Scottish Pride Inc.

Office of Information Services

Scottish Pride Licensing Application (SPLA)

Continuous Monitoring Plan

Version 1.0

May 28, 2013

Scottish Pride Scottish Pride Licensing Application
Office of Information Services Continuous Monitoring Plan

DOCUMENT CONTROL

Change Record

Date / Author / Version / Change Reference

Quality Review History

Date / Reviewer / Comments

Approval Sign-off

Name / Role / Signature / Date

Table of Contents

1background

1.1Purpose

1.2Security Framework System Development Lifecycle (SDLC)

1.3Objective

1.4Risk

1.5Benefits

2Requirements for Continuous monitoring

2.1Configuration Management and Control

2.2Security Control Monitoring

2.3Status Reporting and Documentation

3Security Controls monitoring

Appendix A – responsibilities

Appendix B – annual required security controls

Appendix C – year-2 required security controls

Appendix D – Year-3 Required Security Controls

List of Tables

Table 1: SPLA Security Controls Assessment

List of Figures

Figure 1: Security Framework System Development Life Cycle

1background

1.1Purpose

Continuous monitoring is one of six steps in the Risk Management Framework described in NIST Special Publication 800‐37, Revision 1, Applying the Risk Management Framework (RMF) to Federal Information Systems (February 2010). (See Figure 1 below). The purpose of a continuous monitoring program is to determine if the complete set of planned, required, and deployed security controls within an information system or inherited by the system continue to be effective over time in light of the inevitable changes that occur. Continuous monitoring is an important activity in assessing the security impacts on an information system resulting from planned and unplanned changes to the hardware, software, firmware, or environment of operation.

Agency for Enterprise Information Technology Office of Information Security (AEIT/OIS) highly recommends agencies implement best practices identified in Florida Information Technology Resource Security Policies and Standards identified in 71A-1.001-.010, F.A.C. by formally developing a Continuous Monitoring Plan in accordance to NIST Special Publication (SP) 800-37 Revision 1. The Agencies must categorize all systems, identify and resolve risks, develop low-level and moderate-level system security plans, submit moderate-level systems for Security Authorization, perform continuous monitoring, and conduct annual reviews on the effectiveness of all security controls. This process, developed by NIST, is known as the Security Framework System Development Lifecycle (SDLC).

1.2Security Framework System Development Lifecycle (SDLC)

The process to comply with AEIT/OIS moderate-level system security is documented in the Security Framework System Development Lifecycle in Figure 1. This SDLC addresses the steps towards compliance with the Agency for Enterprise Information Technology Office of Information Security (AEIT/OIS) directives on information systems security and state and federal laws.

Risk Assessments (RA) are promulgated under the AEIT/OIS directives on information systems security and the guidelines established by NIST Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. AEIT requires Scottish Pride to implement a risk-based program for cost-effective Information Technology (IT). All business processes operate with some level of risk and one of the most effective ways to protect these business processes is through the implementation of effective internal security controls, risk evaluation, and risk management (RM).

A risk assessment is required before initiating Step 1 of the Security Framework System Development Lifecycle to establish a baseline indicating the risks to system resources in the areas of Management, Operational, and Technical controls. Risks should be assessed in the following areas: natural, environmental, human intentional and human unintentional threats.

This plan only follows Step 8 in the Security Framework System Development Lifecycle.

  • Step 1 System categorization was performed prior to the development of the SSP
  • Step’s 2-3 will be completed in the development of the SSP
  • Step 4 Comprehensive risk assessment will be performed by an independent third-party assessor
  • Step 5Certification and Accreditation package/approval will be performed by an independent third-party authorizing authority identified by the CIO

1.2.1Step 6 - Continuous Monitoring Plan

Step 6 is the development of the Continuous Monitoring Plan which provides oversight and monitoring of the security controls in the information system on an ongoing basis. The Continuous Monitoring Plan also describes the Agency’s procedural requirements and responsibilities for implementation of the NIST SP 800-53 Revision 2, CA-7.

