Scottish Pride Inc.
Office of Information Services
Scottish Pride Licensing Application (SPLA)
Continuous Monitoring Plan
Version 1.0
May 28, 2013
DOCUMENT CONTROL
Change Record: Date | Author | Version | Change Reference
Quality Review History: Date | Reviewer | Comments
Approval Sign-off: Name | Role | Signature | Date
Scottish Pride Scottish Pride Licensing Application Office of Information Services
TABLE OF CONTENTS
1 BACKGROUND
  1.1 PURPOSE
  1.2 SECURITY FRAMEWORK SYSTEM DEVELOPMENT LIFECYCLE (SDLC)
  1.3 OBJECTIVE
  1.4 RISK
  1.5 BENEFITS
2 REQUIREMENTS FOR CONTINUOUS MONITORING
  2.1 CONFIGURATION MANAGEMENT AND CONTROL
  2.2 SECURITY CONTROL MONITORING
  2.3 STATUS REPORTING AND DOCUMENTATION
3 SECURITY CONTROLS MONITORING
APPENDIX A – RESPONSIBILITIES
APPENDIX B – ANNUAL REQUIRED SECURITY CONTROLS
APPENDIX C – YEAR-2 REQUIRED SECURITY CONTROLS
APPENDIX D – YEAR-3 REQUIRED SECURITY CONTROLS

LIST OF TABLES
Table 1: SPLA Security Controls Assessment

LIST OF FIGURES
Figure 1: Security Framework System Development Life Cycle
1 BACKGROUND

1.1 Purpose
Continuous monitoring is one of six steps in the Risk Management Framework described in NIST Special Publication 800-37, Revision 1, Applying the Risk Management Framework (RMF) to Federal Information Systems (February 2010) (see Figure 1 below). The purpose of a continuous monitoring program is to determine whether the complete set of planned, required, and deployed security controls within an information system, or inherited by the system, continues to be effective over time in light of the inevitable changes that occur. Continuous monitoring is an important activity in assessing the security impacts on an information system resulting from planned and unplanned changes to the hardware, software, firmware, or environment of operation.
The Agency for Enterprise Information Technology Office of Information Security (AEIT/OIS) highly recommends that agencies implement the best practices identified in the Florida Information Technology Resource Security Policies and Standards, 71A-1.001-.010, F.A.C., by formally developing a Continuous Monitoring Plan in accordance with NIST Special Publication (SP) 800-37 Revision 1. Agencies must categorize all systems, identify and resolve risks, develop low-level and moderate-level system security plans, submit moderate-level systems for Security Authorization, perform continuous monitoring, and conduct annual reviews of the effectiveness of all security controls. This process, developed by NIST, is known as the Security Framework System Development Lifecycle (SDLC).
1.2 Security Framework System Development Lifecycle (SDLC)
The process to comply with AEIT/OIS moderate-level system security is documented in the Security Framework System Development Lifecycle in Figure 1. This SDLC addresses the steps towards compliance with the Agency for Enterprise Information Technology Office of Information Security (AEIT/OIS) directives on information systems security and state and federal laws.
Risk Assessments (RA) are promulgated under the AEIT/OIS directives on information systems security and the guidelines established by NIST Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. AEIT requires Scottish Pride to implement a risk-based program for cost-effective Information Technology (IT). All business processes operate with some level of risk, and one of the most effective ways to protect these business processes is through the implementation of effective internal security controls, risk evaluation, and risk management (RM).
A risk assessment is required before initiating Step 1 of the Security Framework System Development Lifecycle to establish a baseline indicating the risks to system resources in the areas of Management, Operational, and Technical controls. Risks should be assessed in the following areas: natural, environmental, human intentional and human unintentional threats.
This plan covers only Step 6 of the Security Framework System Development Lifecycle. The status of the preceding steps is:
• Step 1 – System categorization was performed prior to the development of the SSP
• Steps 2-3 – Will be completed in the development of the SSP
• Step 4 – A comprehensive risk assessment will be performed by an independent third-party assessor
• Step 5 – The Certification and Accreditation package/approval will be performed by an independent third-party authorizing authority identified by the CIO
1.2.1 Step 6 - Continuous Monitoring Plan
Step 6 is the development of the Continuous Monitoring Plan, which provides oversight and monitoring of the security controls in the information system on an ongoing basis. The Continuous Monitoring Plan also describes the Agency's procedural requirements and responsibilities for implementing the NIST SP 800-53 Revision 2 CA-7 (Continuous Monitoring) security control for the Scottish Pride information system. Continuous Monitoring begins after the system has been certified and accredited for operations, and the activities in this plan are performed continuously throughout the life cycle of the information system. The plan informs the CIO when changes occur that may have an impact on the security of the system. The continuous monitoring plan will include:
• Continuous monitoring validation through spot checks, continuous scans, and documentation updates
• Configuration management and control processes for the information system
• Security impact analysis on actual or proposed changes to the information system
• Assessment of selected security controls based on the continuous monitoring strategy
• Security status reporting
1.3 Objective
The objective of the continuous monitoring plan is to develop a strategy and implement a plan for the continuous monitoring of Scottish Pride Licensing Application (SPLA) security control effectiveness, taking into account any proposed or actual changes to the information system or its environment of operation. Furthermore, the Continuous Monitoring Plan should:
• Be integrated into the agency's SDLC processes
• Address the security impacts on information systems resulting from changes to the hardware, software, firmware, or operational environment
• Provide an effective mechanism to update the SSP, RA reports, and POA&M
• Track the security state of the information system on a continuous basis
• Maintain the security authorization for the system over time in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and mission/business processes
1.4 Risk
Failure to meet compliance requirements may expose Scottish Pride to further security issues. Furthermore, non-compliance with AEIT/OIS directives and Florida Statutes creates a risk of losing critical program and system resource funding.
1.5 Benefits
With a compliant monitoring program, Scottish Pride becomes more efficient in its operations and, most importantly, more secure. In addition to reaping the benefits of strong controls and the ability to deliver continuous compliance with current and emerging regulations, Scottish Pride will be able to:
• Reduce risk and cost, and increase efficiency
• Create a consistent, agency-wide view of the current security posture, creating ties between program activities such as assessment and remediation and showing business unit managers at all agency levels exactly where they stand in addressing security issues
• Develop automated and integrated IT processes, reducing the burden on administrative staff and improving business effectiveness
• Improve agency planning and strategic decision making
![Page 7: SPLA Continuous Monitoring Plan - · Web viewSPLA) Continuous Monitoring Plan Version 1.0 May 28, 20 1 3 DOCUMENT CONTROL Change Record Date Author Version Change Reference Quality](https://reader035.vdocuments.us/reader035/viewer/2022081605/5aa3a2f67f8b9a1f6d8ecb25/html5/thumbnails/7.jpg)
STEP
2SELECTSecurity
Controls FIPS 200/SP 800
-53
Define
category of information
system according to potential impact of
loss
IMPLEMENTSecurity Controls
SP 800 SeriesSele
ct minimum security controls (i.e.,
safeguards and countermeasures) planned or in place to protect the information syste
m
Implement
security controls in new or
legacy information systems; implement
security configuration
checklists
Determine extent
to which the security controls
are implemented correctly, operating as intended,
and producing desired outcome with respect to
meeting security requirements
Determine risk to operatio
ns, assets
, or individuals and,
if acceptable, authorizes information
system processing
AUTHORIZEInformation Systems
SP 800
-37
MONITOR Security Controls
SP
800
-53A
CATEGORIZEInformation Systems
FIPS 199/SP 800
-60
ASSESSSecurity
ControlsSP 800
-53A
STEP
3STEP
1
STEP
4STEP
5STEP
6
Continuously
track chang
es to the information system
that may affect security controls and
assesses control effectiveness
Scottish Pride Scottish Pride Licensing Application Office of Information Services
Create and enforce configuration management standards, and identification of risks to all systems
Figure 1: Risk Management Framework
2 REQUIREMENTS FOR CONTINUOUS MONITORING
Continuous Monitoring is composed of three tasks: (1) Configuration Management and Control, (2) Security Control Monitoring, and (3) Status Reporting and Documentation. The tasks can further be broken down into nine subtasks, which are described below. The goal of the Continuous Monitoring phase is to maintain SPLA's authorization to operate after certification and accreditation has been granted. This goal is achieved through activities that provide ongoing, near real-time risk management and operational security, such as monitoring SPLA, ensuring SPLA operates in a secure fashion, and reporting status to the appropriate Scottish Pride personnel.
2.1 Configuration Management and Control
Configuration Management and Control consists of developing SPLA's monitoring plan, monitoring SPLA for changes, and analyzing changes to determine their security impact. The System Owner shall implement the details of the tasks involved in these activities, identified as:
Subtask 1: Security Control Monitoring Strategy - Develop a strategy for the continuous monitoring of security control effectiveness and of any proposed/actual changes in SPLA, including hardware, software, firmware, and the surrounding environment
o Establish a strict configuration management process to support continuous monitoring activities
o Define the methodology for conducting security impact analyses to determine the extent to which proposed changes to SPLA or its operating environment will affect the security state of SPLA
o Determine how many subsets of security controls will be assessed during the authorization period, which security controls will be included in each subset, and the schedule according to which the security control subsets will be assessed
o Determine the tools that will be used in assessing security controls. For example, Security Content Automation Protocol (SCAP)-validated products should be used to verify whether the security configuration settings of various products comply with government standards, guidance, and policies
o Document the continuous monitoring strategy
o Obtain approval for the continuous monitoring plan and strategy from the CIO and ISM
Subtask 2: System and Environment Changes - Analyze and document proposed or actual changes to SPLA (including hardware, software, firmware, and the surrounding environment) to determine the security impact of such changes
o Document any relevant information about proposed changes to the hardware, software, and firmware components, SPLA's operating environment, or Scottish Pride's policies, procedures, or guidance
o Document actual changes to SPLA, collecting the same information as for proposed changes, so that the actual changes can be analyzed and the appropriate Scottish Pride personnel can determine whether or not the actual change can remain in SPLA
Subtask 3: Security Impact Analysis - Determine the security impact of the proposed or actual changes to SPLA or the environment of operation in accordance with the security control monitoring strategy
o Analyze each proposed/actual change to SPLA to determine what impact, if any, the change has on the security posture of the system
o Monitor compliance of the configuration of SPLA components. If SPLA contains information technology components for which SCAP-validated tools exist, those tools should be used to monitor the components' configuration
o Document the results of the security impact analysis and share the results with the Information System Security Officer (ISSO), Information Security Manager (ISM), and Chief Information Officer (CIO) using an approved format
o Determine if remediation actions or other changes to SPLA are necessary based on the security impact analysis, determine the impacts of the actions or other changes, and document them in the Plan of Action and Milestones (POA&M)
o If the analysis determines that there is a significant change requiring reaccreditation of SPLA, report SPLA security status to the ISSO, CIO and ISM
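Subtasks 2 and 3 describe change tracking and security impact analysis as a procedure. The Python script below is an added example, not part of the SPLA plan or any Scottish Pride tooling, of the automated side of that procedure: it fingerprints a recorded configuration baseline, diffs it against the observed settings of a component, maps each deviation to the SP 800-53 control it affects, and flags changes that weaken a control so they can be escalated to the ISSO, ISM and CIO. The baseline, the observed state, the setting names and the setting-to-control map are all constructed for this example; only the control identifiers (AC-7, AC-8, AC-11, AC-12, AC-17, AU-2, AU-11) come from Table 1.

```python
"""Configuration drift check with a simple security impact triage.

Added example (not part of the SPLA plan). Compares a recorded baseline
against observed settings, reports every deviation, and maps deviated
settings to the security control they affect. All settings, values and
mappings below are constructed for illustration.
"""
import hashlib
import json

# Constructed baseline: the approved configuration recorded at authorization.
BASELINE = {
    "session.idle_timeout_minutes": 15,       # AC-11 Session Lock
    "session.max_lifetime_hours": 8,          # AC-12 Session Termination
    "auth.max_failed_logins": 5,              # AC-7 Unsuccessful Logon Attempts
    "audit.enabled": True,                    # AU-2 Auditable Events
    "audit.retention_days": 365,              # AU-11 Audit Retention
    "tls.min_version": "1.2",                 # AC-17 Remote Access (transport protection)
    "ui.banner_text": "Authorized use only",  # AC-8 System Use Notification
    "ui.theme": "blue",                       # cosmetic, not security relevant
}

# Constructed: which setting supports which control. Unmapped settings are
# reported as changes with no direct control impact (still documented).
CONTROL_MAP = {
    "session.idle_timeout_minutes": ("AC-11", "Session Lock"),
    "session.max_lifetime_hours": ("AC-12", "Session Termination"),
    "auth.max_failed_logins": ("AC-7", "Unsuccessful Logon Attempts"),
    "audit.enabled": ("AU-2", "Auditable Events"),
    "audit.retention_days": ("AU-11", "Audit Retention"),
    "tls.min_version": ("AC-17", "Remote Access"),
    "ui.banner_text": ("AC-8", "System Use Notification"),
}

# Direction in which a change weakens the control; drives the escalation flag.
WEAKENING_RULES = {
    "session.idle_timeout_minutes": lambda old, new: new > old,
    "session.max_lifetime_hours": lambda old, new: new > old,
    "auth.max_failed_logins": lambda old, new: new > old,
    "audit.enabled": lambda old, new: old and not new,
    "audit.retention_days": lambda old, new: new < old,
    "tls.min_version": lambda old, new: float(new) < float(old),
}


def fingerprint(config):
    """Stable SHA-256 of a configuration, a cheap 'anything changed?' check."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_config(baseline, observed):
    """Return one finding per deviated setting, with its control triage."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(key), observed.get(key)
        if old == new:
            continue
        control = CONTROL_MAP.get(key)
        rule = WEAKENING_RULES.get(key)
        weakens = bool(control and rule and old is not None
                       and new is not None and rule(old, new))
        findings.append({
            "setting": key,
            "baseline": old,
            "observed": new,
            "control": control,                      # None when unmapped
            "security_relevant": control is not None,
            "weakens_control": weakens,
        })
    return findings


def needs_escalation(findings):
    """True when any deviation weakens a mapped control."""
    return any(f["weakens_control"] for f in findings)


# Constructed observed state: lockout threshold relaxed, auditing disabled,
# a cosmetic change, and an undocumented new setting.
OBSERVED = dict(BASELINE)
OBSERVED["auth.max_failed_logins"] = 50
OBSERVED["audit.enabled"] = False
OBSERVED["ui.theme"] = "green"
OBSERVED["debug.enabled"] = True

if __name__ == "__main__":
    if fingerprint(BASELINE) != fingerprint(OBSERVED):
        findings = diff_config(BASELINE, OBSERVED)
        for f in findings:
            tag = ("WEAKENS" if f["weakens_control"]
                   else "security" if f["security_relevant"] else "no direct impact")
            print(f"{f['setting']}: {f['baseline']!r} -> {f['observed']!r} "
                  f"[{tag}] {f['control'] or ''}")
        print("escalate to ISSO/ISM/CIO:", needs_escalation(findings))
```

The fingerprint lets a scheduled job detect that something changed without storing a full diff every run; the per-setting triage is only computed when it does. An unmapped setting such as the constructed `debug.enabled` is still a finding: under Subtask 2 it must be documented even though no control mapping exists for it, and the absence of a mapping is itself a prompt to extend the map.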
The first step is to establish a security control monitoring strategy to select which security controls to monitor and how to monitor them effectively. Selection of security controls for monitoring should take into consideration the importance of the security control to SPLA and Scottish Pride. Monitoring of security controls can be done in three ways:
1. Automated processes – Vulnerability Scanners, Web Application Scanners, Patch Management software, Security Information and Event Management software and Information Security Automation Program (ISAP) / Security Content Automation Protocol (SCAP) tools
2. IT management systems – Information Technology Infrastructure Library (ITIL), Capability Maturity Model Integration (CMMI) or other change management solutions
3. Periodic audits – Auditing of sets of security controls on a regular basis
When a new or proposed change is identified, Scottish Pride security staff should provide feedback to the ISSO when changes could affect the security state. Effort spent identifying and analyzing changes should be commensurate with the security priority of SPLA and the risk system changes might incur. Documentation of SPLA changes should inform the System Owner and also be reflected in System Security Plan (SSP) updates, POA&M updates, and status reports to other appropriate Scottish Pride personnel.
2.2 Security Control Monitoring
SPLA Security Control Monitoring consists of the ongoing processes of security control assessment and remediation. When security controls are identified as being ineffective, before or during the Continuous Monitoring phase, they must be remediated. Ineffective controls are identified through the periodic review of a subset of the system's security controls.
This review is a compliance requirement that is made simpler by good documentation procedures and by adopting the best practices that achieve the goals of Security Control Monitoring. The tasks involved in these activities are:
Subtask 4: Ongoing Security Control Assessments - Assess a selected subset of the security controls in SPLA or the environment of operation (including those controls affected by changes to the system/environment) in accordance with the continuous monitoring strategy
o The System Owner should:
   - Assign responsibility for assessing a subset of security controls to an assessor who has an appropriate level of independence, as defined by the CIO, and the knowledge, skills, and abilities to complete the assessment
   - Update the POA&M after the assessment has been completed, based on the updated security assessment report provided by the security control assessor
o The security control assessor should:
   - Develop the security assessment plan that defines the appropriate procedures from NIST SP 800-53A to assess the security controls
   - Obtain approval for the security assessment plan from the CIO
   - Conduct the security assessment in accordance with the agreed-upon procedures, personnel, milestones, and schedule
   - Update the security assessment report with the information gained during the assessment of the subset of security controls and submit it to the System Owner, ISSO, and ISM
Subtask 5: Ongoing Remediation Actions - Conduct remediation actions based on the results of the selected security control assessments and outstanding items in the POA&M. The System Owner should initiate remediation actions based on the findings produced during the continuous monitoring assessments of the security controls, the outstanding items listed in the POA&M, and the results of performing the activities required by the system's security controls (e.g., vulnerability scanning, contingency plan testing, incident response handling). The System Owner should:
o Consult with the ISSO, ISM, and CIO, review each assessor finding, and determine the severity or seriousness of the finding and whether it is significant enough to warrant further investigation or remedial action
o Determine the appropriate steps required to correct any identified weaknesses or deficiencies that require remediation efforts, establish an implementation plan and schedule for the defined actions, and update the POA&M with the planned remediation actions
o Assess SPLA after the remediation actions have been completed to determine whether the security controls remain effective after the changes have been implemented
o Update the POA&M with the current status when a remediation action has been successfully completed
The System Owner needs to revisit, on a regular basis, the risk management activities described in the Risk Management Framework (Figure 1) to ensure the selection of security controls remains appropriate for SPLA. The System Owner should:
• Monitor events that occur throughout Scottish Pride and determine whether those events introduce or uncover new vulnerabilities or threats to SPLA
• Determine whether the selected security controls remain sufficient to protect the information and SPLA assets against the newly identified vulnerabilities and threats
• Reconfirm SPLA's impact level and security category, and that of the information processed, stored, or transmitted by SPLA, and determine whether they should be changed
• Consult with the ISSO, ISM, and CIO to determine whether the authorization should be updated
2.3 Status Reporting and Documentation
Status Reporting and Documentation consists of Critical Document Updates, Security Status Reporting, Ongoing Risk Determination and Acceptance, and System Removal and Decommissioning. The overall goal is to ensure that the documentation describing the security status of SPLA does not become stale.
The POA&M is particularly important to keep current because it reflects a single aspect of SPLA: the controls known to have been inadequate. The SSP should also be updated on an ongoing basis to support the near real-time view of SPLA's security posture. When SPLA system status changes occur, they must be documented and presented to the appropriate agency officials. Significant changes may require the ISSO to consider whether the risk(s) presented require reconsideration of the operating status of the system. Additionally, these updates should be periodic and ensure that all affected Scottish Pride staff are aware of SPLA's status. Details of the tasks involved in these activities are:
Subtask 6: Critical Document Updates - Update the SSP, security assessment report, and POA&M based on the results of the continuous monitoring process. Continuous monitoring provides System Owners with an effective tool for producing ongoing updates to SSPs, security assessment reports, and POA&Ms. These documents are critical to understanding and explicitly accepting risk on a day-to-day basis. The System Owner should:
o Ensure that the security control assessor updates the security assessment report with the results of the security control assessments conducted during the continuous monitoring phase
o Update the SSP and POA&M to identify changes to SPLA, the operating environment, the security controls, and the implementation of SPLA's security controls
o Preserve the original version of the documents so that they are available for oversight, management, security control assessments, and auditing purposes
o Share the updated documentation with others
Subtask 7: Security Status Reporting - The System Owner should document the results of the continuous monitoring activities in security status reports and provide them to the ISSO, ISM, and CIO. The System Owner should:
o Describe the continuous monitoring activities and how the vulnerabilities discovered during the security control assessments and security impact analyses are being addressed
o Provide the security status reports to the ISSO, ISM, and CIO at appropriate Scottish Pride-defined frequencies
Subtask 8: Ongoing Risk Determination and Acceptance - Periodically review the reported security status of SPLA and determine whether the risk to Scottish Pride operations and assets, individuals, other organizations, or the Nation remains acceptable. The System Owner should provide sufficient information to the ISSO, ISM, and CIO for them to be able to make appropriate reauthorization decisions. The ISSO, ISM, and CIO should:
o Review the updated security assessment report, SSP, POA&M, and security status reports to determine whether the risk to the information and SPLA remains acceptable
o Determine whether SPLA requires reauthorization
o Document the decision and forward it to the System Owner for appropriate action
Subtask 9: System Removal and Decommissioning - Implement a Scottish Pride-approved SPLA decommissioning strategy, when needed, which executes the required actions when SPLA is removed from service. When SPLA is removed from operation, the System Owner should ensure that all security controls addressing SPLA decommissioning are implemented. The System Owner should:
o Determine a decommissioning strategy for SPLA when SPLA is no longer needed by Scottish Pride
o Keep users and application owners served by the decommissioned SPLA or system components informed about the decommissioning activities and any issues associated with their information or applications
o Sanitize or destroy SPLA components in accordance with applicable regulations and guidance to remove system information from SPLA media, so that there is reasonable assurance that the information cannot be retrieved or reconstructed
o Update Scottish Pride's tracking and management systems to identify the specific SPLA components that are being removed from the inventory
o Record the decommissioned status of SPLA in the SSP and distribute the document to the appropriate individuals or agencies
3 SECURITY CONTROLS MONITORING
The following schedule (Table 1) shall be established by the System Owner for continuous monitoring security control assessment, to ensure that all controls requiring assessment are covered and that every control is assessed at least once during the three-year accreditation cycle.
• Year 1 – Full accreditation; all security controls assessed
• Year 2 – All security controls required to be assessed annually (see Appendix B), plus a subset of the remaining security controls (see Appendix C), must be assessed
• Year 3 – All security controls required to be assessed annually (see Appendix B), plus the subset of security controls that were not assessed during Year 2 (see Appendix D), must be assessed
As it is not feasible or cost-effective to monitor all of the security controls in SPLA on a continuous basis, an appropriate subset of those controls shall be selected for the annual assessment. The selection of a subset of security controls for continuous monitoring assessment includes the following considerations:
• Annual Security Control Requirements – Those security controls that require annual assessment, as identified by NIST SP 800-53
• Significant Changes to SPLA – A significant change to SPLA, or to its operating environment, may introduce new security vulnerabilities and may require more frequent assessment of selected security controls
• External Influences – Activities outside the direct control of SPLA that may affect its security posture. Examples include, but are not limited to, organizational changes, new or modified policies, and newly identified threats or vulnerabilities
• Scottish Pride Requirements – Those security controls that Scottish Pride deems essential to protecting SPLA may require increased attention and more frequent assessment
• Plan of Action and Milestones (POA&M) Items – New or modified security controls, implemented to remediate identified weaknesses, should be assessed for effectiveness
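The three-year rotation and the selection considerations above combine into a concrete assessment set for each year. The Python script below is an added example, not part of the SPLA plan or any Scottish Pride tooling, that computes that set from rows shaped like Table 1: it applies the Year 1 / Annual / Year 2 / Year 3 frequencies, pulls forward controls named by POA&M items or touched by a significant change, and checks that no control falls out of the rotation (a row whose frequency text matches none of the expected values would otherwise never be reassessed after Year 1). The sample rows are the Access Control (AC) entries of Table 1; the POA&M and change triggers are constructed for this example.

```python
"""Three-year control assessment schedule planner.

Added example (not part of the SPLA plan). Computes which controls are due
in a given year of the authorization cycle from Table 1 style rows, adds
controls pulled forward by POA&M items or significant changes, and verifies
full coverage of the cycle. The trigger lists are constructed.
"""

# Rows copied from the Access Control section of Table 1:
# (control number, control name, frequency after the Year 1 full assessment)
CONTROLS = [
    ("AC-1", "Access Control Policy and Procedures", "Year 2"),
    ("AC-2", "Account Management", "Annual"),
    ("AC-3", "Access Enforcement", "Year 2"),
    ("AC-4", "Information Flow Enforcement", "Year 2"),
    ("AC-5", "Separation of Duties", "Year 3"),
    ("AC-6", "Least Privilege", "Year 3"),
    ("AC-7", "Unsuccessful Logon Attempts", "Annual"),
    ("AC-8", "System Use Notification", "Year 3"),
    ("AC-11", "Session Lock", "Year 3"),
    ("AC-12", "Session Termination", "Year 3"),
    ("AC-13", "Supervision and Review - Access Control", "Annual"),
    ("AC-14", "Permitted Actions w/o Identification or Authentication", "Year 2"),
    ("AC-17", "Remote Access", "Annual"),
    ("AC-18", "Wireless Access Restrictions", "Year 3"),
    ("AC-19", "Access Control for Portable and Mobile Systems", "Year 3"),
    ("AC-20", "Use of External Information Systems", "Year 2"),
]

CYCLE_YEARS = (1, 2, 3)


def control_sort_key(cid):
    """Sort 'AC-11' after 'AC-2' (numeric, not lexicographic)."""
    family, number = cid.split("-")
    return (family, int(number))


def scheduled_controls(controls, year):
    """Controls due in `year` under the Table 1 frequencies alone.

    Year 1 is the full assessment; 'Annual' controls recur every year;
    a 'Year N' control is due in year N of the cycle.
    """
    if year not in CYCLE_YEARS:
        raise ValueError(f"year must be one of {CYCLE_YEARS}")
    return {cid for cid, _name, freq in controls
            if year == 1 or freq == "Annual" or freq == f"Year {year}"}


def plan_year(controls, year, poam_controls=(), changed_controls=()):
    """Assessment set for a year: the schedule plus pulled-forward controls.

    `poam_controls`: controls with new or modified implementations from POA&M
    remediation. `changed_controls`: controls affected by a significant change.
    Both are assessed this year regardless of their Table 1 slot.
    Returns (due, pulled_forward) so the status report can say why each
    control is in scope.
    """
    known = {cid for cid, _n, _f in controls}
    extra = set(poam_controls) | set(changed_controls)
    unknown = extra - known
    if unknown:
        raise ValueError(f"controls not in the monitoring table: {sorted(unknown)}")
    base = scheduled_controls(controls, year)
    return base | extra, extra - base


def verify_cycle_coverage(controls):
    """Controls never assessed after Year 1 across the cycle (should be empty).

    Every non-Annual control must carry a 'Year 2' or 'Year 3' slot; any other
    frequency text silently drops the control out of the rotation.
    """
    assessed_later = set()
    for year in CYCLE_YEARS[1:]:
        assessed_later |= scheduled_controls(controls, year)
    missing = {cid for cid, _n, _f in controls} - assessed_later
    return sorted(missing, key=control_sort_key)


if __name__ == "__main__":
    # Constructed Year 2 triggers: AC-6 was re-implemented to close a POA&M
    # item, and a remote-access change touched AC-17 and AC-19.
    due, pulled = plan_year(CONTROLS, 2,
                            poam_controls=["AC-6"],
                            changed_controls=["AC-17", "AC-19"])
    print("Year 2 assessment:", sorted(due, key=control_sort_key))
    print("Pulled forward:", sorted(pulled, key=control_sort_key))
    print("Missing from rotation:", verify_cycle_coverage(CONTROLS))
```

Note that AC-17 is pulled into the Year 2 set by the constructed change but is not reported as "pulled forward", because it is Annual and would have been assessed anyway; only AC-6 and AC-19 change the plan. The coverage check is worth running whenever Table 1 is edited, since a typo in a frequency cell is exactly the kind of error that surfaces as an unassessed control at the end of the cycle.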
Table 1: SPLA Security Controls Assessment

Control Number | Control Name | Frequency
---------------|--------------|----------

Access Control (AC)
AC-1 | Access Control Policy and Procedures | Year 1, Year 2
AC-2 | Account Management | Year 1, Annual
AC-3 | Access Enforcement | Year 1, Year 2
AC-4 | Information Flow Enforcement | Year 1, Year 2
AC-5 | Separation of Duties | Year 1, Year 3
AC-6 | Least Privilege | Year 1, Year 3
AC-7 | Unsuccessful Logon Attempts | Year 1, Annual
AC-8 | System Use Notification | Year 1, Year 3
AC-11 | Session Lock | Year 1, Year 3
AC-12 | Session Termination | Year 1, Year 3
AC-13 | Supervision and Review – Access Control | Year 1, Annual
AC-14 | Permitted Actions w/o Identification or Authentication | Year 1, Year 2
AC-17 | Remote Access | Year 1, Annual
AC-18 | Wireless Access Restrictions | Year 1, Year 3
AC-19 | Access Control for Portable and Mobile Systems | Year 1, Year 3
AC-20 | Use of External Information Systems | Year 1, Year 2

Awareness and Training (AT)
AT-1 | Security Awareness and Training Policies and Procedures | Year 1, Year 2
AT-2 | Security Awareness | Year 1, Annual
AT-3 | Security Training | Year 1, Annual
AT-4 | Security Training Records | Year 1, Year 2

Audit and Accountability (AU)
AU-1 | Audit and Accountability Policy and Procedures | Year 1, Year 2
AU-2 | Auditable Events | Year 1, Annual
AU-3 | Content of Audit Records | Year 1, Annual
AU-4 | Audit Storage Capacity | Year 1, Annual
AU-5 | Response to Audit Processing Failures | Year 1, Annual
AU-6 | Audit Monitoring, Analysis, and Reporting | Year 1, Annual
AU-7 | Audit Reduction and Report Generation | Year 1, Annual
AU-8 | Time Stamps | Year 1, Year 2
AU-9 | Protection of Audit Information | Year 1, Year 2
AU-11 | Audit Retention | Year 1, Annual

Certification, Accreditation, and Security Assessments (CA)
CA-1 | Certification, Accreditation, and Security Assessment Policies and Procedures | Year 1, Year 2
CA-2 | Security Assessments | Year 1, Year 2
CA-3 | Information System Connections | Year 1, Year 2
CA-4 | Security Certification | Year 1, Year 2
CA-5 | Plan of Action and Milestones | Year 1, Year 2
CA-6 | Security Accreditation | Year 1, Year 3
CA-7 | Continuous Monitoring | Year 1, Year 2

Configuration Management (CM)
CM-1 | Configuration Management Policy and Procedures | Year 1, Year 2
CM-2 | Baseline Configuration | Year 1, Annual
CM-3 | Configuration Change Control | Year 1, Annual
CM-4 | Monitoring Configuration Changes | Year 1, Annual
CM-5 | Access Restrictions for Change | Year 1, Annual
CM-6 | Configuration Settings | Year 1, Annual
CM-7 | Least Functionality | Year 1, Annual
CM-8 | Information System Component Inventory | Year 1, Annual

Contingency Planning (CP)
CP-1 | Contingency Management Policy and Procedures | Year 1, Year 2
CP-2 | Contingency Plan | Year 1, Annual
CP-3 | Contingency Training | Year 1, Annual
CP-4 | Contingency Plan Testing and Exercises | Year 1, Annual
CP-5 | Contingency Plan Updates | Year 1, Annual
CP-6 | Alternate Storage Sites | Year 1, Annual
CP-7 | Alternate Processing Sites | Year 1, Annual
CP-8 | Telecommunication Services | Year 1, Annual
CP-9 | Information System Backup | Year 1, Annual
CP-10 | Information System Recovery and Reconstitution | Year 1, Annual

Identification and Authentication (IA)
IA-1 | Identification and Authentication Policy and Procedures | Year 1, Year 2
IA-2 | User Identification and Authentication | Year 1, Year 3
IA-3 | Device Identification and Authentication | Year 1, Year 2
IA-4 | Identifier Management | Year 1, Annual
IA-5 | Authenticator Management | Year 1, Annual
IA-6 | Authenticator Feedback | Year 1, Annual

Incident Response (IR)
IR-1 | Incident Response Policy and Procedures | Year 1, Year 2
IR-2 | Incident Response Training | Year 1, Annual
IR-3 | Incident Response Testing and Exercises | Year 1, Year 2
IR-4 | Incident Handling | Year 1, Year 2
IR-5 | Incident Monitoring | Year 1, Annual
IR-6 | Incident Reporting | Year 1, Annual
IR-7 | Incident Response Assistance | Year 1, Year 2

Maintenance (MA)
MA-1 | System Maintenance Policy and Procedures | Year 1, Year 2
MA-2 | Controlled Maintenance | Year 1, Annual
MA-3 | Maintenance Tools | Year 1, Annual
MA-4 | Remote Maintenance | Year 1, Annual
MA-5 | Maintenance Personnel | Year 1, Annual
MA-6 | Timely Maintenance | Year 1, Annual

Media Protection (MP)
MP-1 | Media Protection Policy and Procedures | Year 1, Year 2
MP-2 | Media Access | Year 1, Year 3
MP-4 | Media Storage | Year 1, Year 3
MP-5 | Media Transport | Year 1, Annual
MP-6 | Media Sanitization and Disposal | Year 1, Annual

Physical and Environmental Protection (PE)
PE-1 | Physical and Environmental Protection Policy and Procedures | Year 1, Year 2
PE-2 | Physical Access Authorizations | Year 1, Annual
PE-3 | Physical Access Control | Year 1, Annual
PE-5 | Access Control for Display Medium | Year 1, Year 2
PE-6 | Monitoring Physical Access | Year 1, Annual
PE-7 | Visitor Control | Year 1, Annual
PE-8 | Access Records | Year 1, Year 2
PE-9 | Power Equipment and Power Cabling | Year 1, Year 2
PE-10 | Emergency Shutoff | Year 1, Year 2
PE-11 | Emergency Power | Year 1, Year 2
PE-12 | Emergency Lighting | Year 1, Annual
PE-13 | Fire Protection | Year 1, Annual
PE-14 | Temperature and Humidity Controls | Year 1, Annual
PE-16 | Delivery and Removal | Year 1, Annual
PE-17 | Alternate Work Site | Year 1, Year 3
PE-18 | Location of Information System Components | Year 1, Year 2

Planning (PL)
PL-1 | Security Planning Policy and Procedures | Year 1, Year 2
PL-2 | System Security Plan | Year 1, Year 3
PL-3 | System Security Plan Update | Year 1, Year 2
PL-4 | Rules of Behavior | Year 1, Annual
PL-5 | Privacy Impact Assessment | Year 1, Year 3
PL-6 | Security Related Activity Planning | Year 1, Annual

Personnel Security (PS)
PS-1 | Personnel Security Policy and Procedures | Year 1, Year 2
PS-2 | Position Categorization | Year 1, Year 3
PS-3 | Personnel Screening | Year 1, Annual
PS-4 | Personnel Termination | Year 1, Annual
PS-5 | Personnel Transfer | Year 1, Annual
PS-6 | Access Agreements | Year 1, Annual
PS-7 | Third-Party Personnel Security | Year 1, Annual
PS-8 | Personnel Sanctions | Year 1, Year 3

Risk Assessment (RA)
RA-1 | Risk Assessment Policy and Procedures | Year 1, Year 2
RA-2 | Security Categorization | Year 1, Year 3
RA-3 | Risk Assessment | Year 1, Year 3
RA-4 | Risk Assessment Update | Year 1, Year 3
RA-5 | Vulnerability Scanning | Year 1, Year 2

System and Services Acquisition (SA)
SA-1 | System and Services Acquisition Policy and Procedures | Year 1, Year 2
SA-2 | Allocation of Resources | Year 1, Year 2
SA-3 | Life Cycle Support | Year 1, Year 2
SA-4 | Acquisitions | Year 1, Annual
SA-5 | Information System Documentation | Year 1, Year 2
SA-6 | Software Usage Restrictions | Year 1, Year 2
SA-7 | User Installed Software | Year 1, Annual
SA-8 | Security Engineering Principle | Year 1, Year 2
SA-9 | External Information System Services | Year 1, Year 3
SA-11 | Developer Security Testing | Year 1, Year 3

System and Communication Protection (SC)
SC-1 | System and Communications Protection Policy and Procedures | Year 1, Year 2
SC-2 | Application Partitioning | Year 1, Year 2
SC-4 | Information Remnance | Year 1, Annual
SC-5 | Denial of Service Protection | Year 1, Year 3
SC-7 | Boundary Protection | Year 1, Annual
SC-8 | Transmission Integrity | Year 1, Annual
SC-9 | Transmission Confidentiality | Year 1, Year 3
SC-10 | Network Disconnect | Year 1, Year 3
SC-14 | Public Access Protections | Year 1, Year 3
SC-17 | Public Key Infrastructure Certificates | Year 1, Annual
SC-18 | Mobile Code | Year 1, Year 2
SC-19 | Voice Over Internet Protocol | Year 1, Year 2
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | Year 1, Year 2
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | Year 1, Year 2
SC-23 | Session Authenticity | Year 1, Year 3

System and Information Integrity (SI)
SI-1 | System and Information Integrity Policy and Procedures | Year 1, Year 2
SI-2 | Flaw Remediation | Year 1, Annual
SI-3 | Malicious Code Protection | Year 1, Year 3
SI-4 | Information System Monitoring Tools and Techniques | Year 1, Annual
SI-5 | Security Alerts and Advisories | Year 1, Annual
SI-8 | Spam and Spyware Protection | Year 1, Year 3
SI-9 | Information Input Restrictions | Year 1, Year 3
SI-10 | Information Input Accuracy, Completeness, and Validity | Year 1, Annual
SI-11 | Error Handling | Year 1, Annual
SI-12 | Output Handling and Retention | Year 1, Annual

Additional Security Controls
– | Any critical volatile security controls, as determined by the System Owner | Annual
– | The CIO may identify Agency security controls and/or designate additional SPLA security controls for annual assessment | Annual
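To turn Table 1 into the per-year subset the section calls for, here is an added example (my code, not part of the SPLA plan) that parses rows in the shape of the table and returns the controls due in a given year of the three-year cycle, folding in POA&M items, families touched by a significant change, and System Owner-designated controls. The reading of "Year 1, Year 2" as cycle years 1 and 2 and "Annual" as every year, and the excerpt of rows embedded below, are my assumptions.

```python
"""Added example, not from the SPLA plan: select the Table 1 controls due in a
given year of the three-year assessment cycle, plus the event-driven additions
the plan's selection considerations describe.

Assumption (mine): "Year 1, Year 2" means assessed in cycle years 1 and 2;
"Annual" means assessed every year.
"""
from dataclasses import dataclass

# Constructed excerpt of Table 1 rows (control id | name | frequency).
# The full table can be pasted in the same shape.
TABLE_1 = """
AC-1 | Access Control Policy and Procedures | Year 1, Year 2
AC-2 | Account Management | Year 1, Annual
AC-5 | Separation of Duties | Year 1, Year 3
AC-7 | Unsuccessful Logon Attempts | Year 1, Annual
CA-5 | Plan of Action and Milestones | Year 1, Year 2
IA-4 | Identifier Management | Year 1, Annual
SC-9 | Transmission Confidentiality | Year 1, Year 3
"""


@dataclass(frozen=True)
class Control:
    cid: str          # e.g. "AC-7"
    name: str
    years: frozenset  # cycle years (1, 2, 3) in which the control is assessed


def parse_table(text: str) -> list:
    """Parse pipe-separated rows into Control records."""
    controls = []
    for line in text.strip().splitlines():
        cid, name, freq = (part.strip() for part in line.split("|"))
        years = set()
        for token in (t.strip() for t in freq.split(",")):
            if token == "Annual":
                years.update({1, 2, 3})
            elif token.startswith("Year "):
                years.add(int(token[len("Year "):]))
            else:
                raise ValueError(f"unknown frequency {token!r} for {cid}")
        controls.append(Control(cid, name, frozenset(years)))
    return controls


def _sort_key(cid: str):
    # Sort by family, then numeric control number ("AC-11" after "AC-7").
    family, number = cid.split("-")
    return (family, int(number))


def controls_due(controls, cycle_year, poam_controls=(), changed_families=(),
                 owner_critical=()):
    """Return sorted control ids due for assessment in cycle_year.

    poam_controls:    ids of controls modified to remediate a POA&M weakness;
                      the plan says these are assessed for effectiveness.
    changed_families: families (e.g. "CM") affected by a significant change;
                      every table control in those families is pulled in.
    owner_critical:   volatile controls the System Owner designates (annual).
    """
    if cycle_year not in (1, 2, 3):
        raise ValueError("cycle_year must be 1, 2 or 3")
    families = set(changed_families)
    due = {c.cid for c in controls if cycle_year in c.years}
    due |= {c.cid for c in controls if c.cid.split("-")[0] in families}
    due |= set(poam_controls)
    due |= set(owner_critical)
    return sorted(due, key=_sort_key)


if __name__ == "__main__":
    table = parse_table(TABLE_1)
    for year in (1, 2, 3):
        print(f"Year {year}:", ", ".join(controls_due(table, year)))
    print("Year 3 + POA&M AC-1:",
          ", ".join(controls_due(table, 3, poam_controls=["AC-1"])))
```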
APPENDIX A – RESPONSIBILITIES

System Owner (Role: Monitor)
• May designate a representative to perform continuous monitoring security control assessments as required for the annual report to the CIO
• Develop and document a continuous monitoring strategy for their information systems
• Be responsible for continuous monitoring security control assessment activities
• Ensure resources are provided for the continuous monitoring security control assessment activities for SPLA
• Report to the ISSO any significant changes made to SPLA that may impact the security status and require a reaccreditation of SPLA
• Participate in the agency’s configuration management process
• Establish and maintain an inventory of SPLA’s components
• Conduct security impact analyses on all changes to SPLA
• Conduct security assessments of security controls according to their continuous monitoring strategies
• Prepare and submit security status reports at the monthly
• Conduct remediation activities as necessary to maintain the current authorization status
• Update the selection of security controls for SPLA when events occur that indicate the baseline set of security controls is no longer adequate to protect SPLA
• Update critical security documents on a regular basis

Information Systems Security Officer (ISSO) (Role: Supporter)
• Provide oversight to continuous monitoring security control assessment activities for SPLA, ensuring completion and reporting no later than July 31st of each fiscal year
• Provide an assessment and recommendation to the System Owner and CIO as to the need for reaccreditation as a result of a reported or identified significant change to SPLA
• Participate in the formal configuration management process

Information Security Manager (ISM) (Role: Overseer)
• Support the information owner on the continuous monitoring security control assessment procedures to complete security responsibilities
• Ensure Agency annual security controls are certified annually
• Prepare and submit Agency metrics on continuous monitoring security control assessments as required for the annual Scottish Pride report satisfying auditing requirements
• Participate in the formal configuration management process

Chief Information Officer (CIO) (Role: Leader)
• Ensure an effective continuous monitoring program is established for the organization
• Establish expectations/requirements for the agency’s continuous monitoring process
• Provide funding, personnel, and other resources to support continuous monitoring
• Maintain high-level communications and working group relationships among agency entities
• Ensure that information systems are covered by an approved security plan, are authorized to operate, and are monitored throughout the system development life cycle
• Ensure completion of continuous monitoring security control assessments on SPLA
• Ensure Scottish Pride CIO-designated and/or common security controls are certified annually
• Determine whether a significant change to SPLA requires reaccreditation and advise the ISSO and ISM of such a decision
• Review SPLA security weaknesses identified and reported during the continuous monitoring security control assessment activities

User (Role: Advisor)
• Identify changes to mission, business, or operational security requirements
• Report any weaknesses in, or new requirements for, SPLA operations
• Submit and justify system change requests through the agency’s formal configuration management process

Operations Manager (GeoSol) (Role: Supporter)
• Support the information owner/information System Owner to complete security responsibilities
• Participate in the formal configuration management process
APPENDIX B – ANNUAL REQUIRED SECURITY CONTROLS

The following security controls should be monitored annually:

Access Control (AC)
AC-2 Account Management: Scottish Pride manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. Scottish Pride reviews information system accounts annually.
AC-7 Unsuccessful Logon Attempts: The information system enforces a limit of three consecutive invalid access attempts by a user during a 30-minute time period. When the maximum number of unsuccessful attempts is exceeded, the information system automatically locks the account/node for 30 minutes on low systems, or until an appropriate security administrator manually intervenes to unlock the account on moderate and high systems.
AC-13 Supervision and Review – Access Control: Scottish Pride supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.
AC-17 Remote Access: Scottish Pride documents, monitors, and controls all methods of remote access (e.g., dial-up, Internet) to the information system, including remote access for privileged functions. Appropriate Scottish Pride officials authorize each remote access method for the information system and authorize only the necessary users for each access method.
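The AC-7 rule above, worked as an added example (my code, not part of the plan or of SPLA): it replays constructed authentication log lines and applies the three-attempt, 30-minute rule, with the timed 30-minute lock for low systems and the administrator-unlock requirement for moderate and high systems. The log line format, the event names, and the reading that the lock triggers on the attempt that exceeds three consecutive failures are my assumptions.

```python
"""Added example, not from the SPLA plan: evaluate the AC-7 lockout rule over
constructed authentication events.

Rule as the plan states it: at most three consecutive invalid attempts by a
user within a 30-minute period; once exceeded, lock for 30 minutes (low
systems) or until an administrator unlocks (moderate and high systems).
"""
from datetime import datetime, timedelta

MAX_FAILURES = 3                      # consecutive failures tolerated
WINDOW = timedelta(minutes=30)        # period over which failures are counted
LOCK_DURATION = timedelta(minutes=30) # timed lock on low systems

# Constructed sample log: "<ISO timestamp> <user> <event>" where event is
# login_ok, login_fail or admin_unlock (event names are my assumption).
SAMPLE_LOG = """\
2013-05-28T09:00:00 alice login_fail
2013-05-28T09:05:00 alice login_fail
2013-05-28T09:07:00 alice login_ok
2013-05-28T09:10:00 bob login_fail
2013-05-28T09:12:00 bob login_fail
2013-05-28T09:14:00 bob login_fail
2013-05-28T09:15:00 bob login_fail
2013-05-28T09:20:00 bob login_ok
2013-05-28T09:50:00 bob login_ok
2013-05-28T10:00:00 carol login_fail
2013-05-28T10:31:00 carol login_fail
2013-05-28T10:40:00 carol login_fail
2013-05-28T10:45:00 carol login_fail
2013-05-28T11:00:00 bob admin_unlock
2013-05-28T11:05:00 bob login_ok
"""


def evaluate(log_text: str, impact: str = "low"):
    """Replay events and return (timestamp, user, decision) tuples.

    Decisions: allow, deny, lock, denied_locked, unlock.
    impact is the system categorization: low, moderate or high.
    """
    if impact not in ("low", "moderate", "high"):
        raise ValueError("impact must be low, moderate or high")
    fails = {}    # user -> timestamps of the current run of consecutive failures
    locked = {}   # user -> lock expiry, or None when only an admin may unlock
    decisions = []
    for line in log_text.strip().splitlines():
        ts_text, user, event = line.split()
        ts = datetime.fromisoformat(ts_text)
        if event == "admin_unlock":
            locked.pop(user, None)
            fails[user] = []
            decisions.append((ts, user, "unlock"))
            continue
        if user in locked:
            expiry = locked[user]
            if expiry is None or ts < expiry:
                # Locked accounts are refused regardless of credentials.
                decisions.append((ts, user, "denied_locked"))
                continue
            del locked[user]          # timed lock on a low system has expired
            fails[user] = []
        if event == "login_ok":
            fails[user] = []          # a success ends the consecutive run
            decisions.append((ts, user, "allow"))
            continue
        # login_fail: keep only failures inside the 30-minute window.
        recent = [t for t in fails.get(user, []) if ts - t <= WINDOW]
        recent.append(ts)
        fails[user] = recent
        if len(recent) > MAX_FAILURES:
            locked[user] = ts + LOCK_DURATION if impact == "low" else None
            decisions.append((ts, user, "lock"))
        else:
            decisions.append((ts, user, "deny"))
    return decisions


def decisions_for(user: str, log_text: str, impact: str = "low"):
    """Decision sequence for one user, in event order."""
    return [d for _, u, d in evaluate(log_text, impact) if u == user]


if __name__ == "__main__":
    for impact in ("low", "moderate"):
        print(impact, "bob:", decisions_for("bob", SAMPLE_LOG, impact))
    print("carol (failures spread past the window):",
          decisions_for("carol", SAMPLE_LOG))
```

Carol's four failures never lock because the first one falls outside the 30-minute window; Bob's fourth does, and on a moderate system the lock survives until the admin_unlock event.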
Awareness and Training (AT)
AT-2 Security Awareness: Scottish Pride ensures all users (including managers and senior executives) are exposed to basic information system security awareness materials before authorizing access to the system and at least annually thereafter.
AT-3 Security Training: Scottish Pride identifies personnel with significant information system security roles and responsibilities, documents those roles and responsibilities, and provides appropriate information system security training before authorizing access to the system and each year thereafter.
Audit and Accountability (AU)
AU-2 Auditable Events: The information system generates audit records for events identified in the Scottish Pride IT Security Handbook.
AU-3 Content of Audit Records: The information system captures sufficient information in audit records to establish what events occurred, the sources of the events, and the outcomes of the events.
AU-4 Audit Storage Capacity: Scottish Pride allocates sufficient audit record storage capacity and configures auditing to prevent such capacity being exceeded.
AU-5 Response to Audit Processing Failures: In the event of an audit failure or audit storage capacity being reached, the information system alerts appropriate Scottish Pride officials and takes the following additional actions:
• Shut down the system
• Overwrite the oldest audit records
• Stop generating audit records
AU-6 Audit Monitoring, Analysis, and Reporting: Scottish Pride regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.
AU-7 Audit Reduction and Report Generation: The information system provides an audit reduction and report generation capability.
AU-11 Audit Retention: Scottish Pride retains audit logs in accordance with Scottish Pride records retention policies, but at least for one year for high and moderate systems to provide support for after-the-fact investigations of security incidents and to meet regulatory and Scottish Pride information retention requirements.
Configuration Management (CM)
CM-2 Baseline Configuration: Scottish Pride develops, documents, and maintains a current, baseline configuration of the information system and an inventory of the system’s constituent components.
CM-3 Configuration Change Control: Scottish Pride documents and controls changes to the information system. Appropriate Scottish Pride officials approve information system changes in accordance with Scottish Pride policies and procedures.
CM-4 Monitoring Configuration Changes: Scottish Pride monitors changes to the information system and conducts security impact analyses to determine the effects of the changes.
CM-5 Access Restrictions for Change: Scottish Pride enforces access restrictions associated with changes to the information system.
CM-6 Configuration Settings: Scottish Pride configures the security settings of information technology products to the most restrictive mode consistent with information system operational requirements.
CM-7 Least Functionality: Scottish Pride configures the information system to provide only essential capabilities and specifically prohibits and/or restricts the use of any protocol or service that is not explicitly permitted.
CM-8 Information System Component Inventory: Scottish Pride develops, documents, and maintains a current inventory of the components of the information system and relevant ownership information.
Contingency Planning (CP)
CP-1 Contingency Planning Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
CP-2 Contingency Plan: Scottish Pride develops and implements a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within Scottish Pride review and approve the contingency plan and distribute copies of the plan to key contingency personnel.
CP-3 Contingency Training: Scottish Pride trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training annually.
CP-4 Contingency Plan Testing and Exercises: Scottish Pride tests the contingency plan for the information system at least annually to determine the plan’s effectiveness and Scottish Pride’s readiness to execute the plan. Systems rated as high shall be tested at the alternate processing site. Appropriate officials within Scottish Pride review the contingency plan test results and initiate corrective actions.
CP-5 Contingency Plan Update: Scottish Pride reviews the contingency plan for the information system once per year and revises the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.
CP-6 Alternate Storage Sites: Scottish Pride identifies an alternate storage site and initiates necessary agreements to permit the storage of information system backup information.
CP-7 Alternate Processing Site: Scottish Pride identifies an alternate processing site and initiates necessary agreements to permit the resumption of information system operations for critical mission/business functions within 24 hours when the primary processing capabilities are unavailable.
CP-8 Telecommunications Services: Scottish Pride identifies primary and alternate telecommunications services to support the information system and initiates necessary agreements to permit the resumption of system operations for critical mission/business functions within 24 hours when the primary telecommunications capabilities are unavailable.
CP-9 Information System Backup: Scottish Pride conducts backups of user-level and system-level information (including system state information) contained in the information system according to backup schedules documented in the system contingency plan and stores backup information at an appropriately secured location.
CP-10 Information System Recovery and Reconstitution: Scottish Pride employs mechanisms with supporting procedures to allow the information system to be recovered and reconstituted to the system’s original state after a disruption or failure.
Identification and Authentication (IA)
IA-4 Identifier Management: Scottish Pride manages user identifiers by: (1) uniquely identifying each user; (2) verifying the identity of each user; (3) receiving authorization to issue a user identifier from an appropriate Scottish Pride official; (4) ensuring that the user identifier is issued to the intended party; (5) disabling the user identifier after 30 days of inactivity; and (6) archiving user identifiers.
IA-5 Authenticator Management: Scottish Pride manages information system authenticators (e.g., tokens, PKI certificates, biometrics, passwords, key cards) by: (1) defining initial authenticator content; (2) establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; and (3) changing default authenticators upon information system installation.
IA-6 Authenticator Feedback: The information system provides feedback to a user during an attempted authentication and that feedback does not compromise the authentication mechanism.
Incident Response (IR)
IR-2 Incident Response Training: Scottish Pride trains personnel in their incident response roles and responsibilities with respect to the information system and provides refresher training at least annually.
IR-5 Incident Monitoring: Scottish Pride tracks and documents information system security incidents on an ongoing basis.
IR-6 Incident Reporting: Scottish Pride promptly reports incident information to appropriate authorities.
Maintenance (MA)
MA-2 Controlled Maintenance: Scottish Pride schedules, performs, and documents routine preventative and regular maintenance on the components of the information system in accordance with manufacturer or vendor specifications and/or Scottish Pride requirements.
MA-3 Maintenance Tools: Scottish Pride approves, controls, and monitors the use of information system maintenance tools and maintains the tools on an ongoing basis.
MA-4 Remote Maintenance: Scottish Pride approves, controls, and monitors remotely executed maintenance and diagnostic activities.
MA-5 Maintenance Personnel: Scottish Pride maintains a list of personnel authorized to perform maintenance on the information system. Only authorized personnel perform maintenance on the information system.
MA-6 Timely Maintenance: Scottish Pride obtains maintenance support and spare parts within 48 hours of failure.
Media Protection (MP)
MP-5 Media Transport: Scottish Pride controls information system media (paper and electronic) and restricts the pickup, receipt, transfer, and delivery of such media to authorized personnel.
MP-6 Media Sanitization and Disposal: Scottish Pride sanitizes information system digital media using approved equipment, techniques, and procedures. Scottish Pride tracks, documents, and verifies media sanitization actions and periodically tests sanitization equipment/procedures to ensure correct performance.
Physical and Environmental Protection (PE)
PE-2 Physical Access Authorizations: Scottish Pride develops and keeps current lists of personnel with authorized access to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and issues appropriate authorization credentials (e.g., badges, identification cards, smart cards). Designated officials within Scottish Pride review and approve the access list and authorization credentials once a year.
PE-3 Physical Access Control: Scottish Pride controls all physical access points (including designated entry/exit points) to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facilities. Scottish Pride also controls access to areas officially designated as publicly accessible, as appropriate, in accordance with Scottish Pride’s assessment of risk.
PE-6 Monitoring Physical Access: Scottish Pride monitors physical access to information systems to detect and respond to incidents.
PE-7 Visitor Control: Scottish Pride controls physical access to information systems by authenticating visitors before authorizing access to facilities or areas other than areas designated as publicly accessible.
PE-12 Emergency Lighting: Scottish Pride employs and maintains automatic emergency lighting systems that activate in the event of a power outage or disruption and that cover emergency exits and evacuation routes.
PE-13 Fire Protection: Scottish Pride employs and maintains fire suppression and detection devices/systems that can be activated in the event of a fire.
PE-14 Temperature and Humidity Controls: Scottish Pride regularly maintains within acceptable levels and monitors the temperature and humidity within facilities containing information systems.
PE-16 Delivery and Removal: Scottish Pride controls information system-related items (i.e., hardware, firmware, software) entering and exiting the facility and maintains appropriate records of those items.
Planning (PL)
PL-3 System Security Plan Update: Scottish Pride reviews the security plan for the information system annually and revises the plan to address system/organizational changes or problems identified during plan implementation or security control assessments.
PL-4 Rules of Behavior: Scottish Pride establishes and makes readily available to all information system users a set of rules that describes their responsibilities and expected behavior with regard to information system usage. Scottish Pride receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system.
PL-6 Security-Related Activity Planning: Scottish Pride plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on Scottish Pride operations (i.e., mission, functions, image, and reputation), Scottish Pride assets, and individuals.
Personnel Security (PS)
PS-3 Personnel Screening: Scottish Pride screens individuals requiring access to Scottish Pride information and information systems before authorizing access.
PS-4 Personnel Termination: When employment is terminated, Scottish Pride terminates information system access, conducts exit interviews, ensures the return of all Scottish Pride information system-related property (e.g., keys, identification cards, building passes), and ensures that appropriate personnel have access to official records created by the terminated employee that are stored on Scottish Pride information systems.
PS-5 Personnel Transfer: Scottish Pride reviews information systems/facilities access authorizations when individuals are reassigned or transferred to other positions within Scottish Pride and initiates appropriate actions (e.g., reissuing keys, identification cards, building passes; closing old accounts and establishing new accounts; and changing system access authorizations).
PS-6 Access Agreements: Scottish Pride completes appropriate access agreements (e.g., nondisclosure agreements, acceptable use agreements, rules of behavior, conflict-of-interest agreements) for individuals requiring access to Scottish Pride information and information systems before authorizing access.
PS-7 Third-Party Personnel Security: Scottish Pride establishes personnel security requirements for third-party providers (e.g., service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, network and security management) and monitors provider compliance to ensure adequate security.
System and Services Acquisition (SA)
SA-4 Acquisitions: Scottish Pride includes security requirements and/or security specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk.
SA-7 User-Installed Software: Scottish Pride enforces explicit rules governing the downloading and installation of software by users.
System and Communications Protection (SC)
SC-4 Information Remnance: The information system prevents unauthorized and unintended information transfer via shared system resources.
SC-7 Boundary Protection: The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
SC-17 Public Key Infrastructure Certificates: Scottish Pride develops and implements a certificate policy and certification practice statement for the issuance of public key certificates used in the information system.
System and Information Integrity (SI)
SI-2 Flaw Remediation: Scottish Pride identifies, reports, and corrects information system flaws.
SI-4 Information System Monitoring Tools and Techniques: Scottish Pride employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.
SI-5 Security Alerts and Advisories: Scottish Pride receives information system security alerts/advisories on a regular basis, issues alerts/advisories to appropriate personnel, and takes appropriate actions in response.
SI-10 Information Input Accuracy, Completeness, and Validity: The information system checks information inputs for accuracy, completeness, and validity.
SI-11 Error Handling: The information system identifies and handles error conditions in an expeditious manner.
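Worked example for SI-10 and SI-11, added here as an illustration and not taken from the SPLA code base: a validator for an incoming licence application record that checks completeness (required fields present, nothing unexpected), validity (allowlisted formats and permitted values) and accuracy (date range is consistent), and an error handler that reports the failing field and rule to the caller without echoing the submitted value or an internal stack trace. The field names, formats and the one-year validity limit are assumptions made for the example, not the SPLA's actual schema.

```python
"""Input validation (SI-10) and error handling (SI-11) for a licence application.

Constructed example: field names, formats and limits are assumed, not the SPLA schema.
"""
import re
from datetime import date

# Allowlist: only these fields are accepted, and each has a strict format.
REQUIRED = {"licence_no", "applicant", "postcode", "licence_type", "valid_from", "valid_to"}
LICENCE_NO = re.compile(r"SP-\d{6}")                       # assumed identifier format
NAME = re.compile(r"[A-Za-z][A-Za-z' -]{0,79}")             # letters, apostrophe, hyphen, space
POSTCODE = re.compile(r"[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}")  # UK postcode shape (assumed)
LICENCE_TYPES = {"retail", "wholesale", "producer"}
MAX_VALIDITY_DAYS = 366                                     # assumed policy limit


def _iso_date(value):
    """Parse an ISO-8601 date; None for anything that is not one (wrong type included)."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def validate_application(data):
    """Return a list of (field, problem) tuples; an empty list means the record is acceptable.

    Problems name the field and the violated rule, never the offending value, so the
    message can be returned to the caller without reflecting attacker-controlled input.
    """
    if not isinstance(data, dict):
        return [("record", "must be a JSON object")]
    errors = []
    # Completeness: every required field present, no fields outside the allowlist.
    for field in sorted(REQUIRED - set(data)):
        errors.append((field, "missing"))
    for field in sorted(set(data) - REQUIRED):
        errors.append((field, "unexpected field"))
    # Validity: strings must fully match their allowlisted pattern.
    for field, pattern in (("licence_no", LICENCE_NO), ("applicant", NAME), ("postcode", POSTCODE)):
        value = data.get(field)
        if value is not None and not (isinstance(value, str) and pattern.fullmatch(value)):
            errors.append((field, "invalid format"))
    licence_type = data.get("licence_type")
    if licence_type is not None and licence_type not in LICENCE_TYPES:
        errors.append(("licence_type", "not a permitted value"))
    # Accuracy: dates parse and describe a sensible validity period.
    d_from, d_to = _iso_date(data.get("valid_from")), _iso_date(data.get("valid_to"))
    for field, parsed in (("valid_from", d_from), ("valid_to", d_to)):
        if field in data and parsed is None:
            errors.append((field, "not an ISO-8601 date"))
    if d_from and d_to:
        if d_to <= d_from:
            errors.append(("valid_to", "must be after valid_from"))
        elif (d_to - d_from).days > MAX_VALIDITY_DAYS:
            errors.append(("valid_to", "validity period exceeds one year"))
    return errors


def handle_request(data):
    """Build the API response (SI-11): structured errors for the caller, nothing internal."""
    try:
        errors = validate_application(data)
    except Exception:
        # The traceback belongs in the server log, not in the response body.
        return {"status": 500, "errors": [("record", "could not be processed")]}
    if errors:
        return {"status": 400, "errors": errors}
    return {"status": 200, "licence_no": data["licence_no"]}


if __name__ == "__main__":
    hostile = {"licence_no": "SP-1; DROP TABLE licences--", "applicant": "Morag MacLeod",
               "postcode": "EH1 1AA", "licence_type": "retail", "valid_from": "2013-06-01",
               "valid_to": "2013-01-01", "role": "admin"}
    print(handle_request(hostile))
```

The response for the hostile record lists three problems (an unexpected `role` field, a malformed `licence_no`, and a `valid_to` that precedes `valid_from`) and nowhere contains the injected string; an assessor checking SI-11 can look for exactly that property in the application's real error responses.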
SI-12 Output Handling and Retention: Scottish Pride handles and retains output from the information system in accordance with Scottish Pride policy and operational requirements.
APPENDIX C – YEAR-2 REQUIRED SECURITY CONTROLS
Year 2 monitoring includes all security controls that must be assessed annually (see Appendix B), plus the subset of the remaining security controls listed below.
Access Control (AC)
AC-1 Access Control Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
AC-3 Access Enforcement: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.
AC-4 Information Flow Enforcement: The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
AC-14 Permitted Actions without Identification or Authentication: Scottish Pride identifies the specific user actions that can be performed on the information system without identification or authentication.
AC-20 Use of External Information Systems: Scottish Pride restricts the use of personally owned information systems for official U.S. Government business involving the processing, storage, or transmission of federal information.
Awareness and Training (AT)
AT-1 Security Awareness and Training Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.
AT-4 Security Training Records: Scottish Pride documents and monitors individual information system security training activities including basic security awareness training and specific information system security training.
Audit and Accountability (AU)
AU-1 Audit and Accountability Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, audit and accountability policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
AU-8 Time Stamps: The information system provides time stamps for use in audit record generation.
AU-9 Protection of Audit Information: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
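Worked example for AU-8 and AU-9, added here as an illustration and not taken from the SPLA code base: an append-only audit log in which every record carries a UTC time stamp and a SHA-256 digest chained to the previous record, so that a verifier can detect a record that was modified, deleted or reordered after the fact. Access control on the log files still has to be enforced by the platform; the chain makes tampering detectable, not impossible. The event contents and the anchor mechanism are assumptions made for the example.

```python
"""Tamper-evident audit log: UTC time stamps (AU-8) and a hash chain that exposes
modification or deletion of audit records (AU-9). Constructed example."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for the hash of the record before the first one


def _digest(prev_hash, body):
    # Canonical JSON (sorted keys, no whitespace) so the digest does not depend on key order.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_record(log, event, now=None):
    """Append an event with a UTC time stamp, chained to the previous record's hash."""
    now = now or datetime.now(timezone.utc)
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "ts": now.isoformat(timespec="seconds"),
        "event": event,
        "prev": prev_hash,
    }
    record = dict(body, hash=_digest(prev_hash, body))
    log.append(record)
    return record


def verify_log(log, anchor=None):
    """Walk the chain and report the first break as (ok, reason).

    Detects a modified record (digest mismatch) and a deleted or reordered record
    (sequence or prev-hash mismatch). Deleting records from the tail is only
    visible when `anchor`, the last hash kept outside the log (for example on a
    separate write-once store), is supplied.
    """
    prev_hash = GENESIS
    for expected_seq, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("seq") != expected_seq or body.get("prev") != prev_hash:
            return False, f"chain break at seq {expected_seq}: record deleted or reordered"
        if _digest(prev_hash, body) != record.get("hash"):
            return False, f"record seq {expected_seq} was modified"
        prev_hash = record["hash"]
    if anchor is not None and prev_hash != anchor:
        return False, "tail truncated: last hash does not match the external anchor"
    return True, "ok"


if __name__ == "__main__":
    log = []
    append_record(log, {"user": "jdoe", "action": "login"})
    approval = append_record(log, {"user": "jdoe", "action": "approve", "licence": "SP-000123"})
    append_record(log, {"user": "jdoe", "action": "logout"})
    anchor = log[-1]["hash"]
    print(verify_log(log, anchor))                      # (True, 'ok')
    # An insider rewrites the approval to look like a read-only action.
    forged = [log[0], dict(approval, event={"user": "jdoe", "action": "view"}), log[2]]
    print(verify_log(forged, anchor))                   # (False, 'record seq 1 was modified')
```

The verifier is the continuous-monitoring check: run it on a schedule against the live log and the stored anchor, and treat any result other than `ok` as a security incident under IR-4, since the audit trail itself can no longer be trusted.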
Certification, Accreditation, and Security Assessments (CA)
CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) formal, documented, security assessment and certification and accreditation policies that address purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the security assessment and certification and accreditation policies and associated assessment, certification, and accreditation controls.
CA-2 Security Assessments: Scottish Pride conducts an assessment of the security controls in the information system annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
CA-3 Information System Connections: Scottish Pride authorizes all connections from the information system to other information systems outside of the accreditation boundary and monitors/controls the system interconnections on an ongoing basis. Appropriate Scottish Pride officials approve information system interconnection agreements.
CA-4 Security Certification: Scottish Pride conducts an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
CA-5 Plan of Action and Milestones: Scottish Pride develops, and updates quarterly, a POA&M for the information system that documents Scottish Pride's planned, implemented, and evaluated remedial actions to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
CA-7 Continuous Monitoring: Scottish Pride monitors the security controls in the information system on an ongoing basis.
Configuration Management (CM)
CM-1 Configuration Management Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, configuration management policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
Contingency Planning (CP)
CP-1 Contingency Planning Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
Identification and Authentication (IA)
IA-1 Identification and Authentication Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, identification and authentication policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
IA-3 Device Identification and Authentication: The information system identifies and authenticates specific devices before establishing a connection.
Incident Response (IR)
IR-1 Incident Response Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, incident response policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
IR-3 Incident Response Testing and Exercises: Scottish Pride tests the incident response capability for the information system at least annually (using automated mechanisms for high-impact systems) to determine the effectiveness of the incident response capability, and documents the results.
IR-4 Incident Handling: Scottish Pride implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
IR-7 Incident Response Assistance: Scottish Pride provides an incident support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of Scottish Pride’s incident response capability.
Maintenance (MA)
MA-1 System Maintenance Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, information system maintenance policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.
Media Protection (MP)
MP-1 Media Protection Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.
Physical and Environmental Protection (PE)
PE-1 Physical and Environmental Protection Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
PE-5 Access Control for Display Medium: Scottish Pride controls physical access to information system devices that display information to prevent unauthorized individuals from observing the display output.
PE-8 Access Records: Scottish Pride maintains a visitor access log to facilities (except for those areas within the facilities officially designated as publicly accessible) that includes: (1) name and organization of the person visiting; (2) signature of the visitor; (3) form of identification; (4) date of access; (5) time of entry and departure; (6) purpose of visit; and (7) name and organization of person visited. Visitor logs are reviewed at closeout, maintained on file, and available for further review for one year.
PE-9 Power Equipment and Power Cabling: Scottish Pride protects power equipment and power cabling for the information system from damage and destruction.
PE-10 Emergency Shutoff: For specific locations within a facility containing concentrations of information system resources (e.g., data centers, server rooms, mainframe rooms), Scottish Pride provides the capability of shutting off power to any information technology component that may be malfunctioning (e.g., due to an electrical fire) or threatened (e.g., due to a water leak) without endangering personnel by requiring them to approach the equipment.
PE-11 Emergency Power: Scottish Pride provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
PE-18 Location of Information System Components: Scottish Pride positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Planning (PL)
PL-1 Security Planning Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, security planning policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.
Personnel Security (PS)
PS-1 Personnel Security Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, personnel security policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
Risk Assessment (RA)
RA-1 Risk Assessment Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.
RA-5 Vulnerability Scanning: Using appropriate vulnerability scanning tools and techniques, Scottish Pride scans for vulnerabilities in the information system every six months or when significant new vulnerabilities affecting the system are identified and reported.
System and Services Acquisition (SA)
SA-1 System and Services Acquisition Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, system and services acquisition policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
SA-2 Allocation of Resources: Scottish Pride determines, documents, and allocates as part of its capital planning and investment control process the resources required to protect the system.
SA-3 Life Cycle Support: Scottish Pride manages the information system using a system development life cycle methodology that includes information security considerations.
SA-5 Information System Documentation: Scottish Pride ensures that adequate documentation for the information system and its constituent components are available, protected when required, and distributed to authorized personnel.
SA-6 Software Usage Restrictions: Scottish Pride complies with software usage restrictions.
SA-8 Security Engineering Principles: Scottish Pride designs and implements the information system using security engineering principles.
System and Communications Protection (SC)
SC-1 System and Communications Protection Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, system and communications protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
SC-2 Application Partitioning: The information system separates user functionality (including user interface services) from information system management functionality.
SC-18 Mobile Code: Scottish Pride: (1) establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously; and (2) documents, monitors, and controls the use of mobile code within the information system. Appropriate Scottish Pride officials authorize the use of mobile code.
SC-19 Voice Over Internet Protocol: Scottish Pride: (1) establishes usage restrictions and implementation guidance for Voice Over Internet Protocol (VOIP) technologies based on the potential to cause damage to the information system if used maliciously; and (2) documents, monitors, and controls the use of VOIP within the information system. Appropriate Scottish Pride officials authorize the use of VOIP.
SC-20 Secure Name/Address Resolution Service (Authoritative Source): The information system that provides name/address resolution service provides additional data origin and integrity artifacts along with the authoritative data it returns in response to resolution queries.
SC-22 Architecture and Provisioning For Name/Address Resolution Service: The information systems that collectively provide name/address resolution service for Scottish Pride are fault tolerant and implement role separation.
System and Information Integrity (SI)
SI-1 System and Information Integrity Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, system and information integrity policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.
APPENDIX D – YEAR-3 REQUIRED SECURITY CONTROLS
Year 3 monitoring includes all security controls that must be assessed annually (see Appendix B), plus the remaining security controls listed below, which were not assessed during Year 2.
Access Control (AC)
AC-5 Separation of Duties: The information system enforces separation of duties through assigned access authorizations.
AC-6 Least Privilege: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.
AC-8 System Use Notification: The information system displays an approved, system use notification message before granting system access informing potential users: (1) that the user is accessing a U.S. Government information system; (2) that system usage may be monitored, recorded, and subject to audit; (3) that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (4) that use of the system indicates consent to monitoring and recording. The system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries) and remains on the screen until the user takes explicit actions to log on to the information system.
AC-12 Session Termination: The information system automatically terminates a session after ten minutes of inactivity.
AC-18 Wireless Access Restrictions: Scottish Pride: (1) establishes usage restrictions and implementation guidance for wireless technologies; and (2) documents, monitors, and controls wireless access to the information system. Appropriate Scottish Pride officials authorize the use of wireless technologies.
AC-19 Access Control for Portable and Mobile Systems: Scottish Pride: (1) establishes usage restrictions and implementation guidance for portable and mobile devices; and (2) documents, monitors, and controls device access to Scottish Pride networks. Appropriate Scottish Pride officials authorize the use of portable and mobile devices.
Certification, Accreditation, and Security Assessments (CA)
CA-6 Security Accreditation: Scottish Pride authorizes (i.e., accredits) the information system for processing before operations and updates the authorization every 3 years. A senior Scottish Pride official signs and approves the security accreditation.
Identification and Authentication (IA)
IA-2 User Identification and Authentication: The information system uniquely identifies and authenticates users (or processes acting on behalf of users).
Media Protection (MP)
MP-2 Media Access: Scottish Pride ensures that only authorized users have access to information in printed form or on digital media removed from the information system.
MP-4 Media Storage: Scottish Pride physically controls and securely stores information system media, both paper and electronic, based on the highest FIPS 199 security category of the information recorded on the media.
Planning (PL)
PL-2 System Security Plan: Scottish Pride develops and implements a security plan for the information system that provides an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements. Designated officials within Scottish Pride review and approve the plan.
PL-5 Privacy Impact Assessment: Scottish Pride conducts a privacy impact assessment on the information system.
Personnel Security (PS)
PS-2 Position Categorization: Scottish Pride assigns a risk designation to all positions and establishes screening criteria for individuals filling those positions. Scottish Pride reviews and revises position risk designations periodically in accordance with Office of Personnel Management (OPM) guidance.
PS-8 Personnel Sanctions: Scottish Pride employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
Risk Assessment (RA)
RA-2 Security Categorization: Scottish Pride categorizes the information system and the information processed, stored, or transmitted by the system in accordance with FIPS 199 and documents the results (including supporting rationale) in the system security plan. Designated senior-level officials within Scottish Pride review and approve the security categorizations.
RA-3 Risk Assessment: Scottish Pride conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.
RA-4 Risk Assessment Update: Scottish Pride updates the risk assessment every three years or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system.
System and Services Acquisition (SA)
SA-9 External Information System Services: Scottish Pride ensures that third-party providers of information system services employ adequate security controls in accordance with applicable federal laws, directives, policies, regulations, standards, guidance, and established service level agreements. Scottish Pride monitors security control compliance.
SA-11 Developer Security Testing: The information system developer creates a security test and evaluation plan, implements the plan, and documents the results. Developmental security test results may be used in support of the security certification and accreditation process for the delivered information system.
System and Communications Protection (SC)
SC-5 Denial of Service Protection: The information system protects against or limits the effects of denial of service attacks on devices within Scottish Pride's internal network.
SC-9 Transmission Confidentiality: The information system protects the confidentiality of transmitted information.
SC-10 Network Disconnect: The information system terminates a network connection at the end of a session or after ten minutes of inactivity.
SC-14 Public Access Protections: For publicly available systems, the information system protects the integrity of the information and applications.
SC-23 Session Authenticity: The information system provides mechanisms to protect the authenticity of communications sessions.
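Worked example for the ten-minute inactivity limit that AC-12 (application session termination) and SC-10 (network disconnect) both impose, added here as an illustration and not taken from the SPLA code base: a server-side session table whose idle clock is kept on the server, so that a token which has seen no activity for ten minutes is rejected and discarded even though the token itself is still well-formed, and a periodic sweep that ends idle sessions whose client never comes back. The user names, the fixed clock and the `at()` helper are constructed for the example.

```python
"""Server-side inactivity time-out (AC-12 / SC-10). Constructed example.

The idle clock lives in the server's session table and is never taken from the
client; the ten-minute limit is the figure this plan specifies."""
import secrets
from datetime import datetime, timedelta, timezone

IDLE_LIMIT = timedelta(minutes=10)


class SessionStore:
    def __init__(self, idle_limit=IDLE_LIMIT):
        self.idle_limit = idle_limit
        self._sessions = {}  # token -> {"user": str, "last_seen": datetime}

    def create(self, user, now=None):
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output; not guessable
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def validate(self, token, now=None):
        """Return the user for a live session, or None.

        A session idle for IDLE_LIMIT or longer is terminated on first contact,
        so a stale token cannot be revived by the very request that presents it."""
        now = now or datetime.now(timezone.utc)
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session["last_seen"] >= self.idle_limit:
            del self._sessions[token]  # terminate: the server-side state is gone
            return None
        session["last_seen"] = now  # genuine activity resets the idle clock
        return session["user"]

    def reap_idle(self, now=None):
        """Scheduled sweep: end idle sessions whose client never returned; returns the count."""
        now = now or datetime.now(timezone.utc)
        dead = [t for t, s in self._sessions.items() if now - s["last_seen"] >= self.idle_limit]
        for token in dead:
            del self._sessions[token]
        return len(dead)

    def active_count(self):
        return len(self._sessions)


# Fixed clock for the worked run (constructed); production code passes nothing and
# lets the store read datetime.now(timezone.utc) itself.
BASE = datetime(2013, 5, 28, 9, 0, tzinfo=timezone.utc)


def at(minutes):
    return BASE + timedelta(minutes=minutes)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("jdoe", at(0))
    print(store.validate(token, at(9)))   # jdoe   (9 min idle, still live)
    print(store.validate(token, at(18)))  # jdoe   (the request at minute 9 reset the clock)
    print(store.validate(token, at(28)))  # None   (10 min idle: terminated)
    print(store.active_count())           # 0
```

Two points an assessor should verify against the real system: the limit must be enforced on the server (a client-side JavaScript timer that merely redirects to the login page does not satisfy AC-12, because the token stays valid), and the transport-level idle timeout on the web server or load balancer that satisfies SC-10 is configured separately from the application session store and needs its own check.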
System and Information Integrity (SI)
SI-3 Malicious Code Protection: The information system implements malicious code protection that includes a capability for automatic updates.
SI-8 Spam and Spyware Protection: The information system implements spam and spyware protection.
SI-9 Information Input Restrictions: Scottish Pride restricts the information input to the information system to authorized personnel only.