CHAPTER 9, PART 2
USDA INFORMATION SYSTEMS SECURITY PROGRAM
1 BACKGROUND
On January 23, 2002, Congress enacted Public Law, 107-347, E-Government Act of 2002. The Federal Information Security Management Act (FISMA) of 2002, Title III, of this law requires that each agency have effective information security controls over Information Technology (IT) to support Federal operations and assets and provide a mechanism for improved oversight of Federal agency information security programs. This Act was designed to strengthen OMB Circular A-130, Appendix III that initially established specific requirements for all agency security programs. As technology has grown more complex and open, the need for effective Federal information security programs in each agency and staff office is essential. In USDA, this program is referred to as the Information Systems Security Program (ISSP).
USDA has undertaken an aggressive role in support of E-gov to include ensuring that IT systems have been certified and accredited or otherwise authorized as being properly secured. All of these actions require that each agency ISSP be responsive and responsible in supporting security requirements. The material in this chapter is designed to outline the responsibilities of each agency and staff office ISSP and to specifically define the security roles of the Agency Administrator or Head, Chief Information Officer (CIO) and Information Systems Security Program Manager (ISSPM). These positions are vital components in securing USDA corporate information technology assets by providing effective agency management and oversight of its ISSP.
2 POLICY
All USDA agencies and staff offices will organize, implement and maintain an ISSP that ensures security of all information technology assets. Security must be adequately addressed in all phases of the System Development Life Cycle (SDLC), normally commencing in the IT System Initiation Phase. Each agency ISSP will include the following responsibilities:
Categorize sensitivity of information and information systems in accordance with FIPS 199;
Conduct regular risk assessments for IT systems and computing devices;
Implement effective risk mitigation strategies;
Conduct formal Certification and Accreditation (C&A) of all agency IT systems;
Implement security controls throughout the System Life Cycle;
Use the Capital Planning and Investment Controls (CPIC) process to formulate and plan security costs for all systems;
Monitor the system Configuration Management (CM) process of all systems;
Prepare agency annual Program and System Specific Security Plans;
Manage an effective Security Awareness and Training Program;
Manage the agency Security Incident Response Program;
Conduct annual self-assessment of the ISSP using NIST 800-26 and NIST 800-53;
Monitor IT systems using audit trails, controls logs and other mechanisms;
Establish an electronic inventory of all IT systems and computing devices;
Maintain agency IT inventory in the Enterprise Architecture Repository (EAR);
Disseminate department policy and procedures to all agency personnel;
Respond to regular and ad hoc reporting requirements and audits by internal or external agencies; and
Monitor agency compliance to USDA, OMB, NIST and other governing bodies’ policy for security.
Agencies may elect either a traditional ISSP structure with the responsibilities delineated in Responsibilities, Section 4, of this policy or use the alternative structure defined in Procedures, Section 3 below. An alternative structure is useful in agencies of greater than 1,000 IT users (employees, contractors, volunteers, partners, or customers), as it outlines the tactical security responsibilities below the ISSPM level. The duties of the ISSPM/ISSM can be designated as the agency sees fit, as long as all responsibilities are designated in writing and effectively executed. Associate CIO for Cyber Security (ACIO CS) must be advised that the alternative structure is being implemented and each agency must comply with the duties defined for this structure.
Each Agency Head or CIO will formally designate at least one Information Systems Security Program Manager (ISSPM) using the Designation of ISSPM and Deputy ISSPM form contained in Appendix A to serve in these positions. These forms will be sent to the ACIO CS when individuals are assigned to these positions. The duties and responsibilities of an ISSPM are diverse, comprehensive and complex. This position is one of high sensitivity and level of trust and therefore will be filled only by full time government personnel. In addition, this position has a requirement for high confidentiality due to the critical nature of the investigatory and compliance work. Therefore space should be assigned to the ISSPM and Deputy ISSPM that affords locking files and the ability to conduct meetings of a highly sensitive nature in private. In no case, are ISSPMs and Deputy ISSPMs to be assigned to a work/office area with individuals not associated with information security. To successfully establish, manage and improve an agency/staff office/program area ISSP, the ISSPM shall receive comprehensive annual security training. Agencies/staff offices/program areas shall appoint a Deputy ISSPM and as many Information Systems Security Officers (ISSOs) as necessary to comply with this policy. The agency ISSPM shall be recognized as the organization’s CS expert, leader and point of contact. The agency ISSPM, Deputy ISSPM and ISSM/ISSO positions are considered to be High Risk Public Trust positions as defined by 5 CFR 731. Each agency will ensure that the individuals in these positions have the appropriate level of background investigation completed. Additionally, each agency is responsible for determining the National Defense sensitivity level of these positions as defined in 5 CFR 732 and obtaining the appropriate level of security clearance. Individuals in these positions will have a direct reporting relationship with the agency CIO.
