DOE CYBER SECURITY EBK: CORE COMPETENCY TRAINING REQUIREMENTS Key Cyber Security Role: Authorizing Official (AO)



Similar documents
U.S. DEPARTMENT OF ENERGY. Essential Body of Knowledge (EBK)

INFORMATION SECURITY STRATEGIC PLAN

Risk Management Guide for Information Technology Systems. NIST SP Overview

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

Security & Privacy Friends, Foes or Partners?

DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE

Federal Bureau of Investigation s Integrity and Compliance Program

Information Security Program

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012

BUSINESS CONTINUITY PLANNING

Utica College. Information Security Plan

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

Information Technology

U.S. DEPARTMENT OF ENERGY

aecert Roadmap Eng. Mohammed Gheyath Director, Technical Affairs TRA

Security Control Standard

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

How To Audit The Mint'S Information Technology

CYBERSECURITY EXAMINATION SWEEP SUMMARY

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

Cybersecurity. Are you prepared?

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

CLASS TITLE: COMPLIANCE MANAGER CLASS CODE: 0016 DEPARTMENT: MENTAL HEALTH FLSA STATUS: E REPORTS TO: MENTAL HEALTH DIRECTOR DATE: 08/05

DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES

Department of Veterans Affairs VA Handbook Information Security Program

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

Audit Report. Management of Naval Reactors' Cyber Security Program

Guidance for Addressing Cybersecurity in the Chemical Sector. Version 2.0 December 2004

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

Information Technology Policy

SafeBiz. Identity Theft and Data Breach Program For Small & Medium Size Businesses (SMB)

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Audit Report. Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland, Oregon

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Department of Homeland Security

DEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Overview of Presentation

Qatar University Information Security Policies Handbook November 2013

Keeping watch over your best business interests.

THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

CYBERBOK Cyber Crime Security Essential Body of Knowledge: A Competency and Functional Framework for Cyber Crime Management

005ASubmission to the Serious Data Breach Notification Consultation

Threat Management: Incident Handling. Incident Response Plan

Fraud Prevention and Deterrence

Standards for the Professional Practice of Internal Auditing

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, February 12, 2013

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Client Update SEC Releases Updated Cybersecurity Examination Guidelines

Qualification details

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

CYBER SECURITY PROCESS REQUIREMENTS MANUAL

Why you should adopt the NIST Cybersecurity Framework

The Department of Technology Services is responsible for installing and managing security controls and technologies on behalf of the State of Utah.

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

SEC Cybersecurity Findings May Establish De Facto Standard

Pursuant to section 1.7(i) of Executive Order 12333, as amended, the FBI is authorized to:

How IRS Protects Taxpayers and Helps Victims of Identity Theft. Global Identity Summit September 16, 2014

Audit Report. Management and Security of Office of Budget and Program Analysis Information Technology Resources. U.S. Department of Agriculture

Board Approved June 24, 2015 FLSA: EXEMPT ASSOCIATE DEAN, CONTINUING EDUCATION PROGRAMS AND SERVICES

The Value of Vulnerability Management*

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Information Security Incident Response

STATEMENT OF RANDY S. MISKANIC VICE PRESIDENT, SECURE DIGITAL SOLUTIONS U.S. POSTAL SERVICE BEFORE THE SUBCOMMITTEE ON FEDERAL WORKFORCE, U.

Purchase College Information Security Program Charter January 2008

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years

BOARD OF EDUCATION OF BALTIMORE COUNTY OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL INTERNAL AUDIT OPERATIONS MANUAL

Information Security Incident Management Guidelines

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Information Assurance Branch (IAB) Cybersecurity Best Practice for Executive Level Managers

Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives. Initiation date: January 2012

IT Security Risk Management: A Lifecycle Approach

Automation Suite for NIST Cyber Security Framework

IT-CNP, Inc. Capability Statement

Cyber Security. John Leek Chief Strategist

DHS, National Cyber Security Division Overview

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

INFRAGARD.ORG. Portland FBI. Unclassified 1

Deloitte Forensic Fraud Risk Management

State Homeland Security Strategy (2012)

State of Security Survey GLOBAL FINDINGS

McLennan Community College

Policy : Enterprise Risk Management Policy

U.S. Department of Energy Washington, D.C.