Continuous Monitoring security control for the Scottish Pride information system. Continuous Monitoring begins after the system has been certified and accredited for operations, and the activities in this plan are performed continuously throughout the life cycle of the information system. The plan informs the CIO when changes occur that may have an impact on the security of the system. The continuous monitoring plan will include:

  • Continuous monitoring validation through spot checks, continuous scans, and documentation updates
  • Configuration management and control processes for the information system
  • Security impact analysis on actual or proposed changes to the information system
  • Assessment of selected security controls based on continuous monitoring strategy
  • Security status reporting

1.3Objective

The objective of the continuous monitoring plan is to develop a strategy and implement a plan for the continuous monitoring of Scottish Pride Licensing Application (SPLA) security control effectiveness taking into account any proposed/actual changes to the information system or its environment of operation. Furthermore, the Continuous Monitoring Plan should:

  • Be integrated into the agency’s SDLC processes
  • Address the security impacts on information systems resulting from changes to the hardware, software, firmware, or operational environment
  • Provide an effective mechanism to update the SSP, RA reports, and POA&M
  • Track the security state of the information system on a continuous basis
  • Maintain the security authorization for the system over time in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and mission/business processes

1.4Risk

Failure to meet compliance may put Scottish Pride in harm for further security issues. Furthermore, non-compliance with AEIT/OIS directives and Florida Statutes create a risk of losing critical program and system resource funding.

1.5Benefits

With a compliant monitoring program, Scottish Pride becomes more efficient in their operations, and most importantly, more secure. In addition to reaping the benefits of strong controls and the ability to deliver continuous compliance with current and emerging regulations, Scottish Pride will be able to:

  • Reduce risk, cost and increase efficiency
  • Create a consistent, agency-wide view of the current security posture; creating ties between program activities such as assessment and remediation and showing business unit managers at all agency levels exactly where they stand in addressing security issues
  • Develop automated and integrated IT processes reducing burden on administrative staff and improving business effectiveness
  • Improve agency planning and strategic decision making
  • Create and enforce configuration management standards, and identification of risks to all systems

Figure 1: Risk Management Framework

2Requirements for Continuous monitoring

Continuous Monitoring is composed of three tasks: (1) Configuration Management and Control, (2) Security Control Monitoring, and (3) Status Reporting and Documentation. The tasks can further be broken down into nine subtasks which are described below. The goal of the Continuous Monitoring phase is to maintain SPLA’s authorization to operate after certification and accreditation has been granted. This goal is achieved through activities which provide ongoing, near-real time risk management and operational security such as monitoring SPLA, ensuring SPLA operates in a secure fashion and reporting status to appropriate Scottish Pride personnel.

2.1Configuration Management and Control

Configuration Management and Control consists of developing SPLA’s monitoring plan, monitoring SPLA for changes, and analyzing changes to determine security impact. The System Owner shall implement the details of tasks involved in these activities identified as:

  • Subtask 1: Security Control Monitoring Strategy - Develop a strategy for the continuous monitoring of security control effectiveness and any proposed/actual changes in SPLA including hardware, software, firmware, and surrounding environment
  • Establish a strict configuration management process to support continuous monitoring activities
  • Define the methodology for conducting security impact analyses to determine the extent to which proposed changes to SPLA or its operating environment will affect the security state of SPLA
  • Determine how many subsets of security controls will be assessed during the authorization period, which security controls will be included in each subset, and the schedule according to which the security control subsets will be assessed
  • Determine the tools that will be used in assessing security controls. For example, Security Content Automation Protocol (SCAP)-validated products should be used to verify whether the security configuration settings of various products comply with government standards, guidance, and policies
  • Document the continuous monitoring strategy
  • Obtain approval for the continuous monitoring plan and strategy from the CIO and ISM
  • Subtask 2: System and Environment Changes - Analyze and document the proposal or actual changes to SPLA (including hardware, software, firmware, and surrounding environment) to determine the security impact of such changes
  • Document any relevant information about proposed changes to the hardware, software, and firmware components, SPLA’s operating environment, or Scottish Pride’s policies, procedures, or guidance
  • Document actual changes to SPLA collecting the same information as the proposed changes so that the actual changes can be analyzed and appropriate Scottish Pride personnel can determine whether or not the actual change can remain in SPLA
  • Subtask 3: Security Impact Analysis - Determine the security impact of the proposed or actual changes to SPLA or the environment of operation in accordance with the security control monitoring strategy
  • Analyze each proposed/actual change to SPLA to determine what impact, if any, the change has on the security posture of the system
  • Monitor compliance of SPLA component’s configuration. If SPLA contains information technology components for which there exists SCAP-validated tools, those tools should be used to monitor the component’s configuration
  • Document the results of the security impact analysis and share the results with the Information System Security Officer (ISSO), Information Security Manager (ISM), and Chief Information Officer (CIO)using an approved format
  • Determine if remediation actions or other changes to SPLA are necessary based on the security impact analysis, determine the impacts of the actions or other changes, and document them in the Plan of Action and Milestones (POA&M)
  • If the analysis determines that there is a significant change requiring reaccreditation of SPLA, report SPLA security status to the ISSO, CIO and ISM