Policy Exception Requirements – Agencies/Staff Offices and program areas that cannot comply with this policy will submit all policy exception requests directly to the ACIO CS. Temporary exceptions to policy will be considered only in terms of implementation timeframes and progress toward meeting the standards will be monitored by OCIO CS. Exceptions that are approved will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestone (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved. Interim exceptions expire with each fiscal year. Compliance exceptions that require longer durations will be considered for renewal on an annual basis with an updated timeline for completion. OCIO CS will monitor all approved exceptions.
3 PROCEDURES
Agencies and staff offices electing to adopt a three-tier ISSP management approach will have a structure comprised of:
Information Systems Security Program Manager (ISSPM): This person and the deputy ISSPM are responsible for managing the ISS efforts for an entire agency or staff office. This person is a program manager responsible for the strategic security requirements of the program to include planning, budget review, consolidation of agency security reports, and coordination of the ISSP into the culture of the entire organization. ISSPMs will act as consultants for ISSM/ISSOs and work with them to resolve highly technical matters, when necessary. Ultimately, the ISSPM is still responsible for efficient operation of the overall ISSP.
Information Systems Security Manager (ISSM): This individual(s), including deputy(ies), is responsible for managing the tactical efforts of a business, functional, or operational entity within an agency. Their responsibilities include the daily operational security issues of the unit and overall management of the “front line” security requirements for the unit. This individual may often be called upon to assist in the resolution of certain system security issues.
Information Systems Security Officer (ISSO): This person(s), including deputy(ies), is responsible for the day-to-day security administration for one or more information systems. Theirs is an operational security effort regarding the system(s) for which they are responsible.
a RESPONSIBILITIES (Alternate)
(1) The Agency Chief Information Officer (CIO) will:
(a) Act as the agency Senior Security Officer
(SSO) who is responsible for supporting the
strategic requirements of the ISSP;
(b) Ensure that adequate funding, training and
resources are provided to the ISSP to support
the agency mission;
(c) Facilitate the resolution of high-level security matters within the agency by acting as a champion for the ISSPM;
(d) Ensure that ISSM/ISSOs are designated to provide adequate security to business, functional or operational entities;
(e) Serve as the certification official for agency
security requirements (i.e., Annual Security Plans, FISMA and other formal reporting requirements, Waiver Requests and Certification of agency IT Systems);
(f) Formally designate in writing to ACIO CS the ISSPM(s) and Deputy(ies) for each agency; ensure that these individuals are permanent members of all system development, telecommunications planning and System Development Life Cycle planning teams; and
(g) Provide role-based and specialized security-based training to the ISSPM(s) and Deputy ISSPM(s) from USDA enterprise training vehicles.
(2) The Agency Information Systems Security Program
Manager (ISSPM) will:
(a) Manage the agency ISSP including the activities and training from USDA Enterprise training vehicles of the ISSM/ISSOs;
(b) Support the strategic security program requirements to include: planning, budget analysis, department policy review and internal policy formulation, agency FISMA, POA&M, and audit reporting requirements, agency Security Architecture and agency IT CPIC;
(c) Consolidate individual reports from all functional and operation units into one agency combined report (i.e., monthly scans, patches, incidents) for higher level management, including ACIO CS;
(d) Monitor the progress of the ISSM/ISSOs to ensure that they meet the necessary program security requirements of NIST 800-26 and departmental policy directives;
(e) Serves as the principle consultant to the agency CIO and senior management, including ACIO CS;
(f) Coordinate agency Incident Response with the agency ISSM/ISSOs to include all associated actions necessary to mitigate the risk to unit systems; and
(g) Oversee the implementation of agency security policies, procedures and guidelines.
