SlideShare a Scribd company logo

Eplc security approach_practices_guide

D
dizainioras
Technology
1 of 5
Download to read offline
DEPARTMENT OF HEALTH AND HUMAN SERVICES ENTERPRISE PERFORMANCE LIFE CYCLE FRAMEWORK <OPDIV Logo> PRACTIICES GUIIDE PRACT CES GU DE PROJECT MANAGEMENT PLAN - SECURITY APPROACH Issue Date: 7/7/2008 Revision Date: <mm/dd/yyyy> Document Purpose This Practices Guides is a brief document that provides an overview describing the best practices, activities, attributes, and related templates, tools, information, and key terminology project managers need to be aware of as they implement the integrated security activities within the Enterprise Performance Lifecycle (EPLC) and address the specific approach to fulfilling the requirements of security within their projects. The document does not attempt to revisit the recommended approach to developing a system security plan or how to integrate security within a System Development program as these are documented in detail elsewhere. Instead, the document tries to outline where and how design decisions can simplify design and documentation requirements. Background The implementation of the EPLC Framework represents the recognition that security must be a continuous process addressing risks, vulnerabilities, and security controls, through regular reviews throughout all stages of a system’s life cycle. Through this framework, information security is conducted in a manner that reduces risk to the information entrusted to HHS, and enables business activities through effective management of residual risks to information confidentiality, integrity, and availability. For federal security practitioners, compliance with the Federal Information Security Management Act (FISMA) has been the driving force. The culmination of the FISMA process is a system security plan that • Documents the people, processes, and IT resources implemented to protect a defined IT system; • Allows business and security owners to certify that the system is adequately protected according to federal standards, and • Formally accredits the system as authorized to process and store information, and • Lays the groundwork for change management, self-assessment, vulnerability testing and other processes that ensure no new security risks are introduced into the system without approval of appropriate authority. A number of federal laws and directives require integrating security into the development lifecycle of a system, including FISMA and Office of Management and Budget (OMB) Circular A-130, Appendix III. The National Institute of Standards and Technology (NIST) has extensive information on integrating security within the development lifecycle. Project managers should review chapter three of NIST Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers and for more detail review NIST SP 800-64, Security Considerations in the System Development Life Cycle, Revision 2. While the HHS EPLC establishes a more granular set of phases, these align closely with NIST documentation as shown in Table 1. Table 1: Comparing the NIST Development Phases to HHS EPLC NIST SDLC Implementation Operations Initiation Acquisition Development Disposition Phases Assessment Maintenance Implementation Operations and Requirements Development Maintenance Disposition Planning Initiation Analysis Concept Design Test HHS EPLC Phases <OPDIV> Project Management Plan - Security Approach (v1.0) Page 1 of 5 This document is 508 Compliant [Insert additional appropriate disclaimer(s)]
HHS EPLC Practices Guide - <OPDIV> Project Management Plan - Security Approach (v0.3) <MM/DD/YYYY> Practice Overview One of the primary goals of the EPLC is to ensure that security considerations are planned for early and handled consistently in the project lifecycle. The primary goal of the Security Approach is to document a plan that coordinates the other project stakeholders toward this end while clearly defining how the intended services within a project will be secured with the best outcome for the requirements of the business. To do this the security approach must highlight the owners and activities that connect the business goals of the system to the implemented security controls to ensure those goals are delivered securely. While the security approach for a program is linked to the System Security Plan (SSP), and much of the planning and documentation can likely be re-used in the SSP, it is a distinct process. The primary security document for a federal system is the SSP which is analyzed, updated, and accepted during the Certification and Accreditation (C&A) process. The SSP documents the system name, system categorization, system owner, Authorizing Official and contacts, information system type, system environment and interconnections, system description and purpose, applicable laws and regulations, selected security controls, completion and approval dates, and a plan for on-going maintenance. Details of the SSP and C&A development processes are well documented elsewhere within the EPLC and NIST. However, establishing how and where to draw system boundaries can be the most critical and difficult part of securing a system. The FIPS 199 requirement to secure an information system to the high watermark or highest impact level must be applied when grouping minor applications/subsystems with varying FIPS 199 impact levels into a single general support system or major application unless there is adequate boundary protection. Establish the Security Team The security team is a critical resource for IT system security. The security team consists of the Business Owner, System Owner, System Security Manager, User Representatives, the Designated Approving Authority (DAA), Certify Authority and other key participants who are involved in the C&A process. The EPLC C&A Practices Guide provides details on the Department’s process, including identifying others on the C&A team. Document the Security Roles and Responsibilities – Clearly identifying the personnel on the security team with important security roles for the different phases of the EPLC will assure that the security requirements are properly addressed. Program Managers leverage the configuration or change management activities to ensure that all the security the security requirements are identified with a responsible security manager. Developing the Security Approach The process of developing the security approach is primarily concerned with the actions necessary to define, integrate, and coordinate all subsidiary planning documents into a single PMP. The security approach is usually drafted by the Project Manager in collaboration with the security team. Like a good project management plan, the security approach does not need to be complicated or lengthy, so long as it covers the entire system and guides the later phases on how to collaborate with different team members and facilitate the business goals for the system. A fairly contained system or an update to an established system may not require an in-depth security approach as the difficult tasks of categorizing the system, characterizing the system, and defining the system boundary has already been done. Categorizing the System – Before the security approach can be developed, the information system and the information resident within that system must be categorized based on a FIPS 199 impact analysis. Each system identified in the agency's system inventory must be categorized using FIPS 199. NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, provides implementation guidance in completing this activity. See Table 2 for a summary of FIPS 199 categories. <OPDIV> Project Management Plan - Security Approach (v1.0) Page 2 of 5 This document is 508 Compliant [Insert additional appropriate disclaimer(s)]
HHS EPLC Practices Guide - <OPDIV> Project Management Plan - Security Approach (v0.3) <MM/DD/YYYY> Table 2: FIPS 199 Categorization POTENTIAL IMPACT Security Objective LOW MODERATE HIGH Confidentiality The unauthorized The unauthorized The unauthorized Preserving authorized disclosure of information disclosure of information disclosure of information restrictions on could be expected to have could be expected to have could be expected to have information access and a limited adverse effect a serious adverse effect a severe or catastrophic disclosure, including on organizational on organizational adverse effect on means for protecting operations, organizational operations, organizational organizational operations, personal privacy and assets, or individuals. assets, or individuals. organizational assets, or proprietary information. individuals. [44 U.S.C., SEC. 3542] Integrity The unauthorized The unauthorized The unauthorized Guarding against modification or modification or modification or destruction improper information destruction of destruction of of information could be modification or information could be information could be expected to have a severe destruction, and includes expected to have a expected to have a or catastrophic adverse ensuring information limited adverse effect on serious adverse effect on effect on organizational non-repudiation and organizational operations, organizational operations, operations, organizational authenticity. organizational assets, or organizational assets, or assets, or individuals. [44 U.S.C., SEC. 3542] individuals. individuals. Availability The disruption of