Approved by the Audit and Compliance Committee of the Providence Health & Services Board of Directors

Transcription:

DOE CYBER SECURITY EBK: CORE COMPETENCY TRAINING REQUIREMENTS Key Cyber Security Role: Authorizing Official (AO) Role Definition: The AO is the Senior DOE Management Federal official with the authority to formally assume responsibility and be held fully accountable for operating an information system at an acceptable level of risk. Competency Area: Incident Management Competency Definition: Refers to the knowledge and understanding of the processes and procedures required to prevent, detect, investigate, contain, eradicate, and recover from incidents that impact the organizational mission as directed by the DOE Cyber Incident Response Capability (CIRC). Behavioral Outcome: Individuals fulfilling the role of AO will have a working knowledge of policies and procedures required to identify and respond to cyber security incidents, cyber security alerts, and INFOCON changes as directed by the CIRC. Training concepts to be addressed at a minimum: Establish relationships between the CIRC and internal individuals/groups (e.g., AO, classification/technical officer, Facility Security Officer, legal department, etc.) and external individuals and/or groups (e.g., CIRC, law enforcement agencies, vendors, and public relations professionals). NOTE: The AO needs to monitor POA&Ms even if the AO Representative tracks the activities of a POA&M. Competency Area: Incident Management Functional Requirement: Implement Competency Definition: Refers to the knowledge and understanding of the processes and procedures required to prevent, detect, investigate, contain, eradicate, and recover from incidents that impact the organizational mission as directed by the DOE Cyber Incident Response Capability (CIRC). Behavioral Outcome: Individuals fulfilling the role of AO will understand the processes and accomplish procedures required to appropriately categorize and report cyber security incidents as dictated by the DOE CIRC as well as coordinate and communicate incident response actions with Law Enforcement Agencies, Federal agencies, and/or external governmental entities. Training concepts to be addressed at a minimum: 1

Assign or assist with assigning appropriate incident characterization (i.e., Type 1 or Type 2) and categorization (i.e., low, medium, high, or very high). Respond to and report incidents within mandated timeframes as required by DOE CIRC and other Federal agencies as appropriate. Coordinate, interface, and work under the direction of appropriate legal authority (e.g., Inspector General, FBI) regarding cyber incident investigations that involve Federal agencies and external governmental entities (e.g., Law Enforcement, state, local, etc.). Respond proactively to changes in INFOCON levels as disseminated by Senior DOE Management or the DOE Chief Information Officer. Competency Area: Cyber Security Training and Awareness Competency Definition: Refers to the knowledge of principles, practices, and methods required to raise employee awareness about basic information security and train individuals with information security roles to increase their knowledge, skills, and abilities. Behavioral Outcome: Individuals fulfilling the role of AO will understand the concepts of effective cyber security awareness activities to influence human behavior as well as understand the criticality of regular cyber security training for individuals with information security roles. Competency Area: Cyber Security Training and Awareness Functional Requirement: Evaluate Competency Definition: Refers to the knowledge of principles, practices, and methods required to raise employee awareness about basic information security and train individuals with information security roles to increase their knowledge, skills, and abilities. Behavioral Outcome: Individuals fulfilling the role of AO will understand the concepts of effective cyber security awareness activities to influence human behavior as well as understand the criticality of regular cyber security training for individuals with information security roles. Review cyber security awareness and training program materials and recommend improvements. Competency Area: Information Technology (IT) Systems Operations and Maintenance 2

Competency Definition: Refers to the ongoing application of principles, policies, and procedures to maintain, monitor, control, and protect IT infrastructure and the information residing on such infrastructure during the operations phase of an IT system or application. Behavioral Outcome: The individual serving as the AO will have a working knowledge of the policies, procedures, and controls required to protect IT infrastructure and data to include technical, operational, and administrative security controls and will apply this knowledge when monitoring the IT infrastructure security administration program. Competency Area: Personnel Security Competency Definition: Refers to the knowledge of human resource selection methods and controls used by an organization to help deter willful acts of security breaches such as theft, fraud, misuse, and noncompliance. These controls include organization/functional design elements such as separation of duties, job rotation, and classification. Behavioral Outcome: Individuals fulfilling the role of AO will have a working knowledgeable of personnel security policies and procedures and will coordinate with the appropriate security oversight offices to ensure that personnel security access controls are implemented as required by system functional design specifications and as mandated by Departmental directives. Coordinate with physical security, operations security, and other organizational managers to ensure a coherent, coordinated, and holistic approach to security across the organization. Competency Area: Physical and Environmental Security Competency Definition: Refers to the knowledge of controls and methods used to protect an organization s operational environment including personnel, computing equipment, data, and physical facilities. This concept also refers to the methods and controls used to proactively protect an organization from natural or man-made threats to physical facilities, as well as physical locations where IT equipment is located (e.g., central computing facility). Behavioral Outcome: The individual serving as the AO will have a working knowledgeable of physical security policies and procedures and will coordinate with the appropriate security oversight offices to ensure that physical controls are implemented as required by the system functional design specifications, as required to adequately protect computing facilities and equipment form natural or man-made threats, and as mandated by Departmental directives. 3