(3) The Agency Information Systems Security Manager (ISSM) will:
(a) Serve as the Point of Contact (POC) for all unit CS matters; provide subject matter guidance to agency personnel;
(b) Participate in the process and monitor to ensure that all agency systems are C&A’d prior to actual operation and that they are reaccredited every three years or when significant system change occurs;
(c) Disseminate departmental security policy and procedures; formulate internal agency security procedures and support implementation, testing, and integration into the agency culture (mission and business operation);
(d) Participate as a permanent member of unit system development teams, telecommunications planning, and System Development Life Cycle (SDLC) processes;
(e) Conduct internal audits of all agency IT systems to ensure compliance with federal and departmental policy and procedures;
(f) Participate in general and role-based security training to enhance knowledge and skill level; recommend appropriate training for staff to ISSPM;
(g) Proactively coordinate the establishment of system security controls to protect agency information using authentication techniques, encryption, firewalls, access controls, and comprehensive departmental Incident Response Procedures with all System Administrators (SA) and business owners;
(h) Coordinate with business owners to categorize information systems and determine sensitivity levels;
(i) Establish Disaster Recovery/Business Resumption (DR/BR) and other emergency plans for all IT systems; ensure compliance with backup and storage procedures;
(j) Monitor physical spaces to ensure that the security requirements of IT Restricted Space are followed in maintaining, updating or planning new space, and advise the CIO if space does not meet security requirements;
(k) Develop and manage a Security Awareness Program including arranging or conducting security awareness briefings; recommend to the agency ISSPM security training for all agency personnel, including contractors, based on their role in the organization; ensure that all personnel are appropriately trained in the security Rules of Behavior prior to being granted access to unit systems;
(l) Arrange for background screening of unit employees based on the level of trust and sensitivity of the position they occupy in the organization;
(m) Participate in the development of an agency security architecture for all IT systems;
(n) Monitor and coordinate patch management and scanning techniques for all unit systems; participate in identification and mitigation of all system vulnerabilities,
(o) Coordinate the provision of security controls for Portable Electronic Devices (PEDS) and other wireless technology;
(p) Participate in the Overall Agency Security Plan for the program and coordinate with Information Systems Security Officers (ISSO) to ensure that current system specific plans are in place for all IT systems; coordinate or participate in risk assessments of all unit systems and mitigate vulnerabilities;
(q) Monitor CM practices to ensure that security controls are maintained over the life of the IT systems, and formulate and prepare an electronic agency inventory for unit computing devices;
(r) Monitor and participate in assessments to ensure that Privacy requirements are met;
(s) Plan and document security costs for unit IT investments and systems;
(t) Prepare and update reports to ensure that the unit complies with mandated internal and external security reporting requirements, including FISMA and CPIC;
(u) Proactively participate in new CS initiatives including, but not limited to, computer investigations and forensics; and
(v) Prepare and coordinate unit Incident Responses with the agency ISSPM to include all associated actions necessary to mitigate the risk to unit systems.
4 Agency Information Systems Security Officers (ISSO) will:
(a) Be knowledgeable of Federal, Departmental, and agency security regulations when developing functional and technical requirements; serve as a POC for system users with security issues;
(b) Coordinate security program and system elements with the agency IT Program Managers by evaluating system environments for security requirements and controls including: IT Security Architecture, hardware, software, telecommunications, security trends, and associated threats and vulnerabilities;
(c) Manage security controls to ensure confidentiality, integrity and availability of information; build security into the system development process and define security specifications to support the acquisition of new systems; review and sign off on system procurement requests to ensure that security has been considered and included;
(d) Assist with security controls and associated costs in the CPIC Process;
(e) Assist the ISSM in the C&A process, including updates to the overall Agency and System Security Plans (SSP) for the program; serve as a key advisor in risk assessments of all systems and mitigate vulnerabilities; adhere to CM practices to ensure that security controls are maintained over the life of IT systems; update the electronic agency inventory for all agency computing devices;
(f) Adhere to and implement system security controls that ensure the protection of Sensitive But Unclassified (SBU) information using authentication techniques, encryption, firewalls, and access controls;
(g) Assist the ISSPM in following Department Incident Response Procedures;
(h) Assist the system owner and ISSM in the development, testing and maintenance of agency and system contingency plans, backup and storage procedures; document all procedures according to departmental and agency standards;
(i) Audit and monitor application, system and security logs for security threats, vulnerabilities and suspicious activities; report suspicious activities to the agency ISSPM;
(j) Support and facilitate the security awareness, training and education program; and
(k) Assist the ISSM in any other security related duties, as required.
