Professional Documents
Culture Documents
COMMONWEALTH OF VIRGINIA
i
IT Security Risk Management Guideline ITRM Guideline SEC506-01
PREFACE
Publication Designation procedures, and standards to protect the
confidentiality, integrity, and availability of the
ITRM IT Risk Management Commonwealth of Virginias IT systems and
Guideline SEC506-01 data.
Scope Definitions
This Guideline is offered as guidance to all
Executive Branch State Agencies and institutions Agency All Executive Branch State Agencies and
of higher education (collectively referred to as institutions of higher education that manage,
Agency) that manage, develop, purchase, and develop, purchase, and use IT resources in the
use information technology (IT) resources in the Commonwealth of Virginia (COV).
Commonwealth.
Agency Control - If an Agency is the Data
Purpose Owner of the data contained in a Government
To guide Agencies in the implementation of the database, that Agency controls the Government
information technology risk management database.
requirements defined by ITRM Standard
SEC501-01, Section 2. Audit scope - The boundaries of an audit,
including definition of what will and will not be
General Responsibilities considered within the audit.
(Italics indicate quote from the Code of Virginia)
BIA - Business Impact Analysis The process of
Chief Information Officer determining the potential consequences of a
In accordance with Code of Virginia 2.2-2009, disruption or degradation of business functions.
the Chief Information Officer (CIO) is assigned
the following duties: the CIO shall direct the COOP Continuity of Operations Plan A set
development of policies, procedures and of documented procedures developed to provide
standards for assessing security risks, for the continuance of essential business
determining the appropriate security measures functions during an emergency.
and performing security audits of government
databases and data communications. At a CISO - Chief Information Security Officer The
minimum, these policies, procedures, and CISO is the senior management official
standards shall address the scope of security designated by the CIO of the Commonwealth to
audits and which public bodies are authorized to develop Information Security policies,
conduct security audits. procedures, and standards to protect the
confidentiality, integrity, and availability of COV
Chief Information Security Officer IT systems and data.
The Chief Information Officer (CIO) has
designated the Chief Information Security Officer Data - Data consists of a series of facts or
(CISO) to develop Information Security policies, statements that have been collected, stored,
ii
IT Security Risk Management Guideline ITRM Guideline SEC506-01
processed and/or manipulated but have not been ISO Information Security Officer - The
organized or placed into context. When data is individual who is responsible for the
organized, it becomes information. Information development, implementation, oversight, and
can be processed and used to draw generalized maintenance of the Agencys IT security
conclusions or knowledge program.
iii
IT Security Risk Management Guideline ITRM Guideline SEC506-01
iv
IT Security Risk Management Guideline ITRM Guideline SEC506-01
TABLE OF CONTENTS
1 INTRODUCTION ........................................................................................................ 1
v
IT Security Risk Management Guideline ITRM Guideline SEC506-01
8 APPENDICES ............................................................................................................. 21
FIGURES
TABLES
Table 1 IT Security Roles and Responsibilities .................................................................. 4
Table 2 IT Security Standard BIA Requirements Cross Walk to COOP Manual .............. 7
Table 3 Classification Matrix Illustration ......................................................................... 10
vi
IT Risk Management Guideline ITRM Guideline SEC506-01
1 Introduction
1.1 Overview
In order to provide overall Information Technology (IT) security that is cost-effective and
risk based, IT Risk Management must be a part of an agencys comprehensive risk
management program. This Guideline presents a methodology for IT Risk Management
suitable for supporting the requirements of the Commonwealth of Virginia (COV)
Information Technology Resource Management (ITRM) Information Technology Security
Policy (ITRM Policy SEC500-02), the COV ITRM Information Technology Security
Standard (ITRM Standard SEC501-01), and the COV ITRM Information Technology
Security Audit Standard (ITRM Standard SEC502-00). These documents are hereinafter
referred to as the Policy, Standard and Audit Standard, respectively.
The function of the Policy is to define the overall COV IT security program, while the
Standard and the Audit Standard define high-level COV IT security and security audit
requirements, respectively. This Guideline describes methodologies agencies may use in
implementing the risk management requirements of the Policy, the Standard and the Audit
Standard. In this Guideline, the methodologies are presented in the same order as
presented in Section 2 Risk Management of the Standard.
1
IT Risk Management Guideline ITRM Guideline SEC506-01
No
Process Start
Has Major
Assign Agency System
ISO Change
Normal Operation/
Occurred or
Annual Self-
has three years
Assessment
elapsed since
Conduct Agency
last Risk
Business Impact
Assessment? Develop and
Analysis
Implement
Corrective Action
Document & Risk Management Activities Plan and Accept
Residual Risk
Characterize Data
Types
Yes
Classify IT System Conduct IT
and Data Security Audit
Sensitivity
Apply Additional IT
Inventory and
Assign Security Security Controls
Is IT System or Define Systems Conduct Formal
Yes Roles for IT Based on Risk
Data Sensitive? and Determine Risk Assessment
System Assessment
System Ownership
Results
No
Conduct informal
risk analysis and
apply additional
security controls,
as required Based on Risk
Assessment
results, apply
appropriate
additional
IT Contingency Logical Access
IT Systems Security controls in
Planning Control
these areas.
Apply
appropriate
additional
controls from
Data Protection Facilities Security Personnel Security
these areas, as
required.
IT Asset
Threat Management
Management
2
IT Risk Management Guideline ITRM Guideline SEC506-01
The Policy requires Agency Heads to designate an ISO, and strongly encourages
the Agency Head to designate at least a backup ISO. To the extent practical,
Agency Heads and ISOs are encouraged to assign a different person to each IT
Security role. All security roles must be documented in the position description of
the individual assigned to the role.
In smaller agencies, assigning a different person to each IT Security role may not
be practical. In such cases, agencies should consider solutions such as having a
single individual fulfill the role of ISO for several agencies, where practical.
Agencies are encouraged to go beyond the requirements of the Policy and Standard
in assigning IT Security roles, where appropriate. For example, in cases where
responsibilities for applications and infrastructure are divided, agencies are
encouraged to designate two System Administrators, one with responsibility for
applications security and one with responsibility for infrastructure security of the
IT system.
Table 1, which begins on the next page, delineates each IT security role, the
individual responsible for assigning the role, and role requirements, recommended
qualifications, and responsibilities. Appendix A is a sample template for defining
Agency IT security roles and responsibilities. System-specific roles (System
Owner, Data Owner, System Administrator, and Data Custodian) should be
documented in the System Inventory and Definition document for each IT system.
(See Section 5 and Appendix B.).
3
IT Risk Management Guideline ITRM Guideline SEC506-01
Role
Designated Role Recommended Responsibilities
By Requirements Qualifications
Agency Governor Defined by Defined by Oversee Agency IT security
Head or Board, Governor or Governor or program.
as defined Board, as Board, as Designate ISO
by statute defined by defined by Designate or delegate other
statute statute Agency IT security roles
Review BIA, RA, COOP
Review IT Security Audit
Plan & results of IT security
audits
Monitor Corrective Action
Plans (CAPs)
Report incidents that
threaten the security of
databases & data
communications
ISO Agency Must be a In-depth Overall security of Agency
Head COV knowledge of IT systems & liaison to the
employee systems CISO of the Commonwealth
Must not be a owned & of Develop/maintain IT
system or Agencys security program as defined
data owner overall by Policy, Standard, and
Should not business Audit Standard.
exercise (or In-depth Assign (unless Agency
report to an knowledge of Head assigns) other Agency
individual Agencys IT IT security roles
who exercises) and operating
operational IT environment &
or IT security requirements
application or Security
infrastructure Certifications1
responsibilitie
s
Privacy Agency At Agency In-depth Only mandatory if required
Officer Head Heads/ ISOs knowledge of by law or regulation
/ISO discretion system owned Responsibilities otherwise
& of Agencys exercised by ISO
overall business Provide guidance on
In-depth privacy laws:
knowledge of Disclosure of &
1
IT Security certifications include Certified Information Systems Security Professional (CISSP), Certified
Information Security Manager (CISM), and Certified Information Security Auditor (CISA), among others.
4
IT Risk Management Guideline ITRM Guideline SEC506-01
5
IT Risk Management Guideline ITRM Guideline SEC506-01
6
IT Risk Management Guideline ITRM Guideline SEC506-01
7
IT Risk Management Guideline ITRM Guideline SEC506-01
8
IT Risk Management Guideline ITRM Guideline SEC506-01
Following is one method for classifying the sensitivity of IT systems and data.
