DM 3565-001 February 17, 2005

CHAPTER 13, PART 1

ANNUAL SECURITY PLANS FOR INFORMATION TECHNOLOGY (IT) SYSTEMS

1 BACKGROUND

Information security has escalated as the subject of high-level attention from both the press and media. Recent terrorist attacks have only highlighted the need to ensure that we have the highest level of information security practices. IT Security Plans have become the foundation document in the overall security process because they define the system security features and controls. They support Capital Planning and Investment Control (CPIC), Federal Information Security Management Act (FISMA) reporting, System Life Cycle efforts, Risk Management activities, as well as the Certification and Accreditation of Information Technology (IT) systems. Therefore, it is critical that they be prepared/updated on an ongoing basis with the most current information concerning each agency's information security practices. These plans are updated and submitted annually.

FISMA and OMB A-130, Appendix III, require Annual Security Plans for IT Systems. Each plan should reflect accurate and comprehensive details required by NIST 800-18, Guide for Developing Security Plans for IT Systems. The generic term "system" covers all General Support Systems (GSS) and Applications.

2 POLICY

All USDA agencies and staff offices will develop and maintain an Overall Program Security Plan and individual Security Plans for all GSS and Major Applications. These plans will be prepared using the instructions and templates for these three types of plans in Table 1, Security Plan Guidance. This table includes a section to assist agencies in defining GSS and Applications and modified templates for electronic submission of plans. Modification of the templates closely parallels NIST 800-18 but also contains information required by FISMA and the Office of Inspector General audits. All Security Plans will be due to Cyber Security (CS) each year by the last working day in April.

Once the Annual Security Plan is complete, any appropriate change will be reflected in the agency Hardware/Software Inventory database as required by the policies for Configuration Management, Vulnerability Scanning and Patch Management. The Agency Head or Administrator must submit a cover letter with all plans attesting to the completeness and accuracy of the security plans. This letter will include information on whether the deficiencies from the prior year's security plan submissions have been corrected or there is a Plan of Action and Milestones (POA&M) in the FISMA Report.

Policy Exception Requirements

Agencies will submit all policy exception requests directly to the ACIO for Cyber Security. Exceptions to policy will be considered only in terms of implementation time; exceptions will not be granted to the requirement to conform to this policy. Exceptions that are approved will be interim in nature and will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestone (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved. Interim exceptions expire with each fiscal year. Compliance exceptions that require longer durations will be renewed on an annual basis with an updated timeline for completion. CS will monitor all approved exceptions.

3 RESPONSIBILITIES

a The Associate CIO for Cyber Security will:

    (1) Provide guidance, tools and strategies to assist USDA agencies in complying with the requirements to prepare Annual Security Plans for their Overall Security Program, GSS and Applications;

    (2) Perform vigorous reviews of all Annual Security Plan submissions to ensure that information security practices are sufficiently detailed and complete; provide feedback to each agency and staff office concerning these plans;

    (3) Review all policy exception requests in a timely manner and respond to the requesting office; and

    (4) Perform oversight reviews of agencies/staff offices to ensure that the information in these plans complies with this policy.

b The Agency Chief Information Officer will:

    (1) Ensure that the Agency Head signs the transmittal cover letter attesting to the completeness and correctness of the plans;

    (2) Ensure that all personnel, especially business owners and developers, are familiar with Annual Security Plan requirements; business owners and developers of IT systems are responsible for the preparation of these plans;

    (3) Develop and maintain an inventory of all IT systems; determine data sensitivity and identify GSS and Applications;

    (4) Prepare detailed plans for their Overall Security Program, General Support Systems and Applications and submit them to CS for review and evaluation;

    (5) Submit all plans to the Office of Cyber Security by the last working day in April each year; plans will include POA&Ms for security weaknesses not corrected from the prior year's submissions;

    (6) Submit the package electronically and in hard copy to the Office of Cyber Security;

    (7) Ensure that copies of Security Plans are maintained in the agency or staff office; and

    (8) Ensure that all IT systems have adequate security controls based on the sensitivity of data, mission criticality and value of the data in the system; document these controls in a security plan.

c The Agency Information Systems Security Program Managers will:

    (1) Become thoroughly familiar with all Security Plan requirements;