Nuclear Regulatory Commission Computer Security Office Enterprise Security Architecture Working Group Charter




Title: CSO Enterprise Security Architecture Working Group Charter
Revision Number: 1.0
Effective Date: April 10, 2013
Primary Contacts: Kathy Lyons-Burke, SITSO
Responsible Organization: CSO/PST
Summary: The CSO Enterprise Security Architecture Working Group Charter provides the formal written statement of the aims, principles, and procedures of the working group.
ADAMS Accession No.: ML13093A047
Primary Office Owner: Policies, Standards, and Training

Approvals:
Responsible SITSO: Kathy Lyons-Burke /RA/ 4/3/13
DAA for Non-Major IT Investments, Director, CSO: Tom Rich /RA/ (Jonathan Feibus for) 4/3/13
Director, OIS: Jim Flanagan /RA/ 4/3/13

CHARTER FOR THE CSO ENTERPRISE SECURITY ARCHITECTURE WORKING GROUP

Cyber security is an essential component of the NRC's Information Technology (IT) infrastructure, and is necessary to ensure the secure introduction and maintenance of technologies that support evolving mission and business objectives and to enable the agility that is required by the rapid advancement of technology. To provide the agency with a standardized, cost-effective, and secure framework for conducting mission and business operations, the Computer Security Office (CSO) has determined that development of an Enterprise Security Architecture (ESA), as part of the NRC Enterprise Architecture (EA), is necessary to improve the agency's overall cyber security posture. The CSO ESA Working Group (WG) Charter provides the formal written statement of the aims, principles, and procedures of the working group.

1 PURPOSE

The purpose of the ESA-WG is to identify the architectural principles and requirements for NRC cyber security and to document those principles and requirements as the ESA component of the NRC EA. The NRC ESA shall be developed to:

- Provide the agency with a common, cost-effective security protection framework (including processes, procedures, and governance structures) that enables the infrastructure to securely support the introduction of new technologies that support agency mission and business objectives;
- Provide enterprise/programmatic requirements that allow business and IT communities to securely develop methods for producing and sharing information required to support NRC operations;
- Improve security information, enabling the provision of active information to manage, govern, and effectively report on and improve the security posture of the agency; and
- Provide cyber security requirements aligned with enterprise technology enablement standards such as the OMB 21st Century Digital Government and NRC Strategic Plans.

2 APPROACH

The ESA-WG shall work to develop a consistent, well-defined ESA that supports the business and cyber security needs and objectives of the agency. The ESA-WG shall meet to identify, prioritize, and define security goals, business and functional requirements, processes, and/or standards as needed to define the ESA. The ESA-WG meets to review current and proposed cyber security architectural requirements and updates to them. Meetings may occur on a bi-weekly basis or per another schedule deemed appropriate for the group. The ESA-WG will communicate requirements, approaches, and other deliverables to NRC governance bodies, including the IT/IM Architecture Council, the Information Technology Board, and the IT/IM Portfolio Executive Council, on a periodic basis. The ESA-WG reviews proposed cyber security architectural requirements and makes recommendations concerning the requirements to the NRC Designated Approving Authority (DAA) for non-major IT investments. Recommendations may take the form of corrections,

additions (if specific requirements have been omitted), and requests to remove specific requirements.

The ESA-WG shall establish Integrated Project Teams (IPTs) to support specific subject areas (e.g., network security, software assurance) of the ESA (see Section 4, "Integrated Project Teams"). IPT subject areas shall be identified by the ESA-WG, and IPTs established to develop proposed components of the ESA that address the subject areas. The ESA-WG shall determine whether the IPTs should operate concurrently, sequentially, or overlapping in time. IPTs shall present at ESA-WG meetings periodically to ensure alignment and to ensure issues are addressed to permit effective operation of each IPT.

3 ESA-WG COMPOSITION, ROLES, AND RESPONSIBILITIES

Each member office except CSO shall submit the CSO-TEMP-3050, "Enterprise Security Architecture Working Group Appointment Memo," to designate a technical representative to participate in the ESA-WG.

3.1 ESA-WG MEMBERSHIP

The following NRC member offices shall be permanent voting members of the ESA-WG:

1) Computer Security Office (CSO)
   a) CSO representatives shall include the Senior Information Technology Security Officer (SITSO) for PST or his/her designee as the Chair and CSO voting member.
2) Office of Information Services (OIS) division where the EA role resides
   a) OIS shall be represented by one technical representative.
3) Regional Offices
   a) The Regional Offices shall be represented by one technical representative. This representative's role must include cyber security responsibilities of a technical nature. The representative shall be agreed upon collectively by all Regional Offices.

