Information Systems Security Manager (ISSM) - Marine Corps ...

NAVSO P-5239-04SEPTEMBER 1995ActivityAccreditationSchedule (AAS)Included in the ISSP, the AAS identifies all IS elementsand provides a POA&M for completing the following:· Risk assessments· Security test and evaluations· Contingency plans.IS Incident ReportThe IS incident report explains of the type of incident,the individuals involved, the estimated cost of theincident,summarizes the incident, and the investigation resultsalong with the supervisor’s recommendations; andprovides the local action to prevent reoccurrence.Authorized UserListThe ISSO and cognizant local work area security officermust be able to determine the identity of all usersapproved for any workstation or terminal. The exactmethod and format can vary. Timeliness and accuracyare most important. The Authorized User List identifiesauthorized system users and should be kept as part of therelated accreditation documentation .Security OperatingProceduresOPNAVINST 5239.1A requires that security proceduresbe developed, documented, and presented to all users ofISs. Topics of discussion should include, but are notlimited to: policy statement, system access controls,operating procedures, audit trails, training, physicalsecurity, media protection, modes of operation,emergency procedures, enforcement, documentation,data levels, etc. Additional information may need to beaddressed to meet site-specific needs. The ISSO is theprimary author of the SOPs. The ISSM ensures thatSOPs are reviewed annually for accuracy.Training andAwarenessDocumentationThe purpose of training and awareness documentation isto continuously reinforce the need for security of the ISand network with the users. The reinforcement satisfiesthe requirement to provide refresher training to the user.An awareness program provides the opportunity to43