Tuesday, December 17, 2013

Week 4  Post Assignment.

Information security planning has two big pictures: organizational planning and contingency planning.
Organizational planning covers the strategic, tactical and operational plans that set how the company is run.
Contingency planning covers the incident response plan, the disaster recovery plan and the business continuity plan, which reduce the impact of threats to the company from any cause.
Planning needs both a top-down approach and a bottom-up approach, depending on each department's responsibilities and its vision of the mission.

Today, let me explain the contingency planning part of the information security plan.
Rehearsing a sample disaster scenario is far better than doing nothing about a future impact: the exercise reduces injuries to people and losses to the value of assets.
I had experience with this kind of scenario from a war game at a military base.
We created a virtual map of Korea and deployed the units to both sides of the line at the DMZ.
North Korea attacks South Korea, and the government announces to the public that the Korean War has started.
They destroy government buildings and structures and keep moving south; they also use chemical weapons, which makes the situation much worse for the South Korean Army.
US troops support the Korean army, the North Koreans move back to the North, and finally they give up. We did this kind of exercise every year in winter with the US Army to reduce injuries to the Korean people and to protect the value of the country's assets.
We learned potential recovery actions and how to protect the land area through the program plan.
A company is a small-sized model of a country.
It needs a checkpoint plan for everything in order to survive.

Sunday, December 15, 2013

How many people know that outside hackers are looking for your information?
Let me write some information from the link site below, with a brief summary.

Due to the lower proportion of internal threat agents, Misuse lost its pole position among the list of threat action categories.
Hacking and Malware have retaken the lead and are playing dirtier than ever.
Absent, weak, and stolen credentials are careening out of control.
Gaining quickly, however, is a newcomer to the top three: Physical.
After doubling as a percentage of all breaches in 2009, it managed to double again in 2010.
Maybe cybercrime is getting less "cyber"? Misuse and Social, though lower in percentage, were still high in number and provided some amazing examples of misbehavior, deception, and plotting for the highlight reel.

Reference:
Verizon, "2011 Data Breach Investigations Report" (covering the 2010 caseload)
http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

Thursday, December 5, 2013

I have a good resource for computer security; my professor linked this site for me.
Some people still don't get security information for using a personal computer or a company's resource system. I think this site gives a lot of information about why we need to patch software and keep software up to date.

http://www.onguardonline.gov/articles/0009-computer-security

Tuesday, December 3, 2013

I found a good source on information security management. This web page describes in detail how to handle, audit and control the IT section.

4 MANAGEMENT CONTROLS

4.1 Risk Assessment and Management

• Describe the risk assessment methodology used to identify the threats and vulnerabilities of the system. Include the date the review was conducted. If there is no system risk assessment, include a milestone date (month and year) for completion of the assessment.

4.1.1 Performance Measures

• Performance measures should be established around criteria such as Data Integrity, Access to Application (unauthorized access attempts) or other measures that reflect application security. Detail what performance measures are in place for this application.

4.1.2 Configuration Management Information

• Identify the Configuration Management Plan for this system (Name, Date and Version of the document). Is there a separate CCB Charter for this system (Yes or No)? Provide the names of the Configuration Control Authority (CCA), Configuration Management Authority and the Designated Accrediting Authority (DAA).

4.2 Review of Security Controls

• Have there been major changes or upgrades to the application in the current year? If so, list any independent security reviews conducted on the application.

• Include information about the type of security evaluation performed, who performed the review, the purpose of the review, the findings, and the actions taken as a result.

4.3 Rules of Behavior

• A set of rules of behavior in writing must be established for each system. The rules of behavior should be made available to every user prior to receiving access to the system. It is recommended that the rules contain a signature page to acknowledge receipt.

• The rules of behavior should clearly delineate responsibilities and expected behavior of all individuals with access to the system. They should state the consequences of inconsistent behavior or non-compliance. They should also include appropriate limits on interconnections to other systems.

• Attach the rules of behavior for the system as an appendix and reference the appendix number in this section, or insert the rules into this section.

4.4 Planning for Security in the Life Cycle

Determine which phase(s) of the life cycle the system, or parts of the system, are in. Describe how security has been handled in the life cycle phase(s) the system is currently in.

4.4.1 Initiation Phase

• Reference the sensitivity assessment that is described in Section 3.7, Sensitivity of Information Handled.

4.4.2 Development/Acquisition Phase

• During the system design, were security requirements identified?

• Were the appropriate security controls with associated evaluation and test procedures developed before the procurement action?

• Did the solicitation documents (e.g., Request for Proposals) include security requirements and evaluation/test procedures?

• Did the requirements permit updating security requirements as new threats/vulnerabilities are identified and as new technologies are implemented?

• If this is a purchased commercial application or the application contains commercial, off-the-shelf components, were security requirements identified and included in the acquisition specifications?

4.4.3 Implementation Phase

• Were design reviews and system tests run prior to placing the system in production? Were the tests documented? Has the system been certified?

• Have security controls been added since development?

• Has the application undergone a technical evaluation to ensure that it meets applicable federal laws, regulations, policies, guidelines, and standards?

• Include the date of the certification and accreditation. If the system is not authorized yet, include the date when the accreditation request will be made.

4.4.4 Operation/Maintenance Phase

• The security plan documents the security activities required in this phase.

4.4.5 Disposal Phase

Describe in this section how information is moved to another system, archived, discarded, or destroyed. Discuss controls used to ensure the confidentiality of the information.

• Is sensitive data encrypted?

• How is information cleared and purged from the system?

• Is information or media purged, overwritten, degaussed or destroyed?

4.5 Authorize Processing

4.5.1 Certification and Accreditation

• Provide the date of system certification and accreditation, and the name and title of the management official authorizing processing in the system.

• If not authorized, provide the name and title of the manager requesting approval to operate and the date of the request. Include information on any formal Interim Accreditation.

4.5.2 Privacy

• Detail information on conducting the Privacy Impact Assessment (PIA), including the date conducted for this application.

Retrieved from:
USDA, "Annual Security Plans for Information Technology Systems" (DM3565-001)
http://www.ocio.usda.gov/sites/default/files/docs/2012/DM3565-001.htm