Information Security and Privacy Policy Handbook




This document implements OPM's Information Security and Privacy Policy requirements for the protection of information and information systems.

Chief Information Officer
March 31, 2011

Table of Contents

1. INTRODUCTION ... 4
1.1 Purpose ... 4
1.2 Scope and Applicability ... 4
1.3 Compliance, Enforcement, and Exceptions ... 5
1.4 Document Organization ... 6
1.5 Maintenance of the Official Version ... 7
1.6 Legal Authority ... 7
2. ROLES AND RESPONSIBILITIES ... 8
2.1 OPM Director ... 8
2.2 Chief Information Officer (CIO) ... 8
2.3 Deputy Chief Information Officer (DCIO) ... 9
2.4 Chief Privacy Officer (CPO) ... 9
2.5 Chief Information Security Officer (CISO) ... 9
2.6 Information Systems Security Manager (ISSM) ... 10
2.7 Chief of Enterprise Architecture ... 11
2.8 Risk Executive (function) ... 11
2.9 Information Technology Security Working Group (ITSWG) ... 12
2.10 Privacy Program Manager ... 12
2.11 Authorizing Official (AO) ... 12
2.12 Information Owners ... 13
2.13 System Owner (SO) ... 13
2.14 Information System Security Officer (ISSO) ... 14
2.15 Designated Security Officers (DSOs) ... 14
2.16 Network Managers ... 16
2.17 Data Center Managers ... 16
2.18 Software Development Managers ... 17
2.19 Database Managers ... 17
2.20 Security Control Assessor ... 17
2.21 OPM Managers and Supervisors ... 18
2.22 Physical Security Manager ... 18
2.23 Facility Manager ... 19
2.24 OIG Role ... 19
2.25 Contracting Officers and Procurement Officers ... 20
2.26 Contracting Officer's Technical Representative (COTR) ... 20
2.27 OPM Users (Internal and External) ... 20
3. SECURITY PROGRAM ... 22
3.1 Program Management Controls (PM) ... 23
4. PRIVACY PROGRAM ... 36
4.1 Privacy Framework ... 37
4.2 PII Handling Requirements ... 39
4.3 Privacy Compliance ... 40
4.4 Education and Awareness ... 43
4.5 Privacy Complaints ... 43
4.6 Managing Privacy Incidents ... 44
5. MANAGEMENT CONTROLS ... 45
5.1 Planning (PL) ... 45
5.2 Security Assessment and Authorization (CA) ... 49
5.3 Risk Assessment (RA) ... 56
5.4 System and Services Acquisition (SA) ... 60
6. OPERATIONAL CONTROLS ... 67
6.1 Security Awareness and Training (AT) ... 67
6.2 Configuration Management (CM) ... 70
6.3 Contingency Planning (CP) ... 78
6.4 Incident Response (IR) ... 84
6.5 Maintenance (MA) ... 88
6.6 Media Protection (MP) ... 91
6.7 Physical and Environmental (PE) ... 94
6.8 Personnel Security (PS) ... 101
6.9 System and Information Integrity (SI) ... 103
7. TECHNICAL CONTROLS ... 111
7.1 Access Controls (AC) ... 111
7.2 Audit and Accountability (AU) ... 123
7.3 Identification and Authentication (IA) ... 128
7.4 System and Communications Protection (SC) ... 135
APPENDIX A: ACRONYMS ... 144
APPENDIX B: GLOSSARY ... 146
APPENDIX C: REFERENCES ... 163
APPENDIX D: WAIVER REQUEST FORM ... 167
APPENDIX E: RISK ACCEPTANCE MEMORANDUM ... 170
APPENDIX F: RULES OF BEHAVIOR ... 175
APPENDIX G: SAMPLE CONTRACT CLAUSE ... 177
APPENDIX H: OPM DEFINED SECURITY CONTROL PARAMETERS ... 185
APPENDIX I: NIST SP 800-53, Rev. 3; Removed or Not Selected ... 204

FOR OFFICIAL USE ONLY

Revision History

Version 0.1, March 4, 2011: Draft ISPP. Document was revised in its entirety to clarify OPM's information security and privacy policies and roles and responsibilities, and to implement NIST SP 800-53 (Rev. 3) security controls.
Version 0.2, March 14, 2011: Internal ITSP review and revisions. Entire document.
Version 0.3, March 31, 2011: Adjust procedure review frequency from two years to one year.

The version of this document that is posted to the Web is the official, authoritative version.

A Message from the Chief Information Officer (CIO)

Meeting Security Requirements

Information security is a critical issue for all of us at the Office of Personnel Management (OPM). We are highly dependent on information resources to store, process, and transmit information while maintaining its confidentiality, integrity, and availability. OPM is required by law to ensure the security of information assets and the technology that is used to process them. Rapid advances in information systems require an increased awareness in the selection and application of appropriate security safeguards.

