More Security Control Selection Phase 2 Q2
- First copy of the System Security Control Baseline prepared by the C&A Analyst is considered a draft until both the ISSO and the System Owner review it and agree with the control selected by the C&A analyst.
- The process of finalizing the System Security Control Baseline is termed Tailoring of the Security Control Baseline. The end result is the Finalized System Security Control Baseline.
- The review of the System Security Control Baseline by the system owner and the ISSO is to identify controls that are Not Applicable (N/A), Common Control, System Specific or Hybrid.
- Sample System Security Control Baseline
- Not Applicable- Is a control that cannot be test or implement because it is irrelevant to that particular system. For example, a publicly accessible website (www.USCIS.com) would not require log in credentials (username and password) Therefore IA-5 Authenticator Management and IA-6 Authenticator Feedback will not be implemented or tested.
- Common Control/Inherited– Is a control that is provided by another system or department/business unit. For example, PS-1 Personnel Security Policy and Procedures is handled by the HR and not the responsibility of the System Owner in our Smart Portal test case
- Hybrid-Control implementation is owned by two different system owners. For example, AT-2 Security Awareness Training for example HR prepares all IT security training material and the system owner ensures all of his/her staffs undertake the IT training and in addition, provide and keep records showing that training has been completed by staff members.
- System Specific- Is a control that is not hybrid but maintained by only one System Owner. For example, CM-2 Configuration Settings in our smart Portal test case
error: Content is protected !!
Accessing this course requires a login. Please enter your credentials below!