Appendix 12 Risk Assessment Plan

Similar documents
Appendix 12 Risk Assessment Plan

Appendix 6 Operational Support Systems Change Management Plan

Appendix 6 Operational Support Systems Change Management Plan

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Appendix 5 Operational Support Systems Verification Test Plan

International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management. Frequently Asked Questions

Appendix 5 Operational Support Systems Verification Test Plan

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan

Appendix 2 Part A National Security and Emergency Preparedness (NS/EP) Functional Requirements Implementation Plan (FRIP)

3.0 NETWORX ARCHITECTURE FOR IP-BASED SERVICES (L ) (M.2.1) (a), M.2.1.1(a))

INFORMATION ASSURANCE DIRECTORATE

Appendix 3 Disaster Recovery Plan

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

Information Systems Security Requirements for Federal GIS Initiatives

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Agency Guide for FedRAMP Authorizations

NIST Security Certification and Accreditation Project

FedRAMP Security Assessment Framework. Version 2.0

FedRAMP Security Assessment Framework. Version 2.1

This is to certify that. Chris FitzGerald. has completed the course. Systems Security Engineering _eng 2/10/08

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

Framework for Improving Critical Infrastructure Cybersecurity

Streamlined FISMA Compliance For Hosted Information Systems

Vol. 1 Technical RFP No. QTA0015THA

INFORMATION ASSURANCE DIRECTORATE

SAC PA Security Frameworks - FISMA and NIST

Exhibit A1-1. Risk Management Framework

CCISO Blueprint v1. EC-Council

INFORMATION ASSURANCE DIRECTORATE

FISMAand the Risk Management Framework

3.4 DISASTER RECOVERY (L , M.3.9, comp_req_id 806)

DoDD DoDI

6.2 OPTIONAL SECURITY SERVICES

IASM Support for FISMA

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

3.4 NON-DOMESTIC SERVICES (L )

The Honest Advantage

The NIST Cybersecurity Framework

NETWORX PROGRAM INDIVIDUAL SMALL BUSINESS SUBCONTRACTING PLAN IDIQ TASK ORDER BASED

INFORMATION ASSURANCE DIRECTORATE

3.4 NON-DOMESTIC SERVICES (L )(C.2.1.9)

6.6 INCIDENT RESPONSE MANAGEMENT SERVICES (INRS) (L )

Appendix 2B. Supply Chain Risk Management Plan

INFORMATION ASSURANCE DIRECTORATE

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Ensuring System Protection throughout the Operational Lifecycle

TEL2813/IS2820 Security Management

ROADMAP TO DFARS COMPLIANCE

Physical Security Reliability Standard Implementation

10/12/2017 WHAT IS NIST SP & WHY SHOULD I CARE ABOUT IT? OVERVIEW SO, WHAT IS NIST?

INFORMATION ASSURANCE DIRECTORATE

FiXs - Federated and Secure Identity Management in Operation

INFORMATION ASSURANCE DIRECTORATE

DFARS Cyber Rule Considerations For Contractors In 2018

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE

Cybersecurity Risk Management

New Guidance on Privacy Controls for the Federal Government

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Cybersecurity & Privacy Enhancements

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Appendix 7 Preliminary Transition Management Plan

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Security Management Models And Practices Feb 5, 2008

Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

Enabling Efficient, Consistent Certification and Accreditation Enterprise-Wide

IT-CNP, Inc. Capability Statement

MIS Week 9 Host Hardening

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

The next generation of knowledge and expertise

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) A presentation by Lawrence Feinstein, CISSP

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

Why you should adopt the NIST Cybersecurity Framework

Security Standards for Electric Market Participants

National Policy and Guiding Principles

SECURITY & PRIVACY DOCUMENTATION

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

01.0 Policy Responsibilities and Oversight

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

Cyber Security Program

INFORMATION ASSURANCE DIRECTORATE

Information Security Program

Executive Order 13556

Level Access Information Security Policy

INFORMATION ASSURANCE DIRECTORATE

Data Recovery Policy

Guide to Understanding FedRAMP. Version 2.0

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Solutions Technology, Inc. (STI) Corporate Capability Brief