The OPM Information Security and Privacy Policy

The Information Security and Privacy Policy (ISPP), based on federal laws, regulations, and National Institute of Standards and Technology (NIST) standards and guidance, is the foundation of the OPM IT Security and Privacy Program. It is the highest priority to assure that OPM programs are carried out in a safe, accurate, accountable, and cost-effective manner. All users of OPM information resources should utilize this ISPP as guidance for the implementation of information security. It offers safeguards to protect the resources and the information that we rely on to carry out our important work.

Office of Personnel Management (OPM) Directive

Subject: Information Security and Privacy
Number:
Original Issue Date: 3/31/2011
Date Last Reviewed: 3/31/2011

Purpose
This directive authorizes the IT Security and Privacy (ITSP) Office to prescribe and publish the OPM Information Security and Privacy Policy (ISPP). The ISPP is an implementation deliverable of the directive.

Scope
This directive applies to all organizational units within OPM and is to be applied when information systems are used to accomplish the mission of OPM.

Policy
It is the policy of OPM to establish and manage an Information Security and Privacy Program. This ISPP provides uniform policies to be followed by all users of OPM information resources.

Authorities
a. Public Law 93-579, Privacy Act of 1974, dated September 27, 1975;
b. Public Law 107-347, E-Government Act of 2002, which contains the Federal Information Security Management Act (FISMA), signed by the President on December 17, 2002.

References
a. Office of Management and Budget (OMB) Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Systems, dated February 8, 1996;
b. National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, dated September 1996;
c. NIST Special Publication 800-16, Information Technology Security Training Requirements, dated April 1998;
d. NIST Special Publication 800-18, Rev. 1, Guide for Developing Security Plans for Information Technology Systems, dated February 2006;
e. NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, dated October 2003;
f. NIST Special Publication 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems, dated August 2009;
g. NIST Special Publication 800-61, Computer Security Incident Handling Guide, dated January 2004; and
h. NIST Federal Information Processing Standards (FIPS).

Responsible Offices
a. The OPM Chief Information Officer (CIO) shall designate an employee to serve as the Chief Information Security Officer (CISO). The CISO is responsible for formulating and directing the IT Security and Privacy Program for OPM, and subsequently, the creation of the ISPP.
b. The CIO, CISO, System Owners (SO), Information System Security Officers (ISSO), and Designated Security Officers (DSO) of the various OPM Offices shall:
(1) Implement the policies and procedures set forth in the ISPP; and
(2) Submit any new or revised regulations, forms, handbooks, or other publications, which are pertinent to or impact the Information Security and Privacy Program, to the CISO or the CIO for review and approval prior to publication.

Office of Primary Interest
Chief Information Officer

E. Perry
Chief Information Officer

1. INTRODUCTION

Efficient and effective security requires roles, policies, and processes to be clearly defined and understood by everyone. An information security policy is the primary building block for every information security effort. Policies establish both direction and management support. The security and policy programs support the Office of Personnel Management's (OPM) mission by protecting its employees, reputation, legal position, and physical and financial resources through the selection and application of appropriate requirements and policies.

The OPM Information Technology (IT) Security Program is charged with ensuring three core principles:

- Confidentiality ensures OPM information is protected from unauthorized disclosure.
- Integrity ensures OPM information is protected from unauthorized, unanticipated, or unintentional modification. This includes, but is not limited to:
  - Authenticity: the verification of the identity of a user, user device, or the data being stored, transmitted, or otherwise exposed to possible unauthorized modification in an information system, or the establishment of the validity of a transmitted message.
  - Non-repudiation: assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can deny processing the data.
  - Accountability: the property that enables the tracing of system activities to their sources, who may then be held responsible for such activities. Auditing is a primary means of establishing accountability.
- Availability ensures OPM information resources (system or data) are accessible on a timely basis to meet mission requirements or to avoid substantial losses. Availability also includes ensuring resources are used only for intended purposes.

The OPM Security and Privacy Policy contains the OPM IT Security Program and Privacy Program, and includes chapters that address the Management, Operational, and Technical controls which are enforced for the security of all OPM information systems.

1.1 Purpose

The purpose of the OPM Security and Privacy Policy is to define the requirements necessary to meet the fundamental security and privacy objectives of confidentiality, integrity, and availability. This policy supersedes the previously issued IT Security & Procedure Handbook volumes 1 and 2 and applies to all OPM personnel and support contractors.

1.2 Scope and Applicability

The policies in this document, and its references and attachments, apply to all OPM information resources. OPM information includes data that is owned, sent, received, or processed by the agency and includes information in either physical or digital form. OPM information resources include OPM hardware, software, media, and facilities.

Everyone who uses, manages, operates, maintains, or develops OPM applications or data, wherever the applications or data reside, must comply with the Information Security and Privacy Policy, unless a specific waiver is obtained from the Chief Information Officer (CIO) or the Chief Information Security Officer (CISO). The Information Security and Privacy Policy is also relevant to all contractors acting on behalf of OPM and to non-OPM organizations or their representatives who are granted authorized access to OPM information and information systems. Finally, this policy applies to other agencies' systems as delineated in Memorandums of Understanding (MOU) and Interconnection Security Agreements (ISA) with OPM.

