Tuesday, December 3, 2013


I found a good source on information security management; this web page describes in detail how to handle, audit and control the IT section.
 

4 MANAGEMENT CONTROLS

 

4.1 Risk Assessment and Management

·        Describe the risk assessment methodology used to identify the threats and vulnerabilities of the system.  Include the date the review was conducted.  If there is no system risk assessment, include a milestone date (month and year) for completion of the assessment.

 

4.1.1 Performance Measures

  • Performance measures should be established around criteria such as Data Integrity, Access to Application (unauthorized access attempts) or other measures that reflect application security.  Detail what performance measures are in place for this application.

 

4.1.2 Configuration Management Information

  • Identify the Configuration Management Plan for this system (Name, Date and Version of the document).  Is there a separate CCB Charter for this system (Yes or No)?  Provide the names of the Configuration Control Authority (CCA), Configuration Management Authority and the Designated Accrediting Authority (DAA).

 

4.2 Review of Security Controls

·        Have there been major changes or upgrades to the application in the current year?  If so, list any independent security reviews conducted on the application.

·        Include information about the type of security evaluation performed, who performed the review, the purpose of the review, the findings, and the actions taken as a result.

 

4.3 Rules of Behavior

·        A set of rules of behavior in writing must be established for each system.  The rules of behavior should be made available to every user prior to receiving access to the system.  It is recommended that the rules contain a signature page to acknowledge receipt.

·        The rules of behavior should clearly delineate responsibilities and expected behavior of all individuals with access to the system.  They should state the consequences of inconsistent behavior or non-compliance.  They should also include appropriate limits on interconnections to other systems.

·        Attach the rules of behavior for the system as an appendix and reference the appendix number in this section or insert the rules into this section.

 

4.4 Planning for Security in the Life Cycle

Determine which phase(s) of the life cycle the system, or parts of the system are in.  Describe how security has been handled in the life cycle phase(s) the system is currently in.

 

4.4.1 Initiation Phase

·         Reference the sensitivity assessment that is described in Section 3.7, Sensitivity of Information Handled.

 

4.4.2 Development/Acquisition Phase

·         During the system design, were security requirements identified? 

·         Were the appropriate security controls with associated evaluation and test procedures developed before the procurement action?

·         Did the solicitation documents (e.g., Request for Proposals) include security requirements and evaluation/test procedures?

·         Did the requirements permit updating security requirements as new threats/vulnerabilities are identified and as new technologies are implemented?

·         If this is a purchased commercial application or the application contains commercial, off-the-shelf components, were security requirements identified and included in the acquisition specifications?

 

4.4.3 Implementation Phase

·         Were design reviews and systems tests run prior to placing the system in production? Were the tests documented?  Has the system been certified?

·         Have security controls been added since development?

·         Has the application undergone a technical evaluation to ensure that it meets applicable federal laws, regulations, policies, guidelines, and standards?

·         Include the date of the certification and accreditation.  If the system is not authorized yet, include date when accreditation request will be made.

 

4.4.4 Operation/Maintenance Phase

·         The security plan documents the security activities required in this phase.

 

4.4.5 Disposal Phase

Describe in this section how information is moved to another system, archived, discarded, or destroyed.  Discuss controls used to ensure the confidentiality of the information.

·         Is sensitive data encrypted?

·         How is information cleared and purged from the system?

·         Is information or media purged, overwritten, degaussed or destroyed?

 

4.5 Authorize Processing

 

4.5.1 Certification and Accreditation

·        Provide the date of system certification and accreditation, name, and title of management official authorizing processing in the system.

·        If not authorized, provide the name and title of the manager requesting approval to operate and the date of the request.  Include information on any formal Interim Accreditation.

 

4.5.2 Privacy

  • Detail information on conducting the Privacy Impact Assessment (PIA) including date conducted for this application.
Retrieved from "Annual Security Plans for Information Technology Systems", http://www.ocio.usda.gov/sites/default/files/docs/2012/DM3565-001.htm
