资源预览内容
第1页 / 共9页
第2页 / 共9页
第3页 / 共9页
第4页 / 共9页
第5页 / 共9页
第6页 / 共9页
第7页 / 共9页
第8页 / 共9页
第9页 / 共9页
亲,该文档总共9页全部预览完了,如果喜欢就下载吧!
资源描述
University of WashingtonProject Security PlanPrepared Office of the CISO 02/10Note: Italic font is used for instructions or helpful information for the author, reviewers, and approvers. Page 2Table of Contents1.Approval Cycle Project Security Plan12.Project Security Plan Purpose13.Business Overview23.1System(s) Description23.2Abstract34.Business Security Assessment34.1Business Sponsors Security Expectations34.2Technical Assets44.3Risk Control Explanations55.Controls65.1Control Questions65.2Control Explanations91. Approval Cycle Project Security PlanRoleNameSignatureDateAuthor:Executive Sponsor:Business Sponsor:Reviewer(s):Approver(s):System OwnerSystem Operator2. Project Security Plan PurposeThis document is used in conjunction with the overall project plan to: Facilitate security oversight; Describe the security plan as designed by the project team during the system or application design; Document the assets being protected; Document the exposures and threats to which those assets are, or may be, subjected; Document the controls that are installed to mitigate those exposures and threats and; Document the reasons that the installed controls provide the appropriate level of security or why the residual risk is acceptable.3. Business OverviewPurpose: This section contains a summary of the System, briefly describes what it does, and outlines how it works. This section also covers the Systems operating environment. This section does not cover the design to the level of the functional specification, but should include enough detail to evaluate the completeness and accuracy of the provided information. Typically, a diagram of all of the components will also be included in this section.3.1 System(s) DescriptionProject Description:Organization, college, or school:Department:Name of System:Name of System Owner2:Name of System Operator2:Highest classification of data processed by the System1:Type of confidential data (if System will process confidential data):Volume of data expected on System:Name of Data Trustee2:Name of Data Custodian2:1 Administrative Policy Statement 2.10 Minimum Data Security Standards2 Administrative Policy Statement 2.4 Information Security & Privacy Roles, Responsibilities, and Definitions3.2 AbstractThis section contains a concise summary of the: Business purpose of the System addressed by this project; Scope of the System; Level of effort to manage risks to an acceptable level; Assets or components that will be part of the System; Installation, implementation and maintenance expectations and; Use expectations.4. Business Security Assessment4.1 Business Sponsors Security ExpectationsIn this section, define the business sponsors expectations for the System. Also interview the System Owner to augment what is not already documented.Some questions to help you think about expectations: Who is responsible for System security and what is expected? Does the System depend upon any other systems for enforcing security controls (e.g., Active Directory)? Who will use the System (e.g. employee, volunteers, contractors, vendors, students) Is the System used internally to provide information to another department? Must the System be operational 24x7? Will the System have maintenance windows? Should different groups of people have different modes of access (e.g., user mode, administrator mode, maintenance mode)?4.2 Technical AssetsAsset: List the assets that are to be protected in the table below. Examples of assets include data, systems, processor time, disk storage space, network connections, and anything else that the business sponsor and system owner of this System values or manages. Common traits of assets to be protected include confidentiality, integrity, or availability.Exposure: If any of the assets being used to create the System, or that will be used to access or maintain the information asset, have any known exposures for which no fix is available, list those exposures. Do not trust the third party alone to answer this question. Check independent sources such as: BugTraq mailing list archive at http:/msgs.securepoint.com/bugtraq/ Common Vulnerabilities and Exposures (CVE) at http:/www.cve.mitre.org Third party web sites, such as Microsoft at http:/www.microsoft.com/security/bulletins/default.mspx Threat: List all the ways that the assets of this system could be damaged, lost, or stolen in the Threats column. Common threats include: hackers, unauthorized users, theft, electrical/telecommunications failures, and natural disasters. A threat could affect a single asset
网站客服QQ:2055934822
金锄头文库版权所有
经营许可证:蜀ICP备13022795号 | 川公网安备 51140202000112号