Security Plans

1.0 Identification Data
1.1 BSP Number
00002
1.2 BSP Title/Name
Developing Security Plans at USAID Missions
1.3 Version Number
2.0
1.4 Adoption Date
January 23, 2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee (SPS)
1.6 Responsible Organization
United States Agency for International Development (USAID) Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team
1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported
In the Security Process Framework:
  • (2.1.1.1.3) Prepare a system security plan

In the SSE CMM Framework:

  • (PA-09) Provide Security Input

In the OMB A-130 Appendix III, Section A:

  • (3.a.3) Review of Security Controls
1.9 Reserved
Not to be completed by the drafter
1.10 Points of Contact
Government BSP Owner:
  • James P. Craft, CISSP
    USAID Information Systems Security Officer
    Ronald Reagan Building
    1300 Pennsylvania Ave., Suite 2.12-032
    Washington DC 20523-2120
    Telephone No - 202-712-5460
    Fax No. - 202-712-3053
    E-mail - jcraft@usaid.gov
    Or: cassistance@usaid.gov

Vendor Partner:

2.0 What This BSP Does
2.1 BSP's Purpose
This BSP provides instructions for USAID missions to develop security plans for general support systems and major applications within the cyber-security assistance visit process. USAID IRM security has developed an office automation tool (security plan template) to assist with the security plan development. The tool is a Word 97 document and is designed to meet the requirements of OMB Circular A-130, Appendix III. The tool was constructed before NIST Special Publication 800-18 was made available.

The security plan template provides sample text throughout the document that is to be modified to identify the specific security specifications of the system or application being defined. The title of each section requiring modification contains highlighted text denoting an imbedded comment. Moving the mouse arrow over the highlighted text causes a comment box to appear with information identifying or clarifying the requirements for that section. Users are to modify each section with security specifications specific to their systems or applications based on the requirements identified in the comments.

A list of files associated with the automated tool is contained in Section 4.4 of this BSP, under the heading Tools’. A brief description is also included to help users (System/Application Owners) in creating their own specific security plan.

2.2 Requirements for this BSP
OMB A-130 Appendix III, Section A.3a.3 states:

"Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system. Depending on the potential risk and magnitude of harm that could occur, consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act (FMFIA), if there is no assignment of security responsibility, no security plan, or no authorization to process for a system."

2.3 Success Stories
Below is correspondence from an organization expressing appreciation for raising security posture at their location through the use of this Risk Assessment Review Process.

Subj: COMPUTER SECURITY TEAM VISIT

Source: David Bayer, USAID Peru Executive Office

If you have the opportunity to have the Information Systems Security Officer (ISSO) Jim Craft and his Risk Assessment Program Area Manager, Rodney Murphy, visit your Mission with their team of computer security experts, then take advantage of it. They did one hell of a job during their February visit with us at USAID/Peru in getting us up to speed and raising our level of consciousness about security issues. This is not to say that our dedicated IRM staff, led by Systems Manager, Lucho Figueroa, have not been working their hearts out to get us into shape, but it is a real injection of energy to have professional people like Jim, Rodney, John Zoble, Mike Reiter and Steve Bui come in and sit down to review your Computer Security Program and Computer Contingency Plan with you.

In addition, they trained some 80 employees to become aware of computer security pitfalls.

And last but not least, they have given us some key advice and methods for closing out some computer security audit issues which are not only USAID/Peru exposures but endemic to all Missions worldwide.

Computer security is becoming an important issue in for USAID and all organizations. In this environment, new security standards and having a formal security program in each overseas Mission is very important.

USAID/Peru was selected as a Beta site to define the model/templates for the Computer Security Program to be applied in all overseas Missions.

Starting February 19 to February 25, during five workdays, a Computer Security Team belonging to the IRM/ Security Group was in Lima. The team had five members. Jim Craft acted as the team Leader.

Computer Security is a dynamic activity and demands coordination and permanent follow-up. The Computer Security Team's role in the implementation of the Computer Security Program in each Mission is critical. Computer Security activity involves the entire USAID organization, starting from Washington and reaching out worldwide to all Missions. If one Mission security system fails, it endangers the entire USAID organization.

3.0 What This BSP Is
3.1 Description of BSP
A standard format for presenting the results of the security planning process at any USAID site is described here, along with a library of reference material. These resources are to be combined to produce a durable approach to the security needs of USAID Mission locations throughout the world.
3.1.1 Inputs (see Section 4.4, Tools)
  1. Security Plan Template
  2. Cover sheet for the USAID ADS-Section 545
  3. USAID Sensitive-But-Unclassified Policy
  4. List of security plan associated hardware
  5. List of security plan associated software
  6. Security Compliance Checklists
  7. Emergency Readiness Evaluation checklist
3.1.2

Process

Using the sample document of the cyber-security assist visit In-Briefing presentation and the information gathered during the planning activities, develop a comprehensive In-Briefing to be presented to the appropriate management/staff of the organization undergoing the Risk Assessment Review.