access The disruption of access The disruption of access to Ensuring timely and to or use of information to or use of information or use of information or an reliable access to and use or an information system or an information system information system could of information. could be expected to have could be expected to have be expected to have a [44 U.S.C., SEC. 3542] a limited adverse effect a serious adverse effect severe or catastrophic on organizational on organizational adverse effect on operations, organizational operations, organizational organizational operations, assets, or individuals. assets, or individuals. organizational assets, or individuals. Characterize the System – In compliance with OMB Circular A-130, the system in development should be characterized as part of a General Support System, Major Application, or Minor Application. All information systems labeled as a major application (MA) or general support system (GSS) must be covered by an SSP. Specific system security plans for minor applications are not required because the security controls for those applications should be provided by the GSS or MA in which they operate. Furthermore, changes to an existing system must be assessed for impact as major changes require the re-certification and accreditation of the system. Appropriately characterizing the system and/or the impact of any proposed changes will impact later phases not only by establishing the requirement for a new or updated SSP but also assists in defining the system boundaries and thus clarifying critical stakeholders. Establishing the System Boundaries – The next step in establishing the security approach is defining where the system boundaries lie and how the system interfaces with other systems. This requires an analysis of both technical system boundaries and organizational responsibilities. Because the overall categorization of a system is established by its FIPS 199 ‘high water mark’, the FIPS 199 impact levels must be considered when constructing the system boundaries. Constructing a preliminary notion of the physical and logical boundaries around a set of processes, communications, storage, and related resources identifies a system. The set of elements within these boundaries constitutes a single system. Each component of the system must: • Be under the same direct management control (i.e., one system owner even though the MA may cross several business lines) • Have the same general business function(s) or business objective(s) • Have essentially the same operating characteristics and security needs All components of a system do not need to be physically connected. Examples: • A disparate set of identical systems used to provide redundant Internet services • Geographically dispersed storage arrays used to provide operational and redundant mail stores • A system with multiple identical configurations that are installed in locations with the same environmental and physical safeguards. <OPDIV> Project Management Plan - Security Approach (v1.0) Page 3 of 5 This document is 508 Compliant [Insert additional appropriate disclaimer(s)]
HHS EPLC Practices Guide - <OPDIV> Project Management Plan - Security Approach (v0.3) <MM/DD/YYYY> Most critically, it is certainly appropriate to reference an underlying GSS as providing a number of security requirements (e.g. authentication), or even define multiple systems within the same development program. In defining the various system boundaries, the Program Manager must work with the security team so that their approach ensures that meeting business requirements, system accreditation, as well as continuous monitoring and re-accreditation are cost effective and manageable. Identify Programmatic Activities that Support Security A number of activities support the security goals, but are not directly involved with the implementation of technical security controls. Document how these activities are being leverage in support of the security approach. Possible activities include IT security funding requests in capital planning and investment control activities, developer and staff training, risk, change and configuration management activities, and documentation development. Best Practices • Prepare for later stages – While the majority of security deliverables are completed in the Implementation phase, Program Managers can leverage increased return on investment in their security programs by using these deliverable targets to guide the earlier stages of a system, such as: • Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation; • Awareness of potential engineering challenges caused by mandatory security controls; • Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques; • Facilitating informed executive decision making through comprehensive risk management in a timely manner; • Coordinate with stakeholders – Developers, business owners, and security partners all have insight into the goals and challenges likely to encounter when developing, integrating, and implementing system security. Including these individuals in the development of the security approach will facilitate the later phases. • Review and Modify – A number of assumptions will be required in the earliest documentation of the security approach. • Integrate with related activities – Outputs of the security approach activities will need to be integrated into other Program Management and EPLC activities, e.g.: o Security Requirements will need to be fed into the Requirements Analysis phase as well as the Configuration Management activities; o Conflicts and risk will need to be managed within the Risk Management or Issues Management activities; o System Boundaries estimates may affect Scope Management activities; and o Security Stakeholders need to be included within the Communications Management activities. o Individuals with key security responsibilities need to be identified, and ensuring they complete Mandatory Role-Based Training (RBT) must be considered when planning training requirements Practice Activities Activities within the security approach should help establishes the number and scope of system security plans and C&A documents required to effectively secure and document the output of the project. • Coordinate system purpose, business needs and requirements, and security requirements • Document the intended Security Approach • Document the Security Critical Partners, Designated Approving Authority, and Certification Authority for each C&A package likely to be developed • Establish preliminary System Security Categorization according to NIST SP 800-60 and FIPS-199 o Identify information sensitivity o Select provisional impact level o Review provisional impact levels and adjust/finalize information impact o Assign system security category • Establish system and sub-system boundaries o Identify data sharing and external system interconnections <OPDIV> Project Management Plan - Security Approach (v1.0) Page 4 of 5 This document is 508 Compliant [Insert additional appropriate disclaimer(s)]
HHS EPLC Practices Guide - <OPDIV> Project Management Plan - Security Approach (v0.3) <MM/DD/YYYY> o Identify any interconnections with a GSS. o Define boundaries for any sub-system to be developed • Document any required security controls from NIST SP 800-53 known to be provided by an underlying GSS or MA. • Document critical stakeholders for supporting GSS or MA and include these individuals in the security approach development as appropriate. • Document and map any required security controls from NIST SP 800-53 known to be provided by the system in development, a sub-system in development. • Document any remaining security controls that cannot be mapped to the system or sub-systems in development, or an underlying GSS or MA. • Document development teams responsible for design and implementation of new security controls. • Document development teams responsible for integration with GSS, MA, minor applications, or other interconnected systems. Practice Related Information NIST FIPS Publications All NIST Federal Information Processing Standards (FIPS) publications are available at the following site: http://csrc.nist.gov/publications/PubsFIPS.html. • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems NIST Special Publications All NIST Special Publications (SP) are available at http://csrc.nist.gov/publications/PubsSPs.html. • NIST SP 800-64, Security Considerations in the System Development Life Cycle, Revision 2 • NIST SP 800-60, Draft Guide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes), Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories Volume 2: Appendices • NIST SP 800-53 Rev. 2, Recommended Security Controls for Federal Information Systems • NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems • NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems • NIST SP 800-30, Risk Management Guide for Information Technology Systems • NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems • NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems Practice Key Terms CA – Certification Agent DAA – Designated Approving Authority GSS – General Support System ISSO – Information System Security Officer MA – Major Application SP – Special Publication SSP – System Security Plan <OPDIV> Project Management Plan - Security Approach (v1.0) Page 5 of 5 This document is 508 Compliant [Insert additional appropriate disclaimer(s)]

