4: Information Security
An information security program that safeguards Finance Board and bank information, and that complies with the requirements
of OMB Circular A-130 and the Federal Information Security Management Act (FISMA).
Other Information:
An Effective Information Security Program: The Finance Board will develop an information security program to support and enforce
the information security policy. The information security program will include a framework of policies and operating procedures,
many of which are already in place, and it will comply with the requirements of OMB Circular A-130 and FISMA. The
small size of the Finance Board poses special challenges in complying with the numerous system and reporting requirements
contained in OMB Circular A-130 and FISMA. However, the Finance Board's Information Security Program has been planned and
implemented to ensure that all of the components of an effective information security program are covered. The basic nature
of the Finance Board's business operations is bank examination. This business requirement results in a large
proportion of users connecting to the Finance Board network from remote locations, so special infrastructure and security planning
is necessary to safeguard information resources in this environment.

Information Security Program Components: The following
information security program components will, when fully implemented, help ensure protection of agency, FHLBank and member
institution information and computing resources:
· Security Plans for General Support Systems (GSS) and Major Applications (MA)
· Systems Risk Assessments
· Systems Certification
· Systems Accreditation
· Computer Security Incident Response Capability
· Awareness and Training Program

Security Plans. The completion of security plans for General Support Systems and Major Applications
is a requirement of OMB Circular A-130 and the Computer Security Act of 1987. Security plans will: provide an overview of
the security requirements of the system; describe the controls in place or planned to meet those requirements; and delineate
the responsibilities and expected behavior of all individuals who access the system.

Risk Assessments. A risk assessment is the
review of threats to, and vulnerabilities of, a system. Typically, risk assessments include the identification of managerial, operational
and technical controls to mitigate identified risks. Mitigation techniques must be cost effective, and system owners/managers
must make the decisions about which mitigations to adopt.

Certification. Certification is the technical evaluation and testing that establishes whether a
computer system, application or network meets the security requirements specified in its security plan.

Accreditation. Synonymous
with the term "authorize processing," accreditation is the approval, granted by the management official responsible for the
business process, for a Major Application or General Support System to operate in a production environment. Accreditation occurs
based on certification results and their acceptance by the accrediting official.

Computer Security Incident Response Capability
(CSIRC). A computer security incident is any occurrence that compromises the confidentiality, integrity or availability of
agency information resources. Most such incidents involve malicious code or unauthorized intrusion attempts.
The Finance Board will have a CSIRC operations guide specifying responsibilities and procedures designed to prevent, detect
and eradicate computer viruses and other malicious code. Processes and procedures to monitor for and prevent unauthorized intrusion
of the Finance Board network will be included in CSIRC responsibilities.

Information Security Awareness and Training. OMB Circular
A-130 and FISMA place heavy emphasis on awareness and training. Required training includes: periodic training (usually annual)
for all employees and contractors; and specialized training for individuals with specific information security responsibilities.
A web-based training program with self-certification will be created and implemented to satisfy the minimum requirements for annual
training for all employees and contractors, as required in the existing Finance Board Information Security Training Plan.

Information
Security Program Plan of Action: The first four components of the Information Security Plan, i.e., security plans, risk assessments,
system certification and system accreditation, will be completed as a "package" for the GSS and for each MA. These four activities
are discrete functions, but because the Finance Board is a small agency with few critical systems, they will be developed
as part of a unified program. Sequentially, the work will proceed as follows:
· Confirm the identification of each GSS and MA with the appropriate Office Directors.
· Conduct a risk assessment to establish system sensitivity and criticality, and the
magnitude of damage/loss/harm to the Finance Board that could result from exploitation of a system vulnerability.
· Prepare a system security
plan that identifies the system operating environment, risks/vulnerabilities, and cost-effective security controls and risk
mitigation strategies.
· Test system operation with the security controls in place. Successful testing results in system certification.
· Secure approval for operation of the system in the production environment from the business unit manager that owns the
system. This approval constitutes accreditation.

The remaining two components of the plan, the Computer Security Incident Response
Capability (CSIRC) and Information Security Awareness and Training, have no interdependencies with the other components, and
work on them may proceed simultaneously with the other component work. CSIRC work will consist of modifying an existing document
titled Computer Security Incident Response Team Plan. The awareness and training program work will include development of
a web-based training program that satisfies the initial and annual training requirements for all employees and contractors. The
information security program components will be developed using the appropriate National Institute of Standards and Technology
(NIST) guidance, especially, but not limited to, the NIST Special Publication 800 series. In addition to the components of
the information security program described above, FISMA requires that agencies demonstrate that information
security is integrated into the capital planning process. The Finance Board's information security program will address this
requirement by building it into the existing capital planning and investment review process.
Objective(s):