|
The Value of =
Documentation: A=20
Useful System Security Plan Template
Falan =
Memmott
April=20
21, 2001
Introduction
This paper is intended for those =
who may be new=20
to the information security arena and who have been tasked short =
order=20
with assembling a system security plan for a civilian agency =
Security=20
Certification and Accreditation Package. A Security Certification =
and=20
Accreditation Package requires several documents and is not =
limited to but=20
may include these: Risk Assessment, Risk Mitigation Plan, System =
Security=20
Plan, Certification Test Plan, Certification Test =
Report.
I used NIST Special Publication =
800-18 as a=20
guide for this paper about the value of system documentation and =
systems=20
security plans. I have chosen to provide additional insight to the =
guide,=20
and have built a template as a practical extension of the =
materials=20
contained in 800-18. The basic purpose of this paper is to address =
the=20
value of system documentation and it provides a System Security =
Plan (SSP)=20
template that can be put to immediate use in the field. =
Why Documentation?
One aspect of successfully managing =
an IT=20
system is actively protecting it. In order to actively protect a =
system,=20
you have to know what it is, what it does, what its weaknesses =
are, what=20
potential threats to it exist, and what has or is being done to =
mitigate=20
the risks to your data and system (DOJ).
Organizations that choose to =
passively protect=20
their systems can lose vital institutional knowledge when =
something as=20
simple as one mere employee is injured, retires, or follows a =
better=20
opportunity. Yet how much more they lose when an employee =
willfully=20
destroys data on their way out the door, or when an intruder =
alters access=20
logs and creates hidden accounts. These examples illustrate what =
can come=20
from what is essentially system negligence. Yet, all of these =
attacks on a=20
system’s availability, integrity, and confidentiality could =
have been=20
addressed in a preventative manner through the results that come =
from=20
having gone through the process of completing thorough system=20
documentation.
Are systems really neglected? Funny =
you should=20
ask. One of the most common but tragic efforts I have seen for =
attempting=20
to get out of doing system documentation is the almost existential =
notion=20
that, "if my data isn’t sensitive, then it doesn’t =
need protection,=20
right?" Of course, people often take it a step further, and those =
in the=20
Federal sector who do so may suddenly find themselves defending =
their=20
existence to their Inspector General. Why people don’t =
consider the=20
consequences of stating that their system has no data of value on =
it=20
puzzles information assurance professionals to this day. The =
important=20
point here is not to do it--or you may find yourself trying to =
prove that=20
your organizational role is valid and that you really do need your =
IT=20
budget. Do people really do this? Ask around. You’ll be=20
surprised.
OK. So, what does every manager =
really want? To=20
be recognized, promoted, or build an empire of course. How can a =
manager=20
arrive at these goals if they don’t have the tools they need =
to make=20
effective decisions? There is no legitimate means. This is because =
effective decisions cannot be made if what a system is, and what =
it does,=20
etc, is not known.
Commonly, managers "have not =
instituted=20
procedures for ensuring that risks are fully understood and that =
controls=20
implemented to mitigate risks are effective" (GAO). Therefore, =
protection=20
should be determined by evaluating the sensitivity and criticality =
of the=20
information processed, the relationship of the system to the=20
organization’s mission, and the economic value of the =
system’s components,=20
among other factors.
At this point some may try to =
dismiss=20
documenting system security since risk must be accepted as a part =
of doing=20
business. While it is true that a decision must be made to proceed =
with=20
risk acceptance or risk mitigation, all systems deserve =
risk-effective=20
decisions to be made, and this can only be accomplished by having =
key=20
information about the system available to the decision maker. =
Another hazard of managers not =
clearly=20
understanding their systems is that they will rely on =
technologists for=20
advice. Being a technologist myself, I can admit that sometimes it =
is=20
easier to take technology in search of a mission and to let =
technology=20
dictate a system’s requirements, rather than to build in =
security from the=20
beginning. Besides, who has time for documentation when you get =
new "toys"=20
to work with and "work" is sending you subliminal messages to =
leave that=20
boring paperwork stuff alone.