Recommended

Environmental stress screening
Environmental stress screeningEnvironmental stress screening
Environmental stress screeningHilaire (Ananda) Perera P.Eng.
 
Road map to cmm
Road map to cmmRoad map to cmm
Road map to cmmNaveed Khan
 
BUSINESS CONTINUITY MANAGEMENT
BUSINESS CONTINUITY MANAGEMENTBUSINESS CONTINUITY MANAGEMENT
BUSINESS CONTINUITY MANAGEMENTTalkSahana
 
Audit Steps
Audit StepsAudit Steps
Audit StepsRnR DataLex Pvt Ltd
 
Front GRC Brochure
Front GRC BrochureFront GRC Brochure
Front GRC Brochureaeltvedt
 
Iso27001 Approach
Iso27001 ApproachIso27001 Approach
Iso27001 Approachtschraider
 
IT GOVERNANCE CONSULTING
IT GOVERNANCE CONSULTINGIT GOVERNANCE CONSULTING
IT GOVERNANCE CONSULTINGArul Nambi
 
Hughitt brian
Hughitt brianHughitt brian
Hughitt brianNASAPMC
 

Recommended

Environmental stress screening
Environmental stress screeningEnvironmental stress screening
Environmental stress screeningHilaire (Ananda) Perera P.Eng.
 
Road map to cmm
Road map to cmmRoad map to cmm
Road map to cmmNaveed Khan
 
BUSINESS CONTINUITY MANAGEMENT
BUSINESS CONTINUITY MANAGEMENTBUSINESS CONTINUITY MANAGEMENT
BUSINESS CONTINUITY MANAGEMENTTalkSahana
 
Audit Steps
Audit StepsAudit Steps
Audit StepsRnR DataLex Pvt Ltd
 
Front GRC Brochure
Front GRC BrochureFront GRC Brochure
Front GRC Brochureaeltvedt
 
Iso27001 Approach
Iso27001 ApproachIso27001 Approach
Iso27001 Approachtschraider
 
IT GOVERNANCE CONSULTING
IT GOVERNANCE CONSULTINGIT GOVERNANCE CONSULTING
IT GOVERNANCE CONSULTINGArul Nambi
 
Hughitt brian
Hughitt brianHughitt brian
Hughitt brianNASAPMC
 
Vmac Trainer Pack Maint.Audit
Vmac Trainer Pack Maint.AuditVmac Trainer Pack Maint.Audit
Vmac Trainer Pack Maint.AuditEfren Mañez-M.E.,FM Consultant-Book Author
 
461361 1013243 chapter_2_dec__11
461361 1013243 chapter_2_dec__11461361 1013243 chapter_2_dec__11
461361 1013243 chapter_2_dec__11anup4704
 
CA Quality Management System
CA Quality Management SystemCA Quality Management System
CA Quality Management SystemWahyu Prasetianto
 
ICD-10 action plan-revised
ICD-10 action plan-revisedICD-10 action plan-revised
ICD-10 action plan-revisedLawrence Medical Managers
 
Dcscourse doc
Dcscourse docDcscourse doc
Dcscourse docVikram Adhikari
 
Introduction-for_management_program(part_2)
Introduction-for_management_program(part_2)Introduction-for_management_program(part_2)
Introduction-for_management_program(part_2)hepta-sat
 
Vonnie simonsen
Vonnie simonsenVonnie simonsen
Vonnie simonsenNASAPMC
 
AIA SOX Conference May 2009 - CCM &amp; Data Analytics
AIA SOX Conference May 2009 - CCM &amp; Data AnalyticsAIA SOX Conference May 2009 - CCM &amp; Data Analytics
AIA SOX Conference May 2009 - CCM &amp; Data Analyticsprosenzw69
 
7 sw-project and-process_measurement_0907_ebert
7 sw-project and-process_measurement_0907_ebert7 sw-project and-process_measurement_0907_ebert
7 sw-project and-process_measurement_0907_ebertgiaptruta
 
Solvency II - Programme Assurance
Solvency II - Programme AssuranceSolvency II - Programme Assurance
Solvency II - Programme Assurancegainline
 
Domain Modelling
Domain ModellingDomain Modelling
Domain Modellingkim.mens
 
Net challenge training_material_performance management_v05
Net challenge training_material_performance management_v05Net challenge training_material_performance management_v05
Net challenge training_material_performance management_v05netchallenge
 
L10 system implementation
L10 system implementationL10 system implementation
L10 system implementationOMWOMA JACKSON
 
Project Performance, Feedback Loops, Risks, and System Dynamics
Project Performance, Feedback Loops, Risks, and System DynamicsProject Performance, Feedback Loops, Risks, and System Dynamics
Project Performance, Feedback Loops, Risks, and System DynamicsHIMADRI BANERJI
 
Analysis and Control of Computing Systems
Analysis and Control of Computing SystemsAnalysis and Control of Computing Systems
Analysis and Control of Computing Systemsnorhavillegas
 
Value Reference Model - Quality and Customer Care
Value Reference Model - Quality and Customer CareValue Reference Model - Quality and Customer Care
Value Reference Model - Quality and Customer CareArnaldo Colombo
 
Ch14-Software Engineering 9
Ch14-Software Engineering 9Ch14-Software Engineering 9
Ch14-Software Engineering 9Ian Sommerville
 
Systems development fall 2006
Systems development fall 2006Systems development fall 2006
Systems development fall 2006eeetq
 
Dawn.schaible
Dawn.schaibleDawn.schaible
Dawn.schaibleNASAPMC
 
Systems Lifecycle workbook
Systems Lifecycle workbookSystems Lifecycle workbook
Systems Lifecycle workbookMISY
 
Aips guide element 6 process safety knowledge rev 2
Aips guide element 6 process safety knowledge rev 2Aips guide element 6 process safety knowledge rev 2
Aips guide element 6 process safety knowledge rev 2bitsgian
 
Module-4 PART-2&3.ppt
Module-4 PART-2&3.pptModule-4 PART-2&3.ppt
Module-4 PART-2&3.pptSharatNaik11
 

More Related Content

What's hot

461361 1013243 chapter_2_dec__11
461361 1013243 chapter_2_dec__11461361 1013243 chapter_2_dec__11
461361 1013243 chapter_2_dec__11anup4704
 
CA Quality Management System
CA Quality Management SystemCA Quality Management System
CA Quality Management SystemWahyu Prasetianto
 
Introduction-for_management_program(part_2)
Introduction-for_management_program(part_2)Introduction-for_management_program(part_2)
Introduction-for_management_program(part_2)hepta-sat
 
Vonnie simonsen
Vonnie simonsenVonnie simonsen
Vonnie simonsenNASAPMC
 
AIA SOX Conference May 2009 - CCM &amp; Data Analytics
AIA SOX Conference May 2009 - CCM &amp; Data AnalyticsAIA SOX Conference May 2009 - CCM &amp; Data Analytics
AIA SOX Conference May 2009 - CCM &amp; Data Analyticsprosenzw69
 
7 sw-project and-process_measurement_0907_ebert
7 sw-project and-process_measurement_0907_ebert7 sw-project and-process_measurement_0907_ebert
7 sw-project and-process_measurement_0907_ebertgiaptruta
 
Solvency II - Programme Assurance
Solvency II - Programme AssuranceSolvency II - Programme Assurance
Solvency II - Programme Assurancegainline
 
Domain Modelling
Domain ModellingDomain Modelling
Domain Modellingkim.mens
 
Net challenge training_material_performance management_v05
Net challenge training_material_performance management_v05Net challenge training_material_performance management_v05
Net challenge training_material_performance management_v05netchallenge
 
L10 system implementation
L10 system implementationL10 system implementation
L10 system implementationOMWOMA JACKSON
 
Project Performance, Feedback Loops, Risks, and System Dynamics
Project Performance, Feedback Loops, Risks, and System DynamicsProject Performance, Feedback Loops, Risks, and System Dynamics
Project Performance, Feedback Loops, Risks, and System DynamicsHIMADRI BANERJI
 
