IT Security Plan Template

The purpose of the system security plan (SSP) is to provide an overview of federal information system security requirements and describe the controls in place or planned to meet those requirements. The SSP also delineates responsibilities and expected behavior of all individuals who access the information system and should be viewed as documentation of the structured process for planning adequate, cost-effective security protection for a major application or general support system. It should reflect input from various managers with responsibilities concerning the information system, including information owner(s), system owner(s), system operator(s), and the information security manager. Additional information may be included in the basic plan, and the structure and format organized according to requirements.
FDCC Federal Desktop Core Configuration 2007 Security Requirements
The Federal Desktop Core Configuration (FDCC) is a security configuration that must be enabled on any desktop that connects to a federal network. FDCC began with a 2007 memorandum by the United States Office of Management and Budget (OMB). That memo discusses the need for a centralization of effort in defining a central configuration for all desktops contained within federal IT environments. Such a unified configuration would strengthen federal IT security by mandating a tested configuration across all federal IT organizations.
This configuration would additionally provide a standardized starting point for external vendors, making it easier for them to develop solutions that work across the whole of government IT. In conjunction with the FDCC, the OMB also began work on the Security Content Automation Protocol (SCAP), a cross-platform vulnerability management protocol that enables outside vendors to validate their products' functionality with FDCC desktops as well as with other regulations required by government systems.
Cloud Computing IT Security Control Objectives

- Asset management, access control
  - Data protection/segregation/encryption
    - To provide logical segregation of CSP customers' data
    - To enable customer classification of sensitive data
    - To enable protection of data commensurate with risk and defined information classifications
- Information systems acquisition, development, and maintenance
  - Encryption standards
    - To enable encryption of sensitive data using consistent mechanisms
    - To enable access to current and archived data regardless of which keys were used for encryption
- Communications and operations management
Payment Card Industry Data Security Standard Compliance (PCI DSS) Roles and Responsibilities Matrix Templates

- Chief Information Officers (CIOs) who are concerned with the deployment and operation of systems and IT-related processes.
- Chief Information Security Officers (CISOs) who are concerned with the overall information security program and compliance with information security policies.
- Chief Financial Officers (CFOs) who are concerned with the overall control environment of their organizations. This is often delegated to financial positions such as those in Payments Operations, and Accounts Receivable.
- Chief Privacy Officers (CPOs) who are responsible for the implementation of policies that relate to the management of personal information, including policies that support compliance with privacy and data protection laws.
The Integrated Service Level Agreement Framework

The ISLA framework is enabling because it introduces advanced work-flow automation and community management technology into the OSS environment, thereby creating a number of core capabilities that can be divided over seven functionally oriented logical domains, which will be discussed later in the chapter.
The three framework components are as follows:
1. Enabling technology and concepts
- Dynamic work-flow automation
- Dynamic work-flow communities
2. Capabilities
- Universal access
- Intelligence
- Collaboration
- Automation