Policy 7230A - Department of Administration
6. Systems Operation

These Systems Operation Non-Mandatory Procedures support the Enterprise Security Policy (ITEC 7230 Rev 1), and the IT Security Self Assessment Policy (ITEC 7310).

                                                            Mandatory                Non-Mandatory
                                                            Procedures  Baselines    Procedures  Baselines
6. Systems Operation
6.1. Assessment Operations
6.1.1. Perform Security Assessment                          (7 sets) (3 sets)
6.1.2. Perform Security Self Assessment                     (4 sets) (2 sets)
6.2. Integrity Operations
6.2.1. Monitor System Security Controls                     (3 sets) (1 set)
6.3. Maintenance Operations
6.3.1. Plan for, and Provide Notice of, Security Operations (4 sets) (1 set)
6.3.2. Perform Patch and Vulnerability Management           (5 sets) (3 sets)
6.3.3. Securely Maintain Systems                            (2 sets) (2 sets)
6.4. Maintain Records

6.1. Assessment Operations

The following are the Non-Mandatory Procedures that support the Assessment Operations section of the Default Security Requirements:

6.1.1. Perform Security Assessments

Security Assessments are thorough and in-depth security analyses designed to determine the security deficiencies of a system. Agencies should perform Security Assessments to ascertain security concerns that may exist in a system:

6.1.1.1 Identify the Target System

Collect and document the information that defines the system:

6.1.1.2 Develop an Assessment Plan

Create a formal plan that clearly outlines the work that will be performed:

• Determine the scope of assessments to be performed.
• Establish a prioritized assessment schedule.
• Identify and gather required skills and tools.
• Create an assessment implementation plan.
6.1.1.3 Execute the Plan

Apply the developed plan to the targeted system to determine and validate the existence of security compromises:

• Review the system and system documentation to determine the expected security configuration and capabilities of the system:
• Identify and analyze the target system through investigative techniques:
• Validate vulnerabilities that may be discovered: