Agency IT Security Plan (ITSP), Version 1.1, May 2014
Authorizing Official: Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
Availability: Ensuring timely and reliable access to and use of information.
Common Security Control: Security control that can be applied to one or more agency information systems and has the following properties: (i) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and (ii) the results from the assessment of the control can be used to support the security certification and accreditation processes of an agency information system where that control has been applied.
High Impact System: An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.
Information Security Policy: Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.
Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Information System Owner: Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
Mobile Code: Software programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient.
Information Technology Security Plan (ITSP) for <insert Agency System Name>
Name
Title
Telephone Number
Email address
3. Agency Information Security Officer or Security Plan Point of Contact Name and Contact Information: Insert the name of the individual who is the Agency's point of contact for security-related matters. This individual is responsible for ensuring the accuracy of the security-related information submitted with the ITSP.
Name
4. ITSP Approved By: Provide the name, title and contact information of the Agency Executive Sponsor.
Name
Title
Telephone Number
Email address
5. Plan Date: Provide the date the plan was approved by the Agency Executive Sponsor.
[For more clarifying information refer to Section 2.1 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
[For more clarifying information refer to Section 3.0 of the MD ISP.]
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
20. Does your agency document and maintain an inventory of the important assets associated with each information system?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Compliant - See attached C&A documents)
Yes (Compliant - Description is provided below)
No (Steps to become compliant are provided below)
[For more clarifying information refer to Section 3.0 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
System Security Categorization Policy
30. Has your agency assigned security category levels for all information systems?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)
[For more clarifying information refer to Section 3.2 of the MD ISP.]
Security Control Requirements
32. Has your agency ensured that all information systems (hosted on a State network or a 3rd Party offsite premise) used for receiving, processing, storing and transmitting confidential information are protected in accordance with requirements identified in this section of the MD ISP?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)
[For more clarifying information refer to Section 3.3 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all information systems (hosted on a State network or a 3rd Party offsite premise) used for receiving, processing, storing and transmitting confidential information are protected in accordance with requirements identified in this section of the MD ISP.
<insert description here>
Security Assessment & Authorization
35. Has the agency certified and accredited all IT systems and sites
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Planning
40. Has the agency developed, documented, and established a system security plan, describing the security requirements, current controls and planned controls, for protecting agency information systems and confidential information?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
Service Interface Agreements (SIA)
43. Are agencies' IT systems with Service Interface Agreements in
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Operational Level Controls
44. Does your agency ensure all information system users and managers are knowledgeable of security awareness material before authorizing access to systems?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)
[For more clarifying information refer to Section 6.0 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all information system users and managers are knowledgeable of security awareness material before authorizing access to systems.
<insert description here>
Maintenance
54. Does the agency identify, approve, control, and routinely monitor the use of information system maintenance tools and remotely executed maintenance and diagnostic activities?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)
[For more clarifying information refer to Section 6.4 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency identifies, approves, controls, and routinely monitors the use of information system maintenance tools and remotely executed maintenance and diagnostic activities.
Technical Level Controls
83. Does the agency manage user accounts, including activation, deactivation, changes and audits?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)
[For more clarifying information refer to Section 7 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
[For more clarifying information refer to Section 7 of the MD ISP.] If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP. <insert statement here>
[For more clarifying information refer to Section 7 of the MD ISP.] If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP. <insert statement here>
[For more clarifying information refer to Section 7 of the MD ISP.] If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP. <insert statement here>
Audit & Accountability Control Requirements
112. Does the agency ensure that information systems generate audit records for all security-relevant events, including all security and system administrator accesses?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)
[For more clarifying information refer to Section 7.1 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems generate audit records for all security-relevant events, including all security and system administrator accesses.
<insert description here>
[For more clarifying information refer to Section 7.1 of the MD ISP.] If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP. <insert statement here>
[For more clarifying information refer to Section 7.1 of the MD ISP.] If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP. <insert statement here>
Identification & Authorization Control Requirements
125. Does the agency ensure information systems are configured to uniquely identify users, devices, and processes via the assignment of unique user accounts and validate users (or processes acting on behalf of users) using standard authentication methods such as passwords, tokens, smart cards, or biometrics?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)
[For more clarifying information refer to Section 7.2 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems are configured to uniquely identify users, devices, and processes via the assignment of unique user accounts and validate users (or processes acting on behalf of users) using standard authentication methods such as passwords, tokens, smart cards, or biometrics.
[For more clarifying information refer to Section 7.2 of the MD ISP.]
System & Communications Control Requirements
130. Does the agency ensure information systems separate front end interfaces from back end processing and data storage?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)
[For more clarifying information refer to Section 7.3 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
[For more clarifying information refer to Section 7.3 of the MD ISP.] If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP. <insert statement here>
Virtualization Technologies
138. Does the agency ensure that the virtual environment is as secure as a non-virtualized environment and in compliance with all relevant state and/or agency policies?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)
[For more clarifying information refer to Section 8 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that the virtual environment is as secure as a non-virtualized environment and in compliance with all relevant state and/or agency policies.
<insert description here>
Cloud Computing Technologies
140. If the agency has or plans on using a cloud-based solution for processing, transmitting or storing confidential information, has the agency implemented security controls to ensure that compliance and auditing requirements are met as stated in the ISP policy in addition to any Federal regulations that may apply?
Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)
[For more clarifying information refer to Section 9 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe what security controls your agency has implemented to ensure that compliance and auditing requirements are met as stated in the ISP policy in addition to any Federal regulations that may apply.
<insert description here>
If No, your agency is not compliant with this section
[For more clarifying information refer to Section 10 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
142. If you answered Yes and the information cannot be found in the system C&A documents, describe the steps your agency has taken to educate users about their responsibility for protecting and securing mobile devices as outlined in the MD ISP.
<insert description here>
[For more clarifying information refer to Section 12 of the MD ISP.]
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
Information assets: databases and data files, system documentation, user manuals, training material, operational or support procedures, disaster recovery plans, archived information;
Software assets: application software, system software, development tools and utilities;
Physical assets: computer equipment (processors, monitors, laptops, portable devices, tablets, smartphones, modems), communication equipment (routers, PBXs, fax machines, answering machines), magnetic media (tapes and disks), other technical equipment (uninterruptible power supplies, air conditioning units), furniture, accommodation; and
Services: computing and communications services, general utilities, e.g. heating, lighting, power, air-conditioning.
A complete inventory shall include a unique system name, a system owner, a security classification and a
description of the physical location of the asset. See the MD ISP for all system security inventory requirements.
Inventory table columns: Number | Unique Name of information system containing PII | System Owner (Name and Title) | Security Classification (Public, Confidential) | Description of the Business Service the System Supports | Date of Most Recent System Authorization (ex. C&A, IV&V, Authorization to Operate, etc.) | Location of System (Include externally hosted systems as well as assets containing system backups)
Glossary terms: Vulnerability Assessment; Vulnerability; User; Technical Controls; System Security Plan; Security Requirements; Security Control Baseline; Safeguards; Risk Management; Risk Assessment; Risk; Remote Maintenance; Remote Access; Plan of Action and Milestones.