LC Initial IT Security Determination Template




Initial IT Security Determination

Revision History

|Revision |Date |Revised By |Notes |
|N/A |August 12, 2005 |Steve Elky |Initial document |
|N/A |March 21, 2006 |Steve Elky |Updates to template |
|N/A |July 11, 2006 |Steve Elky |Removed FIPS 199 security categorization |
|N/A |March 9, 2007 |Steve Elky |Added Hosting Option and Minor Application sections |
|N/A |April 2, 2007 |Steve Elky |Address comments from peer review |


Table of Contents

1 Introduction

2 System Purpose and Description

3 Determine C&A Requirements

4 Key Roles

5 Classes of Users

6 User and Administrative Interfaces

7 Security Boundary

8 Interfaces to Other Systems

9 Initial Business Impact Assessment

9.1 Business Impact Analysis Purpose

9.2 BIA Methodology

9.2.1 Identify Business Processes Supported by the Application

9.2.2 Identify Supporting IT Resources

9.2.3 Identify Interfaces and Dependencies

9.3 Preliminary System Information

9.4 BIA Results

10 Hosting Option Determination

Table of Figures

Figure 1 – System Architecture

Figure 2 – Key Roles

Figure 3 – User Classes and Clients

Figure 4 – Interface Summary

Figure 5 – System Information

Figure 6 – Detailed BIA Results

Introduction

The Initial Security Determination (ISD), together with the LC FIPS 199 Security Categorization, gives the system owner a clear understanding of the protection requirements for the system. From this, the required resources can be determined. This initial step is usually performed before the formal Certification and Accreditation effort, as part of Phase 2 (Planning and Requirements Analysis) of the LOC SDLC.

Note that this document is completed according to the best information available at the stage in the project when the ISD is performed. The ISD does not need to be updated thereafter.

This ISD serves as the basis for tailoring the Security Requirements Traceability Matrix (SRTM) and for establishing the appropriate level of effort to be expended on the Certification process. The ISD also contains information that is invaluable during the design process and feeds the Design Document, the System Security Plan and the IT Contingency Plan.

The ISD covers the following items:

• System purpose and description

• Determine C&A requirements

• Key roles

• Classes of users

• User and administrative interfaces

• Security boundary

• Interfaces to other systems

• Initial Business Impact Analysis (allowable downtime and projected resources)

• Hosting option determination

• Security category (attached from LC FIPS 199 for the application)

System Purpose and Description

Figure 1 – System Architecture


Determine C&A Requirements

is a

• provides all IT security controls

• is documented in the IT Security Plan

Key Roles

Figure 2 – Key Roles

|Role |Name |Title |Phone |Email |
|Certifying Official (CO) | | | | |
|Designated Approving Authority (DAA) | | | | |
|Information Owner (IO) | | | | |
|Information Systems Security Officer (ISSO) | | | | |
|IT Security Program Manager (ITSPM) | | | | |
|System Owner (SO) | | | | |