Step 1. Identify the systems and applications that require Security Plan documentation.

Step 2. Apply the security plan template to each system and application identified for Security Plan documentation. Users modify each section of the template with security specifications particular to their systems or applications based on the requirements identified in the ‘comments’ section of the template. (The title of each section requiring modification contains highlighted text signaling an attached comment. By moving the mouse arrow over the highlighted text, a comment box will appear with specific information identifying or clarifying the requirements for that section).

Complete a Security Compliance Checklist for each file server identified in the security planning document. These Security Compliance Checklists contain specific requirements associated with the operating system software configuration on each server.

Complete an Emergency Readiness Evaluation checklist for each system/application being evaluated. The Emergency Readiness Evaluation checklist is used to verify the status of Continuity of Operations Planning associated with the system/application.

3.1.3

Outputs

The process builds a security plan for each USAID general support system and major application that will meet the requirements specified by OMB A-130 Appendix III, associated with security plans.

3.2 Relationship to Other BSPs
The cyber-security assistance visit process comprises several sub-processes, one of which is the development of a Security Plan. More relationships will be added as additional BSPs are submitted.
4.0 How To Use This BSP
4.1 Implementation Guidance
Having the Administrator of the system being reviewed work closely with the Risk Assessment team members in developing the Security Plan can enhance the efficiency of this process.
4.2 Implementation Resource Estimates
Personnel: Operating System Administrator or knowledge equivalent.

Time per System/Application: Depends on the size of the system; approximately 40 hours to complete the Security Plan template, the Security Compliance checklist, and the Emergency Readiness Evaluation checklist.

Preparation Time up-front: Depends on the time required to identify systems and applications, and to gather the requisite security specifications information for each system and application; approximately 40 hours for each system and application.

4.3 Performance Goals and Indicators (Metrics)
General Goal: To eliminate the security vulnerabilities associated with the configuration of the organization’s systems/applications and develop a security plan to maintain the proper security posture for these systems/applications.

Performance Goal: To develop a Security Plan for all USAID general support and major applications.

Outcome Goal: Security Plans developed during a Risk Assessment Review will comply with OMB A-130 Appendix III.

Output goal: An OMB A-130 Appendix III compliant Security Plan.

General Objective: To identify and document the security posture of the USAID general support systems and major applications. This information can assist Senior Management in making appropriate security related decisions.

Performance Indicator: Document the existence of a Security Plan for each USAID general support and major application.

4.4 Tools
The tools used to perform the BSP for Security Plan Development within the Risk Assessment Review are:
  • Security Plan Template - A Word 97 document constructed in the format of a Security Plan. The document is formatted according to OMB A-130, Appendix III requirements. Once modified to include system/application specific requirements, the finished document will meet the requirements associated with security plans.
  • Appendix A – Glossary - A glossary of security terms used within the security planning document.
  • Appendix B - Reference List - A list of references used in the development of the security planning document.
  • Appendix C – Cover Sheet A cover sheet for the USAID ADS-Section 545, Automated Information Systems security document. This appendix is not included in this package, it can be accessed from the USAID Web site.
  • Attachment 1 – USAID Sensitive But Unclassified Policy
  • Attachment 2 – Sample List of Hardware A sample list of hardware associated with the system/application identified in the security plan.
  • Attachment 3 – Sample List of Software A sample list of software associated with the system/application identified in the security plan.
  • Attachment 4 – Checklists - Security Compliance Checklists containing specific requirements associated with the operating system software configuration on each server. One of these should be completed for each file server identified in the security planning document. Files:
  • Attachment 5 – Emergency Readiness Evaluation Checklist - A checklist used to verify the status of Continuity of Operations Planning for the system/application. This checklist should be completed for each system/application being evaluated.
4.5 Training Materials
None Applicable.
Appendices
A Executive Overview and Briefing
Editor's Note: See Appendix A *.ppt briefing
B Reference List
NIST Special Publication 800-18 (.pdf format)
C Procurement Information
The United States Agency for International Development (USAID) has contracted for general IRM support with Computer Sciences Corporation (CSC) under the Agency's Principle Resource for Information Management Enterprisewide (PRIME) contract (GS00K96AJD0012) with FEDSIM. USAID obtains its information system security support from CSC under the PRIME contract using the Performance Work Statement (PWS) at Appendix C *.doc.
D Evaluation Information
Not yet evaluated
E Recommended Changes
BSP 0002, Version 1.0 was reviewed after conducting cyber-assistance visits to Phnom Penh, Cambodia and Manila, Philippines during November and December 2000. Review determined need to revise time estimates in Section 4.2, from 4 hours to 40 hours.
F Glossary
None applicable