General Information Security Management (Procedure)

Overview and Purpose

The [variable: Covered Organization] network is a critical resource that connects people, business processes, systems, and Information Resources. Network security procedures help protect the network both from external, malicious threats and from internal errors that might compromise network connections and degrade the confidentiality, integrity, and/or availability of Information Resources connected by the network.

This procedures document sets forth guidelines for the maintenance of network security. Compliance with these guidelines should conform to the risk and threat assessments performed by IT and business management.

Coverage

All personnel who have access to [variable: Covered Organization] Information Resources.

Roles and Responsibilities

[variable: Organizational role]

  • Ensures coordination among Program area offices on IRM issues (including the Network) and activities

[variable: Organizational role]

  • Approves documents prepared by the [variable: Organizational role] for the purpose of maintaining network security.

[variable: Organizational role]

  • Approves documents prepared by [variable: Organizational role] for the purpose of maintaining network security.

[variable: Organizational role]

  • Ensures IT resources are adequately safeguarded
  • Develops and implements an overall network security plan for [variable: Covered Organization] systems
  • Issues guidelines and procedures
  • Provides oversight for [variable: Covered Organization] network security
  • Maintains a current inventory of sensitive systems and a schedule for testing systems contingency plans

Procedures

Policies, Procedures, and Guidance

The Information Security Officer (ISO) has overall responsibility for the security of the [variable: Covered Organization] network. It is the responsibility of that role to ensure that all laws, rules, policy, procedures, and guidelines applicable to network security are implemented and enforced.

Delegation of Authority

For every system, the organization must designate a role or individual that is responsible for system security. This role, which will be referred to as the Systems Administrator, may be an employee or contractor. In the latter case, security responsibilities must be specified in the terms of the contractor's engagement contract.

The Systems Administrator must know the nature of the information processed by the system (or an application on the system) and be able to apply and manage appropriate security controls. The [variable: Organizational role] must provide oversight and direction to the Systems Administrator for network security purposes. These responsibilities should be codified in the job descriptions of the roles designated as Systems Administrator, as well as of the security oversight role.

Security Plans

Every system must have an IT Security Plan that documents the security posture at a particular point in time. The [variable: Organizational role] or its appointee is responsible for the network. System owners [Note: clarify what a system owner is] are responsible for systems or applications on the network.

The IT Security Plan reports the outcome of the IT security planning process. IT Security Plans are considered sensitive documents and must be protected as such, although they must also be available to the ISO and to other security, application, project, and program managers as needed to execute security plan requirements. In addition, the IT Security Plan must be made available to officials such as database owners and authorized external auditors, as required. The IT Security Plan must be updated whenever major changes to equipment, software, configurations, or network infrastructure affect an application or system. IT Security Plan content must be reviewed periodically, at least every [variable: time period], to ensure it remains relevant and accurately reflects the Organization's risk posture, business processes, and technology environment. An IT Security Plan remains in effect until a new plan is issued; however, the maximum time that may elapse before issuing a new plan is [variable: time period].

Procurement (Acquisition)

The [variable: Organizational role] must certify every significant planned IT procurement in order to ensure that the proposed resource meets information security requirements. This certification requirement is further described in the Security Lifecycle Standard.

Periodic Review

The [variable: Organizational role(s)] must periodically perform risk, threat, and/or vulnerability reviews of information security controls in order to ensure that security plans continually reflect technology changes and upgrades, risk profiles and organizational risk tolerance, policy and procedure updates, and shifting organizational roles. The scope and frequency of control reviews may vary, depending on the stability of the operational environment and the degree of system or process risk that management deems acceptable. The maximum time that may elapse between risk, threat, and/or vulnerability analyses is [variable: time period].

Designated Approval Authority (DAA)

The ISO or a designated representative acts as the Designated Approval Authority. As such, s/he has overall responsibility and authority to accept or defer acceptance of information security controls. The ISO may be responsible for issuing system security certification and accreditation statements that record the decision to accept security controls.

The DAA must be at an organizational level such that s/he has authority to 1) evaluate the overall mission requirements of information systems and 2) provide definitive direction to system developers or owners regarding the risk in the security posture of the systems.

By signing the authorization “to process,” the DAA accepts responsibility for the level of risk inherent in the system. Before a new, or significantly changed system or application can become operational, the following must occur:

  • Assurance by [variable: Organizational role] that an IT Security Plan is in place, up-to-date, and being followed
  • Authorization by [variable: Organizational role] in writing that the use of the system, based on the IT Security Plan, presents an acceptable level of risk to the system and the information it processes

Systems must be re-authorized periodically: every time they undergo a significant change, or at least once every [variable: time period]. A record of the written authorization must be associated with the IT Security Plan.

Systems Continuity/Contingency Plans

A Systems Continuity/Contingency plan is required for each general support system and major application. Plans must be approved in writing and retained by [variable: Organizational role(s)]. Systems Continuity and Contingency Plans are considered sensitive documents and must be protected as such. They must be available to [variable: Organizational role(s)]. In addition, they must be made available to officials such as database owners, internal auditors, and authorized external auditors, as required.

Systems Continuity/Contingency plans must be updated periodically, at least once every [variable: time period]. Plans must also be tested as needed, not less frequently than once every [variable: time period].

System Documentation Reviews

At least once every [variable: time period], System Administrators must review the documentation for systems that are under the control of their organization. The purpose of these reviews is to ensure that significant changes to systems are brought to management’s attention and that any necessary corrective actions can be planned, budgeted, and implemented. If no significant changes have occurred, this status should be reported to the [variable: Organizational role], who shall notify the ISO or a designated representative.

Security Awareness and Training

The [variable: Organizational role] is responsible for ensuring that all [variable: Covered Organization] information system users understand network security goals, controls, and requirements.

New employees should receive general information security training within [variable: time period] of the start of employment. All general users (including contractors) must receive periodic information security awareness training. Executives and managers must receive IT security awareness training at the program management level. System Administrators, Database Owners, and System Security Professionals must receive security awareness training commensurate with their system access and responsibilities.

Incident Reporting and Response

The [variable: Organizational role] ensures that policies and procedures are established and maintained for recognizing, responding to, and reporting information security incidents. The [variable: Organizational role] appoints in writing a formal Incident Response Team and provides direction to that team.

The [variable: Organizational role] reports incidents to the [variable: Organizational role(s)], as required in accordance with [variable: Covered Organization or system] guidelines. The [variable: Organizational role] has ultimate responsibility for the safeguarding of corporate and information assets.

In the event that [variable: Covered Organization or system] is compromised, producing loss of system confidentiality, integrity, or availability, the [variable: Organizational role] must discuss with the Director(s) of the affected system(s) whether to investigate the incident. If investigation is indicated, the [variable: Organizational role(s)] ensures that proper forensic procedures are implemented to preserve evidence. The [variable: Organizational role(s)] works closely with the ISO, System Administrator, and relevant business units throughout the investigative and prosecution process.

If the [variable: Covered Organization] Web site or other public-facing system is compromised, the [variable: Organizational role(s)] also works closely with the internal Public Relations team. All external inquiries are directed to the Public Relations team.

Enforcement

Gross negligence or willful disregard of these procedures can result in disciplinary action that may include termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [variable: Covered Organization] Information Resources access privileges and to civil and criminal prosecution.

Supporting Documentation

This procedure is supported by the following rules, standards, and policies:

  • [variable: internal documents (with links, if available)]
  • [variable: external documents (with links, if available)]

Procedure Support Contact

  • [variable: title (not personal name) of role responsible for overseeing this procedure]
  • [variable: Contact information of office responsible for overseeing this procedure]