4 RESPONSIBILITIES
a The Associate CIO for Cyber Security (ACIO CS) will:
(1) Act as the recognized Senior Security Officer (SSO) for the department and the central point of contact for CS management within USDA;
(2) Formulate and issue departmental CS policies and procedures for all USDA agencies and staff offices;
(3) Promote and monitor C&A of all USDA IT Systems;
(4) Provide enterprise-wide contractual vehicles and tools for security products and services;
(5) Monitor agencies to ensure that all Security Plans are current for programs and agency IT systems;
(6) Ensure that agencies comply with CS policy and procedures;
(7) Collaborate in identification of material weaknesses and assist in formulating mitigation strategies, if required;
(8) Centralize the department’s Computer Incident Response with US-CERT and other computer emergency response teams;
(9) Assist agencies in responding to computer fraud and with the handling of forensic evidence and investigations;
(10) Ensure that agencies implement and maintain managerial, technical, and operational security controls;
(11) Support and promote IT Contingency Planning efforts;
(12) Monitor and evaluate physical security within IT Restricted space;
(13) Ensure agencies meet Privacy Act requirements;
(14) Review and make recommendations to the CIO for all IT Investments and Waiver requests;
(15) Establish and support a Departmental security awareness and training program;
(16) Review requests for exceptions to CS Policy and Procedures in a timely manner; and
(17) Act as the central point for preparing regulatory reports required by FISMA and other legislation.
b Agency Chief Information Officer (CIO) will:
(1) Establish, implement and provide adequate resources for an agency ISSP that provides a comprehensive and proactive security process to protect agency assets;
(2) Be knowledgeable in legal and liability issues surrounding computing devices, the consequences of security breaches and requirements of executive accountability for IT systems;
(3) Ensure that all agency systems are C&A’d prior to operation and that they are reaccredited every three years or when significant system change occurs;
(4) Ensure that Departmental security policy and procedures are disseminated; ensure that internal agency security procedures are implemented, tested, and integrated into the agency culture;
(5) Designate in writing, using the form in Appendix A, an agency ISSPM who is a direct report; ensure that the ISSPM is a permanent member of all agency system development initiatives, telecommunications planning, and SDLC processes;
(6) Provide general and role-based security training to the ISSPM and security staff to include field personnel from USDA enterprise training vehicles;
(7) Establish and monitor an agency Personal Use Policy for all computing devices;
(8) Proactively support the establishment of system security controls at the USDA’s C2 Level of Trust
and provide protection of SBU information using authentication techniques, encryption, firewalls, access controls, and comprehensive Departmental Incident Response Procedures;
(9) Support agency contingency planning efforts by establishing DR/BR and other emergency plans for all IT systems;
(10) Ensure that the security requirements of IT Restricted Space are followed in maintaining, updating or planning new space;
(11) Ensure that all agency personnel, including contractors, receive security awareness briefings and training based on their role in the organization;
conduct background screening of all employees based on the level of trust and sensitivity of the position they occupy in the organization;
(12) Support the development of an agency security architecture for all IT systems;
(13) Ensure patch management and scanning techniques are employed to protect, identify and mitigate system vulnerabilities;
(14) Provide security controls for Portable Electronic Devices (PEDS) and other wireless technology;
(15) Ensure that an overall agency security plan is prepared for the program and current system specific plans are in place for all IT systems;
(16) Conduct risk assessments of all systems and mitigate vulnerabilities wherever feasible;
(17) Establish CM practices to ensure that security controls are maintained over the life of the IT systems;
(18) Ensure that all computing devices are captured in an electronic agency inventory and included in the Department’s Enterprise Architecture Repository (EAR);
(19) Ensure that agency and Federal Privacy Act requirements are met;
(20) Ensure that security costs are planned and entered in to agency’s annual budget submission for all IT investments and systems;
(21) Ensure that the agency complies with mandated internal and external security reporting requirements, including FISMA and CPIC;
(22) Ensure that support is provided for computer investigations and forensics; and
(23) Proactively support CS initiatives.
