...of the Failure of the National Security Personnel System Andre Zephrine M. Pantaleo, Ph.D., M.B.A. Strayer University April 25, 2010 Context of the Problem The National Security Personnel System (NSPS) is a pay system based upon the caveat of being paid for performance. It was created in 2006 through Congressional authorization especially for the Department of Defense (DoD). Implementation of the system began in 2006 as a replacement for the General Schedule grade and step (GS) system used by the rest of the federal government. NSPS’s policies differ concerning hiring, reassignment, pay, promotion, tenure and recognition. Under the GS system, there are automatic pay increases which do not exist under NSPS. On October 29, 2009, President Obama signed legislation that repealed NSPS and restored DoD employees to the GS pay system. Full implementation of the switch back to the GS system is to occur no later than January 1, 2012. This research proposal proposes that NSPS did not succeed because of poor consideration for review boards, self evaluation, and allowances of discrimination through intention – speculatively – and more importantly unintentionally. This research proposal also posits that because of adverse impacts, similar systems would also be unsuccessful. Statement of the Problem The National Security Personnel System (NSPS) is a pay-for-performance pay system which replaced the General Schedule (GS) grade and step system for the Department of Defense...
Words: 4626 - Pages: 19
...Information Systems| 1.1Security CategorizationUsing either FIPS 199 or CNSS 1253, categorize the information system. The completed categorization should be included in the security plan.|Not done|As highlighted in the risk assessment, there is no security plan done (p.18). Add the security categorization information to the security plan.The security categorization that was completed in the risk assessment can be included in the security plan. The full categorization can be found on pp. 14-16. The categorization done in the risk analysis is based on FIPS 199.|FIPS 199 for nonnational security systems, CNSS 1253 for national security systems| 1.2Information System DescriptionIs a description of the information system included in the security plan?|||| 1.3Information System RegistrationIdentify offices that the information system should be registered with. These can be organizational or management offices.|||| RMF Step 2: Select Security Controls| 2.1Common Control IdentificationDescribe common security controls in place in the organization. Are the controls included in the security plan? |||| 2.2Security Control SelectionAre selected security controls for the information system documented in the security plan?|||| 2.3Monitoring StrategyWhat security control monitoring strategies should be used to protect the information system and its environment of operation? |||| 2.4Security Plan ApprovalHas the security plan been reviewed and approved?|||| RMF Step 3: Implement Security Controls| ...
Words: 540 - Pages: 3
...Framework Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Enterprise Risk Key activities in managing enterprise-level risk—risk resulting from the operation of an information system: Categorize the information system Select set of minimum (baseline) security controls Refine the security control set based on risk assessment Document security controls in system security plan Implement the security controls in the information system Assess the security controls Determine agency-level risk and risk acceptability Authorize information system operation Monitor security controls on a continuous basis NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2 Risk Management Framework Starting Point CATEGORIZE Information System Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. MONITOR Security State Continuously track changes to the information system that may affect security controls and reassess control effectiveness. SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. Security Life Cycle AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. IMPLEMENT Security Controls Implement security controls within...
Words: 723 - Pages: 3
...1. Executive Summary 2 2. Introduction 3 2.1 Company Overview 3 2.2 Security Policy Overview 4 2.3 Security policy goals 4 2.3.1 Confidentiality 4 2.3.2 Integrity 5 2.3.3 Availability 5 3. Disaster Recovery Plan 6 3.1 Risk Assessment 6 3.1.1Critical Business Processes 7 3.1.2 Internal, external, and environmental risks 7 3.2 Disaster Recovery Strategy 8 3.3 Disaster Recovery Test Plan 8 3.3.1 Walk-throughs 8 3.3.2 Simulations 9 3.3.3 Checklists 9 3.3.4 Parallel testing 9 3.3.5 Full interruption 9 4. Physical Security Policy 10 4.1 Security of the building facilities 10 4.1.1Physical entry control 10 4.1.2 Security offices, rooms and facilities 11 4.13.Isolated delivery and loading areas 12 4.2 Security of the information systems 12 4.2.1Workplace protections 12 4.2.2Unused ports and cabling 13 4.2.3 Network/server equipment 13 4.2.4 Equipment maintenance 13 4.2.5 Security of laptops/roaming equipment 13 5. References 14 Executive Summary The objective of this proposal is to present the information security policy created for Bloom Design Group. The issue of a company’s network security continues to be crucial because the results of data loss or significant system failure can be disastrous for a company. An alarming number of companies fail to realize how vulnerable their network is to internal, external, and environmental risks. One of the top priorities of an organization should be maintaining...