Fortunately, times are changing =
with the advent=20
of serious e-commerce, but it is still a rare thing for =
technologists in=20
general to be rewarded for properly applying security to their =
systems.=20
After all, we’re rewarded for how transparently everything =
operates, how=20
fast processors can churn, and for how quick we can get that next =
software=20
release out, not for bogging the system down by adding encryption =
etc., or=20
for filling out forms on the status of your systems. For all of =
these=20
reasons, it is clear that efforts should be made to thoroughly =
document a=20
system’s security.
Since security is historically, =
outside of the=20
Department of Defense and financial industries, an afterthought, =
it is not=20
uncommon that security requirements will come down through =
administrative=20
channels in such a surprising fashion that all to often they leave =
bewildered information technologists or project managers wondering =
what to=20
do.
So What Is A System Security Plan=20
Anyway?
Best practices dictate that one of =
the best=20
ways to document the protection afforded the system by managerial, =
operational, technical, and other means is by creating a system =
security=20
plan. This is because a well-done SSP provides a concise location =
(OMB) of=20
documented system requirements that can be readily utilized from =
the=20
initial phases of a system’s development through its =
disposal.
SSPs are of particular value =
because they=20
address so many security-related facets of a system. In short, the =
material in an SSP will help in protecting the confidentiality, =
integrity,=20
and availability of the system it is for because it documents the =
system’s=20
basic security requirements, the controls in place, planned =
controls, the=20
responsibilities of system users, and expected user behavior =
(Swanson, 2).=20
These five areas are key areas to document.
Documenting the five areas above =
provides a=20
very useful concentration of security information—one that =
can be used=20
throughout any systems development life cycle phase. The security=20
requirements show developers, managers, and auditors alike, what =
the=20
system should be allowed to do or not do. Documenting the controls =
in=20
place, or the planned controls in instances of system development =
or=20
remediation, identifies specifics about a system’s security. =
Putting the=20
responsibilities of system users in writing is vital since you can =
create=20
a user policy / announcement that users have to sign that they =
have read=20
them. By using this method as an opportunity to inform users about =
their=20
security responsibilities, you can also increase their awareness =
of=20
information security, as well as provide your organization =
recourse for=20
user misbehavior.
Security Plan Template =
Overview
I have created APPENDIX A below as =
a guide to=20
drafting a system security plan for new or existing general =
support=20
systems. As you may be aware, NIST classifies systems as either =
"systems,"=20
"major applications" or "general support systems." Only major =
applications=20
and general support systems are required to have system security =
plans=20
because generic systems are likely to be included under the =
umbrella of=20
one of the former.
When looking for detailed =
solutions, the NIST=20
Special Publication 800-18 does an excellent job of describing a =
framework=20
for a system security plan and should be referenced http://cs=
rc.nist.gov/publications/nistpubs/index.html/=20
(NIST).
I have chosen to use an adapted=20
fill-in-the-blank approach in order to simplify the process of =
adequately=20
documenting a system via a SSP for the anxious information =
technologist or=20
project manager; however, I believe that information assurance=20
professionals will also find this document a ready and adaptable =
resource.=20
To get the most from the adapted=20
fill-in-the-blank approach, I recommend attempting to first view =
each=20
"blank" as though it were an inquiry.
For example, under Integrity =
Controls I have=20
stated:
The procedures for updating =
anti-virus=20
signature files are:
Procedure X
Procedure Y
Procedure Z
Try asking yourself, "What are our =
procedures=20
for updating anti-virus signature files?" Then, as you pause and =
answers=20
come flooding to your mind, simply replace ‘Procedure =
X’ with the first=20
step of what you or your organization actually does. I have used=20
variations of X, Y, and Z throughout to this template in order to=20
illustrate that more than one response may be =
necessary.
If answers didn’t come =
flooding to your mind,=20
don’t fret. You will find it best to answer each area with =
existing=20
policy. If you’re lucky, your security officer or security =
program manager=20
has recently updated and published an enterprise information =
security=20
handbook filled with the best security policies written in lay =
terms. If=20
you’re not so fortunate, you may have to root around in =
dusty employee=20
handbooks and surf on your static intranet links until you find at =
least=20
some applicable existing policy. Using existing policy simplifies =
and=20
hastens coordination issues and ruffles the fewest organizational=20
feathers.
