Information System Security Officer (ISSO) Guide


Information System Security Officer (ISSO) Guide
Office of the Chief Information Security Officer
Version 10
September 16, 2013
DEPARTMENT OF HOMELAND SECURITY

INFORMATION SYSTEM SECURITY OFFICER (ISSO) GUIDE

Document Change History

Version | Date | Description
0.1 | 11/25/09 | Initial Internal Draft
0.2 | 12/15/09 | Revised Internal Draft, corrected formatting and grammatical errors
0.3 | 1/27/2010 | Incorporated ISO comments
1.0 | 3/30/2010 | Final Version
8.0 | 06/06/2011 | Updated entire document for terminology changes per DHS 4300A Version 8.0 and NIST SP 800-37. Changed version to match DHS 4300A. Created new section 2.1.2 Critical Control Review (CCR) Team. Updates: 2.1.1 Document Review (DR) Team; 2.1.4 DHS InfoSec Customer Service Center; Appendix C: OIG Potential Listing of Security Test Tools & Utilities.
8.0 | 9/19/2011 | Section 5.1 ISSO letter Attachment N was changed to Attachment C.
10 | | Document updated to reflect new IACS tool, Ongoing Authorization, and other minor changes. ISO changed to DHS OCISO.

TABLE OF CONTENTS

DOCUMENT CHANGE HISTORY ... i
TABLE OF CONTENTS ... ii
LIST OF FIGURES ... iv
1.0 INTRODUCTION ... 1
1.1 BACKGROUND ... 1
1.2 PURPOSE ... 1
1.3 SCOPE ... 1
1.4 DHS INFORMATION SECURITY PROGRAM ... 2
1.5 ESSENTIALS ... 2
2.0 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND RELATIONSHIPS ... 3
2.1 DHS CHIEF INFORMATION SECURITY OFFICER (CISO) ... 4
2.2 COMPONENT CISO / ISSM AND STAFF ... 7
2.3 SYSTEM OWNER ... 8
2.4 SYSTEM, DATABASE, AND MAJOR APPLICATION ADMINISTRATORS (TECHNICAL STAFF) ... 8
2.5 BUSINESS OWNER ... 8
2.6 SECURITY CONTROL ASSESSOR (SCA) ... 8
2.7 AUTHORIZING OFFICIAL ... 9
2.8 CHIEF FINANCIAL OFFICER ... 9
2.9 CHIEF PRIVACY OFFICER ... 9
2.10 CHIEF SECURITY OFFICER (CSO) / FACILITY SECURITY OFFICER (FSO) ... 10
2.11 DHS SECURITY OPERATIONS CENTER (SOC) ... 10
2.12 CONFIGURATION CONTROL BOARD (CCB) ... 10
2.13 FACILITY MANAGERS ... 11
2.14 PEERS ... 11
3.0 ISSO RESOURCES AND TOOLS ... 11
3.1 REFERENCES ... 11
3.2 DHS INFOSEC CUSTOMER SERVICE CENTER ... 16
4.0 SYSTEM ENGINEERING LIFE CYCLE (SELC) ... 16
4.1 LIFE CYCLE PHASES ... 17
4.2 ISSO RESPONSIBILITIES DURING THE LIFE CYCLE ... 21
5.0 ISSO RESPONSIBILITIES ... 21
5.1 ISSO LETTER ... 22
5.2 ACCESS CONTROL ... 23
5.3 ACQUISITION PROCESS ... 24
5.4 CONTROL ASSESSMENTS ... 25
5.5 ANNUAL SECURITY AWARENESS AND ROLE-BASED TRAINING ... 26
5.6 AUDITS ... 27
5.7 AUDITING (LOGGING) AND ANALYSIS ... 29
5.8 BUDGET ... 31
5.9 SECURITY AUTHORIZATION PROCESS ... 32
5.10 COMMON CONTROLS ... 34
5.11 CONFIGURATION MANAGEMENT (CM) ... 35
5.12 CONTINGENCY PLANNING ... 36
5.13 CONTINUOUS MONITORING ... 38
5.14 IDENTIFICATION AND AUTHENTICATION ... 39
5.15 INCIDENT RESPONSE INCLUDING PII ... 39
5.16 INTERCONNECTION SECURITY AGREEMENTS AND MEMORANDA OF UNDERSTANDING / AGREEMENT ... 40
5.17 INVENTORY ... 41
5.18 MAINTENANCE ... 42
5.19 MEDIA PROTECTION ... 42
5.20 PATCH MANAGEMENT ... 42
5.21 PERSONNEL SECURITY ... 43
5.22 PHYSICAL AND ENVIRONMENTAL SECURITY ... 44
5.23 PLANNING ... 46
5.24 POA&M MANAGEMENT ... 47
5.25 RISK ASSESSMENT ... 47
5.26 SYSTEM AND COMMUNICATIONS PROTECTION ... 47
5.27 SYSTEM AND INFORMATION INTEGRITY ... 48
5.28 SYSTEM AND SERVICES ACQUISITION ... 48
5.29 SYSTEM INTERCONNECTIONS ... 49
5.30 SECURITY TRAINING ... 49
6.0 REQUIREMENTS FOR PRIVACY SYSTEMS AND CFO DESIGNATED SYSTEMS ... 50
6.1 PRIVACY SYSTEMS ... 50
6.2 CFO DESIGNATED SYSTEMS ... 50
7.0 ISSO RECURRING TASKS ... 53
7.1 ONGOING ACTIVITIES ... 53
7.2 ISSO WEEKLY ACTIVITIES ... 53
7.3 ISSO MONTHLY ACTIVITIES ... 53
7.4 ISSO QUARTERLY ACTIVITIES ... 53
7.5 ISSO ANNUAL ACTIVITIES ... 53
7.6 AS REQUIRED ACTIVITIES ... 54
APPENDIX A: REFERENCES ... 55
APPENDIX B: ACRONYMS ... 58
APPENDIX C: OIG POTENTIAL LISTING OF SECURITY TEST TOOLS & UTILITIES ... 61