This Information Security and Privacy Policy (ISPP) does not include specific procedures to implement these policies. Procedures will be developed separately and maintained by the CISO.

1.3 Compliance, Enforcement, and Exceptions

Compliance: The OPM Information Security and Privacy Policy is mandatory for all employees and contractors.

Enforcement: The CIO is responsible for continually reviewing the status of OPM's Information Security and Privacy Programs by monitoring:

- The effectiveness of security and privacy control measures;
- Compliance with existing policies, procedures, standards, and guidelines; and
- User awareness of information security and privacy.

Violations of the policy contained in the ISPP may result in the loss or limitation of access to OPM information systems and information. Anyone who violates the policy may face administrative action ranging from counseling to removal from OPM, as well as criminal penalties or financial liability, depending on the severity of the misuse. OPM employees and contractors are subject to penalties established by the Privacy Act of 1974. Certain penalties apply to the misuse or unauthorized disclosure of personally identifiable information. The Act (5 U.S.C. 552a(g)) provides for civil remedies for injured parties, including actual damages, attorney fees, and litigation costs.

A policy violation is an infringement or nonobservance of OPM policy. If a policy violation is suspected, OPM employees shall report it to their OPM supervisor, manager, associate director, or office director, as appropriate. Contractors shall report suspected violations to their contracting officer's technical representative and the System Owner. The following preemptive actions must be taken to isolate the suspected violators and systems to prevent additional risk to OPM:

- The suspected violator's group lead shall notify the OPM (Department) for additional guidance;
- Management shall be responsible for any disciplinary actions;
- The CIO shall be responsible for any technical actions; and
- The CIO shall restrict access to OPM information systems until the violator proves, to the satisfaction of the CIO, that the issue is resolved and there is no future risk.

Exceptions: Policy waivers are approved deviations from a policy requirement that are only allowed when adherence to the policy is not feasible. Only the CIO or the CISO may approve a waiver to the ISPP. Waivers will be reviewed on a case-by-case basis. Attachment D contains a formal three-page waiver request form, which must be submitted by the System Owner (SO), Information System Security Officer (ISSO), Designated Security Officer (DSO), or OPM user for consideration and approval by the CISO or CIO. Each waiver must be submitted with a compelling business case justification and risk assessment.

Adoption of the Information Security and Privacy Policy Requirements: OPM users are responsible for using the current official version of the ISPP posted on the OPM Intranet. OPM leadership will hold users responsible for adhering to the policies and standards in the current official version.

1.4 Document Organization

The Office of Personnel Management has organized this policy to address information security and privacy as follows:

Chapter 1. Contains OPM's overarching policy statement on information security and privacy. The scope and applicability are outlined, stating who the policy applies to and what resources the policy encompasses. Compliance, enforcement, and exceptions of the policy are discussed, including OPM expectations regarding these issues.

Chapter 2. Provides a general overview of security and privacy responsibilities for everyone (referred to as "OPM users") who uses, manages, operates, maintains, or develops OPM applications or data, based on specific job functions. Refer to Chapter 2 for details regarding specific roles and responsibilities. Some OPM users may have additional security and privacy responsibilities based on their job function.

Chapter 3. Provides OPM Information Security Program policy. The program provides enterprise-wide checks and balances to ensure information security efforts are maximized, and the three core principles of Confidentiality, Integrity, and Availability are sufficiently addressed for OPM.

Chapter 4. Provides OPM Privacy Program policy. The program provides direction for handling and protection of information subject to the Privacy Act.

Chapter 5. Provides OPM Management Controls policy. Management controls are security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.

Chapter 6. Provides OPM Operational Controls policy. Operational controls are the security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).

Chapter 7. Provides OPM Technical Controls policy. Technical controls are security controls (i.e., safeguards or countermeasures) that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Appendices. Contain applicable acronyms; a glossary of key terms; references to applicable laws, guidance, etc.; standard forms and templates; OPM-defined National Institute of Standards and Technology (NIST) control parameters; etc.

1.5 Maintenance of the Official Version

The CIO will review the implementation of this policy at least every three (3) years from its initial distribution, and will review and update it based on emerging information security and privacy policy requirements. When document revisions are formally approved, the IT Security and Privacy Group (ITSP) will issue a new version or an amendment to the ISPP and post it to the OPM Intranet. If a change is minor rather than substantive, the policy can be changed by the CISO with approval from the CIO, without going through the standard approval process.

Contact the Office of Personnel Management, Chief Information Security Officer, 1900 E St. NW, Washington, DC 20415-7900, or send an email to ITsecuritypolicy@opm.gov if you have questions concerning information in the Information Security and Privacy Policy.

