USAID Mission Site Vulnerability Assessment and Remediation
1.0 | Identification Data | ||||||||||||||||||
1.1 | BSP Number | ||||||||||||||||||
00019 | |||||||||||||||||||
1.2 | BSP Title/Name | ||||||||||||||||||
USAID Mission Site Vulnerability Assessment and Remediation | |||||||||||||||||||
1.3 | Version Number | ||||||||||||||||||
1.0 | |||||||||||||||||||
1.4 | Adoption Date | ||||||||||||||||||
07/07/2001 | |||||||||||||||||||
1.5 | Approving Authority | ||||||||||||||||||
CIO Council Security Practices Subcommittee (SPS) | |||||||||||||||||||
1.6 | Responsible Organization | ||||||||||||||||||
United States Agency for International Development (USAID), Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team | |||||||||||||||||||
1.7 | Level of BSP | ||||||||||||||||||
Candidate | |||||||||||||||||||
1.8 | Security Processes or other Framework(s) Supported | ||||||||||||||||||
Security Process Framework:
SSE CMM Framework:
OMB Circular A-130, Appendix III, Section A:
| |||||||||||||||||||
1.9 | Reserved | ||||||||||||||||||
1.10 | Points of Contact | ||||||||||||||||||
Government BSP Owner:
Vendor Pa rtner: Yes, post this contact information with the publicly accessible BSP.
| |||||||||||||||||||
2.0 | What This BSP Does | ||||||||||||||||||
2.1 | BSP's Purpose | ||||||||||||||||||
This BSP describes the steps in the Information Security Vulnerability Assessment and Remediation Process applied at USAID Mission sites, and provides references to supporting documents. These documents include other BSPs, checklists, templates for reports to local Mission and Headquarters management, and industry and government standards addressing portions of the tasks named here. It is a first-level description of the whole Information Security Vulnerability Assessment and Remediation Process, and a guide to sources of more detailed information about each element of the process. | |||||||||||||||||||
2.2 | Requirements for this BSP | ||||||||||||||||||
OMB A-130 Appendix III, Section A.3a.3
states: "Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system. Depending on the potential risk and magnitude of harm that could occur, consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act (FMFIA), if there is no assignment of security responsibility, no security plan, or no authorization to process for a system." | |||||||||||||||||||
2.3 | Success Stories | ||||||||||||||||||
This letter is from an organization
expressing appreciation for raising the security capability at their
location through use of this Security Vulnerability Assessment
Process. Because Security Vulnerability Assessment is performed
repetitively at all USAID Mission sites, similar results continue to be
produced at other locations and are expected to occur during the next
visit to the Peru site.
Subject: COMPUTER SECURITY TEAM VISIT | |||||||||||||||||||
3.0 | What This BSP Is | ||||||||||||||||||
3.1 | Description of BSP | ||||||||||||||||||
The Information Security Vulnerability Assessment (VA) process is performed at USAID Mission locations whenever a Triggering Event happens. This trigger usually occurs routinely, activated by scheduled system changes at a Mission or expiration of the OMB-specified three-year interval since the last VA. These assessments assure that a Mission’s systems are installed and maintained according to current Agency policies and specifications. Occasionally, the trigger is activated by a security relevant event of sufficient magnitude to disrupt normal processing somewhere in the USAID network, which reveals an unexpected weakness in the standard system configuration. Assessments responding to these events assure that the new information gained has been applied at each Mission most effectively for that site’s configuration. Information Security Vulnerability Assessment is a repetitive process. Each cycle begins with the Triggering Event and ends with the Final Report step, which resets the Trigger in anticipation of the next assessment. Figure 3.1-1 illustrates the process. The names of the steps are in the boxes forming the inner circle. The products of the steps are beside the arrows forming the outer circle. This BSP shows the sequence of tasks comprising the VA Process cycle, indicates where more details may be found for each task, and illustrates the main points of coordination between USAID management officials and the VA team. Each of these major actors has a role in the successful completion of the process. Figure 3.1-1 USAID Mission Security Vulnerability Assessment Cycle
|
3.1.1 | Inputs | ||||||||||||||||||||||||||||||||||||||||||||
Note: This list suggests the information that may be available to the VA team. Not every document may be available to every VA visit, but the more that are available, the better focused and more efficient the visit becomes. Improved team focus results in more useful information for the Mission Director, Executive Officer (EXO), System Administrators and users. The list is compiled during the Visit Coordination phase, through an exchange of questionnaires and other correspondence between the VA team and cognizant Mission officials. These inputs are: a. Approved Mission
Security Plan; | |||||||||||||||||||||||||||||||||||||||||||||
3.1.2 | Processes | ||||||||||||||||||||||||||||||||||||||||||||
Step 1, Trigger: Determine from
