LAMP Stack System – Prepare Stage – Organizational Level & System Level
- Start Date Sept. 25
- End Date Current
I. Prepare Stage:
A. Organizational Level
a. Task P-1: Risk Management Roles and their responsibilities
This task consists of identifying the individuals who will hold key roles for executing the Risk Management Framework (RMF). The expected output is a set of documented RMF role assignments. The primary role in charge of this task is the Head of Agency or the Chief Information Security Officer (CISO). Supporting roles are the Authorizing Official, the Risk Executive, and the Senior Agency Information Security Officer (SAISO). That said, I will be documenting as the Chief Information Security Officer (CISO) of TarbariTech Inc.
Using NIST SP 800-37 Revision 2, Appendix D, we identify these roles.
- Authorizing Official (AO)
An AO is a senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, and the Nation. To do this, the AO relies primarily on: (i) the completed security plan; (ii) the security assessment report; and (iii) the plan of action and milestones for reducing or eliminating information system vulnerabilities.
- Control Assessor
The Control Assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the implemented controls and control enhancements to determine the effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization).
- Senior Agency Information Security Officer (SAISO)
The SAISO, also known as Chief Information Security Officer, is responsible for promulgating policies on security integration in the SDLC and developing enterprise standards for information security. This individual plays a leading role in introducing an appropriate structured methodology to help identify, evaluate, and minimize information security risks to the organization.
- System Owner: Me, Rafik Tarbari
The System Owner is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of a system. The System Owner is responsible for addressing the operational interests of the user community (i.e., users who require access to the system to satisfy mission, business, or operational requirements) and for ensuring compliance with security requirements. In coordination with the System Security and Privacy Officers, the System Owner is responsible for the development and maintenance of the security and privacy plans and ensures that the system is operated in accordance with the selected and implemented controls.
The System Owner ensures that the system users and support personnel receive the requisite security and privacy training. The System Owner receives the security and privacy assessment results from the Control Assessors. After taking appropriate steps to reduce or eliminate vulnerabilities or security and privacy risks, the System Owner assembles the authorization package and submits the package to the authorizing official or the authorizing official designated representative for adjudication.
- Information System Security Officer (ISSO): Me, Rafik Tarbari
The Information System Security Officer is responsible for ensuring the security of an information system throughout its life cycle.
- System Security/Privacy Officer (SSPO): Me, Rafik Tarbari
The System Security/Privacy Officer is an individual responsible for ensuring that the security and privacy posture is maintained for an organizational system, and works in close collaboration with the System Owner.
B. System Level
a. Task P-8: Mission or Business Focus
Organizational Mission
Our mission is to create a robust and secure system with stringent privacy requirements, tailored to meet the unique needs of the Department of Defense, ensuring seamless business operations. By prioritizing the highest standards of security and privacy, we strive to provide a trusted environment that safeguards sensitive information and enables the Department of Defense to carry out its vital mission with confidence and efficiency.
Purpose of the System
The purpose of this system is to deliver and manage training courses for military personnel.