State Of California Office Of Information Security - CDT


State of California
Office of Information Security
Foundational Framework
SIMM 5300-B
October 2017

REVISION HISTORY

Revision: Initial Release
Date of Release: November 2017
Owner: Office of Information Security
Summary of Changes: New

California Department of Technology, Office of Information Security
Foundational Framework
SIMM 5300-B
October 2017

TABLE OF CONTENTS

I.  INTRODUCTION ............................................ 1
II. FOUNDATIONAL FRAMEWORK ............................... 2-17
    A. Application Security ................................ 2
    B. Contingency Planning ................................ 3
    C. Change and Configuration Management ................. 4
    D. Data Security ..................................... 5-6
    E. Security Governance ............................... 7-9
    F. Endpoint Security .................................. 10
    G. Identity and Access Management ..................... 11
    H. Mobile Security .................................... 12
    I. Security Analytics and Continuous Monitoring ....... 13
    J. Network Security ................................... 14
    K. Physical Security .................................. 15
    L. Vulnerability Management ........................ 16-17

I. INTRODUCTION

The Department of Technology, Office of Information Security has established this foundational framework, comprised of 30 priority security objectives, to assist state entities with prioritization of their information security efforts. The foundational framework is considered a starting point and will be used to consistently measure and mature state entity security compliance moving forward.

As state entities achieve compliance with foundational framework objectives, they will continue to address other applicable control areas to sufficiently protect information assets and address organizational risk.

Page 1

II. FOUNDATIONAL FRAMEWORK

SIMM 5300-B FOUNDATIONAL FRAMEWORK - Security Program Framework

Column key (each objective below is laid out with the fields of the original table):
  GOALS [REPORT at this level]
  2016-2018 PRIORITY OBJECTIVES [MANAGE at this level]
  NIST CYBER SECURITY FUNCTION
  SAM 5300 REFERENCE
  TARGET STATE [What Good Looks Like] [DEPLOY at this level]
  NIST 800-53 REFERENCE (Control Family, Number, Name)

A. APPLICATION SECURITY

Goal: Establish security controls for the development, acquisition, and use of software applications that are commensurate with the defined security risk for use and operations of those applications.

Objective: Application Inventory Management
  Develop a formal, comprehensive software application inventory management process that includes regular and periodic reviews, management and stakeholder input and approval, and integration with enterprise asset management processes.
NIST Cyber Security Function: Identify
SAM 5300 Reference: 5305.5 Information Asset Management; 5315.3 Information Asset Documentation; 5315.7 Software Usage Restrictions
Target State:
  - Formally defined, documented, and centrally managed software inventory management process, mandated by policy with senior management oversight, with regular and periodic review and update of inventory contents.
  - Use of automated tools for software discovery and inventory content maintenance, with owner and stakeholder input.
  - Inventory contents include associated software characteristics, including owners, assurance and protection requirements, sensitive data stored or processed, infrastructure requirements, aging, and skill set requirements.
  - Approach and applicability of the enterprise software inventory and its contents are enhanced and enforced through a regular and periodic program of review, audit, and update.
NIST 800-53 Reference: Configuration Management: CM-8 INFORMATION SYSTEM COMPONENT INVENTORY; Program Management: PM-5 INFORMATION ASSET INVENTORY

Objective: Application Assurance Level Definition
  Define application assurance levels based on criticality to business mission and sensitivity of data, as well as the operational threat environment.
NIST Cyber Security Function: Identify
SAM 5300 Reference: 5315 Information Security Integration; 5315.1 System and Services Acquisition; 5315.2 SDLC
Target State:
  - Application assurance levels have been formally defined, documented, and governed through enterprise application development policy with senior management oversight.
  - All applications are regularly and periodically assessed.
  - Threats, vulnerabilities, and consequences are used to identify the security requirements of the application in terms of business requirements.
  - Assurance ratings are maintained as part of the application inventory management process and used to define appropriate secure coding and testing methodologies.
  - Assurance definitions and assignments are enhanced and enforced through a regular and periodic program of review, audit, and update.
NIST 800-53 Reference: System and Services Acquisition: SA-8 SECURITY ENGINEERING PRINCIPLES; SA-11 DEVELOPER SECURITY TESTING AND EVALUATION

