PERSONNEL SECURITY
TABLE
OF CONTENTS
DM 3545-000
Page
Chapter 9 –
General Information
1 Purpose 1
2 Cancellation 1
3 References 1
4 Scope 2
5 Abbreviations 2
6 Definitions and Terms 3
3545-002
Part 2 – USDA
Information Systems Security Program and Program
Manager
1 Background 6
2 Policy 6
3 Procedures 9
4 Responsibilities 15
U.S. DEPARTMENT OF
AGRICULTURE
WASHINGTON, D.C. 20250
DEPARTMENTAL MANUAL
|
Number: 3545-000 |
|
SUBJECT:
Personnel Security |
DATE: March
27, 2006 |
|
OPI: |
||
GENERAL INFORMATION
1 PURPOSE
The
purpose of this Departmental Manual is to provide
guidance
to USDA agencies and staff offices on personnel security requirements. Part 1 of this chapter discusses computer
security awareness and training; Part 2 covers requirements for all USDA
Information Systems Security Programs and Program Managers, and Part 3 outlines
requirements for Personnel Background Investigations.
2 CANCELLATION
This
Departmental Manual will be in effect until superseded.
Cancel
DM 3545-000 dated February 17, 2005.
3 REFERENCES
The following Public Laws and Federal guidance are applicable to this manual:
NIST Special Publications, Series 800, Information System Security;
OMB Circular A-123, Management Accountability and Control;
OMB Circular A-127, Financial Management Systems;
OMB Circular A-130, Appendix III, Management of Information Resources;
OMB Memorandum M-03-18, Implementation Guidance for the
E-Government Act of 2002;
March 27,
2006 3505-001
Public
Law 93-502, “Freedom of Information Act of 1980”;
Public
Law 93-579, “Privacy Act of 1974”;
Public
Law 97-255, “Federal Manager’s Financial Integrity Act of
1982”;
Public
Law 99-474, “Computer Fraud and Abuse Act”;
Public
Law 100-235, “The Computer Security Act of 1987”;
Public
Law 103-62, “Government Performance and Results Act”;
Public
Law 107-347, “E-Government Act of 2002”;
DM 3500, Cyber Security Manual, All Chapters;
DR 3300, Telecommunications and Internet Services and Use,
Appendix I; and
4 SCOPE
This manual applies to all USDA agencies,
programs, teams,
organizations, appointees, employees
and other activities.
5 ABBREVIATIONS
ACIO CS Associate
Chief Information Officer for Cyber Security
AIS Automated Information
System(s)
CIO Chief Information Officer
CS Cyber Security
E-gov E-Government
IRM Information Resources
Management
ISSM Information Systems Security
Manager
ISSO Information Systems Security
Officer
ISSP Information Systems Security
Program
ISSPM Information Systems Security
Program Manager
IT Information Technology
NIST National Institute of Standards
and Technology
OCIO Office of the Chief Information
Officer
OMB Office of Management and Budget
PDD Presidential Decision Directive
PL Public Law
SA System Administrator
SBU Sensitive But Unclassified
SLC System Life Cycle
SDLC System Development Life Cycle
USDA United States Department of
Agriculture
6 DEFINITIONS AND TERMS
a Asset - A major application,
general support system, high impact program, physical plant, mission critical
system or logically related group of systems.
b Automated Information System -
An AIS is any assembly of electronic equipment, hardware, software and firmware
configured to collect, create, communicate, disseminate, process, store, and
control data or information.
c Configuration Management (CM):
CM is a process of reviewing and controlling the components of an Information
Technology System throughout its life to ensure that they are well defined and
cannot be changed without proper justification and full knowledge
of the consequences. CM ensures that the hardware, software,
communications services and documentation for a system can be accurately
determined at any time.
d Designated
Accrediting Authority (DAA) - From a security
perspective, all USDA General Support Systems
(GSS) and Major Software Applications (MSA) are required to undergo a security
certification process and be accredited by a Designated Accrediting Authority
(DAA) prior to being placed in operation.