Words: 3568 - Pages: 15
...Introduction: Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance. Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization’s information and information systems, along with organizational resilience given known threat information. This necessitates: • Maintaining situation awareness of all systems across the organization; • Maintaining an understanding of threats and threat activities; • Assessing all security controls; • Collecting, correlating, and analyzing security-related information; • Providing actionable communication of security status across all tiers of the organization; and • Active management of risk by organizational officials. Purpose: The purpose of this guideline is to assist organizations in the development of an ISCM strategy and the implementation of an ISCM program that provides awareness of threats and vulnerabilities, visibility...
Words: 4395 - Pages: 18
...SECURITY MASTER PLAN OUTLINE for CHABOT LAS POSITAS Community College District Submitted by: CATALYST Consulting Group, Inc. 851 Napa Valley Corporate Way, Suite D Napa, CA 94558 In Association With: DMJM, Program Management For Measure B Bond Program 6601 Owens Drive, Suite 238 Pleasanton, CA 94588 May 2, 2005 9/21/2005 2 SECURITY MASTER PLAN OUTLINE Chabot Community College District This outline presents the fundamental topics of the Security Master Plan, an independent document incorporated by reference into the TBP Architecture District Master Plan for the Chabot College campus new construction and building improvements. To develop the Security Master Plan, CATALYST has first performed numerous site surveys and interviews, analyzed crime index data, reviewed the relevant technologies, and assessed the campus physical environment to define the risks and vulnerabilities that need to be addressed for a long-term vision of campus security. From this goal set, CATALYST has developed the guidelines and recommendations for the District to standardize the approach and cost of physical security on their campuses. The Security Master Plan will include the topic sections listed in the outline following. The primary intent of the Security Master Plan is to define security mitigation standards that integrate efficiently with new building construction and building improvements, saving upgrade costs today by planning for the campus of tomorrow. By first prioritizing...
Words: 1345 - Pages: 6
...to the security requirements of your information system? From the very earliest stages of planning for the development of the system to its final disposal is the advice of the National Institute of Standards and Technology (NIST). By considering security early in the information system development life cycle (SDLC), you may be able to avoid higher costs later on and develop a more secure system from the start. The System Development Life Cycle (SDLC) The system development life cycle starts with the initiation of the system planning process, and continues through system acquisition and development, implementation, operations and maintenance, and ends with disposition of the system. Specific decisions about security must be made in each of these phases to assure that the system is secure. The organization develops its initial definition of the problem that could be solved through automation. Also during this early phase, the organization starts to define the security requirements for the planned system. Management approval of decisions reached is important at this stage. During this initiation phase, the organization establishes the security categorization and conducts a preliminary risk assessment for the planned information system. Categorization of the information system using federal standards and guidelines aids system security planners in defining information system security according to levels of impact, and in selecting a baseline of initial security controls...
