US Department of State Jay Coplon. My Commitment You will get a sense for how we do C&A You will find value in being here All of your questions will be.

Presentation transcript:

US Department of State
Jay Coplon

My Commitment
You will get a sense for how we do C&A
You will find value in being here
All of your questions will be answered

Key Points
Quantitative Metrics
Toolkits, Tools and Templates
Continuous Monitoring
Questions and Answers

Decision Memo
Authorization to Operate when the Control Limits have not been exceeded.

Decision Memo
Authorization to Operate when the Control Limits have been exceeded.

Risk Score in iPost
Control Limit: 5% or less Medium Risk
Specification Limit: 6-15% Medium Risk
The System Owner will manage their system's iPost Risk Score, which is represented by an average over a 30-day period.

Fully Reporting in iPost
The System Owner will maintain a high level of hosts fully reporting (to iPost) within the accreditation boundary.
Fully means current reporting on hardware, software, patch, vulnerability, and compliance.
Control Limit: falls below 90%
Specification Limit: falls below 70%

Little or No Medium Traditional Risk
The System Owner will maintain a level or state of low or no Medium business risk as determined by traditional C&A.
Control Limit: 5% or less Medium Risk
Specification Limit: 6-15% Medium Risk

Notifications of Change
When risk is above the specification limit, notifications of change will not be considered.
Control Limit: 3 or more consecutive months
Specification Limit: fewer than 3 consecutive months

C&A – How we communicate with our customers
SharePoint Website
Policy, Procedure, Standard
Document Center, organized by categories
Alert Notifications (page and/or document)
Workshops
Tools

SharePoint

Get Ready, Get Set, STOP!
STOP if you exceed any specification limit.
Readiness to Start C&A Checklist
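The four threshold slides above (iPost Risk Score, Fully Reporting, Little or No Medium Traditional Risk, Notifications of Change) and the readiness checklist describe one decision procedure: compute each metric, compare it to its control limit and specification limit, and stop C&A if any specification limit is exceeded. The following is an added example of that procedure as code; it is not the Department of State's iPost implementation. The percentage thresholds and the 30-day averaging window come from the slides; the zone names, the reading of "6-15%" as "above 5% and at most 15%", the treatment of the readiness checklist as "no specification limit exceeded", and the sample daily scores are assumptions made for the example.

```python
"""Control-limit / specification-limit evaluator modelled on the iPost slides.

Added example, not the Department of State's own iPost code. The thresholds
(5% / 6-15% medium-risk score, 90% / 70% fully reporting) are taken from the
slides; the zone names, the boundary handling between 5% and 6%, the sample
risk-score series and the readiness decision rule are assumptions made here.
"""
from statistics import mean
from typing import Iterable

# Thresholds taken from the slides.
RISK_CONTROL_LIMIT = 5.0          # "Control Limit: 5% or less Medium Risk"
RISK_SPEC_LIMIT = 15.0            # "Specification Limit: 6-15% Medium Risk"
REPORTING_CONTROL_LIMIT = 90.0    # "Control Limit: falls below 90%"
REPORTING_SPEC_LIMIT = 70.0       # "Specification Limit: falls below 70%"
RISK_WINDOW_DAYS = 30             # risk score is a 30-day average

# Zone labels are assumed names, not slide text.
WITHIN_CONTROL = "within control limit"
WITHIN_SPEC = "control limit exceeded, within specification limit"
SPEC_EXCEEDED = "specification limit exceeded"


def ipost_risk_score(daily_scores: Iterable[float],
                     window_days: int = RISK_WINDOW_DAYS) -> float:
    """Average the most recent `window_days` daily medium-risk percentages.

    Raises if fewer than `window_days` readings exist: the slide defines the
    score as a 30-day average, and a shorter window would misstate it.
    """
    scores = list(daily_scores)
    if len(scores) < window_days:
        raise ValueError(f"need {window_days} daily readings, got {len(scores)}")
    return mean(scores[-window_days:])


def risk_zone(score: float) -> str:
    """Classify a medium-risk percentage against the 5% / 15% limits.

    Assumption: scores above 5% but at most 15% fall in the specification
    zone (the slide's '6-15%' read as '> 5% and <= 15%').
    """
    if score <= RISK_CONTROL_LIMIT:
        return WITHIN_CONTROL
    if score <= RISK_SPEC_LIMIT:
        return WITHIN_SPEC
    return SPEC_EXCEEDED


def reporting_zone(fully_reporting_pct: float) -> str:
    """Classify the share of hosts fully reporting (hardware, software,
    patch, vulnerability and compliance) against the 90% / 70% limits."""
    if fully_reporting_pct >= REPORTING_CONTROL_LIMIT:
        return WITHIN_CONTROL
    if fully_reporting_pct >= REPORTING_SPEC_LIMIT:
        return WITHIN_SPEC
    return SPEC_EXCEEDED


def ready_to_start_ca(zones: Iterable[str]) -> bool:
    """'Get Ready, Get Set, STOP!': C&A does not start while any
    specification limit is exceeded (assumed reading of the checklist)."""
    return all(z != SPEC_EXCEEDED for z in zones)


def notification_of_change_considered(risk_score: float) -> bool:
    """Notifications of change are not considered while the risk score is
    above the specification limit."""
    return risk_zone(risk_score) != SPEC_EXCEEDED


def evaluate_system(daily_scores, fully_reporting_pct, traditional_medium_risk_pct):
    """Roll the three metrics into one summary an authorizing official could read."""
    risk = ipost_risk_score(daily_scores)
    zones = {
        "ipost_risk": risk_zone(risk),
        "fully_reporting": reporting_zone(fully_reporting_pct),
        "traditional_risk": risk_zone(traditional_medium_risk_pct),
    }
    return {
        "ipost_risk_score": round(risk, 2),
        "zones": zones,
        # Selects which Decision Memo applies: limits exceeded or not.
        "control_limits_exceeded": any(z != WITHIN_CONTROL for z in zones.values()),
        "ready_to_start_ca": ready_to_start_ca(zones.values()),
        "notification_of_change_considered": notification_of_change_considered(risk),
    }


# Constructed sample: 30 days of medium-risk percentages drifting from 4% to 7%,
# so the 30-day average (5.5%) sits just past the control limit.
SAMPLE_DAILY_SCORES = [4.0] * 15 + [7.0] * 15

if __name__ == "__main__":
    from pprint import pprint
    pprint(evaluate_system(SAMPLE_DAILY_SCORES, fully_reporting_pct=92.0,
                           traditional_medium_risk_pct=3.0))
```

With the constructed sample the 30-day average lands at 5.5%, which the function reports as exceeding the control limit but not the specification limit, so the "control limits exceeded" decision memo applies while C&A can still start and notifications of change are still considered. The boundary behaviour between 5% and 6% is the one place the slides leave open; the comparison used here should be replaced by whatever the local procedure actually specifies.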

FIPS 199 and OMB M
Categorize your System
Determine the Assurance Level

Control Selection Tool
Identify which controls have been implemented
How each control has been implemented
C&A and Annual Security Control Assessments
Manage controls over the system's lifecycle

POA&M Tester Database Tool
Linked to the system's FIPS 199 categorization
Import Open Findings from previous assessments
Finding and Recommended Remediation
Failed Controls are identified
Standardizes how the risk is calculated for each finding
Risk Scoping

iPost Continuous Monitoring

Questions and Answers