It is important to ensure that adequate security controls have been implemented. See also Authorize Processing, Certification, and Designated Approving Authority. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. A vulnerability analysis identifies, evaluates, and reports security vulnerabilities in a system or application. This publication assists organizations in understanding the purpose, process, and format of information system contingency planning development through practical, real-world guidelines.
For example, small organizations tend to have more control within their environment. This guidance document provides background information on interrelationships between information system contingency planning and other types of security and emergency management-related contingency plans, organizational resiliency, and the system development life cycle. High Impact: Threat results in unavailability, modification, disclosure, or destruction of valued data or other system assets or loss of system services that is unacceptable due to the resulting significant degradation of mission or possible injury to persons. An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. Such assessments are important because they help make certain that all threats and vulnerabilities are identified and considered, that the greatest risks are identified, and that appropriate decisions are made regarding which risks to accept and which to mitigate through security controls.
When assessing a system that is in a phase other than Initiation, provisions should be made for those products and activities that may be missing. Security plans and other system documentation must be updated when security architectural changes take place. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes. The security measures implemented to reduce risk will vary among organizations. Security requirements are then mapped against the results of security tests on the infrastructure.
Supplemental Guidance: Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans. Such weaknesses may be identified by auditors or by management. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure. During this phase, the system is modified and hardware and software changes take place. Since the protection requirements for more sensitive or highly classified levels of data usually encompass those of lower levels, one approach is to treat all data on the system as if it were of a sensitivity or classification of the highest level existing on the system. Availability - The security goal that generates the requirement for protection against intentional or accidental attempts to (1) perform unauthorized deletion of data or (2) otherwise cause a denial of service or data and unauthorized use of system resources. There is a great inter-dependency between the three processes.
Electronic media includes a single workstation as well as complex networks connected between multiple locations. One of the advantages of analyzing allowable downtime and recovery objectives is the potential support it may provide for the funding needs of a specific recovery solution based on the losses identified and the importance of certain business functions and processes. Unintentional errors and omissions. Organizational program protection plans can provide assistance in identifying critical assets. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system's security impact level and recovery requirements. The primary source of the business case information should be the System Owner, but secondary information may be obtained through system documents. Low: The threat-source lacks motivation or capability, security controls are in place to prevent successful exploitation of the threat, or significantly impede threat capability.
A successful exercise of a vulnerability results in a reduction in the grounds for confidence in the system. Figure 7 discusses roles and activities in this phase. Procedures - are contained in a management issued document that focuses on the security control areas and management's position. Learn the fundamentals of developing a risk management program from the man who wrote the book on the topic: Ron Ross, computer scientist for the National Institute of Standards and Technology. In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. The work flow analysis should be a dynamic process that identifies the interdependencies between critical operations, departments, personnel, and services. The result of performing these seven steps is a formal business impact analysis, which is used in conjunction with the risk assessment analysis to develop mitigation strategies discussed in Chapter 5.
Moderate: The threat-source exists, but countermeasures are in place that will impede successful exercise of the vulnerability. Other documents, such as previous assessments and recent vulnerability scan reports, will also provide further insight and assistance in performing the assessment. A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation. For example, if the Probability of Threat Occurrence, for a specific threat, is Moderate and the Impact is High Impact, the overall Level of Risk for that threat is Moderate. Some covered entities may perform these processes annually or as needed e. Agency Agency, Office, Bureau, Service, etc.
Formally, the revised standard is known as Special Publication 800-34, Revision 1. Users may be from the same or different organizations. Individual Accountability - Requires individual users to be held accountable for their actions after being notified of the rules of behavior in the use of the system and the penalties associated with the violation of those rules. Accreditation is synonymous with the term authorize processing. One of the final steps in the threat analysis is to determine the probability of a threat occurrence or that a vulnerability will be exploited. Technical Controls - Those hardware and software controls used to provide automated protection to the system or applications.