CHAPTER 8 – PART 2

Risk Assessment and Security Checklists

 

 

1        BACKGROUND

 

The United States Department of Agriculture houses and processes sensitive data, including personal information of US citizens, payroll and financial transactions, proprietary information and life/mission critical data.  It is essential that this information be protected from the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration or destruction. 

 

To assist USDA agencies in identifying potentially harmful deficiencies in their respective security programs and security controls, a set of security checklists have been developed.  This set includes checklists for the following platforms, environments and operating systems:

 

General Checklist for Security Programs

Microsoft Windows NT For Servers

Microsoft Windows NT For Workstations

Microsoft Windows 2000 for Servers

Microsoft Windows 2000 for Workstations

UNIX for Servers

UNIX for Workstations

Telecommunications

Personal Electronic Devices

IBM AS/400 Systems

Software Development Environments

Mainframe Environments

Web Farm Environments

Classified Systems

 

 

2          POLICY

 

Each USDA agency and staff office shall conduct an assessment of it’s security program every year, using the USDA General Security Checklist.  The assessment shall be completed during the fourth quarter of the fiscal year. Results of the assessment shall be submitted to OCIO’s Cyber Security Program.

 

Policy Exception Requirements – Agencies will submit all policy exception requests directly to the ACIO for Cyber Security.  Exceptions to policy will be considered only in terms of implementation timeframes; exceptions will not be granted to the requirement to conform to this policy.  Exceptions that are approved will be interim in nature and will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestone (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved.  Interim exceptions expire with each fiscal year.  Compliance exceptions that require longer durations will be renewed on an annual basis with a updated timeline for completion.  CS will monitor all approved exceptions.

 

 

3          PROCEDURES

 

a         Review of Security Controls.  Assessments of all GSS and MA, whether USDA owned and operated or contractor owned and operated are required whenever a major change is made to the system, or at least every three years.  Assessments could include applications such as databases and spreadsheets depending on the sensitivity of the data, inherent risks, mitigation costs and value of assets.  Each agency is responsible for making this determination.  These assessments shall be completed using one or more of the security checklists developed for USDA.  The number of checklists to be used will depend on the operating systems and the technical environments that comprise the system.  For example, a single system may require the execution of a UNIX checklist, a Mainframe checklist and a Telecommunications checklist in order to ensure that all necessary security controls are considered.

 

Checklists may also be used by agencies for any GSS system, such as operational environments and their program products where deemed necessary to protect the confidentiality, integrity and availability of information and the application or data they support.  The checklist will be used at the GSS level and augmented by a review of the application access controls.

 

Results of these assessments will be submitted to OCIO’s Cyber Security Program 30 working days after completion of the assessment.  Both the checklists and the results are considered highly sensitive and to be released to USDA employees or contractors only on a “Need to Know” basis.  We strongly urge that a Non-Disclosure Agreement be signed prior to release.

 

b         System Development Assessment.   For every system that is developed or managed under contract, the requirement for an assessment using the appropriate checklist(s) will be incorporated into the contract security requirements.  A risk assessment will be performed in conjunction with system development.  At a minimum, this assessment will include the execution of one or more security checklists developed for USDA.  The number of checklists to be used will depend on the operating systems and technical environments that comprise the system.

 

Results of these assessments shall be included with other documentation submitted to OCIO for exception requests or in conformance with the Capital Planning and Investment Control (CPIC) requirements.

 

c          Checklist Revision and Version Control.  Agencies are encouraged to request changes to security checklist at any time to ensure they are current and relevant.   At least once annually, OCIO will hold a checklist update session for each checklist to ensure completeness and that all question remain germane.  Prior to executing any checklist for any purpose, agencies shall contact OCIO/Cyber Security to obtain the most recent version.

 

 

4          RESPONSIBILITIES

 

a         The Chief Information Officer/Deputy will:

 

                     (1)          Support the USDA Risk Management Program for the protection of USDA Information Technology assets;

                                    and

 

(2)       Encourage agencies to perform assessments using Security Checklists.

 

b         The Associate CIO for Cyber Security will:

 

(1)       Develop and maintain policies, tools, and techniques for assessing risk to USDA information systems;

 

(2)       Provide training and guidance to agencies for identifying risks and vulnerabilities to the information systems they use and maintain;

 

(3)       Review the results of assessments conducted by agencies;

 

(4)              Assist agencies in devising appropriate risk mitigation

strategies, as required; and

 

(5)       Review all exception requests and capital planning documentation to ensure risks have been assessed prior to deployment of all USDA General Support Systems and Major Applications.

 

c          The Associate CIO for Information Resources Management (IRM) will:

 

(1)              Support the policy and procedures contained in this

chapter to ensure that the USDA Risk Management Program is used in all USDA managed networks, systems and servers; and

 

(2)              Receive, review and coordinate a response with the Associate CIO for Cyber Security to any exception requests for exceptions to this policy.

 

d         The Agency Chief Information Officers will:

(1)              Ensure that information system security controls are selected and implemented commensurate with identified risks;

 

(2)              Ensure that all agency personnel, especially the Agency Information System Security Program Manager (ISSPM), are aware of the policy and procedures concerning assessments;

 

(3)              Ensure that assessments are conducted as prescribed in this policy by IT personnel or anyone delivering services via an IT system; and

 

(4)              Report the findings of assessments promptly to OCIO/Cyber Security as defined in the procedures section;

 

(5)              Ensure that all completed Checklists are kept in a secure location and that access is granted on a need to know basis; and

 

(6)              Provide access to assessment results which are considered to be sensitive on a need to know basis.

 

e          The agency Information System Security Program Managers/staff will:

 

(1)              Conduct or coordinate assessments as prescribed in this policy;

 

(2)              Ensure that checklists and results are protected and released on a need to know basis;

 

(3)              Coordinate checklist change requests for their respective agency and submit to OCIO/Cyber Security; and

 

(4)              Participate in the checklist development, training and maintenance process.

-END-