1.6 Legal Authority

OPM developed the ISPP to comply with applicable laws and directives related to information security and privacy. This policy document acquires its legal authority from the Federal Information Security Management Act (FISMA), the Privacy Act of 1974, the E-Government Act of 2002, the Paperwork Reduction Act, the Clinger-Cohen Act of 1996, and all relevant National Institute of Standards and Technology (NIST) standards, regulations in the Code of Federal Regulations (CFR), and Office of Management and Budget (OMB) memorandums, circulars, and directives.

2. ROLES AND RESPONSIBILITIES

All Office of Personnel Management (OPM) users have information security and privacy responsibilities. The key roles and responsibilities for carrying out this policy are outlined below.

2.1 OPM Director

The Clinger-Cohen Act assigns to the agency head the responsibility for ensuring the information security policies, procedures, and practices of the executive agency are adequate. The OPM Director shall:

- Provide information security protections commensurate with the risk and magnitude of the harm that would result from the misuse of the agency's information resources, whether intentional or unintentional;
- Ensure that an information security and privacy program shall be developed, documented, and implemented;
- Ensure that information security and privacy policy shall be integrated with strategic and operational planning policy;
- Ensure that senior OPM officials within the organization shall be given the necessary authority to secure the operations and assets under their control and meet their responsibilities under security and privacy statutes and regulations;
- Designate a Chief Information Officer (CIO) and delegate authority to that individual to ensure compliance with applicable information security and privacy requirements;
- Ensure that the CIO, in coordination with other OPM officials, shall report as required by law and regulation on the effectiveness of OPM's information security and privacy program, including progress on remedial actions;
- Designate a Chief Privacy Officer (CPO) to ensure compliance with applicable privacy requirements; and
- Ensure that OPM shall train personnel to support compliance with information security and privacy policies, processes, standards, and guidelines.

2.2 Chief Information Officer (CIO)

The OPM CIO shall lead the development, management, operations, and support of the information technology (IT) infrastructure, with the assistance of the managers and staff in the Office of the Chief Information Officer (OCIO). The CIO shall be responsible for establishing and maintaining the information security and privacy program at OPM and serves as the Chief Privacy Officer (also known as the OPM Senior Agency Official for Privacy). The CIO shall:

- Develop and maintain an OPM-wide information security and privacy program, including the policies, procedures, and control techniques required;
- Report as required by law and regulation to the OPM Director on the effectiveness of OPM's information security and privacy program, including progress on remedial actions;
- Ensure compliance with information security- and privacy-related federal laws and regulations, as well as other Government-wide policies, mandates, and directives;

- Oversee the security of OPM's information resources, which shall include the security authorization of general support systems such as the network and mainframe platforms;
- Ensure the continuity of support to mission-critical systems and operations;
- Ensure the timely review and resolution of information security and privacy issues;
- Ensure implementation of the management, operational, and technical information security controls assigned to the CIO;
- Designate a Chief Information Security Officer (CISO) and a Privacy Program Manager;
- Review and sign Privacy Impact Assessments (PIA), which shall be in accordance with the OPM PIA Guide;
- Promote and support information security and privacy training for general users and those with significant information security or privacy responsibilities; and
- Monitor the activities of the OPM-wide Information Technology Security Working Group (ITSWG).

2.3 Deputy Chief Information Officer (DCIO)

The Deputy Chief Information Officer (DCIO) shall provide assistance and support in fulfilling the duties of the CIO. The DCIO shall:

- Assist the CIO in ensuring the timely review and resolution of information security and privacy issues;
- Assist the CIO in ensuring implementation of the management, operational, and technical information security controls assigned to the CIO; and
- Ensure the continuity of support to mission-critical systems and operations.

2.4 Chief Privacy Officer (CPO)

The OPM Chief Privacy Officer (CPO) shall be responsible for privacy compliance across the agency, including privacy compliance measures that apply to information security assets and activities. The CPO shall:

- Develop, promote, and support OPM's privacy program;
- Review and implement new and modified privacy policies;
- Represent OPM on interagency workgroups and initiatives involving privacy issues; and
- Review and evaluate OPM's PIAs. The OPM Privacy Impact Assessment Guide provides additional information on conducting and completing a PIA.

