HHS Information System Security Controls Catalog V 1.0


Table of Contents

DOCUMENT HISTORY
1. Purpose
2. Security Controls Scope
3. Security Controls Compliance
4. Security Controls Catalog Ownership
5. Security Framework
   Security Class Areas
   Core Principles of Information Security
   Defining Potential Impact on Organizations and Individuals
6. Security Controls
   6.1 Management Controls
      6.1.1 (CA) Security Assessment and Authorization Policy and Its Controls
      6.1.2 (PL) Planning Policy and Its Controls
      6.1.3 (PM) Program Management Policy and Its Controls
      6.1.4 (RA) Risk Assessment Policy and Its Controls
      6.1.5 (SA) System and Services Acquisition Policy and Its Controls
   6.2 Operational Controls
      6.2.1 (AT) Awareness and Training Policy and Its Controls
      6.2.2 (CM) Configuration Management Policy and Its Controls
      6.2.3 (CP) Contingency Planning Policy and Its Controls
      6.2.4 (IR) Incident Response Policy and Its Controls
      6.2.5 (MA) Maintenance Policy and Its Controls
      6.2.6 (MP) Media Protection Policy and Its Controls
      6.2.7 (PE) Physical and Environmental Protection Policy and Its Controls
      6.2.8 (PS) Personnel Security Policy and Its Controls
      6.2.9 (SI) System and Information Integrity Policy and Its Controls
   6.3 Technical Controls
      6.3.1 (AC) Access Policy and Its Controls
      6.3.2 (AU) Audit and Accountability Policy and Its Controls
      6.3.3 (IA) Identification and Authentication Policy and Its Controls
      6.3.4 (SC) System and Communications Protection Policy and Its Controls
   6.4 Privacy Controls
      6.4.1 (AP) Authority and Purpose Policy and Its Controls
      6.4.2 (AR) Accountability, Audit, and Risk Management Policy and Its Controls
      6.4.3 (DI) Data Quality and Integrity Policy and Its Controls
      6.4.4 (DM) Data Minimization and Retention Policy and Its Controls
      6.4.5 (IP) Individual Participation and Redress Policy and Its Controls
      6.4.6 (SE) Security Policy and Its Controls
      6.4.7 (TR) Transparency Policy and Its Controls
      6.4.8 (UL) Use Limitation Policy and Its Controls
Security Controls Catalog Exceptions

Appendix A - Information Systems Security Controls Catalog. Last Revision Date: 03/11/13. Page 2 of 84

DOCUMENT HISTORY

Revision History

Numbering convention: Version.Revision as n.xx. Pre-publication drafts are 0.xx; the first published version is 1.00; for minor revisions to a published document, increment the decimal number (e.g. 1.01); for major content upgrades to a published document, increment the leading whole number (e.g. 2.00).

Revision   Date   Description
                  First published version of the document, distributed by the Office of the Chief Information Security Officer (CISO).

1. Purpose

The security controls contained in this document are the safeguards or countermeasures that, when implemented and enforced, satisfy the information security requirements defined in the Enterprise Information Security Standards and Guidelines (EISSG v5.1). A comprehensive set of security controls protects not only information and systems but also individual employees and the organization as a whole. As such, these security controls represent the organization's strong commitment to information systems security.

2. Security Controls Scope

All employees, contractors, and third-party users, and all physical, software, and information assets (whether standalone or attached to the local and wide area networks) that store, process, or transmit data, as well as all services that support or otherwise handle those physical, software, and information assets, are required to comply with the information systems security controls contained in this document.

3. Security Controls Compliance

Compliance with the security controls contained in this catalog is mandatory. Reviews to ensure compliance are undertaken at established intervals using authorized methods. Noncompliance is managed according to published security controls.

4. Security Controls Catalog Ownership

The CISO is the sponsor and issuing authority for this Information Systems Security Controls Catalog.

5. Security Framework

Security Class Areas

The security program makes extensive use of the information security guidance found in the National Institute of Standards and Technology (NIST) Special Publication (SP), Revision 3, and its Appendix J. This guidance has been adapted to the organization's unique environment and provides the fundamental security principles on which this security control framework is built.

The security program framework is divided into four program class areas: Management, Operational, Technical, and Privacy. Each class area is further divided into a set of security control families. There are 26 control families in total, each producing a high-level security policy. Each family has a two-letter identifier that is the prefix of the control number; see the column labeled Family in Table 1 on page 5.

Management Class Area: Focuses on policies that relate to the management of risk and the management of the security program. This class consists of five security policies: Security Assessment and Authorization, Planning, Program Management, Risk Assessment, and System Services and Acquisition.

Operational Class Area: Focuses on policies that are primarily implemented and executed by people rather than by the information system. This class consists of nine security policies: Awareness and Training, Configuration Management, Contingency Planning, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Personnel Security, and System and Information Integrity.

Technical Class Area: Focuses on policies that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. This class consists of four security policies: Access, Audit and Accountability, Identification and Authentication, and System and Communications Protection.

Privacy Class Area: Focuses on policies that define the administrative, technical, and physical safeguards employed to protect Restricted and Confidential Information.

Each security policy has a number of supporting security controls that, when implemented and enforced, satisfy the requirements of the policy. There are 197 controls in total, including the security and privacy controls.

Table 1 Organization of Policies and Controls

Class Area    Item  Family  Policy Family                                                                                         Number of Security Controls
Management    1.    CA      Security Assessment and Authorization (formerly Certification, Accreditation, and Security Assessment)   6
              2.    PL      Planning                                                                                               5
              3.    PM      Program Management                                                                                     11
              4.    RA      Risk Assessment                                                                                        4
              5.    SA      System Services and Acquisitions                                                                       11
Operational   6.    AT      Awareness and Training                                                                                 4
              7.    CM      Configuration Management                                                                               9
              8.    CP      Contingency Planning                                                                                   9
              9.    IR      Incident Response                                                                                      8
              10.   MA      Maintenance                                                                                            6
              11.   MP      Media Protection                                                                                       6
              12.   PE      Physical and Environmental Protection                                                                  18
              13.   PS      Personnel Security                                                                                     8
              14.   SI      System and Information Integrity                                                                       11
Technical     15.   AC      Access                                                                                                 16
              16.   AU      Audit and Accountability                                                                               13
              17.   IA      Identification and Authentication                                                                      8
              18.   SC      System and Communications Protection                                                                   21
Privacy       19.   AP      Authority and Purpose                                                                                  2
              20.   AR      Accountability, Audit, and Risk Management                                                             6
              21.   DI      Data Quality and Integrity                                                                             2
              22.   DM      Data Minimization and Retention                                                                        2
              23.   IP      Individual Participation and Redress                                                                   4
              24.   SE      Security                                                                                               2
              25.   TR      Transparency                                                                                           2
              26.   UL      Use Limitation                                                                                         3
TOTAL                                                                                                                              197

Table 1: Lists the four program class areas, the security policy families, and the number of controls in each family.

Figure 1 is a graphical representation of the information in Table 1.

[Figure 1 Security Framework: the Information Security Framework drawn as its four class areas, each listing its policies with the number of controls per family.
Management Class Area: Security Assessment and Authorization Policy (CA controls: 6); Planning Policy (PL controls: 5); Program Management Policy (PM controls: 11); Risk Assessment Policy (RA controls: 4); System Services and Acquisition Policy (SA controls: 11).
Operational Class Area: Awareness and Training Policy (AT controls: 4); Configuration Management Policy (CM controls: 9); Contingency Planning Policy (CP controls: 9); Incident Response Policy (IR controls: 8); Maintenance Policy (MA controls: 6); Media Protection Policy (MP controls: 6); Physical and Environmental Protection Policy (PE controls: 18); Personnel Security Policy (PS controls: 8); System and Information Integrity Policy (SI controls: 11).
Technical Class Area: Access Policy (AC controls: 16); Audit and Accountability Policy (AU controls: 13); Identification and Authentication Policy (IA controls: 8); System and Communications Protection Policy (SC controls: 21).
Privacy Class Area: Authority and Purpose Policy (AP controls: 2); Accountability, Audit, and Risk Management Policy (AR controls: 6); Data Quality and Integrity Policy (DI controls: 2); Data Minimization and Retention Policy (DM controls: 2); Individual Participation and Redress Policy (IP controls: 4); Security Policy (SE controls: 2); Transparency Policy (TR controls: 2); Use Limitation Policy (UL controls: 3).]

For the definition of each security control, see Section 5 on page 4.

Core Principles of Information Security

The selection and employment of appropriate security controls for an information system are important tasks that can have major implications for the operations and assets of an organization. Security controls are designed to prevent a breach of security by protecting the core principles of information security: the confidentiality, integrity, and availability of the system and its information.

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [44 U.S.C., Sec. 3542]. A loss of confidentiality is the unauthorized disclosure of information.

Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity [44 U.S.C., Sec. 3542]. A loss of integrity is the unauthorized modification or destruction of information.

Availability: Ensuring timely and reliable access to and use of information [44 U.S.C., Sec. 3542]. A loss of availability is the disruption of access to or use of information or an information system.

Defining Potential Impact on Organizations and Individuals

FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (a loss of confidentiality, integrity, or availability). The application of these definitions takes place within the context of each organization and the overall national interest. The potential impact is:

Low: when the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Moderate: when the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

High: when the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

The security program team, working with the Chief Information Security Officer (CISO), has determined that the information systems operating within the organization's environment are assigned a Security Category of Moderate Impact. The controls defined in this document are the minimum set of controls required to secure moderate impact information systems and are identified as the Minimum Baseline Security Controls for the organization's moderate impact information systems.
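The three impact levels above are applied per security objective, and FIPS 199 then takes the highest level across confidentiality, integrity, and availability (the "high-water mark") as the system's overall security category. The following Python is an added worked example, not part of the catalog: it encodes the catalog's Low/Moderate/High definitions, aggregates across several information types handled by one system (a FIPS 199 step the catalog does not spell out), and checks whether the resulting category is one this catalog's moderate baseline is the minimum for. The system and information-type names are constructed.

```python
"""FIPS 199 security categorization by high-water mark (added example, not catalog text)."""
from enum import IntEnum
from typing import Dict, Iterable, Optional, Tuple

class Impact(IntEnum):
    """Potential impact levels as defined in the catalog (FIPS 199)."""
    LOW = 1        # limited adverse effect
    MODERATE = 2   # serious adverse effect
    HIGH = 3       # severe or catastrophic adverse effect

OBJECTIVES = ("confidentiality", "integrity", "availability")

def parse_impact(value: str) -> Impact:
    """Map 'low' / 'Moderate' / ' HIGH ' (any case, any padding) to an Impact level."""
    try:
        return Impact[value.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown impact level: {value!r}") from None

def high_water_mark(levels: Iterable[Impact]) -> Impact:
    """FIPS 199 rule: the overall level is the maximum of the component levels."""
    return max(levels)

def categorize_system(info_types: Dict[str, Tuple[str, str, str]]) -> Tuple[Dict[str, Impact], Impact]:
    """Categorize a system from the (C, I, A) impact of each information type it handles.

    FIPS 199 first takes the high-water mark per objective across all information
    types, then the high-water mark across the three objectives.
    Returns (per-objective levels, overall level).
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_objective: Dict[str, Impact] = {}
    for idx, objective in enumerate(OBJECTIVES):
        per_objective[objective] = high_water_mark(
            parse_impact(levels[idx]) for levels in info_types.values())
    return per_objective, high_water_mark(per_objective.values())

def format_category(system: str, per_objective: Dict[str, Impact], overall: Impact) -> str:
    """Render the category in the FIPS 199 notation SC system = {(objective, impact), ...}."""
    parts = ", ".join(f"({o}, {per_objective[o].name.title()})" for o in OBJECTIVES)
    return f"SC {system} = {{{parts}}} -> {overall.name.title()} impact"

def catalog_baseline_sufficient(overall: Impact) -> bool:
    """The catalog states its controls are the minimum baseline for Moderate systems;
    a Low system is covered by that baseline, a High system needs controls beyond it."""
    return overall <= Impact.MODERATE

if __name__ == "__main__":
    # Constructed sample: a benefits portal handling two information types.
    sample = {
        "eligibility records (PII)": ("moderate", "moderate", "low"),
        "public program brochures": ("low", "low", "low"),
    }
    levels, overall = categorize_system(sample)
    print(format_category("benefits-portal", levels, overall))
    print("covered by this catalog's baseline:", catalog_baseline_sufficient(overall))
```

Because `Impact` is an `IntEnum`, `max()` gives the high-water mark directly; the per-objective breakdown is kept because a Moderate overall category can hide a Low availability requirement that still matters when tailoring contingency controls.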

6. Security Controls

Section 5 lists all of the security controls that could be used to protect the information systems that process, store, or transmit data. A subsection contains the controls for each program class area: 6.1 Management, 6.2 Operational, 6.3 Technical, and 6.4 Privacy. Table 2 is an example of a control table. Table 3 explains the information in the control tables.

Table 2 Example of Controls Table

Control: CM-7 (1) Least Functionality
Description of Control: The organization configures the information systems to provide only essential capabilities and specifically prohibits or restricts the use of functions, ports, protocols, and/or services.
(1) Reviews information systems annually to identify and eliminate unnecessary functions, ports, protocols, and/or services.
{i} A list of specifically needed system services, ports, and network protocols should be maintained and documented in the system security plan; all others are disabled. Any functions installed by default that are not required by the information systems are disabled. Services and/or software that are not needed should not be present on the server.

Table 3 How to Read the Controls Tables

Column: Control Number, composed of
   AA: Two-letter family identifier that specifies the policy the control belongs to.
   -#: Arbitrary sequential number that makes each control unique.
   (#): One or more control enhancements that are defined in the Description of Control column.
Example from Table 2: CM-7 (1)

Column: Control Name
Definition: A unique descriptive name for each specific control.
Example from Table 2: Least Functionality

Column: Priority
Definition: P1 through P3; see Table 30.
Example from Table 2: Not applicable

Column: Description of Control
Definition: The specific criteria for the control that are testable and auditable and that, when implemented and enforced, mitigate the risks and threats to the information system.
Example from Table 2: The organization configures the information systems to provide only essential capabilities and specifically prohibits or restricts the use of functions, ports, protocols, and/or services.

Column: (#) Control Enhancement
Definition: A control enhancement that adds extra security control criteria to make the control more robust.
Example from Table 2: (1) Reviews information systems annually to identify and eliminate unnecessary functions, ports, protocols, and/or services.

Column: Additional Criteria
Definition: Provides instructions from authoritative sources to the control owner on how to implement the control. [i] marks criteria from the IRS Publication; the criteria are preceded by [ and Roman numerals and followed by ]. {i} marks criteria from the Centers for Medicare and Medicaid Services (CMS); the criteria are preceded by { and Roman numerals and followed by }.
Example from Table 2: {i} A list of specifically needed system services, ports, and network protocols should be maintained and documented in the system security plan; all others are disabled. Any functions installed by default that are not required by the information systems are disabled. Services and/or software that are not needed should not be present on the server.
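The CM-7 {i} criterion used as the example in Tables 2 and 3 turns into a concrete, repeatable check: reconcile the list of needed services, ports, and protocols documented in the system security plan against what a host is actually listening on. The following Python is an added example, not part of the catalog or any HHS tooling. The SSP excerpt and the listener output (in the shape printed by `ss -lntu`: Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) are constructed samples, and the "name proto/port" SSP line format is an assumption.

```python
"""Least functionality reconciliation for CM-7 {i} (added example, not catalog text)."""
import re
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]  # (protocol, port)

# Constructed SSP excerpt: one needed service per line as "name proto/port".
SSP_ALLOWLIST_TEXT = """\
# Needed services for web-tier hosts (constructed sample)
ssh   tcp/22
https tcp/443
ntp   udp/123
"""

# Constructed listener output in the shape printed by `ss -lntu`.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      511    *:443              *:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
"""

ALLOW_RE = re.compile(r"^(\S+)\s+(tcp|udp)/(\d+)$")

def parse_allowlist(text: str) -> Dict[Endpoint, str]:
    """Return {(proto, port): service_name} from the SSP service list; '#' starts a comment."""
    allowed: Dict[Endpoint, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable SSP entry: {raw!r}")
        allowed[(m.group(2), int(m.group(3)))] = m.group(1)
    return allowed

def parse_listeners(text: str) -> Dict[Endpoint, Set[str]]:
    """Return {(proto, port): {bound addresses}} from ss-style output (header row skipped)."""
    listeners: Dict[Endpoint, Set[str]] = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles 0.0.0.0:22, *:443 and [::]:22
        listeners.setdefault((proto, int(port)), set()).add(addr)
    return listeners

def least_functionality_findings(allowed: Dict[Endpoint, str],
                                 listeners: Dict[Endpoint, Set[str]]) -> List[str]:
    """Report listeners absent from the SSP, then SSP services that are not running."""
    findings = []
    for (proto, port), addrs in sorted(listeners.items()):
        if (proto, port) not in allowed:
            findings.append(f"NOT IN SSP: {proto}/{port} bound on "
                            f"{', '.join(sorted(addrs))} - disable or document")
    for (proto, port), name in sorted(allowed.items()):
        if (proto, port) not in listeners:
            findings.append(f"LISTED BUT NOT RUNNING: {name} {proto}/{port} - confirm still needed")
    return findings

if __name__ == "__main__":
    for finding in least_functionality_findings(parse_allowlist(SSP_ALLOWLIST_TEXT),
                                                parse_listeners(SS_OUTPUT)):
        print(finding)
```

Loopback-bound listeners (127.0.0.1:631 in the sample) are deliberately reported too: CM-7 {i} says everything not on the documented list is disabled, and a loopback service is still installed software that is not needed on the server. The second pass catches the opposite drift, where the SSP lists a service nobody runs any more, so the annual CM-7 (1) review can shrink the list.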

6.1 Management Controls

The Management program class of controls (safeguards or countermeasures) for an information system is focused on the management of risk and the management of information system security. This class has five control families: Security Assessment and Authorization (CA), Planning (PL), Program Management (PM), Risk Assessment (RA), and System and Services Acquisition (SA).

6.1.1 (CA) Security Assessment and Authorization Policy and Its Controls

Policy: The organization requires that (i) an initial assessment of the security controls for key information systems is performed to determine if the controls are effective in their application; (ii) controls are monitored on an ongoing basis to ensure their continued effectiveness; (iii) information systems containing potential vulnerabilities due to deficiencies in their controls are documented and acknowledged by the CISO and/or his designee; and (iv) plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities are developed and implemented.

Table 4 lists the Security Assessment and Authorization (CA) controls for moderate impact systems.

Table 4 Security Assessment and Authorization Controls Policy

CA-1 Security Assessment and Authorization Policies and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.

CA-2 (1) Security Assessments
a. Develops a security assessment plan that describes the scope of the assessment, including:
   - Security controls and control enhancements under assessment;
   - Assessment procedures to be used to determine security control effectiveness;
   - Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in information systems annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment in writing to the authorizing official, who is responsible for reviewing the assessment documentation.
(1) Employs an independent assessor or assessment team to conduct an assessment of the security controls in the information systems.
{i} A security assessment of all security controls must be conducted for all newly implemented systems.
{ii} The system owner notifies the appropriate personnel, as defined in the applicable business requirement document and change requests, whenever updates are made to system security authorization artifacts or significant role changes occur (e.g., system developer/maintainer, information system security analyst).

CA-3 Information System Connections
a. Authorizes connections from the information systems to other information systems outside of the authorization boundary through the use of Data Sharing Agreements;
b. Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Monitors the component connections on an ongoing basis, verifying enforcement of security requirements.
{i} Record each system interconnection in the Information Systems Security Plan document and the Information Systems Security Risk Assessment document for the component that is connected to the remote location.

CA-5 Plan of Action and Milestones
a. Develops a plan of action and milestones (POA&M) for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates and submits the existing POA&M on a monthly basis until all findings are resolved, based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.

CA-6 Security Authorization
a. Identifies the CISO, Agency IRM, and Agency ISOs as the approving officials for the environment;
b. Ensures that the approving official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization:
   - At least annually for high risk assets;
   - When substantial changes are made to the system;
   - When changes in requirements result in the need to process data of a higher sensitivity;
   - When changes occur to authorizing legislation or federal/state requirements;
   - After the occurrence of a serious security violation which raises questions about the validity of an earlier security authorization; and
   - Prior to expiration of a previous security authorization.

CA-7 Continuous Monitoring
The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for the organization's information systems and their constituent components;
b. A determination of the security impact of changes to information systems and the environment of operation;
c. Ongoing security control assessments in accordance with the continuous monitoring strategy; and
d. Reporting the security state of the information systems to appropriate organizational officials annually.

6.1.2 (PL) Planning Policy and Its Controls

Policy: The organization requires the development, documentation, periodic update, and implementation of security plans for information systems within its environment. The organization requires that those security plans describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Table 5 lists the Planning (PL) controls for moderate impact systems.

Table 5 Planning Controls Policy

PL-1 Security Planning Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

PL-2 System Security Plan
a. Develops security plans for information systems that:
   - Are consistent with the organization's enterprise architecture;
   - Explicitly define the authorization boundary for the information systems;
   - Describe the operational context of information systems in terms of missions and business processes;
   - Provide the security categorization of the information systems, including supporting rationale;
   - Describe the operational environment for information systems;
   - Describe relationships with or connections to other information systems;
   - Provide an overview of the security requirements for the information systems;
   - Describe the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplementation decisions; and
   - Are reviewed and approved by the authorizing official or a designated representative prior to plan implementation.
b. Reviews the security plan for information systems annually; and
c. Updates the plan, minimally every three (3) years, to address current conditions or whenever:
   - There are significant changes to the information system/environment of operation that affect security;
   - Problems are identified during plan implementation or security control assessments;
   - The data sensitivity level increases;
   - A serious security violation occurs due to changes in the threat environment; or
   - The previous security authorization is about to expire.
{iii} (For IRS FTI only) Develop and submit a Safeguard Procedures Report (SPR) that describes the procedures established and used by the organization for ensuring the confidentiality of the information received from the IRS. This report is provided every six years or when significant changes occur in the safeguard program. A Safeguard Activity Report (SAR) advises the IRS of minor changes to the procedures or safeguards described in the SPR. It also advises the IRS of future actions that will affect the organization's current efforts to ensure the confidentiality of IRS FTI, and finally certifies that the organization is protecting IRS FTI pursuant to IRC Section 6103(p)(4) and the organization's own security requirements. This report is provided annually by September 30th. (Reference: IRS Publication 1075, sections 7 & 8.)

PL-4 Rules of Behavior
a. Establishes and makes readily available to all users the rules that describe their responsibilities and expected behavior with regard to information, the information system, and network use (Reference: Acceptable Use Policy (AUP)); and
b. Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to information and the information system (Reference: Computer Use Agreement (CUA)).

PL-5 Privacy Impact Assessment (Priority: P3)
The organization conducts a privacy impact assessment on information systems in accordance with the OMB Memorandum.

PL-6 Security-Related Activity Planning (Priority: P3)
The organization plans and coordinates security-related activities affecting the information systems before conducting such activities in order to reduce the impact on operations (e.g., its mission, functions, image, and reputation), assets, and individuals.

6.1.3 (PM) Program Management Policy and Its Controls

Policy: The organization employs information security requirements that are independent of any particular information system and considered essential for managing the security program.

Table 6 lists the Program Management (PM) controls for moderate impact systems.

Table 6 Program Management Controls Policy

PM-1 Information Security Program Plan
a. Develops and disseminates an organization-wide information system security program plan that:
   i. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
   ii. Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations, either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
   iii. Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
   iv. Is approved by the CISO, Agency IRM, and ISO with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, and individuals.
b. Reviews the organization-wide information security program plan annually; and
c. Revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.

PM-2 Senior Information Security Officer
The organization appoints a Chief Information Security Officer (CISO) with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

PM-3 Information Security Resources
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program, and documents all exceptions to this requirement;
b. Employs a business case and/or Exhibit 300/Exhibit 53 to record the resources required (Ref: SA-2); and
c. Ensures that information security resources are available for expenditure as planned.

PM-4 Plan of Action and Milestones Process
The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations, assets, and individuals.

PM-5 Information System Inventory
The organization develops and maintains inventories of Agency information systems.

PM-6 Information Security Measures of Performance
The organization develops, monitors, and reports on the results of information security measures of performance.

PM-7 Enterprise Architecture
The organization develops an enterprise architecture with consideration for information security and the resulting risk to operations, assets, and individuals.

PM-8 Critical Infrastructure Plan
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

PM-9 Risk Management Strategy
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, and to individuals, associated with the operation and use of information systems; and
b. Implements that strategy consistently across the organization.

PM-10 Security Authorization Process
a. Manages (i.e., documents, tracks, and reports) the security state of information systems through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into the organization-wide risk management program.

PM-11 Mission/Business Process Definition
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, and individuals; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary until an achievable set of protection needs is obtained.
[i] (For Federal Tax Information (FTI) only) Organizations are not allowed to make further disclosures of FTI to their agents or to a contractor unless authorized by statute. (See IRS Publication 1075, Section 11.1.)

6.1.4 (RA) Risk Assessment Policy and Its Controls

Policy: The organization requires that risks to operations (including its mission, functions, image, or reputation), assets, and individuals, resulting from the operation of information systems and the associated processing, storage, or transmission of information, are assessed.

Table 7 lists the Risk Assessment (RA) controls for moderate impact systems.

Table 7 Risk Assessment Controls Policy

RA-1 Risk Assessment Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.

RA-2 Security Categorization
a. Categorizes information and information systems in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the system security plan for the information system; and
c. Ensures the security categorization decision is reviewed and approved by the approving official or a designated representative.

RA-3 Risk Assessment
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information systems and the information they process, store, or transmit;
b. Documents risk assessment results in a risk assessment report;
c. Reviews risk assessment results annually; and
d. Updates the risk assessment annually or whenever there are significant changes to information systems or the environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security or authorization state of the system.
[i] Risk assessment should be conducted for the information system based on the Agency-defined methodology, which includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, modification, or destruction of the information system and the information it processes, stores, or transmits.

Table 7 Risk Assessment Controls (continued)

RA-5 (1) Vulnerability Scanning
a. Scans for vulnerabilities in the environment at least once every ninety (90) days and when new vulnerabilities potentially affecting the components are identified and reported;
b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
- Enumerating platforms, software flaws, and improper configurations;
- Formatting and making transparent checklists and test procedures;
- Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities based on the Agency-defined risk prioritization in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization on a "need to know" basis to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
(1) Employs vulnerability scanning tools that include the capability to readily update the list of component vulnerabilities scanned.
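The scan cadence, analysis, risk-based remediation and information-sharing steps of RA-5 above, as an added example that is not part of the catalog: a small Python triage over constructed scanner output that flags components past the ninety-day window, orders legitimate findings by an assumed sensitivity-weighted CVSS prioritization, and lists flaws recurring across components. The sensitivity weights, component names and placeholder flaw identifiers are assumptions for the example, not catalog values.

```python
"""Added example (not part of the HHS catalog): checking RA-5 scan cadence and
ordering remediation by an assumed risk prioritization.

Each finding record mimics what a SCAP-capable scanner exports: the platform,
the flaw identifier, the CVSS base score and the scan date. All data below is
constructed; the flaw identifiers are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SCAN_INTERVAL = timedelta(days=90)  # RA-5(a): scan at least every ninety days

# Assumed Agency-defined prioritization: weight CVSS by data sensitivity.
# These weights are an assumption for the example, not catalog values.
SENSITIVITY_WEIGHT = {"FTI": 1.5, "PHI": 1.4, "Medicaid": 1.3, "Public": 1.0}


@dataclass(frozen=True)
class Finding:
    component: str      # platform / asset identifier (constructed)
    flaw_id: str        # placeholder flaw identifier (constructed)
    cvss_base: float    # "measuring vulnerability impact" score, 0.0 to 10.0
    sensitivity: str    # data category the component handles
    scanned_on: date
    false_positive: bool = False  # set during analysis under RA-5(c)


@dataclass(frozen=True)
class ScanRecord:
    """Last completed scan per component."""
    component: str
    scanned_on: date


def overdue_components(records, today):
    """Return components whose last scan is older than SCAN_INTERVAL,
    mapped to the number of days they are past due (RA-5(a))."""
    result = {}
    for r in records:
        age = today - r.scanned_on
        if age > SCAN_INTERVAL:
            result[r.component] = (age - SCAN_INTERVAL).days
    return result


def risk_score(f):
    """Assumed prioritization: CVSS base score scaled by data sensitivity,
    capped at 10 so scores stay comparable across components."""
    weight = SENSITIVITY_WEIGHT.get(f.sensitivity, 1.0)
    return min(10.0, round(f.cvss_base * weight, 2))


def remediation_queue(findings):
    """Order legitimate findings for remediation (RA-5(d)). Findings marked as
    false positives during analysis are skipped, not deleted: the analysis
    record is what justifies leaving them out of the queue."""
    legit = [f for f in findings if not f.false_positive]
    return sorted(legit, key=lambda f: (-risk_score(f), f.component, f.flaw_id))


def systemic_flaws(findings, min_components=2):
    """Flaw identifiers present on several components: the kind of systemic
    weakness RA-5(e) says should be shared with other system owners."""
    seen = {}
    for f in findings:
        if not f.false_positive:
            seen.setdefault(f.flaw_id, set()).add(f.component)
    return {flaw: sorted(c) for flaw, c in seen.items() if len(c) >= min_components}


# Constructed sample data (assumed dates relative to the catalog's revision date)
TODAY = date(2013, 3, 11)
SCANS = [
    ScanRecord("db-fti-01", date(2013, 1, 15)),    # 55 days old: inside the window
    ScanRecord("web-phi-02", date(2012, 11, 1)),   # 130 days old: 40 days overdue
    ScanRecord("kiosk-pub-03", date(2013, 3, 1)),  # 10 days old
]
FINDINGS = [
    Finding("db-fti-01", "CVE-XXXX-0001", 7.5, "FTI", date(2013, 1, 15)),
    Finding("web-phi-02", "CVE-XXXX-0001", 7.5, "PHI", date(2012, 11, 1)),
    Finding("web-phi-02", "CVE-XXXX-0002", 9.8, "PHI", date(2012, 11, 1), True),
    Finding("kiosk-pub-03", "CVE-XXXX-0003", 6.1, "Public", date(2013, 3, 1)),
]

if __name__ == "__main__":
    print("overdue:", overdue_components(SCANS, TODAY))
    for f in remediation_queue(FINDINGS):
        print(f"{risk_score(f):5.2f} {f.component:14} {f.flaw_id}")
    print("systemic:", systemic_flaws(FINDINGS))
```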

6.1.5 (SA) System and Services Acquisition Policy and Its Controls

Policy: The organization (i) requires sufficient allocation of resources to adequately protect information systems; (ii) employs system development life cycle processes that incorporate information security considerations; (iii) employs software usage and installation restrictions; and (iv) requires that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from it. Table 8 lists the System and Services Acquisition (SA) controls for moderate impact systems.

Table 8 System and Services Acquisition Controls (Control, Policy, Description of Control)

SA-1 System and Services Acquisition Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

SA-2 Allocation of Resources
a. Includes a determination of information security requirements for the information systems in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information systems as part of its capital planning and investment control process; and
c. Establishes a discrete line item in programming and budgeting documentation for the implementation and management of information systems security.

SA-3 Life Cycle Support
a. Manages the information systems using a system development life cycle methodology that includes information security considerations;
b. Defines and documents component security roles and responsibilities throughout the system development life cycle; and
c. Identifies individuals having component security roles and responsibilities.

Table 8 System and Services Acquisition Controls (continued)

SA-4 (1) (4) Acquisitions
The organization includes the following requirements and/or specifications, explicitly or by reference, in component acquisition contracts based on an assessment of risk and in accordance with applicable federal/state laws, executive orders, directives, policies, regulations, and standards:
a. Security functional requirements/specifications;
b. Security-related documentation requirements; and
c. Developmental and evaluation-related assurance requirements.
(1) Requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.
(4) Ensures that each component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.
{i} Each contract and Statement of Work (SOW) that requires development or access to information includes language requiring adherence to security policies and standards, defines security roles and responsibilities, and receives approval from the CISO, the Agency IRM and the Agency ISOs.

Table 8 System and Services Acquisition Controls (continued)

SA-5 (1) (3) Information System Documentation (P3)
a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
- Secure configuration, installation, and operation of the information system;
- Effective use and maintenance of security features/functions; and
- Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains, protects as required, and makes available to authorized personnel, user documentation for the information systems that describes:
- User-accessible security features/functions and how to effectively use those security features/functions;
- Methods for user interaction with the information system, which enable individuals to use the system in a more secure manner; and
- User responsibilities in maintaining the security of the information and information system; and
c. Documents attempts to obtain component documentation when such documentation is either unavailable or nonexistent.
(1) Obtains, protects as required, and makes available to authorized personnel vendor/manufacturer documentation that describes the functional properties of the security controls employed within information systems with sufficient detail to permit analysis and testing.
(3) Obtains, protects as required, and makes available to authorized personnel vendor/manufacturer documentation that describes the high-level design of the information systems in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
{i} Develop and update system documentation as necessary to describe the system and to specify the purpose, technical operation, access, maintenance, and required training for administrators and users.
{ii} Update documentation when system functions and processes change, and include the date and version number on all formal system documentation.
{iii} (For Protected Health Information (PHI) only) Retain documentation of policies and procedures relating to HIPAA for six (6) years from the date of its creation or the date when it was last in effect, whichever is later. (See HIPAA (b) and SP 800-66.)
{iv} (For Federal Tax Information (FTI) only) When FTI is incorporated into a data warehouse, apply the controls described in IRS Publication 1075, Exhibit 7, in addition to those specified in other controls.

Table 8 System and Services Acquisition Controls (continued)

SA-6 Software Usage Restrictions
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

SA-7 User-Installed Software
Enforces explicit rules governing the installation of software by users.
{i} Prohibits users from downloading or installing software unless explicitly authorized, in writing, by the Agency IRM, the ISO, or the CISO or his/her designated representative. If authorized, explicit rules govern the installation of software by users.
{ii} If user-installed software is authorized, enforce the documented authorizations and prohibitions.

SA-8 Security Engineering Principles
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the networking, operating system, and database components.
[i] A documented set of security design principles and coding standards exists and shall be followed by developers.
[ii] The documented set of security design principles shall be consistent with NIST SP.
[iii] The design documentation covers many aspects of the design but also documents the minimal security requirements for FTI, external interfaces, roles, access for the roles defined, and any unique security requirements.

Table 8 System and Services Acquisition Controls (continued)

SA-9 External Information System Services
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Monitors security control compliance by external service providers.
{i} Prohibits service providers from outsourcing any system function outside the U.S. or its territories for Medicaid data.
{ii} (For Protected Health Information (PHI) only) A covered entity under HIPAA may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with HIPAA regulations. Such assurances must be documented and meet the requirements set forth in HIPAA regulations. (See HIPAA (b) and (a).)

SA-10 Developer Configuration Management
The organization requires that developers/integrators:
a. Perform configuration management during information system design, development, implementation, and operation;
b. Manage and control changes to information systems;
c. Implement only organization-approved changes;
d. Document approved changes to information systems; and
e. Track security flaws and flaw resolution.

SA-11 Developer Security Testing
The organization requires that information system component developers/integrators, in consultation with associated security personnel (including security engineers):
a. Create and implement a security test and evaluation plan in accordance with, but not limited to, the current procedures;
b. Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
c. Document the results of the security testing/evaluation and flaw remediation processes.
[i] Information systems should be tested for security flaws on a periodic basis using automated vulnerability scanning methods, manual control testing, or a combination of both.
[ii] Test results are documented, and security flaws found during the test should be entered into a tracking system and monitored for mitigation.
[iii] Agency systems/applications should be tested for security flaws prior to release in production using manual or automated techniques or a combination of both.

6.2 Operational Controls

The Operational class of controls (safeguards or countermeasures) for an information system consists primarily of controls that are implemented and executed by people, as opposed to systems. This class has nine control families: Awareness and Training (AT), Configuration Management (CM), Contingency Planning (CP), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical and Environmental Protection (PE), and System and Information Integrity (SI).

6.2.1 (AT) Awareness and Training Policy and Its Controls

Policy: The organization (i) requires that users of information systems are made aware of the security risks associated with their activities and of the applicable laws, executive orders, directives, policies, standards, instructions, regulations, or procedures related to the security of information systems; and (ii) requires that personnel comply with Agency security awareness training requirements. Table 9 lists the Awareness and Training (AT) controls for moderate impact systems.

Table 9 Awareness and Training Controls (Control, Policy, Description of Control)

AT-1 Security Awareness and Training Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

AT-2 Security Awareness
The organization verifies that users (including managers, senior executives, and contractors) receive basic security awareness training provided by C as part of initial training for new users prior to accessing any system's information, when required by system changes, and annually thereafter.

AT-3 Security Training
The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) as refresher training annually thereafter.

AT-4 Security Training Records
The organization:
a. Documents and monitors individual information system security training activities, including basic security awareness training and specific information system security training; and
b. Retains individual training records for three (3) years.

6.2.2 (CM) Configuration Management Policy and Its Controls

Policy: The organization (i) establishes and maintains baseline configurations and inventories of information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establishes and enforces security configuration settings for information technology products employed in information systems. Table 10 lists the Configuration Management (CM) controls for moderate impact systems.

Table 10 Configuration Management Controls (Control, Policy, Description of Control)

CM-1 Configuration Management Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

CM-2 (1) (3) (4) Baseline Configuration
a. Develops, documents, and maintains under configuration control a current baseline configuration of the information systems.
(1) Reviews and updates the baseline configuration of information systems: (a) at least once annually; (b) when required due to major system changes/upgrades; and (c) as an integral part of component installations and upgrades.
(3) Retains older versions of baseline configurations as deemed necessary to support rollback.
(4) (a) Develops and maintains an Agency-defined list of software programs not authorized to execute on the information system (black list). (b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on information security components.

CM-3 (2) Configuration Change Control
a. Determines the types of changes to the information systems that are configuration controlled;
b. Approves configuration-controlled changes to the system with explicit consideration for security impact analyses;
c. Documents approved configuration-controlled changes to the system;
d. Retains and reviews records of configuration-controlled changes to the system;
e. Audits activities associated with configuration-controlled changes to the system; and
f. Coordinates and provides oversight for configuration change control activities through a change control board that convenes at least monthly or as needed.
(2) The organization tests, validates, and documents changes to the system before implementing the changes on the operational system.

More information

Review of the SEC s Systems Certification and Accreditation Process

Review of the SEC s Systems Certification and Accreditation Process Review of the SEC s Systems Certification and Accreditation Process March 27, 2013 Page i Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy

More information

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7 PART 2006 - MANAGEMENT Subpart Z - Information Systems Security TABLE OF CONTENTS Sec. 2006.1251 Purpose. 2006.1252 Policy. 2006.1253 Definitions. 2006.1254 Authority. (a) National. (b) Departmental. 2006.1255

More information

FINAL Version 1.0 June 25, 2014

FINAL Version 1.0 June 25, 2014 CENTERS for MEDICARE & MEDICAID SERVICES Enterprise Information Security Group 7500 Security Boulevard Baltimore, Maryland 21244-1850 Risk Management Handbook Volume III Standard 7.2 FINAL Version 1.0

More information

Final Audit Report. Report No. 4A-CI-OO-12-014

Final Audit Report. Report No. 4A-CI-OO-12-014 U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S

More information

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS Department of Veterans Affairs VA Directive 6004 Washington, DC 20420 Transmittal Sheet September 28, 2009 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS 1. REASON FOR ISSUE: This Directive establishes

More information

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.2 9/28/11 INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) I. PURPOSE This directive

More information

FISMA NIST 800-53 (Rev 4) Shared Public Cloud Infrastructure Standards

FISMA NIST 800-53 (Rev 4) Shared Public Cloud Infrastructure Standards FISMA NIST 800-53 (Rev 4) Shared Public Cloud Infrastructure Standards NIST CONTROL CLOUDCHECKR SUPPORT ACTIVITY AC-2 ACCOUNT MANAGEMENT Control: The organization: a. Identifies and selects the following

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

FISMA Implementation Project

FISMA Implementation Project FISMA Implementation Project The Associated Security Standards and Guidelines Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive environment

More information

2012 FISMA Executive Summary Report

2012 FISMA Executive Summary Report 2012 FISMA Executive Summary Report March 29, 2013 UNITED STATES SECURITIES AND EXCHANGE COMMISSION WASHINGTON, D.C. 20549 OI'!'ICEOI' lnstfl! C1'0R GENERAt MEMORANDUM March 29,2013 To: Jeff Heslop, Chief

More information

FedRAMP Standard Contract Language

FedRAMP Standard Contract Language FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal

More information

EPA Classification No.: CIO-2150.3-P-02.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: 12-003 Review Date: 08/06/2015

EPA Classification No.: CIO-2150.3-P-02.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: 12-003 Review Date: 08/06/2015 Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY INTERIM AWARENESS AND TRAINING PROCEDURES V3.1 JULY 18, 2012 1. PURPOSE The purpose of this

More information

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance WHITE paper Complying with the Federal Information Security Management Act How Tripwire Change Auditing Solutions Help page 2 page 3 page 3 page 3 page 4 page 4 page 5 page 5 page 6 page 6 page 7 Introduction

More information

INFORMATION PROCEDURE

INFORMATION PROCEDURE INFORMATION PROCEDURE Information Security Awareness and Training Procedures Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY AWARENESS AND

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy

More information

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - 45 min Webinar: November 14th, 2014 The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - www.cunesoft.com Rainer Schwarz Cunesoft Holger Spalt ivigilance 2014 Cunesoft GmbH PART

More information

Recommended Security Controls for Federal Information Systems

Recommended Security Controls for Federal Information Systems NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Ron Ross Stu Katzke Arnold Johnson Marianne Swanson Gary Stoneburner George Rogers Annabelle Lee I N F O R

More information

Final Audit Report -- CAUTION --

Final Audit Report -- CAUTION -- U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management

More information

Audit of the Board s Information Security Program

Audit of the Board s Information Security Program Board of Governors of the Federal Reserve System Audit of the Board s Information Security Program Office of Inspector General November 2011 November 14, 2011 Board of Governors of the Federal Reserve

More information

INFORMATION TECHNOLOGY POLICY

INFORMATION TECHNOLOGY POLICY COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF PUBLIC WELFARE INFORMATION TECHNOLOGY POLICY Name Of : DPW Information Security and Privacy Policies Domain: Security Date Issued: 05/09/2011 Date Revised: 11/07/2013

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015 Cybersecurity Risk Management Activities Instructions Fiscal Year 2015 An effective risk management program and compliance with the Federal Information Security Management Act (FISMA) requires the U.S.

More information

DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK 6500.5 INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE

DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK 6500.5 INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK 6500.5 Washington, DC 20420 Transmittal Sheet March 22, 2010 INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE 1. REASON FOR ISSUE: This

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information

CONTINUOUS MONITORING

CONTINUOUS MONITORING CONTINUOUS MONITORING Monitoring Strategy Part 2 of 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring (CM) and how

More information

TITLE III INFORMATION SECURITY

TITLE III INFORMATION SECURITY H. R. 2458 48 (1) maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible; and (2) promote the development of interoperable

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. ELECTION ASSISTANCE COMMISSION EVALUATION OF COMPLIANCE WITH THE REQUIREMENTS OF THE FEDERAL INFORMATION SECURITY MANAGEMENT

More information

Security Compliance In a Post-ACA World

Security Compliance In a Post-ACA World 1 Security Compliance In a Post-ACA World Security Compliance in a Post-ACA World Discussion of building a security compliance framework as part of an ACA Health Insurance Exchange implementation. Further

More information

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:

More information

Compliance and Industry Regulations

Compliance and Industry Regulations Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy

More information

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Pennsylvania State System of Higher Education California University of Pennsylvania UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Version [1.0] 1/29/2013 Revision History

More information

Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection

Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection Understanding Compliance vs. Risk-based Information Protection 1 Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection Why risk analysis is crucial to HIPAA compliance and

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Bellingham Control System Cyber Security Case Study

Bellingham Control System Cyber Security Case Study Bellingham Control System Cyber Security Case Study Marshall Abrams Joe Weiss Presented at at 2007 Annual Computer Security Applications Conference Case Study Synopsis Examine actual control system cyber

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)

More information

Publication 4812. Contractor Security Controls

Publication 4812. Contractor Security Controls Publication 4812 Handling and Protecting Information or Information Systems ***This Publication Pertains to IT Assets Owned and Managed at Contractor Sites*** July 2014 Highlights of Publication 4812

More information

Audit of the Department of State Information Security Program

Audit of the Department of State Information Security Program UNITED STATES DEPARTMENT OF STATE AND THE BROADCASTING BOARD OF GOVERNORS OFFICE OF INSPECTOR GENERAL AUD-IT-15-17 Office of Audits October 2014 Audit of the Department of State Information Security Program

More information

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan

More information

How To Check If Nasa Can Protect Itself From Hackers

How To Check If Nasa Can Protect Itself From Hackers SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration

More information

CMS Policy for Configuration Management

CMS Policy for Configuration Management Chief Information Officer Centers for Medicare & Medicaid Services CMS Policy for Configuration April 2012 Document Number: CMS-CIO-POL-MGT01-01 TABLE OF CONTENTS 1. PURPOSE...1 2. BACKGROUND...1 3. CONFIGURATION

More information

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU) Privacy Impact Assessment (PIA) for the Cyber Security Assessment and Management (CSAM) Certification & Accreditation (C&A) Web (SBU) Department of Justice Information Technology Security Staff (ITSS)

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

United States Patent and Trademark Office

United States Patent and Trademark Office U.S. DEPARTMENT OF COMMERCE Office of Inspector General United States Patent and Trademark Office FY 2009 FISMA Assessment of the Patent Cooperation Treaty Search Recordation System (PTOC-018-00) Final

More information

HHS Enterprise. Information Security Standards and Guidelines EISSG v5.1

HHS Enterprise. Information Security Standards and Guidelines EISSG v5.1 HHS Enterprise Information Security Standards and Guidelines EISSG v5.1 March, 2013 Table of Contents Table of Contents... 2 Document History... 5 Revision History:... 5 Reviews... 6 Purpose... 7 Information

More information

Government of Canada Managed Security Services (GCMSS) Appendix D: Security Control Catalogue ITSG-33 - Annex 3 DRAFT 3.1

Government of Canada Managed Security Services (GCMSS) Appendix D: Security Control Catalogue ITSG-33 - Annex 3 DRAFT 3.1 Government of Canada Managed Security Services (GCMSS) Appendix D: Security Control Catalogue ITSG-33 - Annex 3 DRAFT 3.1 Date: June 15, 2012 Information Technology Security Guidance Guide to Managing

More information

Privacy Impact Assessment. For ecampus-based System (e/cb) Date: April 26, 2014. Point of Contact: Calvin Whitaker Calvin.Whitaker@ed.

Privacy Impact Assessment. For ecampus-based System (e/cb) Date: April 26, 2014. Point of Contact: Calvin Whitaker Calvin.Whitaker@ed. For ecampus-based System (e/cb) Date: April 26, 2014 Point of Contact: Calvin Whitaker Calvin.Whitaker@ed.gov System Owner: Keith Wilson Keith.Wilson@ed.gov Author: Calvin Whitaker Office of Federal Student

More information

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES

More information

OFFICE OF INSPECTOR GENERAL. Audit Report. Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security

OFFICE OF INSPECTOR GENERAL. Audit Report. Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security OFFICE OF INSPECTOR GENERAL Audit Report Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security Report No. 08-04 September 26, 2008 RAILROAD RETIREMENT BOARD INTRODUCTION

More information

DATA SECURITY AGREEMENT. Addendum # to Contract #

DATA SECURITY AGREEMENT. Addendum # to Contract # DATA SECURITY AGREEMENT Addendum # to Contract # This Data Security Agreement (Agreement) is incorporated in and attached to that certain Agreement titled/numbered and dated (Contract) by and between the

More information

CMS INFORMATION SECURITY (IS) CERTIFICATION & ACCREDITATION (C&A) PACKAGE GUIDE

CMS INFORMATION SECURITY (IS) CERTIFICATION & ACCREDITATION (C&A) PACKAGE GUIDE Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS INFORMATION SECURITY (IS) CERTIFICATION & ACCREDITATION (C&A) PACKAGE GUIDE August 25, 2009 Version

More information