PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]


PDS (The Planetary Data System)
Information Technology Security Plan for The Planetary Data System: [Node Name]
[Date]
[Location]

Prepared by: [Author], [Title], Date
Approved by: [Name], [Title], Date

Change Log

Revision | Date | Sections Changed | Author

Contents

1. Introduction
   1.1 Overview
   1.2 Document Scope
2. Referenced Documents
   2.1 Controlling Documents
   2.2 Applicable Documents
3. System Identification
   3.1 Responsibilities
   3.2 Title
   3.3 Operational Status
   3.4 General Description
   3.5 Information Contacts
4. Information Identification
   4.1 Information Processed
   4.2 FIPS 199 Category
   4.3 Applicable Laws, Policies, and Guidance
   4.4 Loss of System and Data Impact
   4.5 System Value
5. Information Sharing
6. Risk Assessment and Analysis
7. Technical Controls
8. Public Access Controls
9. Rules of the System
   9.1 Obtaining a User Account
   9.2 Remote Access
   9.3 User Authentication, Privileges, and Limitations
   9.4 Process for Restoring Service
   9.5 Process for Escorting Personnel
   9.6 Consequences
10. Personnel Screening
11. Training
   11.1 Rules of the System
   11.2 Responsibilities
   11.3 Detection and Response
   11.4 Getting Help
   11.5 Center Policies, Procedures, and Guidelines
12. Contingency Planning
13. Incident Response
14. System Interconnection
15. Review of Security Controls
16. Authorization to Process
Appendix A
Appendix B System Inventory and Diagrams
   1. Inventory

1. Introduction

1.1 Overview

The Planetary Data System (PDS) includes a federation of geographically distributed Discipline Nodes. Each Discipline Node maintains a data and computing infrastructure to support online archive operations and to provide data distribution services for public access to the archive of scientific data products resulting from NASA planetary missions. Figure 1 shows the organization of the PDS nodes.

This document provides a specific Information Technology Security Plan for the [PDS Node Name]. It covers the IT security practices at the Discipline Node. This includes the following:

- Identification of systems: this includes systems in the enterprise.
- The information within systems and its classification: this includes the information managed within systems and their risk level, should systems be impacted, based on the FIPS 199 classification.
- Information sharing with external users: this identifies what data is shared externally and how.
- Risk management: this includes identified risks, including known vulnerabilities.
- Technical IT security controls: this includes controls that are in place to mitigate risk to systems. An example set of security controls is identified in Appendix A.
- Public access controls: these are controls that are in place to protect the system from unauthorized public access.
- Personnel screening: these are processes in place to screen potential users of the systems, including the granting of user accounts on systems.
- Training: these are processes and rules in place to train users on IT security practices.
- Contingency planning: these are plans and processes for system recovery should it be required due to a disaster situation.
- System interconnection: these identify the connections between other systems, both internally and externally.
- Review of IT security controls: this identifies the procedures used to review and audit the IT security controls to ensure compliance.

A separate IT Security Plan is maintained by the Engineering Node, which includes a compilation of the individual IT Security Plans plus an overall plan for the federation.

Figure 1: PDS Node Organization

1.2 Document Scope

This document is the Information Technology Security Plan for the PDS node [insert node name]. The remaining PDS nodes are covered by separate plans. The relationship between these plans is described in [Central PDS Plan]. Each of these individual security plans identifies system risks, technical controls, contingency plans, and primary contact information for the local node computing equipment.

2. Referenced Documents

2.1 Controlling Documents

[1] [Any related grant/contract requirements]

2.2 Applicable Documents

[1] [If applicable, NIST Special Publication 800-53, Revision 3, 05/2010]
[2] [Central Plan name]
[3] [Any related Interconnection Security Agreements]

3. System Identification

3.1 Responsibilities

[Describe who is responsible for the PDS Node, including who is responsible for authorizing the security plan]

3.2 Title

The commonly used name for the equipment covered under this plan is [Name of the Node and/or Computing environment]

3.3 Operational Status

[Describe the operational status of the equipment. For example, is it operational, in development, or a mix of both. Describe the time periods when the equipment is operational, for example if it is available 24/7.]

3.4 General Description

[Provide an overview of the system including what it is used for, what type of users will access the system, what software is utilized or developed on the system, and how it is connected to the network. Diagrams, both for data flow and network, can be included here.]

3.5 Information Contacts

Name | Title | Phone | Email

4. Information Identification

4.1 Information Processed

The PDS [Node name] system will [Describe what the information is on the system and how the PDS node will process it]

4.2 Federal Information Processing Standard (FIPS) 199 Category

FIPS Publication 199 defines three levels of potential impact on an organization or individuals should there be a breach of security. Following these standards, the PDS [Node name] system is classified as a [Low (L), Moderate (M), High (H)] impact system.