Words: 1328 - Pages: 6
...Your Company Security Plan for Unclassified Data Version 1.3 March 20, 2012 Developed By: Your Committee Committee Your Company Important Disclaimer: The Aerospace Industries Association of America, Inc. (“AIA”) has no intellectual property or other interest in this Aerospace Industry Guideline for Developing a Security Plan for Unclassified Data. By developing this Aerospace Industry Guideline for Developing a Security Plan for Unclassified Data Plan and making it freely available to anyone, AIA assumes no responsibility for this Guideline’s content or use, and disclaims any potential liability associated therewith. Executive Overview From time to time an AIA member company may be requested to provide the DOD, a prime contractor or an industry partner an Information Technology Security Plan for unclassified data. This security plan could be required at the enterprise, program or application level depending on the unique requirements of the request. This request might be challenging for those members that have never been required to provide such a document. This “Aerospace Industry Guideline for Developing a Security Plan for Unclassified Data” provides a template and guidance to assist member companies in the development of a security plan to meet their customers or partners needs. Please keep in mind that this document is provided as a guideline and not a mandatory standard. AII member companies are encouraged to use this guideline. Use...
Words: 2097 - Pages: 9
...Protecting systems against various systems threats such as passwords and cracking tools with brute force or attacks into the system by gaining authentication for access rights including a password, policy, to educate the users. SECURITY CONSIDERATIONS IN THE INFORMATION SYSTEM DEVELOPMENT LIFE CYCLE. Each information security environments unique, unless modified to adapt to meet the organization’s needs. The System Development Life Cycle (SDLC) the system development life cycle starts with the initiation of the system planning process, and continues through system acquisition and development, implementation, operations and maintenance, and ends with disposition of the system. Service decisions about security made in each of these phases to assure that the system is secure. The initiation phase begins with a determination of need for the system. The organization develops its initial definition of the problem that solved through automation. This followed by a preliminary concept for the basic system that needed, a preliminary definition of requirements, and feasibility and technology assessments. Also during this early phase, the organization starts to define the security requirements for the planned system. Management approval of decisions reached is important at this stage. The information developed in these early analyses used to estimate the costs for the entire life cycle of the system, including information system security. An investment analysis determine...
Words: 1444 - Pages: 6
...behavior)? a. System owner 2. Who has the authority to formally assume responsibility for operating an information system at an acceptable level of risk? a. Accrediting Authority 3. Who is responsible for ensuring that the appropriate operational security posture is maintained for an information system and in many organizations is assigned responsibility for the day-to-day security operations of a system? a. Information System Security officer 4. Who is responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls? a. system owner, and/or the senior agency information security officer 5. Who is the highest-level senior official or executive within an organization with the overall responsibility to provide information security protections commensurate with the risk and magnitude or harm? a. The head of agency (or chief executive officer) 6. The six steps of the Risk Management Framework and what occurs on each step. a. Step 1: Categorize i. Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis. b. Step 2: Select i. Select an initial set of baseline security controls for the information system based on the security categorization; tailoring...
Words: 5295 - Pages: 22
... NIST Risk Management Framework for FISMA ..................................................................... 4 III. Application Security and FISMA .......................................................................................... 5 IV. NIST SP 800‐37 and FISMA .................................................................................................. 6 V. How Veracode Can Help ...................................................................................................... 7 VI. NIST SP 800‐37 Tasks & Veracode Solutions ....................................................................... 8 VII. Summary and Conclusions ............................................................................................... 10 About Veracode .................................................................................................................... 11 © 2008 Veracode, Inc. 2 Overview The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E‐ Government Act of 2002 (Pub.L. 107‐347, 116 Stat. 2899). The Act is meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating information security controls and periodic audits. I. The Role of NIST in FISMA Compliance The National Institute of Standards and...
Words: 2451 - Pages: 10
...1. How can a security framework assist in the design and implementation of a security infrastructure? Designing a working plan for securing the organization s information assets begins by creating or validating an existing security blueprint for the implementation of needed security controls to protect the information assets. A framework is the outline from which a more detailed blueprint evolves. The blueprint is the basis for the design, selection, and implementation of all subsequent security policies, education and training programs, and technologies. The blueprint provides scaleable, upgradeable, and comprehensive security for the coming years. The blueprint is used to plan the tasks to be accomplished and the order in which to proceed. What is information security governance? Governance is “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”1 Governance describes the entire process of governing, or controlling, the processes used by a group to accomplish some objective. Just like governments, corporations and other organizations have guiding documents—corporate charters or partnership agreements—as well as appointed or elected leaders or officers, and planning and operating procedures. These elements in combination provide...
