Project Security Plan

Uploader: m**** Document ID: 552341628 Uploaded: 2023-12-14 Format: DOCX Pages: 9 Size: 34.54KB

University of Washington
Project Security Plan
Prepared by the Office of the CISO, 02/10

Note: Italic font is used for instructions or helpful information for the author, reviewers, and approvers.

Table of Contents
1. Approval Cycle Project Security Plan ... 1
2. Project Security Plan Purpose ... 1
3. Business Overview ... 2
3.1 System(s) Description ... 2
3.2 Abstract ... 3
4. Business Security Assessment ... 3
4.1 Business Sponsor's Security Expectations ... 3
4.2 Technical Assets ... 4
4.3 Risk Control Explanations ... 5
5. Controls ... 6
5.1 Control Questions ... 6
5.2 Control Explanations ... 9

1. Approval Cycle Project Security Plan

Role                 Name    Signature    Date
Author:
Executive Sponsor:
Business Sponsor:
Reviewer(s):
Approver(s):
System Owner:
System Operator:

2. Project Security Plan Purpose

This document is used in conjunction with the overall project plan to:
- Facilitate security oversight;
- Describe the security plan as designed by the project team during the system or application design;
- Document the assets being protected;
- Document the exposures and threats to which those assets are, or may be, subjected;
- Document the controls that are installed to mitigate those exposures and threats; and
- Document the reasons that the installed controls provide the appropriate level of security, or why the residual risk is acceptable.

3. Business Overview

Purpose: This section contains a summary of the System, briefly describes what it does, and outlines how it works. This section also covers the System's operating environment. This section does not cover the design to the level of the functional specification, but should include enough detail to evaluate the completeness and accuracy of the provided information. Typically, a diagram of all of the components will also be included in this section.

3.1 System(s) Description

Project Description:
Organization, college, or school:
Department:
Name of System:
Name of System Owner [2]:
Name of System Operator [2]:
Highest classification of data processed by the System [1]:
Type of confidential data (if System will process confidential data):
Volume of data expected on System:
Name of Data Trustee [2]:
Name of Data Custodian [2]:

[1] Administrative Policy Statement 2.10 Minimum Data Security Standards
[2] Administrative Policy Statement 2.4 Information Security & Privacy Roles, Responsibilities, and Definitions

3.2 Abstract

This section contains a concise summary of the:
- Business purpose of the System addressed by this project;
- Scope of the System;
- Level of effort to manage risks to an acceptable level;
- Assets or components that will be part of the System;
- Installation, implementation and maintenance expectations; and
- Use expectations.

4. Business Security Assessment

4.1 Business Sponsor's Security Expectations

In this section, define the business sponsor's expectations for the System. Also interview the System Owner to augment what is not already documented.

Some questions to help you think about expectations:
- Who is responsible for System security and what is expected?
- Does the System depend upon any other systems for enforcing security controls (e.g., Active Directory)?
- Who will use the System (e.g., employees, volunteers, contractors, vendors, students)?
- Is the System used internally to provide information to another department?
- Must the System be operational 24x7? Will the System have maintenance windows?
- Should different groups of people have different modes of access (e.g., user mode, administrator mode, maintenance mode)?

4.2 Technical Assets

Asset: List the assets that are to be protected in the table below. Examples of assets include data, systems, processor time, disk storage space, network connections, and anything else that the business sponsor and system owner of this System values or manages. Common traits of assets to be protected include confidentiality, integrity, or availability.

Exposure: If any of the assets being used to create the System, or that will be used to access or maintain the information asset, have any known exposures for which no fix is available, list those exposures. Do not trust the third party alone to answer this question. Check independent sources such as:
- BugTraq mailing list archive at http:/
- Common Vulnerabilities and Exposures (CVE) at http://www.cve.mitre.org
- Third party web sites, such as Microsoft at http:/

Threat: List all the ways that the assets of this system could be damaged, lost, or stolen in the Threats column. Common threats include: hackers, unauthorized users, theft, electrical/telecommunications failures, and natural disasters. A threat could affect a single asset
