How To Control A System

Similar documents
Security Control Standard

Security Control Standard

Security Control Standard

Security Control Standard

Security Control Standard

EPA Classification No.: CIO P-02.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

A Role-Based Model for Federal Information Technology/ Cybersecurity Training

Security Controls Assessment for Federal Information Systems

Publication Number: Third Draft Special Publication Revision 1. A Role Based Model for Federal Information Technology / Cyber Security Training

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

5 FAM 620 INFORMATION TECHNOLOGY (IT) PROJECT MANAGEMENT

INFORMATION DIRECTIVE GUIDANCE GUIDANCE FOR MANUALLY COMPLETING INFORMATION SECURITY AWARENESS TRAINING

IT Security Handbook. Security Awareness and Training

FISMA Implementation Project

HHS Information System Security Controls Catalog V 1.0

Security Control Standards Catalog

POSTAL REGULATORY COMMISSION

2012 FISMA Executive Summary Report

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET DoD RMF Transition

Computing. Federal Cloud. Service Providers. The Definitive Guide for Cloud. Matthew Metheny ELSEVIER. Syngress is NEWYORK OXFORD PARIS SAN DIEGO

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

IT Compliance in Acquisition Checklist v3.5 Page 1 of 7

Get Confidence in Mission Security with IV&V Information Assurance

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

Information Security for Managers

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

NOTICE: This publication is available at:

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

FSIS DIRECTIVE

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

Review of the SEC s Systems Certification and Accreditation Process

2014 Audit of the Board s Information Security Program

DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Seeing Though the Clouds

Federal Trade Commission Privacy Impact Assessment. Conference Room Scheduling PIA

SECURITY ASSESSMENT AND AUTHORIZATION

Department of Veterans Affairs VA Handbook Information Security Program

FREQUENTLY ASKED QUESTIONS

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

December 8, Security Authorization of Information Systems in Cloud Computing Environments

Bellingham Control System Cyber Security Case Study

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012

United States Department of Agriculture. Office of Inspector General

Continuous Monitoring Strategy & Guide

Baseline Cyber Security Program

Security and Privacy Controls for Federal Information Systems and Organizations

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015

National Information Assurance Certification and Accreditation Process (NIACAP)

Section 37.1 Purpose Section 37.2 Background Section 37.3 Scope and Applicability Section 37.4 Policy... 5

Information Security for IT Administrators

Dr. Ron Ross National Institute of Standards and Technology

CMS Policy for Information Security and Privacy

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

System Security Certification and Accreditation (C&A) Framework

Department of Defense INSTRUCTION

Information Security and Privacy Policy Handbook

Security Authorization Process Guide

Federal Risk and Authorization Management Program (FedRAMP)

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

NARA s Information Security Program. OIG Audit Report No October 27, 2014

CTR System Report FISMA

Minimum Acceptable Risk Standards for Exchanges Exchange Reference Architecture Supplement

EPA Classification No.: CIO P-04.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

Federal Trade Commission Privacy Impact Assessment

COORDINATION DRAFT. FISCAM to NIST Special Publication Revision 4. Title / Description (Critical Element)

Overview. FedRAMP CONOPS

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

Document Control SOP. Document No: SOP_0103 Prepared by: David Brown. Version: 10

Office of Inspector General Corporation for National and Community Service

U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT INFORMATION TECHNOLOGY SECURITY POLICY. HUD Handbook REV4.1

FedRAMP Standard Contract Language

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

FITSP-M. Lab Activity Guide

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

for Information Security

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

Incident Management. Verdis Spearman

Department of Homeland Security

Enterprise Audit Management Instruction for National Security Systems (NSS)

NASA Information Technology Requirement

VIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY. Version 2.

Corporate Leadership Council Metrics

FISMA NIST (Rev 4) Shared Public Cloud Infrastructure Standards

Audit of the Department of State Information Security Program

Transcription:

Department of the Interior Security Control Standard Awareness and Training April 2011 Version: 1.1

Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information Officer Signature: Date:

REVISION HISTORY Author Version Revision Date Revision Summary Chris Peterson 0.1 December 2, 2010 Initial draft Timothy Brown 0.2 December 3, 2010 Incorporated comments into body text Timothy Brown 0.21 January 07, 2011 Added introductory paragraph Timothy Brown 0.22 February 15, 2011 Checked/added cloud controls to high Chris Peterson 1.0 February 18, 2011 Final review of controls; remove margin notes Lawrence K. Ruffin 1.1 April 29, 2011 Final revisions and version change to 1.1 3

TABLE OF CONTENTS REVISION HISTORY... 3 TABLE OF CONTENTS... 4 SECURITY CONTROL STANDARD: AWARENESS AND TRAINING... 5 AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES... 5 AT-2 SECURITY AWARENESS... 6 AT-3 SECURITY TRAINING... 6 AT-4 SECURITY TRAINING RECORDS... 7 4

SECURITY CONTROL STANDARD: AWARENESS AND TRAINING The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 describes the required process for selecting and specifying security controls for an information system based on its security categorizing, including tailoring the initial set of baseline security controls and supplementing the tailored baseline as necessary based on an organizational assessment of risk. This standard specifies organization-defined parameters that are deemed necessary or appropriate to achieve a consistent security posture across the Department of the Interior. In addition to the NIST SP 800-53 Awareness and Training (AT) control family standard, supplemental information is included that establishes an enterprise-wide standard for specific controls within the control family. In some cases additional agency-specific or Office of Management and Budget (OMB) requirements have been incorporated into relevant controls. Where the NIST SP 800-53 indicates the need for organizationdefined parameters or selection of operations that are not specified in this supplemental standard, the System Owner shall appropriately define and document the parameters based on the individual requirements, purpose, and function of the information system. The supplemental information provided in this standard is required to be applied when the Authorizing Official (AO) has selected the control, or control enhancement, in a manner that is consistent with the Department s IT security policy and associated information security Risk Management Framework (RMF) strategy. Additionally, information systems implemented within cloud computing environments shall select, implement, and comply with any additional and/or more stringent security control requirements as specified and approved by the Federal Risk and Authorization Management Program (FedRAMP) unless otherwise approved for risk acceptance by the AO. The additional controls required for implementation within cloud computing environments are readily identified within the Priority and Baseline Allocation table following each control and distinguished by the control or control enhancement represented in bold red text. AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES Control: The organization develops, disseminates, and reviews/updates annually: a. A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the security awareness and training family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational 5

policies and procedures may make the need for additional specific policies and procedures unnecessary. The security awareness and training policy can be included as part of the general information security policy for the organization. Security awareness and training procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the security awareness and training policy. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-16, 800-50, 800-100. P1 LOW AT-1 MOD AT-1 HIGH AT-1 AT-2 SECURITY AWARENESS Control: The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and annually thereafter. Supplemental Guidance: The organization determines the appropriate content of security awareness training and security awareness techniques based on the specific requirements of the organization and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security as it relates to the organization s information security program. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Control Enhancements: None mandated. References: C.F.R. Part 5 Subpart C (5 C.F.R 930.301); NIST Special Publication 800-50. P1 LOW AT-2 MOD AT-2 HIGH AT-2 AT-3 SECURITY TRAINING 6

Control: The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) at least annually thereafter. Supplemental Guidance: The organization determines the appropriate content of security training based on assigned roles and responsibilities and the specific requirements of the organization and the information systems to which personnel have authorized access. In addition, the organization provides information system managers, system and network administrators, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training to perform their assigned duties. Organizational security training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. The organization also provides the training necessary for these individuals to carry out their responsibilities related to operations security within the context of the organization s information security program. Related controls: AT-2, SA-3. Control Enhancements: None. References: C.F.R. Part 5 Subpart C (5 C.F.R 930.301); NIST Special Publications 800-16, 800-50. P1 LOW AT-3 MOD AT-3 HIGH AT-3 AT-4 SECURITY TRAINING RECORDS Control: The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b. Retains individual training records for at least 3 years. Supplemental Guidance: While an organization may deem that organizationally mandated individual training programs and the development of individual training plans are necessary, this control does not mandate either. Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Control Enhancements: None. References: None. P3 LOW AT-4 MOD AT-4 HIGH AT-4 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information