This individual is the agency management official who formally
authorizes a system’s operation in writing and explicitly accepts any risks
associated with that system. The
implementation of a formal configuration management process is a requirement
for system accreditation.
e Federal Computer System - This
terms applies to a computer system operated by a Federal agency or a contractor
of a Federal agency or other organization that processes information using a
computer system on behalf of the
government to accomplish a Federal function. This includes automatic data processing equipment.
f Information Systems Security
Manager (ISSM) – Individual designated to act as the security official for
a major functional or operational unit within an agency. The ISSM acts as a technical and functional
manager who takes the tactical view of security.
g Information Systems Security Program
(ISSP) - The agency program office
responsible for discharging the security responsibilities defined under the Federal
Information Security Management Act (FISMA) as well as other regulatory and
USDA policy directives.
h Information Systems Security
Program Manager (ISSPM) - The government individual(s) formally designated
in writing to manage the agency’s ISSP who takes the strategic view of
security. This individual serves as the
Point of Contact (POC) for all agency cyber security (CS) matters and provides
subject matter guidance to agency personnel.
j System
Development Life Cycle (SDLC) – The course of developmental changes through
which a system passes from its conception to the termination of its use and
subsequent salvage and/or retirement.
There are many models for the IT SDLC but most contain five basic
phases: initiation,
development/acquisition, implementation, operation, and disposal.
k Unit
– An individual, group, structure, or other entity regarded as an elementary
structural or functional constituent of a whole.
CHAPTER 9, PART 2
USDA INFORMATION SYSTEMS SECURITY PROGRAM
1 BACKGROUND
On
January 23, 2002, Congress enacted Public Law, 107-347, E-Government Act of
2002. The Federal Information Security
Management Act (FISMA) of 2002, Title III, of this law requires that each
agency have effective information security controls over Information Technology
(IT) to support Federal operations and assets and provide a mechanism for
improved oversight of Federal agency information security programs. This Act was designed to strengthen OMB
Circular A-130, Appendix III that initially established specific requirements
for all agency security programs. As
technology has grown more complex and open, the need for effective Federal information
security programs in each agency and
staff office is essential. In USDA,
this program is referred to as the Information Systems Security Program (ISSP).
USDA
has undertaken an aggressive role in support of E-gov to include ensuring that IT
systems have been certified and accredited or otherwise authorized as being
properly secured. All of these actions
require that each agency ISSP be responsive and responsible in supporting
security requirements. The material in
this chapter is designed to outline the responsibilities of each agency and
staff office ISSP and to specifically define the security roles of the Agency
Administrator or Head, Chief Information Officer (CIO) and Information Systems
Security Program Manager (ISSPM).
These positions are vital components in securing USDA corporate
information technology assets by
providing effective agency management and oversight of its ISSP.
2 POLICY
All
USDA agencies and staff offices will organize, implement and maintain an ISSP
that ensures security of all information technology assets.
Security must be adequately addressed in all phases of the System Development Life Cycle (SDLC),
normally commencing in the IT System Initiation Phase. Each agency ISSP will include the following
responsibilities:
·
Categorize
sensitivity of information and information systems in accordance with FIPS 199;
·
Conduct
regular risk assessments for IT systems and computing devices;
·
Implement
effective risk mitigation strategies;
·
Conduct
formal Certification and Accreditation (C&A) of all agency IT systems;
·
Implement
security controls throughout the System Life Cycle;
·
Use the
Capital Planning and Investment Controls (CPIC) process to formulate and plan
security costs for all systems;
·
Monitor the system
Configuration Management (CM) process of all systems;
·
Prepare
agency annual Program and System Specific Security Plans;
·
Manage an
effective Security Awareness and Training Program;
·
Manage the
agency Security Incident Response Program;
·
Conduct
annual self-assessment of the ISSP using NIST 800-26 and NIST 800-53;
·
Monitor IT
systems using audit trails, controls logs and other mechanisms;
·
Establish an electronic
inventory of all IT systems and computing devices;
·
Maintain agency IT
inventory in the Enterprise Architecture Repository (EAR);
·
Disseminate
department policy and procedures to all agency personnel;
·
Respond to regular and
ad hoc reporting requirements and audits by internal or external agencies; and
·
Monitor agency compliance to USDA, OMB, NIST and other governing bodies’
policy for security.
