Information Security Plan (NISTP)
A. Change Management Plans for Secure IT Systems (CSO’s role in approving changes)
The title Chief Security Officer (CSO) was traditionally used within the information technology function to designate the person responsible for IT security. Chief Information Security Officer is a more precise description of this position, and today the CISO title is becoming more common for executives with a specific information security focus.
The purpose is to perform an assessment of the change management process to provide management with assurance that the process is controlled, monitored, and aligned with good practice.
The scope will focus on the application change management process. It will rely on the system development methodology to provide a development and testing approach, and on the system's request and incident management processes to provide input to the change management system. All processes affecting these functions before a request, incident, or problem ticket enters the change management process are outside the scope of this review.
IT audit and assurance professionals are expected to tailor this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point, and it may be modified by the IT audit and assurance professional. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation or has the necessary subject matter expertise required to perform the work, and is supervised by a professional with the CISA designation and the necessary subject matter expertise to adequately review the work performed.
B. Certification & Accreditation for IT Systems (SSAA’s, DAA’s, ATO’s, etc.)
The NSTISSI (National Security Telecommunications and Information Systems Security Instruction) established national standards for the certification and accreditation of security systems. This involves a process in which the general tasks, management structure, and activities for certifying and accrediting systems are designed to maintain the level of security and Information Assurance (IA) of a particular site or system. Its main objective is to focus the information system perspective on enterprise-wide implementation while integrating the organization’s business case and mission.
Accreditation of an IT component is conducted in three parts:
1) Interim Approval to Operate or Approval to Operate (IATO/ATO) – certification or accreditation to store and process information.
2) Interim Approval to Connect or Approval to Connect (IATC/ATC) – certification or accreditation to receive and transmit information.
3) Denial of Service (DOS) – the IT component’s failure to meet either of the primary conditions of IATC/ATC or IATO/ATO. This condition places the component in a re-evaluation process that requires either mitigation to meet the primary requirements or cancellation of the component for failing to comply with security rules.
C. Information System Security Plan
Today’s technical environment requires federal agencies to consider a set of management controls to protect their IT resources. These management controls are directed at individual information technology users in order to reflect the distributed nature of today’s technology. Technical and operational controls support the management controls. To be effective, all of these controls must interrelate. This document provides a guide for federal agencies to follow when developing the security plans that document the management, technical, and operational controls for federal automated information systems. All systems must be covered by system security plans if they are categorized as a “major application” or “general support system.” Specific security plans for other applications are not required because the security controls for those applications or systems would be provided by the general support system in which they operate.
The purposes of system security plans are to provide an overview of the security requirements of the system, describe the controls in place or planned for meeting those requirements, and delineate the responsibilities and expected behavior of all individuals who access the system.
D. Information Security Metrics and Measurements (Audits and/or Governance)
Information security governance is the responsibility of the board of directors and senior executives. It must be an integral and transparent part of enterprise governance and be aligned with the IT governance framework. While senior executives have the responsibility to consider and respond to the concerns and sensitivities raised by information security, boards of directors will increasingly be expected to make information security an intrinsic part of governance, integrated with the processes they already have in place to govern.
There are many facets to information security governance; several topics help answer the question, “What is Information Security Governance?”
- Information security governance’s desired outcomes
- Knowledge and protection of information assets
- Benefits of information security governance
- Process integration
A key objective of information security is to reduce adverse impacts on the organization to an acceptable level of risk. Information security protects information assets against the risk of loss, operational discontinuity, misuse, unauthorized disclosure, inaccessibility, and damage, and also protects against the ever-increasing potential for civil or legal liability that organizations face as a result of information loss and inaccuracy. These losses translate into an inability of the organization to perform its intended function; therefore it is important that the organizations described establish stronger grounds to sustain adequate information system security.
References
Drug Enforcement Administration Office of Diversion Control (2010). Controlled Substance Ordering System Certificate Policy, 4(0). Retrieved from http://www.deaecom.gov/Ecom_CP.pdf
Infectionvectors.com (n.d.). Introduction to DIACAP for Certification and Accreditation Practitioners. Retrieved from http://www.infectionvectors.com/library/diacap_review-iv.pdf
Isaca.org (n.d.). Change Management Audit/Assurance Program. Retrieved May 4, 2013, from http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Change-Management-Audit-Assurance-Program.aspx
National Security Agency (2000). National Information Assurance Certification and Accreditation Process. NSTISSI No. 1000. Retrieved from http://www.cnss.gov/Assets/pdf/nstissi_1000.pdf
Sans.org (2007). Certification and Accreditation. Retrieved May 4, 2013, from http://www.sans.org/reading_room/whitepapers/auditing/certification-accreditation-dummies_1966
Swanson, M., Hash, J., & Bowen, P. (2006). Guide for Developing Security Plans for Federal Information Systems. NIST Special Publication 800-18, Rev. 1. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf