1. Identify system components, boundaries, and functions
2. Identify and categorize information types processed, stored, and transmitted by system
3. Identify potential threats and vulnerabilities for each system process and data
4. Determine risk levels for found threats and vulnerabilities
5. Approval: Risk Levels Determination
6. Implement, manage, and update security controls
7. Conduct Initial Security Control Assessment
8. Remediate Weaknesses
9. Approval: Weakness Remediation
10. Certificate and Accreditation Processing
11. Monitor system security controls to ensure they are effective and operating as intended
12. Perform system and data backup
13. Conduct regularly scheduled reviews of system security controls
14. Reassess system, environment, and risks
15. Approval: System Security Reassessment
16. Ensure system users and stakeholders are aware of the security risks

Identify system components, boundaries, and functions
This task involves identifying the different components, boundaries, and functions of the system. It helps in understanding the overall architecture and structure of the system, which is crucial for developing security controls. The task requires analyzing the system documentation, conducting interviews with stakeholders, and reviewing system diagrams and flowcharts. The desired outcome is a comprehensive understanding of the system's components, boundaries, and functions.
1. Server
2. Database
3. Network devices
4. Application software
5. User interfaces

1. Internal
2. External
3. Perimeter
4. DMZ
5. Firewalls
Identify and categorize information types processed, stored, and transmitted by system
This task involves identifying and categorizing the different types of information that are processed, stored, and transmitted by the system. It helps in understanding the sensitivity and criticality of the information, which is crucial for implementing appropriate security controls. The task requires reviewing the system documentation, conducting interviews with stakeholders, and analyzing data flows. The desired outcome is a comprehensive list of information types and their categorization.
1. Sensitive
2. Confidential
3. Public
4. Personal
5. Proprietary
Identify potential threats and vulnerabilities for each system process and data
This task involves identifying potential threats and vulnerabilities for each system process and data. It helps in understanding the risks that the system is exposed to and enables the development of appropriate security controls. The task requires conducting a threat and vulnerability assessment, reviewing system documentation, and analyzing security incidents. The desired outcome is a comprehensive list of potential threats and vulnerabilities associated with each system process and data.
Determine risk levels for found threats and vulnerabilities
This task involves determining the risk levels for the identified threats and vulnerabilities. It helps in prioritizing the implementation of security controls based on the severity and likelihood of exploitation. The task requires conducting a risk assessment, analyzing the impact and likelihood of each threat and vulnerability, and assigning risk levels. The desired outcome is a prioritized list of threats and vulnerabilities based on their risk levels.
1. High
2. Medium
3. Low
4. Negligible
5. Not applicable
Approval: Risk Levels Determination
Will be submitted for approval: Determine risk levels for found threats and vulnerabilities
Implement, manage, and update security controls
This task involves implementing, managing, and updating security controls to mitigate the identified risks. It includes selecting and implementing appropriate security technologies, configuring security settings, and establishing policies and procedures. Ongoing management and updates are necessary to ensure the effectiveness and relevance of the controls. The desired outcome is a set of implemented and maintained security controls.
1. Access control
2. Encryption
3. Firewall
4. Intrusion detection
5. Security awareness training

1. Implemented
2. Partially implemented
3. Not implemented
4. Obsolete
5. Unknown
Conduct Initial Security Control Assessment
This task involves conducting an initial assessment of the implemented security controls. It aims to validate the effectiveness and adequacy of the controls in addressing the identified risks. The assessment includes reviewing control configurations, performing vulnerability scanning, and analyzing security incidents. The desired outcome is an assessment report identifying any weaknesses or gaps in the implemented controls.
1. Control review
2. Vulnerability scanning
3. Penetration testing
4. Security incident analysis
5. Security configuration review

1. Compliant
2. Non-compliant
3. Partially compliant
4. Not applicable
5. Under assessment
Remediate Weaknesses
This task involves remediating the weaknesses or gaps identified in the initial security control assessment. It aims to address any vulnerabilities or deficiencies in the implemented controls to improve the overall security posture. The task requires developing mitigation plans, implementing corrective actions, and monitoring the effectiveness of remediation efforts. The desired outcome is a set of remediated security control weaknesses.
1. Completed
2. In progress
3. Not started
4. Failed
5. Not applicable
Approval: Weakness Remediation
Will be submitted for approval: Remediate Weaknesses
Certificate and Accreditation Processing
This task involves processing the certificate and accreditation for the system. It aims to obtain the necessary certifications and accreditations to demonstrate compliance with relevant security standards and regulations. The task requires preparing documentation, coordinating with accrediting bodies, and addressing any findings or recommendations. The desired outcome is a certified and accredited system.
1. Documentation preparation
2. Accrediting body coordination
3. Finding resolution
4. Recommendation implementation
5. Accreditation decision
Monitor system security controls to ensure they are effective and operating as intended
This task involves monitoring the system security controls to ensure their effectiveness and proper functioning. It includes reviewing security logs, conducting periodic security assessments, and analyzing system performance data. The task helps in identifying any potential issues or deviations from the desired security posture and allows for timely corrective actions. The desired outcome is a continuously monitored and optimized system security environment.
1. Log review
2. Performance analysis
3. Security incident analysis
4. System configuration review
5. Compliance assessment

1. Effective
2. Partially effective
3. Ineffective
4. Not monitored
5. Unknown
Perform system and data backup
This task involves performing regular system and data backups to ensure data availability and recovery in the event of system failures or data loss. It includes establishing backup schedules, selecting appropriate backup technologies, and verifying the integrity and completeness of backups. The task helps in minimizing data loss and maximizing business continuity. The desired outcome is a well-documented and regularly tested system and data backup process.
1. Daily
2. Weekly
3. Monthly
4. Quarterly
5. Yearly

1. Local storage
2. Cloud storage
3. Tape backup
4. Disk-to-disk backup
5. Replication
Conduct regularly scheduled reviews of system security controls
This task involves conducting regularly scheduled reviews of the system security controls to ensure their continued effectiveness and relevance. It includes reviewing control configurations, assessing compliance with security policies, and identifying areas for improvement. The task helps in maintaining a proactive and adaptive security posture. The desired outcome is a documented review report with identified control strengths and weaknesses.
1. Control configuration review
2. Policy compliance assessment
3. Risk assessment
4. Vulnerability scanning
5. Security incident analysis
Reassess system, environment, and risks
This task involves reassessing the system, environment, and risks to account for changes in technology, threats, and organizational requirements. It includes reviewing system documentation, conducting risk assessments, and analyzing security incidents and trends. The task helps in ensuring the ongoing effectiveness and adequacy of security controls. The desired outcome is an updated risk assessment report with identified control improvements or enhancements.
1. System documentation review
2. Risk assessment
3. Security incident analysis
4. Trend analysis
5. Threat intelligence review

1. Improved
2. Unchanged
3. Deteriorated
4. Not applicable
5. Under assessment
Approval: System Security Reassessment
Will be submitted for approval: Reassess system, environment, and risks
Ensure system users and stakeholders are aware of the security risks
This task involves ensuring that system users and stakeholders are aware of the security risks associated with the system. It includes providing security awareness training, distributing security advisories, and promoting a culture of security awareness. The task helps in mitigating human-related security risks and fostering a security-conscious environment. The desired outcome is an informed and security-aware user and stakeholder community.