Some security practices in the listing below may not reference an organization's affiliation; these practices are provided in a generic format. Document icons specify the type of file format (e.g., MS Word, PDF, text file). The right column contains the document title. The left column contains the date when the file was posted to this page.
Maintains a record of system activity by system or application processes and by user activity.
Provides a form of assurance of the security of the system.
|Information Security Certification & Accreditation (C&A) Program Procedures - (CMS)||07/01/09|
|Plan of Action & Milestones (POA&M) Guidelines - (CMS)||07/01/09|
|Bridge Accreditation Process - (Centers for Disease Control and Prevention (CDC))||06/26/09|
|Plan of Action and Milestones (POA&M) Template - (CDC)||06/26/09|
|IA Cost Model Template - (US Coast Guard)||05/15/09|
|C&A Stakeholder Quarterly Training||04/16/08|
|C&A Document Tracker||04/16/08|
|C&A Comments Matrix||04/16/08|
|C&A Boundary/Scope Memorandum||04/16/08|
|Baseline System Information - (CDC)||10/18/06|
|Information Technology Security Test and Evaluation Guide - (Department of Health and Human Services)||05/04/06|
|NIST 800-37 Risk Management & Certification and Accreditation Tasks - (TSA)||09/14/04|
How to keep an organization's critical functions operating in the event of disruption, large and small.
|Contingency Plan Procedure - (CMS)||07/01/09|
|Contingency Plan Template - (CMS)||07/01/09|
|Contingency Plan Tabletop Test Template - (CMS)||07/01/09|
|Contingency Plan Template||04/16/08|
|System and Data Backups - (FCC)||12/29/04|
|Contingency Planning Template - (DOJ)||07/03/03|
Activities include configuration management and control of information system components, security impact analysis of changes to the system, ongoing assessment of security controls, and status reporting.
|Continuous Monitoring Training||04/16/08|
Controls used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets expectations about its quality and integrity.
|Viruses 101 - (FCC)||07/03/03|
Controls used to monitor the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record is maintained of changes.
Technical measures that prevent unauthorized people (or unauthorized processes) from entering an IT system.
|Password Protection - (FCC)||07/03/03|
|Creating Strong Passwords - (FCC)||07/03/03|
Capability to provide help to users when a security incident occurs in a system.
|Incident Handling and Breach Notification Analysis/Notification Procedure - (CMS)||07/01/09|
|Incident Reporting Template - (CMS)||07/01/09|
|Business Continuity Plan Format Guide - (Centers for Disease Control and Prevention (CDC))||06/26/09|
|Business Continuity Plan Functional Test After-Action Report - (CDC)||06/26/09|
|Business Continuity Plan Tabletop Test After-Action Report - (CDC)||06/26/09|
|Procedures and Techniques for Prevention of and Recovery From Fast Spreading Malware - (EEOC)||11/18/04|
|VA Central Incident Response Capability (VA-CIRC) - (Department of VA)||06/15/04|
IT system life cycles contain five basic phases: initiation, development and/or acquisition, implementation, operation, and disposal.
|The Project Manager's View of Security Processes Over the System Development Life Cycle - (Dept. of VA)||11/18/04|
System-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted.
Secure communication capability that allows one user or system to connect to another user or system.
|Categorization and Firewall Worksheet - (Centers for Disease Control and Prevention (CDC))||06/26/09|
|Social Networking Website Security Mitigation - (CDC)||06/17/09|
|Social Media Site Review Plan - (CDC)||06/17/09|
|Combined Hardware/Software Solutions to Malware and SPAM Control - (US Equal Employment Opportunity Commission)||11/15/05|
|Cyber Security Infrastructure Project (ECSIP) - (Department of VA)||06/15/04|
|Lessons Learned - Phishing Attacks - (Department of Treasury)||06/14/04|
|Cookies - (FCC)||07/03/03|
|E-Mail Hoaxes and Scams - (FCC)||07/03/03|
|E-Mail Spam - (FCC)||07/03/03|
Involves human users, designers, implementers and managers and how they interact with computers and the access and authorities they need to do their jobs.
|National Security Clearance Requirement for CIOs and ITSOs - (Department of Commerce)||10/22/10|
|Information System Security Critical Elements for Performance Plans (PART 1 of 4 files, see below for part 2-4) - (Department of Commerce)||10/22/10|
|Information System Security Critical Elements for Performance Plans (PART 2 of 4 files) - (Department of Commerce)||10/22/10|
|Information System Security Critical Elements for Performance Plans (PART 3 of 4 files) - (Department of Commerce)||10/22/10|
|Information System Security Critical Elements for Performance Plans (Part 4 of 4 files, see above for part 1-3) - (Department of Commerce)||10/22/10|
|National Security Information Critical Element for Performance Plans - (Department of Commerce)||10/22/10|
|Rules of Behavior for Social Networking Usage - (Centers for Disease Control and Prevention (CDC))||06/17/09|
|Security Clearance and User ID Request - (Department of Education)||06/15/04|
|Identity Theft - (FCC)||07/03/03|
|FCC Personal Use - (FCC)||07/03/03|
|Policy on Limited Personnel Use of Government Office Equipment - (EPA)||04/08/03|
Measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment.