Fiscal Year 2013 Federal Information Security Management Act Report

David Missouri VP- Governance ISACA

INFORMATION ASSURANCE DIRECTORATE

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

Defining IT Security Requirements for Federal Systems and Networks

NCSF Foundation Certification

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

Threat and Vulnerability Assessment Tool

Appendix 4 Training Plan

Transcription:

Appendix 12 Risk Assessment Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-1 RFP: TQC-JTB-05-0001 December 13, 2006

REVISION HISTORY Revision Number Revision Date Revision Description Revised by A12-2 RFP: TQC-JTB-05-0001 December 13, 2006

TABLE OF CONTENTS Revision History... A12-2 Table of Contents... A12-3 List of Figures... A12-4 1.0 Introduction... A12-5 1.1 Content and Purpose (C.3.3.2.4.2.1.4)... A12-5 1.2 Applicability... A12-7 1.3 Applicable Laws, Regulations and Policies Affecting Networx Network Infrastructure... A12-8 1.4 Technical Approach to Managed Tiered Security Services (MTSS)... A12-10 1.5 Security Risk Management... A12-12 1.6 Reporting Potential Impacts... A12-13 1.7 Security Risk Analysis... A12-13 1.8 Information Security Management... A12-16 A12-3 RFP: TQC-JTB-05-0001 December 13, 2006

LIST OF FIGURES Figure A12-1. Laws, Regulations and Policies Affecting Networx Network Infrastructure... A12-8 Figure A12-2. Risk Mitigation Methodology... A12-15 Figure A12-3. Features and Benefits of Qwest s Networx Security System... A12-16 Figure A12-4. Qwest s Security Policy, Mechanisms and Controls and Measures... A12-16 A12-4 RFP: TQC-JTB-05-0001 December 13, 2006

1.0 INTRODUCTION The Qwest risk management and information security mission is to protect the integrity, confidentiality, and availability of information assets and supporting resources of the network. The Qwest Team will provide all required security controls, network surveillance, network element security management, and managed security solutions, ensuring Qwest meets the Government s security mandates as described within the Networx Universal RFP. The Qwest Team will provide to the Agencies, information security expertise, risk analysis, evaluations, and guidance to ensure Qwest complies with Government policies, standards, and requirements. The Qwest Team focus will be on: 1.1 CONTENT AND PURPOSE (C.3.3.2.4.2.1.4) The purpose of a risk analysis is to identify to the GSA Networx PMO, security vulnerabilities and associated risks that may impact the security posture of Qwest provided Networx services. The Qwest Risk Assessment Plan outlines a risk analysis and subsequent report of the Networx related services, the Networx service infrastructure and OSS. Qwest is not proposing an Agency specific Risk Assessment in addition to a Risk Assessment of our Networx service infrastructure and OSS. A12-5 RFP: TQC-JTB-05-0001 December 13, 2006

The risk analysis process focuses on identifying vulnerabilities within the services infrastructure (e.g., operating system or network element flaws, architectural concerns), as well as enumerating the threats applicable to specific Networx services. Together, this threat model and set of known vulnerabilities provide a clear picture of risk and the specific actions required to manage them appropriately. Qwest will also conduct security control assessments of our Networx domestic/non-domestic subcontractors/partners/suppliers. Working with the CPO Subcontract Manager, the Qwest Networx Security Manager is responsible to ensure the integration of flow down contract language to address process-based security control assessment. This approach will ensure that physical security controls are in place with Qwest's domestic/non-domestic subcontractors, partners, and suppliers who have access to Government information. In addition, Qwest will maintain situational awareness on all subcontractors, partners and suppliers that may handle Government information through the daily monitoring of security related activities, including the re-evaluation and recommendation of security controls. The results will be reported to the Qwest Networx Security Manager who in turn will re-evaluate the risk and impact and effect any necessary control changes. Qwest will keep a log of any of the control changes that will be included in the yearly risk assessment. Through our enterprise Risk Management organization, Qwest has existing processes and the proven expertise to drive this kind of holistic recognition and management of risk. In addition to the services and infrastructure provided by Qwest, such an analysis must also consider the state of information security practice and infrastructure risk present at specific Agency customer locations. Because this risk analysis requires a clear scoping of specific services provided, along with detailed information sharing from the customer, Qwest will prepare a risk assessment report to A12-6 RFP: TQC-JTB-05-0001 December 13, 2006

