History and Background



September 29, 2015

History and Background

State policy (SAM Section 5305.1) requires a plan of action and milestones but gives little to no direction or assistance.

The California Information Security Office (CISO) released a standardized tool for reporting (with procedures).

The POAM Tool is purposely simple to complete and submit.

History and Background

Data elements collected will be uniform.

The Department of Technology and the CISO will be able to aggregate the data and evaluate risks at several organizational levels: entity, agency, or statewide.

Data will reveal and categorize weaknesses by control/policy, by risk rating, by completion date, and others.

Mission: Simple, Meaningful, Temporary

Instructions and Use

Column B (NIST Families): Select from the drop-down the one NIST family that best describes the security audit finding, compliance deficiency, security risk, incident remediation activity, or other gap (henceforth referred to as "risk").

Column C (SAM & SIMM Policies): Select from the drop-down one of the SAM sections or sub-sections. Your selection in Column C must align with your selection in Column B.

Column E (Describe the Weakness or Area of Non-Compliance): Briefly describe the nature and characteristics of the risk.

Instructions and Use

Column F (Compensating Controls): Briefly describe any short- or long-term compensating controls in play.

Column G (Source): Select from the drop-down the source activity (how the risk was initially identified).

Column H (Describe the Information Asset at Risk): Briefly describe the information asset(s) that may be impacted by this risk. An information asset can be a system, a data element, a person, a facility, a record, a file, a piece of paper, hardware, software, etc. See the definition of this and other terms in SAM Section 5300.4.

Instructions and Use

Column I (Assigned To): Identify the person(s) responsible for this risk, including name, title and/or classification. By policy, the state entity head (director) is responsible for all risks, but for purposes of the POAM, indicate who will own the risk and secure the necessary resources (persons or funding) to address it. This is the person the CISO may contact for more information.

Column J (Plan of Action): Describe the steps the state entity will take to address the risk, including short- and longer-term plans. If the Plan of Action is significant and includes several major milestones, submit your detailed plan as a separate file.

Column K (When First Identified): Record the date when the risk was first identified.

Instructions and Use

Column L (Start Date): Indicate the date you did or will begin addressing the risk.

Column M (Completion Date): Indicate the projected completion date. NOTE: The CISO will know whether it's a projected or actual completion date based on the status of the risk.

Column N (Status): Select one of the four (4) status types. NOTE: Even after a risk is reported as "Completed" it must remain on the tool.

Column O (Status Date): Use Column O to record the date of the status selected in Column N.

Instructions and Use

Column P (Risk Rating): Use the NIST risk categories described in Special Publication 800-30 to determine whether the risk is Very Low, Low, Moderate, High, or Very High.

Column Q (Barriers or Constraints): Briefly describe any constraints to remediating this risk. If necessary, a separate file may be submitted to the CISO. NOTE: All files must begin with your Org Code.

Transformation: Raw Data to Actionable Business Intelligence

[Chart: Statewide Risks (sample data)] Training 7%, Remote Access 31%, Incident Response 12%, Access Controls 5%, Media Protection 10%, Acquisition 10%, Governance 25%
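The column instructions above describe a record with fixed allowed values and a few consistency rules (Column C must align with Column B, the SP 800-30 rating scale, four status types, completed items staying on the tool, files prefixed with the Org Code), and the chart on this slide is the kind of aggregation the CISO performs once rows are uniform. The following Python is an added illustration, not the CISO's POAM tool or any state code: it models one POAM row, checks it against those rules, and computes the percentage breakdown by family or rating. The four status names, the family-to-SAM alignment table (placeholder strings) and the sample rows are all constructed assumptions, since the slides do not list them.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

# Column P: the SP 800-30 qualitative scale named on the slides.
RISK_RATINGS = ("Very Low", "Low", "Moderate", "High", "Very High")
# Column N: the slides say there are four status types but do not name them;
# these four names are an assumption made for this example.
STATUS_TYPES = ("Not Started", "In Progress", "Completed", "Accepted")
# Column C must align with Column B. Which SAM sections pair with which NIST
# family is not stated on the slides, so this table is a constructed placeholder.
FAMILY_TO_SAM = {
    "Access Controls": {"SAM-PLACEHOLDER-AC"},
    "Governance": {"SAM-PLACEHOLDER-GOV", "SAM-PLACEHOLDER-PLAN"},
    "Remote Access": {"SAM-PLACEHOLDER-RA"},
    "Training": {"SAM-PLACEHOLDER-AT"},
}


@dataclass
class PoamRow:
    """One row of the POAM tool; field comments give the slide's column letter."""
    nist_family: str                 # Column B
    sam_policy: str                  # Column C
    weakness: str                    # Column E
    compensating_controls: str       # Column F (may be empty)
    source: str                      # Column G
    asset_at_risk: str               # Column H
    assigned_to: str                 # Column I
    plan_of_action: str              # Column J
    first_identified: date           # Column K
    start_date: Optional[date]       # Column L
    completion_date: Optional[date]  # Column M
    status: str                      # Column N
    status_date: date                # Column O
    risk_rating: str                 # Column P
    barriers: str = ""               # Column Q


def validate_row(row: PoamRow) -> list:
    """Return the list of rule violations for one row; an empty list means it passes."""
    problems = []
    for name in ("weakness", "asset_at_risk", "assigned_to", "plan_of_action"):
        if not getattr(row, name).strip():
            problems.append(f"{name} is empty")
    if row.nist_family not in FAMILY_TO_SAM:
        problems.append(f"unknown NIST family {row.nist_family!r}")
    elif row.sam_policy not in FAMILY_TO_SAM[row.nist_family]:
        problems.append("Column C policy does not align with Column B family")
    if row.status not in STATUS_TYPES:
        problems.append(f"unknown status {row.status!r}")
    if row.risk_rating not in RISK_RATINGS:
        problems.append(f"risk rating {row.risk_rating!r} is not on the SP 800-30 scale")
    if row.start_date and row.start_date < row.first_identified:
        problems.append("start date precedes the date first identified")
    if row.start_date and row.completion_date and row.completion_date < row.start_date:
        problems.append("completion date precedes start date")
    if row.status == "Completed" and row.completion_date is None:
        problems.append("completed risk has no completion date")
    if row.status_date < row.first_identified:
        problems.append("status date precedes the date first identified")
    return problems


def validate_filename(filename: str, org_code: str) -> bool:
    """Every file sent to the CISO must begin with the entity's Org Code."""
    return filename.startswith(org_code)


def breakdown(rows, key: Callable[[PoamRow], str]) -> dict:
    """Percentage share of rows per key (NIST family, risk rating, completion year, ...)."""
    counts = Counter(key(r) for r in rows)
    total = sum(counts.values())
    return {k: round(100 * n / total, 1) for k, n in counts.items()} if total else {}


# Constructed sample rows (not real findings) in the expected shape.
SAMPLE_ROWS = [
    PoamRow("Governance", "SAM-PLACEHOLDER-GOV", "No documented POAM process", "Manual tracking",
            "Internal review", "Security program records", "ISO, J. Doe", "Adopt CISO POAM tool",
            date(2015, 6, 1), date(2015, 7, 1), date(2015, 12, 31), "In Progress", date(2015, 9, 1), "Moderate"),
    PoamRow("Governance", "SAM-PLACEHOLDER-PLAN", "TRP not updated", "", "Audit", "Technology Recovery Plan",
            "CIO, A. Smith", "Rewrite and test plan", date(2015, 3, 15), date(2015, 4, 1), date(2018, 8, 1),
            "In Progress", date(2015, 9, 1), "High", "Requires funding"),
    PoamRow("Remote Access", "SAM-PLACEHOLDER-RA", "VPN without MFA", "Monitoring of VPN logs", "Risk assessment",
            "Remote access gateway", "Network lead, B. Lee", "Deploy MFA", date(2015, 1, 10), date(2015, 2, 1),
            date(2015, 8, 30), "Completed", date(2015, 8, 30), "High"),
    PoamRow("Training", "SAM-PLACEHOLDER-AT", "Annual training not completed", "", "Self-assessment",
            "All staff", "HR manager", "Schedule sessions", date(2015, 5, 5), None, None,
            "Not Started", date(2015, 5, 5), "Low"),
]
# A constructed row that breaks several rules at once, to show what the validator reports.
SAMPLE_BAD_ROW = PoamRow("Governance", "SAM-PLACEHOLDER-RA", "", "", "Audit", "Payroll system", "ISO",
                         "Patch", date(2015, 6, 1), date(2015, 5, 1), None, "Completed", date(2015, 6, 2), "Critical")

if __name__ == "__main__":
    for row in SAMPLE_ROWS + [SAMPLE_BAD_ROW]:
        print(row.weakness or "(blank weakness)", validate_row(row) or "ok")
    print(breakdown(SAMPLE_ROWS, lambda r: r.nist_family))
    print(breakdown(SAMPLE_ROWS, lambda r: r.risk_rating))
```

Running the module prints "ok" for the four sample rows, the five violations in the bad row, and the share of rows by family (Governance 50%, Remote Access 25%, Training 25%); passing a different key to breakdown gives the by-rating or by-completion-date views the "History and Background" slide describes.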

Secure File Transfer (SFT)

Case Studies

For each of the following case studies, we need to provide the following information:

Simple description of the weakness?
NIST family and/or SAM/SIMM policy?
Compensating controls?
Source?
Information asset at risk?
Assigned to?
Plan of action?
Barriers or constraints?

Case Studies, Case #1

During a routine meeting with your CIO, you are informed that your Admin Division has purchased a dozen new multi-function copiers/printers and the IT shop has been asked to work with the vendor to install them on the network. No consideration was given to information security during the procurement.

Case Studies, Case #2

An incident is reported that PII was faxed to an out-of-date fax group, and 7 of the recipients have no business need to see this PII.

Case Studies, Case #3

Your department has not updated its TRP in 6 years. As you plan to address this risk and out-of-compliance condition, your list of activities is extensive, including 5 major milestones. You report that this risk will not be fully addressed until you test the new plan in the summer of 2018.

Case Studies, Case #4

Your budget office has a mission-critical financial system running on a Microsoft Server 2003 operating system. The financial application is written in a language that is no longer supported and will not execute on anything but Server 2003.

Case Studies, Case #5

Examples from the audience.