Agency System Security Plan
Table of Contents
Agency Name
1. Information System Name/Title
2. Information System Categorization
3. Information System Owner
4. Authorizing Official/Accountable Party in Agency
5. Assignment of Security Responsibility
6. Information System Operational Status
7. Information System Type:
8. General System Description/Purpose
9. System Environment
10. System Interconnections/Information Sharing
11. Related Laws/Regulations/Policies
12. Minimum Security Controls
13. Information System Security Plan Completion and Approval Date(s)
Agency Name
<<Name>>
1. Information System Name/Title
<<Unique identifier and name given to the system>>
2. Information System Categorization
Place one ‘X’ in each row of the table below, based on the FIPS 199 Impact Guidance:
                   Low     Moderate     High
Confidentiality
Integrity
Availability
Overall*
Overall impact score should use the high water-mark approach. If two categories are ‘Low’ and one is ‘High’, the overall score should still be ‘High.’ The embedded Excel template will calculate the overall score based on responses.
FIPS 199 Impact Guidance:
3. Information System Owner
Name:
Title:
Agency:
Email:
Phone:
4. Authorizing Official/Accountable Party in Agency
Name:
Title:
Agency:
Email:
Phone:
5. Assignment of Security Responsibility
Name:
Title:
Agency:
Email:
Phone:
6. Information System Operational Status
Status                                      Comments
Operational <<Place X for yes>>
Under Development <<Place X for yes>>
Major Modification <<Place X for yes>>
7. Information System Type:
Indicate if the system is a major application or a general support system. If the system contains minor applications, list them in the next section (General System Description/Purpose).
Status                                      Comments
Major Application <<Place X for yes>>
General Support System <<Place X for yes>>
8. General System Description/Purpose
Describe the function or purpose of the system and the information processes:
9. System Environment
Provide a general description of the technical system. Include the primary hardware, software, and communications equipment:
10. System Interconnections/Information Sharing
List interconnected systems using the table below. You can add more columns as necessary:
                                              System 1    System 2    System 3    System 4
System Name:
Agency:
Major App or General Support System:
Interconnection Security Agreement (ISA)?
Memorandum of Understanding (MOU)?
Memorandum of Agreement (MOA)?
Confidentiality (H, M, L)
Integrity (H, M, L)
Availability (H, M, L)
11. Related Laws/Regulations/Policies
List any laws or regulations that establish specific requirements for the confidentiality, integrity, or availability of the data in the system (e.g., PCI, HIPAA):
Law/Regulation          Applicable version(s)          Comments
12. Minimum Security Controls
Complete the following worksheet to determine the appropriate controls from NIST 800-53 (Revision 4) and the current status of implementation. If an applicable control isn’t implemented, or isn’t designed or operating effectively, provide an explanation of planned security controls or compensating controls.
As a reference, use the latest version of NIST SP 800-53 (Revision 4):