The first step is to establish a security control monitoring strategy to select which security controls to monitor and how to monitor them effectively. Selection of security controls for monitoring should take into consideration the importance of the security control to SPLA and Scottish Pride. Monitoring of security controls can be done in three ways:

  1. Automated processes – Vulnerability Scanners, Web Application Scanners, Patch Management software, Security Information and Event Management software and Information Security Automation Program (ISAP) / Security Content Automation Protocol (SCAP) tools
  2. IT management systems – Information Technology Infrastructure Library (ITIL), Capability Maturity Model Integration (CMMI) or other change management solutions
  3. Periodic audits – Auditing of sets of security controls on a regular basis

When a new or proposed change is identified, Scottish Pride security staff should provide feedback to the ISSO when changes could affect the security state. Effort spent identifying and analyzing changes should be commensurate with the security priority of SPLA and the risk system changes might incur. Documentation of SPLA changes should inform the System Owner and also be reflected in System Security Plan (SSP) updates, POA&M updates, and status reports to other appropriate Scottish Pride personnel.

2.2Security Control Monitoring

SPLA Security Control Monitoring consists of the ongoing processes of security control assessment and remediation actions. When security controls are identified as being ineffective, before or during the Continuous Monitoring phase, they must be remediated. The remediation method used is the periodic review of a subset of system security controls.

This method is a compliance requirement which can be simplified through good documentation procedures and recognizing the best practices which achieve the goals of Security Control Monitoring. The following tasks involved in these activities are:

  • Subtask 4: Ongoing Security Control Assessments - Assess a selected subset of the security controls in SPLA or the environment of operation (including those controls affected by changes to the system/environment) in accordance with the continuous monitoring strategy
  • The System Owner should:
  • Assign responsibility for assessing a subset of security controls to an assessor who has an appropriate level of independence as defined by the CIO and the knowledge, skills, and abilities to complete the assessment
  • Update the POA&M after the assessment has been completed based on the updated security assessment report provided by the security control assessor
  • The security control assessor should:
  • Develop the security assessment plan that defines the appropriate procedures from NIST SP 800-53A to assess the security controls
  • Obtain approval for the security assessment plan from the CIO
  • Conduct the security assessment in accordance with the agreed-upon procedures, personnel, milestones, and schedule
  • Update the security assessment report with the information gained during the assessment of the subset of security controls and submit it to the System Owner, ISSO, and ISM
  • Subtask 5: Ongoing Remediation Actions - Conduct remediation actions based on the results of the selected security control assessments and outstanding items in the POA&M. The System Owner should initiate remediation actions based on the findings produced during the continuous monitoring assessments of the security controls, the outstanding items listed in the POA&M, and the results of performing the activities required by the system’s security control (e.g., vulnerability scanning, contingency plan testing, incident response handling). The System Owner should:
  • Consult with the ISSO, ISM, and CIO and review each assessor finding and determine the severity or seriousness of the finding and whether the finding is significant enough to be worthy of further investigation or remedial action
  • Determine the appropriate steps required to correct any identified weaknesses or deficiencies that require remediation efforts, establish an implementation plan and schedule for the defined actions, and update the POA&M with the planned remediation actions
  • Assess SPLA after the remediation actions have been completed to determine if the security controls remain effective after changes have been implemented
  • Update the POA&M with the current status when a remediation action has been successfully completed

The System Owner needs to revisit, on a regular basis, the risk management activities described in the Risk Management Framework Figure 1 (Page 3) to ensure the selection of security controls remains appropriate for SPLA. The System Owner should:

