2.0 ROLES AND RESPONSIBILITIES



Similar documents
ClOP CHAPTER Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1

5 FAM 670 INFORMATION TECHNOLOGY (IT) PERFORMANCE MEASURES FOR PROJECT MANAGEMENT

A. This Directive applies throughout DHS, unless exempted by statutory authority.

U.S. Department of Education. Office of the Chief Information Officer

UNITED STATES DEPARTMENT OF THE INTERIOR BUREAU OF LAND MANAGEMENT MANUAL TRANSMITTAL SHEET

United States Department of Health & Human Services Enterprise Architecture Program Management Office. HHS Enterprise Architecture Governance Plan

Section 37.1 Purpose Section 37.2 Background Section 37.3 Scope and Applicability Section 37.4 Policy... 5

Legislative Language

HHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC)

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM

U.S. Department of Energy Washington, D.C.

UNITED STATES PATENT AND TRADEMARK OFFICE. Information Technology Investment Review Board. Agency Administrative Order TABLE OF CONTENTS

DIRECTIVE TRANSMITTAL

Information Security Handbook: A Guide for Managers

Value to the Mission. FEA Practice Guidance. Federal Enterprise Architecture Program Management Office, OMB

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

CMS Policy for Information Security and Privacy

Guide for the Security Certification and Accreditation of Federal Information Systems

5 FAM 620 INFORMATION TECHNOLOGY (IT) PROJECT MANAGEMENT

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

U.S. Department of the Treasury. Treasury IT Performance Measures Guide

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

IT Project Governance Manual Version 1.1

Approved by the Assistant Secretary for Administration and Management (ASAM) on 2/28/2003 and 68 FR 1

TITLE III INFORMATION SECURITY

Public Law th Congress An Act

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years

NARA s Information Security Program. OIG Audit Report No October 27, 2014

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

INFORMATION SECURITY

U.S. Department of Energy Washington, D.C.

Department of Homeland Security

Guide to IT Capital Planning and Investment Control (CPIC)

NASA OFFICE OF INSPECTOR GENERAL

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

MD 12.5 NRC CYBER SECURITY PROGRAM DT-13-15

CMS Policy for Information Technology (IT) Investment Management & Governance

Small Business. Leveraging SBA IT resources to support America s small businesses

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

USAID Management Operations Council Charter

5 FAM 630 DATA MANAGEMENT POLICY

No. 33 February 19, The President

OPM System Development Life Cycle Policy and Standards. Table of Contents

Guideline for Mapping Types of Information and Information Systems to Security Categorization Levels SP AP-2/03-1

Office of the Chief Information Officer

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

STATEMENT OF CHARLES EDWARDS DEPUTY INSPECTOR GENERAL U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

How To Understand The Role Of Enterprise Architecture In The Context Of Organizational Strategy

STATE OF HAWAII CHIEF INFORMATION OFFICER AND THE OFFICE OF INFORMATION MANAGEMENT AND TECHNOLOGY UPDATE ON THE INFORMATION TECHNOLOGY STRATEGIC PLAN

A. Enhanced Delivery of Information and Services to the Public - Sec. 101, 3602

A Role-Based Model for Federal Information Technology/ Cybersecurity Training

Standards for Security Categorization of Federal Information and Information Systems

U.S. Department of Education Federal Student Aid

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Publication Number: Third Draft Special Publication Revision 1. A Role Based Model for Federal Information Technology / Cyber Security Training

INSPECTION CLOUD COMPUTING SECURITY DOCUMENTATION IN THE CYBER SECURITY ASSESSMENT MANAGEMENT SOLUTION

Identification And Review Of The Department s Major Information Technology Systems Inventory

STATEMENT OF SYLVIA BURNS CHIEF INFORMATION OFFICER U.S. DEPARTMENT OF THE INTERIOR BEFORE THE

Get Confidence in Mission Security with IV&V Information Assurance

IT Baseline Management Policy. Table of Contents

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Audit of the Department of State Information Security Program

Department of Defense DIRECTIVE

Subject: Critical Infrastructure Identification, Prioritization, and Protection

FISMA Compliance: Making the Grade

NISTIR 7359 Information Security Guide For Government Executives

December 17, 2003 Homeland Security Presidential Directive/Hspd-7

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

Information Security for Managers

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

Capital Planning and Investment Control Guide

NASA S PROCESS FOR ACQUIRING INFORMATION TECHNOLOGY SECURITY ASSESSMENT AND MONITORING TOOLS

U.S. Department of Energy Office of Inspector General Office of Audit Services. Audit Report. Security Over Wireless Networking Technologies

Information Resources Management (IRM) Strategic Plan

State of Minnesota IT Governance Framework

UNITED STATES DEPARTMENT OF THE INTERIOR BUREAU OF LAND MANAGEMENT MANUAL TRANSMITTAL SHEET Data Administration and Management (Public)

Enhancing NASA Cyber Security Awareness From the C-Suite to the End-User

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

FITARA Implementation M-15-14: Management and Oversight of Federal IT

Baseline Cyber Security Program

United States Antarctic Program Information Resource Management Directive The USAP Information Security Program

Transcription:

2.0 ROLES AND RESPONSIBILITIES This handout describes applicable roles and responsibilities for the Capital Planning and Investment Process (CPIC) as presented in the NIST Integrating IT Security into Capital Planning and Investment. It includes a discussion of roles and responsibilities of stakeholders in the various organizational models within federal agencies. Figure 2-1. IT Management Hierarchical Diagram 2.1 Head of Agency The head of the agency is accountable for the security posture of the organization s information technology (IT) infrastructure and is ultimately responsible for completing and submitting annual reports. This position controls both the security policy and the resource budget and has final management responsibility for resource allocation. The head of the agency has the following responsibilities related to integrating IT security into the IT CPIC process Complying with the Federal Information Security Management Act (FISMA) requirements and the related information resource management policies and guidance including Office of Management and Budget (OMB) Circular A-130, NIST Integrating IT Security into 1

established by the Director of OMB, and the related IT standards promulgated by the Secretary of Commerce Ensuring the information security and resource management policies and guidance established are integrated with agency-strategic and operational planning processes under FISMA and are communicated promptly and effectively to all relevant officials within their agency Supporting the efforts of the director and the administrator of the General Services Administration to develop, maintain, and promote an integrated Internetbased system of delivering Federal Government information and services to the public Ensuring that senior agency officials provide information security for the information and information systems that support the operations and assets under their control Establishing strategic agency missions and vision (establish goals that flow down to budget, IT, and security themes) and ensuring that information security management processes are seamlessly integrated into those processes and documents Ensuring that the information protection is commensurate with the risk and magnitude of harm resulting from the information s compromise Approving the overall annual IT budgets and overall portfolio (with appropriate security integrated) developed through Investment Review Board (IRB) process Establishing priorities to achieve improvements in compliance to the President s Management Agenda. 2.2 Senior Agency Officials Senior agency officials provide information security for the information and information systems that support the operations and assets under their control, under the direction of the head of the agency. These duties include Assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information systems under their control Determining the levels of information security appropriate to protect information systems under their control Implementing policies and procedures to cost effectively reduce risks to an acceptable level Periodically testing and evaluating information security controls and techniques to ensure they are effectively implemented NIST Integrating IT Security into 2

Delegating to the agency Chief Information Officer (CIO) the authority to ensure compliance with agency security requirements Providing senior IT advice to the head of each agency and the Management Review Board. 2.3 Chief Information Officer The Information Technology Management Reform Act of 1996 (also known as the Clinger-Cohen Act) requires agencies to appoint CIOs. The agency CIO is the senior IT advisor to the IRB and the head of the agency. In this capacity, the CIO Assists senior agency officials with IT issuesdevelops and maintains an agencywide information security program Develops and maintains risk-based information security policies, procedures, and control techniques Designates a senior agency information security officer to carry out CIO directives as required by FISMA Designs, implements, and maintains processes for maximizing the value and managing the risks of IT acquisitions Presents proposed IT portfolios to the IRB Provides final portfolio endorsements Presents and recommends control and evaluates decisions and recommendations Ensures IT training for agency staff and oversees IT security personnel. 2.4 Senior Agency Information Security Officer As mandated by FISMA, the senior agency information security officer is appointed by the CIO and manages information security throughout the agency. The senior agency information security officer is responsible for coordinating program requirements throughout the agency with designated points of contact and project managers, including Developing and maintaining an agency-wide information security program Issuing annual IT planning guidance, including security themes, objectives, and prioritization criteria for new and legacy systems. Developing and maintaining information security policies, procedures, and control techniques Assisting senior agency officials concerning their responsibilities. NIST Integrating IT Security into 3

2.5 Chief Financial Officer The agency chief financial officer (CFO) is the senior financial advisor to the IRB and the head of the agency. In this capacity, the CFO is responsible for Reviewing cost goals of each major investment Reporting financial management information to OMB as part of the President s budget Complying with legislative and OMB-defined responsibilities as they relate to IT capital investments Reviewing systems that impact financial management activities Forwarding investment assessments to the IRB. 2.6 Investment Review Board The members of the IRB evaluate existing and proposed IT investments to determine the appropriate mix of investments that will allow the agency to achieve its goals. The IRB Is composed of the CFO and organization and bureau management Operates at the enterprise level Approves the CIO s IT strategic guidance, including security themes and prioritization criteria (these themes and criteria need to reflect the evolving needs to security) Approves the controls and evaluates the IT portfolio with embedded security requirements, objectives, measures, and milestones Ensures alignment of President s Management Agenda (PMA) achievement, strategic agency missions, and vision with IT security themes and criteria. 2.6.1 Technical Review Board The Technical Review Board (TRB) is comprised of OCIO elements (cyber security and architecture plus others), managers, and other applicable members. In this capacity, the TRB Conducts detailed IT investment review and security analysis and reviews business cases for security requirements Balances IT investment portfolios based on CIO/IRB IT security themes and prioritization criteria Acts as a Department focal point for coordinating OCIO strategic planning, architectural standards, and outreach to organizations and bureaus. NIST Integrating IT Security into 4

2.6.2 IT Capital Planning and Architecture Subcommittees Responsibilities of the IT Capital Planning and Architecture Subcommittees are to Provide expertise on areas from OCIO and Operating Units, and as subject matter experts, perform an advisory function Translate OMB IT capital planning security guidance into operational and internal process control enhancements Supply process improvements and provide Enterprise Architecture support for the Technical Review Board. 2.7 Operating Unit Executive Management Operating Unit Executive Management focuses on processes for integrating IT security themes into business cases and the OMB Exhibit 53/300 process. 2.8 Project Manager/System Owner The project manager has overall responsibility for coordinating the management and technical aspects of the life cycle of a system. Responsibilities of a project manager may include (but are not limited to) the following Developing a project management plan that integrates security throughout the life cycle Developing a cost and schedule baseline and completing a project within schedule and budget constraints while meeting the customer s needs Coordinating the development, implementation, and operation and maintenance of a system with appropriate units within an agency Reporting the results of projects to the system owner and other appropriate agency staff Presenting, when appropriate, the progress of critical projects to the OCIO, the IRB, and other applicable review entities. The system owner is located within the bureau/operating unit benefiting from or requesting the systems project/investment and is frequently thought of as the customer for that project. The system owner performs the following functions Maintains active senior-level involvement throughout the development of the system Participates in project review activities and reviews project deliverables Coordinates activities with the agency senior IT executive NIST Integrating IT Security into 5

Obtains and manages the budget throughout the project's life cycle against a project manager s delivered, locked baseline Holds review and approval authority for ensuring that developed products incorporate security and meet user requirements Provides baseline assessment performance measures to evaluate the security of the delivered IT initiative. NIST Integrating IT Security into 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information