2.5 Chief Information Security Officer (CISO)

The Chief Information Security Officer (CISO) is designated by the CIO. The CISO serves as the CIO's primary information security adviser, and guides the information security activities of OPM's Authorizing Officials (AO), SOs, and Designated Security Officers (DSO). The CISO shall:

- Perform information security duties as the primary duty;

Head the Information Technology Security and Privacy office with the mission and resources to assist in ensuring agency compliance with information security requirements; Periodically assess risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency; Develop and maintain risk-based, cost-effective information security policies, procedures, and control techniques to address all applicable requirements throughout the life cycle of each agency information system to ensure compliance with applicable requirements; Facilitate development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems; Ensure that agency personnel, including contractors, receive appropriate information security awareness training; Train and oversee personnel with significant responsibilities for information security with respect to such responsibilities; Periodically test and evaluate the effectiveness of information security policies, procedures, and practices; Establish and maintain a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; Develop and implement procedures for detecting, reporting, and responding to security incidents; Ensure preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency; Support the agency CIO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions; Conduct/coordinate information security audits at OPM and contractor facilities; and Chair OPM s IT Security Working Group (ITSWG) and serve as secretariat. 
2.6 Information Systems Security Manager (ISSM)

The Information Systems Security Manager (ISSM) is responsible for providing assistance and support to the CISO in managing the OPM information security program, with a strong focus on supporting the implementation of appropriate security controls spelled out in the provisions of applicable information security statutes and regulations. The ISSM shall:

- Assist the CISO in the implementation and enforcement of OPM's information security and privacy policies and procedures;
- Coordinate the development of Security Assessment and Authorization documentation. Additional information can be found in OPM's Security Assessment and Authorization Procedure;
- Coordinate a standard Security Assessment and Authorization process to be used throughout the agency; provide internal Security Assessment and Authorization guidance or policy; and review security authorization packages prior to CIO review;
- Coordinate the preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support OPM's operations and assets;
- Coordinate the development, update, and release of appropriate information security awareness training; and
- Coordinate the information requested for internal and external reviews and inspections to ensure compliance with established policies and procedures.

2.7 Chief of Enterprise Architecture

The Chief of Enterprise Architecture is an individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization's core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes. Enterprise Architecture is the description of an enterprise's entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise's boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise's overall security posture.
2.8 Risk Executive (function)

The Risk Executive (function) is performed by a team comprising the CISO, Deputy CIO, Chief of Enterprise Architecture, and Chief of Quality Assurance. The Risk Executive (function) has inherent U.S. Government authority and is assigned to government personnel only. The Risk Executive (function) shall:

- Provide a comprehensive, holistic approach for addressing risk throughout OPM, an approach that provides a greater understanding of the integrated operations of OPM;
- Provide an OPM forum to consider all sources of risk (including aggregated risk) to OPM operations and assets, individuals, other organizations, and the Nation; and
- Ensure that the shared responsibility for supporting OPM mission/business functions using external providers of information and services receives the needed visibility and is elevated to the appropriate decision-making authorities.

2.9 Information Technology Security Working Group (ITSWG)

The Information Technology Security Working Group (ITSWG) oversees OPM compliance with information security mandates and OPM information security-related policies. It provides input to program office and OPM-wide planning efforts and approaches in response to emerging information security and privacy issues. Responsibilities of the ITSWG are described in the ITSWG Charter.

2.10 Privacy Program Manager

The Privacy Program Manager is responsible for overseeing the OPM privacy program, with a strong focus on protecting Personally Identifiable Information (PII) and implementing the provisions of privacy statutes and regulations. The Privacy Program Manager shall:

- Develop program plans for addressing privacy-related laws and regulations at OPM and manage implementation of the plans;
- Develop and maintain an OPM-wide information security and privacy program, including the policies, procedures, and control techniques required;
- Evolve the privacy program and address new and changing privacy policies and standards;
- Identify trends and recommend to the CISO actions to address organizational, privacy-related weaknesses identified through privacy audits and privacy-related assessments such as PIAs;
- Advise the CIO, CISO, and OPM program offices on the implications and requirements of privacy-related statutes and regulations;
- Review PIAs and recommend action to the CIO (see OPM's PIA Guide for more information);
- Develop OPM-wide privacy-related communications and training, and coordinate their delivery;
- Serve as secretariat to OPM's privacy-related action teams; and
- Track actual or suspected losses of or unauthorized access to PII, follow up on remediation efforts, and prepare reports as requested.
2.11 Authorizing Official (AO)

The Authorizing Official (AO) is an executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, and the Nation. The role of an AO has inherent U.S. Government authority and is assigned to government personnel only. Only an executive can accept risk. Risk justification must be supported with a compelling business case. With the increasing complexity of missions/business processes, partnership arrangements, and the use of external/shared services, it is possible that a particular information system may involve multiple AOs. The AO shall:

- Have budgetary oversight for an information system or be responsible for the mission and/or business operations supported by the system;
- Be accountable for the security risks associated with information system operations;
- Review Security Assessment and Authorization documentation and discuss concerns with the CISO as necessary;
- Deny authorization to operate an information system, or halt operations if the system is already operational, when unacceptable risks exist;
- Coordinate their activities with the CISO, System Owner (SO), Information System Security Officers (ISSO), Security Control Assessors, and other interested parties during the security authorization process;
- Establish agreements among AOs, if there are multiple AOs, and document them in the SSP; and
- Be responsible for ensuring all activities and functions delegated to Authorizing Official Designated Representatives are carried out.