  • Monitor events that occur throughout Scottish Pride and determine if those events introduce or uncover new vulnerabilities or threats to SPLA
  • Determine whether the selected security controls remain sufficient to protect the information and SPLA assets against the newly identified vulnerabilities and threats
  • Reconfirm SPLA’s impact level and security category of SPLA and the information processed, stored, or transmitted by SPLA and determine if they should be changed
  • Consult with the ISSO, ISM, and CIO to determine if the authorization should be updated

2.3Status Reporting and Documentation

Status Reporting and Documentation consists of Critical Document Updates, Security Status Reporting, Ongoing Risk Determination and Acceptance, and System Removal and Decommissioning. The overall goal is to ensure that the documentation describing the security status of SPLA does not become stale.

The POA&M is particularly important to keep current because it reflects a single aspect of SPLA, the controls known to have been inadequate. The SSP should also be updated on an ongoing basis to support the near real-time view of SPLA’s security posture.

When SPLA system status changes occur, they must be documented and presented to the appropriate agency officials. Significant changes may require the ISSO to consider whether the risk(s) presented requires reconsideration of the operating status of the system. Additionally, these updates should be periodic and ensure all affected Scottish Pride staff is aware of SPLA’s status. Details of tasks involved in these activities are:

  • Subtask 6: Critical Document Updates - Update the SSP, security assessment report, and POA&M based on the results of the continuous monitoring process. Continuous monitoring provides System Owners with an effective tool for producing ongoing updates to SSPs, security assessment reports, and POA&Ms. These documents are critical to understanding and explicitly accepting risk on a day-to-day basis. The System Owner should:
  • Ensure that the security control assessor updates the security assessment report with the results of the security control assessments conducted during the continuous monitoring phase
  • Update the SSP and POA&M to identify changes to SPLA, the operating environment, the security controls, and the implementation of the SPLA’s security controls
  • Preserve the original version of the documents so that they are available for oversight, management, security control assessments, and auditing purposes
  • Share the updated documentation with others
  • Subtask 7: Security Status Reporting - The System Owner should document the results of the continuous monitoring activities in security status reports and provide them to the ISSO, ISM, and CIO. The System Owner should:
  • Describe the continuous monitoring activities and how the vulnerabilities discovered during the security control assessments and security impact analyses are being addressed
  • Provide the security status reports to the ISSO, ISM, and CIO at appropriate Scottish Pride defined frequencies
  • Subtask 8: Ongoing Risk Determination and Acceptance - Periodically review the reported security status of SPLA and determine whether the risk to Scottish Pride operations and assets, individuals, other organizations, or the Nation remains acceptable. The System Owner should provide sufficient information to the ISSO, ISM, and CIO for them to be able to make appropriate reauthorization decisions. The ISSO, ISM, and CIO should:
  • Review the updated security assessment report, SSP, POA&M, and security status reports to determine whether the risk to the information and SPLA remains acceptable
  • Determine whether SPLA requires reauthorization
  • Document the decision and forward it to the System Owner for appropriate action
  • Subtask 9: System Removal and Decommissioning - Implement an Scottish Pride approved SPLA decommissioning strategy, when needed, which executes required actions when SPLA is removed from service. When SPLA is removed from operation, the System Owner should ensure that all security controls addressing SPLA decommissioning are implemented. The System Owner should:
  • Determine a decommissioning strategy for SPLA when SPLA is no longer needed by Scottish Pride
  • Keep users and application owners served by the decommissioned SPLA or system components informed about the decommissioning activities and any issues associated with their information or applications
  • Sanitize or destroy SPLA components in accordance with applicable regulations and guidance to remove system information from SPLA media so that there is reasonable assurance that the information cannot be retrieved or reconstructed
  • Update Scottish Pride’s tracking and management systems to identify the specific SPLA components that are being removed from the inventory
  • Record the decommissioned status of SPLA in the SSP and distribute the document to appropriate individuals or agencies

3Security Controls monitoring

The following schedule in Table 1 shall be established by the System Owner for continuous monitoring security control assessment to ensure that all controls requiring assessment are covered and that all controls are assessed at least once during the three-year accreditation cycle.