(see Section 4.4, Tools)
Using the sample document of the cyber-security assist visit In-Briefing presentation and the information gathered during the planning activities, develop a comprehensive In-Briefing to be presented to the appropriate management/staff of the organization undergoing the Risk Assessment Review.
Step 1. Identify the systems and applications that require Security Plan documentation.
Step 2. Apply the security plan template to each system and application identified for Security Plan documentation. Users modify each section of the template with security specifications particular to their systems or applications based on the requirements identified in the comments section of the template. (The title of each section requiring modification contains highlighted text signaling an attached comment. By moving the mouse arrow over the highlighted text, a comment box will appear with specific information identifying or clarifying the requirements for that section).
Complete a Security Compliance Checklist for each file server identified in the security planning document. These Security Compliance Checklists contain specific requirements associated with the operating system software configuration on each server.
Complete an Emergency Readiness Evaluation checklist for each system/application being evaluated. The Emergency Readiness Evaluation checklist is used to verify the status of Continuity of Operations Planning associated with the system/application.
The process builds a security plan for each USAID general support system and major application that will meet the requirements specified by OMB A-130 Appendix III, associated with security plans.
|3.2||Relationship to Other BSPs|
|The cyber-security assistance visit process comprises several sub-processes, one of which is the development of a Security Plan. More relationships will be added as additional BSPs are submitted.|
|4.0||How To Use This BSP|
|Having the Administrator of the system being reviewed work closely with the Risk Assessment team members in developing the Security Plan can enhance the efficiency of this process.|
|4.2||Implementation Resource Estimates|
System Administrator or knowledge equivalent.
Time per System/Application: Depends on the size of the system; approximately 40 hours to complete the Security Plan template, the Security Compliance checklist, and the Emergency Readiness Evaluation checklist.
Preparation Time up-front: Depends on the time required to identify systems and applications, and to gather the requisite security specifications information for each system and application; approximately 40 hours for each system and application.
|4.3||Performance Goals and Indicators (Metrics)|
|General Goal: To
eliminate the security vulnerabilities associated with the configuration of the
organizations systems/applications and develop a security plan to maintain the
proper security posture for these systems/applications.
Performance Goal: To develop a Security Plan for all USAID general support and major applications.
Outcome Goal: Security Plans developed during a Risk Assessment Review will comply with OMB A-130 Appendix III.
Output goal: An OMB A-130 Appendix III compliant Security Plan.
General Objective: To identify and document the security posture of the USAID general support systems and major applications. This information can assist Senior Management in making appropriate security related decisions.
Performance Indicator: Document the existence of a Security Plan for each USAID general support and major application.
|The tools used to perform
the BSP for Security Plan Development within the Risk Assessment Review are:
|A||Executive Overview and Briefing|
|Editor's Note: See Appendix A *.ppt briefing|
|NIST Special Publication 800-18 (.pdf format)|
|The United States Agency for International Development (USAID) has contracted for general IRM support with Computer Sciences Corporation (CSC) under the Agency's Principle Resource for Information Management Enterprisewide (PRIME) contract (GS00K96AJD0012) with FEDSIM. USAID obtains its information system security support from CSC under the PRIME contract using the Performance Work Statement (PWS) at Appendix C *.doc.|
|Not yet evaluated|
|BSP 0002, Version 1.0 was reviewed after conducting cyber-assistance visits to Phnom Penh, Cambodia and Manila, Philippines during November and December 2000. Review determined need to revise time estimates in Section 4.2, from 4 hours to 40 hours.|