OVERVIEW (SA-1)

This policy describes the information security requirements for acquiring information systems.

The CISO may exclude certain information systems from this policy if those systems:

  • Do not store or process any customer information
  • Have no impact on other systems that store or process customer information

The System and Information Integrity Policy and Procedure has been developed to keep systems secure once deployed.

IT Management shall keep an Information Systems Inventory (SA001). The inventory shall be updated on a quarterly basis.

A System Risk Assessment (SA002) must be created before any new information system is acquired, when a major change to a system occurs, or when 3 years have elapsed since the last risk assessment. The requirements stated in this policy form the basis of the System Risk Assessment. The System Risk Assessment should also include code review and vulnerability scans as appropriate. Any exceptions noted within the System Risk Assessment must be approved by the CISO.

ALLOCATION OF RESOURCES (SA-2)

IT Management shall work with the CISO to make sure sufficient resources are available for acquiring any new systems. Resources must be sufficient to meet or exceed the requirements stated in this policy.

Given the current size of the business, shared resources are used to manage many different information systems.

SYSTEM DEVELOPMENT LIFE CYCLE (SA-3)

IT Management shall manage information systems using an SDLC (reference: Development Methodology) that incorporates information security considerations:

  • IT Management shall define and document information security roles and responsibilities throughout the SDLC.
  • Integrate the security risk management process into SDLC activities (see Risk Management for more details).
  • The organization shall use the Change Management Process.
  • The organization shall monitor End-of-Life (EoL) and End-of-Support (EoS) dates for systems and services. This ensures that systems and services remain capable of receiving security patches and updates throughout the system development life cycle, and that the organization is prepared to discontinue a system or service once it is no longer supported or its security can no longer be ensured.

ACQUISITION PROCESS (SA-4)

Security functional requirements must be considered as part of the hardware and software acquisition process. IT Management shall be capable of acquiring necessary solutions in an expedient manner in accordance with applicable state or federal laws, directives, policies, regulations, standards, guidelines, and business needs.

IT Management shall ensure the following:

  • Security functional requirements shall include security capabilities, security functions, and security mechanisms.
  • Security strength requirements, based on the security categorization (i.e., Low or Moderate) associated with such capabilities, functions, and mechanisms, shall include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass.
  • Security assurance requirements shall include the following:
    • Development processes, procedures, practices, and methodologies;
    • Evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved.
  • Requirements for protecting security-related documentation.
  • Description of the information system development environment and of the environment in which the system is intended to operate.
  • Acceptance criteria requirements for assessing the ability of a system, system component, or software to perform its intended function.
  • IT Management should ensure that systems under consideration for acquisition are interoperable with any systems currently in use.
  • IT Management shall mitigate risks of exploitation of covert channels by obtaining third-party applications from reputable sources and by protecting the source code in custom developed applications.
  • IT Management shall ensure that non-security functional and technical requirements are also part of the hardware, software, or firmware acquisition process.
  • New system purchases shall meet, at a minimum, current operational specifications and have scalability to accommodate for growth projected by the agency.
  • IT Management shall require developer(s) of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.
  • IT Management shall require developer(s) of an information system, system component, or information system service to identify ports, protocols, and services required for use.

INFORMATION SYSTEM DOCUMENTATION (SA-5)

IT Management is responsible for generating or obtaining access to administrator and user documentation for information systems and components. If unsuccessful in obtaining relevant documentation, IT will reach out to the vendor or relevant manufacturer to obtain it. IT Management is also responsible for distributing documentation to internal end users.

Documentation must include the following:

  • Secure configuration, installation, and operation of the associated systems, components, or services
  • Effective use and maintenance of security functions/mechanisms
  • Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions
  • User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms
  • Methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner
  • The responsibilities the end user has in maintaining the security of the system (e.g., password protection, sharing of information, etc.)

IT Management shall also do the following:

  • Ensure each new or updated system includes supporting system documentation and, where required, technical specifications of the information technology hardware.
  • Create, manage and secure system documentation libraries or data stores so that they are available at all times, and only to authorized personnel.
  • Ensure that system documentation is readily available to support the staff responsible for operating, securing and maintaining new and updated systems.
  • Control system documentation to ensure that it is current and available for purposes such as auditing, troubleshooting and staff turnover.
  • Ensure all documentation of operational procedures is approved by IT Management and reviewed at least annually for accuracy and relevance.

EXTERNAL INFORMATION SYSTEM SERVICES (SA-9)

No federal information is processed or stored in external information systems. The only exception to this is the backup services offered by our hosting partners. All hosting partners must have FedRAMP accreditation.

Also note that contact information for certain Federal employees (e.g., purchasers of our systems) may be stored in external systems for CRM (Customer Relationship Management) purposes.

If an external information system is used at some point, we will perform a security review to ensure that the application meets the information security requirements. As part of this review, SLA/SLM terms and third-party attestations (e.g., ISO 27001) will be evaluated against this policy's requirements.

AUDIT

  • Quarterly Information Systems Inventory Review (SA001)
  • Quarterly Management Review (MR001) includes assessment of the last SA001 and of SA002 (if there are any new systems, major changes to existing systems, or 3 years have elapsed since the last review)
  • Annual Management Review (MR002) includes review of this policy.