Objective: Secure Code Practices
  Establish and deploy software development and programming methods, techniques, and standards (secure coding practices) used specifically for implementing software in a way that prevents, avoids, or does not create security vulnerabilities in the resulting application.
NIST Cyber Security Function: Protect
SAM 5300 Reference: 5315 SDLC
Target State:
  - Secure coding practices (software development and programming methods, techniques, and standards) are formally defined, documented, and governed through enterprise application development policy with senior management oversight.
  - Practices are defined, documented, integrated, and enforced across all system development environments.
  - Application developers are regularly and periodically trained in secure coding practices for the applicable system development environments.
  - Practices are enhanced and enforced through a regular and periodic program of review, audit, and update.
NIST 800-53 Reference: System and Services Acquisition: SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN; Configuration Management: CM-7 LEAST FUNCTIONALITY; System and Information Integrity: SI-10 INFORMATION INPUT VALIDATION

Page 2

B. CONTINGENCY PLANNING

Goal: Deploy controls to prevent unauthorized or unacceptable loss of customer, critical, and sensitive information. In keeping with a systematic and comprehensive security program, deploy controls to protect information availability.

Objective: Business Impact Assessment
  Develop and vet an enterprise Business Impact Analysis (BIA) with realistic Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) commensurate with the assurance level of each application and aligned with the service recovery objectives established in the enterprise Business Continuity Plan (BCP).
NIST Cyber Security Function: Recover
SAM 5300 Reference: 5325 Business Continuity with Technology Recovery; 5325.1 Technology Recovery Plan; 5325.4 Alternate Storage and Processing Site; 5325.5 Telecommunications Services
Target State:
  - Enterprise Business Impact Analysis (BIA) is conducted regularly and periodically, resulting in realistic Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical systems and supporting IT infrastructure.
  - Recovery objectives are commensurate with the assigned assurance level of each application and aligned with the service recovery objectives established in the enterprise Business Continuity Plan (BCP).
  - Service recovery objectives are reviewed and approved by key business process stakeholders.
  - BIA is reviewed and updated at least annually, with a complete refresh at least every three years.
  - Disaster recovery testing results are used as feedback to periodically enhance BIA-based recovery objectives between BIA refresh cycles.
NIST 800-53 Reference: Contingency Planning: CP-2 CONTINGENCY PLAN; CP-4 CONTINGENCY PLAN TESTING; CP-6 ALTERNATE STORAGE SITE; CP-7 ALTERNATE PROCESSING SITE

Objective: Comprehensive DRP Testing
  Existing disaster recovery processes are to include periodic live testing of recovery capabilities, incorporating feedback to refine the processes.
NIST Cyber Security Function: Recover
SAM 5300 Reference: 5325.1 Technology Recovery Plan; 5325.3 Technology Recovery Testing; 5325.6 Information System Backups
Target State:
  - Disaster Recovery (DR)/Business Continuity (BC) testing is conducted as part of a formal, documented plan integrated with the regular and periodic review of the DR/BC plans.
  - Testing is structured as a tiered testing program that includes table-top scenario-based and live partial (function, infrastructure, system, or application-specific) recovery testing, as well as live, full failover and recovery testing for all systems supporting critical business processes.
  - Test results are used as feedback to the plan review process and incorporated as refinements to the plan.
  - Testing occurs at least annually.
  - Full, live testing occurs at least every three years.
NIST 800-53 Reference: Contingency Planning: CP-2 CONTINGENCY PLAN; CP-3 CONTINGENCY TRAINING; CP-4 CONTINGENCY PLAN TESTING; CP-9 INFORMATION SYSTEM BACKUP

Page 3

C. CHANGE AND CONFIGURATION MANAGEMENT

Goal: Establish change and configuration management controls that include a workflow model with documentation, attribution, approval processes, testing, and execution of the change. Additionally, establish controls to protect the integrity and confidentiality of the change management process commensurate with the level of criticality of the resources being changed.

Objective: Comprehensive Enterprise Change Management Process, Workflow, and Database
  Establish an organization-wide change management (CM) process and standards applicable to all IT and information (hardware, software, infrastructure, and data); support the change management process with a single automated workflow tool and a central CM data repository.
NIST Cyber Security Function: Identify
SAM 5300 Reference: 5315 Information Security Integration; 5315.5 Configuration Management
Target State:
  - Practices are formally defined and governed by enterprise policy with senior management oversight.
  - Enterprise policy is comprehensively applied across the enterprise; mandates the maintenance of an enterprise change management process; defines the assets to be managed via the process; and outlines specific management and administration responsibilities, including a change advisory board (CAB) and formal security change impact evaluations.
  - Implementation includes the use of automation for workflow, cataloging, tracking, and reporting.
  - Monitoring and reporting processes are defined and established to ensure policy adherence.
  - The process is integrated with enterprise configuration and asset management processes.
  - Approach and applicability of the change management policy are enhanced and enforced through a regular and periodic program of review, audit, and approach update.
NIST 800-53 Reference: Configuration Management: CM-3 CONFIGURATION CHANGE CONTROL; CM-4 SECURITY IMPACT ANALYSIS; CM-5 ACCESS RESTRICTIONS FOR CHANGE

Objective: Embed Formal Security Evaluations in Enterprise CM Process
  Integrate formal security impact evaluation and approval into enterprise risk management processes and panels.
NIST Cyber Security Function: Detect
Target State:
  - Practices are formally defined and governed by enterprise policy with senior management oversight.
  - Enterprise policy is comprehensively applied across the enterprise; mandates the maintenance of an enterprise change management process that includes formal security change impact evaluations to qualify the level of alteration to the enterprise security posture resulting from the proposed change; defines the threshold criteria for identifying the types of changes subject to security impact evaluations; and outlines specific management and administration responsibilities, including the actions and authority of the change advisory board (CAB) to stop, suspend, or approve changes based on the results of the security impact evaluation.
NIST 800-53 Reference: Configuration Management: CM-4 SECURITY IMPACT ANALYSIS

Page 4

D. DATA SECURITY

Goal: Deploy governance processes and protection controls to prevent unauthorized or inappropriate access to or disclosure of private or sensitive information. In keeping with a systematic and comprehensive security program, deploy controls to protect information confidentiality in addition to controls for other major security objectives as they relate to comprehensive data and information protection.

Objective: Data Classification Policy and Enforcement
  Establish enterprise policy and practices for data classification that include identification and definition of the data and information types used, processed, and stored throughout the enterprise, in alignment with business processes.
NIST Cyber Security Function: Identify
SAM 5300 Reference: 5305.5 Information Asset Management; 5310.1 State Entity Privacy Statement and Notice on Collection; 5310.2 Limiting Collection; 5310.3 Limiting Use and Disclosure; 5310.4 Individual Access to Personnel Information; 5310.5 Information Integrity; 5310.6 Data Retention and Destruction; 5310.7 Security Safeguards; 5320 Training and Awareness for Information Security and Privacy; 5365.2 Media Protection; 5365.3 Media Disposal
Target State:
  - Business data use cases and practices are formally defined and governed by enterprise policy with senior management oversight.
  - Enterprise policy defines practices for data classification that include identification and definition of the data and information types used, processed, and stored throughout the enterprise, in alignment with business processes.
  - Authorized use case guidelines are provided for data-at-rest, in-motion, and in-use, as well as the required standards for protection per use case.
  - Use case requirements include data exchange, retention, and destruction, as well as hardcopy and mobile media applicability.
  - Training on appropriate use is included in the regular and periodic security awareness program.
  - Approach and applicability of the enterprise data classification policy are enhanced and enforced through a regular and periodic program of review, audit, and approach update.
  - Monitoring and reporting processes are defined and established to ensure policy adherence.
NIST 800-53 Reference: Awareness and Training; Risk Assessment: RA-2 SECURITY CATEGORIZATION; System and Communications Protection: SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY; SC-13 CRYPTOGRAPHIC PROTECTION; SC-28 PROTECTION OF INFORMATION AT REST

Objective: Data Privacy Program and Enforcement
  Establish an enterprise policy and direct the development and maintenance of an organizational Privacy Program that defines the overall Privacy Program, explicitly describes the applicability of privacy policy to enterprise business processes, and ensures compliance with the California Information Practices Act.
NIST Cyber Security Function: Protect
SAM 5300 Reference: 5305.2 Policy, Procedure and Standards Management; 5305.6 Risk Management; 5305.7 Risk Assessment; 5310.1 State Entity Privacy Statement and Notice on Collection; 5310.2 Limiting Collection; 5310.3 Limiting Use and Disclosure; 5310.4 Individual Access; 5310.5 Information Integrity; 5310.6 Data Retention and Destruction; 5315.3 Information Asset Documentation; 5330.1 Security Assessments
Target State:
  - Enterprise privacy policy is defined with senior management accountability. It appoints a Chief Privacy Officer (CPO) or Privacy Coordinator (PC) responsible for the development, implementation, and maintenance of a privacy program to protect individual privacy and to ensure compliance with applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personal information by programs and information systems.
  - Policy is defined to support achievement of privacy objectives commensurate with business objectives.
  - Policies are regularly and periodically reviewed and updated for alignment with current prevailing industry practices and applicable threats.
  - Policies and any updates are regularly and periodically communicated to personnel with respect to applicability and enforcement.
  - Policy is supported by a comprehensive set of defined policy implementation standards and guidelines, as well as requirements for minimum baseline policy enforcement across all aspects of the architecture and business processes.
  - Privacy policy definition, applicability, and enforcement are enhanced and validated through a program of regular and periodic review, maintenance, update, monitoring, and audit.
  - All public websites contain a Privacy Policy Statement. All online and hard copy forms that collect personal information contain a Notice on Collection.
NIST 800-53 Reference: Accountability, Audit, and Risk Management: AR-1 GOVERNANCE AND PRIVACY PROGRAM; AR-2 PRIVACY IMPACT AND ASSESSMENT; AR-3 PRIVACY REQUIREMENTS FOR CONTRACTORS AND SERVICE PROVIDERS; AR-4 PRIVACY MONITORING AND AUDITING; AR-6 PRIVACY REPORTING; AR-7 PRIVACY ENHANCED SYSTEM DESIGN AND DEVELOPMENT; AR-8 ACCOUNTING OF DISCLOSURES; Risk Assessment: RA-1 RISK ASSESSMENT POLICY AND PROCEDURES; Program Management: PM-9 RISK MANAGEMENT STRATEGY; Authority and Purpose: AP-1 AUTHORITY TO COLLECT; AP-2 PURPOSE SPECIFICATION; Data Minimization and Retention: DI-1 MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION; Individual Participation and Redress: IP-1 CONSENT; Transparency: TR-1 PRIVACY NOTICE

Objective: [objective title not present in the transcription]
Target State:
  - Comprehensive privacy risk assessment strategy is formally defined and governed by the enterprise privacy policy with senior management oversight.

Page 5

D. DATA SECURITY (CONT'D)

NIST Cyber Security Function: Protect
Target State (continued):
  - Policy identifies privacy-specific management and administrative roles and responsibilities, including applicability to vendors and contractors.
  - Regular and periodic assessment of privacy-related risk and formal acceptance of residual risk by accountable organization management for programs, systems, and technologies, both existing and new, through informal and formal project management processes, including Privacy Threshold Assessments (PTA) and Privacy Impact Assessments (PIA).
  - The assessment process is based on an industry-accepted leading practice privacy framework and includes criteria for qualifying risk commensurate with the business mission of the organization.
  - The process addresses residual risk in all aspects of the enterprise, including the telecommunications perimeter, major systems and applications, infrastructure, resources and data, governance, and procurement/acquisition.
  - The process is enforced through a program of regular and periodic monitoring and testing to validate assessment findings, with the resulting metrics used to provide input to the residual risk acceptance process.
  - The privacy program is periodically supplemented by privacy assessments conducted by independent third parties.
  - Privacy assessment results are provided as input into overall enterprise risk and compliance management processes.
  - Privacy assessment processes are enhanced and validated through a program of regular and periodic review, maintenance, update, and audit.

Objective: Protecting Confidential and Sensitive Data
  Employ encryption technology to protect sensitive data-at-rest, in accordance with the enterprise data classification policy, in all enterprise and organization-specific structured data repositories that contain sensitive information, including databases and enterprise content management systems.
NIST Cyber Security Function: Protect
SAM 5300 Reference: 5310.7 Security Safeguards; 5350 Operational Security; 5350.1 Encryption; 5365.2 Media Protection
Target State:
  - Data-at-rest protection practices are defined and governed in accordance with the enterprise information classification policy requirements for sensitive data.
  - Appropriate, current-state technological protection, such as encryption, masking and obfuscation, or tokenization, is employed on all enterprise and organization-specific electronic media and devices with the capability to store information.
  - Encryption strength (key and algorithm) is commensurate with the assurance-level requirements of the devices and media, as well as the use cases in which the devices and media are used.
  - Encryption approach(es) are supplemented with sufficient encryption key management processes to ensure protected and managed data recovery in the event of loss, mis-configuration, or forensic investigation.
  - Data-at-rest protection practices are enhanced and enforced through a regular and periodic program of review, audit, testing, and update.
NIST 800-53 Reference: Media Protection: MP-5 MEDIA TRANSPORT; System and Communications Protection: SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY; SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT; SC-13 CRYPTOGRAPHIC PROTECTION; SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES; SC-28 PROTECTION OF INFORMATION AT REST

Page 6

E. SECURITY GOVERNANCE

Goal: Establish a high-level enterprise Security Governance process led by an information security officer (ISO) who is empowered to protect enterprise IT assets while removing the barriers to productivity through well-understood management processes and governance principles.

Objective: Awareness Training Program
  Establish a comprehensive enterprise security awareness and training policy with requirements for regular and periodic (annual) awareness training for all users of IT operated by or on behalf of the enterprise.
NIST Cyber Security Function: Respond
SAM 5300 Reference: 5305.4 Personnel Management; 5320 Training and Awareness for Information Security and Privacy; 5320.1 Security and Privacy Awareness; 5320.2 Security and Privacy Training; 5320.3 Security and Privacy Training Records; 5320.4 Personnel Security
Target State:
  - Regular and periodic security awareness training is mandated by enterprise security policy with senior management oversight.
  - Awareness training is mandatory for all enterprise personnel, as well as all vendors, suppliers, and providers that make use of or operate IT resources and information on behalf of the organization.
  - Training compliance is formally tracked, managed, and reported, and enforced through suspension of access to the IT assets required for the job function.
  - Training content includes awareness of security policy applicability and enforcement, applicable threats, and reporting.
  - Training content is regularly and periodically updated to maintain currency with prevailing events.
  - The training program is multi-faceted, including formal training, mass communications, and topic-specific messaging.
  - The training program includes role-specific training for audiences from at least the general-user, technical, and management perspectives.
  - Metrics exist to measure the success of the awareness program as it relates to improved security and decreased risk.
  - The security awareness training program is enhanced through a program of regular and periodic review, maintenance, update, and audit.
NIST 800-53 Reference: Awareness and Training: AT-1 SECURITY AWARENESS POLICY AND PROCEDURES; AT-2 SECURITY AWARENESS TRAINING; AT-3 ROLE-BASED SECURITY TRAINING; AT-4 TRAINING RECORDS; Security Planning: PL-4 RULES OF BEHAVIOR