|Site Survey of Data Center - (CFTC)||06/15/04|
|Securing Portable Electronic Media - (FCC)||07/03/03|
Formally documented security policies and procedures.
|Policy for the Acceptable Use of Desktop/Laptop and Other IT Resources - (CMS)||07/01/09|
|Rules of Behavior for Connection to Networks - (CMS)||07/01/09|
|Information Security Terms, Definitions and Acronyms - (CMS)||06/30/09|
|CDC Wireless Security Policy - Centers for Disease Control and Prevention (CDC)||TBA|
|Use of CDC Information Technology Resources - Centers for Disease Control and Prevention - (CDC)||06/26/09|
|Information Technology Security Policy Handbook Version 3.1 - (DOI)||09/25/08|
|Handbook for General Support Systems and Major Applications Inventory Procedures - (Department of Education)||04/07/06|
|U.S. Customs AIS Security Policy Manual CIS HB 1400-05 - (U.S. Customs)||11/13/03|
|Administrative Policies and Procedures Manual - (National Labor Relations Board)||07/03/03|
|Rules of Behavior - (FCC)||07/03/03|
Covers topics ranging from a user help desk to procedures for storing, handling and destroying media.
|USB Flash Drive Security - (Office of Government Ethics)||05/04/06|
|Media Sanitization Procedures - (NIST)||12/08/03|
Overall scope of the program (i.e., PDs, policies, and security program plans and guidance).
|Policy for Information Security - (CMS)||06/30/09|
|Policy for the Information Security Program - (CMS)||06/30/09|
|FISMA Security Assessment Report for FY 07||12/10/07|
|System Inventory Template||05/25/06|
|Information Security Program, Plan of Action and Milestones Guide - (Department of Health and Human Services)||05/04/06|
|Information Security Program - Health Insurance Portability and Accountability Act (HIPAA) Compliance Guide, September 14, 2005||01/17/06|
|Information Security & FISMA - (National Labor Relations Board)||09/10/04|
|FISMA Reporting Project - (Department of VA)||06/15/04|
Routine evaluations and response to identified vulnerabilities.
|Security Assessment Summary Template||04/16/08|
|Security Test & Evaluation Template||04/16/08|
|PII Security Controls Assessment Plan Template - (Department of Commerce)||07/28/06|
|Spreadsheet of SP 800-53 Controls - (Commodity Futures Trading Commission)||06/21/06|
The process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.
|Risk Mitigation Worksheet - (Centers for Disease Control and Prevention (CDC))||06/26/09|
|Risk Calculation Worksheet - (CDC)||06/26/09|
|Risk Assessment Report - (CDC)||06/26/09|
Improves awareness of the need to protect system resources, and develops the skills and knowledge computer users need to perform their jobs more securely and build in-depth knowledge.
|Policy on Information System Security Training for Significant Roles - (Department of Commerce)||10/22/10|
|January Newsletter - (Minerals Management Service, DOI)||03/12/09|
|December Newsletter - (Minerals Management Service, DOI)||03/12/09|
|Stop - Think - Click: 7 Practices for Safer Computing - (FTC)||02/24/06|
|Cyber Security Practitioner Professionalization (CSPP) - (Department of VA)||06/15/04|
|Social Engineering - (FCC)||07/03/03|
|ISSO Course Slides (to be used with participant book and instructor guide)||04/01/03|
|ISSO Course Participant Book (to be used with ISSO course slides and instructor guide)||04/01/03|
|ISSO Course Instructor Guide (to be used with ISSO course slides and ISSO course participant book)||04/01/03|
|Information Security Briefing for Executives||03/24/03|
|Information Security Briefing for Managers||03/24/03|
|Risk Assessment and Security Plan Course Slides - (Centers for Medicare & Medicaid Services)||03/24/03|
Provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements.
|SSP Workbook for High Impact Level Systems - (CMS)||06/30/09|
|SSP Workbook for Moderate Impact Level Systems - (CMS)||06/30/09|
|SSP Workbook for Low Impact Level Systems - (CMS)||06/30/09|
|SSP Workbook for e-Authentication Level 1 - (CMS)||06/30/09|
|SSP Workbook for e-Authentication Level 2 - (CMS)||06/30/09|
|SSP Workbook for e-Authentication Level 3 - (CMS)||06/30/09|
|SSP Workbook for e-Authentication Level 4 - (CMS)||06/30/09|
|SSP Workbook Instructions - (CMS)||06/30/09|
|System Security Plan Procedure - (CMS)||06/30/09|
|Interconnection Security Agreement (ISA) Template - (CMS)||06/30/09|
|Memorandum of Understanding (MOU) Template - (CMS)||06/30/09|
|System Security Plan Template - (CMS)||06/30/09|
|System Security Plan Template - (Centers for Disease Control and Prevention (CDC))||06/26/09|
|Enterprise Master System Security Plan - (CDC)||06/26/09|
|Security Plan Template for Moderate Impact Systems||04/16/08|
* These submissions were first collected by the Federal CIO Council for their Best Security Practices initiative. That material was later passed to NIST's Computer Security Division.