• Document: SECURITY PLAN DRAFT For Major Applications and General Support Systems
  • Size: 207.35 KB
  • Uploaded: 2018-12-08 21:50:51


SECURITY PLAN DRAFT
For Major Applications and General Support Systems

TABLE OF CONTENTS

EXECUTIVE SUMMARY

A. APPLICATION/SYSTEM IDENTIFICATION

A.1 Application/System Category
• Indicate whether the application/system is a Major Application or a General Support System.
• A Major Application is "an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application."
• A General Support System is an "interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people."

A.2 Application/System Name/Title
• Unique identifier & name given to the application/system.

A.3 Responsible Organization
• Organization responsible for the application/system.

A.4 Information Contact(s)
• The owner(s) of the application/system and at least one other manager expertly knowledgeable about it.
  -- Name
  -- Title
  -- Address
  -- Phone Number
  -- Fax Number
  -- E-mail Address

A.5 Assignment of Security Responsibility
• Person(s) responsible for security of the application/system and an alternate emergency contact.
  -- Name
  -- Title
  -- Address
  -- Phone Number
  -- Fax Number
  -- E-mail Address
• Describe the roles and responsibilities of all users having access to the application/system. Include the approximate number of authorized users and their physical location.

A.6 Application/System Operational Status
• If more than one status is selected, list which part(s) of the application/system are covered under each status.
  -- Operational
  -- Under Development
  -- Undergoing a major modification

A.7 General Description/Purpose
• Describe the function or purpose of the application/system and the information processed.
• Describe the processing flow of the application/system from input to output.
• List user organizations (internal & external) and the type of data and processing provided.

A.8 Application/System Environment
• Provide a general description of the technical application/system. Include any environmental or technical factors that raise special security concerns (dial-up lines, open network, etc.). Include a diagram of the architecture here or in an appendix, if applicable.
• Describe the primary computing platform(s) used and the principal application/system components, including hardware, software, and communications resources.
• Include any security software protecting the application/system and information.
• List the physical location(s) of the application/system.

A.9 Application/System Interconnection/Information Sharing
The NIST Guide strongly recommends that written authorization, such as a memorandum of understanding (MOU) or a memorandum of agreement (MOA), be obtained prior to connection with other applications/systems and/or sharing sensitive data/information. This section should list any such agreements. The written authorization should detail the rules of behavior and controls that must be maintained by the interconnecting systems.
• List interconnected applications/systems and application/system identifiers (if appropriate).
• If connected to an external application/system not covered by a security plan, provide a brief discussion of any security concerns that need to be considered for protection.
• A description of the rules for interconnecting applications/systems and for protecting shared data must be included with this security plan.

A.10 Applicable Laws or Regulations Affecting the Application/System
• List any laws or regulations that establish specific requirements for confidentiality, integrity, or availability of data/information in the application/system.

A.11 Information Sensitivity and Criticality Assessment
All applications/systems require protection for confidentiality, integrity, and availability. The level of protection required is determined by an evaluation of the sensitivity and criticality of the information processed, the relationship of the application/system to the organization's mission, and the economic value of the application/system components. The sensitivity and criticality of the information stored within, processed by, or transmitted by an application/system provide a basis for the value of the application/system and are one of the major factors in risk management. A description of the types of information handled by the application/system and an analysis of the criticality of that information are required. This description and analysis will assist in designing securi