communicate actions taken to maintain the Government s security environment at an acceptable level of risk for both Qwest and the Government. This will begin within 30 days of the Notice to Proceed, followed by periodic updates according to the customer s requirements. Security risks evolve over time as technologies change, vulnerabilities are discovered, and the threat climate evolves. Through our partnership with the GSA Networx PMO and the Agencies, Qwest will ensure risks are identified and managed in a timely manner according to the customer s requirements. In future Risk Assessment reports for the Government, the following areas will be discussed: 1.2 APPLICABILITY Risk analysis activities, processes, and procedures identified within the risk assessment report will apply to the Government s data, information systems, telecommunications infrastructure, products, and services as identified within the Networx Universal RFP. Beginning within 30 calendar days of the Notice to Proceed, Qwest will provide the Networx PMO a revised Security Plan, including an updated risk assessment report, followed by periodic updates as required. A12-7 RFP: TQC-JTB-05-0001 December 13, 2006

The following sections of this initial risk assessment attachment covers the applicable laws and a general overview of mitigation strategies used by Qwest to mitigate risks, along with recommended actions for Agencies to take where the risk to be addressed has components that lie outside the boundaries of the services provided. 1.3 APPLICABLE LAWS, REGULATIONS AND POLICIES AFFECTING NETWORX NETWORK INFRASTRUCTURE The laws, regulations, and policies shown in Figure A12-1 will be used to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels. Figure A12-1. Laws, Regulations and Policies Affecting Networx Network Infrastructure Law, Regulations and Policies National Institute of Standards and Technology (NIST) Federal Information Processing Standards Publication (FIPS) PUB 140-2 NIST FIPS PUB 199 NIST Special Publications (SP) 800-12 NIST SP 800-14 NIST SP 800-18 NIST SP 800-23 NIST SP 800-26 NIST SP 800-30 NIST SP 800-31 NIST SP 800-34 Purpose Security Requirements for Cryptographic Modules Standards for Security Categorization of Federal Information and Information Systems (Pre-Publication Final) An Introduction to Computer Security: The NIST Handbook Generally Accepted Principles and Practices for Securing Information Technology Systems Guide for Developing Security Plans for Information Technology Systems Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products Security Self-Assessment Guide for Information Technology Systems Risk Management Guide for Information Technology Systems Intrusion Detection Systems (IDS) Contingency Planning for Information Technology Systems A12-8 RFP: TQC-JTB-05-0001 December 13, 2006

Law, Regulations and Policies NIST SP 800-35 NIST SP 800-36 NIST SP 800-37 NIST SP 800-40 NIST SP 800-41 NIST SP 800-42 NIST SP 800-45 NIST SP 800-46 NIST SP 800-47 NIST SP 800-48 NIST SP 800-50 NIST SP 800-51 NIST SP 800-53 NIST SP 800-55 NIST SP 800-59 NIST SP 800-61 NIST SP 800-64 NIACAP (NSTISSI 1000) DoD Information Technology Security Certification and Accreditation Process (DITSCAP) (DoD 5200-40) Purpose Guide to Information Technology Security Services Guide to Selecting Information Technology Security Products Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems Procedures for Handling Security Patches Guidelines on Firewalls and Firewall Policy Guideline on Network Security Testing Guidelines on Electronic Mail Security Security for Telecommuting and Broadband Communications Security Guide for Interconnecting Information Technology Systems Wireless Network Security: 802.11, Bluetooth, and Handheld Devices Building an Information Technology Security Awareness and Training Program Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme Draft Recommended Security Controls for Federal Information Systems Security Metrics Guide for Information Technology Systems Guideline for Identifying an Information System as a National Security System Draft Computer Security Incident Handling Guide Security Considerations in the Information System Development Life Cycle National Information Assurance Certification and Accreditation Process DoD Information Technology Security Certification and Accreditation Process In addition, Qwest adheres to the following standards and acts: E-Government Act of 2002, Title III (Federal Information Security Management Act (FISMA)) T1.276-2003 American National Standard for Telecommunications Operations, Administration, Maintenance, and Provisioning Security A12-9 RFP: TQC-JTB-05-0001 December 13, 2006

Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane All commercially available standards for any applicable underlying access and transport services All new versions, amendments, and modifications made to the above listed documents and standards, when applicable and commercially available Public Law 100-235, Computer Security Act of 1987, January 8, 1988 Bellcore Gr-815, Network Element and Network System Security Homeland Security Presidential Directive / HSPD-5, February 28, 2003 Homeland Security Act of 2002 Public Law 107 296 Qwest Communications Physical Security Construction Standards Qwest Policy and all other applicable Qwest policies and standards designed to address security management 1.4 TECHNICAL APPROACH TO SECURITY ASSESSMENT A12-10 RFP: TQC-JTB-05-0001 December 13, 2006

A12-11 RFP: TQC-JTB-05-0001 December 13, 2006

1.5 SECURITY RISK MANAGEMENT Qwest s security risk analysis processes address infrastructure components, such as routers, Ethernet switches, firewalls, and servers, as well as the processes used to maintain them, along with the environment used to deliver specific security services to Agencies. Networx OSS and Government information stored on or made available by the OSS will be included in the security risk analysis process. Qwest will conduct security risk analysis, reviews, or evaluations of Networx services throughout the life of the contract annually as required in the Networx contract. The objective of these reviews is to provide verification A12-12 RFP: TQC-JTB-05-0001 December 13, 2006

that the controls selected and/or installed provide a level of protection commensurate with the acceptable level of risk for Networx services. By using this comprehensive process, we ensure the security of Networx services does not degrade over time as the technology and the systems evolve, or people and procedures change. Periodic review provides assurance that management, operations, personnel and technical controls are functioning effectively and providing adequate levels of protection. 1.6 REPORTING POTENTIAL IMPACTS Qwest will use FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, which contains the potential impact categorization definitions, (Low, Medium, or High). Qwest will apply these standards to all Networx security analysis activities and risk assessment reports. The application of these definitions must take place within the context of each Agency participating in the Networx contract. 1.7 SECURITY RISK ANALYSIS Qwest security risk analysis responsibilities are assigned to specific technology operational groups within Qwest. A12-13 RFP: TQC-JTB-05-0001 December 13, 2006

As stated in Section C.3.3.2.2.2, security risk analysis, Qwest will conduct annual security risk analysis, reviews, and/or evaluations of Networx services throughout the life of the contract. The objective of these reviews is to provide verification that the controls selected and/or installed provide a level of protection commensurate with the acceptable level of risk for Networx services. All security risk analysis activities will adhere, at a minimum, to the following: NIST SP 800-30, July 2002 NIST SP 800-53, February 2005 Federal Information Processing Standards (FIPS) Publication 199, February 2004 The following flowchart identifies the Qwest Team mitigation methodology used throughout the Networx Security Risk Analysis process. A12-14 RFP: TQC-JTB-05-0001 December 13, 2006

A12-15 RFP: TQC-JTB-05-0001 December 13, 2006

1.8 INFORMATION SECURITY MANAGEMENT Section 4.0 in the Security Plan details Information Security Management controls and processes. summarizes the scope of the Qwest infrastructure security management architecture. Qwest's Network Security System and capabilities provides Networx customers with a high level of confidence in network information security and reliability A12-16 RFP: TQC-JTB-05-0001 December 13, 2006

A12-17 RFP: TQC-JTB-05-0001 December 13, 2006

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback