Regulatory Compliance And Oversight
The Department of Labor (DOL) OCIO is responsible for providing regulatory oversight for information technology (IT) security. This oversight includes the development of department-wide policy, procedures, and guidance for compliance with Federal laws, regulations, and guidelines, and sound security and privacy practices. Additionally, OCIO Security is responsible for reviewing security program documentation developed to ensure compliance and further enhance security practices across all component agencies. Documents reviewed include, but are not limited to:
- Security Program Plans
- Risk Assessments
- System Security Plans
- Contingency and Disaster Recovery Plans
- Incident Response Plan
- Plan of Action and Milestones
- Interconnection Security Agreements
- Memoranda of Understanding
- Security Controls Assessment
- Certification and Accreditation Documents
- Security Controls Test and Evaluation (SCT&E)
Federal Information Security Management Act (FISMA) Implementation and Reporting
The OCIO Security team is responsible for compiling the Department's quarterly and annual reporting of information security under FISMA. This includes collecting, reviewing, and aggregating the quarterly plans of action and milestones (POA&M) reports on mitigating security weaknesses, eGovernment evaluations, and the annual review of departmental security programs. DOL uses the National Institute of Standards and Technology (NIST) Special Publication 800-53A, Security Self-Assessment Guide for Assessing the Security Controls in Federal Information Systems, to conduct this annual review.
Computer Security Awareness and Training
DOL OCIO Security is responsible for developing the department-wide minimum training requirements for all employees, computer security professionals, and executive management. This includes hosting the annual computer security awareness training and other activities throughout the year to reinforce the IT security knowledge of DOL employees. DOL component agencies are required to add depth to the department-wide training requirement to bring system users up to speed on security requirements particular to the systems and applications they operate.
Computer Security Incident Response
DOL OCIO Security maintains a computer security incident response capability to address incidents across the department. The DOL Computer Security Incident Response Capability (CSIRC) functions in dual modes - proactive and reactive. The team proactively monitors federal and commercial computer incident response and homeland security groups (e.g., US-CERT) to determine potential threats to DOL systems and newly discovered vulnerabilities in DOL systems and applications. The team then notifies the security officers at each component agency, and, as required, collects feedback on the mitigation of new vulnerabilities and threats.
Furthermore, the DOL CSIRC is responsible for responding to anomalies and incidents related to computer security in DOL systems and applications. DOL CSIRC coordinates anomaly reporting to determine whether potential threat activity is directed against one component agency or across all of DOL. Additionally, DOL CSIRC is responsible for coordinating incident reporting to outside organizations, including law enforcement and government-wide incident response.
OCIO Program Integration
DOL makes information security a priority. This emphasis integrates information security into the Department's Enterprise Architecture (EA), the System Development Life Cycle Management Manual (SDLCMM), and the Department's IT planning, management, and Capital Planning and Investment Control (CPIC) process.
Capital Planning
The OCIO Security team routinely interacts with the OCIO Capital Planning team to ensure that the Department's IT fiscal decisions maintain its strong information security posture. Security is an integral part of the system development life cycle; therefore, the security team actively participates in the Select and Control process. In support of the Select process, the team reviews several iterations of each initiative's Exhibit 300 business case to ensure that the initiatives comply with the latest security policies. During the Control process, the team participates in the quarterly capital planning control reviews to follow the progress of projects and initiatives, both in operations and in development, to ensure continued compliance with security requirements and best practices.
Enterprise Architecture
The OCIO Security team is actively involved in the efforts of DOL to establish and manage enterprise architecture. The team routinely reviews enterprise architecture guidance documents through the eGovernment reviews to ensure that they comply with current security laws, regulations, guidelines, and best practices. Part of this effort is directed at maintaining a common and uniform architecture for security protection at DOL to maximize interoperability of component agency information systems. Furthermore, this commonality is extended to maximize government-wide information sharing and interoperability under the eGovernment initiative and the President's Management Agenda.
Information Collection
The OCIO Security team actively participates in the information collection efforts at DOL. The systems at DOL contain a wide variety of sensitive but unclassified information, such as personally identifiable information (PII), corporate sensitive data, and leading economic indicators. Any effort to increase information sharing or change information collection practices should carefully review its security impact and find ways to eliminate, as far as possible, the risk of compromise of this information.
Government-Wide Outreach
The OCIO Security team participates in several government-wide initiatives to share lessons learned and ensure compliance with the objectives of eGovernment on the President's Management Agenda. These activities include, but are not limited to:
- promote use of the Internet, other information technologies, and interagency collaboration in providing E-Government services, to provide increased opportunities for citizen participation in Government;
- improve the Government's ability to achieve agency missions and program performance goals;
- reduce costs and burdens for businesses and other Government entities;
- make the Federal Government more transparent and accountable; and
- provide better access to Government information and services in a manner consistent with laws regarding protection of personal privacy, national security, records retention, access for persons with disabilities, and other relevant laws.