Agencies
may elect either a traditional ISSP structure with the responsibilities
delineated in Responsibilities, Section 4, of this policy or use the
alternative structure defined in Procedures, Section 3 below. An alternative structure is useful in
agencies of greater than 1,000 IT users (employees, contractors, volunteers,
partners, or customers), as it outlines the tactical security responsibilities
below the ISSPM level. The duties of
the ISSPM/ISSM can be designated as the agency sees fit, as long as all
responsibilities are designated in writing and effectively executed. Associate CIO for Cyber Security (ACIO CS)
must be advised that the alternative structure is being implemented and each
agency must comply with the duties defined for this structure.
Each
Agency Head or CIO will formally
designate at least one Information Systems Security Program Manager (ISSPM)
using the Designation of ISSPM and
Deputy ISSPM form contained in Appendix A to serve in these
positions. These forms will be sent to
the ACIO CS when individuals are
assigned to these positions. The
duties and responsibilities of an ISSPM are diverse, comprehensive and
complex. This position is one of high
sensitivity and level of trust and therefore will be filled only by full time
government personnel. In addition, this
position has a requirement for high confidentiality due to the critical nature
of the investigatory and compliance work.
Therefore space should be assigned to the ISSPM and Deputy ISSPM that
affords locking files and the ability to conduct meetings of a highly sensitive
nature in private. In no case, are
ISSPMs and Deputy ISSPMs to be assigned to a work/office area with individuals
not associated with information security.
To successfully establish, manage and improve an agency/staff
office/program area ISSP, the ISSPM shall receive comprehensive annual security
training. Agencies/staff
offices/program areas shall appoint a Deputy ISSPM and as many Information
Systems Security Officers (ISSOs) as necessary to comply with this policy. The agency ISSPM shall be recognized as the
organization’s CS expert, leader and point of contact. The agency ISSPM, Deputy ISSPM and
ISSM/ISSO positions are considered to be High Risk Public Trust positions as
defined by 5 CFR 731. Each agency will
ensure that the individuals in these positions have the appropriate level of
background investigation completed.
Additionally, each agency is responsible for determining the National
Defense sensitivity level of these positions as defined in 5 CFR 732 and
obtaining the appropriate level of security clearance. Individuals in these positions
will have a direct reporting relationship with the agency CIO.
Policy
Exception Requirements – Agencies/Staff Offices and program areas that
cannot comply with this policy will submit all policy exception requests
directly to the ACIO CS. Temporary
exceptions to policy will be considered only in terms of implementation
timeframes and progress toward meeting the standards will be monitored by OCIO
CS. Exceptions that are approved will
require that each agency report this Granted Policy Exception (GPE) as a Plan
of Action & Milestone (POA&M) in their FISMA reporting, with a GPE
notation, until full compliance is achieved. Interim exceptions expire with each fiscal year. Compliance exceptions that require longer
durations will be considered for renewal on an annual basis with an updated
timeline for completion. OCIO CS
will monitor all approved exceptions.
3 PROCEDURES
Agencies
and staff offices electing to adopt a three-tier ISSP management approach will
have a structure comprised of:
·
Information
Systems Security Program Manager (ISSPM):
This person and
the deputy ISSPM are responsible for managing the ISS efforts for an entire
agency or staff office. This person is
a program manager responsible for the strategic security requirements of the
program to include planning, budget review, consolidation of agency security
reports, and coordination of the ISSP into the culture of the entire
organization. ISSPMs will act as
consultants for ISSM/ISSOs and work with them to resolve highly technical
matters, when necessary. Ultimately,
the ISSPM is still responsible for efficient operation of the overall ISSP.
·
Information
Systems Security Manager (ISSM): This individual(s), including deputy(ies),
is responsible for managing the tactical efforts of a business, functional, or
operational entity within an agency.
Their responsibilities include the daily operational security issues of
the unit and overall management of the “front line” security requirements for
the unit. This individual may often be
called upon to assist in the resolution of certain system security issues.
