The Management category addresses how IT systems are managed, including identifying risks to the system. It includes questions about such issues as:
• Risk Management: Whether the organization has a risk-management process in place and whether it takes steps to reduce and maintain the risks at an acceptable level.
• Security Reviews: Whether the organization has implemented routine evaluations of and responses to identified system vulnerabilities.
• Lifecycle: Whether the development and maintenance of security policies and procedures is part of the agency's technology lifecycle development process (meaning it is dynamic, not static).
• Certification and Accreditation: Normally reserved for federal agencies' compliance in certifying their IT systems in accordance with NIST guidelines. However, many state and local agencies fall under these rules because of the data they maintain under federal programs (for example, compliance with Health Insurance Portability and Accountability Act [HIPAA] regulations or Child Protective Services regulations).
• System Security Plan: Does the agency maintain a formal security plan that includes the security requirements of the system(s), as well as procedures to fulfill those requirements? The plan should delineate individual responsibilities and the expected behavior of all individuals who access, maintain, or otherwise interact with the system.
The project it will require you to do quite a bit
As we begin describing the information to collect, you will note it is voluminous. We have created a tool to help facilitate the assessment process, downloadable at www.search.org. It is in Microsoft Excel spreadsheet format and is described in more detail starting on page 61. You may also use Appendix A: Assessment Worksheets and Questions from the SEARCH Information Security Self- and Risk-Assessment Tool to help you through this chapter.
Here are the types of organizational information you should collect to inform the management self-assessment.
1. Controlling organizations. Identify and list all the controlling organizations of your agency, up to and including the federal level, if applicable.
a. If you are a local police department, the first level outside your agency will probably be your city or county government.
b. If you are working at the state level, you may not have a controlling organization if the head of your agency already reports to the governor or a state legislative committee; nevertheless, your agency will be responsible to these entities in a similar manner, and often under more pressure because of the political sensitivity involved.
c. The federal level becomes important if your agency either uses services from or receives funding from a federal agency.
The list you develop should contain the following information at the minimum:
• Agency name.
• Relationship to your organization.
• The areas of control related to your organization. What oversight does this agency exercise with respect to your organization?
• The first-level contacts within those agencies that your people would normally contact. These are the “go-to” people in the other agency.
2. Business/mission statement(s) for your agency. These should be easily located in your agency’s strategic plan.
3. Audit reports. These documents will potentially provide you with a lot of good information related to your organization and IT systems. Specifically, you need to identify and collect any audit reports created that relate to:
a. Your agency—the audit reports may have been created for any purpose (financial, security, or otherwise).
b. The IT infrastructure—the audit reports may have been created for the data network, physical security, emergency preparedness, and so forth.
4. Policies/procedures. Collect existing policies, procedures, memoranda, and so forth, related to IT systems control and/or IT security in particular, or to any other compliance requirements based on law or agreement (for example, the FBI Criminal Justice Information Services [CJIS] Division's CJIS Security Policy, HIPAA, the Sarbanes-Oxley Act,10 and so forth).
5. Building design and construction details. Collect these for any location housing IT systems or users of IT systems that are part of this self-assessment activity.
6. Project-related documents. Obtain, if they exist, the project plans, project specifications, proposals, requests for proposals (RFPs), and other documents for all IT systems that are part of this self-assessment.
7. Existing agreements. Do any agreements made between your department and any other entities relate to the IT systems that are part of this self-assessment?
Some examples of such agreements may be the following:
a. Service-level agreements—these agreements typically are between the service provider (usually an IT department, which may be part of another agency) and your organization.
b. Availability agreements—these typically would be made with your end users to guarantee system availability. In addition, they may also cover their responsibilities to maintain security, confidentiality, and controlled access to the system.
8. Position description and related correspondence. Identify the most senior person in your organization responsible for each IT system under review.
a. Obtain a copy of his or her job description.
b. Obtain any memos or letters of understanding addressed to this person that are related to the IT system under review.
10 Public Law 107-204.
9. Responsible party information. Identify the organization that is responsible for maintaining the IT system. Gather the following information:
a. If the IT system is a commercial product—
i. License agreement.
ii. Support agreement.
iii. Policies and procedures related to maintenance and support of the IT system.
iv. Documentation of how the organization maintains system records regarding changes, modifications, and/or upgrades.
b. If the system was developed in house (this may be the city or county IT department)—
i. System design documentation.
ii. Copies of structured walk-throughs or other development documentation that was created when the system was built.
iii. Maintenance logs.
iv. Requests for system changes/modifications.
10. Budget information. Obtain the initial and subsequent budget proposals and justifications for the IT system. Determine the financial justifications for the IT system.
11. External information-sharing system information. Identify any other IT systems that either supply information to, or receive information from, the IT system under review. Obtain the same information for those systems as you are doing for this system.
12. Business continuity plans. Does your agency have any business continuity plans? If so, obtain copies of these plans.