Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Transcription

1 Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

2 Information Security Policy and Procedures Identify Risk Assessment ID.RA Table of Contents Identify Risk Assessment (ID.RA) Overview... 2 Identify and Document Asset Vulnerabilities ID.RA Cyber Threat Intelligence and Vulnerability Information Received from Information Sharing Forums and Sources ID.RA Additional Risk and Compliance Requirements:... 4 Links to Policies, Documentation... 5 Identify and Document Internal and External Threats ID.RA Identify Potential Business Impacts and Likelihoods ID.RA Additional Risk and Compliance Requirements:... 8 Links to Policies, Documentation... 8 Use Threats, Vulnerabilities, Likelihoods, and Impacts to Determine Risk ID.RA Identify and Prioritize Risk Responses ID.RA North Dallas Community Bible Fellowship IT Security Plan - Identify Risk Assessment ID.RA Page: 1

3 Identify Risk Assessment ID.RA Identify Risk Assessment (ID.RA) Overview The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. Identify Risk Assessment functions are: Identify and Document Asset Vulnerabilities ID.RA-1 The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. Cyber Threat Intelligence and Vulnerability Information Received from Information Sharing Forums and Sources ID.RA-2 Cyber threat intelligence and vulnerability information is received from information sharing forums and sources Identify and Document Internal and External Threats ID.RA-3 - Threats, both internal and external, are identified and documented Identify Potential Business Impacts and Likelihoods ID.RA-4 Potential business impacts and likelihoods are identified Use Threats, Vulnerabilities, Likelihoods, and Impacts to Determine Risk ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to determine risk Identify and Prioritize Risk Responses ID.RA-6 Risk responses are identified and prioritized North Dallas Community Bible Fellowship IT Security Plan - Identify Risk Assessment ID.RA Page: 2

4 Identify and Document Asset Vulnerabilities ID.RA-1 The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. Primary Control Reference - NIST SP Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5 CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES - Control: The organization: o a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and o b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organizationdefined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. o Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. o Control Enhancements: None. o References: NIST Special Publications , , A, North Dallas Community Bible Fellowship IT Security Plan - Identify Risk Assessment ID.RA Page: 3

5 Cyber Threat Intelligence and Vulnerability Information Received from Information Sharing Forums and Sources ID.RA-2 Cyber threat intelligence and vulnerability information is received from information sharing forums and sources Primary Control Reference - NIST SP Rev. 4 PM-15, PM-16, SI-5 PM-1 INFORMATION SECURITY PROGRAM PLAN - Control: The organization: o a. Develops and disseminates an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS - Control: The organization establishes and institutionalizes contact with selected groups and associations within the security community: o a. To facilitate ongoing security education and training for organizational personnel; o b. To maintain currency with recommended security practices, techniques, and technologies; and o c. To share current security-related information including threats, vulnerabilities, and incidents. o Supplemental Guidance: Ongoing contact with security groups and associations is of paramount importance in an environment of rapidly changing technologies and threats. Security groups and associations include, for example, special interest groups, forums, professional associations, news groups, and/or peer groups of security professionals in similar organizations. Organizations select groups and associations based on organizational missions/business functions. Organizations share threat, vulnerability, and incident information consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related control: SI-5. o Control Enhancements: None. o References: None ADDITIONAL RISK AND COMPLIANCE REQUIREMENTS: erisk Self-Assessment North Dallas Community Bible Fellowship IT Security Plan - Identify Risk Assessment ID.RA Page: 4

6 o 4.3) Are all employees formally instructed on their specific responsibilities with respect to information security, such as the proper reporting of suspected security incidents and other due care tasks? PCI Compliance Requirements o TBD Texas House Bill 300 and HIPAA Requirements o HIPAA Security Rule 45 C.F.R. TBD LINKS TO POLICIES, DOCUMENTATION TBD TBD North Dallas Community Bible Fellowship IT Security Plan - Identify Risk Assessment ID.RA Page: 5

7 Identify and Document Internal and External Threats ID.RA-3 Threats, both internal and external, are identified and documented Primary Control Reference - NIST SP Rev. 4 North Dallas Community Bible Fellowship IT Security Plan - Identify Risk Assessment ID.RA Page: 6

8 Identify Potential Business Impacts and Likelihoods ID.RA-4 Potential business impacts and likelihoods are identified Primary Control Reference - NIST SP Rev. 4 PM-9, PM-11 PM-9 RISK MANAGEMENT STRATEGY - Control: The organization: o a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; o b. Implements the risk management strategy consistently across the organization; and o c. Reviews and updates the risk management strategy [Assignment: organizationdefined frequency] or as required, to address organizational changes. o Supplemental Guidance: An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization s risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive. Related control: RA-3. Control Enhancements: None. o References: NIST Special Publications , MISSION/BUSINESS PROCESS DEFINITION - Control: The organization: o a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and o b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained. o Supplemental Guidance: Information protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, or the Nation through the compromise of information (i.e., loss of confidentiality, integrity, or availability). Information protection needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy. Information protection needs determine the required security controls for the organization and the associated information systems supporting the mission/business processes. Inherent in defining an organization s information protection needs is an understanding of the level of adverse impact that could result if a compromise of information occurs. The security categorization process is used to make such potential impact determinations. Mission/business process definitions and associated information protection requirements are documented by the organization in North Dallas Community Bible Fellowship IT Security Plan - Identify Risk Assessment ID.RA Page: 7

9 accordance with organizational policy and procedure. Related controls: PM-7, PM-8, RA-2. o Control Enhancements: None. o References: FIPS Publication 199; NIST Special Publication ADDITIONAL RISK AND COMPLIANCE REQUIREMENTS: erisk Self-Assessment o TBD PCI Compliance Requirements o TBD Texas House Bill 300 and HIPAA Requirements o HIPAA Security Rule 45 C.F.R (a)(1), (b) LINKS TO POLICIES, DOCUMENTATION TBD TBD North Dallas Community Bible Fellowship IT Security Plan - Identify Risk Assessment ID.RA Page: 8

10 Use Threats, Vulnerabilities, Likelihoods, and Impacts to Determine Risk ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to determine risk North Dallas Community Bible Fellowship IT Security Plan - Identify Risk Assessment ID.RA Page: 9

11 Identify and Prioritize Risk Responses ID.RA-6 Risk responses are identified and prioritized North Dallas Community Bible Fellowship IT Security Plan - Identify Risk Assessment ID.RA Page: 10