Appendix C Technical Requirements Worksheet

Appendix C, Technical Requirements Worksheet (A)
On Appendix C, Technical Requirements Worksheet (A), if your company has
delivered a project that contained any of the described IT Security Service(s) service
items within the past 36 months, record “Yes” in the response column.
If your company has not delivered a project that contained the described IT Security
Service(s) service item within the past 36 months, record “NA” in the response
column. The GTA is expecting to see either a “Yes” or an “NA” (Not Applicable)
response to each of the 13 IT Security Service(s) service item criteria.
APPENDIX C
TECHNICAL REQUIREMENTS WORKSHEET (A)
CATEGORY I
IT Program Security Services – Provided NIST-aligned security program management and planning activities
focused to support organizational mission objectives and enable IT security efforts toward compliance with
federal laws, executive orders, directives, policies, regulations, standards and guidance. These activities should
include development and evaluation of:
SERVICE ITEM(s)
SERVICE ITEM #1:
Information Security Program Planning – Project should have proactively planned for,
implemented and monitored for the appropriate information security management, culture,
processes and security controls that supported the business missions. The efforts should have been
structured to facilitate IT security management functions in a cost-effective manner, while
addressing evolving information security risks. The planning efforts goal should have been to
increase the level of maturity and effectiveness of the information security program.
Service activities should have included:
- Information security strategic planning
- Information security governance structure development/reviews
- Determination of roles and responsibilities
- Risk management activities
- Information security policy / standards / guidance development
- Security control reviews
- Personnel security
- Assessment of the security cultural environment
- Program and system documentation development
- Monitoring program overall effectiveness
SERVICE ITEM #2:
Security Awareness Training and Education – Project should have provided the workforce with the
information and tools needed to protect an organization’s vital information resources. The project
should have ensured personnel at all levels of the organization understand their information
security responsibilities, how to properly use and protect the information and resources entrusted
to them.
SERVICE ITEM #3:
Life Cycle Management Support – Project should have been directed to support efforts involving a
planning and governance framework to ensure that all investments in information technology are
evaluated and managed at specific points in their lifecycle to ensure that the investments meet the
business performance and security needs and expectations of the enterprise. Additionally, the Life
Cycle support services should have included experience employing an industry-accepted System
Development Life Cycle (SDLC), change control process and configuration management methodology.
SERVICE ITEM #4:
Incident and Emergency Response Planning – Project should have involved the planning efforts to
develop an incident response capability necessary for rapidly detecting incidents, minimizing loss
and destruction, mitigating the weaknesses that were exploited, and restoring computing services.
SERVICE ITEM #5:
Contingency and Disaster Response Planning – Project should have provided for the development
of interim measures to recover information system services after a disruption. Interim measures
may include relocation of information systems and operations to an alternate site, recovery of
information system functions using alternate equipment, or performance of information system
functions using manual methods.
Response column: Have you performed? (“YES” or “NA”)
CATEGORY II
IT System Security Services - Pre Operational - Provided FISMA Risk Management Framework aligned technical
security analysis, planning and engineering support up through the “deploy” stage of the “Enterprise Performance
Lifecycle”.
These support areas should have involved:
- Project conceptualization
- Proposal assessment
- System development or acquisition
- Deployment actions
The activities should have been structured to provide an appropriate security solution deliverable that addresses
the individual compliance and business needs of the entity. The activities may include:
SERVICE ITEM(s)
SERVICE ITEM #1:
System Security Planning – Project should have involved the development or revision of the system security
plan(s) that provided an overview of the security requirements of the system(s) and described the controls in
place or planned for meeting those requirements. The system security plan(s) should have also delineated
responsibilities and expected behavior of all individuals who access those system(s). The planning effort
should have required development of other key security-related documents or actions for the information
system such as:
- Risk assessment
- Boundary definitions
- Data categorization
- Security configuration checklists
- System interconnection agreements
The controls should have consisted mainly of controls described by NIST as part of the FISMA RMF. See
NIST Special Publication 800-18.
SERVICE ITEM #2:
System Security Plan Implementation – Project should have provided for the implementation of a
system’s security plan or implementation of additional security controls added to a prior version of
the system security plan. These controls should have been implemented as described in the system
security plan and in accordance with the FISMA RMF documentation available from NIST. Activities
and artifacts may have included, but were not limited to, system security control implementation,
security control configuration documentation, development of operational guides, project
planning, control gap analysis and tuning, development of Plans of Actions and Milestones, etc.
SERVICE ITEM #3:
SDLC Application Development Reviews – Project should have performed analysis and/or reviews of either
the development process or the final artifact of an SDLC effort to ensure that security design, secure coding
practices and application testing are performed prior to application(s) being placed into a production
environment. Best industry practices and tools should have been utilized to study and evaluate the process
efforts and product artifact so that the review accurately assessed the risks/issues and their potential
effects. Activities and artifacts should have encompassed all SDLC phases such as:
- Initiation
- Development/acquisition
- Implementation/assessment
- Operations/maintenance
- Disposal
- White or black box testing
- Process review
