APPENDIX B. State of Montana Security Roles and Responsibilities



Similar documents
Guide for the Role and Responsibilities of an Information Security Officer Within State Government

Data Security Incident Response Plan. [Insert Organization Name]

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

R345, Information Technology Resource Security 1

Utica College. Information Security Plan

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

Information Security Program

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

How To Check If Nasa Can Protect Itself From Hackers

REPORT NO OCTOBER 2012 UNIVERSITY OF FLORIDA. Operational Audit

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

2014 Audit of the Board s Information Security Program

HIPAA COMPLIANCE PLAN. For. CHARLES RETINA INSTITUTE (Practice Name)

Ethical Considerations for Lawyers Using the Cloud

Classification: Computer Information Technology Specialist II (CITS II) Information Security Unit Title Code: V08005 Pay Range: 33

Qatar University Information Security Policies Handbook November 2013

Information Resources Security Guidelines

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

DISTRICT OF COLUMBIA RETIREMENT BOARD Position Vacancy Announcement

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

Rowan University Data Governance Policy

2.5.1 Policy on Responsible Use of University Computing Resources Introduction This policy governs the proper use and management of all University of

Institutional Data Governance Policy

Information Security Program CHARTER

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

Supporting FISMA and NIST SP with Secure Managed File Transfer

Information Security Program Management Standard

University Information Technology Security Program Standard

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

ITIL 2011 Lifecycle Roles and Responsibilities UXC Consulting

PHILADELPHIA POLICE DEPARTMENT DIRECTIVE 7.18

EPA Needs to Strengthen Its Privacy Program Management Controls

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

DHHS Directive Number II-12

City of Moreno Valley Date Adopted: April 6, 2007 CLASS SPECIFICATION Applications and Database Administrator

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

CIOP CHAPTER Common Operating Environment (COE) Services Management Policy TABLE OF CONTENTS. Section Purpose

Security Controls What Works. Southside Virginia Community College: Security Awareness

INFORMATION ASSURANCE PROGRAM

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

State Agency Manual of Records Management Policies

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

INFORMATION SECURITY STRATEGIC PLAN

Virginia Commonwealth University Information Security Standard

Professional Level Public Health Informatician

Department of Administration Goals and Objectives

Publication 805-A Revision: Certification and Accreditation

Our mission is to help our clients. maintain 401(k) compliance and avoid unnecessary risk. COLLABORATION. COMPLIANCE. CONVENIENCE.

Department of Veterans Affairs VA Handbook Information Security Program

United States Antarctic Program Information Resource Management Directive The USAP Information Security Program

Montana Legislative Fiscal Division. September 15, Prepared by Greg DeWitt, Senior Fiscal Analyst Pamela Joehler, Senior Fiscal Analyst

COMPLIANCE BENEFITS OF SAP ARCHIVING

Information Resource Management Directive USAP Information Security Awareness, Training and Education Program

Department of Defense DIRECTIVE

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

Integrated Governance, Risk and Compliance (igrc) Approach

Plan Development Getting from Principles to Paper

NSW Government Digital Information Security Policy

CITY OF HOUSTON. Executive Order. Information Technology (IT) Governance

September 2005 Report No

Part A OVERVIEW Introduction Applicability Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

10. Bureau of Information Technology

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

Guideline for Roles & Responsibilities in Information Asset Management

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

SENIOR INFORMATION SYSTEMS MANAGER

FAIR Act Inventory Functions and Service Contract Inventory Product Service Codes Crosswalk Attachment I

State of Montana Montana Board of Crime Control. Agency IT Plan Fiscal Year

A Management Perspective

Office of Inspector General

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

BPA Policy Cyber Security Program

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Information Technology Division

V E H I C L E / E Q U I P M E N T R E P AI R T E C H N I C I AN S U P E R V I S O R Schematic Code ( )

Information Management Responsibilities and Accountability GUIDANCE September 2013 Version 1

Technical Competency Framework for Information Management (IM)

Achieving Security through Compliance

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Guideline for Mapping Types of Information and Information Systems to Security Categorization Levels SP AP-2/03-1

Contingency Plan 32 Success Secrets. Copyright by Philip Downs

PART 10 COMPUTER SYSTEMS

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

Security Control Standard

Information Technology Engineers Examination. Network Specialist Examination. (Level 4) Syllabus. Details of Knowledge and Skills Required for