2.12 Information Owners

Information Owners are responsible for the security of the information they own that resides within an OPM system. Information Owners are responsible for coordinating with the SO to establish controls regarding the generation, collection, processing, dissemination, and disposal of information residing on an OPM system. Information Owners shall:

- Establish rules for appropriate use and protection of OPM information;
- Safeguard all PII that OPM owns, sends, receives, or processes;
- Provide input to SOs regarding security requirements for the information systems where the information resides; and
- Determine who should have access to the information, and with what privileges and level of access.

2.13 System Owner (SO)

The System Owner is the official responsible for the overall security, procurement, development, integration, modification, or operation and maintenance of an information system.
The SO shall:

- Categorize the information system according to the potential impact to OPM of a breach of confidentiality, integrity, or availability;
- Ensure the implementation of the security controls appropriate to the risk rating established through the categorization process for the system;
- Identify and evaluate security risks and vulnerabilities and establish risk mitigation plans;
- Approve System Security Plans (SSPs); review Memorandums of Agreement or Understanding (MOA/U) and Plans of Action and Milestones (POA&Ms); and determine whether significant changes in the information systems or environments of operation require reauthorization;
- Ensure the Information Security and Privacy Policy (ISPP) is followed by all users accessing the information system;
- Ensure the management, operational, and technical information security controls are implemented and operating as intended for all of their information systems;
- Ensure system users and support personnel receive the requisite security and privacy training;
- Ensure that DSOs are identified and provide security-related support;
- Ensure that program office senior management is aware of the resources required to assess and authorize information systems, allowing appropriate work plans and budgets to be developed;
- Ensure appropriate staff (system administrators, technical developers, and other staff) are assigned to coordinate with the DSO in developing Security Assessment and Authorization documentation (see OPM's Security Assessment and Authorization Procedure for more information);
- Provide necessary system-related documentation to the CISO;
- Take appropriate steps to reduce or eliminate system vulnerabilities identified in the Security Assessment and Authorization process;
- Ensure PIAs are conducted on all systems before implementation or enhancement, in accordance with OPM's Privacy Impact Assessment Guide;
- Review acquisition documentation to ensure adequate and cost-effective security measures and safeguards are included; and
- Ensure all contracts for IT services, both software and hardware, include clauses incorporating OPM's System Security Plan (SSP) and related references.

2.14 Information System Security Officer (ISSO)

The Information System Security Officer has the detailed knowledge and expertise required to manage the security aspects of an information system and is assigned responsibility for the day-to-day security operations of a system.
The ISSO shall:

- Ensure that the appropriate operational security posture is maintained for an information system, working in close collaboration with the SO;
- Serve as a principal advisor on all matters, technical and otherwise, involving the security of an information system;
- Ensure physical and environmental protection, personnel security, incident handling, and security training and awareness;
- Assist in the development of security policies and procedures and ensure compliance with those policies and procedures; and
- Monitor a system and its environment of operation, in close coordination with the SO. This includes developing and updating the SSP, managing and controlling changes to the system, and assessing the security impact of those changes.

2.15 Designated Security Officers (DSOs)

The Designated Security Officer (DSO) is appointed by an OPM Program Office or Department to represent the interests of the program office or department in carrying out the security functions of the organization. The DSO shall:

- Work closely with the CISO, ISSO, and appropriate staff in the program offices to protect information resources from misuse, whether intentional or unintentional. This effort will involve reviewing, evaluating, and recommending appropriate information security and privacy measures along with safeguards;
- Conduct periodic security reviews of system facilities to ensure safeguards are commensurate with the system information being stored, processed, or transmitted;
- Update system security documentation and work with the SO and ISSO to assess the security impact of any information system changes;
- Coordinate with the Software Development Managers and ensure security requirements and issues are addressed consistent with this policy;
- Assist the CISO, Information Systems Security Manager, and ISSO in the identification, implementation, and assessment of common security controls;
- Ensure the implementation of any necessary modifications and correct security control deficiencies found during security assessment testing;
- Advise users of the security features and procedures to be used for information systems;
- Establish access control criteria and administrative procedures consistent with OPM policy;
- Review and approve new user accounts for system and network access after obtaining supervisor or management approval;
- Ensure the development and timely completion of security and privacy reports, including those related to POA&Ms, system inventory, security controls testing and monitoring, contingency plan testing, etc.;
- Ensure all actual and suspected security incidents and breaches of PII are reported to the OPM Situation Room (SitRoom);
- Assist in the investigation of actual or suspected security incidents and breaches of PII as appropriate;
- Participate in internal/external reviews, inspections, and audits to ensure compliance with federal laws and OPM policy;
- Coordinate with the CISO to advise contracting officers developing or administering contracts on behalf of OPM regarding the content and implementation of contract clauses related to OPM's information security and privacy policy;
- Review acquisition documentation to ensure the inclusion of appropriate information security-related clauses, consistent with this policy and the Policy on IT Procurement;
- Develop and maintain (with the assistance of the CISO) an annually verified list of systems requiring security authorization;
- Coordinate the Security Assessment and Authorization process for program office systems (see OPM's Security Assessment and Authorization Procedure for more information); and
- Attend monthly ITSWG meetings and participate in ITSWG activities.