- Development / review of security architecture documentation
SERVICE ITEM #4:
Pre-Operational Security Assessments – Project should have provided a point in time security
assessment of a systems security posture, from a “pre-production” basis, of the system’s security
controls using appropriate tools and procedures to determine the extent to which the planned
controls were implemented correctly, operated as intended, and produced the desired outcome
with respect to meeting the security requirements for the system.
Activities and artifacts may have included, but were not limited to:
- Data categorization
- Security control selection
- Initial control baseline determination
- Penetration testing
- Control tailoring
- Supplementation
- Assessment reporting
Delivery should have included reporting and recommendation objectives for the target system so as
to improve the organization overall security posture before being placed into the production
environment. The assessment reporting should have been based on FISMA documentation.
CATEGORY III
IT System Security Services – Operational – Provided FISMA Risk Management Framework aligned technical
security analysis, planning and engineering support within the “operations and disposition” stages of the
“Enterprise Performance Lifecycle”. These support areas should have involved:
- Acquisitions
- Installations
- Upgrades
- Event monitoring/analysis
- Assessments that report about the effectiveness of the deployed security controls in the information system
The activities should have been structured to provide an appropriate security solution deliverable that addresses
the individual compliance and business needs of the entity. The activities should have included:
SERVICE ITEM(s)
SERVICE ITEM #1:
Security Services and Products Acquisition – Project should have provided appropriate business
owners and stakeholders with analytics, utilizing best practice methodologies, to
determine the most advantageous solution that addressed the declared business objective(s) and
requirement(s) for a proposed security solution. Actions toward planning, staging, installation
and/or modification should have ensured that advanced technology security products and services
were selected and used appropriately within the organization’s overall security environment.
Actions should have included providing analysis to identify potential or existing assets as well as
the risks to those assets, to estimate the likelihood of security failures, and to identify and
recommend appropriate controls for protecting those assets and resources based on the entity
business objectives and security plan(s). Activities and artifacts may have included, but were not
limited to:
- Performing asset inventories
- Identification of critical security services/functions gaps
- Risk analysis
- Development and articulation of rational justifications for security project approval
- Development of service level arrangements
- Project planning for integration or transition efforts for the desired future security implementation
- Security control identification
- Product or service acquisitions
- Installations or upgrades
SERVICE ITEM #2:
Operational Security Assessments – Project should have provided a point in time assessment, from
an “operational” environment basis, of a system’s security controls using appropriate tools and
procedures to determine the extent to which the client’s current controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to meeting the
security requirements for the system. The assessment process should have included documenting
any changes to the system or environment since implementation, conducting security impact analyses,
determining whether control modifications are necessary due to changes in data categorization or
governing control requirements, and documenting/reporting the results to the appropriate security
officials. Additionally, the service should have included the development of recommendations to
guide management with risk-based, prioritized remedial actions to address the gaps identified in the
security environment. The assessment reporting should have utilized reporting template forms
based on FISMA documentation.
SERVICE ITEM #3:
Security Incident and Event Monitoring – Project should have provided services directed toward
establishment, review and recommendations of mechanisms and processes that were structured to
automatically collect, aggregate, correlate and filter security event information from key points
across the network and thus assist in providing for both automated and human analysis
functionality concerning anomalous or potentially damaging security events. These actions should
have been leveraged to provide better response and reporting capabilities and thus assist with
compliance with regulatory requirements. Activities and artifacts may have included, but were not
limited to:
- Implementation or review of the entity monitoring program
- Historical event data collection
- Log management reviews
- Trend analysis
- Establishment of measurements and metrics
- Acquisition/implementation of security appliances
- Periodic reporting
SERVICE ITEM #4:
Security Operations Management Reviews – Project should have provided evaluation of whether
organizational operational procedures and resource efforts impacting the enterprise security
posture were applied and functioning appropriately to achieve organizational and compliance
objectives. These actions should have been leveraged to provide better management, response and
reporting capabilities and thus assist with compliance with regulatory requirements. Activities and
artifacts in this area may have included, but were not limited to, reviews and recommendations
concerning:
- Patch management
- System backup/recovery
- Identity provisioning
- Access control
- System monitoring
- Logging
Have you
performed?
(“YES” or “NA”)
APPENDIX C
TECHNICAL REQUIREMENTS WORKSHEET (B)
INSTRUCTIONS: Record requested information about each company that received a “Yes” in Appendix C, Technical
Requirements Worksheet (A).
For each service item listed below, record: Company Name; Project Name; Company Address; Point of Contact (Name/Email).

CATEGORY I – IT Program Security Services
- Information Security Program Planning
- Security Awareness Training and Education
- Life Cycle Management Support
- Incident and Emergency Response Planning
- Contingency and Disaster Response Planning

CATEGORY II – IT System Security Services – Pre Operational
- System Security Planning
- System Security Plan Implementation
- SDLC Application Development Reviews
- Pre-Operational Security Assessments

CATEGORY III – IT System Security Services – Operational
- Security Services and Products Acquisition
- Operational Security Assessments
- Security Incident & Event Monitoring
- Security Operations Management Reviews