App C Security Plan - AT&T Business


APPENDIX C

United States General Services Administration
Security Plan for Networx
March 5, 2007

Prepared for: United States GSA, Washington, DC 20530
Prepared by: AT&T, 1900 Gallows Road, Vienna, Virginia 22182

NETWORX ENTERPRISE
SOLICITATION TQC-JTB-05-0002

REVISION HISTORY

DATE       VERSION   REVISION/CHANGE DESCRIPTION
10/24/05   1.0       Initial release
7/14/2006  1.1       Updated for Amendment 5 and 6 and CRs and DNs
3/7/07     1.2       Final Proposal Revision

Use or disclosure of data contained on this sheet is subject to the restriction on the title page of this proposal. AT&T Proprietary. Page i. March 5, 2007

TABLE OF CONTENTS

PREFACE ......................................................... 1
Organization of Document ........................................ 3
1     SYSTEM IDENTIFICATION ...................................... 3
1.1   Security Plan Name/Title ................................... 3
1.2   Responsible Organization ................................... 4
1.3   Information Contacts ....................................... 4
1.4   Assignment of Security Responsibility ...................... 5
1.5   System Operational Status .................................. 6
1.6   General Description and Purpose ............................ 7
1.7   System Environment and Special Considerations .............. 8
1.8   System Interconnection/Information Sharing ................. 9
1.9   Laws, Regulations, and Policies Affecting the System ....... 10
2     SENSITIVITY OF INFORMATION HANDLED ......................... 12
2.1   Description of Data Processed .............................. 13
2.2   Information Sensitivity .................................... 13
3     MANAGEMENT CONTROLS ........................................ 15
3.1   Risk Assessment and Management ............................. 15
3.2   Review of Security Controls ................................ 17
3.3   Rules of Behavior .......................................... 17
3.4   Planning for Security in the Life Cycle .................... 18
3.4.1 Initiation Phase ........................................... 19
3.4.2 Development/Acquisition Phase .............................. 19
3.4.3 Implementation Phase ....................................... 20
3.4.4 Operation/Maintenance Phase ................................ 21

3.4.5 Disposal Phase ............................................. 22
3.5   Authorize Processing ....................................... 22
4     OPERATIONAL CONTROLS ....................................... 23
4.1   Personnel Security ......................................... 23
4.1.1 Personnel Security Management .............................. 23
4.1.2 Sensitivity of Positions ................................... 24
4.1.3 Required Background Investigations ......................... 25
4.1.4 Pre-Appointment Background Investigation Waivers ........... 25
4.1.5 Required Security Forms .................................... 26
4.1.6 Operational Access Controls ................................ 26
4.1.7 Holding Users Responsible for their Actions ................ 27
4.1.8 Friendly and Unfriendly Termination Procedures ............. 28
4.2   Physical and Environmental Protection ...................... 29
4.3   Production, Input/Output Controls .......................... 31
4.3.1 Marking and Storing Devices and Media ...................... 31
4.3.2 Device and Media Disposal .................................. 32
4.3.3 Monitor the Production Environment ......................... 32
4.4   Contingency Planning ....................................... 34
4.4.1 Continuity of Operations Plans ............................. 34
4.4.2 Backup and Off-Site Storage ................................ 35
4.5   Hardware and System Software Maintenance Controls .......... 35
4.5.1 Maintenance and Repair ..................................... 36
4.5.2 Configuration Management ................................... 36
4.6   Integrity Controls ......................................... 37
4.6.1 Virus Control .............................................. 37
4.6.2 Message Integrity .......................................... 38
4.6.3 Use of Mobile Code ......................................... 38

4.7   Documentation .............................................. 38
4.8   Security Awareness & Education ............................. 40
4.9   Incident Response Capability ............................... 41
5     TECHNICAL CONTROLS ......................................... 42
5.1   Identification and Authentication .......................... 42
5.2   Logical Access Controls .................................... 43
5.2.1 User Authorization ......................................... 44
5.2.2 Protection from Unauthorized Access ........................ 44
5.2.3 Public Access Controls ..................................... 45
5.2.4 Warning Banner ............................................. 46
5.3   Audit Trails ............................................... 46
6     SUPPLEMENTAL INFORMATION ................................... 48
6.1   AT&T Security Management Organization ...................... 48
6.2   Security Management Practices and Procedures ............... 50
6.3   AT&T Security Resources, Strategies, Policies, and Procedures  52
6.4   AT&T Security Best Practices ............................... 53
6.5   Employee Security Awareness and Training ................... 55
6.6   Security Risk Management ................................... 57
6.6.1 Vulnerability Scans and Tests .............................. 58
6.6.2 Security Evaluation Program ................................ 58
6.7   Information Security Management ............................ 62
6.8   Information Assurance Management ........................... 64
6.9   Security Breach Response Management ........................ 65
6.10  Alarms and Audit Trails .................................... 66
6.11  Personnel Security .........................................

This security plan has two purposes: (1) to present the baseline system security plan and approach to how we will implement the security requirements for all services and Operational Support Systems provided by AT&T on Networx Enterprise, and (2) to describe how we plan and implement security for client Agency systems provided under individual