The next best way to answer each =
blank is with=20
the existing typical organizational or managerial response. If =
your=20
typical way of handling things is a functional and accepted =
method, then=20
you have it easy. Just put it in writing. "But wait," you may be =
thinking,=20
"you want me to document that our friendly termination procedures =
involve=20
surprise drop offs of empty boxes to the cubes of employees that =
are to be=20
let go by mid-day?" If that’s case, I’d hate to see =
your unfriendly=20
termination procedures, but you’ll have to make that =
decision. Just=20
remember, others will review this document, so you may wish to =
quickly=20
revisit your poor public relations campaign and upgrade your =
procedures to=20
something more palatable before the truth gets out.
Now what if you come across a blank =
that you’ve=20
never dealt with? Simple. Invent a response that you feel a =
reasonable and=20
prudent person would accept, and see where it gets you. The real =
key to=20
any response is that it is enforceable. The best enforceable =
responses are=20
those that are documented and known, and thus the cycle of =
committing all=20
things to paper and spreading the word of the value of current =
system=20
documentation continues.
Allow your trusted peers to review =
your initial=20
security plan and ask them for insights. After incorporating their =
useful=20
responses, you will probably be asked to submit your security plan =
to your=20
organization’s information assurance office. You may find it =
in your best=20
interest to create a cover letter for all of those who support =
your=20
efforts to sign off on.
Be committed to your answers, and =
know that=20
when your document is reviewed, it is not you undergoing a =
personal=20
confrontation. Rather, the review process is a useful method of =
weeding=20
out unnecessary information, examining deficiencies, and shaping =
your=20
system security plan into the tool it is meant to be.
Because organizations may have a =
preferred=20
format (NIH), I have purposely left this SSP template unnumbered =
in order=20
to easily accommodate adaptations.
You will likely want to create a =
cover sheet=20
for your document and include on it the "Name of your =
Organization," the=20
acknowledgement "Sensitive Information," an "Organizational Logo," =
the=20
title "System Security Plan for System Name / Identification =
Number," the=20
current "Date" for versioning purposes, and the statement =
"Prepared by,"=20
to identify who to contact for clarification and to give yourself =
some=20
credit. Note: The date and the acknowledgement of it containing =
sensitive=20
information should be on every page.
As you go about gathering =
information, avoid=20
generic statements, because they do not provide you with thorough=20
documentation. Also, set specific "shall" dates for things not yet =
accomplished. For example, "The procedures for updating anti-virus =
signature files shall be listed here by August 31, 2001." Setting =
specific=20
dates and avoiding the use of generic "all month" dates will let =
you know=20
where you stand and keep your deliverable schedule on =
track.
On a parting note, remember, a SSP =
is a dynamic=20
document reflecting the current security posture of the IT system. =
Therefore, as further security related information is acquired and =
as=20
system developments occur, updates to the SPP subject areas should =
be=20
made.
Works Cited:
Swanson, Marianne. "Special =
Publication=20
800-18." NIST Computer Security Resource Center (CSRC). December=20
1998.
URL: http://cs=
rc.nist.gov/publications/nistpubs/index.html/
OMB. "Management of Federal =
Information=20
Resources." Circular No. A-130. November 2000.
URL: http://www.whitehouse.gov/omb/circulars/a130/a130appendix_iii.html=
=20
GAO. "Information Security: Serious =
Weaknesses=20
Place Critical Federal Operations and Assets at Risk." GAO / =
AIMD-98-92.=20
September 1998.
URL: http://www.access.gpo.gov/cgi-bin/getdoc.cgi?dbname==
gao&docid=f:ai98092.txt
NIH. "Application / System Security =
Plan=20
Template." NIH. May 1999.
URL: http://irm.cit.=
nih.gov/security/secplantemp.html
DOJ. "Systems Development Life =
Cycle Guidance=20
Document." DOJ / IRM / Appendix C-9. March 2000.
