Sample Security Plan Development Process in a Federal Agency
The IT Security Program Plan is one of many initiatives to implement the agency's strategic information security vision. IT Security will collaborate with key partners and agencies to centrally gather and document existing programs and to identify areas that require increased attention based on requirements and security challenges. This plan will be agile, yet effective enough to align with the specific needs and assets of an agency and with the security goals and objectives of its valued partners.
As mandated by FISMA, OMB, and federal department requirements, and benefiting from the direction and guidance of NIST and industry best practices, this security plan will provide a framework that addresses industry-standard security areas such as:
- Policy and Procedures
- IT Internal Control
- Training and Awareness
- Security Authorization
- Information Protection
- Security Operations
- Continuity of Operations
- Incident Response
- Access Control
- IT Privacy
- Security Program Management
- Implementing Security Activities into the SDLC
- Quality Assurance (QA) and Control
- Security Engineering and Architecture
- Laws and Regulations
- Security Risk Management
There are four goals defined for an agency. Each goal is a high-level accomplishment necessary to achieve the agency CIO's objective to "implement information security practices across the enterprise." Each goal consists of several objectives and initiatives. Objectives are major accomplishments that agency IT Security must reach in order to attain the goal. Initiatives are programmatic endeavors that must be completed in order to attain the stated objectives.
Goal 1: Security Management
IT Security Management will provide oversight of security activities that protect IT information and assets in support of the Agency mission. Security Management will align and coordinate with Agency OCIO IT governance to establish security project and resource management, QA, policy and procedures, and training and awareness.
Goal 2: Security Risk Management and Compliance
Manage IT security risk by identifying, analyzing, and responding appropriately to security risks that adversely affect agency business objectives; establish an internal controls program to ensure compliance with federal requirements and internal policies and procedures; and enhance Plan of Action and Milestones (POA&M) oversight.
Goal 3: IT Security Operations
Establish a robust security operations program that allows Agency IT to address organizational and departmental security requirements, create transparency with IT stakeholders, and streamline complex processes to ensure efficient implementation of cost-effective solutions.
Goal 4: Security Architecture and Engineering Management
Support the information security concerns of the Agency and its partners by implementing a strategy dedicated to assuring the security architecture and design of information systems and to building security into the SDLC process.