Security Assessment Plan Template Version 0 January 9, 2019 Table of Contents
Security Assessment Plan Template



Office of Information Technology

Information Security & Privacy Group

Centers for Medicare & Medicaid Services

Security Assessment Plan

Template

Version 3.0

January 9, 2019

Table of Contents


1. Introduction iv

1.1 Purpose iv

1.2 Security Assessment Background iv

1.3 Assessment Process and Methodology iv

1.3.1 Phase 1: Planning iv

1.3.2 Phase 2: Assessment iv

1.3.3 Phase 3: Reporting v

2. Planning 6

2.1 Background 6

2.2 Assessment Scope 6

2.3 Assessment Assumptions/Limitations 6

2.4 Data Use Agreement 6

2.5 Roles and Responsibilities 6

2.5.1 Business Owner 7

2.5.2 CMS Facilitator 7

2.5.3 CMS Government Task Lead 7

2.5.4 Information System Security Officer or System Security Officer 8

2.5.5 Lead Evaluator 8

2.5.6 Privacy Officer 8

2.5.7 Program Manager 9

2.5.8 System Owner 9

2.6 Assessment Responsibility Assignment 9

Table 1. Assessment Responsibilities 9

3. Assessment 11

3.1 Information Collection 11

3.1.1 CMS FISMA Controls Tracking System (CFACTS) 11

3.1.2 Documentation Requirements 11

3.2 Enumeration 12

3.2.1 Documentation Review 12

3.3 Testing and Review 13

3.3.1 Interviews 13

3.3.2 Observances 13

4. Reporting 14

4.1 Security Control Assessment Findings Spreadsheet 14

Table 4. Findings Spreadsheet 15

4.1.1 Row Number 16

4.1.2 Weakness 16

4.1.3 Risk Level 16

Table 5. Risk Definitions 16

4.1.4 CMSR Security Control Family and Reference 16

4.1.5 Affected Systems 16

4.1.6 Ease-of-Fix 17

Table 6. Definition of Ease-of-Fix Rating 17

4.1.7 Estimated Work Effort 17

Table 7. Definition of Estimated Work Effort Rating 17

4.1.8 Finding 17

4.1.9 Failed Test Description 18

4.1.10 Actual Test Results 18

4.1.11 Recommended Corrective Actions 18

4.1.12 Status 18

4.2 Reassignment of Findings 18

4.3 Test Reporting 19

5. Logistics 20

5.1 Points of Contact 20

Table 8. Points of Contact 20

Table 9. CMS Points of Contact 20

Table 10. Vendor Points of Contact 20

5.2 Assessment Schedule 20

5.3 Assessment Estimated Timeline 21


Table 1. Assessment Responsibilities 9

Table 2. Tier 1 Documentation – Mandatory Pre-Assessment 12

Table 3. Tier 2 Documentation – Required Two Weeks Prior to the Assessment 12

Table 4. Findings Spreadsheet 15

Table 5. Risk Definitions 16

Table 6. Definition of Ease-of-Fix Rating 17

Table 7. Definition of Estimated Work Effort Rating 17

Table 8. Points of Contact 20

Table 9. CMS Points of Contact 20

Table 10. Vendor Points of Contact 20

Table 11. Assessment Schedule 21

Table 12. Estimated Timeline for Assessment Actions and Milestones 21