URL: http://www.usd=
oj.gov/jmd/irm/lifecycle/apdxc9.htm
APPENDIX A – USEFUL SYSTEM =
SECURITY PLAN=20
TEMPLATE
COVER SHEET
The Cover Sheet should =
contain:
Name of your =
Organization
Sensitive=20
Information Acknowledgement (on each page)
Organizational=20
Logo
System Security Plan for System Name / Identification=20
Number
Date (on each page)
Prepared by
EXECUTIVE SUMMARY
The Executive Summary should=20
contain:
Introduction
System =
Purpose
High-level=20
System Overview
Brief References to Applicable Laws / =
Regulations=20
TABLE OF CONTENTS
EXECUTIVE SUMMARY
SYSTEM IDENTIFICATION
System =
Title
System=20
Identification Number
Responsible Organization
Information=20
Contacts
System Owners
System Administrators
System=20
Maintenance
Assignment of Security Responsibility
System =
Operational=20
Status
General Description / Purpose
System =
Environment
System=20
Interconnection / Information Sharing
Sensitivity of =
Information=20
Handled
Applicable Laws or Regulations Affecting the =
System
General=20
Descriptions of Information Sensitivity
MANAGEMENT CONTROLS
Risk =
Assessment and=20
Management
Review of Security Controls
Rules of =
Behavior
Planning=20
for Security in the Life-Cycle
Accreditation / Authorize=20
Processing
OPERATIONAL CONTROLS
Personnel=20
Controls
Physical and Environmental Protection
Production / =
Input=20
Output Controls
Continuity of Operations Plan
Hardware and =
System=20
Software Maintenance Controls
Integrity=20
Controls
Documentation
Security Training, Education, and=20
Awareness
Incident Response Capability
TECHNICAL=20
CONTROLS
Authentication
Identification
Logical Access=20
Controls
Audit Trails
SYSTEM IDENTIFICATION
System Title / System Alias=20
(Acronym)
System X (X)
System Identification =
Number
Agency/Corporate =
Acronym-Organization=20
Acronym-GS-System Alias-Number-Year
Responsible =
Organization
Agency/Corporate =
Name
Organization=20
Name
Address
Phone
Information Contacts:
System Owner(s)
Person =
X
Title
Agency/Corporate=20
Name
Organization Name
Address
Phone =
Email
System =
Administrator(s)
Person =
Y1
Title
Agency/Corporate=20
Name
Organization Name
Address
Phone
Email
Person=20
Y2
Title
Agency/Corporate Name
Organization=20
Name
Address
Phone
Email
System Maintenance
Person =
Y3
Title
Agency/Corporate=20
Name
Organization Name
Address
Phone =
Email
Assignment of Security=20
Responsibility
Person =
Z
Title
Agency/Corporate=20
Name
Organization Name
Address
Phone =
Email
System Operational =
Status
The following chart depicts the =
system(s)=20
covered by this SSP and their operational status:
|
System =
Name |
Under=20
Development |
Undergoing a =
Major=20
Modification |
Operational |
| System=20
X |
– |
Yes |
– |
|
|
|
|
General System Description /=20
Purpose
This system is a General Support=20
System.
The purpose of this system is =
to…
The process flow of the system is =
as=20
follows:
1.
2.
3.
4.
5.
6.
The following chart depicts =
internal and=20
external user organizations and the types of data and processing =
they=20
utilize:
|
Organization =
Name |
Internal |
External |
Types of Data=20
Processing |
| Organization Y |
Yes |
– |
Data =
Y |
|
|
|
|
|
|
|
|
|
|
Technical System =
Environment
The system is =
located…
The system is connected =
to…
The system’s platform =
is…
The system’s principle =
components=20
are…
The system uses…
The security software protecting =
the system=20
is…
System Interconnection / =
Information=20
Sharing
The following chart depicts =
interconnected=20
systems, their unique identifiers, whether they have their own =
SSP, and if=20
an MOU has been obtained:
|
Interconnected =
Systems |
System=20
Identifiers |
SSP |
MOU |
| System=20
Z |
ZZZ-YYYY-GS-X-01-2001 |
Yes |
– |
|
|
|
|
|
|
|
|
|
|
Sensitivity of Information=20
Handled
Applicable Laws or Regulations =
Affecting the=20
System
General Descriptions of Information =
Sensitivity
The following chart depicts the =
criticality of=20
the system based on its basic protection requirements:
|
Protection =
Requirements=20
|
Low |
Medium |
High |
| Availability |
– |
– |
Yes |
|
Integrity |
– |
Yes |
– |
|
Confidentiality |
– |
Yes |
– |
MANAGEMENT CONTROLS
Risk Assessment and =
Management
The Risk Assessment methodology =
used on the=20
system was / will…
The latest Risk Assessment =
performed on the=20
system was completed on XXXXX YY, 2001.
