Information Systems Security Manager (ISSM) - Marine Corps ...

More documents

Recommendations

Info

NAVSO P-5239-04SEPTEMBER 19953.2 Risk Management ProgramThe DON Risk Management Program includes the process of identifying, measuring,and minimizing events affecting IS resources. The program includes the security activitiesthat span the life cycle of an IS. Risk Management determines the value of the data, whichprotections already exist, and how much more protection (if any) the system needs. Itincludes risk analysis, countermeasure selections, security test and evaluation, and systemreview. The results of these activities provide the information on which a DAA can base anaccreditation decision. Risk management activities do not end with an accreditation decision.Ongoing analysis throughout the life cycle ensures that the security requirements are alwaysmet. The ISSM implements the DON-mandated Risk Management Program for the systemsunder the ISSM’s purview.ResponsibilityThe ISSM ensures that the DON Risk Management Programrequirements are met by ensuring these tasks are accomplished:· Identify specific threats and vulnerabilities to the IS· Identify and apply countermeasures to mitigate theidentified risk· Test the effectiveness of the implemented securitycontrols· Review the continued effectiveness of the implementedsecurity measures.ImplementationRisk AssessmentThe first two tasks are accomplished by conducting a RiskAssessment. The Risk Assessment evaluates the threats andvulnerabilities related to the assets of the activity. The RiskAssessment Guidebook, Module 16 of the NAVSO P series,provides the procedures to be followed for performing a riskassessment based on common, definable systems or networkconfigurations. It identifies and separates systems and networksby operating characteristics, and provides methodologies thatcan be used for each situation.The ISSM is responsible for determining the risk assessmentmethodology to be used for each system under the ISSM’spurview. The ISSM is responsible for ensuring that a riskassessment is performed on each IS under the ISSM’s purview.14
NAVSO P-5239-04SEPTEMBER 1995The ISSM is responsible for reviewing the completed RiskAssessment to ensure the following:· The methodology was properly followed· The risks and the risk levels were identified· Appropriate countermeasures were identified andrecommended· Residual risk was identified.CountermeasureIdentification andImplementationThe ISSM is responsible for ensuring that threats, vulnerabilities,and current safeguards are identified in the Risk Assessment.Effective countermeasures must be identified for areas ofexceptionally high or unacceptable risks.The ISSM reviews the countermeasure selectionrecommendations provided with the Risk Assessment andensures that selection of appropriate countermeasures is basedon:· The risk potential· The magnitude of the security problem· The potential impact on organizational resources.The ISSM coordinates the selection of security controls with theCommanding Officer to minimize the effect of the securitymeasures on the overall mission accomplishment.The dynamic environment of ISs demands continuing review ofthe effectiveness of security controls to achieve the highestdegree of protection. The effectiveness of the identified andimplemented countermeasures is assessed in the Security Testand Evaluation (ST&E) performed on each IS.Security Test andEvaluationThe primary purpose for conducting ST&E is to obtain technicalinformation to support the DAA’s decision to accredit an IS.The ST&E consists of two interrelated phases:· Determining whether the necessary countermeasuresidentified in the Risk Assessment have been installed· Determining whether the installed countermeasures are15
Page 1: Department of the Navy NAVSO P-5239
Page 5: NAVSO P-5239-04SEPTEMBER 1995FOREWO
Page 8 and 9: NAVSO P-5239-04SEPTEMBER 1995TABLE
Page 10 and 11: NAVSO P-5239-04SEPTEMBER 1995· Sec
Page 12 and 13: NAVSO P-5239-04SEPTEMBER 1995techni
Page 14 and 15: NAVSO P-5239-04SEPTEMBER 1995ISEASS
Page 16 and 17: NAVSO P-5239-04SEPTEMBER 19953.0 IN
Page 18 and 19: NAVSO P-5239-04SEPTEMBER 1995· Sit
Page 20 and 21: NAVSO P-5239-04SEPTEMBER 1995the DO
Page 24 and 25: NAVSO P-5239-04SEPTEMBER 1995workin
Page 26 and 27: NAVSO P-5239-04SEPTEMBER 19953.3 Ac
Page 28 and 29: NAVSO P-5239-04SEPTEMBER 19953.4 Ad
Page 30 and 31: NAVSO P-5239-04SEPTEMBER 1995Virus
Page 32 and 33: NAVSO P-5239-04SEPTEMBER 19953.5 Tr
Page 34 and 35: NAVSO P-5239-04SEPTEMBER 1995- Expl
Page 36 and 37: NAVSO P-5239-04SEPTEMBER 19953.6 Ph
Page 38 and 39: NAVSO P-5239-04SEPTEMBER 1995· Eva
Page 40 and 41: NAVSO P-5239-04SEPTEMBER 19953.7 Au
Page 42 and 43: NAVSO P-5239-04SEPTEMBER 19953.8 In
Page 44 and 45: NAVSO P-5239-04SEPTEMBER 19953.9 Se
Page 46 and 47: NAVSO P-5239-04SEPTEMBER 19953.10 C
Page 48 and 49: NAVSO P-5239-04SEPTEMBER 19953.11 S
Page 50 and 51: NAVSO P-5239-04SEPTEMBER 199542
Page 52 and 53: NAVSO P-5239-04SEPTEMBER 1995update
Page 55 and 56: NAVSO P-5239-04SEPTEMBER 1995Securi
Page 57 and 58: NAVSO P-5239-04SEPTEMBER 1995SECNAV
Page 59 and 60: NAVSO P-5239-04SEPTEMBER 1995This d
Page 61 and 62: NAVSO P-5239-04SEPTEMBER 1995NCSC-T
Page 63 and 64: NAVSO P-5239-04SEPTEMBER 1995NTISSP
Page 65 and 66: NAVSO P-5239-04SEPTEMBER 1995primar

Information Systems Security Manager (ISSM) - Marine Corps ...

Create successful ePaper yourself

Delete template?

Save as template?