Enterprise Security Management Practices ◾  51
© 2011 by Taylor & Francis Group, LLC
Information System Security Cycles
Before moving on to discussing the organization's roles and responsibilities, the ISSMP must understand the overall concept of establishing, testing, approving, and monitoring the information system's security, so the roles and responsibilities can be put into perspective.
Once again, in the publications and practice there are various methods, but basically all have the same components. The following is a generic approach to system certification and accreditation (C&A). See the accompanying graphic for a visual representation of the phases.
Initiation Phase: Basically all the actions described thus far in this chapter are done during this phase. These actions include identifying the organization's mission, goals, and objectives; describing the system components, boundaries, functions, and connections; determining and implementing the security controls that are necessary; and conducting an initial risk assessment. Then, identify the responsible individuals and document all of these findings in a security plan.
Verication Phase: A comprehensive assessment of the management, opera-
tional, and technical security controls in an information system in support
of system accreditation. is includes verifying that the controls identied
in the security plan are implemented correctly, operating as intended, and
producing the desired outcomes, and documenting the results in a formal
document, i.e., a Security Assessment Report.
Approval Phase: The actions taken to review the System Security Plan, Security Assessment Report, and Corrective Action Plan or Plan of Actions and Milestones (POA&M, see sidebar) are completed prior to a senior management official's approval of an information system for operation or for continued operation. This official is responsible for the information system's business function and supporting resources, is knowledgeable of the security status, including the security controls and risks, and is responsible for formally accepting the risk to the individuals and organization (including mission, assets, functions, image, and reputation).
Maintenance Phase: Taking actions to ensure that the authorized configuration, security controls, and level of risk are maintained. The actions will include an active configuration management program, ensuring that all updates are implemented, risk assessments are continuously conducted, senior management is kept up to date on all changes to the security status, contingency and incident response plans are exercised, personnel are trained, and security awareness is maintained.
[Graphic: the generic C&A phases as drawn on the page: Initiation, Verification, Approval, Maintenance, Disposal.]
52 ◾ Official (ISC)² Guide to the ISSMP® CBK®
Disposal Phase: This phase occurs when a determination is made that an information system is no longer required. Actions must be taken to ensure that the security of any residual information is protected and the permanent disruption of services is not a surprise to anyone. Information that must be retained for legal or regulatory purposes must be transported and archived in a secure location. In disposing of software, media, and hardware, steps must be taken to ensure that inappropriate reuse of licenses does not occur and that storage media are sanitized. Discontinuing services to other elements and interconnections must be thoroughly coordinated in advance and during the disconnecting process.
Other system security cycles are suggested in various publications. They have similar phases, but in fact they are also similar in the actions that must be conducted to ensure that the security for an information system is correctly implemented, maintained, and disassembled. Figure 1.10 provides several examples of these other cycles and how they relate to the one described above.
PLAN OF ACTION AND MILESTONES
Project management processes provide many tools that are useful to ISSMPs. One such tool is the Plan of Action and Milestones (POA&M). This is a spreadsheet used by the project manager, senior management, and financial personnel to track project actions. The POA&M normally has at least the following items in the columns:
Action to correct a weakness or to support a mission or business need
Priority of the Action relative to the other Actions in the POA&M
Point of Contact for the individual who is responsible for completing the Action
Resources Required to pay for the activities and material to complete the Action
Complete by Date for the Action
Milestones and Completion Dates for major activities to complete the Action
Source of Action, i.e., exercise report, audit, testing, and so forth
Status as of the date of the POA&M
The POA&M provides management with a list of prioritized actions that need to be accomplished and the status of each for planning and funding purposes. Also, the POA&M provides financial personnel and senior management with a prioritized list of actions that need to be funded to reduce the mission or business risks.
To further understand how the information system security cycles relate to the other cycles that have a heavy impact on the development, implementation, operations, and security of an information system, see Figure 1.11.
Of the many project management tools, POA&M is one that can be very important to an ISSMP, because this tool provides a living record of the priority actions for improving the security of an information system. The POA&M is also a document recognized by project managers, management, and financial personnel as a list of actions that need to be funded to reduce the mission or business risks. In fact, under the Federal Information Security Management Act (FISMA), the Office of Management and Budget (OMB) is responsible for overseeing the management of all government IT systems and related security. In support of this responsibility, on a quarterly basis, all organizations submit their list of IT system security deficiencies and plans to correct them to the OMB in the form of a POA&M. The OMB uses these POA&Ms to track the deficiencies and the funding for correcting them. The OMB can track the funds because it is responsible for reviewing the government organizations' requests for funding prior to the president submitting the annual budget request to Congress for the allocation of funds for the next fiscal year.
Figure 1.10 Information system security cycles.
Cycles, processes, and reports are all very effective tools, but as can be seen in the OMB/POA&M example, tools are only effective if individual roles and responsibilities are identified and monitored.
Roles and Responsibilities
Organizations have management structures to ensure that all elements work together to meet the organization's mission, goals, and objectives in the most effective and efficient manner possible. Management at all levels provides the leadership, planning, programming, oversight, and direction to ensure that activities are on time and on schedule. To maintain a successful organization, individual roles and responsibilities must be clearly communicated to the specific individuals in the roles, and to the rest of the individuals in and working with the organization (i.e., vendors, partners, clients, etc.).
As in so many other processes discussed in this chapter, there is no one best organizational structure for information system security. The correct organization should be derived from the inputs discussed during the initial reviews of the systems in the organization, i.e., mission, culture, environment, professional, and so forth. ISSMPs may have little control over how the organization is structured, but they must have a firm grasp of the structure and which individuals and groups are responsible for resourcing, operating, managing, monitoring, and approving the information systems and providing all the other security controls, such as physical, environmental, personnel, and technical.
Various documents identify potential positions with roles and responsibilities that are necessary to support the security for information systems. The tables for three of these are identified in Figure 1.12. The specifics for each can be found in the reference documents identified in the titles of each column.
Figure 1.11 Development and security cycles. [Graphic; the three cycles as labelled on the page: SDLC: Initiation, Development, Acquisition, Operation, Maintenance, Implementation, Disposition, Disposal. Generic: Initiation, Verification, Maintenance, Approval, Disposal. RMF: Categorize System, Implement Controls, Select Controls, Assess Controls, Authorize System, Monitor Controls.]
Analysis of the various roles in these models and others discloses a key set of five generic security roles that are necessary to ensure success in any information system security program. These are senior management, approving authority, verification entity, system owner, and user representative.
1. Senior Management: Senior management is the individual or individuals who have the vision, responsibility, and authority for setting and leading the organization toward meeting its mission, goals, and objectives. These individuals have the legal responsibility for ensuring that the organization
Figure 1.12 Various security organizational models. [Table; columns: NIST – SP 800-37; ISO – ISO/IEC 27002:2005; DoD – DODI-8500.2. Roles listed across the three columns, as they appear on the page: Authorization Advocate; Board of Directors; Designated Approving Authority (DAA); Authorizing Official/DAA; General Management – CEO/COO; Certifier and Certifying Team; Designated Representative; Chief Security Officer (CSO); Program Manager; Chief Information Officer; CISO; User Representative; Senior Agency Information Security Officer; Risk Management Officer; ISSO; Information Owner; Business Unit Security Officer; Developer, Integrator, or Maintainer; Information System Owner; Cybercrime Incident Response Team (CIRT); Program Manager; Information System Security Officer (ISSO); User Representative; Certification Agent; Risk Analyst.]