Objective: Comprehensive Security Policy Structure
  Formally establish and document a consolidated, comprehensive, enterprise-specific security governance policy structure that includes policy, requirements, and supporting standards.
NIST Cyber Security Function: Protect
SAM 5300 Reference: 5305 Information Security Program; 5305.2 Policy, Procedures and Standards Management
Target State:
  - Enterprise security policy is defined with senior management accountability.
  - Policy is defined to support achievement of security objectives commensurate with business objectives.
  - Policy is regularly and periodically reviewed and updated for alignment with current prevailing industry practices and applicable threats.
  - Policy updates are regularly and periodically communicated to personnel with respect to applicability and enforcement.
  - Policy is supported by a comprehensive set of defined policy implementation standards and guidelines, as well as requirements for minimum baseline policy enforcement across all aspects of the security architecture and all business processes.
NIST 800-53 Reference: Access Control: AC-1 ACCESS CONTROL POLICY AND PROCEDURES; Awareness and Training: AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES; Audit and Accountability: AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES; Security Assessment and Authorization: CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES; Configuration Management: CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES; Contingency Planning: CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES; Identification and Authentication: IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES; Incident Response: IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES; Maintenance: MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES; Media Protection: MP-1 MEDIA PROTECTION POLICY AND PROCEDURES; Physical and Environmental Protection: PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES; Planning: PL-1 SECURITY PLANNING POLICY AND PROCEDURES; Personnel Security: PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES; Risk Assessment: RA-1 RISK ASSESSMENT POLICY AND PROCEDURES; System and Services Acquisition: SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES; System and Communications Protection: SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES; System and Information Integrity: SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES

Page 7

E. SECURITY GOVERNANCE (CONT'D)

Objective: Security Management Plan
  Establish an enterprise policy and direct the development and maintenance of an organizational Security Management Plan (SMP) that defines the overall information protection program as it relates to security and privacy, and explicitly describes the applicability of security and privacy policy to enterprise business processes.
NIST Cyber Security Function: Protect
SAM 5300 Reference: 5305 Information Security Program; 5305.1 Information Security Program Management; 5305.2 Risk Management; 5305.6 Risk Management; 5305.7 Risk Assessment; 5330.1 Security Assessments
Target State:
  - Comprehensive security and risk assessment strategy is formally defined and governed by the enterprise security management policy with senior management oversight.
  - Policy identifies security-specific management and administrative roles and responsibilities, including applicability to vendors and contractors.
  - Policy mandates a process for residual security risk management that includes regular and periodic assessment of security-related risk and formal acceptance of residual risk by accountable organization management.
  - The assessment process is based on an industry-accepted leading practice security framework and includes criteria for qualifying risk commensurate with the business mission of the organization.
  - The process addresses residual risk in all aspects of the enterprise, including the telecommunications perimeter, major systems and applications, infrastructure, resources and data, governance, and procurement/acquisition.
  - The process is enforced through a program of regular and periodic monitoring and testing to validate assessment findings, with the resulting metrics used to provide input to the residual risk acceptance process.
  - The assessment program is periodically supplemented by assessments conducted by independent third parties.
  - Assessment results are provided as input into overall enterprise risk and compliance management processes.
  - Security and risk assessment processes are enhanced and validated through a program of regular and periodic review, maintenance, update, and audit.
NIST 800-53 Reference: Security Assessment and Authorization: CA-7 CONTINUOUS MONITORING; Program Management: PM-1 INFORMATION SECURITY PROGRAM PLAN; Risk Assessment: RA-1 RISK ASSESSMENT POLICY AND PROCEDURES; RA-3 RISK ASSESSMENT

Objective: [objective title not present in the transcription]
SAM 5300 Reference: 5305.6 Risk Management; 5305.7 Risk Assessment; 5315.9 Security Authorization
Target State:
  - Comprehensive security planning and system authorization strategy is formally defined and governed by the enterprise security management policy with senior management oversight.
  - Policy identifies security-specific management and administrative roles and responsibilities, including applicability to vendors and contractors.
  - Policy mandates the development and periodic maintenance of system-specific security plans, and requires senior management approval of the plans, as well as approval to operate the system or application in the risk environment documented in the plan.
  - Policy defines and identifies accountable management designated to formally accept residual risk per organization-specific criteria, which includes overall responsib
