One of the missions of the U.S. Department of Homeland Security is to protect and preserve the security of cyberspace in the country. The principal objective of this Security Plan is to give instructions and direction to the Department’s workers and to help Homeland Security create best practices and strategies for the IT security system.
This policy applies to all users, employees, contractors, and suppliers, and to all IT resources such as e-mails, files, data, messages and documents controlled or administered by the Department of Homeland Security.
3. Policy Intention
The Department of Homeland Security IT security policy must be uniform, stable, consistent, efficient, effective and compatible with information security best practices in the Department. The purpose of this security policy is to create and implement the best security plans, strategies, and practices throughout the Department. The policy is also intended to create a safe and secure cyberspace.
4. Protecting Cyberspace
Building a secure and safe cyberspace and communications system in the country is the top priority of the Department. The Department's Cybersecurity Framework is the most comprehensive and efficient of its kind. The Department of Homeland Security performs the following activities to secure cyberspace efficiently:
Check and assess the capacity and potential of organizations' defensive mechanisms against cyber-attacks.
Evaluate organizations' decision-making and incident response strategies at the national level.
Validate and confirm communication and information sharing methods. Create awareness about new cyber incidents and about response and recovery practices.
Review ways of sharing sensitive and private information without compromising national security interests.
5. Cybersecurity Framework
The Framework is a risk-based strategy for managing cybersecurity risk and is composed of three components: the Framework Core, Implementation Tiers, and Profiles. Each of these Framework components strengthens the relationship between business drivers and cybersecurity activities.
The Framework Core is a collection of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
Framework Implementation Tiers provide context on how the Department views cybersecurity risk and which methods or processes need to be followed to control and handle that risk.
The Framework Profile describes the outcomes, based on the Department's needs, that have been selected from the Framework categories and subcategories.
6. Threat Identification
The US Department of Homeland Security has identified the following information security risks that can compromise the confidentiality, availability, and integrity of the system:
Administrative, maintenance, software and system design, and user errors
Denial of service, virus, spyware, trojan, and worm attacks
Unauthorized modification of data
Terrorist acts such as terrorist cyber-attacks
Natural disasters such as hurricanes, lightning, tornadoes, and volcanoes
7. Risk Management
The Department's risk management includes the following processes:
Assessing and evaluating all types of risks
Evaluating all kinds of security control methods and procedures
Cost and Benefit Analysis
Recognizing and understanding security constraints
Assessing security laws, policies, and regulations
8. Risk Assessment Approach
The Department's risk assessment approach uses information security system analysis to find security vulnerabilities and to determine lethal threats to the system. The approach also efficiently mitigates the chance of risks by evaluating the existing countermeasures and by assessing and providing cost-effective security strategies. The approach follows a series of steps to identify threats and to recommend the best security methods and practices.
9. System Vulnerabilities
The primary objective of system vulnerability analysis is to determine the weaknesses of the Department's networking system. The analysis assesses communications, environmental, and personnel security and evaluates significant and specific hardware to identify the vulnerabilities of information technologies in the Department. The approach also evaluates security control systems to check whether they are properly implemented.
9.1 Vulnerability Assessment
After the system vulnerability analysis has identified the primary threats, the vulnerability assessment process follows. The assessment identifies and evaluates existing vulnerabilities in the system and provides different security countermeasures to mitigate and control the probability of risk in the network. The assessment also compares and contrasts the previous vulnerability assessment methods with the new one to improve the current security strategy.
10. Controls Analysis
The principal objective of control analysis is to examine the existing or planned controls in order to minimize the possibility of potential vulnerabilities and threats. The control analysis additionally considers launching different control strategies that mitigate active threats and reduce the factors that can increase the probability of various risks. The control analysis also reduces the weaknesses of the security control system.
10.1 Establishing Controls
The US Department of Homeland Security uses IACS (Information Assurance Compliance System) to generate a Requirements Traceability Matrix (RTM). The matrix is a checklist of controls. The list assesses which controls are efficient and which are not or need updating and improvement. The checklist also records the source, control name, method, and category of each control.
10.2 Control Methods
The Department's security control system uses two types of methods: technical and nontechnical.
The primary goal of technical control methods is to preserve and protect the security of:
Firmware, hardware, software,
Encryption and intrusion detection systems,
Access control, identification and authentication mechanisms.
The nontechnical control methods are used to preserve and safeguard:
Security procedures and policies,
Personnel, physical, and environmental safety.
11. Business Continuity Plan
A Business Continuity Plan is critical for continuing regular service and activity during a service interruption such as a natural disaster or security incident. The Department of Homeland Security business continuity plan is distributed to the continuity plan's management team, and the master plan is kept by the leader of the group. One additional copy of the plan is retained in the Emergency Operation Center (EOC) of the Department, which helps team members review the plan quickly when the business continuity plan is activated. The business continuity plan incorporates initial response and disaster response plans. The development of a business continuity plan in the Department includes four consecutive steps:
Distinguish critical and sensitive business functions and resources to compile a business impact study.
Identify documents and resources that support the business recovery process.
Prepare the business continuity plan team and develop its plan to handle and control a business interruption.
Give proper recovery strategies to the business continuity team and evaluate the plan's recovery methods.
11.1 Incident response plan
The Department has an Incident Response team. The team is responsible for reporting incident information to US-CERT (United States Computer Emergency Readiness Team) promptly, as soon as it is collected. For all government offices, US-CERT serves as the principal information security incident reporting body. All Federal Government incident response teams need to use a standard taxonomy.
11.2 Disaster Recovery Plan
The recovery plan is a strategy for recovering data and information technology systems. The recovery plan plays a decisive role in restoring necessary information technologies and equipment, which helps operations proceed properly during service interruptions. The recovered information technology (IT) includes networks, servers, desktop and laptop computers, and wireless devices. The recovery plan also plays a vital role in running critical software and applications during a service interruption by restoring regular business operations.
The US Department of Homeland Security has chosen the security planning principles established in NIST SP 800-53. The following outlines the security plans and standards that constitute the Department of Homeland Security policy:
All Homeland Security business systems need to adhere to a formal, documented security planning policy. The official security policy needs to address the purpose of the system, the scope of the policy, roles, responsibilities, and the management strategy.
The Department's business systems should develop a security plan for information technology and other assets.
The Department's business systems should develop a consistent policy that is compatible with the organization’s objective, purpose, and structure.
The security policy must clearly and broadly define the authorization boundary of each security and control system and application.
The security policy should describe the operational context of the information security asset in terms of its missions and business processes.
The policy needs to provide the different security categories and their level of impact on the information asset.
The operational environment of vital information, assets, and technologies needs to be described in the security policy.
The security policy should indicate the relationships, connections, and continuity between all information and systems.
The Department's security requirements and obligations need to be summarized and reviewed.
Planned and existing security control methods that meet the safety requirements of the Department need to be described and discussed.
Before the security plan is implemented or activated, it must be reviewed, assessed, and approved by authorized officials.
Department of Homeland Security information should be available to all users, along with their expected responsibilities and the rights and limitations of asset usage.
The Department's operating system needs to collect evaluations of the risk classification of information and assets and their information security status.
The business system of the Department needs to design and organize security-related projects that affect its information assets.
13. Plan of Action and Milestones
Following the Federal Information Security Management Act of 2002 (FISMA), every information system is required to create a Plan of Action and Milestones (POA&M) to explain any specified vulnerabilities by analyzing memoranda and assessments. POA&Ms create a framework to minimize weaknesses, implement suggested security measures, identify resources, and determine related expenses. The proposed safety measures in this security plan need to be incorporated in the Test_2015-01-15-1052 POA&M and executed according to the US Department of Homeland Security Plans of Action and Milestones guide requirement, to mitigate the level of risk associated with the system.