Analysis and Control of Computing Systems
Analysis and Control of Computing SystemsAnalysis and Control of Computing Systems
Analysis and Control of Computing Systemsnorhavillegas
 
Value Reference Model - Quality and Customer Care
Value Reference Model - Quality and Customer CareValue Reference Model - Quality and Customer Care
Value Reference Model - Quality and Customer CareArnaldo Colombo
 
Ch14-Software Engineering 9
Ch14-Software Engineering 9Ch14-Software Engineering 9
Ch14-Software Engineering 9Ian Sommerville
 
Systems development fall 2006
Systems development fall 2006Systems development fall 2006
Systems development fall 2006eeetq
 
Dawn.schaible
Dawn.schaibleDawn.schaible
Dawn.schaibleNASAPMC
 

What's hot (19)

Vmac Trainer Pack Maint.Audit
Vmac Trainer Pack Maint.AuditVmac Trainer Pack Maint.Audit
Vmac Trainer Pack Maint.Audit
 
461361 1013243 chapter_2_dec__11
461361 1013243 chapter_2_dec__11461361 1013243 chapter_2_dec__11
461361 1013243 chapter_2_dec__11
 
CA Quality Management System
CA Quality Management SystemCA Quality Management System
CA Quality Management System
 
ICD-10 action plan-revised
ICD-10 action plan-revisedICD-10 action plan-revised
ICD-10 action plan-revised
 
Dcscourse doc
Dcscourse docDcscourse doc
Dcscourse doc
 
Introduction-for_management_program(part_2)
Introduction-for_management_program(part_2)Introduction-for_management_program(part_2)
Introduction-for_management_program(part_2)
 
Vonnie simonsen
Vonnie simonsenVonnie simonsen
Vonnie simonsen
 
AIA SOX Conference May 2009 - CCM &amp; Data Analytics
AIA SOX Conference May 2009 - CCM &amp; Data AnalyticsAIA SOX Conference May 2009 - CCM &amp; Data Analytics
AIA SOX Conference May 2009 - CCM &amp; Data Analytics
 
7 sw-project and-process_measurement_0907_ebert
7 sw-project and-process_measurement_0907_ebert7 sw-project and-process_measurement_0907_ebert
7 sw-project and-process_measurement_0907_ebert
 
Solvency II - Programme Assurance
Solvency II - Programme AssuranceSolvency II - Programme Assurance
Solvency II - Programme Assurance
 
Domain Modelling
Domain ModellingDomain Modelling
Domain Modelling
 
Net challenge training_material_performance management_v05
Net challenge training_material_performance management_v05Net challenge training_material_performance management_v05
Net challenge training_material_performance management_v05
 
L10 system implementation
L10 system implementationL10 system implementation
L10 system implementation
 
Project Performance, Feedback Loops, Risks, and System Dynamics
Project Performance, Feedback Loops, Risks, and System DynamicsProject Performance, Feedback Loops, Risks, and System Dynamics
Project Performance, Feedback Loops, Risks, and System Dynamics
 
Analysis and Control of Computing Systems
Analysis and Control of Computing SystemsAnalysis and Control of Computing Systems
Analysis and Control of Computing Systems
 
Value Reference Model - Quality and Customer Care
Value Reference Model - Quality and Customer CareValue Reference Model - Quality and Customer Care
Value Reference Model - Quality and Customer Care
 
Ch14-Software Engineering 9
Ch14-Software Engineering 9Ch14-Software Engineering 9
Ch14-Software Engineering 9
 
Systems development fall 2006
Systems development fall 2006Systems development fall 2006
Systems development fall 2006
 
Dawn.schaible
Dawn.schaibleDawn.schaible
Dawn.schaible
 

Similar to Eplc security approach_practices_guide

Systems Lifecycle workbook
Systems Lifecycle workbookSystems Lifecycle workbook
Systems Lifecycle workbookMISY
 
Aips guide element 6 process safety knowledge rev 2
Aips guide element 6 process safety knowledge rev 2Aips guide element 6 process safety knowledge rev 2
Aips guide element 6 process safety knowledge rev 2bitsgian
 
Module-4 PART-2&3.ppt
Module-4 PART-2&3.pptModule-4 PART-2&3.ppt
Module-4 PART-2&3.pptSharatNaik11
 
Lightweight Processes: A Definition
Lightweight Processes: A DefinitionLightweight Processes: A Definition
Lightweight Processes: A DefinitionGlen Alleman
 
Pm for application development
Pm for application developmentPm for application development
Pm for application developmentAbdelrahman Serag
 
Preventive Maintenance Process and Program
Preventive Maintenance Process and ProgramPreventive Maintenance Process and Program
Preventive Maintenance Process and ProgramRicky Smith CMRP
 
Cpm500 d _alleman__tpm lesson 3 (v1)
Cpm500 d _alleman__tpm lesson 3 (v1)Cpm500 d _alleman__tpm lesson 3 (v1)
Cpm500 d _alleman__tpm lesson 3 (v1)Glen Alleman
 
Project management best practices
Project management best practicesProject management best practices
Project management best practiceswalkerswu
 
Cost effective auditing of web applications and networks in smb
Cost effective auditing of web applications and networks in smbCost effective auditing of web applications and networks in smb
Cost effective auditing of web applications and networks in smbLalit Choudhary
 
065 management information system
065 management information system065 management information system
065 management information systemdrdej19
 
065 Management Information System and Productivity
065 Management Information System and Productivity 065 Management Information System and Productivity
065 Management Information System and Productivity Dr Fereidoun Dejahang
 
