DOCSLIB.ORG

Information System Security Officer (ISSO) Guide

Information System Security Officer (ISSO) Guide

Information System Security Officer (ISSO) Guide Office of the Chief Information Security Officer Version 10 September 16, 2013 DEPARTMENT OF HOMELAND SECURITY INFORMATION SYSTEM SECURITY OFFICER (ISSO) GUIDE Document Change History Version Date Description 0.1 11/25/09 Initial Internal Draft 0.2 12/15/09 Revised Internal Draft, corrected formatting and grammatical errors 0.3 1/27/2010 Incorporated ISO comments 1.0 3/30/2010 Final Version 8.0 6/06/2011 • Updated entire document for terminology changes per DHS 4300A Version 8.0 and NIST SP 800-37 • Changed version to match DHS 4300A • Created new section 2.1.2 Critical Control Review (CCR) Team • Updates: o 2.1.1 Document Review (DR) Team; o 2.1.4 DHS InfoSec Customer Service Center; • Appendix C: OIG Potential Listing of Security Test Tools & Utilities. 8.0 9/19/2011 • Section 5.1 ISSO letter Attachement N was changed to Attachement C. 10 • Document updated to reflect new IACS tool, Ongoing Authorization, and other minor changes. • ISO changed to DHS OCISO. i INFORMATION SYSTEM SECURITY OFFICER (ISSO) GUIDE TABLE OF CONTENTS DOCUMENT CHANGE HISTORY ....................................................................................................... I TABLE OF CONTENTS .............................................................................................................. II LIST OF FIGURES ..................................................................................................................... IV 1.0 INTRODUCTION ................................................................................................................... 1 1.1 BACKGROUND .................................................................................................................. 1 1.2 PURPOSE .......................................................................................................................... 1 1.3 SCOPE .............................................................................................................................. 1 1.4 DHS INFORMATION SECURITY PROGRAM ........................................................................ 2 1.5 ESSENTIALS ..................................................................................................................... 2 2.0 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND RELATIONSHIPS ............................... 3 2.1 DHS CHIEF INFORMATION SECURITY OFFICER (CISO) ..................................... 4 2.2 COMPONENT CISO / ISSM AND STAFF ............................................................................ 7 2.3 SYSTEM OWNER ............................................................................................................... 8 2.4 SYSTEM, DATABASE, AND MAJOR APPLICATION ADMINISTRATORS (TECHNICAL STAFF) 8 2.5 BUSINESS OWNER ............................................................................................................ 8 2.6 SECURITY CONTROL ASSESSOR (SCA) ............................................................................ 8 2.7 AUTHORIZING OFFICIAL .................................................................................................. 9 2.8 CHIEF FINANCIAL OFFICER .............................................................................................. 9 2.9 CHIEF PRIVACY OFFICER ................................................................................................. 9 2.10 CHIEF SECURITY OFFICER (CSO) / FACILITY SECURITY OFFICER (FSO) ....................... 10 2.11 DHS SECURITY OPERATIONS CENTER (SOC) ................................................................ 10 2.12 CONFIGURATION CONTROL BOARD (CCB) .................................................................... 10 2.13 FACILITY MANAGERS .................................................................................................... 11 2.14 PEERS ............................................................................................................................. 11 3.0 ISSO RESOURCES AND TOOLS ......................................................................................... 11 3.1 REFERENCES .................................................................................................................. 11 3.2 DHS INFOSEC CUSTOMER SERVICE CENTER ................................................................. 16 4.0 SYSTEM ENGINEERING LIFE CYCLE (SELC) .................................................................. 16 4.1 LIFE CYCLE PHASES ....................................................................................................... 17 4.2 ISSO RESPONSIBILITIES DURING THE LIFE CYCLE ......................................................... 21 5.0 ISSO RESPONSIBILITIES .................................................................................................. 21 5.1 ISSO LETTER ................................................................................................................. 22 5.2 ACCESS CONTROL .......................................................................................................... 23 5.3 ACQUISITION PROCESS................................................................................................... 24 5.4 CONTROL ASSESSMENTS ................................................................................................ 25 ii INFORMATION SYSTEM SECURITY OFFICER (ISSO) GUIDE 5.5 ANNUAL SECURITY AWARENESS AND ROLE-BASED TRAINING ..................................... 26 5.6 AUDITS .......................................................................................................................... 27 5.7 AUDITING (LOGGING) AND ANALYSIS ........................................................................... 29 5.8 BUDGET ......................................................................................................................... 31 5.9 SECURITY AUTHORIZATION PROCESS ............................................................................ 32 5.10 COMMON CONTROLS ..................................................................................................... 34 5.11 CONFIGURATION MANAGEMENT (CM) .......................................................................... 35 5.12 CONTINGENCY PLANNING .............................................................................................. 36 5.13 CONTINUOUS MONITORING ........................................................................................... 38 5.14 IDENTIFICATION AND AUTHENTICATION ........................................................................ 39 5.15 INCIDENT RESPONSE INCLUDING PII .............................................................................. 39 5.16 INTERCONNECTION SECURITY AGREEMENTS AND MEMORANDA OF UNDERSTANDING / AGREEMENT .............................................................................................................................. 40 5.17 INVENTORY .................................................................................................................... 41 5.18 MAINTENANCE ............................................................................................................... 42 5.19 MEDIA PROTECTION ...................................................................................................... 42 5.20 PATCH MANAGEMENT ................................................................................................... 42 5.21 PERSONNEL SECURITY ................................................................................................... 43 5.22 PHYSICAL AND ENVIRONMENTAL SECURITY ................................................................. 44 5.23 PLANNING ...................................................................................................................... 46 5.24 POA&M MANAGEMENT ............................................................................................... 47 5.25 RISK ASSESSMENT ......................................................................................................... 47 5.26 SYSTEM AND COMMUNICATIONS PROTECTION .............................................................. 47 5.27 SYSTEM AND INFORMATION INTEGRITY ......................................................................... 48 5.28 SYSTEM AND SERVICES ACQUISITION ............................................................................ 48 5.29 SYSTEM INTERCONNECTIONS ......................................................................................... 49 5.30 SECURITY TRAINING ...................................................................................................... 49 6.0 REQUIREMENTS FOR PRIVACY SYSTEMS AND CFO DESIGNATED SYSTEMS ................. 50 6.1 PRIVACY SYSTEMS ......................................................................................................... 50 6.2 CFO DESIGNATED SYSTEMS .......................................................................................... 50 7.0 ISSO RECURRING TASKS ................................................................................................. 53 7.1 ONGOING ACTIVITIES .................................................................................................... 53 7.2 ISSO WEEKLY ACTIVITIES ............................................................................................. 53 7.3 ISSO MONTHLY ACTIVITIES .......................................................................................... 53 7.4 ISSO QUARTERLY ACTIVITIES ......................................................................................

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    66 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us