The next Risk Assessment will =
performed on the=20
system no later than XXXXX YY, 2004.
Review of Security =
Controls
The latest independent security =
review of the=20
system was completed on XXXX YY, 2001.
X performed the security review for =
the purpose=20
of Y.
The findings of the independent =
security review=20
show…
As a result of these findings, the =
following=20
actions have been / will be taken:
Action X
Action Y
Action =
Z
Rules of Behavior
As the Rules of Behavior will vary =
greatly=20
between systems let alone organizations, see NIST Special =
Publication=20
800-18 for guidance on satisfying this section.
Planning for Security in the Life=20
Cycle
The system is in the X phase of the =
Life=20
Cycle.
As a system’s life cycle will =
vary greatly=20
between organizations, see NIST Special Publication 800-18 for =
guidance on=20
satisfying this section.
Accreditation / Authorize=20
Processing
This chart depicts when and who has =
requested=20
to operate the system and when and who has given their approval =
for system=20
operation:
|
Manager Name=20
|
Manager=20
Title |
Request to=20
Operate |
Authorization =
to=20
Operate |
| X |
X1 |
XXXXX XX, =
XXXX |
|
|
Y |
Y2 |
|
XXXXX =
XX,
XXXX |
OPERATIONAL CONTROLS
Personnel Controls
The following position(s) have =
undergone a=20
position sensitivity analysis, and are rated as having High, =
Moderate, or=20
Low sensitivity:
X Position = High sensitivity =
Y Position ==20
Moderate sensitivity
The following position(s) have not =
yet=20
undergone a position sensitivity analysis:
Z Position = Sensitivity=20
undetermined
The following individuals(s) have =
undergone=20
background screening appropriate to their position:
Person X
Person Y
The following individuals(s) have =
not yet=20
undergone background screening appropriate to their position, but =
shall by=20
the date(s) listed below:
Person Z – April, 13 200? =
(Date in the near=20
future)
Using the principle of least =
privilege, user=20
access has been limited to the minimum necessary for the following =
positions:
X Position
Y Position =
The critical function(s) that have =
been divided=20
among different positions are:
X Position = Ability to X
Y1 =
Position ==20
Ability to Y1
Y2 Position = Ability to Y2
The critical function(s) that have =
not yet been=20
divided among different positions, but shall be by the date(s) =
listed=20
below are:
Z Position = Ability to Z1, Z2, =
Z3 – Date in=20
the near future
User accounts for this system are =
requested=20
by…
User accounts for this system are =
established=20
by…
User accounts for this system are =
issued=20
by…
User accounts for this system are =
closed=20
by…
The mechanisms in place for holding =
users=20
responsible for their actions are:
Mechanism X
Mechanism =
Y
Mechanism=20
Z
The procedures for friendly =
terminations=20
are:
Step X
Step Y
Step =
Z
The procedures for unfriendly =
terminations=20
are:
Step X
Step Y
Step =
Z
Physical and Environmental=20
Protection
Entry and exit of personnel from =
areas=20
containing system hardware, supporting systems, and backup media =
is=20
restricted by:
Restriction X
Restriction =
Y
Entry and exit of personnel from =
areas=20
containing system hardware, supporting systems, and backup media =
is=20
restricted by:
Restriction Z
The working fire suppression =
equipment stored=20
near critical systems is accessible by:
Action X, Location X
Action Y, =
Locations Y,=20
Z
Action Z, Location Z
In case of electrical power failure =
systems and=20
personnel are protected by:
Option X
Option Y
In case of heating / =
air-conditioning failure=20
systems and personnel are protected by:
Option X
Option Y
In case of potable water failure =
personnel are=20
protected by:
Option X
Option Y
In case of sewage failure personnel =
are=20
protected by:
Option X
Option Y
In case of structural collapse, the =
systems are=20
protected by:
Option X
Option Y
In case of structural collapse, the =
systems are=20
protected by:
Option X
Option Y
The only plumbing lines that may =
endanger the=20
system are located at:
Location X
In case of plumbing leaks, the =
systems are=20
protected by:
Option X
Option Y
The greatest risk of the potential =
interception=20
of system data comes from Risk X, and has been addressed by =
Safeguards X=20
and Y.