2.16 Network Managers

The Network Manager of any network that handles OPM applications or data, wherever the network resides, provides in-depth technical information security support for OPM's infrastructure. The Network Manager shall:

- Manage and implement appropriate server, desktop, and network information security practices in accordance with OPM's Information Security and Privacy Policy (ISPP);
- Plan and manage day-to-day security-related activities and install and operate appropriate hardware and software needed to safeguard and protect information resources from misuse, whether intentional or unintentional;
- Work closely with the CISO, Information Systems Security Manager, Privacy Program Manager, and DSO, as appropriate, to review, evaluate, and recommend appropriate computer security measures and safeguards to protect information resources from misuse, whether intentional or unintentional;
- Manage or oversee incident reporting activities relevant to OPM information as appropriate, which may include service as the point of contact for the United States Computer Emergency Readiness Team (US-CERT). This responsibility is shared with the CISO; and
- Assist in the investigation of actual and suspected security incidents and breaches of PII as appropriate.

2.17 Data Center Managers

The Data Center Manager of any facility that handles OPM applications or data, wherever the data center resides, provides information security protection for OPM's data. The Data Center Manager shall:

- Plan and manage day-to-day security-related activities and install and operate the appropriate hardware and software needed to safeguard and protect information resources from misuse, whether intentional or unintentional;
- Formulate, test, and maintain contingency and Disaster Recovery Procedures and Plans;
- Work closely with the CISO, Information Systems Security Manager, Privacy Program Manager, and DSO, as appropriate, to review, evaluate, and recommend appropriate computer security measures and safeguards to protect information resources from misuse, whether intentional or unintentional;
- Coordinate with the CISO to advise contracting officers developing or administering contracts on behalf of OPM regarding the content and implementation of contract clauses related to OPM's information security and privacy policy;
- Review other acquisition documentation to ensure the inclusion of appropriate information security-related clauses, consistent with this policy and the Policy on IT Procurement;
- Ensure regular backups of data, software, applications, and information; and
- Report any actual or suspected breaches of PII to the OPM Situation Room (SitRoom), in accordance with the reporting procedures on the Privacy Web pages on the OPM Intranet.

2.18 Software Development Managers

The Software Development Manager provides software development security support for OPM users, contractors, and non-OPM organizations or their representatives who are granted authorized access to OPM's development environment. The Software Development Manager shall:

- Plan, direct, and coordinate all activities associated with the development of software policies and procedures, software certification processes, and resolution of technical issues;
- Collaborate with the database, network, and data center managers to manage audit records showing the addition, modification, or deletion of information from an information system;
- Assess all security controls in an information system during the initial security authorization;
- Develop, document, and maintain a current OPM baseline guidance configuration of the information system and an inventory of the system's constituent components; and
- Enforce access restrictions associated with changes to the information system and maintain records associated with changes to system accesses.

2.19 Database Managers

The Database Manager provides in-depth technical information security support for OPM users, contractors, and non-OPM organizations or their representatives who are granted authorized access to OPM's database infrastructure. The Database Manager shall:

- Formulate, test, and maintain disaster recovery and contingency plans and procedures;
- Work closely with appropriate personnel (i.e., CISO, Information Systems Security Manager, Privacy Program Manager, and DSO) to review, evaluate, and recommend appropriate computer security measures and safeguards to protect information resources from misuse, whether intentional or unintentional;
- Ensure the integration of security and privacy policies into database design and maintenance for those databases that process OPM information;
- Coordinate with the CISO to advise contracting officers developing or administering contracts regarding the content and implementation of contract clauses related to OPM's Information Security and Privacy Policy (ISPP); and
- Review other acquisition documentation to ensure the inclusion of appropriate information security-related clauses, consistent with this policy and the Policy on IT Procurement.

2.20 Security Control Assessor

The Security Control Assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). The Security Control Assessor shall:

- Assess the management, operational, and security controls detailed in the System Security Plan of an information system in support of security authorization;
- Provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation;
- Recommend corrective actions to address identified vulnerabilities;
- Prepare the final security assessment report containing the results and findings from the assessment;
- Provide specific recommendations on how to correct weaknesses or deficiencies in the controls and address identified vulnerabilities; and
- Prepare a recommendation for security authorization of the system for CISO and AO review and approval per the OPM Security Assessment and Authorization Procedure.

