SOP 13-1



Security Plan for the [insert system name here]

[Insert Directorate Name here]

Issue Date: MM-DD-YYYY

Effective Date: MM-DD-YYYY

Verify that this is the correct version before use.

[Insert Document Revision Letter here; e.g., “Rev. A”

This document contains information that is sensitive to the foregoing organization. Reproduction or distribution of this document should be done only with the written approval of the management of this organization. When unattended, this document should be stored in a facility commensurate with its sensitivity.

This document was prepared for and is the property of the National Aeronautics and Space Administration and has not been approved for public release.

[pic]

National Aeronautics and

Space Administration

[Center Name]

[Center Location]

This page to be filled out in accordance with Center policy and requirements

Security Plan for the [Insert system name here]

Issue Date: MM-DD-YYYY

Effective Date: MM-DD-YYYY

[Insert Doc Rev Letter here; e.g. “Rev A”]

Prepared by:

________________________________ MM-DD-YYYY

[Information System Security Official (ISSO) name] Date

[ISSO title]

Approved by:

________________________________ MM-DD-YYYY [Authorizing Official] Date

[Authorizing Official’s Title]

National Aeronautics and Space Administration

[Center Name]

[Center Location]

Document Revision Log

|Revision Letter |Change Date |Originator/Phone |Description |

| | | | |

| | | | |

| | | | |

| | | | |

| | | | |

| | | | |

| | | | |

| | | | |

| | | | |

| | | | |

| | | | |

| | | | |

| | | | |

Insert the Table of Contents here

1.0 Executive Summary

| |Master IT System Security Plan | | |Subordinate IT System Security Plan |

| | | | | |

| |Major Application | | |General Support System |

| | | | | |

| |Mission Essential System | | | |

| |Initiation Phase | | |Operations/Maintenance Phase |

| | | | | |

| |Acquisition Phase/Development | | |Disposal Phase |

| | | | | |

| |Implementation Phase | | | |

|Master Plan |

|Master System Unique Identifier |Number |

|Unique Program Identifier (UPI) |Number |

|Plan Name |Name |

|Responsible Program/ Functional Officer |Name |

|Plan System Owner |Name |

|Certification Agent |Name |

|Authorizing Official |Name |

|Plan Short Description |Text |

|Type of Information |Text |

|Impact Level |Text |

|Authorized to Operate (Accredited) |Date |

|Interim Authorization to Operate (IATO) |Date |

|Expiration Date of IATO |Date |

|Annual Testing of Controls |Date |

|Annual Testing of Contingency Plan |Date |

|Subordinate Plan |

|(repeat section as many times as necessary) |

|Date of Last Update |Date |

|Subordinate System Unique Identifier |Number |

|Plan Name |Name |

|Responsible Program/Functional Officer |Name |

|Plan System Owner |Name |

|Line Manager (if applicable) |Text |

|Certification Agent |Name |

|Authorizing Official |Name |

|Plan Short Description |Text |

|Type of Information |Text |

|Impact Level |Text |

|Authorized to Operate (Accredited) |Date |

|Interim Authorization to Operate |Date |

|Expiration Date of IATO |Date |

|Annual testing of Controls |Date |

|Annual Testing of Contingency Plan |Date |

Describe any residual risks

Describe what steps were taken to mitigate the risks

Describe the impact to NASA if the risk(s) were to be successfully exploited

Describe the results of the certification process

Was the system recommended for accreditation? If not, why not?

Insert the Signed Letter of Accreditation here

Statement of Readiness for Certification and Accreditation

The IT system security plan and executive summary accurately describes the security posture of this system and all residual risks associated with this system and NASA’s information.

I (we) confirm that all required steps have been successfully accomplished in preparing this system for the certification process.