LIST OF FIGURES

Figure 1. ISSO Interactions ... 4
Figure 2. SELC Process ... 17
Figure 3. ISSO Security Authorization Process Relationships ... 33

1.0 INTRODUCTION

1.1 Background

The Information System Security Officer (ISSO) serves as the principal advisor to the Information System Owner (SO), Business Process Owner, and the Chief Information Security Officer (CISO) / Information System Security Manager (ISSM) on all matters, technical and otherwise, involving the security of an information system. ISSOs are responsible for ensuring the implementation and maintenance of security controls in accordance with the Security Plan (SP) and Department of Homeland Security (DHS) policies. In almost all cases, ISSOs will be called on to provide guidance, oversight, and expertise, but they may or may not develop security documents or actually implement any security controls. While ISSOs will not actually perform all functions, they will have to coordinate, facilitate, or otherwise ensure certain activities are being performed. As a result, it is important for ISSOs to build relationships with the SO, technical staff, and other stakeholders as described in this document.

This guide provides basic information to help ISSOs fulfill their many responsibilities and serves as a foundation for Components to develop and implement their own ISSO guidance. It also provides techniques, procedures, and useful tips for implementing the requirements of the DHS Information Security Program for Sensitive Systems.

This guide is a compilation of the best practices used by DHS Components and requirements contained in various DHS policies and procedures, National Institute of Standards and Technology (NIST) publications, Office of Management and Budget (OMB) guidance and Congressional and Executive Orders.

1.2 Purpose

ISSO duties, responsibilities, functions, tasks, and chain of command vary widely, even within the same Component. The document provides practical guidance to assist DHS ISSOs when performing assigned tasks. It addresses and explains the responsibilities, duties, tasks, resources, and organizational relationships needed for an ISSO to be successful. ISSOs should use this document as a guide as it applies to their circumstances.

This document is meant to be a companion document to, and an elaboration of, the various DHS Management Directives (MDs), Information Technology (IT) Security Policies and Handbooks (e.g., DHS 4300A), as well as the procedures and tools to implement those policies.

1.3 Scope

The ISSO Guide provides practical guidance based on DHS directives and policies applicable throughout the Department. Many Components have additional guidance that tailors DHS guidance to meet specific Component requirements. In all cases, Component guidance should be used as the primary reference source as long as it is consistent with DHS directives and policies.

The information in this guide is intended to support ISSO responsibilities for Sensitive But Unclassified (SBU) systems. Although much of the information in this guide is applicable to ISSOs for Classified systems, it cannot be considered authoritative for information systems processing National Security Information, Sensitive Compartmented Information (SCI), Cryptographic/Cryptologic data, or Special Access Programs. ISSOs for those excluded systems are guided by separate documentation including but not limited to the:

- DHS 4300B National Security System Policy
- DHS 4300B National Security Systems Handbook
- DHS 4300C Sensitive Compartmented Information (SCI) Systems Policy Directive
- DHS SCI Systems Information Assurance Handbook

1.4 DHS Information Security Program

The DHS CISO is responsible for implementing and managing the DHS-wide Information Security Program to ensure compliance with applicable Federal laws, Executive Orders, directives, policies, and regulations.

To help with these responsibilities, the DHS Office of the Chief Information Security Officer (OCISO) has the mission and resources to assist in ensuring Department compliance with information security requirements. DHS OCISO is organized into four directorates: Information Security Program Policy, Compliance and Technology, Cybersecurity Strategy, and Information Security Program Management. ISSOs will have the most interaction with the Compliance and Technology Directorate, which includes the DHS InfoSec Customer Service Center, Plan of Action and Milestones (POA&M), document review, inventory, and scorecard functions.

The DHS Information Security Program does not apply to systems that process, store, or transmit National Intelligence Information.

1.5 Essentials

The goal of information security is to help the business process owner accomplish the mission in a secure manner. To be successful, ISSOs need to know and understand the following:

- Mission and business functions of the organization (e.g., an ISSO for a procurement system should know that no maintenance or down time should be scheduled during the fourth quarter, which is extremely busy)
- How the system supports the organization’s mission
- System details, including:
  - Architecture
  - System components (hardware, software, peripherals, etc.)
  - Location of each system component
  - Data flow
  - Interconnections (internal and external)
  - Security categorization
  - Security requirements
  - Configuration management processes and procedures
- Users (how many, location, etc.)
- Key personnel by name

2.0 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND RELATIONSHIPS

The key to success for an ISSO is to build relationships with key personnel who have the authority or ability to ensure compliance with security laws, regulations, guidance and requirements. Key people will differ depending on circumstances. Therefore, throughout this guide, ISSOs are encouraged to coordinate with appropriate contacts as determined by their Components and different situations that arise with their systems.

This section discusses the organizational relationships between the ISSO and key personnel with whom the ISSO interfaces. It emphasizes the type of information each can provide and the suggested frequency of contact. Roles and responsibilities are included only as they are relevant to the ISSO. For a more detailed description of individual roles and responsibilities, see DHS 4300A Sensitive Systems Handbook. Sections below discuss the nature of those relationships and the types of information exchanged in each case.

Figure 1. ISSO Interactions illustrates the people the ISSO will interact with on a regular basis. Descriptions of these relationships are provided in the following sections.

Figure 1. ISSO Interactions

2.1 DHS CHIEF INFORMATION SECURITY OFFICER (CISO)

The DHS CISO implements and manages the DHS Information Security Program to ensure compliance with applicable Federal laws, Executive Orders, directives, policies, and regulations. The DHS CISO reports directly to the DHS Chief Information Officer (CIO) and is the principal advisor for information security matters.

The DHS CISO issues Department-wide information security policies, guidance, and architecture requirements for all DHS IT systems and networks based upon guidance from NIST as well as all applicable OMB memoranda and circulars. The CISO also facilitates the development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems.

ISSOs are assigned duties and tasks that directly support these CISO responsibilities. Specific CISO responsibilities at the Department and Component levels can be found in the Information Security Program Roles section of DHS 4300A. The DHS CISO has several teams available to help ISSOs perform their duties and assess the effectiveness of policy, guidance, and overall program structure. In all cases, ISSOs should work through their Component CISO / ISSM and follow Component-specific procedures to request support from DHS.

DHS OCISO teams are described in detail below and include the:

- Document Review (DR) Team
- Ongoing Authorization
- Inventory Team
- Plan of Action and Milestones (POA&M) Team
- DHS InfoSec Customer Service Center

Many Components have a similar structure with an internal FISMA compliance function. Key DHS teams include those described below.

2.1.1 Document Review Team

The DHS DR Team reviews and validates Security Authorization Process documents uploaded in the Information Assurance Compliance System (IACS). The DR Team uses a checklist to ensure Security Authorization Process documents are complete and comply with DHS guidance contained in DHS 4300A, NIST Special Publication (SP) 800-53, the annual Performance Plan, and the DHS Security Authorization Process Guide. Security Authorization Process checklists are available on the DHS CISO website.

The DR team provides feedback on each package it reviews by providing the ISSO or Component CISO team with a completed DR checklist. After the checklist has been provided, the DR Team conducts a conference call with the Component to provide additional feedback, answer questions, and consider any additional information the Component may provide. ISSOs should ensure they participate in these feedback sessions along with any other stakeholders in the Security Authorization Process.

Contact with the DR team is normally made via the Component CISO/Compliance team. ISSOs should understand local requirements before contacting the DR team directly.

2.1.2 Ongoing Authoriz