Mps alexandru
Mps alexandruMps alexandru
Mps alexandruL_Ramona
 
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT Systems
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT SystemsICAB - ITK Chapter 5 Set 2 - Internal Control in IT Systems
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT SystemsMohammad Abdul Matin Emon
 

Similar to Eplc security approach_practices_guide (20)

Systems Lifecycle workbook
Systems Lifecycle workbookSystems Lifecycle workbook
Systems Lifecycle workbook
 
Aips guide element 6 process safety knowledge rev 2
Aips guide element 6 process safety knowledge rev 2Aips guide element 6 process safety knowledge rev 2
Aips guide element 6 process safety knowledge rev 2
 
Module-4 PART-2&3.ppt
Module-4 PART-2&3.pptModule-4 PART-2&3.ppt
Module-4 PART-2&3.ppt
 
10.1.1.87.8236
10.1.1.87.823610.1.1.87.8236
10.1.1.87.8236
 
Lightweight Processes: A Definition
Lightweight Processes: A DefinitionLightweight Processes: A Definition
Lightweight Processes: A Definition
 
Pm for application development
Pm for application developmentPm for application development
Pm for application development
 
Aim crisp handout
Aim crisp handoutAim crisp handout
Aim crisp handout
 
Preventive Maintenance Process and Program
Preventive Maintenance Process and ProgramPreventive Maintenance Process and Program
Preventive Maintenance Process and Program
 
Cpm500 d _alleman__tpm lesson 3 (v1)
Cpm500 d _alleman__tpm lesson 3 (v1)Cpm500 d _alleman__tpm lesson 3 (v1)
Cpm500 d _alleman__tpm lesson 3 (v1)
 
Aup
AupAup
Aup
 
Erp implementation lifecycle
Erp implementation lifecycleErp implementation lifecycle
Erp implementation lifecycle
 
Project management best practices
Project management best practicesProject management best practices
Project management best practices
 
PM_WBS
PM_WBSPM_WBS
PM_WBS
 
SDLC
SDLCSDLC
SDLC
 
Cost effective auditing of web applications and networks in smb
Cost effective auditing of web applications and networks in smbCost effective auditing of web applications and networks in smb
Cost effective auditing of web applications and networks in smb
 
065 management information system
065 management information system065 management information system
065 management information system
 
065 Management Information System and Productivity
065 Management Information System and Productivity 065 Management Information System and Productivity
065 Management Information System and Productivity
 
ERP 04
ERP 04ERP 04
ERP 04
 
Mps alexandru
Mps alexandruMps alexandru
Mps alexandru
 
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT Systems
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT SystemsICAB - ITK Chapter 5 Set 2 - Internal Control in IT Systems
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT Systems
 