Up to two non-permanent members from other NRC offices can be selected to participate in the ESA-WG. The involvement of program offices as non-permanent members is desired to provide a business and mission point of view to the working group. All members must have technical cyber security responsibilities at the agency as part of their job. The total number of ESA-WG members, including permanent and non-permanent members, cannot exceed five.

Each ESA-WG member may identify an alternate representative to participate in ESA-WG meetings and activities (including voting if the primary representative is not available). The alternate must meet the same requirements specified for the primary representative (e.g., must have technical cyber security responsibilities; must be part of a specific organization within the member office). A complete ESA-WG member listing, including non-permanent member offices, can be found on the CSO web site. The SITSO for PST must approve all changes to NRC member offices and office representatives.

3.2 ESA-WG VOTING

Each ESA-WG member office, whether permanent or non-permanent, shall have only one vote. Over half of the ESA-WG member offices must be present to constitute a quorum for voting to occur.

A simple majority of votes in favor of a deliverable is required for the document to proceed to the ISSO Forum for review and comment. All ISSO Forum comments are considered by the ESA-WG, and the ESA-WG shall provide a written comment response to the reviewer. The ESA-WG shall cast an additional vote to approve the resolution of the ISSO Forum comment(s) before the deliverable proceeds to the DAA for non-major IT investments for approval.

If a tie occurs while voting, the affected deliverable shall be tabled for discussion and voted on a second time during the next ESA-WG meeting. If a tie occurs during the second vote on a deliverable, the ESA-WG Chair shall cast the tie-breaking vote. The intent of this tie-breaking process is to ensure that the ESA-WG is able to continue to move forward with a clear decision (approval or otherwise) on proposed deliverables.

3.3 ESA-WG ATTENDANCE

Attendance at meetings may be in person or via teleconference. As situations dictate, documents may be voted on via email. If a vote is taken during a meeting, a voting member must attend in person or via teleconference to vote; if a voting representative cannot attend and misses a vote, that representative may provide an email with his/her stated position on the proposed deliverable after the vote is cast. Votes and comments are not anonymous, and comments supporting each member's vote are encouraged to inform the ESA-WG as to the rationale for support of or opposition to a proposed deliverable.

3.4 ESA-WG ROLES AND RESPONSIBILITIES

The following sections describe the roles and responsibilities associated with the ESA-WG.

3.4.1 ESA-WG CHAIR

The CSO SITSO for PST or his/her designee serves as the ESA-WG Chair and provides vision, leadership, direction, and oversight of the ESA-WG. The ESA-WG Chair appoints the ESA-WG executive secretary from his/her staff, provides updates on relevant security events as they impact the IPTs, and facilitates the ESA-WG meetings. The ESA-WG Chair shall review the office membership of the ESA-WG on a periodic basis to adjust non-permanent member offices and/or member office representation. The ESA-WG Chair casts tie-breaking votes to enable progress by the ESA-WG.

3.4.2 ESA-WG EXECUTIVE SECRETARY

The ESA-WG executive secretary is appointed by the Chair and serves as the PST point of contact for ESA-WG members. He/she performs the following functions:

- Arranges for meeting dates, space, and necessary conferencing services;
- Develops meeting agendas;
- Documents meeting minutes;
- Tallies votes;
- Compiles input received from the membership and provides the input to the Chair; and
- Emails information to ESA-WG members.

3.4.3 ESA-WG MEMBER RESPONSIBILITIES

Members are responsible for attending meetings, providing input, and voting on recommendations concerning:

- Enterprise-wide architectural requirements;
- Future state ("to-be") architectural requirements; and
- Other documents as necessary (e.g., Analysis of Alternatives, Transition Plans) which support the operations of the ESA-WG and respective IPTs.

4 INTEGRATED PROJECT TEAMS

The IPTs shall provide cyber security architecture requirements that support the IPT subject areas to the ESA-WG. Each IPT shall leverage resources developed during existing NRC efforts such as the Systems and Technology Analytical Research Team (START), the Standards Working Group (SWG), the Portfolio Councils, and other ongoing NRC IT modernization initiatives. In addition, the IPTs shall incorporate lessons learned from other federal government initiatives such as the Federal Enterprise Architecture (FEA). The SWG may serve as the ESA IPT for architecture-related cyber security standards at the discretion of the ESA-WG Chair. In this case, the SWG Chair shall serve in the role of the IPT Chair.