9
IT Risk Management Guideline ITRM Guideline SEC506-01
Type of Sensitivity
Data Confidentiality Integrity Availability
Current Low High Moderate
Year Budget Data is public BFS is system of record Data is used less
Details information for fiscal year budget than daily by all
data for all COV COV Agencies
Agencies to allocate
resources
Future Year High Moderate Low/High
Budget Release of the data BFS is system of record Low during
Plans before it is final for future year budget most of year;
could be damaging plans for all COV high during
to COV and its Agencies budget
Agencies preparation
Agency Low Low Low
Contact Data is public BFS is not the system of Data is
Information information record for this available from
information other sources
If the level of impact on any of the criteria is rated high, the data and IT systems
that store, process or transmit it are classified as sensitive. Agencies are strongly
encouraged to classify IT systems as sensitive if a type of data handled by the IT
system has a sensitivity of moderate on any of the criteria of confidentiality,
integrity or availability.
As an example, personal contact information includes data that could be used in
identity theft or to target individuals for other crimes. A compromise of this
information could impact the agencys credibility to a point where it would be
difficult to execute its mission. In this case, a compromise of confidentiality is
rated high.
10
IT Risk Management Guideline ITRM Guideline SEC506-01
5.2.1 Definition
Initially, in order to begin the definition process, some assumptions concerning the
IT system boundaries have to be made. In general, and to the extent practical, each
IT system supports a single major business function. For example, an agency e-
mail system supports the major business function of communication, even though
it is used by multiple different functional areas within the agency. The IT system
11
IT Risk Management Guideline ITRM Guideline SEC506-01
definition should include the characteristics that will help determine IT system
ownership and the IT system boundaries. These characteristics include:
major business function supported;
IT system interfaces;
ownership characteristics (e.g. wholly owned, leased, managed service contract,
etc.);
determination of data and IT system sensitivity - data is a component of an IT
system; if data is sensitive, the IT system is sensitive; and
IT Security Roles, including System Owner, Data Owner, System Administrator,
and Data Custodian.
Exceptions to the general case in which each IT system supports a single major
business function include systems that support multiple other systems (support
systems) such as mainframe computers, enterprise networks, and general controls.
These support systems should be separately defined, assessed for risk and included
in IT Security Audits. The Risk Management activities conducted for the support
systems can then be relied upon in the Risk Management activities for the IT
systems they support.
12
IT Risk Management Guideline ITRM Guideline SEC506-01
In most cases, it will be clear that a given agency is the owner of an IT system for
IT security purposes. In these cases, the Agency Head or ISO, if appropriate,
designates the System Owner. In cases where more than one agency claims the IT
system, the agencies either negotiate who will be the owner for IT security
purposes and designate the System Owner or request the CIO of the
Commonwealth make the determination, as illustrated by the process map in
Figure 3.
No
Yes
No
Figure 3 IT System Ownership Selection Process
13
IT Risk Management Guideline ITRM Guideline SEC506-01
The owner of each IT system and the owners of the data handled by each system
must agree on the boundaries between or among the systems, so that all
components are the responsibility of someone, and no components are covered
more than once. IT system boundaries should be based on non-arbitrary
characteristics, such as funding boundaries, functional boundaries, physical gaps,
contractual boundaries, operational boundaries, and transfer of information
custody.
2) if the IT system does not support a single major business function or does not
have a single System Owner, break it up into smaller IT systems, unless the IT
system is a support system such as a mainframe computer, an enterprise network
or general security controls;
14
IT Risk Management Guideline ITRM Guideline SEC506-01
No
The ISA describes the IT systems being connected, the nature of the sensitive
information and it delineates a simple agreement that each interconnected IT
system will implement controls in accordance with the risk assessments of both IT
systems.
For connections between IT systems that are owned by a common System Owner,
the System Owner should describe the IT systems being connected and the nature
of the sensitive information. A formal, signed agreement, however, is not required
for connections between IT systems that are owned by a common System Owner.
5.2.5 Documentation
After the definition of IT systems is complete, it is important to document clearly
the extent and limits of each IT system in order to provide security that is risk-
based and cost-effective to each system. To meet this need, each sensitive IT
System requires a formal definition document that includes:
the full name of the IT system, any acronym that it uses, any other system
designator or identifier and the purpose of the system;
the Agency that owns the IT system, including
15
IT Risk Management Guideline ITRM Guideline SEC506-01
6 6 Risk Assessment
6.1 Overview
To meet the requirements of the Standard, each agency-owned IT system classified
as sensitive must have a Risk Assessment (RA). RA is the process of identifying
vulnerabilities, threats, likelihood of occurrence, and potential loss or impact.
RA of sensitive IT systems and data:
protects against threats that are most likely to occur and have the potential
to cause the greatest damage;
assists in identifying security controls that most effectively protect
confidentiality, integrity, and availability of agency IT systems and the
information they process; and
helps organizations evaluate the type and level of risks and develop
security requirements and specifications.
Results are used to evaluate the type and level of risks and to develop security
requirements and specifications. Organizations use RA to determine the overall
vulnerability of their sensitive IT systems and data to threats.
In order to provide risk-based and cost-effective controls for sensitive IT systems
and data, it is necessary to protect against threats that are most likely to occur and
have the potential to cause the greatest damage. RA of sensitive agency IT systems
and data assists in identifying security controls that most effectively protect
confidentiality, integrity, and availability of agency IT systems and the information
they process.
This Guideline recommends one method to prepare a RA appropriate to sensitivity
of the assessed IT resources. The Risk Assessment Template provided in
Appendix D (under separate cover due to its length) contains definitions and
instructions for assessing risk and documenting results using this method.
16
IT Risk Management Guideline ITRM Guideline SEC506-01
Minor changes that may not require a new risk assessment include such events as
the replacement of existing hardware with similar hardware when capacity does not
significantly change; the addition of two or three workstations on a network; or
small modifications to an application program (e.g., a change in table headings).
6.2.2 Performance
The Risk Assessment Instructions (Appendix D, published separately due to its
length) may be used to perform and document agency risk assessments. These
instructions include explanations for participants, analysis techniques and
methodologies. Agencies may select another RA methodology to meet specific
agency requirements.
7 IT Security Audits
7.1 Overview
IT Security Audits are vital to governance and control of enterprise information
assets. This Guideline prescribes actions to enhance Commonwealth security by
defining the process for performing IT Security Audits
17
IT Risk Management Guideline ITRM Guideline SEC506-01
18
IT Risk Management Guideline ITRM Guideline SEC506-01
In planning IT Security Audits, and in developing its plan, each agency should
consider audits already scheduled or underway and not duplicate audits solely for
the purposes of complying with the Audit Standard. Each agency must document
Audits already scheduled or underway in its plan.
If any agency has engaged a firm to assist in documenting its security program,
policies or procedures, it shall not engage the same firm to conduct the IT Security
Audits.
Each IT Security Audit should assess the overall effectiveness of the IT system
controls and measure compliance with the Policy, Standard and any other
applicable laws, regulations, policies or procedures. The audit should evaluate
19
IT Risk Management Guideline ITRM Guideline SEC506-01
whether the controls in place provide protection of the IT system and data that is
commensurate with sensitivity and risk.
The agency may select to create the required report by compiling all CAPs for
audits completed in the previous quarter and audits previously completed with
20
IT Risk Management Guideline ITRM Guideline SEC506-01
An example of a Corrective Action Plan report and a blank template are contained
in Appendix F.
The CISO uses the report along with reports from other agencies, to understand the
overall information security posture and readiness of Executive Branch Agencies.
This understanding assists the CISO in developing and improving Commonwealth
information security policies, standards and guidelines.
8 8 Appendices
These Appendices provide examples and templates that agencies may use to
document their use of many of the methodologies described in this Guideline. Each
template consists of an example of the document completed with fictional
information and a blank version of the template for use by COV agencies.
The examples use different fonts for instructions and example information, as
follows.
21
IT Risk Management Guideline ITRM Guideline SEC506-01
22
IT Risk Management Guideline ITRM Guideline SEC506-01
23
IT Risk Management Guideline ITRM Guideline SEC506-01
24
IT Risk Management Guideline ITRM Guideline SEC506-01
25
IT Risk Management Guideline ITRM Guideline SEC506-01
26
IT Risk Management Guideline ITRM Guideline SEC506-01
27
IT Risk Management Guideline ITRM Guideline SEC506-01
28
IT Risk Management Guideline ITRM Guideline SEC506-01
Memorandum of Understanding
This ISA shall remain in force until June 30, 2007 unless jointly re-accomplished by the
ISOs.