Executive Management of Information Security

For additional information on T.I.P.S. please call us at or

SRA International Managed Information Systems Internal Audit Report

Guide for the Security Certification and Accreditation of Federal Information Systems

AUDITING A BCP PLAN. Thomas Bronack Auditing a BCP Plan presentation Page: 1

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Legislative Audit Division State of Montana. Criminal Justice Information Network (CJIN)

Controlling Data Resources in Distributed Environments Barbara Grant

Project Review Board Governance Guide

CLASSIFICATION SPECIFICATION FORM

Electronic Records Management

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

July 2013 Report No

Transcription:

APPENDIX B State of Montana Security Roles and Responsibilities Pursuant to 2-15-114, MCA, Security Responsibilities of Departments for Data, each department head is required to designate an information security manager to administer the department s security program. This position, along with others within the organization, performs duties associated with a strong security program. This document contains these roles and identifies responsibilities associated with them in regards to information security as well as provides a recommended reporting structure. ROLES AND RESPONSIBILITIES The following roles and responsibilities are recommended as key positions to an adequate information security program according to NIST guidance. Not all of these positions may be applicable depending on the size and scope of the organization. A primary consideration should be how to combine responsibilities in smaller organizations or when manpower is limited where separation of duties and conflicts of interest can still be maintained for the intent and needs of security. Some of the roles explained below are grouped and in some larger organizations these may have two or more individuals or levels of management assigned to these roles with more specific responsibilities. This list is a good representation of the main groupings of functional security roles to provide a well-rounded information security program and should apply to most state agencies. A. Senior Management. The department head will ensure that an information security program is implemented and sustained sufficient to support the mission of this organization. Recommended responsibilities: Approves system security plans, Approves security assessment plans/reports, Approves memorandums of agreement or understanding, Approves plans of action and milestones, Authorizes operation of an information system, Issues an interim authorization to operate the information system under specific terms and conditions, Denies authorization to operate the information system (or if the system is already operational, halts operations) if unacceptable security risks exist, and Oversees the budget. B. Security Management. The Department Head will appoint an Information Security Manager (ISM) who directs the organization s day-to-day management of the organizations information security management program to include coordination of all security-related interactions both internal and external while maintaining a documented program (integration with continuity and records management). This position fulfills the requirements of 2-15-114, MCA. Recommended responsibilities:

Designates an Information Security Officer (ISO) who shall carry out the ISM's responsibilities for system security, Ensures information security policies and procedures are developed and maintained, Ensures the identification, implementation, and assessment of common security controls, Ensures that personnel with significant responsibilities for system security plans are trained, Ensures adequate system security planning for department, Ensures that an organization-wide information security program is effectively implemented, Ensures information security considerations are integrated into programming/planning/budgeting cycles, enterprise architectures, and acquisition/system development life cycles, Ensures information systems are covered by an approved security plan and are authorized to operate by the Agency Authorizing Official, and Ensures there is centralized reporting of all security-related activities. C. Information Security Officer. Responsible for helping to ensure that the appropriate operational security posture is maintained for each information system as well as the overall operational requirements of the technology platform. Recommended responsibilities: Carries out the IIM's responsibilities for system security planning, Coordinates the development, review and acceptance of system security plans with Information System Owners, Operational Information System Security Officer(s), Information System Security Developers, and the CIO, Coordinates the identification, implementation, and assessment of the common security controls, Serves with the Applications Manager as the ISM s primary liaison to the Information System Owners, maintains information security duties as a primary responsibility, Identifies, implements, and assesses the common security controls, and In partnership with the Applications Manager, coordinates with the Information System Owner any changes to the system and assesses the security impact of those changes. D. Program and Functional Managers/Application Owners. Responsible for a program or business function (e.g., procurement or payroll) including the supporting computer system(s). Their responsibilities include providing for appropriate security, including management, operational, and technical controls. These officials are (usually assisted) supported by a technical staff that oversees the actual workings of the system with midlevel management helping develop and implement security requirements. Recommended responsibilities: Develops the system security plan in coordination with assigned Information System Security Developers, Operational Information System Security Officer(s), and functional "end users," Maintains the system security plan,