Mobile and portable systems are =
accounted for=20
by:
Method Z
In case of loss or damage, mobile =
and portable=20
systems and the data they contain are protected by:
Method X
Method Y
Production / Input and Output=20
Controls
The group (help desk) designated to =
offer=20
advice and support users is Group X, which can be contacted by the =
following methods:
Method X
Method Y
The procedures for ensuring =
unauthorized=20
individuals cannot read, copy, alter, or steal printed information =
are:
Step X
Step Y
The procedures for ensuring =
unauthorized=20
individuals cannot read, copy, alter, or steal electronic =
information=20
are:
Step X
Step Y
The procedures for ensuring the =
restricted=20
access of sensitive system outputs are:
Step X
Step Y
The procedures for ensuring only =
authorized=20
individuals can pick up, receive, or deliver input and output =
information=20
and media are:
Step X
Step Y
Step =
Z
The procedures for controlling the =
secure=20
transport of system media or output are:
Step X
Step Y
The procedures for controlling the =
secure=20
mailing of system media or output are:
Step X
Step Y
Sensitivity labeling is =
accomplished=20
by:
Method X
The following sensitivity / =
handling label(s)=20
are used frequently:
Label X
Label Y
Label =
Z
Inventory management is =
accomplished=20
by:
Method X
Method Y
Media storage protection is =
accomplished=20
by:
Method X in Location X
Method Y =
in all other=20
locations
The procedures for sanitizing =
electronic media=20
for reuse are:
Step X
Step Y
The procedures for destroying =
unusable=20
electronic media are:
Step X
Step Y
The procedures for shredding or =
otherwise=20
destroying sensitive hardcopy are:
Step X
Step Y
Continuity of Operations Plan=20
(COOP)
The COOP to allow the continuance =
of=20
mission-critical functions for this system in case of a =
catastrophic event=20
involves the following steps:
Step X
Step X1
Step Y
Step =
Y1
Step=20
Y2
Step Z
Step Z1
The full COOP is accessible via the =
following=20
personnel / methods:
Person X
Person Y
Person =
Z
Method=20
X
Method Y
The COOP for this system has been =
tested=20
by:
Method X
Method Y
Method =
Z
The COOP for this system was last=20
tested:
Date X
The COOP for this system will next =
be=20
tested:
Date Y
The COOP(s) to allow the for all =
supporting IT=20
systems and networks are accessible via the following personnel /=20
methods:
Person X
Person Y
Method =
X
Method=20
Y
Formal written emergency operating =
procedures=20
are posted at:
Location X
Location Y
The personnel knowledgeable of and =
trained in=20
the COOP for this system, and their responsibilities =
are:
Person X, Responsibility =
X
Person Y,=20
Responsibility Y
Person Z, Responsibility Y
The written COOP agreements for =
backup=20
processing are with the following points-of-contact and their =
respective=20
organizations:
Agreement X, Person X and Contact =
Information,=20
Organization X
Agreement X, Person Y and Contact Information,=20
Organization X
Agreement Y, Person Z and Contact Information,=20
Organization Y
The procedures and frequency of =
local backups=20
for this system are:
Step X, Daily, Incremental =
Backup
Step Y,=20
Monthly, Full Backup
Generational backups are securely =
stored in the=20
following locations:
Incremental Backups for this fiscal =
year,=20
On-site Location X
Differential Backups for this fiscal year, =
On-site=20
Location Y
Full Backups for the last five years, Off-site =
Location=20
Z
The content of each backup is as=20
follows:
Incremental Backups =
contain…data=20
types.
Differential Backups contain…data types.
Full =
Backups=20
contain…data types.
