System Security Plan for Trading Partners (Vendors)
[System Name & Acronym]
Version 1.1
November 8, 2013

Trading Partners: [System Name] System Security Plan, Version 1.1, [Date], HHSC CONFIDENTIAL

This document contains confidential information for HHSC Official Use Only. It shall not be duplicated, used, or disclosed in whole or in part without prior written permission from the Information Security Assurance office.

SSP: [System Name]   SSP [Date] and Version: 1.1

TABLE OF CONTENTS

DOCUMENT HISTORY
REVIEW LOG
1 PURPOSE
  1.1 Overview
2 SYSTEM IDENTIFICATION
  2.1 SYSTEM NAME / TITLE
  2.2 RESPONSIBLE ORGANIZATION
  2.3 DESIGNATED CONTACTS
  2.4 ASSIGNMENT OF SECURITY RESPONSIBILITY
  2.5 DESCRIPTION OF THE BUSINESS PROCESS
    2.5.1 System Location
    2.5.2 System Data Flows
    2.5.3 System Confidential Data Transfer Inventory
  2.6 DESCRIPTION OF OPERATIONAL/SYSTEM ENVIRONMENT AND SPECIAL CONSIDERATIONS
    2.6.1 System Information/Components
    2.6.2 User Community Organizations and Access
    2.6.3 Architecture and Topology
  2.7 SYSTEM INTERCONNECTION / INFORMATION SHARING
  2.8 APPLICABLE LAWS OR REGULATIONS
3 SECURITY CATEGORIZATION AND CLASSIFICATION
  3.1 Data Classification
  3.2 System Categorization (Potential Impact of Security Breach)
4 HHS SECURITY CONTROL FRAMEWORK
  4.1 Security Control Class Areas
5 INFORMATION SECURITY CONTROL PHASES
  5.1 PHASE 1 – Priority 1
    5.1.1 Impact 1 Controls
    5.1.2 Impact 2 Controls
    5.1.3 Impact 3 Controls
    5.1.4 Impact 4 Controls

DOCUMENT HISTORY

Revision History. Numbering convention: Version.Revision as n.xx. Pre-publication drafts are 0.xx; the first published version is 1.00; for minor revisions to a published document, increment the decimal number (e.g., 1.01); for major content upgrades to a published document, increment the leading whole number (e.g., 2.00).

Revision | Date | Description
0.01 | 01-2013 | Initial document distributed by the Office of the Chief Information Security Officer (CISO).
1.0 | 03-2013 | First published version of the document distributed by the Office of the Chief Information Security Officer (CISO).
1.1 | 11-2013 | Restructured the document for improved flow of required information. Removed the RA-5 control and the "XX-1" policy controls (e.g., AC-1, CM-1, etc.). Included the Confidential Data transfer inventory.

REVIEW LOG

This SSP Review Log is maintained to record the reviews that have taken place for this system. The review log should be completed by entering the data from each column in the appropriate row. The log may also be completed by using a pen.

Date of Review | Staff Name of Reviewer | Organization of Reviewer

1 PURPOSE

The purpose of the [System Name] System Security Plan (SSP) is to document the current level of existing security controls within the [System Name] Information System that protect the confidentiality, integrity, and availability (CIA) of the data that it processes, stores, and transmits. Texas Administrative Code (TAC) 202.20 states: "Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources." The SSP assists Information/Business Owners, Information Custodians, System Developers/Maintainers, and other information resource personnel in meeting the Federal and State laws and Agency requirements that call for system security plans.

1.1 Overview

The SSP provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. The SSP is also used as a tool to perform a risk assessment for the system. The Risk Assessment identifies potential threats and vulnerabilities in the information system, analyzes planned or actual security controls and the potential impacts on operations and assets, and determines the expected risk. All business processes operate with some level of risk, and one of the most effective ways to protect these business processes is through the implementation of effective internal security controls, risk evaluation, and risk management (RM).
The SSP is comprised of three main sections: section 2, System Identification, highlights the overall system and business design and functionality; section 3, Security Categorization and Classification, records the classification of the data and the potential impact of a security breach; and section 5, Information Security Control Phases (Security Control Details), provides a detailed description of the implementation of each security control. To facilitate compliance and implementation of the control suite, a prioritized baseline of information security controls was developed. Internal and external audit findings, recommendations from the Consensus Audit Guidelines (CAG) and the Centers for Medicare & Medicaid Services (CMS), and security best practices were used to develop the prioritized baseline of controls. The phases and release order are organized using this methodology. This security plan, at a minimum, is marked, handled, and controlled as a confidential document. In addition, the security plan is dated for ease of tracking modifications and approvals.

2 SYSTEM IDENTIFICATION

2.1 SYSTEM NAME / TITLE

This section describes the official name and/or title of the system, including its acronym.

System Identifier (Response Data)
  Official System Name:
  System Acronym:

2.2 RESPONSIBLE ORGANIZATION

This section describes the contact information for the organization responsible for the system.

HHSC Internal (Response Data)
  Name of Organization:
  Address:
  City, State, Zip:
  Contact Number:

2.3 DESIGNATED CONTACTS

This section describes the names of contact personnel who can address inquiries regarding system characteristics and operation.
Business/Information Owner (Response Data)
  Name:
  Title:
  Organization:
  Address:
  E-Mail:
  Phone Number:

Information Custodian (System Developer/Maintainer) (Response Data)
  Name:
  Title:
  Organization:
  Address:
  E-Mail:
  Phone Number:

SSP Author (Response Data)
  Name:
  Title:
  Organization:
  Address:
  City, State, Zip:
  E-mail:
  Phone Number:

2.4 ASSIGNMENT OF SECURITY RESPONSIBILITY

Individual[s] Responsible for Security (Response Data)
  Name:
  Title:
  Organization:
  Address:
  Mail stop:
  City, State, Zip:
  E-mail:
  Phone Number:
  Emergency Contact (daytime): (name, phone & email)

Component ISSO (Response Data)
  Name:
  Title:
  Organization:
  Address:
  Mail stop:
  City, State, Zip:
  E-mail:
  Phone Number:
  Emergency Contact (daytime): (name, phone & email)

2.5 DESCRIPTION OF THE BUSINESS PROCESS

Describe the following:
- The business function/process for the system.
- Who the system serves.
- The type of data it utilizes.
- Third-party (vendor) involvement with the system.
- The users' level of access to system-related data (read-only, alter, etc.).

2.5.1 System Location

The physical location and a description of the location for the [System Name] system are documented in Table 2.5.1.

Table 2.5.1: [System Name] System Locations
Location Name | Description
Production Data Center | Owned by HHSC. Operated by:
Backup Data Center | Owned by HHSC. Operated by:

2.5.2 System Data Flows

Describe how information flows through and is processed by the system, beginning with system input through system output. Further describe how the data/information is processed by the system. Attach the Data Flow Chart here.
2.5.3 System Confidential Data Transfer Inventory

Table 2.5.3 describes the confidential data transfer inventory for the system.

Table 2.5.3: Confidential Data Transfer Inventory
Name of Transfer | Data Transfer Applicable Law | Method of Transfer | Physical Address (for physical transfer) | Generation Server | Destination Server | Frequency | Contact Information

2.6 DESCRIPTION OF OPERATIONAL/SYSTEM ENVIRONMENT AND SPECIAL CONSIDERATIONS

This section describes the system's operating environment, technical aspects, architecture, platforms, network connectivity, and additional security considerations.

2.6.1 System Information/Components

Indicate a high-level asset inventory for each component of the system.

Table 2.6.1: Components
Server Names | Description | Function | Server Types (Operating System)
1. Data Transmission Servers (e.g., FTP, SFTP) | | |
2. Application Servers (e.g., Unix/Linux) | | |
3. Database Servers (e.g., Oracle 10g, 11g) | | |
Storage Area Network (SAN) | | |
Access Management (e.g., Identity Manager, Novell, 4743 forms) | | |
Other (specify) | | |

2.6.2 User Community Organizations and Access

Table 2.6.2 describes the level of access for the system's privileged users.

Table 2.6.2: User Community Level of Access
User Group | Organization | Internal/External | Component | Data Access | Facility Access | IT Resource Access

2.6.3 Architecture and Topology

Describe the architecture of the system. Attach the network connectivity diagram (network topology diagram).
2.7 SYSTEM INTERCONNECTION / INFORMATION SHARING

Include in this section the following information concerning the authorization for the connection to other systems or the sharing of information:
(1) The list/name of each interconnected system;
(2) The type of interconnection (TCP/IP, dial-up, SNA, etc.);
(3) A discussion of how the systems will interact, and the security concerns and Rules of Behavior of the other systems that need to be considered in the protection of this system.

Table 2.7: System Interconnection / Information Sharing
Name/Unique Identifier | Type of Interconnection (e.g., SFTP, HTTPS, Web Services, etc.) | Interaction Details and Security Considerations

2.8 APPLICABLE LAWS OR REGULATIONS

Law/Regulation/Policy | Applicable
Texas Administrative Code (TAC) 202 |
HHS Enterprise Information Security Standards and Guidelines (EISSG) |
Health Insurance Portability and Accountability Act (HIPAA) |
Internal Revenue Service (IRS) Publication 1075 Guidelines |
Social Security Administration (SSA) Guidelines |
Centers for Medicare and Medicaid Services (CMS) |
Identity Theft Enforcement and Protection Act |
Federal Information Security Management Act (FISMA) |
Other (specify below): |

3 SECURITY CATEGORIZATION AND CLASSIFICATION

System Classification as per TAC 202

Below is the definition from TAC 202 for ranking systems as "High," "Medium," or "Low," based primarily on the following criteria:

High Risk: Information resources that
(A) Involve large dollar amounts or significantly important transactions, such that business or government processes would be hindered or an impact on public health or safety would occur if the transactions were not processed timely and accurately; or
(B) Contain confidential or other data such that unauthorized disclosure would cause real damage to the parties involved; or
(C) Impact a large number of people or interconnected systems.

Medium Risk: Information resources that
(A) Transact or control a moderate or low dollar value; or
(B) Contain data items that could potentially embarrass or create problems for the parties involved if released; or
(C) Impact a moderate proportion of the customer base.

Low Risk: Information resources that
(A) Publish generally available public information; or
(B) Result in a relatively small impact on the population; or

3.1 Data Classification

The HHS Data Classification Standard applies equally to all individuals who use or handle any HHS Information Resource. HHS data created, sent, printed, received, or stored on systems owned, leased, administered, or authorized by the HHS agency are the property of the HHS agency, and their protection is the responsibility of the HHS owners, designated custodians, and users. Data shall be classified as follows, from the highest level of sensitivity to the lowest:

Restricted (which includes 'IRS FTI' and 'Verified SSA'): Data that is subject to specific federal or state regulatory requirements and must (a) remain encrypted at all times while at rest, in use, or during transmission, (b) be comprehensively monitored for access/distribution, and (c) be provided with comprehensive access, distribution, and audit controls.

Confidential (which includes 'SPI', 'PI', 'PII', 'PHI', or 'LEA'): Data that is subject to specific federal or state regulatory requirements and must (a) be encrypted during transmission to an outside agent or when stored on a mobile device, (b) be monitored, and (c) be provided with strong access, distribution, and audit controls.

Agency Internal: Data that is not subject to specific regulatory or other external requirements but is considered HHS sensitive.

Public: Information intended or required for public release as described in the Texas Public Information Act.

Specify the classification of data relative to this security plan.

Data Classification Standard:
  Restricted Data/Information
  Confidential Data/Information
  Agency Internal
  Public Information

3.2 System Categorization (Potential Impact of Security Breach)

Security Categorization of Information
Description of Information/System Component | Confidentiality Impact (L / M / H) | Integrity Impact (L / M / H) | Availability Impact (L / M / H) | Overall Impact
Potential Impact of Security Breach | | | |

4 HHS SECURITY CONTROL FRAMEWORK

4.1 Security Control Class Areas

The HHS security program makes extensive use of the information security guidance found in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and the Appendix J document. This guidance has been adapted to the unique HHS environment and provides the fundamental security principles on which this security control framework is built. The security program framework is divided into four program class areas: Management, Operational, Technical, and Privacy. Each program class area is further divided into a set of security families. There are a total of 26 control families, each producing a high-level security policy. Each family has a two-letter identifier that is the prefix of the Control ID; see the column labeled "Family ID" in Table 1.

Management Control Class Area: Focuses on policies that relate to the management of risk and the management of the HHS security program.
This class consists of five security policies: Security Assessment and Authorization, Planning, Program Management, Risk Assessment, and System Services and Acquisition.

Operational Control Class Area: Focuses on policies that are primarily implemented and executed by people rather than by the information system. This class consists of nine security policies: Awareness and Training, Configuration Management, Contingency Planning, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Personnel Security, and System and Information Integrity.

Technical Control Class Area: Focuses on policies that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. This class consists of four security policies: Access Control, Audit and Accountability, Identification and Authentication, and System and Communications Protection.

Privacy Control Class Area: Focuses on policies that define the administrative, technical, and physical safeguards employed to protect HHS Restricted and Confidential Information.

Each of the security policies has a number of supporting security controls that, when implemented and enforced, will satisfy the requirements of the security policy. There are a total of 197 controls, including the Security and Privacy Controls.

Table 1: Organization of Policies and Controls

Control Class Area | Item Number | Family ID | Policy Family Name | Number of Security Controls
Management | 1 | CA | Security Assessment and Authorization (formerly Certification, Accreditation, and Security Assessment) | 6
Management | 2 | PL | Planning | 5
Management | 3 | PM | Program Management | 11
Management | 4 | RA | Risk Assessment | 4
Management | 5 | SA | System Services and Acquisition | 11
Operational | 6 | AT | Awareness and Training | 4
Operational | 7 | CM | Configuration Management | 9
Operational | 8 | CP | Contingency Planning | 9
Operational | 9 | IR | Incident Response | 8
Operational | 10 | MA | Maintenance | 6
Operational | 11 | MP | Media Protection | 6
Operational | 12 | PE | Physical and Environmental Protection | 18
Operational | 13 | PS | Personnel Security | 8
Operational | 14 | SI | System and Information Integrity | 11
Technical | 15 | AC | Access Control | 16
Technical | 16 | AU | Audit and Accountability | 13
Technical | 17 | IA | Identification and Authentication | 8
Technical | 18 | SC | System and Communications Protection | 21
Privacy | 19 | AP | Authority and Purpose | 2
Privacy | 20 | AR | Accountability, Audit, and Risk Management | 6
Privacy | 21 | DI | Data Quality and Integrity | 2
Privacy | 22 | DM | Data Minimization and Retention | 2
Privacy | 23 | IP | Individual Participation and Redress | 4
Privacy | 24 | SE | Security | 2
Privacy | 25 | TR | Transparency | 2
Privacy | 26 | UL | Use Limitation | 3
TOTAL | | | | 197

5 INFORMATION SECURITY CONTROL PHASES

5.1 PHASE 1 – Priority 1

5.1.1 Impact 1 Controls

Control ID | Control Name | Description of Control | Status

Control ID: AC-2 (1) (2) (3) (4)
Control Name: Account Management
Description of Control: The HHS organization manages HHS information system accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required, when HHS users are terminated or transferred, or when HHS information system usage or need-to-know/need-to-share changes;
h. Deactivating (i) temporary accounts that are no longer required and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on (i) a valid access authorization, (ii) intended system usage, and (iii) other attributes as required by HHS or associated missions/business functions; and
j. Reviewing accounts every six months.
(1) Employs automated mechanisms to support the management of accounts.
(2) HHS information systems automatically terminate emergency accounts within 24 hours and temporary accounts with a fixed duration not to exceed 12 months.
(3) HHS information systems disable inactive privileged accounts after sixty (60) days and inactive non-privileged accounts after ninety (90) days.
(4) HHS information systems automatically audit account creation, modification, disabling, and termination actions and notify appropriate individuals, as required.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Regulate the access provided to contractors and define security requirements for contractors.
[ii] Accounts do not have the same user or account name.
[iii] Accounts have not been assigned the same uid.
[iv] Accounts are locked after 90 days of inactivity.
[v] Unused default accounts will be disabled.
[vi] Implement centralized control of user access administrator functions.
Security Control Implementation Details:

Control ID: AC-3
Control Name: Access Enforcement
Description of Control: The HHS organization enforces approved authorizations for logical access to the system in accordance with applicable policy.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
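The AC-2 requirements above, in particular enhancement (3) and additional criteria [ii] through [v], can be checked mechanically against an exported account inventory. What follows is an added illustration in Python, not part of the HHSC template; the record format, the inventory contents and the account kinds are constructed assumptions. It applies the 60-day threshold of enhancement (3) to privileged accounts and the 90-day threshold to all others, and it also flags temporary and emergency accounts that have no expiry or whose expiry has passed, which is what requirement h(i) and enhancement (2) ask for.

```python
"""AC-2 account-management checks over a constructed account inventory.

Added example, not part of the HHSC template. Record format (constructed):
name:uid:privileged:last_login:kind:expires, where last_login and expires
are ISO dates or '-' (never / none) and kind is one of
individual|system|default|temporary|emergency.
"""
from collections import Counter
from datetime import date

PRIV_INACTIVE_DAYS = 60      # AC-2 (3): privileged accounts
NONPRIV_INACTIVE_DAYS = 90   # AC-2 (3) and additional criterion [iv]

ACCOUNT_INVENTORY = """\
# name:uid:privileged:last_login:kind:expires   (constructed sample)
alice:1001:no:2013-10-30:individual:-
bob:1002:yes:2013-08-01:individual:-
carol:1003:no:2013-06-15:individual:-
bob:1004:no:2013-11-01:individual:-
dave:1003:no:2013-11-02:individual:-
guest:1500:no:-:default:-
backup_svc:1600:yes:2013-11-05:system:-
tmp_audit:1700:no:2013-10-01:temporary:2013-10-31
emerg_fix:1800:yes:2013-11-07:emergency:-
"""


def _parse_date(field):
    return None if field == "-" else date.fromisoformat(field)


def parse_inventory(text):
    """Parse the colon-separated inventory into a list of account dicts."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, uid, priv, last, kind, expires = line.split(":")
        accounts.append({
            "name": name, "uid": int(uid), "privileged": priv == "yes",
            "last_login": _parse_date(last), "kind": kind,
            "expires": _parse_date(expires),
        })
    return accounts


def audit_accounts(accounts, today):
    """Return findings keyed by the AC-2 requirement each one maps to."""
    name_counts = Counter(a["name"] for a in accounts)
    uid_counts = Counter(a["uid"] for a in accounts)
    findings = {
        # criterion [ii]: no two accounts share a user/account name
        "duplicate_name": sorted(n for n, c in name_counts.items() if c > 1),
        # criterion [iii]: no two accounts share a uid
        "duplicate_uid": sorted(a["name"] for a in accounts
                                if uid_counts[a["uid"]] > 1),
        "inactive": [], "unused_default": [],
        "expired_temporary": [], "missing_expiry": [],
    }
    for a in accounts:
        # (3): disable after 60 days (privileged) or 90 days (non-privileged)
        limit = PRIV_INACTIVE_DAYS if a["privileged"] else NONPRIV_INACTIVE_DAYS
        if a["last_login"] is not None and (today - a["last_login"]).days > limit:
            findings["inactive"].append(a["name"])
        # criterion [v]: default accounts that were never used are disabled
        if a["kind"] == "default" and a["last_login"] is None:
            findings["unused_default"].append(a["name"])
        # h(i) and (2): temporary/emergency accounts carry an expiry and are
        # deactivated once it has passed
        if a["kind"] in ("temporary", "emergency"):
            if a["expires"] is None:
                findings["missing_expiry"].append(a["name"])
            elif a["expires"] < today:
                findings["expired_temporary"].append(a["name"])
    return findings


def run_audit(inventory_text=ACCOUNT_INVENTORY, today_iso="2013-11-08"):
    return audit_accounts(parse_inventory(inventory_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for key, names in run_audit().items():
        print(f"{key}: {names or 'none'}")
```

Run against the sample, the audit reports bob twice under duplicate name, carol and dave sharing uid 1003, bob (privileged, 99 days idle) and carol (146 days idle) as inactive, the never-used guest account, the expired tmp_audit account and the emergency account that was created without an expiry. Each finding line corresponds to a row the Security Control Implementation Details for AC-2 should be able to explain.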
Control ID: AC-6 (1) (2)
Control Name: Least Privilege
Description of Control: The HHS organization employs the concept of least privilege, allowing only the authorized accesses for users (and processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with HHS missions and business functions.
(1) Explicitly authorizes access to privileged functions (deployed in hardware, software, and firmware) and restricts security-relevant information to explicitly authorized individuals.
(2) Requires that users of HHS information system accounts, or roles, with access to security functions or security-relevant information use non-privileged accounts, or roles, when accessing other system functions, and, if feasible, audits any use of privileged accounts, or roles, for such functions.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Contractors must be provided with minimal system and physical access, and must agree to and support the HHS security requirements.
Security Control Implementation Details:

Control ID: AU-2 (3) (4)
Control Name: Auditable Events
Description of Control: The HHS organization:
a. Determines, based on a risk assessment and HHS mission/business needs, that HHS information systems must be capable of auditing the events described in "Appendix C Recommended Events for Logging" (attached file: Appendix C Recommended Events for Logging.docx);
b. Coordinates the security audit function with other HHS entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Deems the list of auditable events adequate to support after-the-fact investigations of security incidents, based on current threat information and ongoing assessment of risk; and
d. Determines, based on current threat information and ongoing assessment of risk, that the events specified in AU-2a are to be audited at the frequencies specified in the system security plan.
(3) Reviews and updates the list of auditable events annually.
(4) Includes execution of privileged functions in the list of events to be audited by the information system, including administrator and user account activities, failed and successful log-ons, security policy modifications, use of administrator privileges, system shutdowns, reboots, errors, and access authorizations.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: AU-6
Control Name: Audit Review, Analysis, and Reporting
Description of Control: The HHS organization:
a. Reviews and analyzes audit records for defined key HHS information systems on a daily basis for indications of inappropriate or unusual activity, and reports findings to designated HHS officials. Indicators include:
- Excessive logon attempt failures by single or multiple users;
- Logons at unusual/non-duty hours;
- Failed attempts to access restricted system or data files indicating a possible pattern of deliberate browsing;
- Unusual or unauthorized activity by system administrators;
- Activities (e.g., command-line activity) by a user who should not have that capability;
- System failures or errors.
b. Adjusts the level of audit review, analysis, and reporting within the HHS information systems when there is a change in risk to HHS operations, assets, and individuals based on law enforcement information, intelligence information, or other credible sources of information.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
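AU-6 a. lists the indicators the daily review looks for. As an added example, not from the HHSC template, the following Python script runs four of those checks over constructed authentication log lines: excessive logon failures (counted per user and per source address, to cover the "single or multiple users" case), logons outside duty hours, privileged command use by a user who is not an authorized administrator or whose command was refused, and repeated denied access to restricted files. The log format, the duty window (07:00 to 18:59, Monday to Friday), the thresholds and the administrator list are all assumptions chosen for the illustration.

```python
"""AU-6 daily audit-record review over constructed log lines.

Added example; not part of the HHSC template. The log format, duty window,
thresholds and administrator list below are assumptions for illustration.
"""
import re
from collections import Counter
from datetime import datetime

FAILED_LOGON_THRESHOLD = 5      # assumed: 5+ failures per day is "excessive"
DENIED_ACCESS_THRESHOLD = 3     # assumed: 3+ denials suggests deliberate browsing
DUTY_HOURS = range(7, 19)       # assumed duty window 07:00-18:59, Monday-Friday
AUTHORIZED_ADMINS = {"dave"}    # assumed: users allowed to run privileged commands

# Constructed sample; the day is Friday 2013-11-08, the last line is Saturday.
SAMPLE_LOG = """\
2013-11-08T08:01:10 app01 sshd[4011]: Accepted password for alice from 10.10.5.21
2013-11-08T08:02:00 app01 sshd[4012]: Failed password for bob from 10.10.5.30
2013-11-08T08:02:04 app01 sshd[4012]: Failed password for bob from 10.10.5.30
2013-11-08T08:02:09 app01 sshd[4012]: Failed password for bob from 10.10.5.30
2013-11-08T08:02:13 app01 sshd[4013]: Failed password for bob from 10.10.5.30
2013-11-08T08:02:18 app01 sshd[4013]: Failed password for bob from 10.10.5.30
2013-11-08T08:03:00 app01 sshd[4014]: Accepted password for bob from 10.10.5.30
2013-11-08T02:14:05 app01 sshd[3999]: Accepted publickey for carol from 10.10.5.44
2013-11-08T09:15:00 app01 sudo: carol : command not allowed ; TTY=pts/1 ; COMMAND=/bin/cat /etc/shadow
2013-11-08T09:20:00 app01 sudo: dave : TTY=pts/2 ; COMMAND=/usr/sbin/useradd tmp_audit
2013-11-08T10:00:00 app01 audit: user=bob denied access to /data/restricted/ssa_a.dat
2013-11-08T10:00:05 app01 audit: user=bob denied access to /data/restricted/ssa_b.dat
2013-11-08T10:00:09 app01 audit: user=bob denied access to /data/restricted/ssa_c.dat
2013-11-09T10:00:00 app01 sshd[4101]: Accepted password for alice from 10.10.5.21
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")            # timestamp host message
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo: (\S+) : (.*?)COMMAND=(.*)$")
DENIED_RE = re.compile(r"user=(\S+) denied access to (\S+)")


def review_audit_records(log_text):
    """Apply the AU-6 a. indicators to one day of log lines; return findings."""
    failures_by_user = Counter()
    failures_by_source = Counter()
    denials = Counter()
    off_hours = []
    priv_misuse = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp, msg = m.group(1), m.group(3)
        ts = datetime.fromisoformat(stamp)
        f = FAILED_RE.search(msg)
        if f:
            failures_by_user[f.group(1)] += 1
            failures_by_source[f.group(2)] += 1
            continue
        a = ACCEPTED_RE.search(msg)
        if a:
            # weekday() >= 5 is Saturday/Sunday; hour outside the duty window
            if ts.weekday() >= 5 or ts.hour not in DUTY_HOURS:
                off_hours.append((a.group(1), stamp))
            continue
        s = SUDO_RE.search(msg)
        if s:
            user, flags, cmd = s.group(1), s.group(2), s.group(3).strip()
            if user not in AUTHORIZED_ADMINS or "command not allowed" in flags:
                priv_misuse.append((user, cmd))
            continue
        d = DENIED_RE.search(msg)
        if d:
            denials[d.group(1)] += 1
    return {
        "excessive_failures": {u: n for u, n in failures_by_user.items()
                               if n >= FAILED_LOGON_THRESHOLD},
        "excessive_failures_by_source": {s: n for s, n in failures_by_source.items()
                                         if n >= FAILED_LOGON_THRESHOLD},
        "off_hours_logons": off_hours,
        "unauthorized_privilege_use": priv_misuse,
        "restricted_browsing": {u: n for u, n in denials.items()
                                if n >= DENIED_ACCESS_THRESHOLD},
    }


if __name__ == "__main__":
    for key, value in review_audit_records(SAMPLE_LOG).items():
        print(f"{key}: {value or 'none'}")
```

The review flags bob's five failures (all from 10.10.5.30), carol's 02:14 logon and alice's Saturday logon, carol's refused attempt to read /etc/shadow via sudo, and bob's three denied reads under /data/restricted/. Dave's useradd is not reported because he is on the authorized administrator list; the reviewer still sees it under AU-2 (4) as a privileged-function event, which is the distinction between what is logged and what is escalated.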
Security Control Implementation Details: In Place CA-5 In Place Plan of Action and Milestones The HHS organization: a. Develops a plan of action and milestones (POA&M) for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and; b. Updates and submits existing POA&M on monthly bases until all the findings are resolved based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. Security Control Implementation Details: Trading Partners: [System Name] System Security Plan Version 1.1 HHSC CONFIDENTIAL Partially in Place Not in Place N/A Partially in Place Not in Place N/A 19 November 8, 2013 SSP: [System Name] Control ID Control Name CM-2 (1) (3) (4) Baseline Configuration SSP [Date] and Version: 1.1 Description of Control Status The HHS organization: a. Develops, documents, and maintains under configuration control, a current baseline configuration of the HHS information systems. (1) Reviews and updates the baseline configuration of HHS information systems: (a) At least once annually; (b) When required due to major system changes/upgrades and; (c) As an integral part of HHS component installations and upgrades. (3) Retains older versions of baseline configurations as deemed necessary to support rollback. (4) The HHS organization: (a) Develops and maintains an Agency-defined list of software programs not authorized (black list) to execute on the information system. (b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on HHS information security components. Security Control Implementation Details: In Place CM-3 (2) In Place Configuration Change Control The HHS organization: a. Determines the types of changes to the HHS information systems that are configuration controlled; b. 
Approves configuration-controlled changes to HHS with explicit consideration for security impact analyses; c. Documents approved configuration-controlled changes to the system; d. Retains and reviews records of configuration-controlled changes to the system; e. Audits activities associated with configuration-controlled changes to the system; and; f. Coordinates and provides oversight for configuration change control activities through HHS change control board that convenes at least monthly or as needed. (2) The HHS organization tests, validates, and documents changes to HHS before implementing the changes on the operational system Security Control Implementation Details: Trading Partners: [System Name] System Security Plan Version 1.1 HHSC CONFIDENTIAL Partially in Place Not in Place N/A Partially in Place Not in Place N/A 20 November 8, 2013 SSP: [System Name] Control ID Control Name CM-8 (1) (5) Information System Component Inventory SSP [Date] and Version: 1.1 Description of Control Status The HHS organization develops, documents, and maintains an inventory of HHS information systems that: a. Accurately reflects current HHS information system components; (e.g. desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, voiceover-IP telephones, etc. The inventory of information system components includes detail such as make, model, OS, type, model, serial number, physical location, owner, and machine name). b. Is consistent with the authorization boundary of the HHS organization; c. Is at the level of granularity deemed necessary for tracking and reporting; d. Includes manufacturer, model/type, serial number, version number, location (i.e. physical location and logical position within the HHS architecture, and ownership; and; e. Is available for review and audit by designated HHS officials. 
(1) Updates the inventory of HHS information systems as an integral part of component installations, removals, and updates. (5) Verifies that all components within the authorization boundary of the HHS organization are either inventoried as a part of the system or recognized by another system as a component within that system. Security Control Implementation Details: In Place IA-2 (1) (8) In Place Identification and Authentication (HHS Users) The HHS information systems: a. Uniquely identify and authenticate HHS users (or processes acting on behalf of users). (1) Use multifactor authentication for access to privileged accounts for HHS Restricted data. (8) Use replay-resistant authentication mechanisms for network access to privileged accounts according to specific system security plan requirements. Partially in Place Not in Place N/A Partially in Place Not in Place N/A Additional Criteria: [i]. All user accounts are unique; there are no duplicate user accounts. [ii]. The new user account creation fails. HHS information systems provide a mechanism to ensure duplicate user account names are not created, e.g., using operating systems functions to manage user accounts. [iii]. The new user account creation fails; a password is required to create an account. [iv] The logon attempt fails; a password is required for identification and authentication to the application. Trading Partners: [System Name] System Security Plan Version 1.1 HHSC CONFIDENTIAL 21 November 8, 2013 SSP: [System Name] Control ID Control Name SSP [Date] and Version: 1.1 Description of Control Status Security Control Implementation Details: IA-5 (1) (2) (3) Authenticator Management The HHS organization manages the HHS component authenticators for users and devices by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the HHS organization; c. 
Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators upon HHS information systems installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
g. Changing/refreshing authenticators in accordance with the criteria for Enhancement (1) below;
h. Protecting authenticator content from unauthorized disclosure and modification; and
i. Requiring users to take, and having devices implement, specific measures to safeguard authenticators.
Status: In Place / Partially in Place / Not in Place / N/A
(1) Password-based authentication for HHS information systems:
(a) Enforces minimum password complexity. Each password must contain a minimum of eight (8) and a maximum of sixteen (16) characters, with at least one (1) character from each of the following categories:
- upper case alpha (A-Z)
- lower case alpha (a-z)
- number (0-9)
- special character (@ # $ % ^ * ( ) _ + | ~ = \ ' { } [ ] : " ; < > /)
Dictionary names or words are prohibited.
(b) Enforces a minimum of four (4) changed characters when a new password is created;
(c) Encrypts passwords in storage and in transmission;
(d) Enforces password lifetime restrictions with a minimum of two (2) days and a maximum of sixty (60) days for privileged accounts and ninety (90) days for non-privileged accounts;
(e) Prohibits password reuse for six (6) generations;
(f) Limits password changes to once every fifteen (15) days;
(g) Forces the user to change the default password at first logon;
(h) Disables the password after ninety (90) days of inactivity;
(i) The "prompt user to change password before expiration" setting is set to fourteen (14) days or more.
(2) PKI-based authentication for HHS information systems:
(a) Validates certificates by constructing a certification path with status information to an accepted trust anchor;
(b) Enforces authorized access to the corresponding private key; and
(c) Maps the authenticated identity to the user account.
(3) Requires that the registration process to receive Agency-defined types of and/or specific authenticators (e.g., hardware tokens) be verified in person by a designated HHS official (e.g., a supervisor).
Security Control Implementation Details:

Control ID: SC-7 (1)
Control Name: Boundary Protection
Description of Control:
HHS information systems:
a. Monitor and control communications at the external boundary of the system and at key internal boundaries within the system; and
b. Connect to external networks or information systems only through managed interfaces consisting of automated boundary protection devices arranged in accordance with the HHS security architecture.
(1) The HHS organization physically allocates publicly accessible HHS information systems to separate subnetworks with separate physical network interfaces.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: SC-7 (2)
Control Name: Boundary Protection
Description of Control:
HHS information systems prevent public access into the HHS organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
Control ID: SC-7 (3)
Control Name: Boundary Protection
Description of Control:
The HHS organization limits the number of access points to the HHS information systems (e.g., prohibiting desktop modems) to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: SC-7 (4)
Control Name: Boundary Protection
Description of Control:
The HHS organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and the duration of that need;
(e) Reviews exceptions to the traffic flow policy as specified in the system security plan; and
(f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: SC-7 (5)
Control Name: Boundary Protection
Description of Control:
At managed interfaces, HHS information systems deny network traffic by default and allow network traffic by exception (i.e., deny all, permit by exception).
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: SC-7 (7)
Control Name: Boundary Protection
Description of Control:
HHS information systems prevent remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
Status: In Place / Partially in Place /  Not in Place / N/A
Security Control Implementation Details:
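SC-7(4) and SC-7(5) together describe a managed interface as a default-deny policy plus a set of documented, time-bounded exceptions. The following is an added example, not HHSC code or any real HHSC ruleset, that models exactly that: a flow is denied unless a live exception matches it, an expired exception stops permitting traffic on its own, and a review function produces the findings SC-7(4)(d) through (f) ask for (undocumented need, expired need). The "unbounded" finding is an added check of my own, since an any-source or any-destination exception silently undoes the default deny unless the target is a publicly accessible system placed on its own subnet per SC-7(1). The policy entries, addresses and names are constructed.

```python
"""Added example: deny-all/permit-by-exception flow policy with SC-7(4) exception
review. Not HHSC code; the policy, addresses and names are constructed."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str           # source IP address
    dst: str           # destination IP address
    proto: str         # "tcp", "udp" or "icmp"
    dport: int = 0     # destination port; 0 for protocols without ports


@dataclass(frozen=True)
class TrafficException:
    """One permitted flow under SC-7(4)(d): what, why, and for how long."""
    name: str
    src: str                 # CIDR block
    dst: str                 # CIDR block
    proto: str
    ports: tuple             # inclusive destination port range; (0, 0) if port-less
    business_need: str       # (d): the supporting mission/business need
    expires: date            # (d): the duration of that need

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and flow.proto == self.proto
                and self.ports[0] <= flow.dport <= self.ports[1])


def evaluate(policy: list, flow: Flow, today: date) -> tuple:
    """SC-7(5): deny by default; permit only when a still-valid exception matches.
    An expired exception stops permitting traffic even before (f) removes it."""
    matched = [e for e in policy if e.matches(flow)]
    live = [e for e in matched if e.expires >= today]
    if live:
        return "permit", live[0].name
    if matched:
        return "deny", "only expired exception(s): " + ", ".join(e.name for e in matched)
    return "deny", "default deny: no exception matches"


def review_exceptions(policy: list, today: date) -> dict:
    """The periodic review in SC-7(4)(e)/(f): entries to document, remove or justify.
    'unbounded' flags any-source or any-destination rules (added check, see lead-in)."""
    findings = {"undocumented": [], "expired": [], "unbounded": []}
    for e in policy:
        if not e.business_need.strip():
            findings["undocumented"].append(e.name)
        if e.expires < today:
            findings["expired"].append(e.name)
        if ip_network(e.src).prefixlen == 0 or ip_network(e.dst).prefixlen == 0:
            findings["unbounded"].append(e.name)
    return findings


# Constructed sample policy for one managed interface (not a real HHSC ruleset).
POLICY = [
    TrafficException("partner-sftp", "203.0.113.0/24", "198.51.100.10/32", "tcp", (22, 22),
                     "trading partner file exchange", date(2014, 6, 30)),
    TrafficException("web-https", "0.0.0.0/0", "198.51.100.20/32", "tcp", (443, 443),
                     "public portal", date(2014, 12, 31)),
    TrafficException("legacy-ftp", "203.0.113.0/24", "198.51.100.10/32", "tcp", (20, 21),
                     "pending migration to SFTP", date(2013, 6, 30)),    # expired
    TrafficException("mgmt-snmp", "192.0.2.0/24", "198.51.100.0/24", "udp", (161, 161),
                     "", date(2014, 12, 31)),                             # no documented need
]

if __name__ == "__main__":
    today = date(2013, 11, 8)
    for flow in (Flow("203.0.113.5", "198.51.100.10", "tcp", 22),
                 Flow("203.0.113.5", "198.51.100.10", "tcp", 21),
                 Flow("203.0.113.5", "198.51.100.10", "tcp", 3389)):
        print(flow.dport, evaluate(POLICY, flow, today))
    print(review_exceptions(POLICY, today))
```

Run against the sample, port 22 is permitted by the partner exception, port 21 is denied because the only matching exception has expired, and port 3389 falls through to the default deny; the review lists the expired FTP entry, the SNMP entry with no business need, and the any-source HTTPS entry for a justification check.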
Control ID: SC-8 (1)
Control Name: Transmission Integrity
Description of Control:
HHS information systems protect the integrity of transmitted information.
(1) The HHS organization employs cryptographic mechanisms (e.g., digital signatures, cryptographic hashes) as required by the system security plan to recognize changes to information during transmission, unless otherwise protected by alternative physical measures.
• The application uses integrity checks (e.g., hash algorithms, checksums) to detect errors in the data streams of application data transmitted over the network.
• The application supports integrity checking mechanisms for file transmissions.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Transmissions are encrypted using a key no less than 128 bits in length, or FIPS 140-2 compliant, whichever is stronger.
[ii] If encryption is not used to transmit data over the WAN, unencrypted cable circuits of copper or fiber optics are an acceptable means of transmitting FTI. If encryption is not used to transmit data over the LAN, the Agency must use other compensating mechanisms (e.g., switched VLAN technology, fiber optic medium).
Security Control Implementation Details:

Control ID: SI-2 (2)
Control Name: Flaw Remediation
Description of Control:
The HHS organization:
a. Identifies, reports, and corrects HHS information system flaws;
b. Tests software updates related to flaw remediation for effectiveness and potential side effects on HHS information systems before installation; and
c.
Incorporates flaw remediation monthly into the HHS configuration management process.
(2) Employs automated mechanisms to determine the state of HHS information systems with regard to flaw remediation.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Remediate identified HHS flaws on production equipment within a timeframe based on the National Vulnerability Database (NVD, http://nvd.nist.gov/) severity rating of the flaw: flaws rated high severity within seven (7) calendar days; medium severity within fifteen (15) calendar days; and all others within thirty (30) calendar days.
(a) Evaluate system security patches, service packs, and hot fixes in a test bed environment to determine the effectiveness and potential side effects of such changes; and
(b) Manage the flaw remediation process centrally.
[ii] Procedures are documented for the testing of all patches and upgrades that is required as part of the HHS configuration management process.
[iii] A test plan and procedures are created and updated for each production release.
Security Control Implementation Details:

5.1.2 Impact 2 Controls

Control ID: AC-4
Control Name: Information Flow Enforcement
Description of Control:
The HHS organization enforces approved authorizations for controlling the flow of information within the HHS information systems and between interconnected systems in accordance with applicable policy.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: AC-5
Control Name: Separation of Duties
Description of Control:
The HHS organization:
a. Separates the duties of individuals as necessary to prevent malevolent activity without collusion;
b. Documents separation of duties; and
c. Implements separation of duties through assigned HHS component access authorizations.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Ensure that audit functions are not performed by security personnel responsible for administering access control.
[ii] Ensure that HHS testing functions (i.e., user acceptance, quality assurance, information security) and production functions are divided among separate individuals or groups.
[iii] Ensure that an independent entity, not the business owner, system developers/maintainers, or system administrators responsible for the information system, conducts information security testing of the information system.
Security Control Implementation Details:

Control ID: AC-7
Control Name: Unsuccessful Login Attempts
Description of Control:
HHS information systems:
For Restricted data:
a. Enforce a limit of three (3) consecutive invalid access attempts by a user within a fifteen (15) minute period; and
b. Automatically lock the account/node for one (1) hour or until released by an account administrator.
The control applies regardless of whether the login occurs via a local or network connection.
For other HHS classified systems, enforce the following:
a. Account lockout duration of thirty (30) minutes;
b. Account lockout threshold of five (5) invalid logon attempts; and
c. Reset of the account lockout counter after thirty (30) minutes.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] The login delay between login prompts after a failed login is set to more than four (4) seconds.
Security Control Implementation Details:

Control ID: AC-17 (1) (2) (3) (4) (5) (7) (8)
Control Name: Remote Access
Description of Control:
The HHS organization:
a. Requires that the allowed methods of remote access to HHS information systems are GoToMyPC, VPN, and Outlook Web Access, and that remote access uses two-factor authentication;
b.
Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access;
d. Authorizes remote access prior to connection; and
e. Enforces requirements for remote connections.
(1) HHS information systems employ automated mechanisms to facilitate the monitoring and control of remote access methods.
(2) The HHS organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
(3) HHS information systems route all remote accesses through a limited number of managed access control points.
(4) The HHS organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs, and documents the rationale for such access and use of commands in the specific system security plan for the information system.
(5) The HHS organization monitors for unauthorized remote connections to HHS information systems at least quarterly and takes appropriate action if an unauthorized connection is discovered.
(7) The HHS organization requires that remote sessions used for remote administration employ additional security measures (e.g., Secure Shell [SSH], Virtual Private Networking [VPN] with blocking mode enabled; see SC-13) and that the sessions are audited.
(8) The HHS organization disables networking protocols deemed to be non-secure (such as Bluetooth and peer-to-peer networking) except for explicitly identified components in support of specific operational requirements.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] No unauthorized remote sessions are allowed.
[ii] The administrative password is not passed over a network in clear text.
Security Control Implementation Details:

Control ID: AU-5
Control Name: Response to Audit Processing Failures
Description of Control:
HHS information systems:
a. Alert designated HHS officials in the event of an audit processing failure; and
b.
Take the following additional actions in response to an audit failure or audit storage capacity issue:
- Shut down HHS information systems/applications;
- Stop generating audit records; or
- Overwrite the oldest records, in the case that storage media is unavailable.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: CA-7
Control Name: Continuous Monitoring
Description of Control:
The HHS organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for HHS and its constituent components;
b. A determination of the security impact of changes to HHS information systems and the environment of operation;
c. Ongoing security control assessments in accordance with the continuous monitoring strategy; and
d. Reporting the security state of the HHS information systems to appropriate organizational officials annually.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: CM-6 (3)
Control Name: Configuration Settings
Description of Control:
The HHS organization:
a. Establishes and documents mandatory configuration settings for information technology products employed within the HHS information systems, using the latest security configuration guidelines in the Data Center Services (DCS) Master System Security Plan (MSSP) technical specification document;
b. Implements the configuration settings;
c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within HHS information systems based on explicit operational requirements; and
d. Monitors and controls changes to the configuration settings in accordance with HHS policies and procedures.
(3) Incorporates detection of unauthorized, security-relevant configuration changes into the incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] The Agency establishes and documents mandatory security configuration settings for HHS information systems.
Security Control Implementation Details:

Control ID: MP-4
Control Name: Media Storage
Description of Control:
The HHS organization:
a. Physically controls and securely stores media within controlled areas, using the safeguards prescribed for the highest system security level of the information ever recorded on it; and
b. Protects HHS media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Desktops, laptops, hard drives, and portable computing devices must be encrypted using a cryptographic module validated to Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules.
Security Control Implementation Details:

Control ID: PE-3
Control Name: Physical Access Control
Description of Control:
The HHS organization:
a. Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where HHS information systems reside, excluding those areas within the facility officially designated as publicly accessible;
b. Verifies individual access authorizations before granting access to the facility;
c. Controls entry to the facility containing HHS information systems using physical access devices and/or guards;
d. Controls access to areas officially designated as publicly accessible in accordance with HHS's assessment of risk;
e. Secures keys, combinations, and other physical access devices;
f.
Inventories physical access devices annually; and
g. Changes combinations and keys annually, or whenever keys are lost, combinations are compromised, or individuals who had access to combinations and/or keys are transferred or terminated.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Require two barriers to access IRS FTI under normal security: secured perimeter/locked container, locked perimeter/secured interior, or locked perimeter/security container. Protected information must be containerized in areas where persons other than authorized employees may have access after hours.
Security Control Implementation Details:

Control ID: PS-7
Control Name: Third-Party Personnel Security
Description of Control:
The HHS organization:
a. Establishes personnel security requirements, including security roles and responsibilities, for third-party providers;
b. Documents personnel security requirements; and
c. Monitors provider compliance.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Regulate the access provided to contractors and define security requirements for contractors. Contractors must be provided with minimal system and physical access, and must agree to and support the HHS information security requirements.
Security Control Implementation Details:

Control ID: SC-9 (1)
Control Name: Transmission Confidentiality
Description of Control:
HHS information systems must protect the confidentiality of transmitted information.
(1) The HHS organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
encryption, using at least a 128-bit encryption key.
[i] When sending or receiving faxes containing HHS Restricted, Confidential, or Agency Internal data:
- Fax machines must be located in a locked room with a trusted staff member having custodial coverage over outgoing and incoming transmissions, or fax machines must be located in a secured area;
- Accurate broadcast lists and other preset numbers of frequent fax recipients must be maintained; and
- A cover sheet must be used that explicitly provides guidance to the recipient, including a notification of the sensitivity of the data and the need for protection, and a notice to unintended recipients to telephone the sender (collect if necessary) to report the disclosure and confirm destruction of the information.
Security Control Implementation Details:

Control ID: SI-3 (1) (2) (3)
Control Name: Malicious Code Protection
Description of Control:
The HHS organization:
a. Employs malicious code protection mechanisms at HHS information system entry and exit points and at workstations, servers, and mobile computing devices on the network to detect and eradicate malicious code:
- Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
- Inserted through the exploitation of HHS vulnerabilities;
b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available, in accordance with HHS configuration management policy and procedures;
c.
Configures malicious code protection mechanisms to:
- Perform periodic scans of the HHS information systems every twenty-four (24) hours and during system reboot, and real-time scans of files from external sources as the files are downloaded, opened, or executed, in accordance with HHS security policy; and
- Block, quarantine, and send alerts to administrators on an ongoing basis in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of HHS.
(1) Centrally manages malicious code protection mechanisms.
(2) HHS information systems automatically update malicious code protection mechanisms (including signature definitions).
(3) HHS information systems prevent non-privileged users from circumventing malicious code protection capabilities.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Virus-protection program signature definitions are no more than fourteen (14) days old.
[ii] Servers, workstations, and laptops should not be configured to auto-run removable media.
[iii] Servers, workstations, and laptops should be configured to automatically scan removable media for malware when inserted.
Security Control Implementation Details:

Control ID: SI-4 (2) (4) (5) (6)
Control Name: Information System Monitoring
Description of Control:
The HHS organization:
a. Monitors events on HHS information systems in accordance with Agency-defined Security Operations Procedures and detects HHS attacks;
b. Identifies unauthorized use of HHS information systems;
c.
Deploys monitoring devices (i) strategically within HHS to collect organization-determined essential information, and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the HHS organization;
d. Heightens the level of HHS component monitoring activity whenever there is an indication of increased risk to HHS operations, assets, and individuals based on law enforcement information, intelligence information, or other credible sources of information; and
e. Obtains a legal opinion with regard to HHS monitoring activities in accordance with applicable federal/state laws, executive orders, directives, policies, or regulations.
(2) Employs automated tools to support near-real-time analysis of events.
(4) HHS information systems monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
(5) HHS information systems provide near-real-time alerts when the following indications of compromise or potential compromise occur:
(a) Presence of malicious code;
(b) Unauthorized export of information;
(c) Signaling to an external information system; or
(d) Potential intrusions.
(6) HHS information systems prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

5.1.3 Impact 3 Controls

Control ID: AC-11
Control Name: Session Lock
Description of Control:
HHS information systems:
a. Prevent further access to the system by initiating a session lock after fifteen (15) minutes of inactivity or at the request of the user; and
b. Retain the session lock until the user re-establishes access using established identification and authentication procedures.
Status: In Place / Partially in Place / Not in Place / N/A
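AC-7 (Unsuccessful Login Attempts, earlier in the Impact 2 list) and AC-11 (Session Lock) above both reduce to a small amount of state kept per account and per session. The following is an added example, not HHSC code, that implements both AC-7 lockout profiles (three failures in fifteen minutes with a one-hour lock for Restricted data; five failures, a thirty-minute lock and a thirty-minute counter reset for other systems), the greater-than-four-second prompt delay from the AC-7 additional criterion, administrator release, and the AC-11 fifteen-minute inactivity lock, whose re-authentication runs through the same lockout counters as any other logon. The log lines are constructed and the class and field names are illustrative.

```python
"""Added example: AC-7 account lockout (both profiles) and the AC-11 session lock,
replayed over constructed authentication log lines. Not HHSC code."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int              # invalid attempts that trigger a lock
    window: timedelta           # failures older than this no longer count (counter reset)
    lock_duration: timedelta    # AC-7 b.: how long the account stays locked
    prompt_delay: timedelta = timedelta(seconds=4)   # criterion [i]: next prompt only after > 4 s


RESTRICTED = LockoutPolicy(3, timedelta(minutes=15), timedelta(hours=1))   # Restricted data
OTHER = LockoutPolicy(5, timedelta(minutes=30), timedelta(minutes=30))     # other classified systems
SESSION_LOCK_AFTER = timedelta(minutes=15)                                  # AC-11 a.


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)   # timestamps of counted failures
    locked_until: Optional[datetime] = None
    last_failure: Optional[datetime] = None


class Authenticator:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.state = defaultdict(AccountState)

    def attempt(self, user: str, credential_ok: bool, now: datetime) -> str:
        """Decide one logon attempt: 'accepted', 'rejected', 'throttled' or 'locked'."""
        p, s = self.policy, self.state[user]
        if s.locked_until is not None and now < s.locked_until:
            return "locked"                 # right password or not, nothing is accepted while locked
        if s.last_failure is not None and now - s.last_failure <= p.prompt_delay:
            return "throttled"              # prompt not yet re-offered; not counted as an attempt
        if credential_ok:
            s.failures.clear()              # a success ends the run of consecutive failures
            return "accepted"
        s.last_failure = now
        s.failures.append(now)
        while s.failures and now - s.failures[0] > p.window:
            s.failures.popleft()            # slide the window: stale failures are reset
        if len(s.failures) >= p.threshold:
            s.locked_until = now + p.lock_duration
            s.failures.clear()
            return "locked"
        return "rejected"

    def release(self, user: str) -> None:
        """Administrator release (AC-7 b.: 'or until released by an account administrator')."""
        self.state[user] = AccountState()


@dataclass
class Session:
    user: str
    last_activity: datetime

    def is_locked(self, now: datetime) -> bool:
        return now - self.last_activity >= SESSION_LOCK_AFTER          # AC-11 a.

    def activity(self, now: datetime) -> bool:
        """Record activity; False means the session is locked and must be re-authenticated."""
        if self.is_locked(now):
            return False
        self.last_activity = now
        return True

    def unlock(self, auth: Authenticator, credential_ok: bool, now: datetime) -> str:
        """AC-11 b.: re-authentication, which counts against the AC-7 lockout like any logon."""
        decision = auth.attempt(self.user, credential_ok, now)
        if decision == "accepted":
            self.last_activity = now
        return decision


LOG_LINE = re.compile(r"^(\S+) user=(\S+) outcome=(success|failure)")


def replay(auth: Authenticator, lines: list) -> list:
    """Run constructed log lines through the policy; returns (timestamp, user, decision)."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ts, user, outcome = m.groups()
            out.append((ts, user, auth.attempt(user, outcome == "success", datetime.fromisoformat(ts))))
    return out


# Constructed sample: a guessing run against jdoe, then the real user returns.
SAMPLE_LOG = [
    "2013-11-08T09:00:00 user=jdoe outcome=failure src=10.0.0.5",
    "2013-11-08T09:00:02 user=jdoe outcome=failure src=10.0.0.5",   # 2 s later: throttled
    "2013-11-08T09:00:10 user=jdoe outcome=failure src=10.0.0.5",
    "2013-11-08T09:00:20 user=jdoe outcome=failure src=10.0.0.5",   # third counted failure: locked
    "2013-11-08T09:05:00 user=jdoe outcome=success src=10.0.0.7",   # right password, still locked
    "2013-11-08T10:00:30 user=jdoe outcome=success src=10.0.0.7",   # lock expired: accepted
]

if __name__ == "__main__":
    for row in replay(Authenticator(RESTRICTED), SAMPLE_LOG):
        print(*row)
```

The sliding window is what makes "consecutive invalid attempts within a fifteen-minute period" and "reset the counter after thirty minutes" the same mechanism with different parameters. Attempts arriving inside the four-second prompt delay are refused without being counted, since a correctly configured prompt could not have been presented yet; a correct password presented during the lock is still refused, which is the point of the control.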
Additional Criteria:
[i] Ensure a password-protected screen lock mechanism is used.
Security Control Implementation Details:

Control ID: AC-18 (1)
Control Name: Wireless Access
Description of Control:
The HHS organization:
a. Establishes usage restrictions and implementation guidance for wireless access;
b. Monitors for unauthorized wireless access to HHS information systems;
c. Authorizes wireless access to the information system prior to connection; and
d. Enforces requirements for wireless connections to HHS information systems.
(1) HHS information systems protect wireless access using authentication and encryption.
Additional Criteria:
When deploying wireless access points, the following minimum standards shall apply:
1. File sharing on wireless clients shall be disabled.
2. Client NIC and Access Point firmware shall be upgradeable so that security patches may be deployed as they become available.
3. Access Points shall be turned off when they are not in use (e.g., after hours and on weekends).
4. The Access Point's Service Set Identifier (SSID) shall be changed from the default setting to an ID that does not reflect the identity of the Agency or department or the nature of the work at the physical location where it is installed, and SSID broadcast shall be disabled.
5. All non-secure and non-essential management protocols on Access Points shall be disabled.
6. All security features of the WLAN product, including the cryptographic authentication feature, shall be enabled.
7. The Wi-Fi Protected Access (WPA) security standard or greater shall be implemented.
8. Access Points shall have strong passwords, which shall be changed regularly.
9. User authentication shall use an RFC-compliant method, such as RADIUS or TACACS.
10.
Authentication mechanisms for the management interfaces of the Access Point shall be enabled, and management traffic destined for Access Points shall be on a dedicated wired subnet.
11. SNMP settings on Access Points shall be disabled or set for least privilege (i.e., read only), with SNMPv3 or an equivalent cryptographically protected protocol in use.
12. Installers shall ensure that new WLAN installations do not interfere with other existing equipment.
13. Physical and remote access to the Access Point reset function shall be restricted to authorized administrators only.
14. The default cryptographic key shall be changed from the factory default and shall be changed on a regular basis.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: AT-3
Control Name: Security Training
Description of Control:
The HHS organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) as refresher training annually thereafter.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: AU-3 (1)
Control Name: Content of Audit Records
Description of Control:
HHS information systems shall produce audit records that contain sufficient information to establish, at a minimum, what type of event occurred, the date and time the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
(1) Include the capability to provide more detailed information for audit events identified by type, location, or subject.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Record disclosures of sensitive information, including protected health and financial information.
Log the information type, date, time, receiving party, and releasing party. Verify every ninety (90) days, for each extract, that the data has been erased or that its use is still required.
Security Control Implementation Details:

Control ID: AU-4
Control Name: Audit Storage Capacity
Description of Control:
The HHS organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: AU-7 (1)
Control Name: Audit Reduction and Report Generation
Description of Control:
HHS information systems provide an audit reduction and report generation capability.
(1) HHS information systems provide the capability to automatically process audit records for events of interest based on selectable event criteria.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: CA-2 (1)
Control Name: Security Assessments
Description of Control:
The HHS organization:
a. Develops a security assessment plan that describes the scope of the assessment, including:
- Security controls and control enhancements under assessment;
- Assessment procedures to be used to determine security control effectiveness; and
- Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in HHS information systems annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment in writing to the authorizing official, who is responsible for reviewing the assessment documentation.
(1) Employs an independent assessor or assessment team to conduct an assessment of the security controls in the HHS information systems.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] A security assessment of all security controls must be conducted for all newly implemented systems.
[ii] The HHS system owner notifies the appropriate personnel, as defined within the applicable business requirements document and change requests, whenever updates are made to system security authorization artifacts or significant role changes occur (e.g., system developer/maintainer, information system security analyst).
Security Control Implementation Details:

Control ID: CA-6
Control Name: Security Authorization
Description of Control:
The HHS organization:
a. Identifies the HHS CISO, Agency IRM, and Agency ISOs as the approving officials for the HHS environment;
b. Ensures that the approving official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization:
- At least annually for high-risk assets;
- When substantial changes are made to the system;
- When changes in requirements result in the need to process data of a higher sensitivity;
- When changes occur to authorizing legislation or federal/state requirements;
- After the occurrence of a serious security violation which raises questions about the validity of an earlier security authorization; and
- Prior to expiration of a previous security authorization.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: CM-7 (1)
Control Name: Least Functionality
Description of Control:
The HHS organization:
a. Configures the HHS information systems to provide only essential capabilities and specifically prohibits or restricts the use of functions, ports, protocols, and/or services.
(1) Reviews HHS information systems annually to identify and eliminate unnecessary functions, ports, protocols, and/or services.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{i} A list of specifically needed system services, ports, and network protocols should be maintained and documented in the system security plan; all others are disabled. Any functions installed by default that are not required by the HHS information systems are disabled. Services and/or software that are not needed should not be present on the server.
Security Control Implementation Details:

CP-2 (1) Contingency Plan / Continuity of Operations Plan
The HHS organization:
a. Develops a contingency plan (CP) or Continuity of Operations Plan (COOP) for HHS information systems that:
- Identifies essential HHS missions and business functions and associated contingency requirements;
- Provides recovery objectives, restoration priorities, and metrics;
- Addresses contingency roles, responsibilities, and assigned individuals with contact information;
- Addresses maintaining essential HHS missions and business functions despite an HHS disruption, compromise, or failure;
- Addresses eventual, full HHS restoration without deterioration of the security measures originally planned and implemented; and
- Is reviewed and approved by designated officials within the HHS organization;
b. Distributes copies of the COOP to key contingency personnel (identified by name and/or by role) and organizational elements;
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the COOP for the HHS information systems annually;
e.
Revises the COOP to address changes to the HHS organization, HHS information systems, or environment of operation and problems encountered during COOP implementation, execution, or testing; and
f. Communicates COOP changes to key contingency personnel (identified by name and/or by role) and others as defined in the HHS COOP.
(1) Coordinates contingency plan development with HHS elements responsible for related plans.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

CP-4 (1) Contingency Plan Testing and Exercises
The HHS organization:
a. Tests and/or exercises the contingency plan for the mission-critical HHS information systems annually, using defined tests and/or exercises such as the tabletop test in accordance with the current COOP procedure, to determine the plan's effectiveness and HHS's readiness to execute the plan; and
b. Documents and reviews the contingency plan test/exercise results and initiates reasonable and appropriate corrective actions to close or reduce the impact of contingency plan failures and deficiencies.
(1) Coordinates contingency plan testing and/or exercises with HHS elements responsible for related plans.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

IA-4 Identifier Management
The HHS organization manages information system identifiers for users and devices by:
a. Receiving authorization from a designated official to assign a user or device identifier;
b. Selecting an identifier that uniquely identifies an individual or device;
c. Assigning the user identifier to the intended party or the device identifier to the intended device;
d.
Preventing reuse of user or device identifiers until all previous access authorizations are removed from the system, including all file accesses for that identifier, but not before a period of at least a year has expired; and
e. Disabling the user identifier after ninety (90) days of inactivity.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

MP-2 (1) Media Access
The HHS organization restricts access to HHS Restricted, Confidential, or Agency Internal media to authorized individuals, using automated mechanisms to control access to media storage areas.
(1) Employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

MP-6 Media Sanitization
The HHS organization:
a. Sanitizes information system media, both digital and non-digital, prior to disposal, release out of HHS control, or release for reuse; and
b. Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{i} (For IRS Federal Tax Information (FTI) only) FTI must never be disclosed to an Agency's agents or contractors during disposal unless authorized by the Internal Revenue Code. Generally, destruction should be witnessed by an Agency employee.
{ii} (For Confidential or Agency Internal) Authorized employees of the receiving entity must be responsible for securing magnetic tapes/cartridges before, during, and after processing, and they must ensure that the proper acknowledgment form is signed and returned. Inventory records must be maintained for purposes of control and accountability.
Tapes containing HHS Restricted and Confidential Information, or any file resulting from the processing of such a tape, are recorded in a log that identifies: (a) date received; (b) reel/cartridge control number, contents; (c) number of records, if available; (d) movement; and (e) if disposed of, the date and method of disposition.
Security Control Implementation Details:

PE-2 Physical Access Authorizations
The HHS organization:
a. Develops and keeps current a list of personnel with authorized access to the facility where HHS information systems reside (except for those areas within the facility officially designated as publicly accessible);
b. Issues authorization credentials; and
c. Reviews and approves the access list and authorization credentials at least once every one hundred eighty (180) days, removing personnel no longer requiring access from the list.
Status: In Place / Partially in Place / Not in Place / N/A

PE-6 (1) Monitoring Physical Access
The HHS organization:
a. Monitors physical access to the HHS information system to detect and respond to physical security incidents;
b. Reviews physical access logs once a month; and
c. Coordinates results of reviews and investigations with HHS's incident response capability.
(1) Monitors real-time physical intrusion alarms and surveillance equipment.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

PE-7 (1) Visitor Control
The HHS organization controls physical access to the HHS information systems by authenticating visitors before authorizing access to the facility where HHS information systems reside, other than areas designated as publicly accessible.
(1) Escorts visitors and monitors visitor activity, when required.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

PM-5 Information System Inventory
The HHS organization develops and maintains inventories of Agency information systems.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

PS-3 Personnel Screening
The HHS organization:
a. Screens individuals prior to authorizing access to HHS information systems; and
b. Rescreens individuals annually, consistent with the criticality/sensitivity rating of the position.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

RA-2 Security Categorization
The HHS organization:
a. Categorizes information and HHS information systems in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the system security plan for the information system; and
c. Ensures the security categorization decision is reviewed and approved by the approving official or a designated representative.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

RA-3 Risk Assessment
The HHS organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the HHS information systems and the information they process, store, or transmit;
b. Documents risk assessment results in a risk assessment report;
c. Reviews risk assessment results annually; and
d.
Updates the risk assessment annually or whenever there are significant changes to HHS information systems or the environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security or authorization state of the system.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Risk assessment should be conducted for the information system based on the Agency-defined methodology that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, modification, or destruction of the information system and the information it processes, stores, or transmits.
Security Control Implementation Details:

SA-3 Life Cycle Support
The HHS organization:
a. Manages the HHS information systems using a system development life cycle methodology that includes information security considerations;
b. Defines and documents HHS component security roles and responsibilities throughout the system development life cycle; and
c. Identifies individuals having HHS component security roles and responsibilities.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

SA-9 External Information System Services
The HHS organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Monitors security control compliance by external service providers.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{i} Prohibits service providers from outsourcing any system function outside the U.S. or its territories for Medicaid data.
{ii} (For Protected Health Information (PHI) only) A covered entity under HIPAA may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with HIPAA regulations. Such assurances must be documented and meet the requirements set forth in HIPAA regulations. (See HIPAA 164.308(b) and 164.314(a).)
Security Control Implementation Details:

SA-10 Developer Configuration Management
The HHS organization requires that HHS developers/integrators:
a. Perform configuration management during HHS information system design, development, implementation, and operation;
b. Manage and control changes to HHS information systems;
c. Implement only organization-approved changes;
d. Document approved changes to HHS information systems; and
e. Track security flaws and flaw resolution.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

SA-11 Developer Security Testing
The HHS organization requires that HHS information system component developers/integrators, in consultation with associated security personnel (including security engineers):
a. Create and implement a security test and evaluation plan in accordance with, but not limited to, the current HHS procedures;
b. Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
c. Document the results of the security testing/evaluation and flaw remediation processes.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] HHS information systems should be tested for security flaws on a periodic basis using automated vulnerability scanning methods, manual control testing, or a combination of both.
[ii] Test results are documented, and security flaws found during the test should be entered into a tracking system and monitored for mitigation.
[iii] Agency systems/applications should be tested for security flaws prior to release into production using manual or automated techniques or a combination of both.
Security Control Implementation Details:

SC-13 Use of Cryptography
HHS information systems implement required cryptographic protections using cryptographic modules that comply with applicable federal/state laws, executive orders, directives, policies, regulations, standards, and guidance.
(i) Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, should be used to specify the security requirements within a security system.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Use Secure Socket Layer (SSL) v2 and SSL v3.
[ii] SSH is not using v1 compatibility; only v2 connections are accepted.
Security Control Implementation Details:

5.1.4 Impact 4 Controls

AC-8 System Use Notification
HHS information systems will:
a. Display an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal and Texas laws, executive orders, directives, policies, regulations, Health and Human Services Commission (HHSC) standards, and guidance, and states that: (i) users are accessing a U.S.
Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording.
Status: In Place / Partially in Place / Not in Place / N/A
The recommended banner for IRS FTI information resources is:
“WARNING This system may contain U.S. Government information, which is restricted to authorized users ONLY. Unauthorized access, use, misuse, or modification of this computer system or of the data contained herein or in transit to/from this system constitutes a violation of Title 18, United States Code, Section 1030, and may subject the individual to Criminal and Civil penalties pursuant to Title 26, United States Code, Sections 7213, 7213A (the Taxpayer Browsing Protection Act), and 7431. This system and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. Such monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored in this system by a user. If monitoring reveals possible evidence of criminal activity, such evidence may be provided to Law Enforcement Personnel. ANYONE USING THIS SYSTEM EXPRESSLY CONSENTS TO SUCH MONITORING”
b. Retain the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
i. Display the system use information when appropriate, before granting further access;
ii.
Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
iii. Include a description of the authorized uses of the system in the notice given to public users of the information system.
Additional Criteria:
[i] The system contains US government information;
[ii] users' actions are monitored and audited;
[iii] unauthorized use of the system is prohibited;
[iv] unauthorized use of the system is subject to criminal and civil penalties.
Security Control Implementation Details:

AT-4 Security Training Records
The HHS organization:
a. Documents and monitors individual information system security training activities, including basic security awareness training and specific information system security training; and
b. Retains individual training records for three (3) years.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

AU-11 Audit Record Retention
The HHS organization retains audit records for ninety (90) days and archives old records for one (1) year to provide support for after-the-fact investigations of security incidents and to meet regulatory and HHS organization information retention requirements.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{i} (For Confidential data only) Audit inspection reports, including a record of corrective actions, shall be retained by the HHS organization for a minimum of three (3) years from the date the inspection was completed.
[ii] To support the audit of IRS FTI activities, all organizations must ensure that audit information is archived for six (6) years to enable the recreation of computer-related access to both the operating system and the application where FTI is stored.
Security Control Implementation Details:

AU-14 Session Audit
For HHS information systems, ensure they have the capability to:
a. Capture/record and log key content related to a user session; and
b. Remotely view/hear all content related to an established user session in real time.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

IR-3 Incident Response Testing and Exercises
The HHS organization tests and/or exercises the incident response capability for the HHS information systems annually, using reviews, analyses, and simulations to determine the incident response effectiveness, and documents the results.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] The Agency defines incident response tests/exercises that contain procedures for the following:
- Detecting unauthorized FTI access;
- Reporting unauthorized FTI access to IRS, TIGTA, and the internal Agency incident response team.
[ii] The Agency tests/exercises the incident response capability for FTI-related security violations (e.g., simulated successful unauthorized access to FTI) at least annually. Note: The incident response tests/exercises should be different from any testing activities performed as part of Disaster Recovery or Contingency Planning.
[iii] The Agency documents the results of incident response tests/exercises.
Security Control Implementation Details:

PE-18 Location of Information System Components
The HHS organization positions HHS information systems within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

PL-2 System Security Plan
The HHS organization:
a. Develops security plans for HHS information systems that:
- Are consistent with HHS's enterprise architecture;
- Explicitly define the authorization boundary for the HHS information systems;
- Describe the operational context of HHS information systems in terms of missions and business processes;
- Provide the security categorization of the HHS information systems, including supporting rationale;
- Describe the operational environment for HHS information systems;
- Describe relationships with or connections to other information systems;
- Provide an overview of the security requirements for HHS;
- Describe the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplementation decisions; and
- Are reviewed and approved by the authorizing official or a designated representative prior to plan implementation.
b. Reviews the security plan for HHS information systems annually; and
c.
Updates the plan, minimally every three (3) years, to address current conditions or whenever:
- There are significant changes to the information system/environment of operation that affect security;
- Problems are identified during plan implementation or security control assessments;
- When the data sensitivity level increases;
- After a serious security violation due to changes in the threat environment; or
- Before the previous security authorization expires.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{iii} (For IRS FTI only) Develop and submit a Safeguard Procedures Report (SPR) that describes the procedures established and used by the HHS organization for ensuring the confidentiality of the information received from the IRS. This report is provided every six years or when significant changes occur in the safeguard program. A Safeguard Activity Report (SAR) advises the IRS of minor changes to the procedures or safeguards described in the SPR. It also advises the IRS of future actions that will affect HHS's current efforts to ensure the confidentiality of IRS FTI, and finally certifies that HHS is protecting IRS FTI pursuant to IRC Section 6103(p)(4) and HHS's own security requirements. This report is provided annually by September 30th. (Reference IRS Publication 1075, sections 7 & 8.)
Security Control Implementation Details:

PM-2 Senior Information Security Analyst
The HHS organization appoints a Chief Information Security Officer (CISO) with the mission and resources to coordinate, develop, implement, and maintain an HHS-wide information security program.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

PM-3 Information Security Resources
The HHS organization:
a.
Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case and/or Exhibit 300/Exhibit 53 to record the resources required (Ref: SA-2); and
c. Ensures that information security resources are available for expenditure as planned.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

PM-4 Plan of Action and Milestones Process
The HHS organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations, assets, and individuals.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

PM-7 Enterprise Architecture
The HHS organization develops an enterprise architecture with consideration for information security and the resulting risk to HHS operations, assets, and individuals.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

PM-9 Risk Management Strategy
The HHS organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, and to individuals associated with the operation and use of information systems; and
b. Implements that strategy consistently across the HHS organization.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

PM-10 Security Authorization Process
The HHS organization:
a. Manages (i.e., documents, tracks, and reports) the security state of HHS information systems through security authorization processes;
b.
Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into the HHS-wide risk management program.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

SC-5 Denial of Service Protection
HHS information systems protect against or limit the effects of distributed denial of service (DDoS) attacks.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Deployment personnel are registered to receive updates for all HHS server software (e.g., web servers, application servers, database servers). Also, if update notifications are provided for any custom-developed software, deployment personnel should register for these updates as well. Ref: Security Incident Management Plan.
Security Control Implementation Details:

SC-10 Network Disconnect
HHS information systems automatically terminate the network connection associated with a communications session at the end of the session or:
Additional Criteria:
{i} Forcibly de-allocate communications session Dynamic Host Configuration Protocol (DHCP) leases after seven (7) days; and
{ii} Forcibly disconnect inactive VPN connections after thirty (30) minutes of inactivity.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

SC-11 Trusted Path
HHS information systems establish a trusted communications path between the user and, at a minimum, the HHS authentication and re-authentication security functions.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{i} Defined and approved security functions are listed in the system security plan.
Security Control Implementation Details:
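The two SC-10 parameters above (DHCP leases released after seven days, idle VPN sessions cut after thirty minutes) can be verified against exported session records rather than taken on trust. The following Python is an added example, not HHSC's own code; the VPN log lines and DHCP lease table are constructed, and their formats, the session-id field and the evaluation time are assumptions.

```python
"""Check exported session records against the SC-10 Network Disconnect
parameters stated above: inactive VPN sessions must be disconnected after
thirty (30) minutes, and DHCP leases de-allocated after seven (7) days.

Added example, not HHSC's own code. The record formats are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

VPN_IDLE_LIMIT = timedelta(minutes=30)   # SC-10 additional criterion {ii}
DHCP_LEASE_LIMIT = timedelta(days=7)     # SC-10 additional criterion {i}

# Point in time at which still-open sessions are evaluated (constructed).
EVAL_TIME = datetime.fromisoformat("2013-11-08T11:00:00")

# Constructed VPN concentrator log: "<ISO timestamp> <session id> <event> [reason]".
VPN_LOG = """\
2013-11-08T08:00:00 s1 connect
2013-11-08T08:10:00 s1 activity
2013-11-08T08:55:00 s1 activity
2013-11-08T09:00:00 s1 disconnect user-logout
2013-11-08T08:00:00 s2 connect
2013-11-08T08:05:00 s2 activity
2013-11-08T08:35:00 s2 disconnect idle-timeout
2013-11-08T10:00:00 s3 connect
2013-11-08T10:20:00 s3 activity
"""

# Constructed DHCP lease table: "<ip> <mac> <lease start> <lease end>".
DHCP_LEASES = """\
10.10.1.20 00:11:22:33:44:55 2013-11-01T00:00:00 2013-11-08T00:00:00
10.10.1.21 00:11:22:33:44:66 2013-10-01T00:00:00 2013-11-15T00:00:00
10.10.1.22 00:11:22:33:44:77 2013-11-07T12:00:00 2013-11-08T12:00:00
"""


def _sessions(log: str) -> dict[str, list[tuple[datetime, str]]]:
    """Group (timestamp, event) pairs by session id, oldest first."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, sid, event, *_reason = line.split()
        sessions[sid].append((datetime.fromisoformat(ts), event))
    for events in sessions.values():
        events.sort()
    return dict(sessions)


def vpn_idle_violations(log: str, now: datetime = EVAL_TIME) -> dict[str, int]:
    """Return {session id: longest idle gap in minutes} for every session that
    stayed connected longer than VPN_IDLE_LIMIT with no activity.

    A gap is measured between consecutive connect/activity events, and from
    the last event to the disconnect (or to `now` for a session still open).
    A disconnect arriving exactly at the limit is the idle timeout working as
    intended, so only gaps strictly over the limit are reported.
    """
    violations = {}
    for sid, events in _sessions(log).items():
        worst = timedelta(0)
        prev = None
        closed = False
        for ts, event in events:
            if closed:
                break  # anything after a disconnect is not part of this session
            if prev is not None:
                worst = max(worst, ts - prev)
            prev = ts
            closed = event == "disconnect"
        if not closed and prev is not None:
            worst = max(worst, now - prev)  # still open: idle since its last event
        if worst > VPN_IDLE_LIMIT:
            violations[sid] = int(worst.total_seconds() // 60)
    return violations


def dhcp_lease_violations(leases: str) -> dict[str, int]:
    """Return {ip: lease length in days} for leases longer than DHCP_LEASE_LIMIT."""
    violations = {}
    for line in leases.splitlines():
        if not line.strip():
            continue
        ip, _mac, start, end = line.split()
        length = datetime.fromisoformat(end) - datetime.fromisoformat(start)
        if length > DHCP_LEASE_LIMIT:
            violations[ip] = length.days
    return violations


if __name__ == "__main__":
    for sid, minutes in vpn_idle_violations(VPN_LOG).items():
        print(f"SC-10 {{ii}}: VPN session {sid} idle {minutes} min without disconnect")
    for ip, days in dhcp_lease_violations(DHCP_LEASES).items():
        print(f"SC-10 {{i}}: DHCP lease for {ip} runs {days} days")
```

Session s2 is released exactly at the 30-minute mark by the idle timeout and is therefore compliant; s1 sat idle for 45 minutes before a user logout and s3 is still open 40 minutes after its last activity, so both are reported.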
SC-12 Cryptographic Key Establishment and Management
The HHS organization establishes and manages cryptographic keys for required cryptography employed within HHS information systems.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

SC-17 Public Key Infrastructure Certificates
The HHS organization issues public key certificates under an HHS Agency-defined certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

SC-18 Mobile Code
The HHS organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies. Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and VBScript;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within HHS information systems.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Mobile code is obtained from a trusted source and is designated as trusted. The mobile code is digitally signed, and the digital signature is properly validated by the client runtime environment prior to execution.
[ii] Unsigned mobile code operating in a constrained environment has no access to local operating system resources and does not attempt to establish network connections to servers other than the application server.
Security Control Implementation Details:

SC-32 Information System Partitioning
The HHS organization partitions HHS information systems into components residing in separate physical domains (or environments) as deemed necessary.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

AP-1 Authority to Collect
The HHS organization determines the legal authority that permits the collection, use, maintenance, and sharing of HHS Restricted and Confidential information in support of a specific program or information system need.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

AP-2 Purpose Specification
The HHS organization describes the purposes for which HHS Restricted and Confidential information is collected, used, maintained, and shared in its privacy notices.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

AR-1 Governance and Privacy Program
The HHS organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an Agency-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of HHS Restricted and Confidential information by programs and information systems;
b. Allocates an HHS Agency-defined allocation of budget and staffing resources to implement and operate the organization-wide privacy program;
c. Develops, disseminates, and implements privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving HHS Restricted and Confidential Information;
d.
Develops a privacy plan for implementing applicable privacy controls, policies, and procedures; and
e. Updates the privacy plan, policies, and procedures as defined by the Agency.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

AR-2 Privacy Impact and Risk Assessment
The HHS organization:
a. Establishes a privacy risk assessment process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, and use of personally identifiable information;
b. Conducts a Privacy Impact Assessment (PIA) for information systems and programs in accordance with Office of Management and Budget (OMB) policy and any existing organizational policies and procedures; and
c. Follows a documented, repeatable process for conducting, reviewing, and approving Privacy Impact Assessments.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

DM-1 (1) Minimization of Personally Identifiable Information
The HHS organization:
a. Identifies the minimum HHS Restricted, Confidential, and Agency Internal information elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of HHS Restricted and Confidential information to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation and performs periodic evaluations of its holdings of HHS Restricted and Confidential information to ensure that only the HHS Restricted, Confidential, and Agency Internal information identified in the notice is collected and retained, and that the HHS Restricted and Confidential information continues to be necessary to accomplish the legally authorized purpose.
(1) Where feasible and within the limits of technology, the organization locates and removes or redacts specified HHS Restricted and Confidential Information and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure. Security Control Implementation Details: Trading Partners: [System Name] System Security Plan Version 1.1 HHSC CONFIDENTIAL Partially in Place Not in Place N/A Partially in Place Not in Place N/A 54 November 8, 2013 SSP: [System Name] SSP [Date] and Version: 1.1 Control ID Control Name Description of Control DM-2 Data Retention and Disposal The HHS organization: a. Retains HHS Restricted and Confidential information for only as long as is necessary to fulfill the purpose(s) identified in the notice or as required by law; b. Appropriately disposes of HHS Restricted and Confidential information when it is no longer necessary to retain it; c. Systematically destroys, erases, and/or anonymizes the HHS Restricted and Confidential information regardless of the method of storage (e.g., electronic, optical media, or paper-based) in accordance with a National Archives and Records Administration (NARA) approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and; d. Uses audits and appropriate technology to ensure secure deletion or destruction of HHS Restricted and Confidential Information (including originals, copies, and archived records). Status In Place Partially in Place Not in Place N/A Additional Criteria: 1. Audit Trail of Restricted Data should be archived for six (6) years. 2. Confidential log data should be archived for six (6) years. Security Control Implementation Details: IP-4 Complaint Management The HHS organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices. 
In Place Partially in Place Not in Place N/A Security Control Implementation Details: Trading Partners: [System Name] System Security Plan Version 1.1 HHSC CONFIDENTIAL 55 November 8, 2013 SSP: [System Name] Control ID Control Name TR-1 Privacy Notice SSP [Date] and Version: 1.1 Description of Control The HHS organization: a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of HHS Restricted and Confidential Information; (ii) authority for collecting HHS Restricted and Confidential Information; (iii) the choices, if any, individuals may have regarding how the organization uses HHS Restricted and Confidential Information and the consequences of exercising or not exercising, and; b. Describes: (i) the HHS Restricted and Confidential Information the organization collects and the purposes for which it collects that information; (ii) how the organization uses HHS Restricted and Confidential Information internally; (iii) whether the organization shares HHS Restricted and Confidential Information with external entities and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of HHS Restricted and Confidential Information and how to exercise any such consent; (v) how individuals may obtain access to HHS Restricted and Confidential Information for the purpose of having it amended or corrected, where appropriate; and; (vi) how the HHS Restricted and Confidential Information will be protected; c. Revises its public notices to reflect changes in practice or policy that affect HHS Restricted and Confidential Information or changes in its activities that impact privacy; and; d. 
Ensures (e.g., through updated public notice) that individuals are aware of and, where feasible, consent to all uses of HHS Restricted and Confidential Information not initially described in the public notice that was in effect at the time the organization collected the HHS Restricted and Confidential Information (1) Each Agency provides real-time (i.e., at the point of collection) notice when it collects HHS Restricted and Confidential Information. Security Control Implementation Details: Trading Partners: [System Name] System Security Plan Version 1.1 HHSC CONFIDENTIAL Status In Place Partially in Place Not in Place N/A 56 November 8, 2013