Sunday, March 20, 2016

Sample Security Plan Development process

 Sample Security Plan Development process in Federal Agency

The IT Security Program Plan is one of many initiatives to implement the agency's strategic information security vision. IT Security will collaborate with key partners and agencies to centrally gather and document existing programs and to identify areas that require increased attention because their security requirements present challenges. This plan will be agile, yet effective enough to align with the specific needs and assets of an agency and with the security goals and objectives of its valued partners.
As mandated by FISMA, OMB, and the Federal Department, and benefiting from the direction and guidance of NIST and industry best practices, this security plan will provide a framework that addresses industry-standard security areas such as:

  •   Policy and Procedures
  •   IT Internal Control
  •   Training and Awareness
  •   Security Authorization
  •   Information Protection
  •   Security Operations
  •   Continuity of Operations
  •   Incident Response
  •   Access Control
  •   IT Privacy
  •   Security Program Management
  •   Implementing Security Activities into the SDLC
  •   Quality Assurance (QA) and Control
  •   Security Engineering and Architecture
  •   Laws and Regulations
  •   Security Risk Management


There are four goals defined for an agency. Each goal is a high-level accomplishment necessary to achieve the agency CIO's objective to "implement information security practices across the enterprise." Each goal consists of several objectives and initiatives. Objectives are major accomplishments that agency IT Security must reach in order to attain the goal. Initiatives are programmatic endeavors that must be completed in order to attain the stated objectives.

Goal 1: Security Management
IT Security Management will provide oversight of the security activities that protect IT information and assets in support of the Agency mission. Security Management will align and coordinate with Agency OCIO IT governance to establish security project and resource management, QA, policy and procedures, and training and awareness.

Goal 2: Security Risk Management and Compliance
Manage IT security risks by identifying, analyzing, and responding appropriately to security risks that adversely affect agency business objectives; establish an internal controls program to ensure compliance with federal requirements and with internal policies and procedures; and enhance Plan of Action and Milestones (POA&M) oversight.

Goal 3: IT Security Operations
Establish a robust security operations program that allows Agency IT to address organizational and departmental security requirements, create transparency with IT stakeholders, and streamline complex processes to ensure efficient implementation of cost-effective solutions.

Goal 4: Security Architecture and Engineering Management
Support the information security concerns of the Agency and its partners by implementing a strategy dedicated to assuring the security architecture and design of information systems, and by building security into the SDLC process.