·
Information
Systems Security Officer (ISSO): This person(s), including
deputy(ies), is responsible for the day-to-day security administration for one
or more information systems. Theirs is
an operational security effort regarding the system(s) for which they are
responsible.
a RESPONSIBILITIES (Alternate)
(1)
The
Agency Chief Information Officer (CIO) will:
(a)
Act as the
agency Senior Security Officer
(SSO) who is responsible for supporting the
strategic requirements of the ISSP;
(b) Ensure that adequate funding, training and
resources are provided to the ISSP to
support
the agency mission;
(c) Facilitate the resolution of
high-level security matters within the agency by acting as a champion for the
ISSPM;
(d) Ensure that ISSM/ISSOs are
designated to provide adequate security to business, functional or operational
entities;
(e) Serve as the certification official for
agency
security
requirements (i.e., Annual Security Plans, FISMA and other formal reporting
requirements, Waiver Requests and Certification of agency IT Systems);
(f) Formally designate in writing to ACIO CS
the ISSPM(s) and Deputy(ies) for each agency; ensure that these individuals are
permanent members of all system development, telecommunications planning and
System Development Life Cycle planning teams; and
(g) Provide role-based and specialized
security-based training to the ISSPM(s) and Deputy ISSPM(s) from USDA
enterprise training vehicles.
(2)
The
Agency Information Systems Security Program
Manager (ISSPM) will:
(a) Manage the agency ISSP including the
activities and training from USDA Enterprise training vehicles of the ISSM/ISSOs;
(b) Support the strategic security program
requirements to include: planning, budget analysis, department policy review
and internal policy formulation, agency FISMA, POA&M, and audit reporting
requirements, agency Security Architecture and agency IT CPIC;
(c) Consolidate individual reports from all functional
and operation units into one agency combined report (i.e., monthly scans,
patches, incidents) for higher level management, including ACIO CS;
(d) Monitor the progress of the ISSM/ISSOs
to ensure that they meet the necessary program security requirements of NIST
800-26 and departmental policy directives;
(e) Serves
as the principle consultant to the agency CIO and senior management, including
ACIO CS;
(f) Coordinate
agency Incident Response with the agency ISSM/ISSOs to include all associated actions
necessary to mitigate the risk to unit systems; and
(g) Oversee the implementation of agency
security policies, procedures and guidelines.
(3)
The
Agency Information Systems Security Manager (ISSM) will:
(a) Serve as the Point of Contact (POC) for all
unit CS matters; provide subject matter guidance to agency personnel;
(b) Participate in the process and monitor to ensure that all agency systems are C&A’d prior to actual operation and that they are reaccredited every three years or when significant system change occurs;
(c) Disseminate departmental security policy and procedures; formulate internal agency security procedures and support implementation, testing, and integration into the agency culture (mission and business operation);
(d) Participate as a permanent member of unit system development teams, telecommunications planning, and System Development Life Cycle (SDLC) processes;
(e) Conduct internal audits of all agency IT systems to ensure compliance with federal and departmental policy and procedures;
(f) Participate in general and role-based security training to enhance knowledge and skill level; recommend appropriate training for staff to ISSPM;
(g) Proactively coordinate the establishment of system security controls to protect agency information using authentication techniques, encryption, firewalls, access controls, and comprehensive departmental Incident Response Procedures with all System Administrators (SA) and business owners;
(h) Coordinate with business owners to categorize information systems and determine sensitivity levels;
(i) Establish Disaster Recovery/Business
Resumption (DR/BR) and other emergency plans for all IT systems; ensure
compliance with backup and storage procedures;
(j) Monitor physical spaces to ensure that the security requirements of IT Restricted Space are followed in maintaining, updating or planning new space, and advise the CIO if space does not meet security requirements;
(k) Develop and manage a Security Awareness
Program including arranging or conducting security awareness briefings;
recommend to the agency ISSPM security training for all agency personnel,
including contractors, based on their role in the organization; ensure
that all personnel are appropriately trained in the security Rules of Behavior
prior to being granted access to unit systems;
(l) Arrange for background screening of unit employees based on the level of trust and sensitivity of the position they occupy in the organization;
(m) Participate in the development of an agency security architecture for all IT systems;
(n) Monitor and coordinate patch management and scanning techniques for all unit systems; participate in identification and mitigation of all system vulnerabilities,