Ensures that the system is deployed and operated according to the agreed-upon security requirements, Ensures that system users and support personnel receive the requisite security training, Updates the system security plan whenever a significant change occurs, Assists in the identification, implementation, and assessment of the common security controls of both the application and the information, Establishes the rules for appropriate use and protection of the subject data/information (rules of behavior), Shares information regarding the security requirements and security controls for the information where the information resides, and Decides who has access to the information system and with what types of privileges or access rights, and E. Technology Providers/System Management/System Administrators. These personnel are the managers and technicians who design and operate computer systems. They are responsible for implementing technical security on computer systems and for being familiar with security technology that relates to their system(s); ensuring consistent confidentiality, integrity, and availability. Recommended responsibilities: Plays an active role in the continuous monitoring of critical systems and the overall environment, Act as a consultant to the Information System Owner to ensure thorough security plans exist, Manages and controls changes to the system and assess the security impact of those changes Develops secure back-up and restore functions, and Executes the commands necessary to provide the access to the information systems as defined by the Information System Owner. F. Supporting Functions. The security responsibilities of managers, technology providers and security officers are supported by functions normally assigned to others. Some of the more important of these may be Auditors, Physical Security, Disaster Recovery/Contingency Planning, Quality Assurance, Procurement, Training, Personnel (HR), Risk Management/Planning Staff, and the Physical plant or office (General Services Division). G. Department Users. Regardless of the direct or indirect interaction with computers or other information systems and processes the users and the functional managers/application owners (or their representatives) are responsible for identifying and making known the needs and requirements for protection of information; confidentiality, integrity and availability. Department employees play a critical role for information security in complying with established procedures and providing the front line defense and prevention of potential breach and reduced risk. H. Contract Users. Any contracted vendor who interacts with State or Department information systems (computer supported or hardcopy) must support and comply with all established security protocols and requirements. I. State Customers. This Department will monitor and interact with State customers and e- Gov users who access public information and other State web and internet resources to ensure continuity with confidentiality, integrity, and availability of information on all

State Systems. J. Security Teams/Councils/Working Groups. The Department will participate with established security teams (Councils/Working Groups) which directly support best practice initiatives for continuous improvement and continuity of Department and State-wide missions. REPORTING STRUCTURE It is recommended that the Information Security Manager (ISM) report directly to the Director or Agency Head. This reporting structure is recommended because of the necessity of the ISM to be able to perform effectively and independently. SKILLS AND ABILITIES Successful ISMs must have a broad range of business management and technical security skills. Possessing a background in the development and subsequent enforcement of security policies and procedures, security awareness programs, business continuity and disaster recovery plans, IT, auditing, and applicable industry and governmental compliance issues is critical. They must be savvy in understanding the business needs of an agency and be fully supportive of its mission and goals. Some areas where an ISM must possess adequate skills and abilities include: Strategic - An agency ISM must understand the agency s program areas and business needs and their role within the activities of the agency. The ISM must keep abreast of evolving technologies to ensure appropriate security controls are implemented and maintained as agency processes change. Identifying security risks to the agency and being able to evaluate and recommend appropriate security measures, from a strategic perspective, will help management understand the risks and the need to reduce them to acceptable levels. Management and Communication Skills The ability to effectively communicate, both verbally and in writing, across all levels of management and the user community cannot be understated. The need to interact with critical staff (such as executive management, the Privacy Officer, the CIO, and the disaster recovery coordinator) and other agency business units (such as the legal, human resources, IT, procurement, business services, facilities management offices) to cooperatively achieve the goals is critical to the success of the information security program. The ability to write effectively, to explain information security in layperson terms, can be difficult. Executive management may not understand why a certain security component costs so much, or why it is important to the agency s goals. Possessing the ability to effectively develop issue papers, memorandums, letters, work plans, and other types of written communication can be invaluable in documenting security concerns and decisions, and in explaining important perspectives. Technical Competence ISMs are required to have a certain level of technical competence to lead their organization s security initiatives. They need a general knowledge of how technical issues affect the business of the agency. It is very difficult for a security leader to be respected by their agency, regardless of size, without having a proper grasp of the technical security issues that affect it. Further, it would be difficult to

garner the respect of the other technical staff within the organization without that knowledge. Being passionate about information security is critical to the success of the program. If an ISM is not fervent about it, he or she may find that is not the right career choice for them. Those ISMs that are fanatical about it should recognize that there is sometimes a fine line between passionate and obsessive. An important function of the ISM is to not always to say, NO! but to find secure ways to implement technologies while carefully weighing the risks against the business needs of the agency.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information