Every application that is going to be deployed in the Agency central environment or any NCC managed resource is required to have a signed Application Security Plan.
It is the program office's responsibility to determine the sensitivity of their data and the risk associated with it, and to write an application security plan in accordance with EPA policy and guidance. Per EPA Directive 2195A1, it is the responsibility of the respective information manager to determine sensitivity and to develop security plans.
Each program office may have its own specific security review procedures. A "Management Official", who is not the person responsible for security of the application, must authorize use of the application by signing an authorization statement. The authorization must be based on the security plan and any tests conducted. The SIRMO must also approve the security plan. The program office's Information Security Officer is the authority to turn to for guidance on the security plan review procedures. The ISO must also maintain on file a copy of the current security plan.
Agency policy and guidance for the application security plan is available on the Web in the Information Security Manual at: http://intranet.epa.gov/itsecurity/.
The separate guidance documents on this site, http://intranet.epa.gov/itsecurity/certaccrassess/itsecurityplan.html, include examples of security plans in their appendices.
Note: The links above are on the EPA Intranet; they are not reachable from computers outside the EPA LAN.
However, there are some publicly available security resources. The first is NIST Special Publication 800-18 Rev. 1 (PDF, 460KB, 48 pages) "Guide for Developing Security Plans for Information Technology Systems." The second is OMB A-130 appendix III.
OEI/OTOP/IT Policy and Planning Division is available to answer questions and help interpret the Information Security Manual and other agency information technology policies.
As operator of the General Support System (web infrastructure, etc.) upon which the application will run, it is NCC's responsibility to review the security plan for identifiable risks and to make sure that the application will not compromise the security of the NCC General Support System. NCC does not approve security plans, but we may refuse to deploy an application until identified risks are adequately addressed. NCC will also advise the client office of any known residual risks associated with the general support system or network that the application's security should take into account. Therefore, client offices should work with NCC early in the life-cycle process to ensure that security is adequately considered.