(o) Coordinate the provision of security controls for Portable Electronic Devices (PEDS) and other wireless technology;
(p) Participate in the Overall Agency Security Plan for the program and coordinate with Information Systems Security Officers (ISSO) to ensure that current system specific plans are in place for all IT systems; coordinate or participate in risk assessments of all unit systems and mitigate vulnerabilities;
(q) Monitor CM practices to ensure that security controls are maintained over the life of the IT systems, and formulate and prepare an electronic agency inventory for unit computing devices;
(r) Monitor and participate in assessments to ensure that Privacy requirements are met;
(s) Plan and document security costs for unit IT investments and systems;
(t) Prepare and update reports to ensure that the unit complies with mandated internal and external security reporting requirements, including FISMA and CPIC;
(u) Proactively participate in new CS
initiatives including, but not limited to, computer investigations and
forensics; and
(v) Prepare
and coordinate unit Incident Responses with the agency ISSPM to include all
associated actions necessary to mitigate the risk to unit systems.
4 Agency
Information Systems Security Officers (ISSO) will:
(a) Be
knowledgeable of Federal, Departmental, and agency security regulations when
developing functional and technical requirements; serve as a POC for system
users with security issues;
(b) Coordinate
security program and system elements with the agency IT Program Managers by
evaluating system environments for security requirements and controls
including: IT Security Architecture,
hardware, software, telecommunications, security trends, and associated threats
and vulnerabilities;
(c) Manage
security controls to ensure confidentiality, integrity and availability of
information; build security into the system development process and define
security specifications to support the acquisition of new systems; review and
sign off on system procurement requests to ensure that security has been
considered and included;
(d) Assist
with security controls and associated costs in the CPIC Process;
(e) Assist
the ISSM in the C&A process, including updates to the overall Agency and
System Security Plans (SSP) for the program; serve as a key advisor in risk
assessments of all systems and mitigate vulnerabilities; adhere to CM practices
to ensure that security controls are maintained over the life of IT systems;
update the electronic agency inventory for all agency computing devices;
(f) Adhere
to and implement system security controls that ensure the protection of
Sensitive But Unclassified (SBU) information using authentication techniques,
encryption, firewalls, and access controls;
(g) Assist
the ISSPM in following Department Incident Response Procedures;
(h) Assist
the system owner and ISSM in the development, testing and maintenance of agency
and system contingency plans, backup and storage procedures; document all
procedures according to departmental and agency standards;
(i) Audit
and monitor application, system and security logs for security threats,
vulnerabilities and suspicious activities; report suspicious activities to the
agency ISSPM;
(j) Support
and facilitate the security awareness, training and education program; and
(k) Assist
the ISSM in any other security related duties, as required.
4 RESPONSIBILITIES
a The Associate CIO for Cyber Security
(ACIO CS) will:
(1) Act
as the recognized Senior Security Officer (SSO) for the department and the central
point of contact for CS management within USDA;
(2) Formulate and issue departmental CS policies and procedures for all USDA agencies and staff offices;
(3) Promote
and monitor C&A of all USDA IT Systems;
(4) Provide
enterprise-wide contractual vehicles and tools for security products and
services;
(5) Monitor
agencies to ensure that all Security Plans are current for programs and agency
IT systems;
(6) Ensure
that agencies comply with CS policy and procedures;
(7) Collaborate
in identification of material weaknesses and assist in formulating mitigation
strategies, if required;
(8) Centralize the department’s Computer
Incident
Response with US-CERT and other computer
emergency
response teams;
(9) Assist agencies in responding to computer
fraud
and with the handling of forensic
evidence and
investigations;
(10)
Ensure that agencies implement and maintain
managerial, technical, and
operational security
controls;
(11) Support
and promote IT Contingency Planning efforts;
(12)
Monitor and evaluate physical security within IT Restricted space;
(13)
Ensure agencies meet Privacy Act requirements;
(14) Review and make recommendations to the CIO for all IT Investments and Waiver requests;
(15) Establish and support a Departmental security awareness and training program;
(16) Review
requests for exceptions to CS Policy and Procedures in a timely manner; and
(17)
Act as the central point for preparing regulatory reports required by
FISMA and other legislation.
