"Common Non-Disclosure Agreement"
Date: 2007.06.22

Instructions

This spreadsheet is an aggregation and sanitization of all the spreadsheets that I have made over the past year in one version or another. I figured that they could find some object reuse by other people. This spreadsheet is designed to be the core of a CISO's "Book of Death" that allows them to track and manage the IT systems under their purview in an ISM sense. The colloquial phrase "Book of Death" comes from the book that most good leaders in the US Army carry on them about all their soldiers. Feel free to add or detract as you see fit for your own environment or purposes. I would appreciate an email if you are using this or have recommendations to make it better.

Have Fun,
Mike Smith
http://www.guerilla-ciso.com/
email@example.com
firstname.lastname@example.org

Color Bars for You to Use: High | Moderate | Low

Tab: Policy Framework

The purpose of this tab is to track the status of individual components of your policy framework. The original concept was a security-specific policy, but ITIL-esque components were added later. Feel free to add or detract from the framework as necessary.
Status / Origin legend (sample rows):

| Number | Name | Status | Origin |
| 1.0.0 | Information Protection | In Review | Implied |
| 1.0.1 | Policy Enforcement | Draft | Corp Policy |
| 1.0.2 | Information Sensitivity | Approved | NISPOM |

Policy framework tracking sheet:

| Number | Name | Policy Owner | Status |
| 1.0.0 | Policy Governance | | In Review |
| 1.1.0 | Information Protection | Joe ISM | Draft |
| 1.2.0 | Policy Enforcement | | Approved |
| 1.3.0 | Information Sensitivity and Categorization | | |
| 2.0.0 | Risk Management and Assessment | | |
| 2.1.0 | Risk Planning | | |
| 2.2.0 | Risk Assessment | | |
| 2.3.0 | Certification, Accreditation, and Security Assessments | | |
| 3.0.0 | Physical Security and Environmental Protection | | |
| 3.1.0 | Badge and Access Control | | |
| 3.2.0 | Data Center Safety | | |
| 3.3.0 | Physical Incident Response | | |
| 3.4.0 | Physical Maintenance | | |
| 3.5.0 | Media Protection | | |
| 4.0.0 | Service Infrastructure | | |
| 4.1.0 | Dedicated Infrastructure | | |
| 4.2.0 | Shared Infrastructure | | |
| 4.3.0 | Data Center Services | | |
| 5.0.0 | Configuration and Change Management | | |
| 5.1.0 | Change Management & Control | | |
| 5.2.0 | Configuration Management & Control | | |
| 5.3.0 | System and Services Acquisition | | |
| 5.4.0 | Asset Inventory and Control | | |
| 5.5.0 | System Naming Conventions | | |
| 6.0.0 | Disaster Recovery and Business Continuity | | |
| 6.1.0 | IT Contingency Planning | | |
| 6.2.0 | Service Continuity Management | | |
| 6.3.0 | Requirements | | |
| 6.4.0 | Develop BCP/DR | | |
| 6.5.0 | Implement BCP/DR | | |
| 6.6.0 | Maintain BCP/DR | | |
| 6.7.0 | BCP/DR Training | | |
| 7.0.0 | Personnel Security | | |
| 7.1.0 | Position Categorization | | |
| 7.2.0 | Acceptable Use Policy | | |
| 7.3.0 | Security Awareness and Training | | |
| 7.4.0 | Non-Clearable Personnel | | |
| 7.5.0 | Employee Termination | | |
| 7.6.0 | Employee On-Boarding | | |
| 8.0.0 | IT Systems Security | | |
| 8.1.0 | IT Maintenance | | |
| 8.2.0 | IT Access Control | | |
| 8.3.0 | IT Audit and Accountability | | |
| 8.4.0 | Identification and Authentication | | |
| 8.5.0 | IT Interconnections | | |
| 8.6.0 | Wireless Communications | | |
| 8.7.0 | System and Communications Protection | | |
| 8.8.0 | System and Information Integrity | | |
| 8.9.0 | Warning Banners | | |
| 9.0.0 | Project Management | | |
| 9.1.0 | Communication | | |
| 9.2.0 | Strategic Planning | | |
| 10.0.0 | Incident Management | | |
| 10.1.0 | IT Security Incident Response | | |
| 10.2.0 | IT Operational Incident Resolution | | |
| 10.3.0 | Desktop Support | | |
| 10.4.0 | Server Support | | |
| 10.5.0 | Network Support | | |
| 10.6.0 | Database Support | | |
| 10.7.0 | Messaging Support | | |
| 11.0.0 | Problem Management | | |
| 11.1.0 | Fault Monitoring | | |
| 11.2.0 | Fault Recovery | | |
| 11.3.0 | Problem Analysis | | |
| 11.4.0 | Root Cause Analysis | | |
| 12.0.0 | Release Management | | |
| 12.1.0 | Technology Refresh | | |
| 12.2.0 | Desktop Services | | |
| 12.3.0 | Server Services | | |
| 12.4.0 | Network Services | | |
| 12.5.0 | Database Services | | |
| 12.6.0 | Messaging Services | | |
| 13.0.0 | Service Desk | | |
| 13.1.0 | Help Desk | | |
| 13.2.0 | Consumable Provisioning | | |
| 14.0.0 | Service-Level Management | | |
| 14.1.0 | SLA Development | | |
| 14.2.0 | SLA Monitoring | | |
| 14.3.0 | Standards Development | | |
| 14.4.0 | Standards Monitoring | | |
| 15.0.0 | Capacity Management | | |
| 15.1.0 | Capacity Planning | | |
| 15.2.0 | Business Requirements Analysis | | |
| 15.3.0 | Performance Monitoring | | |
| 15.4.0 | Capacity Monitoring | | |
| 16.0.0 | Availability Management | | |
| 16.1.0 | Performance Tuning | | |
| 16.2.0 | Outage Analysis | | |
| 16.3.0 | Fault Tree Analysis | | |
| 17.0.0 | Financial Management | | |
| 17.1.0 | Cost Accounting | | |
| 17.2.0 | Contract Management | | |
| 17.3.0 | RFP Management | | |
| 17.4.0 | Budgeting | | |
| 18.0.0 | Quality Management | | |
| 18.1.0 | Quality Management Plan | | |

Addenda:
A. Rules of Behavior
B. Non-Disclosure Agreement
C. Glossary

Further columns on this sheet: Notes, Sets Authority for Policy, Document Link, References & Guidance, Notes. Sample values present in the template: http://intranet/path/filename (Document Link), Implied, FIPS-199, NIST SP 800-60, PCI DSS.

Tab: Systems

The purpose of this tab is to track the subcomponents of your network as you break them down into "bite-sized pieces".

Columns: System ID, Short Name, Full Name, System Owner, ISSO, Criticality (Owner), Criticality (Enterprise), Boundaries Established, Last Risk Assessment, Connects With, Comments.

Sample row:
System ID: 1
Short Name: FooNet
Full Name: Foo Corporate LAN/WAN
System Owner: Mike Smith
ISSO: Joe Smith
Criticality (Owner): Moderate
Criticality (Enterprise): Moderate
Boundaries Established: Yes
Last Risk Assessment: 10/4/2006
Connects With: System 2, System 3
Comments: Will be decommissioned 01/01/2009

Tab: Audit Findings

The purpose of this tab is to track audit findings and responses until a mitigation plan is agreed upon.
Columns: ID, Environment or System, Finding, Consequences, System Risk, Enterprise Risk, System Owner's Response, Auditor's Response, Mitigation Plan, Comments.

Sample row:
ID: 1
Environment or System: FooNet
Finding: Backup system not fully tested
Consequences: Not able to meet restore and COOP objectives
System Risk: High
Enterprise Risk: Moderate
System Owner's Response: We have a project plan, budget and a project manager designated to lead this effort.
Auditor's Response: Concur with system owner. At publication of first version of BCP, will revise system risk to moderate.
Mitigation Plan: Develop BCP; Develop backup and restore plan; Deploy hot site
Comments: Some tape backup working as of 01/01/2007

Tab: Risks

The purpose of this tab is to track unmitigated risks as a long-term tracking sheet.

Columns: ID, Environment or System, Risk Description, Consequences, System Risk, Enterprise Risk, Mitigation Plan, Resources Required, Mitigation Actions and Milestones, Comments.

Sample row:
ID: 1
Environment or System: FooNet
Risk Description: Backup system not fully tested
Consequences: Not able to meet restore and COOP objectives
System Risk: High
Enterprise Risk: Moderate
Mitigation Plan: Develop BCP; Develop backup and restore plan; Deploy hot site
Resources Required: Need to hire additional Backup Admin
Mitigation Actions and Milestones: 01/01/2007 First bare-metal restore test
Comments: Some tape backup working as of 01/01/2007

Tab: Incidents

The purpose of this tab is to track incidents for closure and then statistics.

Columns: Serial, Date of Notification, Organization, Description, Investigator, Category, Date of Closure, Outcome, Recommended Actions.

Sample row:
Serial: 200700101-01
Date of Notification: 1/1/2007
Organization: NOC
Description: Missing Laptop
Investigator: Smith
Category: Asset Management
Date of Closure: 1/14/2007
Outcome: Handed over to Local Police
Recommended Actions: Bag Inspections; Equipment Sign-Out; Property Passes

Tab: Waivers

The purpose of this tab is to track waivers that are granted as an exception to policy, procedures, or security architectural model.

Columns: Waiver ID, Requester, Description, Risk Rating (system component only), Risk Rating (enterprise), Approver, Date Approved, Mitigation Action, Milestone Due Date.

Sample row:
Waiver ID: Waiver 07-01-01-01
Requester: Smith
Description: Firewall rules to allow WSUS servers in trusted internal zone to Internet to allow updates
Risk Rating (system component only): Low
Risk Rating (enterprise): Low
Approver: Smith
Date Approved: 1/1/2007
Mitigation Action: Deployment of a WSUS server for Grackle and the Internet access for it to pull the new patches from Microsoft
Milestone Due Date: 90 Days

Tab: Assets

The purpose of this tab is to record the various pieces of our subcomponents so that we know exactly which assets belong to a particular system.

| Hostname | IP | Function | System Administrator |
| rainbow | 10.1.1.1 | Router | |
| salmon | 10.1.1.2 | Switch | |
| brownie | 10.1.1.3 | Switch | |

Tab: Requirements Traceability Matrix

The purpose of this tab is to build a requirements traceability matrix and implementation details.

Columns: Control Identifier, Reference, Control, Requirement Description, Common or Hybrid Controls, External Dependencies, Implementation Details.

Sample row:
Control Identifier: 1.1.1
Reference: NIST SP 800-53
Control: RA-1
Requirement Description: Risk Assessment Policy and Procedures
Common or Hybrid Controls: Common enterprise-wide control
External Dependencies: Corporate Budget Process
Implementation Details: Have policy, needs procedure work