A formal policy provides the authority and guidance necessary to develop an effective contingency plan. This publication assists organizations in understanding the purpose, process, and format of information system contingency planning development through practical, real-world guidelines. Vulnerability - A flaw or weakness in system security procedures, design, implementation, internal controls, etc. The action plan serves as guidance for reaching a Full System Certification status. These pervasive weaknesses introduce risks that could allow malicious or unintentionally dangerous users to read, modify, delete or otherwise damage information or disrupt operations. Adequate security - Security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Since the protection requirements for more sensitive or highly classified levels of data usually encompass those of lower levels, one approach is to treat all data on the system as if it were of a sensitivity or classification of the highest level existing on the system. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Authorize processing is synonymous with the term Certification. The two primary impact points of any business disruption are the operational impact and the financial impact. Responsibilities for the various activities that comprise the Risk Assessment process are delineated below. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs. Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.
This means that risk is not a single factor or event, but rather a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization. This document provides guidance to help personnel evaluate information systems and operations to determine contingency planning requirements and priorities. A successful exercise of a vulnerability results in a reduction in the grounds for confidence in the system. The materials will be updated annually, as appropriate. This guidance document provides background information on interrelationships between information system contingency planning and other types of security and emergency management-related contingency plans, organizational resiliency, and the system development life cycle. The following documents are listed in the Information Systems Security Assessment Guide.
Such weaknesses may be identified by auditors or by management. A risk assessment can be initiated at different phases of the system life cycle. Accountability supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. She has developed customized project management training for a number of clients and has taught project management in a variety of settings. However, there are many factors to consider. A formal system risk analysis is required every three years or when a major change is made in a system.
Confidentiality - The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. The definitions provided in this guidance, which are consistent with common industry definitions, are provided to put the risk analysis discussion in context. Often, the system can be defined in the negative, i. Decisions made by this official should be based on an effective risk management program. Both the source and the nature of possible threats must be understood in order to prevent the threat from occurring.
Moderate - The threat-source exists, but countermeasures are in place that will impede successful exercise of the vulnerability. Supplemental Guidance: Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Various criteria are used including customer service, internal operations, legal or regulatory, and financial. Information system security is a system characteristic as well as a set of mechanisms that span the system both logically and physically. A well-structured risk assessment, when used effectively, must help management identify appropriate controls for providing the mission-essential security capabilities. In addition, threats or risks that are non-critical may not be mitigated, or they may be eliminated in the future when system software or hardware changes are made, or they may pose no immediate threat. They must also assess and incorporate results of risk assessment activity into the decision-making process.
Risk - The possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an automated information system or activity. The Information Systems Security Assessment Guide will assist you in determining the areas of responsibility of the personnel who are needed to obtain information and assistance in completing the assessment. This act requires federal agencies, consistent with the Computer Security Act of 1987 40 U. The overall objective of this step is to assess the status of present system security controls so that a detailed course of action can be developed to implement security controls that will provide the greatest return on investment. The disadvantage is that, depending on the units in which the measurement is expressed, the meaning of a quantitative threat analysis may be unclear, requiring that the result be interpreted in a qualitative manner. Periodic Review and Updates to the Risk Assessment: The risk analysis process should be ongoing.
The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Figure 4 discusses specific roles and activities in this phase. However, better efforts made in this phase will result in a more effective and easier-to-maintain system in the future. Supplemental Guidance: Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Denial of service - The prevention of authorized access to resources or the delaying of time-critical operations. Electronic media includes a single workstation as well as complex networks connected between multiple locations.
Low Impact - Threat results in unavailability, modification, disclosure, or destruction of data or degradation of system services that does not cause a significant mission impact or injury to persons. As well as determining whether administrative policies are in place and being implemented, the information listed below should come out during the interviews. This step establishes the scope of the risk assessment and provides information that is essential to defining the risk to the organization's mission or business functions. Identifies essential missions and business functions and associated contingency requirements; 2. Learn the fundamentals of developing a risk management program from the man who wrote the book on the topic: Ron Ross, computer scientist for the National Institute of Standards and Technology. Rules should cover such matters as work at home, dial-in access, connection to the Internet, use of copyrighted works, unofficial use of Federal government equipment, assignment and limitation of system privileges, and individual accountability.
Figure 7 discusses roles and activities in this phase. The Implementation Phase is typically just a bridge between Development and Operations, and the Disposal Phase is the end of the cycle; entering here makes no sense. The purpose of further manual reviews is to ensure that all the pertinent controls are assessed, and that all areas are adequately covered. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Agency - Agency, Office, Bureau, Service, etc. Typically, these countermeasures are thought of in terms of technical controls, such as access control lists or registry settings. It is important to ensure that adequate security controls have been implemented.