Information System Security Officer (ISSO) Guide
Office of the Chief Information Security Officer Version 10
September 16, 2013
DEPARTMENT OF HOMELAND SECURITY
INFORMATION SYSTEM SECURITY OFFICER (ISSO) GUIDE
Document Change History

Version | Date      | Description
0.1     | 11/25/09  | Initial Internal Draft
0.2     | 12/15/09  | Revised Internal Draft, corrected formatting and grammatical errors
0.3     | 1/27/2010 | Incorporated ISO comments
1.0     | 3/30/2010 | Final Version
8.0     | 6/06/2011 | Updated entire document for terminology changes per DHS 4300A Version 8.0 and NIST SP 800-37; changed version to match DHS 4300A; created new section 2.1.2 Critical Control Review (CCR) Team
8.0     | 9/19/2011 | Updates: 2.1.1 Document Review (DR) Team; 2.1.4 DHS InfoSec Customer Service Center; Appendix C: OIG Potential Listing of Security Test Tools & Utilities; Section 5.1 ISSO letter Attachment N changed to Attachment C
10      |           | Document updated to reflect new IACS tool, Ongoing Authorization, and other minor changes; ISO changed to DHS OCISO
TABLE OF CONTENTS

DOCUMENT CHANGE HISTORY ..... i
TABLE OF CONTENTS ..... ii
LIST OF FIGURES ..... iv
1.0 INTRODUCTION ..... 1
1.1 BACKGROUND ..... 1
1.2 PURPOSE ..... 1
1.3 SCOPE ..... 1
1.4 DHS INFORMATION SECURITY PROGRAM ..... 2
1.5 ESSENTIALS ..... 2
2.0 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND RELATIONSHIPS ..... 3
2.1 DHS CHIEF INFORMATION SECURITY OFFICER (CISO) ..... 4
2.2 COMPONENT CISO / ISSM AND STAFF ..... 7
2.3 SYSTEM OWNER ..... 8
2.4 SYSTEM, DATABASE, AND MAJOR APPLICATION ADMINISTRATORS (TECHNICAL STAFF) ..... 8
2.5 BUSINESS OWNER ..... 8
2.6 SECURITY CONTROL ASSESSOR (SCA) ..... 8
2.7 AUTHORIZING OFFICIAL ..... 9
2.8 CHIEF FINANCIAL OFFICER ..... 9
2.9 CHIEF PRIVACY OFFICER ..... 9
2.10 CHIEF SECURITY OFFICER (CSO) / FACILITY SECURITY OFFICER (FSO) ..... 10
2.11 DHS SECURITY OPERATIONS CENTER (SOC) ..... 10
2.12 CONFIGURATION CONTROL BOARD (CCB) ..... 10
2.13 FACILITY MANAGERS ..... 11
2.14 PEERS ..... 11
3.0 ISSO RESOURCES AND TOOLS ..... 11
3.1 REFERENCES ..... 11
3.2 DHS INFOSEC CUSTOMER SERVICE CENTER ..... 16
4.0 SYSTEM ENGINEERING LIFE CYCLE (SELC) ..... 16
4.1 LIFE CYCLE PHASES ..... 17
4.2 ISSO RESPONSIBILITIES DURING THE LIFE CYCLE ..... 21
5.0 ISSO RESPONSIBILITIES ..... 21
5.1 ISSO LETTER ..... 22
5.2 ACCESS CONTROL ..... 23
5.3 ACQUISITION PROCESS ..... 24
5.4 CONTROL ASSESSMENTS ..... 25
5.5 ANNUAL SECURITY AWARENESS AND ROLE-BASED TRAINING ..... 26
5.6 AUDITS ..... 27
5.7 AUDITING (LOGGING) AND ANALYSIS ..... 29
5.8 BUDGET ..... 31
5.9 SECURITY AUTHORIZATION PROCESS ..... 32
5.10 COMMON CONTROLS ..... 34
5.11 CONFIGURATION MANAGEMENT (CM) ..... 35
5.12 CONTINGENCY PLANNING ..... 36
5.13 CONTINUOUS MONITORING ..... 38
5.14 IDENTIFICATION AND AUTHENTICATION ..... 39
5.15 INCIDENT RESPONSE INCLUDING PII ..... 39
5.16 INTERCONNECTION SECURITY AGREEMENTS AND MEMORANDA OF UNDERSTANDING / AGREEMENT ..... 40
5.17 INVENTORY ..... 41
5.18 MAINTENANCE ..... 42
5.19 MEDIA PROTECTION ..... 42
5.20 PATCH MANAGEMENT ..... 42
5.21 PERSONNEL SECURITY ..... 43
5.22 PHYSICAL AND ENVIRONMENTAL SECURITY ..... 44
5.23 PLANNING ..... 46
5.24 POA&M MANAGEMENT ..... 47
5.25 RISK ASSESSMENT ..... 47
5.26 SYSTEM AND COMMUNICATIONS PROTECTION ..... 47
5.27 SYSTEM AND INFORMATION INTEGRITY ..... 48
5.28 SYSTEM AND SERVICES ACQUISITION ..... 48
5.29 SYSTEM INTERCONNECTIONS ..... 49
5.30 SECURITY TRAINING ..... 49
6.0 REQUIREMENTS FOR PRIVACY SYSTEMS AND CFO DESIGNATED SYSTEMS ..... 50
6.1 PRIVACY SYSTEMS ..... 50
6.2 CFO DESIGNATED SYSTEMS ..... 50
7.0 ISSO RECURRING TASKS ..... 53
7.1 ONGOING ACTIVITIES ..... 53
7.2 ISSO WEEKLY ACTIVITIES ..... 53
7.3 ISSO MONTHLY ACTIVITIES ..... 53
7.4 ISSO QUARTERLY ACTIVITIES ..... 53
7.5 ISSO ANNUAL ACTIVITIES ..... 53
7.6 AS REQUIRED ACTIVITIES ..... 54
APPENDIX A: REFERENCES ..... 55
APPENDIX B: ACRONYMS ..... 58
APPENDIX C: OIG POTENTIAL LISTING OF SECURITY TEST TOOLS & UTILITIES ..... 61

LIST OF FIGURES

Figure 1. ISSO Interactions ..... 4
Figure 2. SELC Process ..... 17
Figure 3. ISSO Security Authorization Process Relationships ..... 33