Recently uploaded

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 

Recently uploaded (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 

Eplc security approach_practices_guide

  • 1. DEPARTMENT OF HEALTH AND HUMAN SERVICES ENTERPRISE PERFORMANCE LIFE CYCLE FRAMEWORK <OPDIV Logo> PRACTIICES GUIIDE PRACT CES GU DE PROJECT MANAGEMENT PLAN - SECURITY APPROACH Issue Date: 7/7/2008 Revision Date: <mm/dd/yyyy> Document Purpose This Practices Guides is a brief document that provides an overview describing the best practices, activities, attributes, and related templates, tools, information, and key terminology project managers need to be aware of as they implement the integrated security activities within the Enterprise Performance Lifecycle (EPLC) and address the specific approach to fulfilling the requirements of security within their projects. The document does not attempt to revisit the recommended approach to developing a system security plan or how to integrate security within a System Development program as these are documented in detail elsewhere. Instead, the document tries to outline where and how design decisions can simplify design and documentation requirements. Background The implementation of the EPLC Framework represents the recognition that security must be a continuous process addressing risks, vulnerabilities, and security controls, through regular reviews throughout all stages of a system’s life cycle. Through this framework, information security is conducted in a manner that reduces risk to the information entrusted to HHS, and enables business activities through effective management of residual risks to information confidentiality, integrity, and availability. For federal security practitioners, compliance with the Federal Information Security Management Act (FISMA) has been the driving force. The culmination of the FISMA process is a system security plan that • Documents the people, processes, and IT resources implemented to protect a defined IT system; • Allows business and security owners to certify that the system is adequately protected according to federal standards, and • Formally accredits the system as authorized to process and store information, and • Lays the groundwork for change management, self-assessment, vulnerability testing and other processes that ensure no new security risks are introduced into the system without approval of appropriate authority. A number of federal laws and directives require integrating security into the development lifecycle of a system, including FISMA and Office of Management and Budget (OMB) Circular A-130, Appendix III. The National Institute of Standards and Technology (NIST) has extensive information on integrating security within the development lifecycle. Project managers should review chapter three of NIST Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers and for more detail review NIST SP 800-64, Security Considerations in the System Development Life Cycle, Revision 2. While the HHS EPLC establishes a more granular set of phases, these align closely with NIST documentation as shown in Table 1. Table 1: Comparing the NIST Development Phases to HHS EPLC NIST SDLC Implementation Operations Initiation Acquisition Development Disposition Phases Assessment Maintenance Implementation Operations and Requirements Development Maintenance Disposition Planning Initiation Analysis Concept Design Test HHS EPLC Phases <OPDIV> Project Management Plan - Security Approach (v1.0) Page 1 of 5 This document is 508 Compliant [Insert additional appropriate disclaimer(s)]
  • 2. HHS EPLC Practices Guide - <OPDIV> Project Management Plan - Security Approach (v0.3) <MM/DD/YYYY> Practice Overview One of the primary goals of the EPLC is to ensure that security considerations are planned for early and handled consistently in the project lifecycle. The primary goal of the Security Approach is to document a plan that coordinates the other project stakeholders toward this end while clearly defining how the intended services within a project will be secured with the best outcome for the requirements of the business. To do this the security approach must highlight the owners and activities that connect the business goals of the system to the implemented security controls to ensure those goals are delivered securely. While the security approach for a program is linked to the System Security Plan (SSP), and much of the planning and documentation can likely be re-used in the SSP, it is a distinct process. The primary security document for a federal system is the SSP which is analyzed, updated, and accepted during the Certification and Accreditation (C&A) process. The SSP documents the system name, system categorization, system owner, Authorizing Official and contacts, information system type, system environment and interconnections, system description and purpose, applicable laws and regulations, selected security controls, completion and approval dates, and a plan for on-going maintenance. Details of the SSP and C&A development processes are well documented elsewhere within the EPLC and NIST. However, establishing how and where to draw system boundaries can be the most critical and difficult part of securing a system. The FIPS 199 requirement to secure an information system to the high watermark or highest impact level must be applied when grouping minor applications/subsystems with varying FIPS 199 impact levels into a single general support system or major application unless there is adequate boundary protection. Establish the Security Team The security team is a critical resource for IT system security. The security team consists of the Business Owner, System Owner, System Security Manager, User Representatives, the Designated Approving Authority (DAA), Certify Authority and other key participants who are involved in the C&A process. The EPLC C&A Practices Guide provides details on the Department’s process, including identifying others on the C&A team. Document the Security Roles and Responsibilities – Clearly identifying the personnel on the security team with important security roles for the different phases of the EPLC will assure that the security requirements are properly addressed. Program Managers leverage the configuration or change management activities to ensure that all the security the security requirements are identified with a responsible security manager. Developing the Security Approach The process of developing the security approach is primarily concerned with the actions necessary to define, integrate, and coordinate all subsidiary planning documents into a single PMP. The security approach is usually drafted by the Project Manager in collaboration with the security team. Like a good project management plan, the security approach does not need to be complicated or lengthy, so long as it covers the entire system and guides the later phases on how to collaborate with different team members and facilitate the business goals for the system. A fairly contained system or an update to an established system may not require an in-depth security approach as the difficult tasks of categorizing the system, characterizing the system, and defining the system boundary has already been done. Categorizing the System – Before the security approach can be developed, the information system and the information resident within that system must be categorized based on a FIPS 199 impact analysis. Each system identified in the agency's system inventory must be categorized using FIPS 199. NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, provides implementation guidance in completing this activity. See Table 2 for a summary of FIPS 199 categories. <OPDIV> Project Management Plan - Security Approach (v1.0) Page 2 of 5 This document is 508 Compliant [Insert additional appropriate disclaimer(s)]
  • 3. HHS EPLC Practices Guide - <OPDIV> Project Management Plan - Security Approach (v0.3) <MM/DD/YYYY> Table 2: FIPS 199 Categorization POTENTIAL IMPACT Security Objective LOW MODERATE HIGH Confidentiality The unauthorized The unauthorized The unauthorized Preserving authorized disclosure of information disclosure of information disclosure of information restrictions on could be expected to have could be expected to have could be expected to have information access and a limited adverse effect a serious adverse effect a severe or catastrophic disclosure, including on organizational on organizational adverse effect on means for protecting operations, organizational operations, organizational organizational operations, personal privacy and assets, or individuals. assets, or individuals. organizational assets, or proprietary information. individuals. [44 U.S.C., SEC. 3542] Integrity The unauthorized The unauthorized The unauthorized Guarding against modification or modification or modification or destruction improper information destruction of destruction of of information could be modification or information could be information could be expected to have a severe destruction, and includes expected to have a expected to have a or catastrophic adverse ensuring information limited adverse effect on serious adverse effect on effect on organizational non-repudiation and organizational operations, organizational operations, operations, organizational authenticity. organizational assets, or organizational assets, or assets, or individuals. [44 U.S.C., SEC. 3542] individuals. individuals. Availability