4.1 IPT MEMBERSHIP

The following NRC member offices shall be permanent voting members of each IPT:

1) Computer Security Office (CSO)
   a) CSO representatives shall include the SITSO for PST or his/her designee as the Chair and CSO voting member.
2) Office of Information Services (OIS)
   a) OIS shall be represented by one technical representative.
3) Regional Offices
   a) The Regional Offices shall be represented by one technical representative. This representative's role must include cyber security responsibilities of a technical nature. The representative shall be agreed upon collectively by all Regional Offices.

The IPT Chair can select up to four non-permanent members from other NRC offices to participate in each IPT. Each IPT should contain members that have a level of technical expertise relevant to the subject area. All members must have technical cyber security responsibilities at the agency as part of their job. The total number of IPT members for each IPT, including permanent and non-permanent members, cannot exceed seven.

Each IPT member may identify an alternate representative to participate in IPT meetings and activities (including voting if the primary representative is not available). The alternate must meet the same requirements specified for the primary representative. ESA-WG members may also serve as IPT members. A complete member listing for each active IPT, including non-permanent member offices, can be found on the CSO web site. The SITSO for PST must approve all changes to NRC member offices and office representatives.

4.2 IPT VOTING

Each IPT member office, whether permanent or non-permanent, shall have only one vote. Over half of the IPT member offices must be present to constitute a quorum for voting to occur. A simple majority of votes in favor of a deliverable is required for the document to proceed to the ESA-WG for review and comment. If a tie occurs while voting, the affected deliverable shall be tabled for discussion and voted on a second time during the next IPT meeting. If a tie occurs during the second vote on a document, the IPT Chair shall cast the tie-breaking vote. The intent of this tie-breaking process is to ensure that the IPT is able to continue to move forward with a clear decision (approval or otherwise) on proposed deliverables.

4.3 IPT ATTENDANCE

Attendance at meetings may be in person or via teleconference. As situations dictate, documents may be voted on via email. If a vote is taken during a meeting, a voting member must attend in person or via teleconference to vote; if a voting representative cannot attend and misses a vote, that representative may provide an email with his/her stated position on the proposed deliverable after the vote is cast. Votes and comments are not anonymous, and comments supporting each member's vote are encouraged to inform the IPT as to the rationale for support of or opposition to a proposed deliverable.

4.4 IPT ROLES AND RESPONSIBILITIES

Each IPT shall be responsible for developing and delivering cyber security architectural requirements for designated subject areas to the ESA-WG. IPTs may lead or assist the ESA-WG with the development of future ("to-be") capabilities and requirements. IPTs may produce other documents, including whitepapers, guidance, processes, and other documents as needed, pertaining to the ESA subject area(s).

4.4.1 IPT CHAIR

The CSO SITSO for PST or his/her designee serves as the IPT Chair and provides vision, leadership, direction, and oversight of the IPT. The IPT Chair provides updates on relevant security events as they impact the IPTs, and facilitates the IPT meetings. The IPT Chair shall review the office membership of the IPT on a periodic basis to adjust non-permanent member offices and/or member office representation. The IPT Chair casts tie-breaking votes to enable progress by the IPT.

5 ADMINISTRATIVE CHANGES TO DOCUMENTS

ESA-WG voting and approval is not required for administrative changes to ESA-WG approved documents. Administrative changes include, but are not limited to, updates for the following:

- Errors;
- Formatting;
- Grammar;

- Spelling;
- References to other documents (e.g., references to another NRC standard, process, or template; references to external standards or architectural frameworks);
- Addition of or changes to Uniform Resource Locators (URLs); and
- Names and signatures associated with NRC positions when different individuals are appointed to those positions.

6 CHARTER REVIEW AND REVISION

The ESA-WG Charter will be reviewed at least annually. If an update to the ESA-WG Charter is required, the update must be voted on and approved subject to the voting process described in Section 3.2, ESA-WG VOTING.

7 ESA-WG CHARTER CHANGE HISTORY

Date       Version  Description of Changes
14-Mar-13  1.0      Initial version