Scottish Pride Inc. Office of Information Services Scottish Pride Licensing Application (SPLA) Continuous Monitoring Plan Version 1.0 May 28, 2013


DOCUMENT CONTROL

Change Record: Date | Author | Version | Change Reference

Quality Review History: Date | Reviewer | Comments

Approval Sign-off: Name | Role | Signature | Date

Page 2 of 20


Scottish Pride Scottish Pride Licensing Application Office of Information Services

TABLE OF CONTENTS

1 BACKGROUND 4
1.1 PURPOSE 4
1.2 SECURITY FRAMEWORK SYSTEM DEVELOPMENT LIFECYCLE (SDLC) 4
1.3 OBJECTIVE 5
1.4 RISK 6
1.5 BENEFITS 6
2 REQUIREMENTS FOR CONTINUOUS MONITORING 7
2.1 CONFIGURATION MANAGEMENT AND CONTROL 7
2.2 SECURITY CONTROL MONITORING 9
2.3 STATUS REPORTING AND DOCUMENTATION 11
3 SECURITY CONTROLS MONITORING 13
APPENDIX A – RESPONSIBILITIES 1
APPENDIX B – ANNUAL REQUIRED SECURITY CONTROLS 1
APPENDIX C – YEAR-2 REQUIRED SECURITY CONTROLS 1
APPENDIX D – YEAR-3 REQUIRED SECURITY CONTROLS 1

LIST OF TABLES
Table 1: SPLA Security Controls Assessment 14

LIST OF FIGURES
Figure 1: Security Framework System Development Life Cycle 7


1 BACKGROUND

1.1 Purpose

Continuous monitoring is one of six steps in the Risk Management Framework described in NIST Special Publication 800‐37, Revision 1, Applying the Risk Management Framework (RMF) to Federal Information Systems (February 2010). (See Figure 1 below.) The purpose of a continuous monitoring program is to determine if the complete set of planned, required, and deployed security controls within an information system or inherited by the system continue to be effective over time in light of the inevitable changes that occur. Continuous monitoring is an important activity in assessing the security impacts on an information system resulting from planned and unplanned changes to the hardware, software, firmware, or environment of operation.

The Agency for Enterprise Information Technology Office of Information Security (AEIT/OIS) highly recommends that agencies implement the best practices identified in the Florida Information Technology Resource Security Policies and Standards, 71A-1.001-.010, F.A.C., by formally developing a Continuous Monitoring Plan in accordance with NIST Special Publication (SP) 800-37 Revision 1. Agencies must categorize all systems, identify and resolve risks, develop low-level and moderate-level system security plans, submit moderate-level systems for Security Authorization, perform continuous monitoring, and conduct annual reviews of the effectiveness of all security controls. This process, developed by NIST, is known as the Security Framework System Development Lifecycle (SDLC).

1.2 Security Framework System Development Lifecycle (SDLC)

The process to comply with AEIT/OIS moderate-level system security is documented in the Security Framework System Development Lifecycle in Figure 1. This SDLC addresses the steps towards compliance with the Agency for Enterprise Information Technology Office of Information Security (AEIT/OIS) directives on information systems security and state and federal laws.

Risk Assessments (RA) are promulgated under the AEIT/OIS directives on information systems security and the guidelines established by NIST Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. AEIT requires Scottish Pride to implement a risk-based program for cost-effective Information Technology (IT). All business processes operate with some level of risk, and one of the most effective ways to protect these business processes is through the implementation of effective internal security controls, risk evaluation, and risk management (RM).

A risk assessment is required before initiating Step 1 of the Security Framework System Development Lifecycle to establish a baseline indicating the risks to system resources in the areas of Management, Operational, and Technical controls. Risks should be assessed in the following areas: natural, environmental, human intentional and human unintentional threats.

This plan only follows Step 8 in the Security Framework System Development Lifecycle.

- Step 1: System categorization was performed prior to the development of the SSP
- Steps 2-3 will be completed in the development of the SSP
- Step 4: Comprehensive risk assessment will be performed by an independent third-party assessor
- Step 5: Certification and Accreditation package/approval will be performed by an independent third-party authorizing authority identified by the CIO

1.2.1 Step 6 - Continuous Monitoring Plan

Step 6 is the development of the Continuous Monitoring Plan, which provides oversight and monitoring of the security controls in the information system on an ongoing basis. The Continuous Monitoring Plan also describes the Agency’s procedural requirements and responsibilities for implementation of the NIST SP 800-53 Revision 2, CA-7 Continuous Monitoring security control for the Scottish Pride information system. Continuous Monitoring begins after the system has been certified and accredited for operations, and the activities in this plan are performed continuously throughout the life cycle of the information system. The plan informs the CIO when changes occur that may have an impact on the security of the system. The continuous monitoring plan will include:

- Continuous monitoring validation through spot checks, continuous scans, and documentation updates
- Configuration management and control processes for the information system
- Security impact analysis on actual or proposed changes to the information system
- Assessment of selected security controls based on continuous monitoring strategy
- Security status reporting

1.3 Objective

The objective of the continuous monitoring plan is to develop a strategy and implement a plan for the continuous monitoring of Scottish Pride Licensing Application (SPLA) security control effectiveness, taking into account any proposed/actual changes to the information system or its environment of operation. Furthermore, the Continuous Monitoring Plan should:

- Be integrated into the agency’s SDLC processes
- Address the security impacts on information systems resulting from changes to the hardware, software, firmware, or operational environment
- Provide an effective mechanism to update the SSP, RA reports, and POA&M
- Track the security state of the information system on a continuous basis
- Maintain the security authorization for the system over time in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and mission/business processes

1.4 Risk

Failure to meet compliance may expose Scottish Pride to further security issues. Furthermore, non-compliance with AEIT/OIS directives and Florida Statutes creates a risk of losing critical program and system resource funding.

1.5 Benefits

With a compliant monitoring program, Scottish Pride becomes more efficient in its operations and, most importantly, more secure. In addition to reaping the benefits of strong controls and the ability to deliver continuous compliance with current and emerging regulations, Scottish Pride will be able to:

- Reduce risk and cost, and increase efficiency
- Create a consistent, agency-wide view of the current security posture, creating ties between program activities such as assessment and remediation and showing business unit managers at all agency levels exactly where they stand in addressing security issues
- Develop automated and integrated IT processes, reducing burden on administrative staff and improving business effectiveness
- Improve agency planning and strategic decision making


Figure 1: Risk Management Framework (diagram; the six steps and their text as recovered from the figure)

- Step 1 CATEGORIZE Information Systems (FIPS 199 / SP 800-60): Define category of information system according to potential impact of loss
- Step 2 SELECT Security Controls (FIPS 200 / SP 800-53): Select minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system
- Step 3 IMPLEMENT Security Controls (SP 800 Series): Implement security controls in new or legacy information systems; implement security configuration checklists
- Step 4 ASSESS Security Controls (SP 800-53A): Determine extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements
- Step 5 AUTHORIZE Information Systems (SP 800-37): Determine risk to operations, assets, or individuals and, if acceptable, authorize information system processing
- Step 6 MONITOR Security Controls (SP 800-53A): Continuously track changes to the information system that may affect security controls and assess control effectiveness

Create and enforce configuration management standards, and identification of risks to all systems

2 REQUIREMENTS FOR CONTINUOUS MONITORING

Continuous Monitoring is composed of three tasks: (1) Configuration Management and Control, (2) Security Control Monitoring, and (3) Status Reporting and Documentation. The tasks can further be broken down into nine subtasks, which are described below. The goal of the Continuous Monitoring phase is to maintain SPLA’s authorization to operate after certification and accreditation has been granted. This goal is achieved through activities which provide ongoing, near-real-time risk management and operational security, such as monitoring SPLA, ensuring SPLA operates in a secure fashion, and reporting status to appropriate Scottish Pride personnel.

2.1 Configuration Management and Control

Configuration Management and Control consists of developing SPLA’s monitoring plan, monitoring SPLA for changes, and analyzing changes to determine security impact. The System Owner shall implement the details of tasks involved in these activities identified as:

- Subtask 1: Security Control Monitoring Strategy - Develop a strategy for the continuous monitoring of security control effectiveness and any proposed/actual changes in SPLA including hardware, software, firmware, and surrounding environment
o Establish a strict configuration management process to support continuous monitoring activities
o Define the methodology for conducting security impact analyses to determine the extent to which proposed changes to SPLA or its operating environment will affect the security state of SPLA
o Determine how many subsets of security controls will be assessed during the authorization period, which security controls will be included in each subset, and the schedule according to which the security control subsets will be assessed
o Determine the tools that will be used in assessing security controls. For example, Security Content Automation Protocol (SCAP)-validated products should be used to verify whether the security configuration settings of various products comply with government standards, guidance, and policies
o Document the continuous monitoring strategy
o Obtain approval for the continuous monitoring plan and strategy from the CIO and ISM

- Subtask 2: System and Environment Changes - Analyze and document the proposed or actual changes to SPLA (including hardware, software, firmware, and surrounding environment) to determine the security impact of such changes
o Document any relevant information about proposed changes to the hardware, software, and firmware components, SPLA’s operating environment, or Scottish Pride’s policies, procedures, or guidance
o Document actual changes to SPLA, collecting the same information as for the proposed changes, so that the actual changes can be analyzed and appropriate Scottish Pride personnel can determine whether or not the actual change can remain in SPLA
- Subtask 3: Security Impact Analysis - Determine the security impact of the proposed or actual changes to SPLA or the environment of operation in accordance with the security control monitoring strategy


o Analyze each proposed/actual change to SPLA to determine what impact, if any, the change has on the security posture of the system

o Monitor compliance of the configuration of SPLA components. If SPLA contains information technology components for which SCAP-validated tools exist, those tools should be used to monitor the components’ configuration

o Document the results of the security impact analysis and share the results with the Information System Security Officer (ISSO), Information Security Manager (ISM), and Chief Information Officer (CIO) using an approved format

o Determine if remediation actions or other changes to SPLA are necessary based on the security impact analysis, determine the impacts of the actions or other changes, and document them in the Plan of Action and Milestones (POA&M)

o If the analysis determines that there is a significant change requiring reaccreditation of SPLA, report SPLA security status to the ISSO, CIO and ISM

The first step is to establish a security control monitoring strategy to select which security controls to monitor and how to monitor them effectively. Selection of security controls for monitoring should take into consideration the importance of the security control to SPLA and Scottish Pride. Monitoring of security controls can be done in three ways:

1. Automated processes – Vulnerability Scanners, Web Application Scanners, Patch Management software, Security Information and Event Management software and Information Security Automation Program (ISAP) / Security Content Automation Protocol (SCAP) tools

2. IT management systems – Information Technology Infrastructure Library (ITIL), Capability Maturity Model Integration (CMMI) or other change management solutions

3. Periodic audits – Auditing of sets of security controls on a regular basis

When a new or proposed change is identified, Scottish Pride security staff should provide feedback to the ISSO when changes could affect the security state. Effort spent identifying and analyzing changes should be commensurate with the security priority of SPLA and the risk system changes might incur. Documentation of SPLA changes should inform the System Owner and also be reflected in System Security Plan (SSP) updates, POA&M updates, and status reports to other appropriate Scottish Pride personnel.


2.2 Security Control Monitoring

SPLA Security Control Monitoring consists of the ongoing processes of security control assessment and remediation actions. When security controls are identified as being ineffective, before or during the Continuous Monitoring phase, they must be remediated. The remediation method used is the periodic review of a subset of system security controls.

This method is a compliance requirement which can be simplified through good documentation procedures and recognizing the best practices which achieve the goals of Security Control Monitoring. The following tasks involved in these activities are:

- Subtask 4: Ongoing Security Control Assessments - Assess a selected subset of the security controls in SPLA or the environment of operation (including those controls affected by changes to the system/environment) in accordance with the continuous monitoring strategy
o The System Owner should:
  - Assign responsibility for assessing a subset of security controls to an assessor who has an appropriate level of independence as defined by the CIO and the knowledge, skills, and abilities to complete the assessment
  - Update the POA&M after the assessment has been completed based on the updated security assessment report provided by the security control assessor
o The security control assessor should:
  - Develop the security assessment plan that defines the appropriate procedures from NIST SP 800-53A to assess the security controls
  - Obtain approval for the security assessment plan from the CIO
  - Conduct the security assessment in accordance with the agreed-upon procedures, personnel, milestones, and schedule
  - Update the security assessment report with the information gained during the assessment of the subset of security controls and submit it to the System Owner, ISSO, and ISM

- Subtask 5: Ongoing Remediation Actions - Conduct remediation actions based on the results of the selected security control assessments and outstanding items in the POA&M. The System Owner should initiate remediation actions based on the findings produced during the continuous monitoring assessments of the security controls, the outstanding items listed in the POA&M, and the results of performing the activities required by the system’s security control (e.g., vulnerability scanning, contingency plan testing, incident response handling). The System Owner should:
o Consult with the ISSO, ISM, and CIO and review each assessor finding, and determine the severity or seriousness of the finding and whether the finding is significant enough to be worthy of further investigation or remedial action

o Determine the appropriate steps required to correct any identified weaknesses or deficiencies that require remediation efforts, establish an implementation plan and schedule for the defined actions, and update the POA&M with the planned remediation actions

o Assess SPLA after the remediation actions have been completed to determine if the security controls remain effective after changes have been implemented

o Update the POA&M with the current status when a remediation action has been successfully completed

The System Owner needs to revisit, on a regular basis, the risk management activities described in the Risk Management Framework Figure 1 (Page 3) to ensure the selection of security controls remains appropriate for SPLA. The System Owner should:

- Monitor events that occur throughout Scottish Pride and determine if those events introduce or uncover new vulnerabilities or threats to SPLA
- Determine whether the selected security controls remain sufficient to protect the information and SPLA assets against the newly identified vulnerabilities and threats
- Reconfirm SPLA’s impact level and security category of SPLA and the information processed, stored, or transmitted by SPLA and determine if they should be changed
- Consult with the ISSO, ISM, and CIO to determine if the authorization should be updated

2.3 Status Reporting and Documentation

Status Reporting and Documentation consists of Critical Document Updates, Security Status Reporting, Ongoing Risk Determination and Acceptance, and System Removal and Decommissioning. The overall goal is to ensure that the documentation describing the security status of SPLA does not become stale.


The POA&M is particularly important to keep current because it reflects a single aspect of SPLA: the controls known to have been inadequate. The SSP should also be updated on an ongoing basis to support the near-real-time view of SPLA’s security posture. When SPLA system status changes occur, they must be documented and presented to the appropriate agency officials. Significant changes may require the ISSO to consider whether the risk(s) presented require reconsideration of the operating status of the system. Additionally, these updates should be periodic and ensure all affected Scottish Pride staff are aware of SPLA’s status. Details of tasks involved in these activities are:

- Subtask 6: Critical Document Updates - Update the SSP, security assessment report, and POA&M based on the results of the continuous monitoring process. Continuous monitoring provides System Owners with an effective tool for producing ongoing updates to SSPs, security assessment reports, and POA&Ms. These documents are critical to understanding and explicitly accepting risk on a day-to-day basis. The System Owner should:
o Ensure that the security control assessor updates the security assessment report with the results of the security control assessments conducted during the continuous monitoring phase

o Update the SSP and POA&M to identify changes to SPLA, the operating environment, the security controls, and the implementation of the SPLA’s security controls

o Preserve the original version of the documents so that they are available for oversight, management, security control assessments, and auditing purposes

o Share the updated documentation with others
- Subtask 7: Security Status Reporting - The System Owner should document the results of the continuous monitoring activities in security status reports and provide them to the ISSO, ISM, and CIO. The System Owner should:
o Describe the continuous monitoring activities and how the vulnerabilities discovered during the security control assessments and security impact analyses are being addressed

o Provide the security status reports to the ISSO, ISM, and CIO at appropriate Scottish Pride defined frequencies

- Subtask 8: Ongoing Risk Determination and Acceptance - Periodically review the reported security status of SPLA and determine whether the risk to Scottish Pride operations and assets, individuals, other organizations, or the Nation remains acceptable. The System Owner should provide sufficient information to the ISSO, ISM, and CIO for them to be able to make appropriate reauthorization decisions. The ISSO, ISM, and CIO should:
o Review the updated security assessment report, SSP, POA&M, and security status reports to determine whether the risk to the information and SPLA remains acceptable

o Determine whether SPLA requires reauthorization
o Document the decision and forward it to the System Owner for appropriate action
- Subtask 9: System Removal and Decommissioning - Implement a Scottish Pride-approved SPLA decommissioning strategy, when needed, which executes required actions when SPLA is removed from service. When SPLA is removed from operation, the System Owner should ensure that all security controls addressing SPLA decommissioning are implemented. The System Owner should:
o Determine a decommissioning strategy for SPLA when SPLA is no longer needed by Scottish Pride
o Keep users and application owners served by the decommissioned SPLA or system components informed about the decommissioning activities and any issues associated with their information or applications

o Sanitize or destroy SPLA components in accordance with applicable regulations and guidance to remove system information from SPLA media so that there is reasonable assurance that the information cannot be retrieved or reconstructed

o Update Scottish Pride’s tracking and management systems to identify the specific SPLA components that are being removed from the inventory

o Record the decommissioned status of SPLA in the SSP and distribute the document to appropriate individuals or agencies

3 SECURITY CONTROLS MONITORING

The following schedule in Table 1 shall be established by the System Owner for continuous monitoring security control assessment to ensure that all controls requiring assessment are covered and that all controls are assessed at least once during the three-year accreditation cycle.

- Year 1 – Full accreditation, all security controls assessed
- Year 2 – All security controls required to be assessed annually (See Appendix B), plus a subset of the remainder of security controls (See Appendix C) must be assessed
- Year 3 – All security controls required to be assessed annually (See Appendix B), plus a subset of security controls (See Appendix D) that were not assessed during Year 2 must be assessed

As it is not feasible or cost-effective to monitor all of the security controls in SPLA on a continuous basis, an appropriate subset of those controls for the annual assessment shall be selected. The selection of a subset of security controls for continuous monitoring assessment includes the following considerations:

- Annual Security Control Requirements – Those security controls that require annual assessment as identified by NIST SP 800-53
- Significant changes to SPLA – A significant change to SPLA, or its operating environment, may introduce new security vulnerabilities and may require a more frequent assessment of select security controls
- External Influences – Activities outside the direct control of SPLA which may impact security posture. Examples may include, but are not limited to, organizational changes, new or modified policies, and newly identified threats or vulnerabilities
- Scottish Pride Requirements – Those security controls that Scottish Pride deems essential to protecting SPLA may require increased attention, and more frequent assessment
- Plan of Action and Milestone (POA&M) Items – New or modified security controls, implemented to remediate identified weaknesses, should be assessed for effectiveness
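The Year 1 / Year 2 / Year 3 rules above can be applied mechanically to rows written in the layout of Table 1 (control number, control name, frequency tags) to produce each year's assessment worklist, the Appendix B/C/D grouping, and a list of rows whose tags conflict with the rules. The following Python script is an added example, not part of the SPLA plan; its sample rows are constructed, and the three checks it applies (no Year 1 tag, a non-annual control tagged for both Year 2 and Year 3, a control tagged for Year 1 only) are this example's reading of Section 3.

```python
import re

CYCLE_YEARS = (1, 2, 3)

# Constructed sample rows (not the plan's full table) in Table 1's layout:
# control number, control name, then frequency tags.
SAMPLE_ROWS = """\
AC-2 Account Management Year 1 Annual
AC-3 Access Enforcement Year 1 Year 2
AC-5 Separation of Duties Year 1 Year 3
CA-7 Continuous Monitoring Year 1 Year 2
CM-6 Configuration Settings Year 1 Annual
"""

# Constructed rows that conflict with the Section 3 rules, to show the findings.
BAD_ROWS = """\
AC-8 System Use Notification Year 1 Year 2 Year 3
AU-1 Audit and Accountability Policy and Procedures Year 2
CP-2 Contingency Plan Year 1
"""

# A row is: <FAMILY>-<n>, a free-text name, then one or more frequency tags.
ROW_RE = re.compile(r"^([A-Z]{2}-\d+)\s+(.+?)\s+((?:Year [1-3]|Annual)(?:\s+(?:Year [1-3]|Annual))*)$")
TAG_RE = re.compile(r"Year [1-3]|Annual")


def control_key(num):
    """Sort key so that AC-2 precedes AC-11 (family, then numeric id)."""
    family, ident = num.split("-")
    return family, int(ident)


def parse_rows(text):
    """Return {control number: (name, [frequency tags])} from Table 1-style rows."""
    controls = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        num, name, freq = m.groups()
        controls[num] = (name, TAG_RE.findall(freq))
    return controls


def years_for(tags):
    """Expand frequency tags to the cycle years in which a control is assessed."""
    years = set()
    for tag in tags:
        if tag == "Annual":
            years.update(CYCLE_YEARS)  # assessed in every year of the cycle
        else:
            years.add(int(tag.split()[1]))
    return years


def schedule(controls):
    """Map each cycle year to the controls assessed in that year."""
    by_year = {y: [] for y in CYCLE_YEARS}
    for num, (_, tags) in controls.items():
        for y in years_for(tags):
            by_year[y].append(num)
    return {y: sorted(nums, key=control_key) for y, nums in by_year.items()}


def appendix_split(controls):
    """Group controls the way Section 3 does: B = assessed annually,
    C = Year 2 subset and D = Year 3 subset of the non-annual remainder."""
    split = {"B": [], "C": [], "D": []}
    for num, (_, tags) in controls.items():
        if "Annual" in tags:
            split["B"].append(num)
            continue
        years = years_for(tags)
        if 2 in years:
            split["C"].append(num)
        if 3 in years:
            split["D"].append(num)
    return {k: sorted(v, key=control_key) for k, v in split.items()}


def check_cycle(controls):
    """Findings against the Section 3 rules; an empty list means none."""
    findings = []
    for num, (_, tags) in controls.items():
        years = years_for(tags)
        if 1 not in years:
            findings.append(f"{num}: not scheduled in Year 1, which assesses all controls")
        if "Annual" not in tags and {2, 3} <= years:
            findings.append(f"{num}: in Year 2 and Year 3 without being Annual; Year 3 covers controls not assessed in Year 2")
        if years == {1}:
            findings.append(f"{num}: assessed only in Year 1; confirm it is meant to be skipped in Years 2 and 3")
    return findings


if __name__ == "__main__":
    ctl = parse_rows(SAMPLE_ROWS)
    for year, nums in schedule(ctl).items():
        print(f"Year {year}: {', '.join(nums)}")
    print("Appendix B/C/D:", appendix_split(ctl))
    for finding in check_cycle(parse_rows(BAD_ROWS)):
        print("FINDING", finding)
```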

Table 1: SPLA Security Controls Assessment

Control Number | Control Name | Frequency

Access Control (AC)
AC-1 | Access Control Policy and Procedures | Year 1, Year 2
AC-2 | Account Management | Year 1, Annual
AC-3 | Access Enforcement | Year 1, Year 2
AC-4 | Information Flow Enforcement | Year 1, Year 2
AC-5 | Separation of Duties | Year 1, Year 3
AC-6 | Least Privilege | Year 1, Year 3
AC-7 | Unsuccessful Logon Attempts | Year 1, Annual
AC-8 | System Use Notification | Year 1, Year 3
AC-11 | Session Lock | Year 1, Year 3
AC-12 | Session Termination | Year 1, Year 3
AC-13 | Supervision and Review – Access Control | Year 1, Annual
AC-14 | Permitted Actions w/o Identification or Authentication | Year 1, Year 2
AC-17 | Remote Access | Year 1, Annual
AC-18 | Wireless Access Restrictions | Year 1, Year 3
AC-19 | Access Control for Portable and Mobile Systems | Year 1, Year 3
AC-20 | Use of External Information Systems | Year 1, Year 2


Awareness and Training (AT)
AT-1 | Security Awareness and Training Policies and Procedures | Year 1, Year 2
AT-2 | Security Awareness | Year 1, Annual
AT-3 | Security Training | Year 1, Annual
AT-4 | Security Training Records | Year 1, Year 2

Audit and Accountability (AU)
AU-1 | Audit and Accountability Policy and Procedures | Year 1, Year 2
AU-2 | Auditable Events | Year 1, Annual
AU-3 | Content of Audit Records | Year 1, Annual
AU-4 | Audit Storage Capacity | Year 1, Annual
AU-5 | Response to Audit Processing Failures | Year 1, Annual
AU-6 | Audit Monitoring, Analysis, and Reporting | Year 1, Annual
AU-7 | Audit Reduction and Report Generation | Year 1, Annual
AU-8 | Time Stamps | Year 1, Year 2
AU-9 | Protection of Audit Information | Year 1, Year 2
AU-11 | Audit Retention | Year 1, Annual

Certification, Accreditation, and Security Assessments (CA)
CA-1 | Certification, Accreditation, and Security Assessment Policies and Procedures | Year 1, Year 2
CA-2 | Security Assessments | Year 1, Year 2
CA-3 | Information System Connections | Year 1, Year 2
CA-4 | Security Certification | Year 1, Year 2
CA-5 | Plan of Action and Milestones | Year 1, Year 2
CA-6 | Security Accreditation | Year 1, Year 3
CA-7 | Continuous Monitoring | Year 1, Year 2

Configuration Management (CM)
CM-1 | Configuration Management Policy and Procedures | Year 1, Year 2
CM-2 | Baseline Configuration | Year 1, Annual
CM-3 | Configuration Change Control | Year 1, Annual
CM-4 | Monitoring Configuration Changes | Year 1, Annual

Page 16 of 20

Page 17: SPLA Continuous Monitoring Plan - · Web viewSPLA) Continuous Monitoring Plan Version 1.0 May 28, 20 1 3 DOCUMENT CONTROL Change Record Date Author Version Change Reference Quality

Scottish Pride Scottish Pride Licensing Application Office of Information Services

CM-5 Access Restrictions for Change Year 1 AnnualCM-6 Configuration Settings Year 1 AnnualCM-7 Least Functionality Year 1 AnnualCM-8 Information System Component

InventoryYear 1 Annual

Contingency Planning (CP)CP-1 Contingency Management Policy and

ProceduresYear 1 Year 2

CP-2 Contingency Plan Year 1 AnnualCP-3 Contingency Training Year 1 AnnualCP-4 Contingency Plan Testing and

ExercisesYear 1 Annual

CP-5 Contingency Plan Updates Year 1 AnnualCP-6 Alternate Storage Sites Year 1 AnnualCP-7 Alternate Processing Sites Year 1 AnnualCP-8 Telecommunication Services Year 1 AnnualCP-9 Information System Backup Year 1 AnnualCP-10 Information System Recovery and

ReconstitutionYear 1 Annual

Identification and Authentication (IA)IA-1 Identification and Authentication

Policy and ProceduresYear 1 Year 2

IA-2 User Identification and Authentication Year 1 Year 3IA-3 Device Identification and

AuthenticationYear 1 Year 2

IA-4 Identifier Management Year 1 AnnualIA-5 Authenticator Management Year 1 AnnualIA-6 Authenticator Feedback Year 1 Annual

Incident Response (IR)IR-1 Incident Response Policy and

ProceduresYear 1 Year 2

IR-2 Incident Response Training Year 1 AnnualIR-3 Incident Response Testing and

ExercisesYear 1 Year 2

IR-4 Incident Handling Year 1 Year 2IR-5 Incident Monitoring Year 1 AnnualIR-6 Incident Reporting Year 1 Annual

Page 17 of 20

Page 18: SPLA Continuous Monitoring Plan - · Web viewSPLA) Continuous Monitoring Plan Version 1.0 May 28, 20 1 3 DOCUMENT CONTROL Change Record Date Author Version Change Reference Quality

Scottish Pride Scottish Pride Licensing Application Office of Information Services

IR-7 Incident Response Assistance Year 1 Year 2

Maintenance (MA)MA-1 System Maintenance Policy and

ProceduresYear 1 Year 2

MA-2 Controlled Maintenance Year 1 AnnualMA-3 Maintenance Tools Year 1 AnnualMA-4 Remote Maintenance Year 1 AnnualMA-5 Maintenance Personnel Year 1 AnnualMA-6 Timely Maintenance Year 1 Annual

Media Protection (MP)MP-1 Media Protection Policy and

ProceduresYear 1 Year 2

MP-2 Media Access Year 1 Year 3MP-4 Media Storage Year 1 Year 3MP-5 Media Transport Year 1 AnnualMP-6 Media Sanitization and Disposal Year 1 Annual

Physical and Environmental Protection PE)PE-1 Physical and Environmental Protection

Policy ProceduresYear 1 Year 2

PE-2 Physical Access Authorizations Year 1 AnnualPE-3 Physical Access Control Year 1 AnnualPE-5 Access Control for Display Medium Year 1 Year 2PE-6 Monitoring Physical Access Year 1 AnnualPE-7 Visitor Control Year 1 AnnualPE-8 Access Records Year 1 Year 2PE-9 Power Equipment and Power Cabling Year 1 Year 2

PE-10 Emergency Shutoff Year 1 Year 2PE-11 Emergency Power Year 1 Year 2PE-12 Emergency Lighting Year 1 AnnualPE-13 Fire Protection Year 1 AnnualPE-14 Temperature and Humidity Controls Year 1 AnnualPE-16 Delivery and Removal Year 1 AnnualPE-17 Alternate Work Site Year 1 Year 3

Page 18 of 20

Page 19: SPLA Continuous Monitoring Plan - · Web viewSPLA) Continuous Monitoring Plan Version 1.0 May 28, 20 1 3 DOCUMENT CONTROL Change Record Date Author Version Change Reference Quality

Scottish Pride Scottish Pride Licensing Application Office of Information Services

PE-18 Location of Information System Components

Year 1 Year 2

Page 19 of 20

Page 20: SPLA Continuous Monitoring Plan - · Web viewSPLA) Continuous Monitoring Plan Version 1.0 May 28, 20 1 3 DOCUMENT CONTROL Change Record Date Author Version Change Reference Quality

Scottish Pride Scottish Pride Licensing Application Office of Information Services

Planning (PL)PL-1 Security Planning Policy and

ProceduresYear 1 Year 2

PL-2 System Security Plan Year 1 Year 3PL-3 System Security Plan Update Year 1 Year 2PL-4 Rules of Behavior Year 1 AnnualPL-5 Privacy Impact Assessment Year 1 Year 3PL-6 Security Related Activity Planning Year 1 Annual

Personnel Security (PS)PS-1 Personnel Security Policy and

ProceduresYear 1 Year 2

PS-2 Position Categorization Year 1 Year 3PS-3 Personnel Screening Year 1 AnnualPS-4 Personnel Termination Year 1 AnnualPS-5 Personal Transfer Year 1 AnnualPS-6 Access Agreements Year 1 AnnualPS-7 Third-Party Personnel Security Year 1 AnnualPS-8 Personnel Sanctions Year 1 Year 3

Risk Assessment (RA)RA-1 Risk Assessment Policy and

ProceduresYear 1 Year 2

RA-2 Security Categorization Year 1 Year 3RA-3 Risk Assessment Year 1 Year 3RA-4 Risk Assessment Update Year 1 Year 3RA-5 Vulnerability Scanning Year 1 Year 2

System and Services Acquisition (SA)SA-1 System and Services Acquisition Policy

and ProceduresYear 1 Year 2

SA-2 Allocation of Resources Year 1 Year 2SA-3 Life Cycle Support Year 1 Year 2SA-4 Acquisitions Year 1 AnnualSA-5 Information System Documentation Year 1 Year 2SA-6 Software Usage Restrictions Year 1 Year 2SA-7 User Installed Software Year 1 AnnualSA-8 Security Engineering Principle Year 1 Year 2SA-9 External Information System Services Year 1 Year 3

Page 20 of 20

Page 21: SPLA Continuous Monitoring Plan - · Web viewSPLA) Continuous Monitoring Plan Version 1.0 May 28, 20 1 3 DOCUMENT CONTROL Change Record Date Author Version Change Reference Quality

Scottish Pride Scottish Pride Licensing Application Office of Information Services

SA-11 Developer Security Testing Year 1 Year 3System and Communication Protection (SC)

SC-1 System and Communications Protection Policy and Procedures

Year 1 Year 2

SC-2 Application Partitioning Year 1 Year 2SC-4 Information Remnance Year 1 AnnualSC-5 Denial of Service Protection Year 1 Year 3SC-7 Boundary Protection Year 1 AnnualSC-8 Transmission Integrity Year 1 AnnualSC-9 Transmission Confidentiality Year 1 Year 3

SC-10 Network Disconnect Year 1 Year 3SC-14 Public Access Protections Year 1 Year 3SC-17 Public Key Infrastructure Certificates Year 1 AnnualSC-18 Mobile Code Year 1 Year 2SC-19 Voice Over Internet Protocol Year 1 Year 2SC-20 Secure Name/Address Resolution

Service (Authoritative Source)Year 1 Year 2

SC-22 Architecture and Provisioning for Name/Address Resolution Service

Year 1 Year 2

SC-23 Session Authenticity Year 1 Year 3System and Information Integrity (SI)

SI-1 System and Information Integrity Policy and Procedures

Year 1 Year 2

SI-2 Flaw Remediation Year 1 AnnualSI-3 Malicious Code Protection Year 1 Year 3SI-4 Information System Monitoring Tools

and TechniquesYear 1 Annual

SI-5 Security Alerts and Advisories Year 1 AnnualSI-8 Spam and Spyware Protection Year 1 Year 3SI-9 Information Input Restrictions Year 1 Year 3

SI-10 Information Input Accuracy, Completeness, and Validity

Year 1 Annual

SI-11 Error Handling Year 1 AnnualSI-12 Output Handling and Retention Year 1 Annual

Page 21 of 20

Page 22: SPLA Continuous Monitoring Plan - · Web viewSPLA) Continuous Monitoring Plan Version 1.0 May 28, 20 1 3 DOCUMENT CONTROL Change Record Date Author Version Change Reference Quality

Scottish Pride Scottish Pride Licensing Application Office of Information Services

Additional Security ControlsAny critical volatile security controls, as determined by the System Owner

Annual

The CIO may identify Agency security controls and/or designate additional SPLA security controls for annual assessment

Annual


APPENDIX A – RESPONSIBILITIES

Title: System Owner
Role: Monitor
Responsibilities:
• May designate a representative to perform continuous monitoring security control assessments as required for the annual report to the CIO
• Develop and document a continuous monitoring strategy for their information systems
• Be responsible for continuous monitoring security control assessment activities
• Ensure resources are provided for the continuous monitoring security control assessment activities for SPLA
• Report to the ISSO any significant changes made to SPLA that may affect its security status and require a reaccreditation of SPLA
• Participate in the agency's configuration management process
• Establish and maintain an inventory of SPLA's components
• Conduct security impact analyses on all changes to SPLA
• Conduct security assessments of security controls according to their continuous monitoring strategies
• Prepare and submit security status reports at the monthly
• Conduct remediation activities as necessary to maintain the current authorization status
• Update the selection of security controls for SPLA when events occur that indicate the baseline set of security controls is no longer adequate to protect SPLA
• Update critical security documents on a regular basis

Title: Information Systems Security Officer (ISSO)
Role: Supporter
Responsibilities:
• Provide oversight to continuous monitoring security control assessment activities for SPLA, ensuring completion and reporting no later than July 31st of each fiscal year
• Provide an assessment and recommendation to the System Owner and CIO as to the need for reaccreditation as a result of a reported or identified significant change to SPLA
• Participate in the formal configuration management process

Title: Information Security Manager (ISM)
Role: Overseer
Responsibilities:
• Support the information owner on the continuous monitoring security control assessment procedures to complete security responsibilities
• Ensure Agency annual security controls are certified annually
• Prepare and submit Agency metrics on continuous monitoring security control assessments as required for the annual Scottish Pride report satisfying auditing requirements
• Participate in the formal configuration management process

Title: Chief Information Officer (CIO)
Role: Leader
Responsibilities:
• Ensure an effective continuous monitoring program is established for the organization
• Establish expectations/requirements for the agency's continuous monitoring process
• Provide funding, personnel, and other resources to support continuous monitoring
• Maintain high-level communications and working group relationships among agency entities
• Ensure that information systems are covered by an approved security plan, are authorized to operate, and are monitored throughout the system development life cycle
• Ensure completion of continuous monitoring security control assessments on SPLA
• Ensure Scottish Pride CIO-designated and/or common security controls are certified annually
• Determine whether a significant change to SPLA requires reaccreditation and advise the ISSO and ISM of such a decision
• Review reported SPLA security weaknesses that were identified during the continuous monitoring security control assessment activities

Title: User
Role: Advisor
Responsibilities:
• Identify changes to mission, business, or operational security requirements
• Report any weaknesses in, or new requirements for, SPLA operations
• Submit and justify system change requests through the agency's formal configuration management process

Title: Operations Manager (GeoSol)
Role: Supporter
Responsibilities:
• Support the information owner/information System Owner to complete security responsibilities
• Participate in the formal configuration management process


APPENDIX B – ANNUAL REQUIRED SECURITY CONTROLS

The following security controls should be monitored annually:

Access Controls (AC)

AC-2 Account Management: Scottish Pride manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. Scottish Pride reviews information system accounts annually.

AC-7 Unsuccessful Logon Attempts: The information system enforces a limit of three consecutive invalid access attempts by a user during a 30-minute time period. When the maximum number of unsuccessful attempts is exceeded, the information system automatically locks the account/node for 30 minutes on low systems, or until an appropriate security administrator manually intervenes to unlock the account on moderate and high systems.
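The AC-7 rule stated above, worked through in code as an added illustration (this is not code from the SPLA plan or from any Scottish Pride system): a sliding 30-minute window over consecutive failures, automatic unlock after 30 minutes on low systems, and administrator-only unlock on moderate and high systems. The class and function names, the constructed timestamps, and the reading of "exceeded" as the third consecutive failure using up the limit are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class Impact(Enum):
    """Impact level of the system the account belongs to (low, moderate, high)."""
    LOW = "low"
    MODERATE = "moderate"
    HIGH = "high"


MAX_ATTEMPTS = 3                        # AC-7: limit of three consecutive invalid attempts
ATTEMPT_WINDOW = timedelta(minutes=30)  # AC-7: ... during a 30-minute time period
LOCK_DURATION = timedelta(minutes=30)   # AC-7: automatic unlock delay on low systems


@dataclass
class AccountState:
    """Lockout bookkeeping for one account (hypothetical class, not from the plan)."""
    impact: Impact
    failures: List[datetime] = field(default_factory=list)  # consecutive failures, oldest first
    locked_at: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        """True while the lock is in force. Low systems unlock automatically after
        LOCK_DURATION; moderate and high systems stay locked until admin_unlock()."""
        if self.locked_at is None:
            return False
        if self.impact is Impact.LOW and now - self.locked_at >= LOCK_DURATION:
            self.locked_at = None
            self.failures.clear()
            return False
        return True

    def admin_unlock(self) -> None:
        """Manual intervention by a security administrator (moderate and high systems)."""
        self.locked_at = None
        self.failures.clear()

    def record_result(self, success: bool, now: datetime) -> str:
        """Apply one authentication attempt; return 'ok', 'invalid' or 'locked'."""
        if self.is_locked(now):
            return "locked"            # attempts against a locked account are not counted
        if success:
            self.failures.clear()      # a valid login ends the run of consecutive failures
            return "ok"
        # only failures inside the 30-minute window count towards the limit
        self.failures = [t for t in self.failures if now - t < ATTEMPT_WINDOW]
        self.failures.append(now)
        if len(self.failures) >= MAX_ATTEMPTS:  # assumption: the third failure uses up the limit
            self.locked_at = now
            return "locked"
        return "invalid"


T0 = datetime(2013, 5, 28, 9, 0)   # constructed reference time for the scenarios below


def at(minutes: int) -> datetime:
    """Timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


def scenario(impact: Impact, events: Iterable[Tuple[int, bool]]) -> List[str]:
    """Replay (minute offset, success) events against a fresh account; return each outcome."""
    acct = AccountState(impact)
    return [acct.record_result(ok, at(minute)) for minute, ok in events]


if __name__ == "__main__":
    # low system: the third failure locks, a correct password at +10 min is still
    # refused, and the lock has expired by +32 min
    print(scenario(Impact.LOW, [(0, False), (1, False), (2, False), (10, True), (32, True)]))
    # high system: the failure at +0 has aged out of the window by +45, so the lock
    # only lands on the fourth attempt
    print(scenario(Impact.HIGH, [(0, False), (20, False), (45, False), (46, False)]))
```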

AC-13 Supervision and Review – Access Control: Scottish Pride supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.

AC-17 Remote Access: Scottish Pride documents, monitors, and controls all methods of remote access (e.g., dial-up, Internet) to the information system, including remote access for privileged functions. Appropriate Scottish Pride officials authorize each remote access method for the information system and authorize only the necessary users for each access method.

Awareness and Training (AT)

AT-2 Security Awareness: Scottish Pride ensures all users (including managers and senior executives) are exposed to basic information system security awareness materials before authorizing access to the system and at least annually thereafter.

AT-3 Security Training: Scottish Pride identifies personnel with significant information system security roles and responsibilities, documents those roles and responsibilities, and provides appropriate information system security training before authorizing access to the system and each year thereafter.

Audit and Accountability (AU)

AU-2 Auditable Events: The information system generates audit records for the events identified in the Scottish Pride IT Security Handbook.

AU-3 Content of Audit Records: The information system captures sufficient information in audit records to establish what events occurred, the sources of the events, and the outcomes of the events.


AU-4 Audit Storage Capacity: Scottish Pride allocates sufficient audit record storage capacity and configures auditing to prevent that capacity from being exceeded.

AU-5 Response to Audit Processing Failures: In the event of an audit failure or audit storage capacity being reached, the information system alerts appropriate Scottish Pride officials and takes the following additional actions:
• Shut down the system
• Overwrite the oldest audit records
• Stop generating audit records
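An added illustration of the AU-4 and AU-5 behaviour above (not code from the SPLA plan or from any Scottish Pride system): a bounded audit store that alerts officials before capacity is reached and, once it is exhausted, applies one of the three listed actions. The class names, the 80% early-warning threshold and the sample records are constructed assumptions; the trade-off each action makes is noted beside it.

```python
from collections import deque
from enum import Enum
from typing import Callable, Deque, Dict, List


class OnFull(Enum):
    """The three responses the plan lists for AU-5 when audit storage is exhausted."""
    SHUTDOWN = "shutdown"            # halt rather than keep operating without an audit trail
    OVERWRITE_OLDEST = "overwrite"   # ring buffer: newest events win, oldest history is lost
    STOP_GENERATING = "stop"         # keep the history, lose new events


class SystemShutdown(RuntimeError):
    """Raised to signal that the system must halt (OnFull.SHUTDOWN)."""


class AuditStore:
    """Bounded audit record store with an AU-4 early warning and an AU-5 full response."""

    def __init__(self, capacity: int, on_full: OnFull,
                 alert: Callable[[str], None], warn_fraction: float = 0.8) -> None:
        self.capacity = capacity
        self.on_full = on_full
        self.alert = alert                            # notifies the appropriate officials
        self.warn_at = int(capacity * warn_fraction)  # AU-4: warn before capacity is hit
        self.records: Deque[str] = deque()
        self.dropped = 0
        self.overwritten = 0
        self.halted = False
        self._warned = False
        self._full_alerted = False

    def write(self, record: str) -> bool:
        """Store one audit record; return True if it was retained."""
        if self.halted:
            raise SystemShutdown("audit subsystem halted; no further processing")
        if len(self.records) < self.capacity:
            self.records.append(record)
            if not self._warned and len(self.records) >= self.warn_at:
                self.alert(f"audit storage at {len(self.records)}/{self.capacity}")
                self._warned = True
            return True
        if not self._full_alerted:   # AU-5: alert officials once when capacity is reached
            self.alert(f"audit storage capacity {self.capacity} reached; "
                       f"action={self.on_full.value}")
            self._full_alerted = True
        if self.on_full is OnFull.OVERWRITE_OLDEST:
            self.records.popleft()
            self.overwritten += 1
            self.records.append(record)
            return True
        if self.on_full is OnFull.STOP_GENERATING:
            self.dropped += 1
            return False
        self.halted = True           # OnFull.SHUTDOWN
        raise SystemShutdown("audit storage exhausted; shutting down per AU-5 policy")


def fill_store(capacity: int, on_full: OnFull, n_records: int) -> Dict[str, object]:
    """Write n constructed records into a fresh store and summarise what happened."""
    alerts: List[str] = []
    store = AuditStore(capacity, on_full, alerts.append)
    halted = False
    for i in range(n_records):
        try:
            store.write(f"rec{i}")   # constructed sample record
        except SystemShutdown:
            halted = True
            break
    return {
        "retained": list(store.records),
        "dropped": store.dropped,
        "overwritten": store.overwritten,
        "halted": halted,
        "alerts": alerts,
    }


if __name__ == "__main__":
    for action in OnFull:
        print(action.value, fill_store(5, action, 7))
```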

AU-6 Audit Monitoring, Analysis, and Reporting: Scottish Pride regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.

AU-7 Audit Reduction and Report Generation: The information system provides an audit reduction and report generation capability.

AU-11 Audit Retention: Scottish Pride retains audit logs in accordance with Scottish Pride records retention policies, but for at least one year on high and moderate systems, to provide support for after-the-fact investigations of security incidents and to meet regulatory and Scottish Pride information retention requirements.

Configuration Management (CM)

CM-2 Baseline Configuration: Scottish Pride develops, documents, and maintains a current baseline configuration of the information system and an inventory of the system's constituent components.

CM-3 Configuration Change Control: Scottish Pride documents and controls changes to the information system. Appropriate Scottish Pride officials approve information system changes in accordance with Scottish Pride policies and procedures.

CM-4 Monitoring Configuration Changes: Scottish Pride monitors changes to the information system and conducts security impact analyses to determine the effects of the changes.

CM-5 Access Restrictions for Change: Scottish Pride enforces access restrictions associated with changes to the information system.

CM-6 Configuration Settings: Scottish Pride configures the security settings of information technology products to the most restrictive mode consistent with information system operational requirements.

CM-7 Least Functionality: Scottish Pride configures the information system to provide only essential capabilities and specifically prohibits and/or restricts the use of any protocol or service that is not explicitly permitted.

CM-8 Information System Component Inventory: Scottish Pride develops, documents, and maintains a current inventory of the components of the information system and relevant ownership information.


Contingency Planning (CP)

CP-1 Contingency Planning Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

CP-2 Contingency Plan: Scottish Pride develops and implements a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within Scottish Pride review and approve the contingency plan and distribute copies of the plan to key contingency personnel.

CP-3 Contingency Training: Scottish Pride trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training annually.

CP-4 Contingency Plan Testing and Exercises: Scottish Pride tests the contingency plan for the information system at least annually to determine the plan's effectiveness and Scottish Pride's readiness to execute the plan. Systems rated as high shall be tested at the alternate processing site. Appropriate officials within Scottish Pride review the contingency plan test results and initiate corrective actions.

CP-5 Contingency Plan Update: Scottish Pride reviews the contingency plan for the information system once per year and revises the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.

CP-6 Alternate Storage Sites: Scottish Pride identifies an alternate storage site and initiates necessary agreements to permit the storage of information system backup information.

CP-7 Alternate Processing Site: Scottish Pride identifies an alternate processing site and initiates necessary agreements to permit the resumption of information system operations for critical mission/business functions within 24 hours when the primary processing capabilities are unavailable.

CP-8 Telecommunications Services: Scottish Pride identifies primary and alternate telecommunications services to support the information system and initiates necessary agreements to permit the resumption of system operations for critical mission/business functions within 24 hours when the primary telecommunications capabilities are unavailable.

CP-9 Information System Backup: Scottish Pride conducts backups of user-level and system-level information (including system state information) contained in the information system according to the backup schedules documented in the system contingency plan and stores backup information at an appropriately secured location.

CP-10 Information System Recovery and Reconstitution: Scottish Pride employs mechanisms with supporting procedures to allow the information system to be recovered and reconstituted to the system's original state after a disruption or failure.


Identification and Authentication (IA)

IA-4 Identifier Management: Scottish Pride manages user identifiers by: (1) uniquely identifying each user; (2) verifying the identity of each user; (3) receiving authorization to issue a user identifier from an appropriate Scottish Pride official; (4) ensuring that the user identifier is issued to the intended party; (5) disabling the user identifier after 30 days of inactivity; and (6) archiving user identifiers.

IA-5 Authenticator Management: Scottish Pride manages information system authenticators (e.g., tokens, PKI certificates, biometrics, passwords, key cards) by: (1) defining initial authenticator content; (2) establishing administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators; and (3) changing default authenticators upon information system installation.

IA-6 Authenticator Feedback: The information system provides feedback to a user during an attempted authentication, and that feedback does not compromise the authentication mechanism.

Incident Response (IR)

IR-2 Incident Response Training: Scottish Pride trains personnel in their incident response roles and responsibilities with respect to the information system and provides refresher training at least annually.

IR-5 Incident Monitoring: Scottish Pride tracks and documents information system security incidents on an ongoing basis.

IR-6 Incident Reporting: Scottish Pride promptly reports incident information to appropriate authorities.

Maintenance (MA)

MA-2 Controlled Maintenance: Scottish Pride schedules, performs, and documents routine preventative and regular maintenance on the components of the information system in accordance with manufacturer or vendor specifications and/or Scottish Pride requirements.

MA-3 Maintenance Tools: Scottish Pride approves, controls, and monitors the use of information system maintenance tools and maintains the tools on an ongoing basis.

MA-4 Remote Maintenance: Scottish Pride approves, controls, and monitors remotely executed maintenance and diagnostic activities.

MA-5 Maintenance Personnel: Scottish Pride maintains a list of personnel authorized to perform maintenance on the information system. Only authorized personnel perform maintenance on the information system.

MA-6 Timely Maintenance: Scottish Pride obtains maintenance support and spare parts within 48 hours of failure.


Media Protection (MP)

MP-5 Media Transport: Scottish Pride controls information system media (paper and electronic) and restricts the pickup, receipt, transfer, and delivery of such media to authorized personnel.

MP-6 Media Sanitization and Disposal: Scottish Pride sanitizes information system digital media using approved equipment, techniques, and procedures. Scottish Pride tracks, documents, and verifies media sanitization actions and periodically tests sanitization equipment/procedures to ensure correct performance.

Physical and Environmental Protection (PE)

PE-2 Physical Access Authorizations: Scottish Pride develops and keeps current lists of personnel with authorized access to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and issues appropriate authorization credentials (e.g., badges, identification cards, smart cards). Designated officials within Scottish Pride review and approve the access list and authorization credentials once a year.

PE-3 Physical Access Control: Scottish Pride controls all physical access points (including designated entry/exit points) to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facilities. Scottish Pride also controls access to areas officially designated as publicly accessible, as appropriate, in accordance with Scottish Pride's assessment of risk.

PE-6 Monitoring Physical Access: Scottish Pride monitors physical access to information systems to detect and respond to incidents.

PE-7 Visitor Control: Scottish Pride controls physical access to information systems by authenticating visitors before authorizing access to facilities or areas other than areas designated as publicly accessible.

PE-12 Emergency Lighting: Scottish Pride employs and maintains automatic emergency lighting systems that activate in the event of a power outage or disruption and that cover emergency exits and evacuation routes.

PE-13 Fire Protection: Scottish Pride employs and maintains fire suppression and detection devices/systems that can be activated in the event of a fire.

PE-14 Temperature and Humidity Controls: Scottish Pride regularly monitors the temperature and humidity within facilities containing information systems and maintains them within acceptable levels.

PE-16 Delivery and Removal: Scottish Pride controls information system-related items (i.e., hardware, firmware, software) entering and exiting the facility and maintains appropriate records of those items.


Planning (PL)

PL-3 System Security Plan Update: Scottish Pride reviews the security plan for the information system annually and revises the plan to address system/organizational changes or problems identified during plan implementation or security control assessments.

PL-4 Rules of Behavior: Scottish Pride establishes and makes readily available to all information system users a set of rules that describes their responsibilities and expected behavior with regard to information system usage. Scottish Pride receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to the information system.

PL-6 Security-Related Activity Planning: Scottish Pride plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on Scottish Pride operations (i.e., mission, functions, image, and reputation), Scottish Pride assets, and individuals.

Personnel Security (PS)

PS-3 Personnel Screening: Scottish Pride screens individuals requiring access to Scottish Pride information and information systems before authorizing access.

PS-4 Personnel Termination: When employment is terminated, Scottish Pride terminates information system access, conducts exit interviews, ensures the return of all Scottish Pride information system-related property (e.g., keys, identification cards, building passes), and ensures that appropriate personnel have access to official records created by the terminated employee that are stored on Scottish Pride information systems.

PS-5 Personnel Transfer: Scottish Pride reviews information systems/facilities access authorizations when individuals are reassigned or transferred to other positions within Scottish Pride and initiates appropriate actions (e.g., reissuing keys, identification cards, building passes; closing old accounts and establishing new accounts; and changing system access authorizations).

PS-6 Access Agreements: Scottish Pride completes appropriate access agreements (e.g., nondisclosure agreements, acceptable use agreements, rules of behavior, conflict-of-interest agreements) for individuals requiring access to Scottish Pride information and information systems before authorizing access.

PS-7 Third-Party Personnel Security: Scottish Pride establishes personnel security requirements for third-party providers (e.g., service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, network and security management) and monitors provider compliance to ensure adequate security.


System and Services Acquisition (SA)SA-4 Acquisitions: Scottish Pride includes security requirements and/or security

specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk.

SA-7 User Installed Software: Scottish Pride enforces explicit rules governing the downloading and installation of software by users.

System and Communication Protection (SC)SC-4 Information Remnance: The information system prevents unauthorized

and unintended information transfer via shared system resources.

SC-7 Boundary Protection: The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.

SC-17 Public Key Infrastructure Certificates: Scottish Pride develops and implements a certificate policy and certification practice statement for the issuance of public key certificates used in the information system.

System and Information Integrity (SI)

SI-2 Flaw Remediation: Scottish Pride identifies, reports, and corrects information system flaws.

SI-4 Information System Monitoring Tools and Techniques: Scottish Pride employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.

SI-5 Security Alerts and Advisories: Scottish Pride receives information system security alerts/advisories on a regular basis, issues alerts/advisories to appropriate personnel, and takes appropriate actions in response.

SI-10 Information Input Accuracy, Completeness, and Validity: The information system checks information inputs for accuracy, completeness, and validity.

SI-11 Error Handling: The information system identifies and handles error conditions in an expeditious manner.

SI-12 Output Handling and Retention: Scottish Pride handles and retains output from the information system in accordance with Scottish Pride policy and operational requirements.


APPENDIX C – YEAR-2 REQUIRED SECURITY CONTROLS

Year 2 monitoring includes all security controls that must be assessed annually (see Appendix B); in addition, a subset of the remaining security controls listed below must be assessed.

Access Controls (AC)

AC-1 Access Control Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

AC-3 Access Enforcement: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.

AC-4 Information Flow Enforcement: The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

AC-14 Permitted Actions w/o Identification or Authentication: Scottish Pride identifies specific user actions that can be performed on the information system without identification or authentication.

AC-20 Use of External Information Systems: Scottish Pride restricts the use of personally owned information systems for official U.S. Government business involving the processing, storage, or transmission of federal information.

Awareness and Training (AT)

AT-1 Security Awareness and Training Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

AT-4 Security Training Records: Scottish Pride documents and monitors individual information system security training activities including basic security awareness training and specific information system security training.


Audit and Accountability (AU)

AU-1 Audit and Accountability Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, audit and accountability policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

AU-8 Time Stamps: The information system provides time stamps for use in audit record generation.

AU-9 Protection of Audit Information: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Certification, Accreditation, and Security Assessments (CA)

CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) formal, documented, security assessment and certification and accreditation policies that address purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the security assessment and certification and accreditation policies and associated assessment, certification, and accreditation controls.

CA-2 Security Assessments: Scottish Pride conducts an assessment of the security controls in the information system annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

CA-3 Information System Connections: Scottish Pride authorizes all connections from the information system to other information systems outside of the accreditation boundary and monitors/controls the system interconnections on an ongoing basis. Appropriate Scottish Pride officials approve information system interconnection agreements.

CA-4 Security Certification: Scottish Pride conducts an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

CA-5 Plan of Action and Milestones: Scottish Pride develops and updates quarterly a POA&M for the information system that documents Scottish Pride’s planned, implemented, and evaluated remedial actions to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.

CA-7 Continuous Monitoring: Scottish Pride monitors the security controls in the information system on an ongoing basis.


Configuration Management (CM)

CM-1 Configuration Management Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, configuration management policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

Contingency Planning (CP)

CP-1 Contingency Planning Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

Identification and Authentication (IA)

IA-1 Identification and Authentication Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, identification and authentication policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

IA-3 Device Identification and Authentication: The information system identifies and authenticates specific devices before establishing a connection.

Incident Response (IR)

IR-1 Incident Response Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, incident response policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.

IR-3 Incident Response Testing and Exercises: Scottish Pride tests the incident response capability for the information system at least annually using automated mechanisms for high systems to determine the incident response effectiveness and documents the results.

IR-4 Incident Handling: Scottish Pride implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.


IR-7 Incident Response Assistance: Scottish Pride provides an incident support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of Scottish Pride’s incident response capability.

Maintenance (MA)

MA-1 System Maintenance Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, information system maintenance policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

Media Protection (MP)

MP-1 Media Protection Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.

Physical and Environmental Protection (PE)

PE-1 Physical and Environmental Protection Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.

PE-5 Access Control for Display Medium: Scottish Pride controls physical access to information system devices that display information to prevent unauthorized individuals from observing the display output.

PE-8 Access Records: Scottish Pride maintains a visitor access log to facilities (except for those areas within the facilities officially designated as publicly accessible) that includes: (1) name and organization of the person visiting; (2) signature of the visitor; (3) form of identification; (4) date of access; (5) time of entry and departure; (6) purpose of visit; and (7) name and organization of person visited. Visitor logs are reviewed at closeout, maintained on file, and available for further review for one year.

PE-9 Power Equipment and Power Cabling: Scottish Pride protects power equipment and power cabling for the information system from damage and destruction.


PE-10 Emergency Shutoff: For specific locations within a facility containing concentrations of information system resources (e.g., data centers, server rooms, mainframe rooms), Scottish Pride provides the capability of shutting off power to any information technology component that may be malfunctioning (e.g., due to an electrical fire) or threatened (e.g., due to a water leak) without endangering personnel by requiring them to approach the equipment.

PE-11 Emergency Power: Scottish Pride provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.

PE-18 Location of Information System Components: Scottish Pride positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

Planning (PL)

PL-1 Security Planning Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, security planning policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

Personnel Security (PS)

PS-1 Personnel Security Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, personnel security policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.

Risk Assessment (RA)

RA-1 Risk Assessment Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.

RA-5 Vulnerability Scanning: Using appropriate vulnerability scanning tools and techniques, Scottish Pride scans for vulnerabilities in the information system every six months or when significant new vulnerabilities affecting the system are identified and reported.

System and Services Acquisition (SA)

SA-1 System and Services Acquisition Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, system and services acquisition policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

SA-2 Allocation of Resources: Scottish Pride determines, documents, and allocates as part of its capital planning and investment control process the resources required to protect the system.

SA-3 Life Cycle Support: Scottish Pride manages the information system using a system development life cycle methodology that includes information security considerations.

SA-5 Information System Documentation: Scottish Pride ensures that adequate documentation for the information system and its constituent components is available, protected when required, and distributed to authorized personnel.

SA-6 Software Usage Restrictions: Scottish Pride complies with software usage restrictions.

SA-8 Security Engineering Principles: Scottish Pride designs and implements the information system using security engineering principles.

System and Communication Protection (SC)

SC-1 System & Communications Protection Policy & Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, system and communications protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

SC-2 Application Partitioning: The information system separates user functionality (including user interface services) from information system management functionality.

SC-18 Mobile Code: Scottish Pride: (1) establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously; and (2) documents, monitors, and controls the use of mobile code within the information system. Appropriate Scottish Pride officials authorize the use of mobile code.

SC-19 Voice Over Internet Protocol: Scottish Pride: (1) establishes usage restrictions and implementation guidance for Voice Over Internet Protocol (VOIP) technologies based on the potential to cause damage to the information system if used maliciously; and (2) documents, monitors, and controls the use of VOIP within the information system. Appropriate Scottish Pride officials authorize the use of VOIP.

SC-20 Secure Name/Address Resolution Service (Authoritative Source): The information system that provides name/address resolution service provides additional data origin and integrity artifacts along with the authoritative data it returns in response to resolution queries.


SC-22 Architecture and Provisioning For Name/Address Resolution Service: The information systems that collectively provide name/address resolution service for Scottish Pride are fault tolerant and implement role separation.

System and Information Integrity (SI)

SI-1 System and Information Integrity Policy and Procedures: Scottish Pride develops, disseminates, and periodically reviews/updates: (1) a formal, documented, system and information integrity policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.


APPENDIX D – YEAR-3 REQUIRED SECURITY CONTROLS

Year 3 monitoring includes all security controls that must be assessed annually (see Appendix B); in addition, the subset of security controls listed below that were not assessed during Year 2 must be assessed.

Access Controls (AC)

AC-5 Separation of Duties: The information system enforces separation of duties through assigned access authorizations.

AC-6 Least Privilege: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.

AC-8 System Use Notification: The information system displays an approved, system use notification message before granting system access informing potential users: (1) that the user is accessing a U.S. Government information system; (2) that system usage may be monitored, recorded, and subject to audit; (3) that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (4) that use of the system indicates consent to monitoring and recording. The system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries) and remains on the screen until the user takes explicit actions to log on to the information system.

AC-12 Session Termination: The information system automatically terminates a session after ten minutes of inactivity.

AC-18 Wireless Access Restrictions: Scottish Pride: (1) establishes usage restrictions and implementation guidance for wireless technologies; and (2) documents, monitors, and controls wireless access to the information system. Appropriate Scottish Pride officials authorize the use of wireless technologies.

AC-19 Access Control for Portable and Mobile Systems: Scottish Pride: (1) establishes usage restrictions and implementation guidance for portable and mobile devices; and (2) documents, monitors, and controls device access to Scottish Pride networks. Appropriate Scottish Pride officials authorize the use of portable and mobile devices.

Certification, Accreditation, and Security Assessments (CA)

CA-6 Security Accreditation: Scottish Pride authorizes (i.e., accredits) the information system for processing before operations and updates the authorization every 3 years. A senior Scottish Pride official signs and approves the security accreditation.


Identification and Authentication (IA)

IA-2 User Identification and Authentication: The information system uniquely identifies and authenticates users (or processes acting on behalf of users).

Media Protection (MP)

MP-2 Media Access: Scottish Pride ensures that only authorized users have access to information in printed form or on digital media removed from the information system.

MP-4 Media Storage: Scottish Pride physically controls and securely stores information system media, both paper and electronic, based on the highest FIPS 199 security category of the information recorded on the media.

Planning (PL)

PL-2 System Security Plan: Scottish Pride develops and implements a security plan for the information system that provides an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements. Designated officials within Scottish Pride review and approve the plan.

PL-5 Privacy Impact Assessment: Scottish Pride conducts a privacy impact assessment on the information system.

Personnel Security (PS)

PS-2 Position Categorization: Scottish Pride assigns a risk designation to all positions and establishes screening criteria for individuals filling those positions. Scottish Pride reviews and revises position risk designations periodically in accordance with Office of Personnel Management (OPM) guidance.

PS-8 Personnel Sanctions: Scottish Pride employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.


Risk Assessment (RA)

RA-2 Security Categorization: Scottish Pride categorizes the information system and the information processed, stored, or transmitted by the system in accordance with FIPS 199 and documents the results (including supporting rationale) in the system security plan. Designated senior-level officials within Scottish Pride review and approve the security categorizations.

RA-3 Risk Assessment: Scottish Pride conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.

RA-4 Risk Assessment Update: Scottish Pride updates the risk assessment every three years or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system.

System and Services Acquisition (SA)

SA-9 External Information System Services: Scottish Pride ensures that third-party providers of information system services employ adequate security controls in accordance with applicable federal laws, directives, policies, regulations, standards, guidance, and established service level agreements. Scottish Pride monitors security control compliance.

SA-11 Developer Security Testing: The information system developer creates a security test and evaluation plan, implements the plan, and documents the results. Developmental security test results may be used in support of the security certification and accreditation process for the delivered information system.

System and Communication Protection (SC)

SC-5 Denial of Service Protection: The information system protects against or limits the effects of denial of service attacks on devices within Scottish Pride’s internal network.

SC-9 Transmission Confidentiality: The information system protects the confidentiality of transmitted information.

SC-10 Network Disconnect: The information system terminates a network connection at the end of a session or after ten minutes of inactivity.

SC-14 Public Access Protections: For publicly available systems, the information system protects the integrity of the information and applications.

SC-23 Session Authenticity: The information system provides mechanisms to protect the authenticity of communications sessions.


System and Information Integrity (SI)

SI-3 Malicious Code Protection: The information system implements malicious code protection that includes a capability for automatic updates.

SI-8 Spam and Spyware Protection: The information system implements spam and spyware protection.

SI-9 Information Input Restrictions: Scottish Pride restricts the information input to the information system to authorized personnel only.