Input data that a triggering event has happened. a. Initiate survey questionnaires, to determine user/manager knowledge of security-relevant features of on-site systems and networks;Step 3. Probe and Scan a. Travel to the Mission, execute pre-assessment steps, which include:Step 4. Analyze. Document problems, evaluate and obtain patches or fixes. Submit items implemented as a result of the analysis for addition to the OS checklist. Step 5. Advise. Coordinate and document all changes with Application owners and system administrators. Step 6. Correct the identified problems: apply software updates and patches, reconfiguration, other countermeasures. Step 7. Validate: Rerun the tool appropriate for the system being reviewed to determine that the configuration problems have been resolved. Document any remaining vulnerability. Step 8: Report: Draft final report, obtain site staff concurrence and additional input. Prepare Final Report, forward to the organization's ISSO, the reviewed system's owner, and other appropriate parties. Step 9: Present outbrief, ensure that site conditions are fully understood and accurately described. | |||||||||||||||||||||||||||||||||||||||||||||
3.1.3 | Outputs | ||||||||||||||||||||||||||||||||||||||||||||
Advice and Final Report; see BSP 0004. | |||||||||||||||||||||||||||||||||||||||||||||
3.2 | Relationship to Other BSPs | ||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||
4.0 | How To Use This BSP | ||||||||||||||||||||||||||||||||||||||||||||
4.1 | Implementation Guidance | ||||||||||||||||||||||||||||||||||||||||||||
Referring to Figure 3.1-1, USAID Mission
Directors, EXOs and System Administrators should be aware of all phases of
the Assessment process, from the Coordinate Visit step to the Final Report
step. EXOs are most engaged during the coordination, advise and
report steps; System Administrators and other technical staff are most
engaged during the measurement, correction and validation
steps. | |||||||||||||||||||||||||||||||||||||||||||||
4.2 | Implementation Resource Estimates | ||||||||||||||||||||||||||||||||||||||||||||
Vulnerability Assessment visits normally require
5 days on-site. The assessment team, usually consisting of 5 or 6
people, can work unassisted during much of this time. The Coordinate
and Report steps in Figure 3.1-1 are most effective when attended by the
Assessment Team Leader, the EXO and the System Administrator, plus other
local staff designated by these Mission supervisors. Each training
session normally lasts 1 hour, attended by the Assessment Team Trainer and
Mission personnel designated by the Director or EXO. Coordination
sessions usually start before the Assessment Team arrives.
Preliminary meetings usually take place via e-mail or brief telephone
calls, to consider trip logistics. The initial visit meeting usually
lasts less than an hour, because most details have already been worked
out. Final meeting time varies, depending on the team’s findings and the
contents of the final report. Team experience indicates that this
meeting usually requires about 1 hour to present results, and an
additional half hour for discussion. Those attending include the
Mission Director, EXO, System Administrator, and 2 or 3 other people
nominated by these officials. | |||||||||||||||||||||||||||||||||||||||||||||
4.3 | Performance Goals and Indicators (Metrics) | ||||||||||||||||||||||||||||||||||||||||||||
General Goal: To select and apply the processes described in
BSPs 0001 through 0004 which together identify and eliminate the security
vulnerabilities associated with the configuration of the subject
information systems. | |||||||||||||||||||||||||||||||||||||||||||||
4.4 | Tools | ||||||||||||||||||||||||||||||||||||||||||||
None applicable. | |||||||||||||||||||||||||||||||||||||||||||||
4.5 | Training Materials | ||||||||||||||||||||||||||||||||||||||||||||
Presentations are tailored to the site’s needs, based on returns from questionnaires. Initial materials include the standard courseware on file at USAID Headquarters, plus resources known to the team Training member. This member is selected for his/her experience in the areas of interest. | |||||||||||||||||||||||||||||||||||||||||||||
Appendices | |||||||||||||||||||||||||||||||||||||||||||||
A | Executive Overview and Briefing | ||||||||||||||||||||||||||||||||||||||||||||
BSP 0004 shows an example in-briefing presentation. | |||||||||||||||||||||||||||||||||||||||||||||
B | Reference List | ||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||
C | Procurement Information | ||||||||||||||||||||||||||||||||||||||||||||
The United States Agency for International
Development (USAID) has contracted for general IRM support with Computer
Sciences Corporation (CSC) under the Agency's Principal Resource for
Information Management Enterprise-wide (PRIME) contract (GS00K96AJD0012)
with FEDSIM. USAID obtains its information system security support
from CSC under the PRIME contract using the Performance Work Statement
(PWS) tasking method. | |||||||||||||||||||||||||||||||||||||||||||||
D | Evaluation Information | ||||||||||||||||||||||||||||||||||||||||||||
Not to be completed by the drafter. | |||||||||||||||||||||||||||||||||||||||||||||
E | Recommended Changes | ||||||||||||||||||||||||||||||||||||||||||||
Not to be completed by the drafter. | |||||||||||||||||||||||||||||||||||||||||||||
F | Glossary | ||||||||||||||||||||||||||||||||||||||||||||
|