Words: 4589 - Pages: 19
...Health Body Wellness Center Information Security Management System (ISMS) File:FYT2_Task2 Health Body Wellness Center (HBWC) promotes medical research, evaluation, and sharing of information between health care professionals. The HBWC’s Office of Grants Giveaway (OGG) provides for the distribution of federally supported medical grants. OGG uses a Microsoft Access database program called Small Hospital Tracking System (SHGTS) to manage the medical grant distribution process. A risk assessment of SHGTS was conducted to evaluate vulnerabilities and establish a baseline of potential threats. This document will outline an ISMS plan for HBWC and provide recommendation of additional steps needed to implement and maintain this plan. Use of the ISO 27000 series certification process will provide a framework for the ISMS. The Plan-Do-Check-Act (PDCA) model provides a step-by-step process for planning, implementing, and management of the ISMS plan. The ISMS outline, network drawing, and additional recommended steps will be discussed below. A1. Business Objectives The first step of any ISMS is the identification of the business objects that need to be included in the planning and maintenance of an organization. Listed below are HBWC’s major objects to be considered when developing ISMS. (Arnason, S, & Willett, K.D, 2008) Staff: Basic users, RAS users, Administrators, Executives, and Database Administrators roles, access levels, and responsibility should be defined. Facilities: ...
Words: 1741 - Pages: 7
...Health Body Wellness Center Information Security Management System (ISMS) File:FYT2_Task2 By Thomas A. Groshong Sr Page Health Body Wellness Center (HBWC) promotes medical research, evaluation, and sharing of information between health care professionals . The HBWC’s Office of Grants Giveaway (OGG) provides for the distribution of federally supported medical grants. OGG uses a Microsoft Access database program called Small Hospital Tracking System (SHGTS) to manage the medical grant distribution process. A risk assessment of SHGTS was conducted to evaluate vulnerabilities and establish a baseline of potential threats. This document will outline an ISMS plan for HBWC and provide recommendation of additional steps needed to implement and maintain this plan. Use of the ISO 27000 series certification process will provide a framework for the ISMS. The Plan-Do-Check-Act (PDCA) model provides a step-by-step process for planning, implementing, and management of the ISMS plan. The ISMS outline, network drawing, and additional recommended steps will be discussed below. A1. Business Objectives The first step of any ISMS is the identification of the business objects that need to be included in the planning and maintenance of an organization. Listed below are HBWC’s major objects to be considered when developing ISMS. ( Arnason, S, & Willett, K.D, 2008) Staff: Basic users, RAS users, Administrators, Executives, and Database Administrators roles, access...
Words: 1760 - Pages: 8
...GIAC Enterprises Security Controls Implementation Plan Group Discussion and Written Project John Hally, Erik Couture 08/07/2011 GIAC Enterprises – Security Controls Implementation Plan Table of Contents Executive Summary Introduction Security Controls Implementation Plan Incident Response Weekend Plan Conclusions References 3 3 4 6 9 9 2 GIAC Enterprises – Security Controls Implementation Plan Executive Summary The cyber-threat landscape has evolved significantly in recent years. From primarily a threat of denial of service and website vandalism in years past, to the currently advanced and well resourced adversaries employing complex technologies to achieve financial and political benefit. At GIAC Enterprises, we have observed huge increases in suspicious network activity directed at our corporate networks, sometimes even targeting key individuals. Due to the huge global increase in demand for fortune cookie messages, it is reasonable to expect that this undesired attention will only increase in the coming months and years as cyber-criminals and possibly corporate spies attempt to closely monitor our business activities and steal vital business information. This paper presents the recommendations of the tiger team, which was recently formed, with the goals of: 1. Developing a strategy for the implementation of the SANS Top 20 Security Controls, and in particular the creation of an incident response capability; and 2. Identifying and eradicating any possible...
Words: 3167 - Pages: 13