As signed by:

________________________________________________ _________________________

(System Owner) (Date)

________________________________________________ _________________________

(Line Manager) (Date)

________________________________________________ _________________________

(OCSO) (Date)

________________________________________________ _________________________

(ISSO) (Date)

________________________________________________ _________________________

(Information Owner) (Date)

________________________________________________ _________________________

(CIO, if required) (Date)

________________________________________________ _________________________

(ITSM, if required) (Date)

2.0 Plan Development

2.1 System Identification

| |Master IT System Security Plan | | |Subordinate IT System Security Plan |

| | | | | |

| |Major Application | | |General Support System |

| | | | | |

| |Mission Essential System | | | |

2.2 Life Cycle Status

| |Initiation Phase | | |Operations/Maintenance Phase |

| | | | | |

| |Acquisition Phase/Development | | |Disposal Phase |

| | | | | |

| |Implementation Phase | | | |

2.3 General System Information

|Date of Last Update |Date |

|System Unique Identifier (Master or Subordinate) |Number |

|UPI Identifier |Number |

|Plan Name |Name |

|Responsible Program/ Functional Officer |Name |

|Plan System Owner |Name |

|Line Manager (if applicable) |Name |

|Certification Agent |Name |

|Authorizing Official |Name |

|Plan Short Description |Text |

|Type of Information |Text |

|Impact Level |Text |

|Authorized to Operate (Accredited) |Date |

|Interim Authorization to Operate (IATO) |Date |

|Expiration Date of IATO |Date |

|Annual Testing of Controls |Date |

|Annual Testing of Contingency Plan |Date |

2.4 Key Information Contacts

|Line Manager (Day-to-day system manager) |

|Name |Name |

|Title |Name |

|E-Mail Address |Text |

|Work Phone Number |Number |

|Pager Number |Number |

|Cell Phone Number |Number |

|Chief Information Officer |

|Name |Name |

|E-Mail Address |Text |

|Work Phone Number |Number |

|Pager Number |Number |

|Cell Phone Number |Number |

|Organization Computer Security Official |

|Name |Name |

|E-Mail Address |Text |

|Work Phone Number |Number |

|Pager Number |Number |

|Cell Phone Number |Number |

|Information System Security Officer |

|Name |Name |

|E-Mail Address |Text |

|Work Phone Number |Number |

|Pager Number |Number |

|Cell Phone Number |Number |

|System Administrator |

|Name |Name |

|E-Mail Address |Text |

|Work Phone Number |Number |

|Pager Number |Number |

|Cell Phone Number |Number |

2.5 General Description/Purpose

2.6 System Environment

2.7 System Interconnection/Information Sharing

2.8 Applicable Laws or Regulations Affecting the System

2.9 General Description of Information Sensitivity

|System Information Types |Confidentiality |Integrity |Availability |

|Type 1 | | | |

|Type 2 | | | |

|Type 3, etc. | | | |

|System Security Category | | | |

Overall system security category is _______________________

(1) For each information type, provide a short description of your methodology.

3.0 Management Controls

3.1 Risk Assessment and Management

3.2 Review of Security Controls

3.3 Rules of Behavior

3.4 Planning for Security in the Life Cycle

(1) Initiation Phase

(2) Acquisition/development Phase

|Questions |Yes |No |

|(i) During the system design, were security requirements identified? | | |

|(ii) Were the appropriate security controls with associated evaluation and test procedures | | |

|developed before the procurement action? | | |

|(iii) Did the solicitation documents (e.g., Request for Proposals) include security requirements | | |

|and evaluation/test procedures? | | |

|(iv) Did the requirements permit updating security requirements as new threats/vulnerabilities | | |

|are identified and as new technologies are implemented? | | |

|Were security requirements identified and included in the acquisition specifications, if this is a| | |

|purchased commercial application or the application contains commercial, off-the-shelf | | |

|components,? | | |

(i) Provide a short description for each answer given.

