Sample System Security Plan Template

System Security Plan for Trading Partners (Vendors)
[System Name & Acronym]
Version 1.1
November 8, 2013
[System Name] System Security Plan
Version 1.1
[Date]
This document contains confidential information for HHSC Official Use Only. It shall not be duplicated, used, or disclosed in whole or in part without prior written permission from the Information Security Assurance office.
SSP: [System Name]
SSP [Date] and Version: 1.1
TABLE OF CONTENTS
DOCUMENT HISTORY
REVIEW LOG
1 PURPOSE
1.1 Overview
2 SYSTEM IDENTIFICATION
2.1 SYSTEM NAME / TITLE
2.2 RESPONSIBLE ORGANIZATION
2.3 DESIGNATED CONTACTS
2.4 ASSIGNMENT OF SECURITY RESPONSIBILITY
2.5 DESCRIPTION OF THE BUSINESS PROCESS
2.5.1 System Location
2.5.2 System Data Flows
2.5.3 System Confidential Data Transfer Inventory
2.6 DESCRIPTION OF OPERATIONAL/SYSTEM ENVIRONMENT AND SPECIAL CONSIDERATIONS
2.6.1 System Information/Components
2.6.2 User Community Organizations and Access
2.6.3 Architecture and Topology
2.7 SYSTEM INTERCONNECTION / INFORMATION SHARING
2.8 APPLICABLE LAWS OR REGULATIONS
3 SECURITY CATEGORIZATION AND CLASSIFICATION
3.1 Data Classification
3.2 System Categorization (Potential Impact of Security Breach)
4 HHS SECURITY CONTROL FRAMEWORK
4.1 Security Control Class Areas
5 INFORMATION SECURITY CONTROL PHASES
5.1 PHASE 1 – Priority 1
5.1.1 Impact 1 Controls
5.1.2 Impact 2 Controls
5.1.3 Impact 3 Controls
5.1.4 Impact 4 Controls
DOCUMENT HISTORY
Revision History:
Numbering convention: Version.Revision as n.xx. Pre-publication drafts are 0.xx; the first published version is 1.00; for minor revisions to a published document, increment the decimal number (e.g. 1.01); for major content upgrades to a published document, increment the leading whole number (e.g. 2.00).

Revision | Date | Description
0.01 | 01-2013 | Initial document distributed by the Office of the Chief Information Security Officer (CISO).
1.0 | 03-2013 | First published version of the document distributed by the Office of the Chief Information Security Officer (CISO).
1.1 | 11-2013 | Restructured the document for improved flow of required information. Removed the RA-5 control and the “XX-1” policy controls (e.g. AC-1, CM-1, etc.). Included the Confidential Data transfer inventory.
REVIEW LOG
This SSP Review Log is maintained to record the reviews that have taken place for this system.
The review log should be completed by entering the data from each column in the appropriate row. The log may also be completed by using a pen.

Date of Review | Staff Name of Reviewer | Organization of Reviewer

1 PURPOSE
The purpose of the [System Name] System Security Plan (SSP) is to document the current level of existing security controls within the [System Name] Information System that protect the confidentiality, integrity and availability (CIA) of the data that it processes, stores and transmits.
Texas Administrative Code (TAC) 202.20 states:
“Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources.”
The SSP document assists Information/Business Owners, Information Custodians/System Developers/Maintainers and other information resource personnel in meeting the Federal and State laws and Agency requirements that call for system security plans.
1.1 Overview
The SSP provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
The System Security Plan (SSP) is used as a tool to perform a risk assessment for the system. The Risk Assessment identifies potential threats and vulnerabilities in the information system, analyzes planned or actual security controls and potential impacts on operations and assets, and determines the expected risk. All business processes operate with some level of risk, and one of the most effective ways to protect these business processes is through the implementation of effective internal security controls, risk evaluation, and risk management (RM).
The SSP is comprised of three main sections: section 2, System Identification, highlights the overall system and business design and functionality; section 3, Security Categorization and Classification, records the classification of the system's data and the potential impact of a security breach; and section 5, Information Security Control Phases (Security Control Details), provides a detailed description of the implementation of each security control.
To facilitate compliance and implementation of the controls suite, a prioritized baseline of information security controls was developed. Internal and external audit findings, recommendations from the Consensus Audit Guidelines (CAG), Centers for Medicare & Medicaid Services (CMS), and security best practices were used to develop the prioritized baseline of controls. The phases and release order are organized using this methodology.
This security plan, at a minimum, is marked, handled, and controlled as a confidential document. In addition, the security plan is dated for ease of tracking modifications and approvals.
2 SYSTEM IDENTIFICATION
2.1 SYSTEM NAME / TITLE
This section describes the official name and/or title of the system, including its acronym.
System Identifier | Response Data
Official System Name:
System Acronym:
2.2 RESPONSIBLE ORGANIZATION
This section describes the contact information for the organization responsible for the system.
HHSC Internal | Response Data
Name of Organization:
Address:
City, State, Zip:
Contact Number:
2.3 DESIGNATED CONTACTS
This section describes the names of contact personnel who can address inquiries regarding system characteristics and operation.
Business/Information Owner | Response Data
Name:
Title:
Organization:
Address:
E-Mail:
Phone Number:
Information Custodian (System Developer/Maintainer) | Response Data
Name:
Title:
Organization:
Address:
E-Mail:
Phone Number:
SSP Author | Response Data
Name:
Title:
Organization:
Address:
City, State, Zip:
E-mail:
Phone Number:
2.4 ASSIGNMENT OF SECURITY RESPONSIBILITY
Individual[s] Responsible for Security | Response Data
Name:
Title:
Organization:
Address:
Mail stop:
City, State, Zip:
E-mail:
Phone Number:
Emergency Contact (daytime): (name, phone & email)
Component ISSO | Response Data
Name:
Title:
Organization:
Address:
Mail stop:
City, State, Zip:
E-mail:
Phone Number:
Emergency Contact (daytime): (name, phone & email)
2.5 DESCRIPTION OF THE BUSINESS PROCESS
Describe the following:
- Business function/process for the system.
- Who the system serves.
- Type of data it utilizes.
- Third party (vendor) involvement with the system.
- The users' level of access to system-related data (read-only, alter, etc.).
2.5.1 System Location
The physical location and description of the location for the [System Name] system are documented in Table 2.5.1.
Table 2.5.1: [System Name] System Locations
Location Name | Description
Production Data Center | Owned by HHSC; Operated by:
Backup Data Center | Owned by HHSC; Operated by:
2.5.2 System Data Flows
Describe how information flows through and is processed by the system, beginning with system input through system output. Further describe how the data/information is processed by the system. Attach the Data Flow Chart here.
2.5.3 System Confidential Data Transfer Inventory
Table 2.5.3 describes the confidential data transfer inventory for the system.
Name of Transfer | Data transfer | Applicable Law | Method of transfer | Physical Address for physical transfer | Generation Server | Destination Server | Frequency | Contact Information
2.6 DESCRIPTION OF OPERATIONAL/SYSTEM ENVIRONMENT AND SPECIAL CONSIDERATIONS
This section describes the system’s operating environment, technical aspects, architecture, platforms, network connectivity, and additional security considerations.
2.6.1 System Information/Components
Indicate a high-level asset inventory for each component of the system.
Table 2.6.1
Components | Server Names | Description | Function | Server Types (Operating System)
1. Data Transmission Servers (e.g. ftp, sftp)
2. Application Servers (e.g. Unix/Linux)
3. Database Servers (e.g. Oracle 10g, 11g)
Storage Area Network (SAN)
Access management (e.g. Identity Manager, Novell, 4743 forms)
Other (specify)
2.6.2 User Community Organizations and Access
Table 2.6.2 describes the level of access for the System Privileged users.
Table 2.6.2: User Community Level of Access
User Group | Organization | Internal/External | Component | Data Access | Facility Access | IT Resource Access
2.6.3 Architecture and Topology
Describe the architecture of the system. Attach the network connectivity diagram (network topology diagram).
2.7 SYSTEM INTERCONNECTION / INFORMATION SHARING
Include in this section the following information concerning the authorization for the connection to other systems or the sharing of information:
(1) List/Name of interconnected system
(2) Type of interconnection (TCP/IP, Dial, SNA, etc.)
(3) Discussion of how the systems will interact, and security concerns and Rules of Behavior of the other systems that need to be considered in the protection of this system
Table 2.7: System Interconnection / Information Sharing
Name/Unique Identifier | Type of Interconnection (e.g. SFTP, HTTPS, Web Services, etc.) | Interaction Details and Security Considerations
2.8 APPLICABLE LAWS OR REGULATIONS
Law/Regulation/Policy | Applicable
Texas Administrative Code (TAC) 202
HHS Enterprise Information Security Standards and Guidelines (EISSG)
Health Insurance Portability and Accountability Act (HIPAA)
Internal Revenue Service (IRS) Publication 1075 Guidelines
Social Security Administration (SSA) Guidelines
Centers for Medicare and Medicaid Services (CMS)
Identity Theft Enforcement and Protection Act
Federal Information Security Management Act (FISMA)
Other (specify below):
3 SECURITY CATEGORIZATION AND CLASSIFICATION
System Classification as per TAC 202
Below is the definition from TAC 202 on ranking the systems as "High," "Medium," or "Low," based primarily on the following criteria:
High Risk - Information resources that:
(A) Involve large dollar amounts or significantly important transactions, such that business or government processes would be hindered or an impact on public health or safety would occur if the transactions were not processed timely and accurately, or
(B) Contain confidential or other data such that unauthorized disclosure would cause real damage to the parties involved, or
(C) Impact a large number of people or interconnected systems.
Medium Risk - Information resources that:
(A) Transact or control a moderate or low dollar value, or
(B) Data items that could potentially embarrass or create problems for the parties involved if released, or
(C) Impact a moderate proportion of the customer base.
Low Risk - Information resources that:
(A) Publish generally available public information, or
(B) Result in a relatively small impact on the population, or
3.1 Data Classification
The HHS Data Classification Standard applies equally to all individuals who use or handle any HHS Information Resource.
HHS data created, sent, printed, received, or stored on systems owned, leased, administered, or authorized by the HHS agency are the property of the HHS agency, and their protection is the responsibility of the HHS owners, designated custodians, and users.
Data shall be classified as follows, from the highest level of sensitivity to the lowest:
- Restricted – which includes ‘IRS FTI’ and ‘Verified SSA’ – Data that is subject to specific federal or state regulatory requirements and must a) remain encrypted at all times while at rest, in use or during transmission, b) be comprehensively monitored for access/distribution and c) provide for comprehensive access, distribution and audit controls.
- Confidential – which includes ‘SPI’, ‘PI’, ‘PII’, ‘PHI’ or ‘LEA’ – Data that is subject to specific federal or state regulatory requirements and must a) be encrypted during transmission to an outside agent or when stored on a mobile device, b) be monitored and c) provide strong access, distribution and audit controls.
- Agency Internal – Data that is not subject to specific regulatory or other external requirements but is considered HHS sensitive.
- Public – Information intended or required for public release as described in the Texas Public Information Act.
Specify the classification of data relative to this security plan.
Data Classification Standard
Restricted Data/Information
Confidential Data/Information
Agency Internal
Public Information
3.2 System Categorization (Potential Impact of Security Breach)
Security Categorization of Information
Description of Information/System Component | Confidentiality Impact (L / M / H) | Integrity Impact (L / M / H) | Availability Impact (L / M / H) | Overall Impact
Potential Impact of Security Breach:
4 HHS SECURITY CONTROL FRAMEWORK
4.1 Security Control Class Areas
The HHS security program makes extensive use of the information security guidance found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and its Appendix J. This guidance has been adapted to the unique HHS environment and provides the fundamental security principles on which this security control framework is built.
The security program framework is divided into four program class areas: Management, Operational, Technical, and Privacy. Each program class area is further divided into a set of security families. There are a total of 26 control families, each producing a high-level security policy. Each family has a two-letter identifier that is the prefix of the Control ID; see the column labeled “Family ID” in Table 1 on page 15.
Management Control Class Area – Focuses on policies that relate to the management of risk and the management of the HHS security program. This class consists of five security policies: Security Assessment and Authorization, Planning, Program Management, Risk Assessment, and System Services and Acquisition.
Operational Control Class Area – Focuses on policies that are primarily implemented and executed by people, rather than the information system. This class consists of nine security policies: Awareness and Training, Configuration Management, Contingency Planning, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Personnel Security, and System and Information Integrity.
Technical Control Class Area – Focuses on policies that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. This class consists of four security policies: Access Control, Audit and Accountability, Identification and Authentication, and System and Communications Protection.
Privacy Control Class Area – Focuses on policies that define the administrative, technical, and physical safeguards employed to protect HHS Restricted and Confidential Information.
Each one of the security policies has a number of supporting security controls that, when implemented and enforced, will satisfy the requirements of the security policy. There are a total of 197 Controls, including the Security and Privacy Controls.
Table 1 Organization of Policies and Controls
Control Class Area | Item Number | Family ID | Policy Family Name | Number of Security Controls
Management | 1. | CA | Security Assessment and Authorization (formerly Certification, Accreditation, and Security Assessment) | 6
Management | 2. | PL | Planning | 5
Management | 3. | PM | Program Management | 11
Management | 4. | RA | Risk Assessment | 4
Management | 5. | SA | System Services and Acquisitions | 11
Operational | 6. | AT | Awareness and Training | 4
Operational | 7. | CM | Configuration Management | 9
Operational | 8. | CP | Contingency Planning | 9
Operational | 9. | IR | Incident Response | 8
Operational | 10. | MA | Maintenance | 6
Operational | 11. | MP | Media Protection | 6
Operational | 12. | PE | Physical and Environmental Protection | 18
Operational | 13. | PS | Personnel Security | 8
Operational | 14. | SI | System and Information Integrity | 11
Technical | 15. | AC | Access Control | 16
Technical | 16. | AU | Audit and Accountability | 13
Technical | 17. | IA | Identification and Authentication | 8
Technical | 18. | SC | System and Communications Protection | 21
Privacy | 19. | AP | Authority and Purpose | 2
Privacy | 20. | AR | Accountability, Audit, and Risk Management | 6
Privacy | 21. | DI | Data Quality and Integrity | 2
Privacy | 22. | DM | Data Minimization and Retention | 2
Privacy | 23. | IP | Individual Participation and Redress | 4
Privacy | 24. | SE | Security | 2
Privacy | 25. | TR | Transparency | 2
Privacy | 26. | UL | Use Limitation | 3
TOTAL | | | | 197
5 INFORMATION SECURITY CONTROL PHASES
5.1 PHASE 1 – Priority 1
5.1.1 Impact 1 Controls
Control ID | Control Name | Description of Control | Status

Control ID: AC-2 (1) (2) (3) (4)
Control Name: Account Management
Description of Control:
The HHS organization manages HHS information systems accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when HHS users are terminated, transferred, or HHS information system usage or need-to-know/need-to-share changes;
h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by HHS or associated missions/business functions; and
j. Reviewing accounts every six months.
(1) Employs automated mechanisms to support the management of accounts.
(2) HHS information systems automatically terminate emergency accounts within 24 hours and temporary accounts with a fixed duration not to exceed 12 months.
(3) HHS information systems disable inactive privileged accounts after sixty (60) days and non-privileged accounts after ninety (90) days.
(4) HHS information systems automatically audit account creation, modification, disabling, and termination actions and notify appropriate individuals, as required.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Regulate the access provided to contractors and define security requirements for contractors.
[ii] Accounts do not have the same user or account name.
[iii] Accounts have not been assigned the same uid.
[iv] Accounts are locked after 90 days of inactivity.
[v] Unused default accounts will be disabled.
[vi] Implement centralized control of user access administrator functions.
Security Control Implementation Details:
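The AC-2 thresholds above (24 hours for emergency accounts, 12 months for temporary accounts, 60/90 days of inactivity, no duplicate names or uids, unused default accounts disabled) are concrete enough to check mechanically. The following script is an added example, not part of the HHSC template: it reviews a constructed account inventory against those rules. The Account fields, the reading of "12 months" as 365 days and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    name: str
    uid: int
    kind: str                       # "individual", "temporary", "emergency" or "default"
    privileged: bool
    created: datetime
    last_login: Optional[datetime]  # None means the account has never been used
    enabled: bool = True


# (account name, rule the account violates, human-readable detail)
Finding = Tuple[str, str, str]

# Thresholds as AC-2 states them; "12 months" is read here as 365 days (assumption).
EMERGENCY_MAX = timedelta(hours=24)
TEMPORARY_MAX = timedelta(days=365)
IDLE_LIMIT_DAYS = {True: 60, False: 90}   # keyed by Account.privileged


def review_accounts(accounts: List[Account], now: datetime) -> List[Finding]:
    """Return every AC-2 deviation found in the inventory as of `now`."""
    findings: List[Finding] = []

    # Additional criteria [ii] and [iii]: no two accounts share a name or a uid.
    seen_names, seen_uids = set(), set()
    for acct in accounts:
        if acct.name in seen_names:
            findings.append((acct.name, "[ii]", "duplicate account name"))
        if acct.uid in seen_uids:
            findings.append((acct.name, "[iii]", f"duplicate uid {acct.uid}"))
        seen_names.add(acct.name)
        seen_uids.add(acct.uid)

    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing left to deactivate

        age = now - acct.created
        # AC-2(2): emergency accounts terminate within 24 hours; temporary
        # accounts have a fixed duration not exceeding 12 months.
        if acct.kind == "emergency" and age > EMERGENCY_MAX:
            findings.append((acct.name, "AC-2(2)", "emergency account not terminated within 24 hours"))
        if acct.kind == "temporary" and age > TEMPORARY_MAX:
            findings.append((acct.name, "AC-2(2)", f"temporary account is {age.days} days old, limit is 12 months"))

        # Additional criterion [v]: default accounts that were never used must be disabled.
        if acct.kind == "default" and acct.last_login is None:
            findings.append((acct.name, "[v]", "unused default account must be disabled"))

        # AC-2(3): inactivity is measured from the last logon, or from creation
        # when the account has never logged on.
        idle = now - (acct.last_login or acct.created)
        limit = IDLE_LIMIT_DAYS[acct.privileged]
        if idle > timedelta(days=limit):
            role = "privileged" if acct.privileged else "non-privileged"
            findings.append((acct.name, "AC-2(3)", f"{role} account idle {idle.days} days, limit {limit}"))

    return findings


# Constructed sample inventory (not real HHSC data); "now" is the template's own date.
NOW = datetime(2013, 11, 8, 9, 0)
SAMPLE_ACCOUNTS = [
    Account("jsmith", 1001, "individual", False, datetime(2013, 1, 15), datetime(2013, 11, 1)),
    Account("dbadmin", 1002, "individual", True, datetime(2013, 1, 15), datetime(2013, 8, 1)),
    Account("batchtmp", 1003, "temporary", False, datetime(2012, 10, 1), datetime(2013, 11, 5)),
    Account("emerg01", 1004, "emergency", True, NOW - timedelta(hours=30), None),
    Account("guest", 1005, "default", False, datetime(2013, 10, 20), None),
    Account("jsmith2", 1001, "individual", False, datetime(2013, 11, 1), datetime(2013, 11, 7)),
    Account("old_contractor", 1006, "individual", False, datetime(2012, 3, 1), None, enabled=False),
]

if __name__ == "__main__":
    for name, rule, detail in review_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{name:<15} {rule:<8} {detail}")
```

Each finding names the AC-2 clause or additional criterion it fails, so the output can be pasted into the Security Control Implementation Details as evidence of the six-monthly review in AC-2 j.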
Control ID: AC-3
Control Name: Access Enforcement
Description of Control: The HHS organization enforces approved authorizations for logical access to the system in accordance with applicable policy.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: AC-6 (1) (2)
Control Name: Least Privilege
Description of Control:
The HHS organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with HHS missions and business functions.
(1) Explicitly authorizes access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information, which is restricted to explicitly authorized individuals.
(2) Requires that users of HHS information system accounts, or roles, with access to security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other system functions, and, if feasible, audits any use of privileged accounts, or roles, for such functions.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Contractors must be provided with minimal system and physical access, and must agree to and support the HHS security requirements.
Security Control Implementation Details:
Control ID: AU-2 (3) (4)
Control Name: Auditable Events
Description of Control:
The HHS organization:
a. Determines, based on a risk assessment and HHS mission/business needs, that HHS information systems must be capable of auditing the events described in "Appendix C Recommended Events for Logging" (Appendix C Recommended Events for Logging.docx);
b. Coordinates the security audit function with other HHS entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. The list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents based on current threat information and ongoing assessment of risk; and
d. Determines, based on current threat information and ongoing assessment of risk, that the events specified in AU-2a are to be audited at the frequencies specified in the system security plan.
(3) Reviews and updates the list of auditable events annually.
(4) Includes execution of privileged functions in the list of events to be audited by the information system, including administrator and user account activities, failed and successful log-on, security policy modifications, use of administrator privileges, system shutdowns, reboots, errors, and access authorizations.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
Control ID: AU-6
Control Name: Audit Review, Analysis, and Reporting
Description of Control:
The HHS organization:
a. Reviews and analyzes audit records for defined key HHS information systems on a daily basis for indications of inappropriate or unusual activity, and reports findings to designated HHS officials. Indications include:
- Excessive logon attempt failures by single or multiple users
- Logons at unusual/non-duty hours
- Failed attempts to access restricted system or data files indicating a possible pattern of deliberate browsing
- Unusual or unauthorized activity by system administrators
- Activities (e.g. command-line activity) by a user that should not have that capability
- System failures or errors.
b. Adjusts the level of audit review, analysis, and reporting within the HHS information systems when there is a change in risk to HHS operations, assets, and individuals based on law enforcement information, intelligence information, or other credible sources of information.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: CA-5
Control Name: Plan of Action and Milestones
Description of Control:
The HHS organization:
a. Develops a plan of action and milestones (POA&M) for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates and submits the existing POA&M on a monthly basis until all the findings are resolved, based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
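The daily review that AU-6(a) requires can be automated for four of the listed indications: excessive logon failures, logons at non-duty hours, a pattern of failed access to restricted files, and command-line activity by a user who should not have it. The script below is an added example, not part of the HHSC template, run over constructed sample records. The log line format, the failure and browsing thresholds, the duty-hours window, the restricted path prefix and the set of shell-authorized users are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Review parameters (assumptions, not values taken from the SSP).
FAIL_THRESHOLD = 5                  # failed logons per user per day
DUTY_HOURS = range(7, 19)           # 07:00-18:59, Monday to Friday
RESTRICTED_PREFIX = "/data/restricted/"
BROWSING_THRESHOLD = 3              # distinct restricted files denied to one user
SHELL_AUTHORIZED = {"dbadmin"}      # users permitted command-line activity

# (user, AU-6 indication, detail)
Finding = Tuple[str, str, str]


def parse_line(line: str) -> Tuple[datetime, str, Dict[str, str]]:
    """Parse '<ISO timestamp> <EVENT> key=value ...' (constructed format)."""
    timestamp, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(timestamp), event, fields


def review_audit_records(lines: List[str]) -> List[Finding]:
    """Apply the AU-6(a) indications to one day of audit records."""
    findings: List[Finding] = []
    failures: Counter = Counter()
    denied: Dict[str, Set[str]] = defaultdict(set)

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        when, event, f = parse_line(line)
        user = f.get("user", "?")

        if event == "LOGIN_FAIL":
            failures[user] += 1
        elif event == "LOGIN_OK":
            # Logons at unusual/non-duty hours (weekend or outside DUTY_HOURS).
            if when.weekday() >= 5 or when.hour not in DUTY_HOURS:
                findings.append((user, "off-hours logon",
                                 f"{when:%a %Y-%m-%d %H:%M} from {f.get('src', '?')}"))
        elif event == "FILE_DENIED" and f.get("path", "").startswith(RESTRICTED_PREFIX):
            denied[user].add(f["path"])
        elif event == "CMD" and user not in SHELL_AUTHORIZED:
            # Command-line activity by a user who should not have that capability.
            findings.append((user, "unauthorized command-line activity", f"ran {f.get('cmd', '?')}"))

    # Excessive logon attempt failures by a single user.
    for user, count in failures.items():
        if count >= FAIL_THRESHOLD:
            findings.append((user, "excessive logon failures",
                             f"{count} failures (threshold {FAIL_THRESHOLD})"))

    # Failed attempts on several distinct restricted files suggest deliberate browsing.
    for user, paths in denied.items():
        if len(paths) >= BROWSING_THRESHOLD:
            findings.append((user, "restricted file browsing", f"{len(paths)} distinct files denied"))

    return findings


# Constructed sample records for 2013-11-07 (a Thursday); not real log data.
SAMPLE_LOG = """
2013-11-07T08:02:11 LOGIN_OK user=jsmith src=10.1.2.3
2013-11-07T08:05:40 LOGIN_FAIL user=mlee src=10.1.2.9
2013-11-07T08:05:52 LOGIN_FAIL user=mlee src=10.1.2.9
2013-11-07T08:06:03 LOGIN_FAIL user=mlee src=10.1.2.9
2013-11-07T08:06:15 LOGIN_FAIL user=mlee src=10.1.2.9
2013-11-07T08:06:31 LOGIN_FAIL user=mlee src=10.1.2.9
2013-11-07T08:06:44 LOGIN_OK user=mlee src=10.1.2.9
2013-11-07T09:00:00 LOGIN_FAIL user=jsmith src=10.1.2.3
2013-11-07T10:15:00 CMD user=jsmith cmd=/bin/bash
2013-11-07T10:20:00 CMD user=dbadmin cmd=/bin/bash
2013-11-07T23:41:09 LOGIN_OK user=dbadmin src=10.1.2.20
2013-11-07T23:42:30 FILE_DENIED user=dbadmin path=/data/restricted/fti/2013_q3.dat
2013-11-07T23:42:41 FILE_DENIED user=dbadmin path=/data/restricted/fti/2013_q2.dat
2013-11-07T23:42:58 FILE_DENIED user=dbadmin path=/data/restricted/ssa/verified.dat
""".strip().splitlines()

if __name__ == "__main__":
    for user, indication, detail in review_audit_records(SAMPLE_LOG):
        print(f"{user:<10} {indication:<36} {detail}")
```

Note that dbadmin is an authorized shell user yet still surfaces twice (off-hours logon plus restricted-file browsing), which is the kind of "unusual activity by system administrators" AU-6(a) wants escalated to the designated HHS officials.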
Control ID: CM-2 (1) (3) (4)
Control Name: Baseline Configuration
Description of Control:
The HHS organization:
a. Develops, documents, and maintains under configuration control a current baseline configuration of the HHS information systems.
(1) Reviews and updates the baseline configuration of HHS information systems:
(a) At least once annually;
(b) When required due to major system changes/upgrades; and
(c) As an integral part of HHS component installations and upgrades.
(3) Retains older versions of baseline configurations as deemed necessary to support rollback.
(4) The HHS organization:
(a) Develops and maintains an Agency-defined list of software programs not authorized (black list) to execute on the information system.
(b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on HHS information security components.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: CM-3 (2)
Control Name: Configuration Change Control
Description of Control:
The HHS organization:
a. Determines the types of changes to the HHS information systems that are configuration controlled;
b. Approves configuration-controlled changes to HHS with explicit consideration for security impact analyses;
c. Documents approved configuration-controlled changes to the system;
d. Retains and reviews records of configuration-controlled changes to the system;
e. Audits activities associated with configuration-controlled changes to the system; and
f. Coordinates and provides oversight for configuration change control activities through the HHS change control board, which convenes at least monthly or as needed.
(2) The HHS organization tests, validates, and documents changes to HHS before implementing the changes on the operational system.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
CM-8 (1)
(5)
Information
System
Component
Inventory
SSP [Date] and Version: 1.1
Description of Control
Status
The HHS organization develops, documents, and maintains
an inventory of HHS information systems that:
a. Accurately reflects current HHS information system
components; (e.g. desktops, laptops, servers, network
equipment (routers, switches, firewalls, etc.), printers,
storage area networks, voiceover-IP telephones, etc. The
inventory of information system components includes detail
such as make, model, OS, type, model, serial number,
physical location, owner, and machine name).
b. Is consistent with the authorization boundary of the HHS
organization;
c. Is at the level of granularity deemed necessary for
tracking and reporting;
d. Includes manufacturer, model/type, serial number,
version number, location (i.e. physical location and logical
position within the HHS architecture, and ownership; and;
e. Is available for review and audit by designated HHS
officials.
(1) Updates the inventory of HHS information systems as an
integral part of component installations, removals, and
updates.
(5) Verifies that all components within the authorization
boundary of the HHS organization are either inventoried as
a part of the system or recognized by another system as a
component within that system.
Security Control Implementation Details:
In Place
Control ID: IA-2 (1) (8)
Control Name: Identification and Authentication (HHS Users)
Description of Control:
The HHS information systems:
a. Uniquely identify and authenticate HHS users (or processes acting on behalf of users).
(1) Use multifactor authentication for access to privileged accounts for HHS Restricted data.
(8) Use replay-resistant authentication mechanisms for network access to privileged accounts according to specific system security plan requirements.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] All user accounts are unique; there are no duplicate user accounts.
[ii] Creation of a duplicate user account fails. HHS information systems provide a mechanism to ensure duplicate user account names are not created, e.g., using operating system functions to manage user accounts.
[iii] Creation of a new user account without a password fails; a password is required to create an account.
[iv] A logon attempt without a password fails; a password is required for identification and authentication to the application.
Security Control Implementation Details:

Control ID: IA-5 (1) (2) (3)
Control Name: Authenticator Management
Description of Control:
The HHS organization manages the HHS component authenticators for users and devices by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the HHS organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators upon HHS information systems installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
g. Changing/refreshing authenticators in accordance with the criteria for Enhancement (1) below;
h. Protecting authenticator content from unauthorized disclosure and modification; and
i. Requiring users to take, and having devices implement, specific measures to safeguard authenticators.
(1) Password-based authentication for HHS information systems:
(a) Enforces minimum password complexity. Each password must contain a minimum of eight (8) and a maximum of sixteen (16) characters with at least one (1) from each of the following categories:
- upper case alpha (ABC)
- lower case alpha (abc)
- number (0 to 9)
- special character (@ # $ % ^ & * ( ) _ + | ~ = \ ` { } [ ] : " ; ' < > /)
Dictionary names or words are prohibited.
(b) Enforces a minimum of four (4) changed characters when a new password is created;
(c) Encrypts passwords in storage and in transmission;
(d) Enforces password lifetime restrictions with a minimum of two (2) days and a maximum of sixty (60) days for privileged accounts and ninety (90) days for non-privileged accounts;
(e) Prohibits password reuse for six (6) generations;
(f) Limits password changes to once every 15 days;
(g) Forces the user to change the default password at first logon;
(h) Disables the password after 90 days of inactivity;
(i) Sets "Prompt user to change password before expiration" to "14 days" or more.
(2) PKI-based authentication for HHS information systems:
(a) Validates certificates by constructing a certification path with status information to an accepted trust anchor;
(b) Enforces authorized access to the corresponding private key; and
(c) Maps the authenticated identity to the user account.
(3) Requires that the registration process to receive Agency-defined types of and/or specific authenticators (e.g., hardware tokens) be verified in person by a designated HHS official (e.g., a supervisor).
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

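As an added example (not part of the HHSC template), the following Python checks a candidate password against the IA-5 (1) rules above: complexity (a), the four-changed-characters rule (b), six-generation reuse (e), and the lifetime rules (d), (h) and (i). The dictionary stand-in, the position-wise "changed characters" metric, and the use of SHA-256 digests for the password history are assumptions made here; a production system would use its own salted, slow password hash.

```python
"""Password-policy checks for the IA-5 (1) parameters above.

Added example, not code from the HHSC template. The dictionary stand-in,
the position-wise "changed characters" metric and the use of SHA-256 for
the password history are assumptions made for this illustration.
"""
import hashlib
import string
from datetime import date
from typing import List

MIN_LEN, MAX_LEN = 8, 16         # (a) length bounds
MIN_CHANGED = 4                  # (b) characters that must differ from the old password
HISTORY_DEPTH = 6                # (e) generations of reuse prohibited
MAX_AGE_PRIVILEGED = 60          # (d) maximum lifetime in days, privileged accounts
MAX_AGE_NONPRIVILEGED = 90       # (d) maximum lifetime in days, non-privileged accounts
INACTIVITY_DISABLE = 90          # (h) days of inactivity after which the password is disabled
EXPIRY_WARNING = 14              # (i) days before expiry at which the user is prompted
SPECIALS = set('@#$%^&*()_+|~=\\`{}[]:";\'<>/')   # (a) special characters listed above

# Constructed stand-in for the prohibited dictionary; load a real word list in practice.
DICTIONARY = {"password", "welcome", "summer", "austin", "texas"}


def digest(password: str) -> str:
    """History entry for a password (stand-in for the system's real password hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_violations(pw: str) -> List[str]:
    """Return every IA-5 (1)(a) rule the candidate breaks (empty list = compliant)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("missing upper case letter")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("missing lower case letter")
    if not any(c in string.digits for c in pw):
        problems.append("missing digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("missing special character")
    # Dictionary rule: reject the password itself or its letters-only core,
    # which catches "Password1@" style digit/symbol padding.
    letters = "".join(c for c in pw if c.isalpha()).lower()
    if pw.lower() in DICTIONARY or letters in DICTIONARY:
        problems.append("dictionary word")
    return problems


def changed_characters(old: str, new: str) -> int:
    """Positions that differ between old and new; extra length counts as changed (assumption)."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def check_new_password(new: str, previous: str, history: List[str]) -> List[str]:
    """Rules (a), (b) and (e). `previous` is the old cleartext password the user
    supplies at change time; `history` holds digests of earlier passwords, oldest first."""
    problems = complexity_violations(new)
    if previous and changed_characters(previous, new) < MIN_CHANGED:
        problems.append(f"fewer than {MIN_CHANGED} characters changed")
    if digest(new) in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within last {HISTORY_DEPTH} passwords")
    return problems


def lifetime_state(last_changed: date, last_used: date, today: date, privileged: bool) -> str:
    """Rules (d), (h) and (i): returns 'ok', 'warn', 'expired' or 'disabled'."""
    max_age = MAX_AGE_PRIVILEGED if privileged else MAX_AGE_NONPRIVILEGED
    age = (today - last_changed).days
    idle = (today - last_used).days
    if idle > INACTIVITY_DISABLE:        # (h) inactive accounts are disabled first
        return "disabled"
    if age > max_age:                    # (d) lifetime exceeded
        return "expired"
    if age >= max_age - EXPIRY_WARNING:  # (i) prompt the user 14 days ahead
        return "warn"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a compliant password, then a change that alters one character.
    first = "Tr@d1ngPartner"
    print(complexity_violations(first))
    print(check_new_password("Tr@d1ngPartnez", first, [digest(first)]))
    print(lifetime_state(date(2013, 9, 1), date(2013, 11, 7), date(2013, 11, 8), True))
```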
Control ID: SC-7 (1)
Control Name: Boundary Protection
Description of Control:
HHS information systems:
a. Monitor and control communications at the external boundary of the system and at key internal boundaries within the system; and
b. Connect to external networks or information systems only through managed interfaces consisting of automated boundary protection devices arranged in accordance with the HHS security architecture.
(1) The HHS organization physically allocates publicly accessible HHS information systems to separate subnetworks with separate physical network interfaces.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: SC-7 (2)
Control Name: Boundary Protection
Description of Control:
HHS information systems prevent public access into the HHS organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: SC-7 (3)
Control Name: Boundary Protection
Description of Control:
The HHS organization limits the number of access points to the HHS information systems (e.g., by prohibiting desktop modems) to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: SC-7 (4)
Control Name: Boundary Protection
Description of Control:
The HHS organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and the duration of that need;
(e) Reviews exceptions to the traffic flow policy as specified in the system security plan; and
(f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: SC-7 (5)
Control Name: Boundary Protection
Description of Control:
At managed interfaces, HHS information systems deny network traffic by default and allow network traffic by exception (i.e., deny all, permit by exception).
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: SC-7 (7)
Control Name: Boundary Protection
Description of Control:
HHS information systems prevent remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: SC-8 (1)
Control Name: Transmission Integrity
Description of Control:
HHS information systems protect the integrity of transmitted information.
(1) The HHS organization employs cryptographic mechanisms (e.g., digital signatures, cryptographic hashes) as required by the system security plan to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
• The application uses integrity checks (e.g., hash algorithms, checksums) to detect errors in data streams of the application data transmitted over the network.
• The application supports integrity checking mechanisms for file transmissions.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Transmissions are encrypted using a key no less than 128 bits in length, or FIPS 140-2 compliant, whichever is stronger.
[ii] If encryption is not used to transmit data over the WAN, unencrypted cable circuits of copper or fiber optics are an acceptable means of transmitting FTI. If encryption is not used to transmit data over the LAN, the Agency must use other compensating mechanisms (e.g., switched VLAN technology, fiber optic medium, etc.).
Security Control Implementation Details:

Control ID: SI-2 (2)
Control Name: Flaw Remediation
Description of Control:
The HHS organization:
a. Identifies, reports, and corrects HHS information system flaws;
b. Tests software updates related to flaw remediation for effectiveness and potential side effects on HHS information systems before installation; and
c. Incorporates flaw remediation monthly into the HHS configuration management process.
(2) Employs automated mechanisms to determine the state of HHS information systems with regard to flaw remediation.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Remediate identified HHS flaws on production equipment in a timeframe based on the National Vulnerability Database (NVD, http://nvd.nist.gov/) vulnerability severity rating of the flaw: flaws rated as high severity within seven (7) calendar days; medium severity within fifteen (15) calendar days; and all others within thirty (30) calendar days.
(a) Evaluate system security patches, service packs, and hot fixes in a test bed environment to determine the effectiveness and potential side effects of such changes; and
(b) Manage the flaw remediation process centrally.
[ii] Procedures are documented for the testing of all patches and upgrades that is required as part of the HHS configuration management process.
[iii] A test plan and procedures are created and updated for each production release.
Security Control Implementation Details:

5.1.2 Impact 2 Controls
Control ID: AC-4
Control Name: Information Flow Enforcement
Description of Control:
The HHS organization enforces approved authorizations for controlling the flow of information within the HHS information systems and between interconnected systems in accordance with applicable policy.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: AC-5
Control Name: Separation of Duties
Description of Control:
The HHS organization:
a. Separates duties of individuals as necessary to prevent malevolent activity without collusion;
b. Documents separation of duties; and
c. Implements separation of duties through assigned HHS component access authorizations.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Ensure that audit functions are not performed by security personnel responsible for administering access control.
[ii] Ensure that HHS testing functions (i.e., user acceptance, quality assurance, information security) and production functions are divided among separate individuals or groups.
[iii] Ensure that an independent entity, not the business owner, system developers/maintainers, or system administrators responsible for the information system, conducts information security testing of the information system.
Security Control Implementation Details:

Control ID: AC-7
Control Name: Unsuccessful Login Attempts
Description of Control:
HHS information systems:
For Restricted data:
a. Enforce a limit of three (3) consecutive invalid access attempts by a user within a fifteen (15) minute period; and
b. Automatically lock the account/node for one (1) hour or until released by an account administrator. The control applies regardless of whether the login occurs via a local or network connection.
For other HHS classified systems, enforce the following:
a. Account lockout duration of 30 minutes;
b. Account lockout threshold after 5 invalid logon attempts; and
c. Reset account lockout counter after 30 minutes of lockout.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] The login delay between login prompts after a failed login is set to more than four seconds.
Security Control Implementation Details:

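As an added example (not part of the HHSC template), the following Python implements the AC-7 lockout rules above for both profiles: three consecutive invalid attempts within fifteen minutes lock a Restricted-data account for one hour or until an administrator releases it, while other systems lock after five attempts for thirty minutes with the counter reset after thirty minutes. The policy objects, the reading of the counter reset as a thirty-minute window, the five-second prompt delay, and the sample account names are assumptions made here.

```python
"""Account lockout logic for the AC-7 parameters above.

Added example, not code from the HHSC template. Timestamps are passed in
as seconds so the logic can be exercised without sleeping; the policy
objects, the "window" reading of the counter reset, the 5-second prompt
delay and the sample account names are assumptions made here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int          # invalid attempts that trigger a lockout
    window: int             # seconds within which the attempts must fall (counter reset interval)
    lockout: int            # seconds the account stays locked
    prompt_delay: int = 5   # Additional Criteria [i]: more than four seconds between prompts


# "For Restricted data": 3 attempts in 15 minutes, locked for 1 hour.
RESTRICTED = LockoutPolicy(threshold=3, window=15 * 60, lockout=60 * 60)
# "For other HHS classified systems": 5 attempts, 30-minute lockout, counter reset after 30 minutes.
OTHER = LockoutPolicy(threshold=5, window=30 * 60, lockout=30 * 60)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # times of consecutive invalid attempts
    locked_until: Optional[float] = None


class LockoutTracker:
    """Tracks AC-7 state per account; applies to local and network logins alike."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        state = self.accounts.get(user)
        return state is not None and state.locked_until is not None and now < state.locked_until

    def record_attempt(self, user: str, credentials_valid: bool, now: float) -> dict:
        """Apply one login attempt and return the decision the login front end must enforce."""
        state = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            # A locked account is refused even with valid credentials until the
            # lockout elapses or an administrator releases it.
            return {"allowed": False, "locked": True, "retry_after": state.locked_until - now}
        state.locked_until = None  # any earlier lockout has expired
        if credentials_valid:
            state.failures.clear()  # a success breaks the "consecutive" chain
            return {"allowed": True, "locked": False, "delay": 0}
        # Drop failures older than the window (counter reset), then count this one.
        state.failures = [t for t in state.failures if now - t <= self.policy.window]
        state.failures.append(now)
        if len(state.failures) >= self.policy.threshold:
            state.locked_until = now + self.policy.lockout
            state.failures.clear()
            return {"allowed": False, "locked": True, "retry_after": self.policy.lockout}
        return {"allowed": False, "locked": False, "delay": self.policy.prompt_delay}

    def release(self, user: str) -> None:
        """Administrator release ("or until released by an account administrator")."""
        state = self.accounts.get(user)
        if state is not None:
            state.locked_until = None
            state.failures.clear()


if __name__ == "__main__":
    # Constructed sample: three bad passwords for "alice" within two minutes.
    tracker = LockoutTracker(RESTRICTED)
    for t in (0, 60, 120):
        print(tracker.record_attempt("alice", False, t))
    print(tracker.record_attempt("alice", True, 3000))  # still locked despite valid credentials
```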
Control ID: AC-17 (1) (2) (3) (4) (5) (7) (8)
Control Name: Remote Access
Description of Control:
The HHS organization:
a. Requires that the allowed methods of remote access to HHS information systems are:
- GoToMyPC;
- VPN;
- Outlook Web Access.
Remote access requires two-factor authentication.
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access;
d. Authorizes remote access prior to connection; and
e. Enforces requirements for remote connections.
(1) HHS information systems employ automated mechanisms to facilitate the monitoring and control of remote access methods.
(2) The HHS organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
(3) HHS information systems route all remote accesses through a limited number of managed access control points.
(4) The HHS organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access and use of commands in the specific system security plan for the information system.
(5) The HHS organization monitors for unauthorized remote connections to HHS information systems at least quarterly and takes appropriate action if an unauthorized connection is discovered.
(7) The HHS organization requires that remote sessions used for remote administration employ additional security measures (e.g., Secure Shell [SSH], Virtual Private Networking [VPN] with blocking mode enabled) (see SC-13) and that the sessions are audited.
(8) The HHS organization disables networking protocols deemed to be nonsecure (such as Bluetooth, peer-to-peer networking) except for explicitly identified components in support of specific operational requirements.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] No unauthorized remote sessions are allowed.
[ii] The administrative password is not passed over a network in clear text form.
Security Control Implementation Details:

Control ID: AU-5
Control Name: Response to Audit Processing Failures
Description of Control:
HHS information systems:
a. Alert designated HHS officials in the event of an audit processing failure; and
b. Take the following additional actions in response to an audit failure or audit storage capacity issue:
- Shut down the HHS information system/applications;
- Stop generating audit records; or
- Overwrite the oldest records, in the case that storage media is unavailable.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: CA-7
Control Name: Continuous Monitoring
Description of Control:
The HHS organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for HHS and its constituent components;
b. A determination of the security impact of changes to HHS information systems and environment of operation;
c. Ongoing security control assessments in accordance with the continuous monitoring strategy; and
d. Reporting the security state of the HHS information systems to appropriate organizational officials annually.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: CM-6 (3)
Control Name: Configuration Settings
Description of Control:
The HHS organization:
a. Establishes and documents mandatory configuration settings for information technology products employed within the HHS information systems using the latest security configuration guidelines in the Data Center Services (DCS) Master System Security Plan (MSSP) technical specification document;
b. Implements the configuration settings;
c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within HHS information systems based on explicit operational requirements; and
d. Monitors and controls changes to the configuration settings in accordance with HHS policies and procedures.
(3) Incorporates detection of unauthorized, security-relevant configuration changes into the incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] The Agency establishes and documents mandatory security configuration settings for HHS information systems.
Security Control Implementation Details:

Control ID: MP-4
Control Name: Media Storage
Description of Control:
The HHS organization:
a. Physically controls and securely stores media within controlled areas using safeguards prescribed for the highest system security level of the information ever recorded on it;
b. Protects HHS media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
1. Desktops, laptops, hard drives, and portable computing devices need to be encrypted in accordance with Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules.
Security Control Implementation Details:

Control ID: PE-3
Control Name: Physical Access Control
Description of Control:
The HHS organization:
a. Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where HHS information systems reside, excluding those areas within the facility officially designated as publicly accessible;
b. Verifies individual access authorizations before granting access to the facility;
c. Controls entry to the facility containing HHS information systems using physical access devices and/or guards;
d. Controls access to areas officially designated as publicly accessible in accordance with HHS's assessment of risk;
e. Secures keys, combinations, and other physical access devices;
f. Inventories physical access devices annually; and
g. Changes combinations and keys annually, or whenever keys are lost, combinations are compromised, or individuals who had access to combinations and/or keys are transferred or terminated.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Require two barriers to access IRS FTI under normal security: secured perimeter/locked container, locked perimeter/secured interior, or locked perimeter/security container. Protected information must be containerized in areas where other than authorized employees may have access after hours.
Security Control Implementation Details:

Control ID: PS-7
Control Name: Third-Party Personnel Security
Description of Control:
The HHS organization:
a. Establishes personnel security requirements, including security roles and responsibilities, for third-party providers;
b. Documents personnel security requirements; and
c. Monitors provider compliance.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Regulate the access provided to contractors and define security requirements for contractors. Contractors must be provided with minimal system and physical access, and must agree to and support the HHS information security requirements.
Security Control Implementation Details:

Control ID: SC-9 (1)
Control Name: Transmission Confidentiality
Description of Control:
HHS information systems must protect the confidentiality of transmitted information.
(1) The HHS organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
encryption, using at least a 128-bit encryption key.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] When sending or receiving faxes containing HHS Restricted, Confidential, or Agency Internal data:
- Fax machines must be located in a locked room with a trusted staff member having custodial coverage over outgoing and incoming transmissions, or fax machines must be located in a secured area;
- Accurate broadcast lists and other preset numbers of frequent fax recipients must be maintained; and
- A cover sheet must be used that explicitly provides guidance to the recipient, including a notification of the sensitivity of the data and the need for protection, and a notice to unintended recipients to telephone the sender (collect if necessary) to report the disclosure and confirm destruction of the information.
Security Control Implementation Details:

Control ID: SI-3 (1) (2) (3)
Control Name: Malicious Code Protection
Description of Control:
The HHS organization:
a. Employs malicious code protection mechanisms at HHS information systems entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
- Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
- Inserted through the exploitation of HHS vulnerabilities;
b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with HHS configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
- Perform periodic scans of the HHS information systems every twenty-four (24) hours and during system reboot, and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with HHS security policy; and
- Block, quarantine, and send alerts to administrators on an ongoing basis in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of HHS.
(1) Centrally manages malicious code protection mechanisms.
(2) HHS information systems automatically update malicious code protection mechanisms (including signature definitions).
(3) HHS information systems prevent non-privileged users from circumventing malicious code protection capabilities.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Virus-protection program signature definitions are updated at least every 14 days.
[ii] Servers, workstations, and laptops should not be configured to auto-run removable media.
[iii] Servers, workstations, and laptops should be configured to automatically scan removable media for malware when inserted.
Security Control Implementation Details:

Control ID: SI-4 (2) (4) (5) (6)
Control Name: Information System Monitoring
Description of Control:
The HHS organization:
a. Monitors events on HHS information systems in accordance with Agency-defined Security Operations Procedures and detects HHS attacks;
b. Identifies unauthorized use of HHS information systems;
c. Deploys monitoring devices:
(i) strategically within HHS to collect organization-determined essential information; and
(ii) at ad hoc locations within the system to track specific types of transactions of interest to the HHS organization;
d. Heightens the level of HHS component monitoring activity whenever there is an indication of increased risk to HHS operations and assets, and individuals, based on law enforcement information, intelligence information, or other credible sources of information; and
e. Obtains legal opinion with regard to HHS monitoring activities in accordance with applicable federal/state laws, executive orders, directives, policies, or regulations.
(2) Employs automated tools to support near real-time analysis of events.
(4) HHS information systems monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
(5) HHS information systems provide near real-time alerts when the following indications of compromise or potential compromise occur:
(a) Presence of malicious code;
(b) Unauthorized export of information;
(c) Signaling to an external information system; or
(d) Potential intrusions.
(6) HHS information systems prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

5.1.3 Impact 3 Controls
Control ID: AC-11
Control Name: Session Lock
Description of Control:
HHS information systems:
a. Prevent further access to the system by initiating a session lock after fifteen (15) minutes of inactivity or at the request of the user; and
b. Retain the session lock until the user reestablishes access using established identification and authentication procedures.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Ensure a password-protected screen lock mechanism is used.
Security Control Implementation Details:

Control ID: AC-18 (1)
Control Name: Wireless Access
Description of Control:
The HHS organization:
a. Establishes usage restrictions and implementation guidance for wireless access;
b. Monitors for unauthorized wireless access to HHS information systems;
c. Authorizes wireless access to the information system prior to connection; and
d. Enforces requirements for wireless connections to HHS information systems.
(1) HHS information systems protect wireless access using authentication and encryption.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
When deploying wireless access points the following minimum standards shall apply:
1. File sharing on wireless clients shall be disabled.
2. Client NIC and Access Point firmware shall be upgradeable so that security patches may be deployed as they become available.
3. Access Points shall be turned off when they are not in use (e.g., after hours and on weekends).
4. The Access Point's Service Set Identifier (SSID) shall be changed from the default setting to an ID that does not reflect the identity of the Agency, the department, or the nature of the work of the physical location where it is installed, and SSID broadcast shall be disabled.
5. All non-secure and nonessential management protocols on Access Points shall be disabled.
6. All security features of the WLAN product, including the cryptographic authentication feature, shall be enabled.
7. The Wi-Fi Protected Access (WPA) security standard or greater shall be implemented.
8. Access Points shall have strong passwords, which shall be changed regularly.
9. User authentication shall use an RFC-compliant method, such as RADIUS, TACACS, etc.
10. Authentication mechanisms for the management interfaces of the Access Point shall be enabled, and management traffic destined for Access Points shall be on a dedicated wired subnet.
11. SNMP settings on Access Points shall be disabled or set for least privilege (i.e., read only), with SNMPv3 or an equivalent cryptographically protected protocol in use.
12. Installers shall ensure that new WLAN installations do not interfere with other existing equipment.
13. Physical and remote access to the Access Point reset function shall be restricted to authorized administrators only.
14. The default cryptographic key shall be changed from the factory default and shall be changed on a regular basis.
Security Control Implementation Details:

Control ID: AT-3
Control Name: Security Training
Description of Control:
The HHS organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) as refresher training annually thereafter.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: AU-3 (1)
Control Name: Content of Audit Records
Description of Control:
HHS information systems shall produce audit records that contain sufficient information to, at a minimum, establish what type of event occurred, the date and time the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
(1) Include the capability to provide more detailed information for audit events identified by type, location, or subject.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Record disclosures of sensitive information, including protected health and financial information. Log information type, date, time, receiving party, and releasing party. Verify within every ninety (90) days for each extract that the data is erased or its use is still required.
Security Control Implementation Details:

Control ID: AU-4
Control Name: Audit Storage Capacity
Description of Control:
The HHS organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: AU-7 (1)
Control Name: Audit Reduction and Report Generation
Description of Control:
HHS information systems provide an audit reduction and report generation capability.
(1) HHS information systems provide the capability to automatically process audit records for events of interest based on selectable event criteria.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:

Control ID: CA-2 (1)
Control Name: Security Assessments
Description of Control:
The HHS organization:
a. Develops a security assessment plan that describes the scope of the assessment, including:
- Security controls and control enhancements under assessment;
- Assessment procedures to be used to determine security control effectiveness;
- Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in HHS information systems annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment in writing to the authorizing official who is responsible for reviewing the assessment documentation.
(1) Employs an independent assessor or assessment team to conduct an assessment of the security controls in the HHS information systems.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] A security assessment of all security controls must be conducted for all newly implemented systems.
[ii] The HHS system owner notifies the appropriate personnel, as defined within the applicable business requirement document and change requests, whenever updates are made to system security authorization artifacts or significant role changes occur (e.g., system developer/maintainer, information system security analyst).
Security Control Implementation Details:

CA-6  Security Authorization
The HHS organization:
a. Identifies the HHS CISO, Agency IRM, and Agency ISOs as the approving officials for the HHS environment;
b. Ensures that the approving official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization:
- At least annually for high risk assets;
- When substantial changes are made to the system;
- When changes in requirements result in the need to process data of a higher sensitivity;
- When changes occur to authorizing legislation or federal/state requirements;
- After the occurrence of a serious security violation which raises questions about the validity of an earlier security authorization; and
- Prior to expiration of a previous security authorization.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
CM-7 (1)  Least Functionality
The HHS organization:
a. Configures the HHS information systems to provide only essential capabilities and specifically prohibits or restricts the use of functions, ports, protocols, and/or services.
(1) Reviews HHS information systems annually to identify and eliminate unnecessary functions, ports, protocols, and/or services.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{i} A list of specifically needed system services, ports, and network protocols should be maintained and documented in the system security plan; all others are disabled.
- Any functions installed by default that are not required by the HHS information systems are disabled.
- Services and/or software that are not needed should not be present on the server.
Security Control Implementation Details:
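One way to carry out the CM-7 (1) review, as an added example that is not part of the SSP template and not HHS code: the list of needed services, ports and protocols documented in the plan is compared with what a server is actually listening on, and anything not on the list is flagged for removal or documentation. The allowlist entries, the hostname and the sample `ss -H -tulnp` output are constructed assumptions; a real review would feed in the live output of that command.

```python
"""Least-functionality review: listening services versus the SSP allowlist.

Added example for CM-7 (1); not code from the SSP template or from HHS.
The allowlist entries and the ss-style sample output are constructed
assumptions. In a real review, SAMPLE_SS_OUTPUT is replaced by the live
output of `ss -H -tulnp` on the server being reviewed.
"""
from __future__ import annotations

import re

# Constructed allowlist as it would be documented in the SSP under CM-7:
# (protocol, port, owning program) for every service this server needs.
DOCUMENTED_SERVICES = {
    ("tcp", 22, "sshd"),        # administrative access
    ("tcp", 443, "nginx"),      # application front end
    ("tcp", 5432, "postgres"),  # database, local clients only
}

# Constructed sample of `ss -H -tulnp` output (header suppressed by -H).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1402,fd=6))
tcp   LISTEN 0      80         127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      50           0.0.0.0:21        0.0.0.0:*    users:(("vsftpd",pid=1533,fd=3))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=700,fd=7))
"""

# The program name is the first quoted string inside users:(("name",pid=...))
_PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_output: str) -> list[dict]:
    """Parse ss -tulnp lines into dicts: proto, port, bind address, program."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 6:          # not a socket line
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")
        match = _PROCESS_RE.search(line)
        listeners.append({
            "proto": proto,
            "port": int(port),
            "addr": addr,
            "program": match.group(1) if match else "?",
        })
    return listeners


def review_services(listeners, documented) -> dict:
    """Compare observed listeners with the documented allowlist.

    'unauthorized' are listeners absent from the SSP list (candidates for
    removal, or for documenting if genuinely needed); 'not_running' are
    documented services that were not observed, which usually means the
    allowlist itself is stale.
    """
    observed = {(l["proto"], l["port"], l["program"]) for l in listeners}
    return {
        "unauthorized": sorted(observed - set(documented)),
        "not_running": sorted(set(documented) - observed),
    }


if __name__ == "__main__":
    result = review_services(parse_listeners(SAMPLE_SS_OUTPUT), DOCUMENTED_SERVICES)
    for proto, port, program in result["unauthorized"]:
        print(f"NOT IN SSP: {proto}/{port} ({program}) - disable or document it")
    for proto, port, program in result["not_running"]:
        print(f"DOCUMENTED BUT NOT LISTENING: {proto}/{port} ({program})")
```

Keying the allowlist on program as well as port catches the case where an approved port is taken over by a different binary, which a port-only comparison would miss.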
CP-2 (1)  Contingency Plan / Continuity of Operations Plan
The HHS organization:
a. Develops a contingency plan (CP) or Continuity of Operations Plan (COOP) for HHS information systems that:
- Identifies essential HHS missions and business functions and associated contingency requirements;
- Provides recovery objectives, restoration priorities, and metrics;
- Addresses contingency roles, responsibilities, and assigned individuals with contact information;
- Addresses maintaining essential HHS missions and business functions despite an HHS disruption, compromise, or failure;
- Addresses eventual, full HHS restoration without deterioration of the security measures originally planned and implemented; and
- Is reviewed and approved by designated officials within the HHS organization;
b. Distributes copies of the COOP to key contingency personnel (identified by name and/or by role) and organizational elements;
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the COOP for the HHS information systems annually;
e. Revises the COOP to address changes to the HHS organization, HHS information systems, or environment of operation and problems encountered during COOP implementation, execution, or testing; and
f. Communicates COOP changes to key contingency personnel (identified by name and/or by role) and others as defined in the HHS COOP.
(1) Coordinates contingency plan development with HHS elements responsible for related plans.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
CP-4 (1)  Contingency Plan Testing and Exercises
The HHS organization:
a. Tests and/or exercises the contingency plan for the mission critical HHS information systems annually using defined tests and/or exercises, such as the tabletop test, in accordance with the current COOP procedure to determine the plan’s effectiveness and HHS’s readiness to execute the plan; and
b. Documents and reviews the contingency plan test/exercise results and initiates reasonable and appropriate corrective actions to close or reduce the impact of contingency plan failures and deficiencies.
(1) Coordinates contingency plan testing and/or exercises with HHS elements responsible for related plans.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
IA-4  Identifier Management
The HHS organization manages information system identifiers for users and devices by:
a. Receiving authorization from a designated official to assign a user or device identifier;
b. Selecting an identifier that uniquely identifies an individual or device;
c. Assigning the user identifier to the intended party or the device identifier to the intended device;
d. Preventing reuse of user or device identifiers until all previous access authorizations are removed from the system, including all file accesses for that identifier, but not before a period of at least a year has expired; and
e. Disabling the user identifier after ninety (90) days of inactivity.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
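The IA-4 rules above, applied to an identifier registry, as an added example that is not part of the SSP template and not HHS code. It checks the authorization requirement (a), uniqueness (b), the reuse restriction (d) and the 90-day inactivity rule (e); the account record layout, the sample accounts and the review date are constructed assumptions, while the two thresholds (90 days, one year) come from the control text.

```python
"""Identifier lifecycle checks for IA-4 (a), (b), (d) and (e).

Added example; not code from the SSP template or from HHS. The account
record layout, the sample accounts and REVIEW_DATE are constructed
assumptions. The thresholds come from the control text.
"""
from __future__ import annotations

from datetime import date

INACTIVITY_DISABLE_DAYS = 90   # IA-4 (e): disable after 90 days of inactivity
REUSE_QUARANTINE_DAYS = 365    # IA-4 (d): no reuse before at least a year has expired

REVIEW_DATE = date(2013, 11, 8)   # constructed date of this review

# Constructed identifier registry. Retired identifiers keep their record so
# that the reuse rule in IA-4 (d) can be enforced against them.
SAMPLE_ACCOUNTS = [
    {"id": "jdoe",   "state": "active",  "last_login": date(2013, 6, 1),
     "retired_on": None, "authorizations_removed": False},
    {"id": "asmith", "state": "active",  "last_login": date(2013, 10, 30),
     "retired_on": None, "authorizations_removed": False},
    {"id": "bjones", "state": "retired", "last_login": date(2013, 1, 10),
     "retired_on": date(2013, 1, 15), "authorizations_removed": True},
    {"id": "clee",   "state": "retired", "last_login": date(2012, 8, 20),
     "retired_on": date(2012, 9, 1), "authorizations_removed": False},
    {"id": "dkim",   "state": "retired", "last_login": date(2012, 4, 28),
     "retired_on": date(2012, 5, 1), "authorizations_removed": True},
]


def accounts_to_disable(accounts, today: date) -> list[str]:
    """IA-4 (e): active identifiers that have been idle for 90 days or more."""
    return [a["id"] for a in accounts
            if a["state"] == "active"
            and (today - a["last_login"]).days >= INACTIVITY_DISABLE_DAYS]


def reuse_blocker(account, today: date) -> str | None:
    """IA-4 (d): why a retired identifier may not be reissued yet, or None."""
    if not account["authorizations_removed"]:
        return "previous access authorizations still present"
    if (today - account["retired_on"]).days < REUSE_QUARANTINE_DAYS:
        return "retired less than a year ago"
    return None


def request_identifier(requested: str, accounts, today: date,
                       authorized_by: str | None) -> dict:
    """Decide an identifier assignment request against IA-4 (a), (b) and (d)."""
    if not authorized_by:                                   # IA-4 (a)
        return {"allowed": False,
                "reason": "no authorization from a designated official"}
    existing = next((a for a in accounts if a["id"] == requested), None)
    if existing is None:                                    # IA-4 (b): never used
        return {"allowed": True, "reason": "identifier is new"}
    if existing["state"] == "active":                       # IA-4 (b): not unique
        return {"allowed": False, "reason": "identifier is in use"}
    blocker = reuse_blocker(existing, today)                # IA-4 (d)
    if blocker:
        return {"allowed": False, "reason": blocker}
    return {"allowed": True, "reason": "quarantine period elapsed"}


if __name__ == "__main__":
    print("disable for inactivity:", accounts_to_disable(SAMPLE_ACCOUNTS, REVIEW_DATE))
    for ident in ("dkim", "bjones", "clee", "asmith", "newuser"):
        print(ident, request_identifier(ident, SAMPLE_ACCOUNTS, REVIEW_DATE, "isso"))
```

Keeping retired identifiers in the registry is what makes (d) enforceable; if a retired record were deleted, a later request for the same identifier would look "new" and the quarantine could not be checked.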
MP-2 (1)  Media Access
The HHS organization restricts access to HHS Restricted, Confidential, or Agency Internal media to authorized individuals using automated mechanisms to control access to media storage areas.
(1) Employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
MP-6  Media Sanitization
The HHS organization:
a. Sanitizes information system media, both digital and non-digital, prior to disposal, release out of HHS control, or release for reuse; and
b. Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{i} (For IRS Federal Tax Information (FTI) only) FTI must never be disclosed to an Agency's agents or contractors during disposal unless authorized by the Internal Revenue Code. Generally, destruction should be witnessed by an Agency employee.
{ii} (For Confidential or Agency Internal) Authorized employees of the receiving entity must be responsible for securing magnetic tapes/cartridges before, during, and after processing, and they must ensure that the proper acknowledgment form is signed and returned. Inventory records must be maintained for purposes of control and accountability. Tapes containing HHS Restricted and Confidential Information, or any file resulting from the processing of such a tape, are recorded in a log that identifies:
(a) Date received
(b) Reel/cartridge control number, contents
(c) Number of records, if available
(d) Movement, and
(e) If disposed of, the date and method of disposition.
Security Control Implementation Details:
PE-2  Physical Access Authorizations
The HHS organization:
a. Develops and keeps current a list of personnel with authorized access to the facility where HHS information systems reside (except for those areas within the facility officially designated as publicly accessible);
b. Issues authorization credentials; and
c. Reviews and approves the access list and authorization credentials at least once every one hundred eighty (180) days, removing personnel no longer requiring access from the list.
Status: In Place / Partially in Place / Not in Place / N/A
PE-6 (1)  Monitoring Physical Access
The HHS organization:
a. Monitors physical access to the HHS information system to detect and respond to physical security incidents;
b. Reviews physical access logs once a month; and
c. Coordinates results of reviews and investigations with HHS’s incident response capability.
(1) Monitors real-time physical intrusion alarms and surveillance equipment.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
PE-7 (1)  Visitor Control
The HHS organization controls physical access to the HHS information systems by authenticating visitors before authorizing access to the facility where HHS information systems reside, other than areas designated as publicly accessible.
(1) Escorts visitors and monitors visitor activity, when required.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
PM-5  Information System Inventory
The HHS organization develops and maintains inventories of Agency information systems.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
PS-3  Personnel Screening
The HHS organization:
a. Screens individuals prior to authorizing access to HHS information systems; and
b. Rescreens individuals annually, consistent with the criticality/sensitivity rating of the position.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
RA-2  Security Categorization
The HHS organization:
a. Categorizes information and HHS information systems in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the system security plan for the information system; and
c. Ensures the security categorization decision is reviewed and approved by the approving official or a designated representative.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
RA-3  Risk Assessment
The HHS organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the HHS information systems and the information they process, store, or transmit;
b. Documents risk assessment results in a risk assessment report;
c. Reviews risk assessment results annually; and
d. Updates the risk assessment annually or whenever there are significant changes to HHS information systems or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security or authorization state of the system.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] A risk assessment should be conducted for the information system based on the Agency-defined methodology that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, modification, or destruction of the information system and the information it processes, stores, or transmits.
Security Control Implementation Details:
SA-3  Life Cycle Support
The HHS organization:
a. Manages the HHS information systems using a system development life cycle methodology that includes information security considerations;
b. Defines and documents HHS component security roles and responsibilities throughout the system development life cycle; and
c. Identifies individuals having HHS component security roles and responsibilities.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
SA-9  External Information System Services
The HHS organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Monitors security control compliance by external service providers.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{i} Prohibits service providers from outsourcing any system function outside the U.S. or its territories for Medicaid Data.
{ii} (For Protected Health Information (PHI) only) A covered entity under HIPAA may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with HIPAA regulations. Such assurances must be documented and meet the requirements set forth in HIPAA regulations. (See HIPAA 164.308(b) and 164.314(a).)
Security Control Implementation Details:
SA-10  Developer Configuration Management
The HHS organization requires that HHS developers/integrators:
a. Perform configuration management during HHS information system design, development, implementation, and operation;
b. Manage and control changes to HHS information systems;
c. Implement only organization-approved changes;
d. Document approved changes to HHS information systems; and
e. Track security flaws and flaw resolution.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
SA-11  Developer Security Testing
The HHS organization requires that HHS information system component developers/integrators, in consultation with associated security personnel (including security engineers):
a. Create and implement a security test and evaluation plan in accordance with, but not limited to, the current HHS procedures;
b. Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
c. Document the results of the security testing/evaluation and flaw remediation processes.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] HHS information systems should be tested for security flaws on a periodic basis using automated vulnerability scanning methods, manual control testing, or a combination of both.
[ii] Test results are documented, and security flaws found during the test should be entered into a tracking system and monitored for mitigation.
[iii] Agency systems/applications should be tested for security flaws prior to release in production using manual or automated techniques or a combination of both.
Security Control Implementation Details:
SC-13  Use of Cryptography
HHS information systems implement required cryptographic protections using cryptographic modules that comply with applicable federal/state laws, executive orders, directives, policies, regulations, standards, and guidance.
(i) Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, should be used to specify the security requirements within a security system.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Use Secure Socket Layer (SSL) v2 and SSL v3.
[ii] SSH is not using v1 compatibility; only v2 connections are accepted.
Security Control Implementation Details:
5.1.4 Impact 4 Controls
AC-8  System Use Notification
HHS information systems will:
a. Display an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable Federal and Texas laws, executive orders, directives, policies, regulations, Health and Human Services Commission (HHSC) standards, and guidance, and states that:
(i) users are accessing a U.S. Government information system;
(ii) system usage may be monitored, recorded, and subject to audit;
(iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
(iv) use of the system indicates consent to monitoring and recording;
b. Retain the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
i. Display the system use information when appropriate, before granting further access;
ii. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
iii. Include a description of the authorized uses of the system in the notice given to public users of the information system.
The recommended banner for IRS FTI information resources is:
“WARNING
This system may contain U.S. Government information, which is restricted to authorized users ONLY. Unauthorized access, use, misuse, or modification of this computer system or of the data contained herein or in transit to/from this system constitutes a violation of Title 18, United States Code, Section 1030, and may subject the individual to Criminal and Civil penalties pursuant to Title 26, United States Code, Sections 7213, 7213A (the Taxpayer Browsing Protection Act), and 7431. This system and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. Such monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored in this system by a user. If monitoring reveals possible evidence of criminal activity, such evidence may be provided to Law Enforcement Personnel.
ANYONE USING THIS SYSTEM EXPRESSLY CONSENTS TO SUCH MONITORING”
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] the system contains US government information;
[ii] users' actions are monitored and audited;
[iii] unauthorized use of the system is prohibited;
[iv] unauthorized use of the system is subject to criminal and civil penalties.
Security Control Implementation Details:
AT-4  Security Training Records
The HHS organization:
a. Documents and monitors individual information system security training activities, including basic security awareness training and specific information system security training; and
b. Retains individual training records for three (3) years.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
AU-11  Audit Record Retention
The HHS organization retains audit records for ninety (90) days and archives old records for one (1) year to provide support for after-the-fact investigations of security incidents and to meet regulatory and HHS organization information retention requirements.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{i} (For Confidential data only) Audit inspection reports, including a record of corrective actions, shall be retained by the HHS organization for a minimum of three (3) years from the date the inspection was completed.
[ii] To support the audit of IRS FTI activities, all organizations must ensure that audit information is archived for six (6) years to enable the recreation of computer-related access to both the operating system and to the application where FTI is stored.
Security Control Implementation Details:
AU-14  Session Audit
For HHS information systems, ensure they have the capability to:
a. Capture/record and log key content related to a user session; and
b. Remotely view/hear all content related to an established user session in real time.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
IR-3  Incident Response Testing and Exercises
The HHS organization tests and/or exercises the incident response capability for the HHS information systems annually using reviews, analyses, and simulations to determine the incident response effectiveness and documents the results.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] The Agency defines incident response tests/exercises that contain procedures for the following:
- Detecting unauthorized FTI access;
- Reporting unauthorized FTI access to IRS, TIGTA, and the internal Agency incident response team.
[ii] The Agency tests/exercises the incident response capability for FTI related security violations (e.g., simulated successful unauthorized access to FTI) at least annually.
Note: The incident response tests/exercises should be different from any testing activities performed as part of Disaster Recovery or Contingency Planning.
[iii] The Agency documents the results of incident response tests/exercises.
Security Control Implementation Details:
PE-18  Location of Information System Components
The HHS organization positions HHS information systems within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
PL-2  System Security Plan
The HHS organization:
a. Develops security plans for HHS information systems that:
- Are consistent with HHS’s enterprise architecture;
- Explicitly define the authorization boundary for the HHS information systems;
- Describe the operational context of HHS information systems in terms of missions and business processes;
- Provide the security categorization of the HHS information systems, including supporting rationale;
- Describe the operational environment for HHS information systems;
- Describe relationships with or connections to other information systems;
- Provide an overview of the security requirements for HHS;
- Describe the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplementation decisions; and
- Are reviewed and approved by the authorizing official or a designated representative prior to plan implementation.
b. Reviews the security plan for HHS information systems annually; and
c. Updates the plan, minimally every three (3) years, to address current conditions or whenever:
- There are significant changes to the information system/environment of operation that affect security;
- Problems are identified during plan implementation or security control assessments;
- The data sensitivity level increases;
- A serious security violation occurs due to changes in the threat environment; or
- The previous security authorization is about to expire.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{iii} (For IRS FTI only) Develop and submit a Safeguard Procedures Report (SPR) that describes the procedures established and used by the HHS organization for ensuring the confidentiality of the information received from the IRS. This report is provided every six years or when significant changes occur in the safeguard program.
A Safeguard Activity Report (SAR) advises the IRS of minor changes to the procedures or safeguards described in the SPR. It also advises the IRS of future actions that will affect HHS's current efforts to ensure the confidentiality of IRS FTI, and finally certifies that HHS is protecting IRS FTI pursuant to IRC Section 6103(p)(4) and HHS's own security requirements. This report is provided annually by September 30th. (Reference IRS Publication 1075, sections 7 & 8.)
Security Control Implementation Details:
PM-2  Senior Information Security Analyst
The HHS organization appoints a Chief Information Security Officer (CISO) with the mission and resources to coordinate, develop, implement, and maintain an HHS-wide information security program.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
PM-3  Information Security Resources
The HHS organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case and/or Exhibit 300/Exhibit 53 to record the resources required (Ref: SA-2); and
c. Ensures that information security resources are available for expenditure as planned.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
PM-4  Plan of Action and Milestones Process
The HHS organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and documents the remedial information security actions to mitigate risk to organizational operations, assets, and individuals.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
PM-7  Enterprise Architecture
The HHS organization develops enterprise architecture with consideration for information security and the resulting risk to HHS operations, assets, and individuals.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
PM-9  Risk Management Strategy
The HHS organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, and individuals associated with the operation and use of information systems; and
b. Implements that strategy consistently across the HHS organization.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
PM-10  Security Authorization Process
The HHS organization:
a. Manages (i.e., documents, tracks, and reports) the security state of HHS information systems through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into the HHS-wide risk management program.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
SC-5  Denial of Service Protection
HHS information systems protect against or limit the effects of distributed denial of service (DDoS) attacks.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Deployment personnel are registered to receive updates to all HHS, e.g. web server, application servers, database servers.
- Also, if update notifications are provided for any custom developed software, deployment personnel should register for these updates as well.
Ref: Security Incident Management Plan.
Security Control Implementation Details:
SC-10  Network Disconnect
HHS information systems automatically terminate the network connection associated with a communications session at the end of the session or:
Additional Criteria:
{i} Forcibly de-allocate communications session Dynamic Host Configuration Protocol (DHCP) leases after seven (7) days; and
{ii} Forcibly disconnect inactive VPN connections after thirty (30) minutes of inactivity.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
SC-11  Trusted Path
HHS information systems establish a trusted communications path between the user and, at a minimum, the HHS authentication and re-authentication security functions.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
{i} Defined and approved security functions are listed in the system security plan.
Security Control Implementation Details:
SC-12  Cryptographic Key Establishment and Management
The HHS organization establishes and manages cryptographic keys for required cryptography employed within HHS information systems.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
SC-17  Public Key Infrastructure Certificates
The HHS organization issues public key certificates under an HHS Agency-defined certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
SC-18  Mobile Code
The HHS organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies (mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and VBScript);
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within HHS information systems.
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
[i] Mobile code is obtained from a trusted source and is designated as trusted. The mobile code is digitally signed, and the digital signature is properly validated by the client runtime environment prior to execution.
[ii] Unsigned mobile code operating in a constrained environment has no access to local operating system resources and does not attempt to establish network connections to servers other than the application server.
Security Control Implementation Details:
SC-32  Information System Partitioning
The HHS organization partitions HHS information systems into components residing in separate physical domains (or environments) as deemed necessary.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
AP-1  Authority to Collect
The HHS organization determines the legal authority that permits the collection, use, maintenance, and sharing of HHS Restricted and Confidential information in support of a specific program or information system need.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
Control ID: AP-2
Control Name: Purpose Specification
Description of Control:
The HHS organization describes the purposes for which HHS Restricted and Confidential information is collected, used, maintained, and shared in its privacy notices.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
Control ID: AR-1
Control Name: Governance and Privacy Program
Description of Control:
The HHS organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an Agency-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of HHS Restricted and Confidential information by programs and information systems;
b. Allocates an HHS Agency-defined allocation of budget and staffing resources to implement and operate the organization-wide privacy program;
c. Develops, disseminates, and implements privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving HHS Restricted and Confidential Information;
d. Develops a privacy plan for implementing applicable privacy controls, policies, and procedures; and
e. Updates the privacy plan, policies, and procedures as defined by the Agency.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
Control ID: AR-2
Control Name: Privacy Impact and Risk Assessment
Description of Control:
The HHS organization:
a. Establishes a privacy risk assessment process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, and use of personally identifiable information;
b. Conducts a Privacy Impact Assessment (PIA) for information systems and programs in accordance with Office of Management and Budget (OMB) policy and any existing organizational policies and procedures; and
c. Follows a documented, repeatable process for conducting, reviewing, and approving Privacy Impact Assessments.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
Control ID: DM-1
Control Name: Minimization of Personally Identifiable Information
Description of Control:
The HHS organization:
a. Identifies the minimum HHS Restricted and Confidential and Agency Internal information elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of HHS Restricted and Confidential information to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation and performs periodic evaluations of its holdings of HHS Restricted and Confidential information to ensure that only the HHS Restricted and Confidential Information and Agency Internal information identified in the notice is collected and retained, and that the HHS Restricted and Confidential Information continues to be necessary to accomplish the legally authorized purpose.
(1) Where feasible and within the limits of technology, the organization locates and removes or redacts specified HHS Restricted and Confidential Information and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
Control ID: DM-2
Control Name: Data Retention and Disposal
Description of Control:
The HHS organization:
a. Retains HHS Restricted and Confidential information for only as long as is necessary to fulfill the purpose(s) identified in the notice or as required by law;
b. Appropriately disposes of HHS Restricted and Confidential information when it is no longer necessary to retain it;
c. Systematically destroys, erases, and/or anonymizes the HHS Restricted and Confidential information regardless of the method of storage (e.g., electronic, optical media, or paper-based) in accordance with a National Archives and Records Administration (NARA) approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
d. Uses audits and appropriate technology to ensure secure deletion or destruction of HHS Restricted and Confidential Information (including originals, copies, and archived records).
Status: In Place / Partially in Place / Not in Place / N/A
Additional Criteria:
1. Audit Trail of Restricted Data should be archived for six (6) years.
2. Confidential log data should be archived for six (6) years.
Security Control Implementation Details:
Control ID: IP-4
Control Name: Complaint Management
Description of Control:
The HHS organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details:
Control ID: TR-1
Control Name: Privacy Notice
Description of Control:
The HHS organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of HHS Restricted and Confidential Information; (ii) authority for collecting HHS Restricted and Confidential Information; (iii) the choices, if any, individuals may have regarding how the organization uses HHS Restricted and Confidential Information and the consequences of exercising or not exercising those choices; and
b. Describes:
(i) the HHS Restricted and Confidential Information the organization collects and the purposes for which it collects that information;
(ii) how the organization uses HHS Restricted and Confidential Information internally;
(iii) whether the organization shares HHS Restricted and Confidential Information with external entities and the purposes for such sharing;
(iv) whether individuals have the ability to consent to specific uses or sharing of HHS Restricted and Confidential Information and how to exercise any such consent;
(v) how individuals may obtain access to HHS Restricted and Confidential Information for the purpose of having it amended or corrected, where appropriate; and
(vi) how the HHS Restricted and Confidential Information will be protected;
c. Revises its public notices to reflect changes in practice or policy that affect HHS Restricted and Confidential Information or changes in its activities that impact privacy; and
d. Ensures (e.g., through updated public notice) that individuals are aware of and, where feasible, consent to all uses of HHS Restricted and Confidential Information not initially described in the public notice that was in effect at the time the organization collected the HHS Restricted and Confidential Information.
(1) Each Agency provides real-time (i.e., at the point of collection) notice when it collects HHS Restricted and Confidential Information.
Status: In Place / Partially in Place / Not in Place / N/A
Security Control Implementation Details: