Table 21.2 continued  Examples of Compliance Checks for Operational Controls

Columns: ID No. | Description of Audit Check on Operations | Pass/Fail/NA | Comments | Source of Requirement. The Pass/Fail/NA, Comments, and Source of Requirement columns are blank worksheet fields in the book and are omitted below.

O-41  Has a Configuration Management Plan been developed?
O-42  Are baselines defined in the Configuration Management Plan?
O-43  Have adequate baselines been established in the Configuration Management Plan?
O-44  Has the configuration management system been adequately described?
O-45  Are roles and responsibilities defined in the Configuration Management Plan?
O-46  Has the change management process been adequately described in the Configuration Management Plan?
O-47  Is the change management process acceptable?
O-48  Is a copy of the Change Management Form depicted in the Configuration Management Plan?

www.syngress.com 386 Chapter 21 • Evaluating the Certification Package for Accreditation (409_Cert_Accred_21.qxd, 11/3/06)

O-49  Are adequate parameters indicated on the Change Management Form?
O-50  Are emergency change management procedures documented in the Configuration Management Plan?
O-51  Are the emergency change management procedures adequate?
O-52  Are configuration management terms defined in the Configuration Management Plan?
O-53  Do all documents archived in the configuration management system have a unique ID number?
O-54  Are appropriate background investigations performed on staff before access is given to systems and applications?
O-55  Are appropriate background investigations performed on contractors before they are granted access to systems and applications?
O-56  Do user roles and responsibilities adhere to the principle of separation of duties?
O-57  Is the principle of least privilege followed when granting access to systems and applications?
O-58  When an unfriendly termination occurs, is access to systems and applications revoked immediately?
O-59  When a friendly termination occurs, is access to systems and applications revoked within one day?
O-60  Are critical points of failure noted in the System Security Plan?
O-61  Are safeguards in place to mitigate the risk posed by critical points of failure?
O-62  Is there a user enrollment process used for requesting, issuing, and closing user accounts?
O-63  Are the humidity and temperature of the data center where the systems are housed controlled?
O-64  Does the data center have an alarm system that alerts appropriate personnel if the temperature and humidity exceed acceptable levels?
O-65  Is a fire suppression system installed in the data center where the systems are housed?
O-66  Does the data center where the systems are housed have an alarm system that alerts appropriate personnel in the event of a fire?
O-67  Are the systems described in the Hardware and Software Inventory backed up on a regular schedule?
O-68  Is a copy of the system backup schedule included in the System Security Plan?
O-69  Are the tools used to perform the backups adequately described in the System Security Plan?
O-70  Are full backups performed at a minimum of once weekly, with incremental backups performed nightly?
O-71  Does an Incident Response Plan exist?
O-72  Does the Incident Response Plan include adequate information on roles and responsibilities?
O-73  Does the Incident Response Plan include a current list of key personnel that fill the roles and responsibilities?
O-74  Does the Incident Response Plan include a diagram and description of the escalation framework?
O-75  Does the Incident Response Plan include an adequate description of incident types?
O-76  Does the Incident Response Plan include information on how to contact the agency CSIRC?
O-77  Does the Incident Response Plan include an informative section on security forensics?
O-78  Does the Incident Response Plan include incident handling guidelines?
O-79  Does the Incident Response Plan include adequate information on incident severity levels?
O-80  Does the Incident Response Plan include a copy of the Security Incident Reporting Form?
O-81  Are members of both the CSIRT and CSIRC teams included in the Incident Response Plan?
O-82  Does the Incident Response Plan include information on how to report a security incident?
O-83  Are safeguards in place to ensure that only authorized individuals can access systems to perform maintenance tasks?
O-84  Are systems backed up before maintenance tasks are performed?
O-85  Is a log kept (that includes date and time) of who performs maintenance tasks on which systems?

Compliance Checklist for Technical Controls

Table 21.3  Examples of Compliance Checks for Technical Controls

Columns: ID No. | Description of Audit Check on Technical Controls | Pass/Fail/NA | Comments | Source of Requirement. As above, the last three columns are blank worksheet fields and are omitted.

T-1   Does a System Security Plan exist?
T-2   Does the System Security Plan accurately describe the systems to which it applies?
T-3   Does the System Security Plan include an adequate description of the system boundaries?
T-4   Are the procedures for authenticating users (passwords, tokens, biometrics, smart cards, etc.) fully explained in the System Security Plan?
T-5   Does each user have a unique user ID?
T-6   Are all user IDs associated with a person?
T-7   Do all user IDs identify a user to the system, and verify their identity, before the user is allowed to perform any actions on the system?
T-8   Are all users assigned to groups based on access requirements that comply with the principle of least privilege?
T-9   Is the display of passwords suppressed on the monitor when users enter their passwords into the system?
T-10  Are passwords for new users distributed securely?
T-11  Are users informed not to share their passwords with others?
T-12  Are users forced by the system to change their password upon initial activation of their account?
T-13  Do passwords meet the agency password complexity rules?
T-14  Do user passwords expire every 90 days?
T-15  Do root, admin, all system administration, and all privileged account passwords expire every 30 days?
T-16  Have all guest and anonymous accounts been removed?
T-17  Does the system provide a mechanism that notifies the user when a password change is required?
T-18  Are all passwords stored encrypted and not displayed in clear-text anywhere on the system?
T-19  Is it certain that passwords are not hard-coded into scripts, software, or applications?
T-20  Are password auditing tools used to scan for weak passwords?
T-21  When weak passwords are found, are the users with weak passwords required to change their password?
T-22  Is there a secure process to assist users who have forgotten their passwords?
T-23  Are all requests for account creation approved by the user's supervisor prior to giving the user access?
T-24  Are nonactivated accounts removed from the system after 60 days?
T-25  Are systems configured to lock an account/user ID after 3 consecutive failed logon attempts?
T-26  Is it possible to trace all system actions to user IDs?
T-27  Are all logon attempts recorded in an audit log?

Further excerpts from the preview (pages 396 to 416). Each "[...]" marks text that is not included in the preview.

Table 21.3 continued (pages 396 to 399):
T-28  Do the system/applications have audit logging capabilities?
T-29  Is the absolute pathname of all [...]
[...] passwords, session passwords, challenge-and-response protocols, two-factor authentication, digital signatures, or encryption?
T-48  Are there safeguards in place to protect the firewall rules file from unauthorized modification?
T-49  Are there safeguards [...]

[...] the expiration date. [...]

Figure 21.1  Sample Recommendation for Accreditation
Figure 21.2  Sample Accreditation Letter

Evaluations by an [...]

[...] their own OIG and then by the GAO, agencies are required to self-report FISMA and privacy information annually. The White House Office of Management and Budget gives specific instructions on how to prepare and submit your agency's FISMA information. An overview for agencies to use on how to self-report their FISMA information is listed in memorandum M-05-15, available at www.whitehouse.gov/omb/memoranda/fy2005/m05-15.html [...]

[...] the audit checks adequately check for compliance with confidentiality, integrity, and availability security policies?
■ Does the Security Assessment Report include a final list of vulnerabilities and corrective action?

Summary

Evaluating a C&A package is a big undertaking [...]

Chapter 22 • Addressing C&A Findings (409_Cert_Accred_22.qxd, 11/3/06)

[...] process. The point of C&A is to assess and document the security of your systems, identify vulnerabilities in your systems, and mitigate those vulnerabilities to improve the security posture. Don't waste all the hard work and effort that you and your colleagues put into the C&A process by not tracking and following up on the mitigation activities. If you track, follow up on, and validate that the mitigation [...]

[...] be identified and described in a document known as the Plan of Action & Milestones (POA&M). The POA&M represents the ISSO's to-do list and typically needs to be approved by the evaluation team that evaluated the C&A package before they send in the recommendation for accreditation. The objective of the POA&M is to have all the vulnerabilities and below-standard security controls identified and listed in one consolidated document. The POA&M is the final output of the certification and accreditation process and is where OIG and GAO are going to look to determine what your plans are to reduce the risks to your systems going forward.

Development and Approval

Typically the POA&M is created by the ISSO. However, the ISSO may delegate this [...]

Example of a POA&M [...]

A Word to the Wise

Now the C&A Package is complete. It has been delivered and approved by the evaluation team and you have an Authority to Operate in hand. Good job to everybody involved! It was a long hard road, and the job is [...]
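Several checks in Table 21.3 state concrete thresholds (T-14: user passwords expire within 90 days; T-15: privileged passwords within 30 days; T-16: no guest or anonymous accounts; T-24: non-activated accounts removed after 60 days; T-25: lockout after 3 consecutive failed logons), so an evaluator can run them mechanically against an account inventory and fill in the Pass/Fail/NA and Comments columns from the result. The Python script below is an added example, not code from the book or from any agency's audit tooling. The Account record layout, the lockout_threshold parameter and the sample inventory are constructed assumptions; each Finding is shaped like one worksheet row (ID No., Pass/Fail/NA, Comments). The Source of Requirement column is still the auditor's to fill in.

```python
"""Mechanical evaluation of checks T-14, T-15, T-16, T-24 and T-25 from Table 21.3.

Added example, not from the book. The Account fields mimic what an evaluator
would extract from /etc/shadow-style password-aging data and an HR activation
list; the exact layout is an assumption made for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Thresholds are taken directly from the checklist wording.
USER_PASSWORD_MAX_AGE_DAYS = 90        # T-14
PRIVILEGED_PASSWORD_MAX_AGE_DAYS = 30  # T-15
INACTIVE_ACCOUNT_REMOVAL_DAYS = 60     # T-24
MAX_CONSECUTIVE_FAILED_LOGONS = 3      # T-25


@dataclass
class Account:
    """One row of a (constructed) account inventory."""
    name: str
    privileged: bool                      # root, admin or other system-administration account
    password_max_age_days: Optional[int]  # None means the password never expires
    account_age_days: int                 # days since the account was created
    activated: bool                       # False: the user has never logged on
    guest_or_anonymous: bool              # shared guest or anonymous account


@dataclass
class Finding:
    """One worksheet row: ID No., Pass/Fail/NA, Comments."""
    check_id: str
    result: str
    comment: str


def _verdict(check_id: str, offenders: list[str], ok_text: str) -> Finding:
    """Fail if any account violates the check, otherwise Pass; name the offenders."""
    if offenders:
        return Finding(check_id, "Fail", "Non-compliant accounts: " + ", ".join(offenders))
    return Finding(check_id, "Pass", ok_text)


def check_t14_user_expiry(accounts: list[Account]) -> Finding:
    """T-14: non-privileged passwords must expire within 90 days."""
    offenders = [a.name for a in accounts
                 if not a.privileged
                 and (a.password_max_age_days is None
                      or a.password_max_age_days > USER_PASSWORD_MAX_AGE_DAYS)]
    return _verdict("T-14", offenders, "All user passwords expire within 90 days")


def check_t15_privileged_expiry(accounts: list[Account]) -> Finding:
    """T-15: root, admin and other privileged passwords must expire within 30 days."""
    offenders = [a.name for a in accounts
                 if a.privileged
                 and (a.password_max_age_days is None
                      or a.password_max_age_days > PRIVILEGED_PASSWORD_MAX_AGE_DAYS)]
    return _verdict("T-15", offenders, "All privileged passwords expire within 30 days")


def check_t16_guest_accounts(accounts: list[Account]) -> Finding:
    """T-16: guest and anonymous accounts must have been removed."""
    offenders = [a.name for a in accounts if a.guest_or_anonymous]
    return _verdict("T-16", offenders, "No guest or anonymous accounts present")


def check_t24_inactive_accounts(accounts: list[Account]) -> Finding:
    """T-24: accounts never activated within 60 days of creation must be removed."""
    offenders = [a.name for a in accounts
                 if not a.activated and a.account_age_days > INACTIVE_ACCOUNT_REMOVAL_DAYS]
    return _verdict("T-24", offenders, "No non-activated accounts older than 60 days")


def check_t25_lockout(lockout_threshold: Optional[int]) -> Finding:
    """T-25: lock the account after 3 consecutive failed logons.
    lockout_threshold is the configured value; None means lockout is disabled."""
    if lockout_threshold is None:
        return Finding("T-25", "Fail", "Account lockout is not configured")
    if lockout_threshold > MAX_CONSECUTIVE_FAILED_LOGONS:
        return Finding("T-25", "Fail",
                       f"Lockout after {lockout_threshold} attempts exceeds the limit of 3")
    return Finding("T-25", "Pass", f"Lockout after {lockout_threshold} failed attempts")


def run_audit(accounts: list[Account], lockout_threshold: Optional[int]) -> list[Finding]:
    """Evaluate every automatable check and return the worksheet rows in ID order."""
    return [check_t14_user_expiry(accounts), check_t15_privileged_expiry(accounts),
            check_t16_guest_accounts(accounts), check_t24_inactive_accounts(accounts),
            check_t25_lockout(lockout_threshold)]


def failed_check_ids(findings: list[Finding]) -> list[str]:
    """IDs that an evaluator would carry forward into the POA&M."""
    return [f.check_id for f in findings if f.result == "Fail"]


# Constructed sample inventory: one violation per check except T-25.
SAMPLE_ACCOUNTS = [
    Account("alice", False, 90, 400, True, False),
    Account("bob", False, 180, 400, True, False),        # T-14: 180 > 90
    Account("root", True, 30, 900, True, False),
    Account("svc_backup", True, None, 900, True, False),  # T-15: never expires
    Account("guest", False, 90, 900, True, True),         # T-16: guest account present
    Account("newhire", False, 90, 75, False, False),      # T-24: 75 days, never activated
    Account("intern", False, 90, 10, False, False),       # still inside the 60-day window
]
SAMPLE_LOCKOUT_THRESHOLD = 3

if __name__ == "__main__":
    for f in run_audit(SAMPLE_ACCOUNTS, SAMPLE_LOCKOUT_THRESHOLD):
        print(f"{f.check_id:5} {f.result:4} {f.comment}")
```

Running the script prints one worksheet row per check; with the sample inventory T-14, T-15, T-16 and T-24 fail and T-25 passes. A None or over-limit lockout threshold is reported as a Fail rather than silently treated as compliant, which is the failure mode an evaluator most needs surfaced.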