The disruption of access The disruption of access The disruption of access to Ensuring timely and to or use of information to or use of information or use of information or an reliable access to and use or an information system or an information system information system could of information. could be expected to have could be expected to have be expected to have a [44 U.S.C., SEC. 3542] a limited adverse effect a serious adverse effect severe or catastrophic on organizational on organizational adverse effect on operations, organizational operations, organizational organizational operations, assets, or individuals. assets, or individuals. organizational assets, or individuals. Characterize the System – In compliance with OMB Circular A-130, the system in development should be characterized as part of a General Support System, Major Application, or Minor Application. All information systems labeled as a major application (MA) or general support system (GSS) must be covered by an SSP. Specific system security plans for minor applications are not required because the security controls for those applications should be provided by the GSS or MA in which they operate. Furthermore, changes to an existing system must be assessed for impact as major changes require the re-certification and accreditation of the system. Appropriately characterizing the system and/or the impact of any proposed changes will impact later phases not only by establishing the requirement for a new or updated SSP but also assists in defining the system boundaries and thus clarifying critical stakeholders. Establishing the System Boundaries – The next step in establishing the security approach is defining where the system boundaries lie and how the system interfaces with other systems. This requires an analysis of both technical system boundaries and organizational responsibilities. Because the overall categorization of a system is established by its FIPS 199 ‘high water mark’, the FIPS 199 impact levels must be considered when constructing the system boundaries. Constructing a preliminary notion of the physical and logical boundaries around a set of processes, communications, storage, and related resources identifies a system. The set of elements within these boundaries constitutes a single system. Each component of the system must: • Be under the same direct management control (i.e., one system owner even though the MA may cross several business lines) • Have the same general business function(s) or business objective(s) • Have essentially the same operating characteristics and security needs All components of a system do not need to be physically connected. Examples: • A disparate set of identical systems used to provide redundant Internet services • Geographically dispersed storage arrays used to provide operational and redundant mail stores • A system with multiple identical configurations that are installed in locations with the same environmental and physical safeguards. <OPDIV> Project Management Plan - Security Approach (v1.0) Page 3 of 5 This document is 508 Compliant [Insert additional appropriate disclaimer(s)]
  • 4. HHS EPLC Practices Guide - <OPDIV> Project Management Plan - Security Approach (v0.3) <MM/DD/YYYY> Most critically, it is certainly appropriate to reference an underlying GSS as providing a number of security requirements (e.g. authentication), or even define multiple systems within the same development program. In defining the various system boundaries, the Program Manager must work with the security team so that their approach ensures that meeting business requirements, system accreditation, as well as continuous monitoring and re-accreditation are cost effective and manageable. Identify Programmatic Activities that Support Security A number of activities support the security goals, but are not directly involved with the implementation of technical security controls. Document how these activities are being leverage in support of the security approach. Possible activities include IT security funding requests in capital planning and investment control activities, developer and staff training, risk, change and configuration management activities, and documentation development. Best Practices • Prepare for later stages – While the majority of security deliverables are completed in the Implementation phase, Program Managers can leverage increased return on investment in their security programs by using these deliverable targets to guide the earlier stages of a system, such as: • Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation; • Awareness of potential engineering challenges caused by mandatory security controls; • Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques; • Facilitating informed executive decision making through comprehensive risk management in a timely manner; • Coordinate with stakeholders – Developers, business owners, and security partners all have insight into the goals and challenges likely to encounter when developing, integrating, and implementing system security. Including these individuals in the development of the security approach will facilitate the later phases. • Review and Modify – A number of assumptions will be required in the earliest documentation of the security approach. • Integrate with related activities – Outputs of the security approach activities will need to be integrated into other Program Management and EPLC activities, e.g.: o Security Requirements will need to be fed into the Requirements Analysis phase as well as the Configuration Management activities; o Conflicts and risk will need to be managed within the Risk Management or Issues Management activities; o System Boundaries estimates may affect Scope Management activities; and o Security Stakeholders need to be included within the Communications Management activities. o Individuals with key security responsibilities need to be identified, and ensuring they complete Mandatory Role-Based Training (RBT) must be considered when planning training requirements Practice Activities Activities within the security approach should help establishes the number and scope of system security plans and C&A documents required to effectively secure and document the output of the project. • Coordinate system purpose, business needs and requirements, and security requirements • Document the intended Security Approach • Document the Security Critical Partners, Designated Approving Authority, and Certification Authority for each C&A package likely to be developed • Establish preliminary System Security Categorization according to NIST SP 800-60 and FIPS-199 o Identify information sensitivity o Select provisional impact level o Review provisional impact levels and adjust/finalize information impact o Assign system security category • Establish system and sub-system boundaries o Identify data sharing and external system interconnections <OPDIV> Project Management Plan - Security Approach (v1.0) Page 4 of 5 This document is 508 Compliant [Insert additional appropriate disclaimer(s)]
  • 5. HHS EPLC Practices Guide - <OPDIV> Project Management Plan - Security Approach (v0.3) <MM/DD/YYYY> o Identify any interconnections with a GSS. o Define boundaries for any sub-system to be developed • Document any required security controls from NIST SP 800-53 known to be provided by an underlying GSS or MA. • Document critical stakeholders for supporting GSS or MA and include these individuals in the security approach development as appropriate. • Document and map any required security controls from NIST SP 800-53 known to be provided by the system in development, a sub-system in development. • Document any remaining security controls that cannot be mapped to the system or sub-systems in development, or an underlying GSS or MA. • Document development teams responsible for design and implementation of new security controls. • Document development teams responsible for integration with GSS, MA, minor applications, or other interconnected systems. Practice Related Information NIST FIPS Publications All NIST Federal Information Processing Standards (FIPS) publications are available at the following site: http://csrc.nist.gov/publications/PubsFIPS.html. • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems NIST Special Publications All NIST Special Publications (SP) are available at http://csrc.nist.gov/publications/PubsSPs.html. • NIST SP 800-64, Security Considerations in the System Development Life Cycle, Revision 2 • NIST SP 800-60, Draft Guide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes), Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories Volume 2: Appendices • NIST SP 800-53 Rev. 2, Recommended Security Controls for Federal Information Systems • NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems • NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems • NIST SP 800-30, Risk Management Guide for Information Technology Systems • NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems • NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems Practice Key Terms CA – Certification Agent DAA – Designated Approving Authority GSS – General Support System ISSO – Information System Security Officer MA – Major Application SP – Special Publication SSP – System Security Plan <OPDIV> Project Management Plan - Security Approach (v1.0) Page 5 of 5 This document is 508 Compliant [Insert additional appropriate disclaimer(s)]