b Agency
Chief Information Officer (CIO) will:
(1) Establish, implement and provide adequate resources for an agency ISSP that provides a comprehensive and proactive security process to protect agency assets;
(2) Be knowledgeable
in legal and liability issues surrounding computing devices, the consequences
of security breaches and requirements of executive accountability for IT
systems;
(3) Ensure that all agency systems are C&A’d prior to operation and that they are reaccredited every three years or when significant system change occurs;
(4) Ensure that Departmental security policy and procedures are disseminated; ensure that internal agency security procedures are implemented, tested, and integrated into the agency culture;
(5) Designate in writing, using the form in Appendix A, an agency ISSPM who is a direct report; ensure that the ISSPM is a permanent member of all agency system development initiatives, telecommunications planning, and SDLC processes;
(6) Provide general and role-based security
training to the ISSPM and security staff to include field personnel from USDA
enterprise training vehicles;
(7) Establish and monitor an agency Personal Use Policy for all computing devices;
(8) Proactively support the establishment of system security controls at the USDA’s C2 Level of Trust
and provide protection of SBU information using authentication techniques, encryption, firewalls, access controls, and comprehensive Departmental Incident Response Procedures;
(9) Support agency contingency planning efforts by establishing DR/BR and other emergency plans for all IT systems;
(10) Ensure that the security requirements of IT Restricted Space are followed in maintaining, updating or planning new space;
(11) Ensure that all agency personnel, including contractors, receive security awareness briefings and training based on their role in the organization;
conduct background screening of all employees based on the level of trust and sensitivity of the position they occupy in the organization;
(12) Support the development of an agency security architecture for all IT systems;
(13) Ensure patch management and scanning techniques are employed to protect, identify and mitigate system vulnerabilities;
(14) Provide security controls for Portable Electronic Devices (PEDS) and other wireless technology;
(15) Ensure that an overall agency security plan is prepared for the program and current system specific plans are in place for all IT systems;
(16) Conduct risk assessments of all systems and mitigate vulnerabilities wherever feasible;
(17) Establish CM practices to ensure that security controls are maintained over the life of the IT systems;
(18) Ensure that all computing devices are captured in an electronic agency inventory and included in the Department’s Enterprise Architecture Repository (EAR);
(19) Ensure that agency and Federal Privacy Act requirements are met;
(20) Ensure that security costs are planned and entered in to agency’s annual budget submission for all IT investments and systems;
(21) Ensure that the agency complies with mandated internal and external security reporting requirements, including FISMA and CPIC;
(22) Ensure that support is provided for computer investigations and forensics; and
(23) Proactively support CS initiatives.
