cyber security architecture requirements that support the IPT subject areas to the ESA-WG. Each IPT shall leverage resources developed during existing NRC efforts such as the Systems and Technology Analytical Research Team (START), the Standards Working Group (SWG), the Portfolio Councils, and other ongoing NRC IT modernization initiatives. In addition, the IPTs shall incorporate lessons learned from other federal government initiatives such as the Federal Enterprise Architecture (FEA). The SWG may serve as the ESA IPT for architecture related cyber security standards at the discretion of the ESA-WG Chair. In this case, the SWG Chair shall serve the role of the IPT Chair. 4.1 IPT MEMBERSHIP The following NRC member offices shall be permanent voting members of each IPT: 1) Computer Security Office (CSO) a) CSO representatives shall include the SITSO for PST or his/her designee as the Chair and CSO voting member. 2) Office of Information Services (OIS) a) OIS shall be represented by one technical representative. 3) Regional Offices a) The Regional Offices shall be represented by one technical representative. This representative s role must include cyber security responsibilities of a technical nature. The representative shall be agreed upon collectively by all Regional Offices. The IPT chair can select up to four non-permanent members from other NRC offices to participate in each IPT. Each IPT should contain members that have a level of technical expertise relevant to the subject area. All members must have technical cyber security responsibilities at the agency as part of their job. The total number of IPT members for each IPT, to include permanent and non-permanent members, cannot exceed seven. Each IPT member may identify an alternate representative to participate in IPT meetings and activities (including voting if the primary representative is not available). The alternate must meet the same requirements specified for the primary representative. ESA-WG members may also serve as IPT members. A complete member listing for each active IPT, including non-permanent member offices, can be found on the CSO web site. The SITSO for PST must approve all changes to NRC member offices and office representatives.

6 CSO Enterprise Architecture Working Group Charter Page IPT VOTING Each IPT member office, whether permanent or non-permanent, shall only have one vote. A population of over half of the IPT member offices is required in order to create a quorum for voting to occur. A simple majority of votes in favor of a deliverable is required in order for the document to proceed to the ESA-WG for review and comment. If a tie occurs while voting, then the affected deliverable shall be tabled for discussion and set to be voted on for a second time during the next IPT meeting. If a tie occurs during the second time that a document is voted on, the IPT Chair shall cast the tie-breaking vote. The intent of this tie-breaking process is to ensure that the IPT is able to continue to move forward with a clear decision (approval or otherwise) on proposed deliverables. 4.3 IPT ATTENDANCE Attendance at meetings may be in person or via teleconference. As situations dictate, documents may be voted on via . If a vote is taken during a meeting, a voting member must attend in person or via teleconference to vote; if a voting representative cannot attend and misses a vote, that representative may provide an with his/her stated position on the proposed deliverable after the vote is cast. Votes and comments are not anonymous, and comments supporting each member s vote are encouraged to inform the IPT as to the rationale for support or opposition to a proposed deliverable. 4.4 IPT ROLES AND RESPONSIBILITIES Each IPT shall be responsible for developing and delivering cyber security architectural requirements for designated subject areas to the ESA-WG. IPTs may lead or assist the ESA-WG with the development of future ( to-be ) capabilities and requirements. IPTs may produce other documents including whitepapers, guidance, processes, and other documents, as needed, pertaining to the ESA subject area(s) IPT CHAIR The CSO SITSO for PST or his/her designee serves as the IPT Chair and provides vision, leadership, direction, and oversight of the IPT. The IPT Chair provides updates on relevant security events as they impact the IPTs, and facilitates the IPT meetings. The IPT Chair shall review the office membership of the IPT on a periodic basis to adjust non-permanent member offices and/or member office representation. The IPT Chair casts tie-breaking votes to enable progress by the IPT. 5 ADMINISTRATIVE CHANGES TO DOCUMENTS ESA-WG voting and approval is not required for administrative changes to ESA-WG approved documents. Administrative changes include, but are not limited to, updates for the following: Errors; Formatting; Grammar;

7 CSO Enterprise Architecture Working Group Charter Page 6 Spelling; References to other documents (e.g., references to another NRC standard, process, or template; references to external standards or architectural frameworks); Addition of or changes to Uniform Resource Locators (URLs); and Names and signatures associated with NRC positions when different individuals are appointed to those positions. 6 CHARTER REVIEW AND REVISION The ESA-WG Charter will be reviewed at least annually. If an update to the ESA-WG Charter is required, the update must be voted on and approved subject to the voting process described in Section 3.2, ESA-WG VOTING.

8 CSO Enterprise Architecture Working Group Charter Page 7 7 ESA-WG CHARTER CHANGE HISTORY Date Version Description of Changes 14-Mar Initial version