c The Agency Information Systems Security Program Managers (ISSPM) will:
(1) Serve as the POC for all agency CS matters; provide subject matter guidance to agency personnel;
(2) Manage the agency ISSP, including field activities;
(3) Participate in the process and monitor the program to ensure that all agency systems are C&A’d prior to operation and that they are reaccredited every three years or when significant system change occurs;
(4) Disseminate Departmental security policy and procedures; formulate internal agency security policies, procedures and support implementation, testing, and integration into the agency culture (mission and business operation);
(5) Participate, as a permanent member, on all agency system development teams, telecommunications planning, and SDLC processes;
(6) Conduct internal audits of all agency IT systems to ensure compliance with federal and departmental policy and procedures;
(7) Participate in general and role-based security training to enhance knowledge and skill level from USDA Enterprise training vehicles; recommend appropriate training for staff and field personnel from USDA Enterprise training vehicles and other sources to CIO;
(8) Proactively coordinate the establishment of system security controls at the USDA’s C2 Level of Trust; the protection of SBU information using authentication techniques, encryption, firewalls, access controls, and comprehensive departmental Incident Response Procedures with all SAs and business owners, and develop security baselines, where applicable;
(9) Coordinate with business owners to categorize information systems and determine sensitivity levels;
(10) Establish DR/BR and other emergency plans for all IT systems; ensure compliance with backup and storage procedures;
(11) Monitor to ensure that the security requirements of IT Restricted Space are followed in maintaining, updating or planning new space, and advise the CIO if space does not meet security requirements;
(12) Develop and manage a Security Awareness Program including arranging or conducting security awareness briefings; recommend to the agency CIO security training for all agency personnel, including contractors, based on their role in the organization; ensure that all personnel are appropriately trained in the Security Rules of Behavior prior to being granted access to agency systems;
(13) Coordinate with local Human Resources Offices to arrange for background screening of all IT employees based on the level of trust and sensitivity of the position they occupy in the organization;
(14) Participate in the development of an agency security architecture for all IT systems;
(15) Monitor and coordinate patch management and scanning programs for all agency systems; participate in identification and mitigation of all system vulnerabilities;
(16) Coordinate the provision of security controls for PEDS and other wireless technology;
(17) Formulate and prepare the overall Agency Security Plan for the program and coordinate with ISSOs to ensure that current system specific plans are in place for all IT systems;
(18) Coordinate or participate in risk assessments of all systems and mitigate vulnerabilities;
(19) Monitor CM practices to ensure that security controls are maintained over the life of the IT systems;
(20) Develop and prepare an electronic agency inventory for all agency computing devices;
(21) Monitor and participate in assessments to ensure that agency Privacy requirements are met;
(22) Plan and document security costs for all IT investments and systems;
(23) Prepare and update agency reports to ensure that the agency complies with mandated internal and external security reporting requirements, including FISMA and CPIC; and
(24) Proactively participate in CS initiatives including, but not limited to, computer investigations and forensics.
d The Agency IRM, Automation Information System Management, Operations and Programming Staff will:
(1) Be knowledgeable of Federal and agency security regulations when developing functional and technical requirements;
(2) Coordinate security program and system elements with the agency IT Program Managers and ISSPM (ISSM or ISSO as appropriate) by evaluating system environments for security requirements and controls including: IT Security Architecture, hardware, software, telecommunications, security trends, and associated threats and vulnerabilities;
(3) Manage security controls to ensure confidentiality, integrity and availability of information; build security into the system development process and define security specifications to support the acquisition of new systems;
(4) Assist with defining security controls and associated costs in the CPIC process;
(5) Assist the system owner and ISSPM in the C&A process, including updates to the overall Agency and System Security Plans (SSP);
(6) Participate in risk assessments of all systems and mitigate vulnerabilities;
(7) Adhere to CM practices to ensure that security controls are maintained over the life of IT systems;
(8) Update the electronic agency inventory for all agency computing devices;
(9) Adhere to and implement system security controls at the USDA C2 Level of Trust and ensure the protection of SBU information using authentication techniques, encryption, firewalls, and access controls;
(10) Assist the ISSPM in following department Incident Response Procedures;
(11) Assist the system owner and ISSPM in the development, testing and maintenance of Agency and System Contingency Plans, backup and storage procedures; document all procedures according to departmental and agency standards;
(12) Audit and monitor application, system and security logs for security threats, vulnerabilities and suspicious activities; report suspicious activities to the agency ISSP Office; and
(13) Assist the ISSPM in any other security related duties, as required.
-END-
APPENDIX A
DESIGNATION OF ISSPM AND DEPUTY ISSPM
GS
Series/Title:_________________________________ Level
of Background Investigation:_______________________________________
|
Name:_____________________________________
Agency: ___________________________________
|
Location: _______________________________________
_______________________________________
Phone Number: ____________________ Cell Number: ____________________
Fax Number: _______________________ E-mail:__________________________
Agency CIO Name :____________________________
Agency CIO Signature: ____________________________
Date: _____________
File Type | application/msword |
File Title | CHAPTER 9, PART 2 |
Author | Rgreene |
Last Modified By | Rgreene |
File Modified | 2008-05-12 |
File Created | 2008-05-12 |