Information Resource Management Directive 5000.04 USAP Information Security Risk Management



Similar documents
Information Resource Management Directive The USAP Security Assessment & Authorization Program

Information Resource Management Directive USAP Information Security Architecture

Information Resource Management Directive USAP Information Security Awareness, Training and Education Program

Information Resource Management Directive USAP Contingency & Disaster Recovery Program

United States Antarctic Program Information Resource Management Directive The USAP Information Security Program

Information Resource Management Directive USAP Software Management and Protection

Information Resource Management Directive USAP Information Security Incident Management

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

EPA Classification No.: CIO P-02.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

INFORMATION PROCEDURE

Information Security for Managers

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

Information System Rules of Behavior ICT-INST_ USAP Enterprise Information Infrastructure

Office of Inspector General

Guideline for Mapping Types of Information and Information Systems to Security Categorization Levels SP AP-2/03-1

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

ISMS Implementation Guide

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

Atlanta Public Schools. National Science Foundation Award Number ESR Financial Schedules. and. Independent Auditors' Reports

Information Security Program CHARTER

Virginia Commonwealth University School of Medicine Information Security Standard

Security Control Standard

Audit of the Department of State Information Security Program

Minimum Security Requirements for Federal Information and Information Systems

Information Security for IT Administrators

Office of Inspector General

Guideline for Roles & Responsibilities in Information Asset Management

University of Sunderland Business Assurance Information Security Policy

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Standards for Security Categorization of Federal Information and Information Systems

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

UF IT Risk Assessment Standard

Get Confidence in Mission Security with IV&V Information Assurance

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

OFFICE OF INSPECTOR GENERAL. Audit Report. Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security

EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human Health and the Environment

Legislative Language

Guidelines 1 on Information Technology Security

COMMERCIALISM INTEGRITY STEWARDSHIP. Security Breach and Weakness Policy & Guidance

Risk Management Guide for Information Technology Systems. NIST SP Overview

NIST National Institute of Standards and Technology

Department of Veterans Affairs VA Handbook Information Security Program

National Information Assurance Certification and Accreditation Process (NIACAP)

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

Audit of Veterans Health Administration Blood Bank Modernization Project

CMS Information Security Risk Assessment (RA) Methodology

Federal Information Security Management Act FY 2013 Independent Evaluation Report, Report Number

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

NASA Information Technology Requirement

FSIS DIRECTIVE

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

TITLE III INFORMATION SECURITY

Standard Operating Procedure Information Security Compliance Requirements under the cabig Program

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

2.0 ROLES AND RESPONSIBILITIES

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5),

Department of Veterans Affairs VA HANDBOOK CONTRACT SECURITY

5 FAM 620 INFORMATION TECHNOLOGY (IT) PROJECT MANAGEMENT

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

UF Risk IT Assessment Guidelines

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

In Brief. Smithsonian Institution Office of the Inspector General

POSTAL REGULATORY COMMISSION

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

Information Security Program

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Audit Report. Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland, Oregon

Department of Veterans Affairs VA DIRECTIVE 6601 REMOVEABLE STORAGE MEDIA

PBGC Information Security Policy

U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL

Appendix A: Rules of Behavior for VA Employees

How To Get The Nist Report And Other Products For Free

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

ENTERPRISE RISK M A NAGEMENT POLICY

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE

How To Check If Nasa Can Protect Itself From Hackers

NASA OFFICE OF INSPECTOR GENERAL

HEALTHCARE SECURITY AND PRIVACY CATALOG OF SERVICES

HHS Information System Security Controls Catalog V 1.0

California Independent System Operator Corporation Code of Conduct Certification Process Report of Independent Accountants January 22, 2010

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

PRIVACY ACT COMPLIANCE

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

FACT SHEET: Ransomware and HIPAA

NARA s Information Security Program. OIG Audit Report No October 27, 2014

UNITED STATES COMMISSION ON CIVIL RIGHTS. Fiscal Year 2012 Federal Information Security Management Act Evaluation

SYSTEM NAME: Digital Identity Access Management System (DIAMS) - P281. SYSTEM LOCATION: U.S. Department of Housing and Urban Development, 451 Seventh

NSW Government Digital Information Security Policy

Federal Communications Commission Office of Inspector General

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

OFFICIAL USE ONLY. Department of Energy. DATE: January 31, 2007 Audit Report Number: OAS-L-07-06

HIPAA BUSINESS ASSOCIATE AGREEMENT

Overview of the HIPAA Security Rule

Transcription:

The National Science Foundation Polar Programs United States Antarctic Program Information Resource Management Directive 5000.04 USAP Information Security Risk Management Organizational Function Information Resource Management Policy Number Issue Date 5000.04 1 August 2004 Policy Category Subject Office of Primary Responsibility Information Security Policies and Instructions Risk Management National Science Foundation Geosciences Directorate Division of Polar Programs Antarctic Infrastructure & Logistics Effective Date Updated Authorized By Responsible Official 1 August 2004 11 May 2013 Section Head, NSF/GEO/PLR/AIL Primary Responsibility: Mr. Patrick D. Smith Technology Development Manager Address Distribution Online Publication Suite 755 4201 Wilson Blvd Arlington, VA 22230 USAP-Wide http://www.usap.gov/technology/contenthandler.cfm?id=1563 Phone Fax Web Status Security Responsibility: Ms. Desari Mattox USAP Information Security Manager 703.292.8032 703.292.9080 http://www.nsf.gov/div/index.jsp?div=plr Final Policy 1. PURPOSE This policy establishes the Information Security Risk Management program for information resources supporting the National Science Foundation (NSF), Geosciences Directorate (GEO), Polar Programs (PLR), United States Antarctic Program (USAP). Risk is the possibility of something adverse happening. Risk management is the process of reducing risk by identifying, analyzing, controlling, and minimizing losses associated with events to a point acceptable to an organization. From a security perspective, risk is a function of the likelihood of a given threat source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. 2. BACKGROUND Federal information technology regulations require USAP information resources to undergo an Information Security Risk Management process to identify the risks Page 1

associated with their operation and to take steps to reduce, and maintain that risk to an acceptable level. 3. GUIDING PRINCIPLES Risk Management is integral to the development and operation of information resources. 4. POLICY The USAP risk management process applies to all USAP information resources. 4.1 Operational Definitions 4.1.1 Risk Risk is the possibility of something adverse happening. From a security perspective, risk is a function of the likelihood of a given threat source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. 4.1.2 Risk Assessment The technical evaluation of an information system's security features, safeguards, and vulnerabilities that establish the extent to which the system meets requirements to withstand identified threats at specified levels of risk and probability. The process includes quantifying the impact of potential threats, by putting a price or value on the cost of a lost functionality. 4.1.3 Threat Any circumstance or event with the potential to cause harm to the NSF USAP through the disclosure, modification or destruction of information, or by the denial of critical services. 4.1.4 Vulnerability The absence or weakness of a safeguard in an information system s security procedures, design, implementation, or internal controls that could be exploited in an unauthorized manner, resulting in a security breach or a violation of security policies. 4.2 Information Security Risk Management The USAP Information Security Manager (ISM) will establish an information security risk management process to identify, analyze, control, and minimize the losses associated with identified threats and vulnerabilities. The program will include procedures for performing information security risk assessments to quantify the impact of potential threats and assign values on the cost of a lost functionality. 4.3 Affected Information Systems All USAP information resources are covered under this policy. The ISM in conjunction with all USAP operational locations, will establish and maintain a list of identified threats Page 2

and potential losses associated with those threats, and implement appropriate risk reduction measures. Using the guidelines in NSF Manual 7, The NSF Information Security Handbook, the list will be updated periodically, or when major events occur. A copy of this list will be maintained in the contingency plan for each site. 4.4 Participation All USAP organizational elements, U.S. Government employees, research grantees, private citizens, contractors and sub-contractors personnel, and foreign nationals will support the information security risk management program in an appropriate manner. 4.5 Site Information Security Assessments To comply with NSF guidance, the ISM will perform annual risk assessments for each USAP operating location. 4.6 New Information Systems To comply with OMB Circular A-130, all new information systems acquired or developed for NSF PLR to support USAP science or operations requirements will incorporate the NIST Risk Management process in their project and system life cycle planning. 4.7 Commercial Off-The-Shelf Applications Commercial off-the-shelf (COTS) applications will be evaluated to assess the risks associated with their use. The evaluation will use the common criteria where applicable. 4.8 Legacy Information Systems Older information systems that play critical roles in the accomplishment of USAP science or operations tasks, but that have exceeded their design lives will be assessed to determine the risks associated with their continued operation. 4.9 Science Grant Information Systems Information systems employed within a science grant project that are managed by the grant team. These systems are typically procured using NSF grant funds, or funds from the sponsoring institution. For the purposes of the USAP, these systems are typically considered non-usap systems. Per direction of PLR, these systems will be assessed to determine the risks associated with their connection to the USAP information infrastructure. 5. APPLICABILITY AND COMPLIANCE This policy applies to all information resources, systems, and technology and to all users of these resources, systems and technology within the USAP operating environment or connected to the USAP information infrastructure. Compliance with this policy is as indicated in USAP Information Resource Management Directive 5000.01, The USAP Information Security Program. Page 3

6. RESPONSIBILITIES Within the NSF and the USAP, several elements have specific responsibilities with respect to the information security risk management program. 6.1 USAP Information Security Manager The USAP ISM develops and implements the information security risk management process, in alignment with guidance from the NSF Chief Information Officer (CIO) and NSF Information Security Officer (ISO). 6.2 USAP Information Systems Owners Owners of USAP information systems ensure their systems comply with appropriate federal guidelines for risk assessment and risk management. 7. POLICY IMPLEMENTATION 7.1 Implementation The ISM will develop appropriate processes, standards, and procedures to implement the USAP information security risk management program. USAP organizational elements will document and publish procedures as appropriate to implement specific tasks needed to comply with this policy. 8. AUTHORITY Publication of this policy is in conformance with the authority of the National Science Foundation Act of 1950, as amended and extended, the Federal Information Security Management Act of 2002 and NSF guidance. Brian Stone Section Head, NSF/GEO/PLR/AIL Page 4

REVISION/CHANGE RECORD Pages Date Version Author/Reviewer Reason for Change All 6/9/2011 1.0 Matthew Rogers All 5/3/2012 2.0 Alex Jerasa All 5/11/2013 3.0 Desari Mattox Verified alignment with NIST Special Publication 800-53 Revision 2. Changed ISM name. Updated key contacts and conducted FY12 review Updated OPP and AIL titles to align with NSF re- organization & Verify alignment with NIST SP 800-53 rev 3. Page 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information