c The
Agency Information Systems Security Program Managers (ISSPM) will:
(1) Serve as the POC for all agency CS matters; provide subject matter guidance to agency personnel;
(2) Manage
the agency ISSP, including field activities;
(3) Participate in the process and monitor the program to ensure that all agency systems are C&A’d prior to operation and that they are reaccredited every three years or when significant system change occurs;
(4) Disseminate Departmental security policy and procedures; formulate internal agency security policies, procedures and support implementation, testing, and integration into the agency culture (mission and business operation);
(5) Participate, as a permanent member, on all agency system development teams, telecommunications planning, and SDLC processes;
(6) Conduct internal audits of all agency IT systems to
ensure compliance with federal and departmental
policy and procedures;
(7) Participate in general and role-based security training to enhance knowledge and skill level from USDA Enterprise training vehicles; recommend appropriate training for staff and field personnel from USDA Enterprise training vehicles and other sources to CIO;
(8) Proactively coordinate the establishment of system security controls at the USDA’s C2 Level of Trust; the protection of SBU information using authentication techniques, encryption, firewalls, access controls, and comprehensive departmental Incident Response Procedures with all SAs and business owners, and develop security baselines, where applicable;
(9) Coordinate with business owners to categorize information systems and determine sensitivity levels;
(10) Establish DR/BR and other emergency plans
for all IT systems; ensure compliance with backup and storage procedures;
(11) Monitor to ensure that the security requirements of IT Restricted Space are followed in maintaining, updating or planning new space, and advise the CIO if space does not meet security requirements;
(12) Develop and manage a Security Awareness Program including arranging or conducting security awareness briefings; recommend to the agency CIO security training for all agency personnel, including contractors, based on their role in the organization; ensure that all personnel are appropriately trained in the Security Rules of Behavior prior to being granted access to agency systems;
(13) Coordinate with local Human Resources Offices to arrange for background screening of all IT employees based on the level of trust and sensitivity of the position they occupy in the organization;
(14) Participate in the development of an agency security architecture for all IT systems;
(15) Monitor and coordinate patch management and scanning programs for all agency systems; participate in identification and mitigation of all system vulnerabilities;
(16) Coordinate the provision of security controls for PEDS and other wireless technology;
(17) Formulate and prepare the overall Agency Security Plan for the program and coordinate with ISSOs to ensure that current system specific plans are in place for all IT systems;
(18) Coordinate or participate in risk assessments of all systems and mitigate vulnerabilities;
(19) Monitor CM practices to ensure that security controls are maintained over the life of the IT systems;
(20) Develop and prepare an electronic agency inventory for all agency computing devices;
(21) Monitor and participate in assessments to ensure that agency Privacy requirements are met;
(22) Plan and document security costs for all IT investments and systems;
(23) Prepare and update agency reports to ensure that the agency complies with mandated internal and external security reporting requirements, including FISMA and CPIC; and
(24) Proactively
participate in CS initiatives including, but not limited to, computer
investigations and forensics.
d The
Agency IRM, Automation Information System Management, Operations and
Programming Staff will:
(1) Be
knowledgeable of Federal and agency security regulations when developing
functional and technical requirements;
(2) Coordinate
security program and system elements with the agency IT Program Managers and
ISSPM (ISSM or ISSO as appropriate) by evaluating system environments for
security requirements and controls including:
IT Security Architecture, hardware, software, telecommunications,
security trends, and associated threats and vulnerabilities;
(3) Manage
security controls to ensure confidentiality, integrity and availability of
information; build security into the system development process and define
security specifications to support the acquisition of new systems;
(4)
Assist with
defining security controls and associated costs in the CPIC process;
(5)
Assist the
system owner and ISSPM in the C&A process, including updates to the overall
Agency and System Security Plans (SSP);
(6)
Participate
in risk assessments of all systems and mitigate vulnerabilities;
(7)
Adhere to CM
practices to ensure that security controls are maintained over the life of IT
systems;
(8)
Update the
electronic agency inventory for all agency computing devices;
(9)
Adhere to
and implement system security controls at the USDA C2 Level of Trust and ensure
the protection of SBU information using authentication techniques, encryption,
firewalls, and access controls;
(10)
Assist the
ISSPM in following department Incident Response Procedures;
(11)
Assist the
system owner and ISSPM in the development, testing and maintenance of Agency
and
System Contingency Plans, backup and storage procedures; document all
procedures according to departmental and agency standards;
(12) Audit
and monitor application, system and security logs for security threats, vulnerabilities
and suspicious activities; report
suspicious activities to the agency ISSP Office; and
(13) Assist the ISSPM in any other security
related duties,
as
required.
-END-
APPENDIX A
DESIGNATION OF ISSPM AND DEPUTY ISSPM
GS Series/Title:_________________________________ Level of Background
Investigation:_______________________________________
Name:_____________________________________
Agency: ___________________________________
Location: _______________________________________
_______________________________________
Phone Number: ____________________ Cell Number: ____________________
Fax Number: _______________________ E-mail:__________________________
Agency CIO Name :____________________________
Agency CIO Signature: ____________________________
Date: _____________