Hardware and System Software =
Maintenance=20
Controls
The normal restrictions on those =
who perform=20
maintenance and repair activities are:
Restriction X
Restriction =
Y
The special procedures to allow for =
emergency=20
maintenance and repair activities are:
Procedure X
Procedure =
Y
The procedures used for items =
serviced through=20
off-site maintenance and repairs are:
Procedure X
Procedure =
Y
The procedures used for maintenance =
and repairs=20
via remote maintenance services are:
Procedure X
Procedure =
Y
The configuration management =
procedures used=20
for system / software version control are:
Procedure X
Procedure =
Y
The configuration management =
procedures used=20
for testing system / software components prior to operation=20
are:
Procedure X
Procedure =
Y
The configuration management =
procedures used to=20
ensure continuity of operations plans and other associated data=20
are:
Procedure X
Procedure =
Y
The configuration management =
procedures control=20
the usage of test data are:
Procedure X
Procedure =
Y
The configuration management =
procedures control=20
the usage of live data are:
Procedure X
Procedure =
Y
The organizational policies against =
the illegal=20
use of copyrighted software are…
Integrity Controls
The procedures for updating =
anti-virus=20
signature files are:
Procedure X
Procedure =
Y
Procedure=20
Z
The password crackers / checkers =
used to test=20
password strength are:
Software X
Software Y
The integrity verification programs =
used to=20
look for data tampering, errors, etc are:
Software X
Software Y
The intrusion detection tools used =
to identify=20
attacks and do trend analysis are:
Software X
Software Y
The system performance monitoring =
tools used to=20
analyze system performance are:
Software X
Software Y
The procedures used for system =
penetration=20
tests are:
Procedure X
Procedure =
Y
The message authentication and =
non-repudiation=20
feature of the system is:
Feature X
Documentation
The following chart depicts the =
types, POCs,=20
and locations of system documentation:
|
Documentation =
Type=20
|
Vendor |
POC |
Location |
| Documentation X |
X |
Z |
Z |
|
COOP |
None |
Z |
Z |
|
– |
– |
– |
– |
Security Training, Education, and=20
Awareness
The procedures for ensuring that =
employees and=20
contractor personnel have been provided system security training=20
are:
Procedure X
Procedure =
Y
System security training has been =
provided to=20
the following individuals(s):
Person X
Person Y
Person =
Z
The procedures for ensuring that =
employees and=20
contractor personnel are educated in how to recognize and report =
system=20
security incidents are:
Procedure X
Procedure =
Y
System security awareness has been =
promoted by=20
the use of the following methods:
Method X
Method Y
Method =
Z
The procedures for measuring the =
effectiveness=20
of system security awareness promotion methods are:
Procedure X
Procedure =
Y
Incident Response =
Capability
The procedures for reporting system =
security=20
incidents are:
Procedure X
Procedure =
Y
Procedure=20
Z
The person(s) who receive and =
respond to vendor=20
alerts / advisories are:
Person X
Person Y
The measures planned or in place to =
prevent=20
system security incidents are:
In Place Measure X
Planned =
Measure=20
Y
Planned Measure Z
TECHNICAL CONTROLS
Authentication
The authentication methods for the =
system=20
are:
Method X
Method Y
Method =
Z
Passwords for the system shall meet =
the=20
following requirements:
Requirement X
Requirement =
Y
Requirement=20
Z
Requirement Z1
Requirement Z2
The procedures for verifying that =
all default=20
authentication mechanism have been disabled or changed =
are:
Procedure X
Procedure =
Y
Identification
The identification methods for the =
system=20
are:
Method X
Method Y
Method =
Z
Logical Access =
Controls
The controls in place to authorize =
the=20
activities of users and system personnel are:
Control X
Control Y
Control =
Z
The controls in place to restrict =
the=20
activities of users and system personnel are:
Control X
Control Y
Control =
Z
The controls in place to detect =
unauthorized=20
activities of users and system personnel are:
Control X
Control Y
Control =
Z
Prior to login, the warning banner =
for this=20
system states:
Audit Trails
System audit trails record the =
following=20
events:
Auditable Event X
Auditable =
Event=20
Y
Auditable Event Z
The procedures for ensuring the =
confidentiality=20
of audit trail data are:
Procedure X
Procedure =
Y
Procedure=20
Z
System audit trail data is reviewed =
by Person X=20
every Z.
System audit trail data is reviewed =
by Person Y=20
every Z1. |