(3) Implementation Phase

|Questions |Yes |No |

|(i) Were design reviews and systems tests run prior to placing the system in production? | | |

| Were the tests documented? | | |

| Has the system been certified? | | |

| Has the system been accredited (authorized to process)? | | |

|(ii) Have security controls been added since development? | | |

| If so, was the system tested and re-certified? | | |

|(iii) Has the application undergone a technical evaluation to ensure that it meets applicable | | |

|federal laws, regulations, policies, guidelines, and standards? | | |

(iv) Include the date of the certification and accreditation. If the system is not authorized yet, include date when the accreditation request will be made.

(i) Provide a short description for each answer given.

(4) Operation/Maintenance Phase

(5) Disposal Phase

3.5 Certification and Accreditation

4.0 Operational Controls

4.1 Personnel Controls

|Questions |Yes |No |

|(i) Have all positions been reviewed for information or system privilege level? | | |

|(ii) Have individuals received background checks appropriate for the position to which they are assigned | | |

|(iii) Is user access restricted to the minimum necessary to perform the job? | | |

|(iv) Is there a process for requesting, establishing, issuing, and closing user accounts? | | |

|(v) Are critical functions divided among different individuals (separation of duties)? | | |

(i) Provide a short description for each answer given.

4.2 Physical and Environmental Protection

4.3 Production, Input/Output Controls

4.4 Contingency Planning

| |Yes |No |Not Needed |

|Business Continuity Plan | | | |

|Business Impact Analysis | | | |

|Business Recovery/Resumption Plan | | | |

|Contingency Plan | | | |

|Continuity of Operations Plan | | | |

|Disaster Recovery Plan | | | |

|Incident Response Plan | | | |

|Other: (list type of plan here) | | | |

(i) Provide a short description for each answer given.

(2) As a minimum, a contingency plan will be in place and will include the following:

(i) List the primary recovery team members:

|Team Member Name |Role |Work Phone |Pager |Home Phone |

| | | | | |

| | | | | |

| | | | | |

| | | | | |

4.5 Application Software Maintenance Controls

a. Describe the following software maintenance controls for each software application:

|Questions |Yes |No |

|(1) Was the application software developed in-house or under contract? | | |

|(2) Does the government own the software? | | |

|(3) Was the software received from another agency? | | |

|(4) Is the application software a copyrighted commercial off-the-shelf product or shareware? | | |

|(5) Has the software been properly licensed and enough copies purchased for all systems? | | |

|(6) Is there a formal change control process in place and if so, does it require that all changes to the | | |

|application software be tested and approved before being put into production? | | |

|(7) Is test data live data or made-up data used in the testing of the application? | | |

|(8) Are all changes to the application software documented? | | |

|(9) Are software test results documented? | | |

|(10) Are there organizational policies against illegal use of copyrighted software or shareware? | | |

|(11) Are periodic audits conducted of users’ computers to ensure only legal licensed copies of software are | | |

|installed? | | |

|(12) Are software warranties managed to minimize the cost of upgrades and cost reimbursement or replacement | | |

|for deficiencies? | | |

(i) Provide a short description for each answer given.

.

4.6 Hardware and System Software Maintenance Controls

4.7 Data Integrity/Validation Controls

.

4.8 Documentation

4.9 Security Awareness and Training

a. Is training provided for the following:

|Training Provided |Yes |No |

|Rules of the system | | |

|Responsibilities described in the NPR 2810.1 | | |

|How to detect and respond to suspected and real IT security incidents | | |

|How to get help in using the information system or its security features | | |

|NASA and Center IT security policies, procedures, and guidelines | | |

(i) Provide a short description for each answer given.

4.10 IT Security Incident Response

5.0 Technical Controls

5.1 Identification and Authentication

5.2 Logical Access Controls

5.3 Public Access Controls

5.4 Audit Trails

5.5 System and Communication Protection

Appendix A – Acronyms

Appendix B – Attachments

Appendix C – Risk Analysis

Appendix D – Contingency Plan(s)

Other Appendices and Attachments

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download