2.21 OPM Managers and Supervisors

All OPM Managers and Supervisors are responsible for carrying out the applicable provisions of this policy and for supervising or directing the users who work for them to ensure their compliance with this policy. OPM Managers and Supervisors shall:

- Implement and enforce this policy;
- Instruct their employees and contractors on the importance of following OPM's Security and Privacy Policy and Procedures;
- Ensure employees and contractors have appropriate background investigations;
- Ensure employees and contractors are appropriately trained for their information security- and privacy-related job activities;
- Determine appropriate access requirements for employees and contractors;
- Work with the Office of the CIO to limit OPM users' access to only those information resources needed to complete assigned job activities; and
- Review and approve new user accounts for system and network access.
2.22 Physical Security Manager

The OPM Physical Security Manager (PSM), located at the OPM Headquarters Office in Washington, DC, shall establish security standards/guidelines and monitor implementation at the Headquarters Office. The same standards apply at other OPM facilities; however, the Facility Managers are responsible for implementing associated controls within those locations. The PSM shall monitor the implementation of OPM physical standards to ensure compliance at all OPM facilities. The PSM reviews facilities' physical access authorizations before access is granted, and reviews authorizations when individuals are reassigned or transferred to other positions within the organization. The PSM shall ensure:

- Physical security-related incidents, including loss of or damage to OPM-issued property, threats, assaults, or other criminal activity involving OPM, are remediated;
- Review, coordination, and writing of physical security plans, directives, checklists, procedures, policies, assessments, and surveys;
- Establishment and implementation of physical security access control measures, procedures, and guidelines;
- Screening of individuals (i.e., conducting background investigations) requiring access to OPM facilities, information, and information systems is completed before authorizing access; and
- Upon termination, access is terminated, exit interviews are conducted, all OPM information system-related property (e.g., keys, identification cards, building passes) is returned, and appropriate personnel have access to official records created by the terminated employee that are stored on OPM information systems.

2.23 Facility Manager

OPM Facility Managers are primarily responsible for building maintenance (e.g., HVAC, lighting, power, fire suppression, etc.). However, Facility Managers located at non-headquarters facilities are responsible for implementing physical security controls following standards and guidelines established by the Physical Security Manager (PSM). The Facility Manager shall ensure implementation of the following at OPM facilities:

- Physical security controls at non-headquarters facilities;
- Redundant and parallel power cabling paths;
- Automatic voltage controls;
- A long-term alternate power supply for the information system that is capable of maintaining the minimally required operational capability in the event of an extended loss of the primary power source;
- A long-term alternate power supply that is not reliant on external power generation;
- Emergency lighting for all areas within the facility supporting essential missions and business functions;
- Fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire;
- Temperature and humidity controls to maintain conditions that are conducive to maintaining information system longevity and functionality; and
- Mechanisms that protect the information system from water damage.

2.24 OIG Role

The role of the Office of Inspector General (OIG) is to ensure Federal Information Security Management Act (FISMA) compliance. The OIG evaluates how National Institute of Standards and Technology (NIST) guidance is applied in the context of its mission/business responsibilities, operational environment, and unique organizational conditions. The OIG performs a yearly assessment of agency information systems, assessing OPM compliance with FISMA and NIST Special Publications, to assure that the security posture is valid and sound according to NIST standards and guidelines.

2.25 Contracting Officers and Procurement Officers

Office of Personnel Management contracting officers are responsible for dealing with contractors and have sole authority to solicit proposals and negotiate, award, and modify contracts on behalf of OPM. Contracting Officers and Procurement Officers shall:

- Ensure all contracts for IT hardware, software, and services include clauses incorporating OPM's Information Security and Privacy Policy and related references; and
- Ensure all contracts entailing the use of PII in paper or electronic form include clauses incorporating OPM's Information Security and Privacy Policy (ISPP) and related references.

2.26 Contracting Officer's Technical Representative (COTR)

OPM Contracting Officer's Technical Representatives (COTR) are responsible for ensuring OPM-IT contractor business relationships are mutually beneficial and provide those products and services OPM needs. The COTR is a technical information conduit, business partner, and contracting and regulatory liaison between OPM and the IT contractor. The COTR shall:

- Ensure that a security clause for Federal Information Security Management Act (FISMA) compliance is added to all IT contracts;
- Notify the help desk and physical security of all departing contractors so associated accounts can be disabled to prevent system access;
- Ensure that contractors complete annual security awareness training;
- Recommend, with full justification, whether to provide government IT property to a contractor for a proposed procurement;
- Maintain appropriate files to support the awarded IT contract through the completed task;
- Assist and participate in the post-award orientation apprising the IT contractor of all post-award rights, duties, and milestones of both parties affecting substantial performance;
- Monitor the acquisition, control, and disposition of OPM IT property by OPM personnel and by the IT contractor;
- Assess IT contractors for any loss, damage, or destruction of property; and
- Document IT contractor performance.

2.27 OPM Users (Internal and External)

An OPM user is anyone who uses, manages, operates, maintains, or develops OPM applications or data. OPM users are responsible for complying with this policy and protecting information resources from loss, theft, misuse, unauthorized access, destruction, unauthorized modification, disclosure, or duplication (intentional or unintentional). The term information resources includes both Government information and information technology.