Coordinate with personnel managing IT security, personnel security, COMSEC, operations security, and other security functional areas to provide an integrated, holistic, and coherent security effort. Competency Area: Regulatory and Standards Compliance Competency Definition: Refers to the application of the principles, policies, and procedures that enable an organization to meet applicable information security laws, regulations, standards, and policies to satisfy statutory requirements, perform industry-wide best practices, and achieve information security program goals. Behavioral Outcome: Individuals fulfilling the role of AO will have a working knowledge of the organizational compliance program and will assess the effectiveness of assessment techniques and remedial actions and procedures. Identify major risk factors (e.g., product, compliance, and operational) and coordinate the application of information security strategies, plans, policies, and procedures to reduce regulatory risk. Competency Area: Security Risk Management Functional Requirement: Evaluate Competency Definition: Refers to the knowledge of policies, processes, and technologies used to create a balanced approach to identifying and assessing risks to information assets, personnel, facilities, and equipment, and to manage mitigation strategies that achieve the security needed at an affordable cost. Behavioral Outcome: Individuals fulfilling the role of AO will understand risk management policies and procedures and will be able to assess the effectiveness of the risk management program as well as understand/accept residual risk and compensatory measures as permitted by Departmental directives. Assess effectiveness of the risk management program and suggest changes for improvement. Review the performance of, and provide recommendations for, risk management tools and techniques. Assess residual risk and associated mitigation techniques or procedures implemented by the organization. Assess the results of threat and vulnerability assessments to identify security risks to information systems. Make determination on acceptance of residual risk as permitted by Departmental directives and 4

the applicable Risk Management Approach. Competency Area: Strategic Security Management Competency Definition: Refers to the knowledge of principles, practices, and methods involved in making managerial decisions and actions that determine the long-term performance of an organization. The goal of strategic security management is to ensure that an organization s security practices and policies are in line with the mission statement. Behavioral Outcome: Individuals fulfilling the role of AO will coordinate all aspects of the cyber security program at the Operating Unit level with Senior DOE Management and other organizations. Coordinate all aspects of the cyber security program (i.e., risk management, program management, technical security, personnel security, administrative security, policy and procedure, etc.) at the Operating Unit level with Senior DOE Management. Competency Area: System and Application Security Competency Definition: Refers to the knowledge of principles, practices, and procedures required to integrate information security into an Information Technology (IT) system or application during the System Development Life Cycle (SDLC). The goal of this activity is to ensure that the operation of IT systems and software does not present undue risk to the organization and information assets. Supporting activities include risk assessment, risk mitigation, security control selection, implementation and evaluation, certification and accreditation, and software security standards compliance. Behavioral Outcome: Individuals fulfilling the role of AO will approve the operation of an information system via accreditation or an Interim Approval to Operate (IATO) based on an acceptable level of risk. Competency Area: System and Application Security Functional Requirement: Implement Competency Definition: Refers to the knowledge of principles, practices, and procedures required to integrate information security into an Information Technology (IT) system or application during the System Development Life Cycle (SDLC). The goal of this activity is to ensure that the operation of IT systems and software does not present undue risk to the organization and information assets. Supporting activities include risk assessment, risk mitigation, security control selection, implementation and 5

evaluation, certification and accreditation, and software security standards compliance. Behavioral Outcome: Individuals fulfilling the role of AO will approve the operation of an information system via accreditation or an Interim Approval to Operate (IATO) based on an acceptable level of risk. Approve the operation (i.e., accreditation or re-accreditation) of an information system, grants an Interim Approval to Operate (IATO) under specific terms and conditions, or decline to accredit based on system testing and evaluation (STE) results. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information