29
IT Risk Management Guideline ITRM Guideline SEC506-01
30
IT Risk Management Guideline ITRM Guideline SEC506-01
Memorandum of Understanding
________
This ISA shall remain in force until ______________________ unless jointly re-
accomplished by the ISOs.
Date
Date
31
IT Risk Management Guideline ITRM Guideline SEC506-01
Please note: this Appendix is large and is published under separate cover.
32
IT Risk Management Guideline ITRM Guideline SEC506-01
PURPOSE: This Plan coordinates the execution of security audits for the IT systems
supporting government databases (as defined by ITRM Standard SEC502-00).
All IT Security Audits must evaluate overall effectiveness of controls, as well as compliance with the IT Security
Policy (ITRM Policy SEC500-02), Standard (ITRM Standard SEC501-01), and any other applicable laws, regulations,
policies, or procedures. Use this column to indicate any audit areas that require special attention or any additional audit
requirements.
33
IT Risk Management Guideline ITRM Guideline SEC506-01
All IT Security Audits must evaluate overall effectiveness of controls, as well as compliance with the IT Security
Policy (ITRM Policy SEC500-02), Standard (ITRM Standard SEC501-01), and any other applicable laws, regulations,
policies, or procedures. Use this column to indicate any audit areas that require special attention or any additional audit
requirements.
34
IT Risk Management Guideline ITRM Guideline SEC506-01
PURPOSE: This Plan describes IT Security Audit findings; documents responsibility for addressing the findings; and describes
progress towards addressing the findings. Provide enough information to enable the reader to understand the nature of the finding, the
impacts, and the planned remedy.
IT Security Audit Quarterly Summary
Audit Name: Budget Formulation System (BFS) BFA-001; Issued 03/08
Audit Short Title Summary Risk Responsible Status Status Concurs: Planned Action &
Finding No. Person(s) and Date Status
& Agency Due Date Does Not Concur: Mitigating
Concurrence Controls & Risk Acceptance
1 Develop Policy BFA should Compromise John James U 9/15/08 Policies and procedures have
BFA Concurs for Storage of develop and of confiden- 09/08 been developed;
Sensitive BFS enforce policies tiality of BFS implementation is underway
Data on Mobile and procedures data and will be completed this
Devices requiring Agency month.
Head approval for
storage of sensitive
BFS data on mobile
devices, including
employee laptops,
USB drives, CDs,
and DVDs.
2 Enforce BFA BFA should Compromise Bill Michaels U 09/15/08 Procedures for removal of
BFA Concurs Account enforce existing of confiden- Michael unneeded BFS accounts are
Management Agency procedures tiality and Williams now being enforced; review of
Procedures for to remove integrity of 09/08 all BFS accounts to identify and
BFS unneeded accounts BFS data remove unneeded accounts is
from BFS. underway and will be
completed this month.
35
IT Risk Management Guideline ITRM Guideline SEC506-01
Audit Short Title Summary Risk Responsible Status Status Concurs: Planned Action &
Finding No. Person(s) and Date Status
& Agency Due Date Does Not Concur: Mitigating
Concurrence Controls & Risk Acceptance
3 Enforce BFA should John James C 09/15/08 BFS has been reconfigured to
BFA Concurs Password enforce existing 09/08 require password changes
Change Agency every 90 days.
Requirements requirements for
on BFS password changes
every 90 days on
BFS
Audit Short Title Summary Risk Responsible Status Status Concurs: Planned Action &
Finding No. Person(s) and Date Status
& Agency Due Date Does Not Concur: Mitigating
Concurrence Controls & Risk Acceptance
1 Require BCS BFA should Compromise John Davis NS N/A BFA believes that screening
BFA Does Users to enforce policies of confiden- during hiring process
Not Concur Complete and procedures tiality, integri- sufficiently mitigates the risk of
Background requiring BCS ty, or availa- giving users access to BCS
Checks Before users to complete bility of BFS while background checks are
Receiving BCS criminal back- data underway.
Access ground checks
before receiving
access to the BCS,
due to the sensitiv-
ity of BCS data
36
IT Risk Management Guideline ITRM Guideline SEC506-01
37