4.3 Applicable Laws, Policies, and Guidance

The PDS [node name] computing systems follow the [institutional and/or NASA] guidelines described in [institutional requirements and/or NASA Procedural Requirements (NPR) 2810.1]

4.4 Loss of System and Data Impact

[Describe the impact if the Node experiences a loss of software, hardware, or network connectivity.]

4.5 System Value

[Describe the cost of replacing the system]

5. Information Sharing

[If applicable, describe how the information held on the system is shared with external entities.]

6. Risk Assessment and Analysis

6.1 Summary of Risk Assessment Findings

The results of the current risk assessment for the PDS [Node name] indicate that the level of residual risk to this system is acceptable. The security planning process ensures that security controls are selected and addressed appropriate to the value of the information on the system, and that residual risk is further mitigated by contingency planning. Any remaining known vulnerabilities have been noted, and the plan of actions and milestones (POA&M) toward correction has been identified.

6.2 Results of Risk Analysis

Threat sources and potential impacts to the PDS [node name] system are both IT-specific and physical. Known vulnerabilities are addressed by implementing the protective measures documented in Appendix A and are continually addressed through quarterly and self-initiated vulnerability scans along with a review of protective measures. The conclusion of this system-specific risk analysis is that the level of residual risk for the PDS [node name] is acceptable.

7. Technical Controls

Appendix A contains the technical controls that respond to the requirements and the risk assessment. These include the technical controls that enforce the rules or policies of the system.

8. Public Access Controls

[Describe how the system is protected from public access]

9. Rules of the System

All users of the PDS [node name] computing equipment must take required security training. Training is available at [node security training program].

9.1 Obtaining a User Account

[Describe how accounts are requested, approved, and how the passwords are disseminated.]

9.2 Remote Access

[If applicable, describe how remote access is granted.]

9.3 User Authentication, Privileges, and Limitations

[Describe rules relating to user authentication and privileges. For example: When authenticating a user, the systems will not display the passwords in clear text. All system passwords are encrypted when stored and are restricted from the user's view. Users are not permitted to include passwords in scripts or programs. The System Administrator sets the privileges and limitations for the user accounts within this system. In the event of a security or system failure, a user's privileges may be revoked while the user is active on the system. In this case, the System Administrator will attempt to contact the user before any changes are made so that the user can gracefully log off. A contact list with at least two methods of communication has been established for this purpose and is posted at.. ]

9.4 Process for Restoring Service

Procedures for restoring service after system crashes or unplanned outages are outlined in the [Contingency plan name].

9.5 Process for Escorting Personnel

[If applicable, describe process for escorting personnel to access equipment physically.]

9.6 Consequences

[Describe the consequences of users not abiding by the security rules of the system per their training.]

10. Personnel Screening

Users are granted privileges as necessary for the performance of their job within this system. The number of privileged users who can bypass security and process controls is [x].

11. Training

11.1 Rules of the System

[Describe how users are trained on the rules of the system.]

11.2 Responsibilities

[Describe who is responsible for completing training.]

11.3 Detection and Response

[Describe how users are trained on detection and response of security incidents.]

11.4 Getting Help

[Describe how users are trained to request help.]

11.5 Center Policies, Procedures, and Guidelines

[Describe any related training required by the Node facility]

12. Contingency Planning

Plans and procedures for continuing PDS [Node name] operations after a natural or human-caused disaster can be found in the [Contingency Plan name]. Contingency Plans are managed in a separate plan and delivered to the PDS Management Node at Goddard Space Flight Center. These plans are available should they be requested.

13. Incident Response

[Describe who should be notified in the case of a security incident.]

14. System Interconnection

[Describe how this system connects to others both at the facility and within PDS. Include any related diagrams.]

15. Review of Security Controls

[Describe how the IT system is audited and what is done with the results of the audit. For example: IT systems are subject to independent audit to verify that the planned controls have been implemented and are effective. Within the PDS [Node name] system, verification is composed of three parts:

- quarterly network scans for vulnerabilities conducted by [who will perform the scan];
- on-site examination of configuration settings and other system information by an auditor/System Administrator; and
- on-site inspection of remaining controls, such as physical security, password dissemination procedures, etc., by a field auditor.

Any problems found during an audit that cannot be immediately corrected become audit findings. All findings are reviewed by [Security group name]. Valid findings will result in problem tickets being created; tickets must be closed (fixed, waived, or have a lien) within the prescribed time specified on the ticket. Corrective actions taken in response to a ticket are verified by [Security group name] before the associated ticket is closed. Vulnerabilities discovered by network scans are first reviewed by [Security group name] for validity.]

16. Authorization to Process

By signing the approval page of this document, the PDS [Node name] Managers and Systems Engineer state that this plan adequately secures the system, its data, and its operation.

Appendix A Technical Controls

[NOTE: Discipline Nodes should identify their own technical controls.]

Unique ID | Requirement Text
1 |
2 |
3 |
4 |
5 |
6 |
7 |
etc. |

Appendix B System Inventory and Diagrams

1. Inventory

1.1 Hardware

[Include hardware list]

1.2 Software

[Include software list]