app ca security assessment summary template 030408
TRANSCRIPT
7/27/2019 App CA Security Assessment Summary Template 030408
http://slidepdf.com/reader/full/app-ca-security-assessment-summary-template-030408 1/39
[Insert System Name/Acronym]
Security Categorization: [Insert Security Categorization]
Security Assessment Summary Report, Version [Insert #]
[Insert Date]
Prepared by
[Insert Group/Organization/Company Name] [Insert Street Address]
[Insert City, State, and Zip Code]
[Insert Group/Organization Name] [Insert System Acronym] Version [Insert #]
DOCUMENT CHANGE CONTROL

Version       | Release Date  | Summary of Changes | Addendum Number     | Name
[Version 0.1] | [Insert Date] | [First Draft]      | [Insert Addendum #] | [Insert Name]
[Version 0.2] | [Insert Date] | [Final Draft]      | [Insert Addendum #] | [Insert Name]
[Version 1.0] | [Insert Date] | [Final]            | [Insert Addendum #] | [Insert Name]
TABLE OF CONTENTS
1. EXECUTIVE SUMMARY
2. INTRODUCTION
   2.1 System Description
   2.2 Purpose
   2.3 Scope
   2.4 Structure
3. METHODOLOGY
   3.1 Step 1: Identify Threats
       3.1.1 Threat Statement Listing
   3.2 Step 2: Identify Vulnerabilities
   3.3 Step 3: Analyze Risk
       3.3.1 Likelihood
       3.3.2 Impact
       3.3.3 Risk Level
   3.4 Step 4: Identify Recommended Corrective Actions
   3.5 Step 5: Document Results
4. RISK ASSESSMENT RESULTS
5. ACCREDITATION RECOMMENDATION
   5.1 Priority Mitigation Actions
6. FUTURE ENHANCEMENTS
ACRONYMS
APPENDIX A. REFERENCES
APPENDIX B. SECURITY TEST AND EVALUATION (ST&E)
PRIVACY IMPACT ASSESSMENT (PIA)
APPENDIX C. E-AUTHENTICATION RISK ASSESSMENT
APPENDIX D. AUDIT REPORTS
ORGANIZATIONAL COMMON CONTROLS SAR
[This sample format provides a template for preparing a Security Assessment Summary Report for systems. The template is intended to be used as a guide, and the preparer should modify the format as necessary to comply with internal policies. Where practical, the guide provides instructions [in blue, bolded text] for completing specific sections.]
1. EXECUTIVE SUMMARY
The [Insert System Name/Acronym] system has been determined to be a [Insert Major or Minor] System and has been determined to have a security categorization of [Insert High, Moderate, or Low].
The periodic assessment of risk to agency operations or assets resulting from the operation of an information system is an important activity required by FISMA. The [Insert Group/Organization/Company Name] team prepared this Security Assessment Summary Report in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. The results captured within this Report are intended to be an addition to any existing Risk Assessments performed outside of the Certification and Accreditation (C&A) process. It summarizes the risks associated with the vulnerabilities identified during the system's Security Test & Evaluation (ST&E), Privacy Impact Assessment (PIA), e-Authentication Risk Assessment, audits, and any other risk assessment activities. This SAR also serves as the ST&E Report referenced in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. All results were analyzed to provide the Certifier with an assessment of the management, operational, and technical controls implemented to protect the confidentiality, integrity, and availability of the system, as documented in the System Security Plan (SSP). Table 1 below provides the total number of system-specific security risks, by risk level and control category.
Table 1: Summary of System Security Risks
[Populate this table using the data in Table 12. Insert the number of risks for each control category and risk level. Also, include total numbers for each column and row.]

                    Control Category
Risk Level   | Management | Operational | Technical | Total
High         |            |             |           |
Medium       |            |             |           |
Low          |            |             |           |
Total        |            |             |           |
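One way to roll the detailed findings up into Table 1, as an added example that is not part of the template: it assumes the Table 12 findings are available as (NIST SP 800-53 control identifier, risk level) records, and it assigns each control family to the Management, Operational or Technical class using the classification in NIST SP 800-53 Rev. 3; the sample findings are constructed, and placeholder levels such as TBD or N/A are rejected rather than counted.

```python
"""Build Table 1 (system security risks by risk level and control category).

Added example, not part of the template. It assumes the detailed finding list
(Table 12 in the template) is available as (control identifier, risk level)
records, where the identifier is a NIST SP 800-53 control such as "AC-2" or
"SC-7(3)". The family-to-class mapping below is the Management / Operational /
Technical assignment from NIST SP 800-53 Rev. 3, Table 1.
"""

CATEGORIES = ("Management", "Operational", "Technical")
RISK_LEVELS = ("High", "Medium", "Low")

# NIST SP 800-53 control family -> control class (SP 800-53 Rev. 3, Table 1).
FAMILY_CLASS = {
    "CA": "Management", "PL": "Management", "RA": "Management", "SA": "Management",
    "AT": "Operational", "CM": "Operational", "CP": "Operational",
    "IR": "Operational", "MA": "Operational", "MP": "Operational",
    "PE": "Operational", "PS": "Operational", "SI": "Operational",
    "AC": "Technical", "AU": "Technical", "IA": "Technical", "SC": "Technical",
}

# Constructed sample findings standing in for Table 12 (not real results).
SAMPLE_FINDINGS = [
    ("AC-2", "High"), ("SC-7", "High"), ("CM-6", "Medium"), ("RA-5", "Medium"),
    ("IA-5", "Medium"), ("AU-6", "Low"), ("IR-4", "Low"), ("PL-2", "Low"),
]


def control_category(control_id):
    """Map a control identifier ("AC-2", "SC-7(3)", "ca-2") to its class."""
    family = control_id.strip().upper().split("-", 1)[0]
    if family not in FAMILY_CLASS:
        raise ValueError("unknown control family in %r" % control_id)
    return FAMILY_CLASS[family]


def summarize_risks(findings):
    """Return {risk_level: {category: count, "Total": n}, "Total": {...}}.

    Rejects placeholder levels such as "TBD" or "N/A": the template requires
    every risk to be High, Medium or Low before it can be counted.
    """
    matrix = {level: {cat: 0 for cat in CATEGORIES} for level in RISK_LEVELS}
    for control_id, level in findings:
        level = level.strip().title()
        if level not in matrix:
            raise ValueError("risk level must be High, Medium or Low, got %r" % level)
        matrix[level][control_category(control_id)] += 1
    for level in RISK_LEVELS:                      # row totals
        matrix[level]["Total"] = sum(matrix[level][cat] for cat in CATEGORIES)
    matrix["Total"] = {                            # column totals + grand total
        col: sum(matrix[level][col] for level in RISK_LEVELS)
        for col in CATEGORIES + ("Total",)
    }
    # Every finding is counted exactly once; the grand total must reconcile.
    assert matrix["Total"]["Total"] == len(findings)
    return matrix


def render_table(matrix):
    """Render the matrix in the row/column layout of Table 1 as plain text."""
    cols = CATEGORIES + ("Total",)
    lines = ["%-12s" % "Risk Level" + "".join("%13s" % c for c in cols)]
    for row in RISK_LEVELS + ("Total",):
        lines.append("%-12s" % row + "".join("%13d" % matrix[row][c] for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(summarize_risks(SAMPLE_FINDINGS)))
```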
In certain instances, the system may not have the technical capability to implement a security control, or the system owner may make a risk-based decision not to implement a control based on the cost or feasibility of implementing the control relative to risk. The status of such controls is documented as risk-based in the SSP. A summary of these controls and the justification for each are provided in Table 2.
Table 2: Summary of Risk Based Decisions
[Populate this table using controls in the SSP that have been designated as Risk Based Decisions. DO NOT USE TBD or N/A. None is an appropriate answer if there are no Risk Based Decisions for the system.]

Management, Operational, or Technical | Control Identifier | Description | Justification
All [Insert Group/Organization/Company Name] systems rely on certain organizational controls that are implemented at the Enterprise level (e.g. Security Policies). Risks relating to these organizational controls should be considered when assessing the system's security posture. Table 3 provides the total number of [Insert Group/Organization/Company Name] organizational security risks, by impact level and control category. Please refer to Appendix G for more details regarding the organizational level risks.
Table 3: Summary of Organizational Security Risks

                    Control Category
Risk Level   | Management | Operational | Technical | Total
High         |            |             |           |
Medium       |            |             |           |
Low          |            |             |           |
Total        |            |             |           |
Note: The detailed results of the organizational common controls are documented in the accompanying [Insert Group/Organization/Company Name] Organizational Common Controls Security Assessment Report (SAR) dated [Insert Date]. These common controls are updated and assessed annually for each FISMA year.
Table 4 provides a summary of the audit findings specific to the system.
Table 4: Summary of System Audit Findings
[Populate this table using applicable audit Reports for the system. DO NOT USE TBD or N/A. None is an appropriate answer.]

Audit Finding | Date of Audit | Reported by | Associated NIST Control Family

Table 4a provides a summary of the audit findings related to the Organizational Common Controls.
Table 4a: Summary of Organization Level Audit Findings
[Populate this table using applicable audit Reports for the organization. DO NOT USE TBD or N/A. None is an appropriate answer.]

Audit Finding | Date of Audit | Reported by | Associated NIST Control Family
Table 4b provides a summary of [Insert Group/Organization/Company Name] material weaknesses related to computer security.
Table 4b: Summary of Computer Security Material Weaknesses
[Populate this table with any computer security material weaknesses that have been identified for the organization. DO NOT USE TBD or N/A. None is an appropriate answer.]

Material Weakness | Domain(s) | Associated NIST Control Family
Due to the inherent relationship between the system and the underlying General Support System(s) (GSS), GSS risks may impact the overall system security posture. A summary of the GSS risks is provided in Table 5 for the system owner to consider when making the accreditation decision. For more information on the risks that were identified for the GSS(s) and the status of the mitigation of these risks, refer to the respective Plan of Action and Milestones (POA&M) for the GSS(s).
Table 5: Summary of GSS Security Risks
[Populate this table using applicable C&A results for each GSS which supports the system. Obtain the list of supporting GSSs from the "Interconnection" table in section 2.1.5 of the SSP. DO NOT USE TBD or N/A. None is an appropriate answer.]

GSS | GSS Accreditation Status/Date | Date of GSS POA&M | NIST Control Families with Vulnerabilities Identified / Number of POA&M Items (per NIST Control Family)
In order to provide a more holistic view of the risks to the system, [Insert Group/Organization/Company Name] included the GSS components directly supporting the system within the scope of the ST&E. The purpose of including these GSS components as part of the system ST&E is to specifically identify GSS-level risks that may impact the security posture of the system, providing the Designated Approving Authority (DAA) with a higher level of assurance in making an accreditation decision for the system. The scope of the system ST&E included the following GSS components: [include a listing of system-specific GSS components that were tested]. For more information on the risks identified for the GSS components, refer to Table 12a and the ST&E matrix listed in Appendix B of the report. Table 5a provides a summary of the risks identified for the GSS components directly supporting the system.
Table 5a: Summary of Risks Identified for GSS Components Directly Supporting [Insert System Acronym]
[Populate this table using applicable C&A results for system-specific GSS components which were tested as part of the system C&A effort. DO NOT USE TBD or N/A. None is an appropriate answer if no GSS risks were identified.]

GSS | GSS Component | NIST Control Families with Vulnerabilities Identified / Number of POA&M Items (per NIST Control Family)

Refer to the [Insert System Acronym] Certification Memorandum for the accreditation recommendation.
2. INTRODUCTION
The [Insert System Name/Acronym] system has been determined to be a [Insert Major or Minor] System and has been determined to have a security categorization of [Insert High, Moderate, or Low].
The periodic assessment of risk to agency operations or assets resulting from the operation of an information system is an important activity required by FISMA. [Insert Group/Organization/Company Name] prepared this Security Assessment Summary Report in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. It summarizes the risks associated with the findings identified during the system's Security Test & Evaluation (ST&E), Privacy Impact Assessment (PIA), e-Authentication Risk Assessment, audits, and any other risk assessment activities. This report also serves as the ST&E Report referenced in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.
2.1 System Description
[Insert a description of the business purpose of the system and the system environment, as described in the system's System Security Plan. In addition, include a reference to the SSP for more information about the system. Ensure this section is continuously updated with the latest description from the System Security Plan.]
2.2 Purpose
The purpose of this Security Assessment Summary Report is to provide the Certifier and the Designated Approving Authority with a more holistic view of risk regarding the system. It documents the security assessment activities that were performed on the system and the results of those activities, including ST&E, PIA, e-Authentication Risk Assessment, audits, and any other risk assessment activities. This report provides the system's stakeholders with an assessment of the adequacy of the management, operational, and technical controls used to protect the confidentiality, integrity, and availability of the system and the data it stores, transmits or processes.
2.3 Scope
The scope of the report includes the assessment of the system level management, operational, and technical controls as documented in the system SSP and the GSS components that directly support the system. The evaluation of the controls provided by the GSS(s) on which the system resides is documented in the individual GSS C&A packages. A summary of the GSS risks is provided in Tables 5 and 5a for the DAA to consider when making the accreditation decision. Additionally, controls considered to be common security controls, as defined in NIST SP 800-53, were assessed. The results of the assessment of these common controls are summarized in Table 3 in the Executive Summary section of this report.
The following system components were assessed in this report: [Bullet point the components of the system that were assessed and listed in the boundary scope memo; see the example below.]
• App Module 1
• App Module 2
The following GSS components that directly support the system were also assessed in this report: [Bullet point the GSS components that directly support the system which were assessed and listed in the boundary scope memo; see the example below.]
• UNIX Server (GSS [Insert GSS Name])
• Oracle Database Server (GSS [Insert GSS Name])
2.4 Structure
The remainder of the Report is structured as follows:
• Section 3 - provides an overview of the Security Assessment Methodology
• Section 4 - provides a summary of the Risk Assessment Results
• Section 5 - contains the Accreditation Recommendation
• Appendices provide the detailed findings from the ST&E, PIA, e-Authentication Risk Assessment, and Audits
3. METHODOLOGY
This section describes the methodology used to conduct the security assessment for the system. The methodology consists of the following steps:
Step 1. Identify Threats
Step 2. Identify Vulnerabilities
Step 3. Analyze Risks
Step 4. Identify Recommended Corrective Actions
Step 5. Document Results
3.1 Step 1: Identify Threats
This step begins with compiling a threat statement listing potential threat-sources that are applicable to the system.
3.1.1 Threat Statement Listing
Table 6 provides an overview of the threat sources considered for the system risk assessment.
Table 6: Threat Source List
Columns: Identifier | Source and Type | Capabilities | Threat Scenarios | Intentions/Motivations | Resources

T-01
  Source and Type: Foreign Intelligence Service over the Internet; Outsider
  Capabilities: Highest level of sophistication
  Threat Scenarios: Hacking; Impersonation; Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious: Political Gain; Economic Gain; Military Gain
  Resources: Substantial (i.e., Government Financed)

T-02
  Source and Type: Terrorist over the Internet; Outsider
  Capabilities: Highest level of sophistication
  Threat Scenarios: Hacking; Impersonation; Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious: Political Gain; Economic Gain; Military Gain; Denial of Service; Threaten Harm to Individuals; Create Chaos
  Resources: Substantial (i.e., Government Financed)

T-03
  Source and Type: Organized Crime over the Internet; Outsider
  Capabilities: Highest level of sophistication
  Threat Scenarios: Hacking; Impersonation; Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious: Economic Gain; Political Gain
  Resources: Moderate to Substantial

T-04
  Source and Type: Individual Hacker over the Internet; Outsider
  Capabilities: Many levels of sophistication
  Threat Scenarios: Hacking; Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious: Challenge; Ego; Rebellion; Create Chaos
  Resources: Minimal to Moderate

T-05
  Source and Type: Disgruntled Former Employee over the Internet; Outsider
  Capabilities: Many levels of sophistication
  Threat Scenarios: Hacking; Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious: Revenge; Curiosity; Ego; Monetary Gain
  Resources: Minimal to Moderate

T-06
  Source and Type: Disgruntled Employee - System administrator, Engineering team; Local (physically on-site) via Intranet (within the firewall); Insider
  Capabilities: High degree of technical sophistication
  Threat Scenarios: Unauthorized Access; Browsing Proprietary Information; Fraud and Theft; Input of Falsified/Corrupt Information; Sabotage
  Intentions/Motivations: Malicious: Revenge; Curiosity; Ego; Monetary Gain
  Resources: Moderate

T-07
  Source and Type: Disgruntled Employee - Technical support personnel; Local (physically on-site) via Intranet (within the firewall); Insider
  Capabilities: High degree of technical sophistication
  Threat Scenarios: Unauthorized Access; Browsing Proprietary Information; Fraud and Theft; Input of Falsified/Corrupt Information; Sabotage
  Intentions/Motivations: Malicious: Revenge; Curiosity; Ego; Monetary Gain
  Resources: Moderate

T-08
  Source and Type: Cleaning crew, service repair crew; Local (physically on-site) and via Company Intranet (within the firewall); Insider
  Capabilities: Many levels of technical sophistication
  Threat Scenarios: Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious: Curiosity; Ego; Monetary Gain
  Resources: Moderate

T-09
  Source and Type: Careless clerical employee; Local (physically on-site) and via Company Intranet (within the firewall); Insider
  Capabilities: Rudimentary degree of technical sophistication
  Threat Scenarios: Input of Corrupt Information
  Intentions/Motivations: Non-Malicious: Unintentional Errors and Omissions
  Resources: Minimal
3.2 Step 2: Identify Vulnerabilities
The goal of this step is to develop a list of the system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat-sources. The identification of vulnerabilities can take many forms based on the various types of risk assessments. The following were used to determine the vulnerabilities within the system:
The ST&E was used to determine the completeness and effectiveness of the system's security controls. Appendix B provides a detailed listing of findings.
The Privacy Impact Assessment was utilized to determine the system's compliance with federal Privacy requirements. The Privacy Impact Assessment appendix provides a detailed listing of findings.
The e-Authentication Risk Assessment was utilized to determine the system's compliance with federal e-Authentication requirements. Appendix C provides a detailed listing of findings.
Security Risk Assessments and Engineering Risk Based Reviews were reviewed, if available, to determine risks identified as part of the System Development Life Cycle or as part of a separate technical evaluation.
Findings identified as part of the above-mentioned risk assessment activities were reviewed and grouped into risks by NIST SP 800-53 control family, or by findings that were related to one another. Additionally, during the consolidation process, findings were grouped by NIST SP 800-53 management, operational, and technical control classes in order to facilitate the reporting of risks in Table 1 of this document.
3.3 Step 3: Analyze Risk
The risk analysis for each vulnerability consists of assessing the threats and compensating controls to determine the likelihood that the vulnerability could be exploited and the potential impact should the vulnerability be exploited. A general depiction of the analysis is shown in Figure 1, where risk is the intersection of a threat and a vulnerability, influenced by likelihood and impact:
Figure 1. Link Between Likelihood, Impact and Risk
Essentially, risk is proportional to both the likelihood of exploitation and the possible impact. The following sections provide a brief description of each component used to determine the risk.
3.3.1 Likelihood
The likelihood that a given vulnerability will be exploited by a threat is determined by analyzing the effectiveness of compensating controls against the threat capability. Compensating controls consist of measures in place that assist in mitigating the magnitude of a given vulnerability. Threat capability is defined as the means, opportunity, and motive of a given threat agent. Threat capabilities are defined in Table 7.
Table 7: Threat Capability Components
Component | Description
Means | Means is the mechanism for fulfillment in exploiting the vulnerability. Threat agents are continuously achieving a higher level of means due to the level of sophistication available in easily obtained intrusion tools.
Opportunity | The opportunity for attack is determined by the threat agent's level of access to the system. One of the greatest opportunity differences between threat agents is an insider versus an outsider to the organization, with the insider having far more opportunity to exploit vulnerabilities.
Motive | The motive of a threat agent is his or her desire to exploit the vulnerability. Motive can be influenced by the sensitivity of data, the desire for monetary gain, or the potential publicity implications of an attack against a highly visible organization.
Once the threat capability and the compensating control effectiveness are assessed for the vulnerability, the overall likelihood of the threat exploiting the vulnerability is determined using the matrix in Table 8.
Table 8: Likelihood Matrix
Threat Capability \ Compensating Control Effectiveness | Low | Medium | High
High | High | High | Medium
Medium | Medium | Medium | Low
Low | Low | Low | Low
The likelihood of the vulnerability being exploited is the intersection of the threat capability category and the compensating control effectiveness category. For example, if the compensating control effectiveness is "High," the resulting likelihood of exploitation is "Medium" for a "High" threat capability and "Low" for a "Medium" threat capability. Table 9 shows the definitions for each likelihood level. Note that a "High" effectiveness for compensating controls cannot completely reduce the likelihood of exploitation by a "High" capability threat.
Table 9: Likelihood Descriptions
Likelihood | Description
High | The capability of the threat is significant, and compensating controls to reduce the probability of vulnerability exploitation are insufficient.
Medium | The capability of the threat is medium, and implemented compensating controls lessen the probability of vulnerability exploitation.
Low | The capability of the threat is limited, and compensating controls are in place that effectively reduce the probability of vulnerability exploitation.
3.3.2 Impact
Impact refers to the magnitude of potential harm that may be caused by successful exploitation. It is determined by the value of the resource at risk, both in terms of its inherent (replacement) value and its importance (criticality) to business missions, and by the sensitivity of the data contained within the system. The results of the system security categorization for each system, discussed in each system's respective SSP, are used as an aid in determining the individual impact estimation for each finding. The level of impact is rated as High, Moderate, or Low, and a description for each level of impact is provided in Table 10.
Table 10: Impact Definitions
Magnitude of Impact | Impact Definition
High | Exercise of the vulnerability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
Moderate | Exercise of the vulnerability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
Low | Exercise of the vulnerability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
3.3.3 Risk Level
The risk level for the finding is the intersection of the likelihood value and the impact value, as depicted in Table 11.
Table 11: Risk Level Matrix
Likelihood \ Impact | High | Moderate | Low
High | High | Medium | Low
Medium | Medium | Medium | Low
Low | Low | Low | Low
3.4 Step 4: Identify Recommended Corrective Actions
The finding and its associated risk level were used to determine the recommendations that should be applied as a means to mitigate the risk. When identifying recommendations, the following were taken into consideration: level of effort, costs, emerging technologies, time constraints, and feasibility.
3.5 Step 5: Document Results
The results of the risk assessment were documented, providing the finding, business impact statement, recommended corrective actions, likelihood, impact, and risk level. Refer to Section 4.0 of this report for the risk assessment results.
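The following is an added example, not part of this template, that carries Steps 3 through 5 above through in Python for a handful of findings. The two matrices are Table 8 and Table 11 as printed in this section; the sample findings, their control identifiers and test case numbers, and the "Moderate" categorization are constructed for illustration; and the consolidation rule (one risk per NIST SP 800-53 control family, carrying the worst rating among its findings) is an assumption about how the Step 2 grouping is applied. The check that every risk's impact equals the system's security categorization is the instruction printed above Table 12; the example includes one finding that violates it on purpose.

```python
"""Steps 3 to 5 of the report methodology on constructed sample findings.
Added example (not the template's own code); the findings and the
'categorization' value are invented, and per-family consolidation is an
assumption about how the Step 2 grouping is applied."""
from collections import defaultdict

LEVELS = ("Low", "Medium", "High")        # likelihood and risk level scale
IMPACTS = ("Low", "Moderate", "High")     # impact scale (FIPS 199 wording)

# Table 8: row = threat capability, column = compensating control effectiveness.
LIKELIHOOD_MATRIX = {
    "High":   {"Low": "High",   "Medium": "High",   "High": "Medium"},
    "Medium": {"Low": "Medium", "Medium": "Medium", "High": "Low"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Low"},
}

# Table 11: row = likelihood, column = impact.
RISK_MATRIX = {
    "High":   {"High": "High",   "Moderate": "Medium", "Low": "Low"},
    "Medium": {"High": "Medium", "Moderate": "Medium", "Low": "Low"},
    "Low":    {"High": "Low",    "Moderate": "Low",    "Low": "Low"},
}


def likelihood(threat_capability, control_effectiveness):
    """Table 8 lookup. Values outside the three levels raise, so a typo in a
    findings spreadsheet cannot silently rate as 'Low'."""
    if threat_capability not in LEVELS or control_effectiveness not in LEVELS:
        raise ValueError("threat capability and control effectiveness must be Low, Medium or High")
    return LIKELIHOOD_MATRIX[threat_capability][control_effectiveness]


def risk_level(likelihood_value, impact):
    """Table 11 lookup with the same input validation."""
    if likelihood_value not in LEVELS or impact not in IMPACTS:
        raise ValueError("likelihood must be Low/Medium/High; impact must be Low/Moderate/High")
    return RISK_MATRIX[likelihood_value][impact]


def rate_finding(finding, system_categorization):
    """Step 3 for one finding. Impact defaults to the system's security
    categorization; an explicit per-finding impact is kept as given so that
    check_impact() can flag it later."""
    lik = likelihood(finding["capability"], finding["control_effectiveness"])
    impact = finding.get("impact", system_categorization)
    return {**finding, "likelihood": lik, "impact": impact,
            "risk_level": risk_level(lik, impact)}


def consolidate(findings, system_categorization):
    """Steps 3 and 5: rate every finding, then group the rated findings into
    one risk per NIST SP 800-53 control family (the 'AC' of 'AC-2'). Each
    risk carries the likelihood, impact and risk level of its worst finding."""
    by_family = defaultdict(list)
    for finding in findings:
        family = finding["control"].split("-")[0]
        by_family[family].append(rate_finding(finding, system_categorization))
    risks = []
    for number, (family, items) in enumerate(sorted(by_family.items()), start=1):
        worst = max(items, key=lambda item: LEVELS.index(item["risk_level"]))
        risks.append({
            "identifier": number,
            "family": family,
            "source": sorted(item["test_case"] for item in items),
            "likelihood": worst["likelihood"],
            "impact": worst["impact"],
            "risk_level": worst["risk_level"],
        })
    return risks


def check_impact(risks, system_categorization):
    """The Table 12 instruction: every risk's impact must equal the system's
    security categorization. Returns the identifiers that violate it."""
    return [risk["identifier"] for risk in risks if risk["impact"] != system_categorization]


def tally(risks):
    """Counts per risk level, as quoted in the accreditation recommendation."""
    counts = {level: 0 for level in LEVELS}
    for risk in risks:
        counts[risk["risk_level"]] += 1
    return counts


# Constructed sample findings; not results from any real ST&E.
SAMPLE_FINDINGS = [
    {"control": "IA-2", "test_case": "APPIA2-1A", "capability": "High",   "control_effectiveness": "High"},
    {"control": "IA-5", "test_case": "APPIA5-1A", "capability": "Medium", "control_effectiveness": "High"},
    {"control": "AC-2", "test_case": "APPAC2-1B", "capability": "High",   "control_effectiveness": "Low"},
    {"control": "CM-6", "test_case": "APPCM6-2A", "capability": "Low",    "control_effectiveness": "Low",
     "impact": "High"},   # deliberately inconsistent with the "Moderate" categorization used below
]

if __name__ == "__main__":
    risks = consolidate(SAMPLE_FINDINGS, "Moderate")
    for risk in risks:
        print(risk)
    print("risk level counts:", tally(risks))
    print("risks whose impact differs from the categorization:", check_impact(risks, "Moderate"))
```

Two things the run makes visible that the prose only states: the IA-2 finding stays at "Medium" likelihood even though its compensating controls are rated "High" (the Table 8 caveat), and the CM-6 risk is reported by check_impact() because its impact was entered as "High" against a "Moderate" system.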
4. RISK ASSESSMENT RESULTS
This section documents the technical and non-technical security risks to the system. These risks have been determined by applying the methodology outlined in Section 3 of this document to the vulnerabilities identified by the various security reviews that have been performed for the system (as applicable: ST&E, PIA, e-Authentication Risk Assessment, and any other risk assessment activities). The security risks identified in this section largely constitute the basis for the accreditation recommendation provided in Section 5 of this document.
The risk assessment results for the system are documented in Tables 12 and 12a. The following provides a brief description of the information documented in each column:
Identifier: Provides a unique number used for referencing each vulnerability.
Source: Indicates the source where the vulnerability was identified (e.g., ST&E, PIA, e-Authentication Risk Assessment, or any other risk assessment activity).
Risk: Provides a brief description of the risk.
Business Impact Statement: Indicates the impact to the business of a threat exploiting the vulnerability. The following are examples of potential impacts to business data that could be realized by the exploitation of a system vulnerability:
• Completeness: All transactions that occurred are entered and accepted for processing by the system.
• Accuracy: Transactions are properly recorded, and on a timely basis (in the proper period); key data elements input for transactions are accurate, and data elements are processed accurately by systems that produce reliable results.
• Validity: All recorded transactions actually occurred (are real), relate to the organization, and were approved by designated personnel.
• Confidentiality: System data and reports are protected against unauthorized access.
Recommended Corrective Action: Provides a brief description of the corrective action(s) recommended for mitigating the risks associated with the finding.
Likelihood: Provides the likelihood of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.
Impact: Provides the impact of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.
Risk Level: Provides the risk level (High, Medium, Low) for the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.
The risks identified in the table below are based on security vulnerabilities from various sources, including the ST&E, PIA, e-Authentication Risk Assessment, and any other risk assessment activities. The security vulnerabilities from the ST&E are listed in the findings matrix in Appendix B of this report. These findings are based on the ST&E results that are documented in the ST&E Plan. Also, please refer to the source documents (e.g., PIA, e-Authentication Risk Assessment) included in the C&A package for more detailed information on the risks associated with non-ST&E findings.
Table 12: Risk Assessment Results
[Ensure that all risks that were identified as part of risk assessment activities (i.e., ST&E, PIA, e-Authentication Risk Assessment, and any other risk assessment activities) are listed in the table below. Ensure that the "Impact" level for all risks identified in Table 12 is the same as the security categorization level for the system.]
Identifier | Source | Risk | Business Impact Statement | Recommended Corrective Action | Likelihood | Impact | Risk Level
1 | AMPL: App ST&E Findings Matrix, AU-2 (App) | | | | | |
2 | | | | | | |
Supporting GSS Component Risks
Table 12a provides a list of the risks that were identified for the GSS components directly supporting the system that may impact the security posture of the system. The GSS components directly supporting the system that were included within the scope of the system ST&E are as follows: [include a listing of system-specific GSS components that were tested]. The risks identified in the table below were not included in the total count of risks tallied in Table 1: Summary of System Security Risks. These risks will be incorporated into the respective GSS POA&M(s).
Table 12a: Supporting GSS Component Risk Assessment Results
[Populate this table using applicable C&A results for system-specific GSS components which were tested as part of the system C&A effort. Ensure that the "Impact" level for all risks identified in Table 12a is the same as the security categorization level for the GSS that the risk was identified for. DO NOT USE TBD or N/A. None is an appropriate answer if no GSS risks were identified.]
Identifier | Source | Risk | Business Impact Statement | Recommended Corrective Action | Likelihood | Impact | Risk Level
GSS1 | AMPL: App ST&E Findings Matrix; GSS Windows 2003 Server | | | | | |
GSS2 | | | | | | |
Mitigated Results
Table 12b provides a list of the risks that were identified in the results of risk assessment activities where actions have been taken to mitigate these risks after the risk assessment activities were performed. The [Insert Group/Organization/Company Name] Issue Resolution Process was used to confirm that each of the ST&E findings noted below has been mitigated. Therefore, these risks are provided in this report for informational purposes only and do not have an impact on the accreditation recommendation.
Table 12b: Mitigated Results
[Populate the table below with risks that have been mitigated (i.e., ST&E and SA risks that have been corrected). Any risks that have not been mitigated should be placed in Table 12 above and should not be placed in this table. DO NOT USE TBD or N/A. None is an appropriate answer if a SA was not performed.]
Identifier | Source | Risk | Business Impact Statement | Recommended Corrective Action | Likelihood | Impact | Risk Level
1 | AMPL: App SA, dated 01/02/07, 01, CM-2 | | | | | |
2 | AMPL: App ST&E Findings Matrix, IA-2 (App) | | | | | |
5. ACCREDITATION RECOMMENDATION
[Populate this section based on the risks identified in this report and include a reference to the system's Certification Memorandum for the accreditation recommendation. The following is an example:
A total of nine system risks were identified for App. Of the nine risks, two were deemed Medium and seven were deemed Low. The risks identified in Section 4, Table 12 of this report included weaknesses in the areas of Access Controls and Identification and Authentication. Please refer to the App Certification Memorandum for the accreditation recommendation.]
The Federal Information Security Management Act (FISMA) requires that a Plan of Action and Milestones (POA&M), using the format guidance prescribed by OMB, be utilized as the primary mechanism for tracking all system security weaknesses and issues. The authorizing official (accreditor) will need to take ownership of these risks and ensure that they are included in the weakness repository and that the POA&M for the system is updated, monitored, and progress reported quarterly through your FISMA coordinator.
5.1 Priority Mitigation Actions
[Complete this section if there are major mitigation actions that must be completed. Otherwise, remove this section in its entirety. This section must be completed for any system issued an IATO.]
Each item in the POA&M is important for the overall security of the system. Nevertheless, a smaller set of changes is required to merit Authorization to Operate under the guidelines documented in NIST Special Publication 800-37. These items are considered so significant that the Certification Agent is unwilling to recommend unrestricted operation of the system until the vulnerabilities have been substantially corrected. Table 13 below depicts the priority mitigation actions for the system. These mitigation actions are a subset of what is presented in the system POA&M document.
Table 13: Priority Mitigation Actions
Risk Level | Risk Identifier | Vulnerability Description
6. FUTURE ENHANCEMENTS
The following planned changes to the [Insert System Acronym] environment are provided here for informational purposes only. At the time of the current system C&A review, these changes were still in development, and therefore not enough information was available to accurately document and test the security controls planned for implementation with these enhancements. These future enhancements will be documented and tested as part of the next update to the system C&A package.
[If Section 5.1 was completed above, change the table below to Table 14]
Table 13: Future Enhancements
Future Enhancement Title | Future Enhancement Description | Implementation Date(s)
ACRONYMS [Update the acronym list based on the acronyms used in this document]
AC Authentication Category
AP Assurance Profile
ATO Authorization to Operate
C&A Certification & Accreditation
COTS Commercial Off the Shelf
DAA Designated Approving Authority
FIPS PUB Federal Information Processing Standard Publication
FISMA Federal Information Security Management Act
GSS General Support System
IATO Interim Authorization to Operate
ID Identification
IT Information Technology
LAN Local Area Network
NIST National Institute of Standards and Technology
OMB Office of Management and Budget
PIA Privacy Impact Assessment
POA&M Plan of Action and Milestones
POC Point of Contact
RA Risk Assessment
SA System Administrator
SAR Security Assessment Report
SDLC System Development Life Cycle
SP Special Publication
SSP System Security Plan
ST&E Security Test and Evaluation
APPENDIX A. REFERENCES
Laws and Regulations:
Federal Information Security Management Act of 2002, Title III, Information Security, P.L. 107-347.
Consolidated Appropriations Act of 2005, Section 522.
USA PATRIOT Act (P.L. 107-56), October 2001.
OMB Circulars:
OMB Circular A-130, Management of Federal Information Resources, November 2000.
OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12: Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005.
OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June 2006.
FIPS Publications:
FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems
FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems
FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors
NIST Publications:
NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
NIST SP 800-30, Risk Management Guide for Information Technology Systems
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems
NIST SP 800-53, Recommended Security Controls for Federal Information Systems
NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP 800-63, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology
NIST SP 800-64, Security Considerations in the Information System Development Life Cycle
[Insert System Acronym] References
[Insert any business-related laws/regulations that apply to the system]
APPENDIX B. SECURITY TEST AND EVALUATION (ST&E)
An ST&E was performed on [Insert Dates] at [Insert Location] for the system. The results of the ST&E are presented in the completed ST&E plan, which is part of the C&A package. The security vulnerabilities identified during the ST&E are provided below. Testing was conducted against the system and the GSS components that directly support [Insert System Acronym] operations. The ST&E for the system included the following components: [Bullet point the components of the system that were assessed and listed in the boundary scope memo; see the example below]
• App Module 1
• App Module 2
The ST&E for the GSS components that directly support the system included the following: [Bullet point the GSS components that directly support the system which were assessed and listed in the boundary scope memo; see the example below]
• UNIX Server (GSS)
• Oracle Database Server (GSS)
Vulnerabilities discovered for the system components which were tested are listed under the System Level Findings section in this appendix. Vulnerabilities discovered on the supporting GSS components are listed under the Supporting GSS Component Findings section in this appendix.
Note: Obtain the ST&E Plan and Findings Matrix for the system to complete this appendix. Also, be sure to roll up duplicate findings and place the finding statement in a list for that specific control in the appropriate component section of the "System Level Findings" table below. For example, if five test cases failed for IA-2, take the unique language in those test cases and put it into an entry for IA-2 under the appropriate component section in the table below (i.e., if an IA-2 test case fails for "App Module 1", place the language under this component section in the table; if an IA-2 test case fails for "App Module 1" as well as for "App Module 2", split the findings up accordingly and place entries for IA-2 into each of these sections of the table).
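The roll-up rule in the note above, as an added example in Python (not code from this template): failed test cases are grouped per (component, control), duplicate finding language is collapsed to one statement, and the failed test case numbers are retained so they can be cited in the Finding Statement column. The test cases, the column names and the identifier format "APPIA2-1A" are constructed for illustration and are not results from any real ST&E.

```python
"""Roll up failed ST&E test cases into one finding entry per (component,
control). Added example, not the template's own code; the sample test cases
and their field names are constructed."""
from collections import OrderedDict


def roll_up(test_cases):
    """Return an ordered mapping (component, control) -> entry, where entry
    holds the unique finding statements (first-seen order) and the failed
    test case numbers. Passed test cases produce no finding and are skipped.
    A control that fails on two components yields two separate entries, as
    the note requires."""
    entries = OrderedDict()
    for case in test_cases:
        if case["result"] != "Fail":
            continue
        key = (case["component"], case["control"])
        entry = entries.setdefault(key, {"statements": [], "test_cases": []})
        statement = " ".join(case["statement"].split())   # normalise whitespace before comparing
        if statement not in entry["statements"]:
            entry["statements"].append(statement)
        entry["test_cases"].append(case["test_case"])
    return entries


def finding_statement(entry):
    """Render one table cell: the unique language, then the failed test case
    numbers in parentheses, in the shape of the example row in the System
    Level Findings table."""
    return "; ".join(entry["statements"]) + " (" + ", ".join(entry["test_cases"]) + ")"


# Constructed sample ST&E results; not a real Findings Matrix.
SAMPLE_TEST_CASES = [
    {"component": "App Module 1", "control": "IA-2", "test_case": "APPIA2-1A", "result": "Fail",
     "statement": "Passwords are not required to be changed every 90 days."},
    {"component": "App Module 1", "control": "IA-2", "test_case": "APPIA2-1B", "result": "Fail",
     "statement": "Passwords are  not required to be changed every 90 days."},  # same language, stray space
    {"component": "App Module 1", "control": "IA-2", "test_case": "APPIA2-2A", "result": "Fail",
     "statement": "Help desk staff share a single generic account."},
    {"component": "App Module 1", "control": "IA-2", "test_case": "APPIA2-3A", "result": "Pass",
     "statement": "Accounts lock after five consecutive failed logins."},
    {"component": "App Module 2", "control": "IA-2", "test_case": "APPIA2-1A", "result": "Fail",
     "statement": "Passwords are not required to be changed every 90 days."},
]

if __name__ == "__main__":
    for (component, control), entry in roll_up(SAMPLE_TEST_CASES).items():
        print(f"{component} / {control}: {finding_statement(entry)}")
```

The whitespace normalisation is the one judgement call: two test cases whose statements differ only in spacing are the same finding, but any difference in wording is kept, since the note asks for the unique language rather than a summary.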
System Level Findings
Vulnerabilities discovered for the system components which were tested are listed in the table below. The composite risks and risk levels for system vulnerabilities are captured in Table 12 of the report, along with the business impact statement and recommended corrective actions.
[Populate the table below using the findings identified for system components that were tested as part of the ST&E; see the example below]
ST&E Control Number and Name | Applicable NIST SP 800-53 Control(s) | ST&E Finding Statement
[Insert name of system component (i.e., App Module 1)]
SA-5: Information System Documentation | The organization ensures that adequate documentation for the information system and its constituent components is available, protected when required, and distributed to authorized personnel. | [Insert finding statement from ST&E Results Matrix and failed test case number(s)] AMPL: Adequate documentation for App is not maintained (APPSA5-1A, APPSA5-1B)
[Insert name of system component (i.e., App Module 2)]
CM-6: Configuration Settings | The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with information system operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system. | [Insert finding statement from ST&E Results Matrix and failed test case number(s)]
Supporting GSS Component Findings
In order to provide a more holistic view of the risks to the system, [Insert Group/Organization/Company Name] included the GSS components directly supporting the system within the scope of the system ST&E. The purpose of including these GSS components as part of the ST&E is to specifically identify GSS-level risks that may impact the security posture of the system, providing the DAA with a higher level of assurance in making an accreditation decision for the system. The composite risks and risk levels for the supporting GSS component vulnerabilities are captured in Table 12a of the report, along with the business impact statement and recommended corrective actions. A summary of the GSS risks is provided in Tables 5 and 5a of the report.
[Populate the table below using the findings identified for GSS components that were tested as part of the ST&E; see the example below. DO NOT USE TBD or N/A. None is an appropriate answer if no GSS findings were identified.]
ST&E Control Number and Name | Applicable NIST SP 800-53 Control(s) | ST&E Finding Statement
[Insert name of GSS component (i.e., UNIX Server (GSS))]
CM-6: Configuration Settings | The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with information system operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system. | [Insert finding statement from ST&E Results Matrix and failed test case number(s)]
SI-11: Error Handling | The information system identifies and handles error conditions in an expeditious manner. | [Insert finding statement from ST&E Results Matrix and failed test case number(s)]
[Insert name of GSS component (i.e., Oracle Database Server (GSS))]
CM-6: Configuration Settings | The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with information system operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system. | [Insert finding statement from ST&E Results Matrix and failed test case number(s)]
CM-7: Least Functionality | The organization configures the information system to provide only essential capabilities and specifically prohibits and/or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited and/or restricted functions, ports, protocols, and/or services]. | [Insert finding statement from ST&E Results Matrix and failed test case number(s)]
PR*VAC+ *MPACT ASSESSMENT 4P*A6
A 6IA .as per&ormed or re+ised &or t*e system as part o& t*e C>A acti+ities A copy o& t*e 6IA is5 1emo is presented in t*is appendi0 )*e security ris5s identi&ied -ased on t*e 6IA
are documented in a )a-(e $7 o& t*is report
[Insert 6IA is5 1emo *ere]
Or
A 6IA .as per&ormed or re+ised &or t*e system as part o& t*e C>A acti+ities A copy o& t*e 6IA is5 1emo is presented in t*is appendi0 )*ere .ere no security ris5s identi&ied -asedon t*e 6IA
[Insert 6IA is5 1emo *ere]
Or
A 6IA is not reJuired &or t*is system )*ere&ore, a copy o& t*e 6IA is5 1emo is not presented in t*is appendi0
APPENDIX C. E-AUTHENTICATION RISK ASSESSMENT
[Insert System Acronym] has been determined to be a Federal System that does not require e-Authentication security controls to be implemented due to the nature of the transactions processed on the system.
Or
An e-Authentication Risk Assessment was performed or revised for the system as part of the C&A activities. A copy of the e-Authentication Risk Assessment is presented in this appendix. The security risks identified based on the e-Authentication Risk Assessment are documented in Table 12 of this report.
Introduction
The purpose of this e-Authentication Assurance Level Determination Report is to document the e-Authentication risk assessment activities that were performed according to the OMB Presidential Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, December 2003, and Federal Information Processing Standards (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, and the results of those activities. This Report provides management with an assessment of the assurance impact profile level of electronic system transactions of remote users to ensure that authentication processes provide the appropriate level of assurance.
Overview
An e-Authentication assurance level determination was conducted in accordance with the OMB Presidential Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, December 2003; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63, Electronic Authentication Guideline, June 2004; and Federal Information Processing Standards (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors.
In order to compile a comprehensive review of the systems and their transactions, an interview took place between the e-Authentication Assurance Risk Assessment Profile Team (Assessment Team) and the point of contact for [Insert System Name (Acronym)]. A risk assessment of new and existing electronic transactions was conducted to ensure that current authentication processes provide the appropriate level of assurance.
Scope
This Report incorporates an analysis of the external and internal facing e-Authentication transactions on the following components: [Insert System Acronym].
Structure
The Report is structured as follows:
• Results of the e-Authentication risk assessment;
• Transaction Report provided by the e-Authentication risk assessment tool.
E-AUTHENTICATION RISK ASSESSMENT RESULTS
Assessment Interview Summary EXAMPLE:
The assessment team performed a telephone interview with on Wednesday, September 21, 2005 at 9:00 AM. The assessment team used the streamlined set of assurance questionnaire worksheets to guide the interview and used a hardcopy of the worksheet to record responses from the interviewees. No notable departures from the worksheet structure occurred.
System Operations EXAMPLE:
App requires authentication for Government Employees over the Organization Intranet. All users are considered internal users. The number of user sessions in a year is less than 200. The system URL provides the front door information page for the App system. Users access the NT App System Server by utilizing the workstation's Netscape browser and the Organization Intranet (inside the Organization firewalls). When the URL for the App system is entered, a Java applet is downloaded into the workstation's memory. The user is then prompted for a login id and password combination for the system. If the login id/password combination matches what is stored in the App database (the password is encrypted in the database) for that user, the system then checks the list of authorized IP addresses (also stored in the database) to determine if the user's workstation is authorized to access App. The user is granted access only if the IP address of his/her workstation matches one of the IP addresses allocated to that user. From this point on, the system server passes requests from the client workstation to the App database server using Oracle, a commercial off-the-shelf (COTS) software product. Users do not have direct access to the App database server or to the App database at any time.
Transactions
Table 1 provides a summary of the e-Authentication Transaction Worksheet results for [Insert System Name]. The Table uses the following six elements to delineate each transaction:
• ID – unique association identifier used to link a transaction with all other qualitative elements of the e-Authentication assurance profiling process: security categories (SC), threat statements, vulnerabilities, authentication category impacts, vulnerability likelihood ratings, assurance levels, risk levels, mitigations, and assurance level impact profiles (e.g., A, B, C);
• Action – Transaction type: a verb (e.g., inquire, create, modify, delete);
• Asset – Data object: the object being acted upon by the Actor (e.g., personal profile, tax record, tax credit, employee record);
• Attributes – Set, in writing, the apparent authentication characteristics (e.g., sensitivity, privacy, availability, user/group restrictions, non-repudiation needs);
• Actor – User type: a subject (e.g., citizen, federal agency (FA), business, external filing partner, employee, administrator); and
• Avenue – Entry point: the instrumental vehicle for the transaction (e.g., Internet, registered user portal, employee user portal, intranet, extranet).
• Authentication Category (AC) – OMB Authentication Potential Impact Category, or Authentication Category (AC), for each transaction. According to OMB M-04-04, the categories of harm and impact are:
1 – Inconvenience, distress, or damage to standing or reputation;
2 – Financial loss or agency liability;
3 – Harm to agency programs or public interests;
4 – Unauthorized release of sensitive information;
5 – Personal safety; and
6 – Civil or criminal violations.
• Assurance Profile (AP) – The four assurance profile levels for each security category are:
Level 1: Little or no confidence in the asserted identity's validity.
Level 2: Some confidence in the asserted identity's validity.
Level 3: High confidence in the asserted identity's validity.
Level 4: Very high confidence in the asserted identity's validity.
Table 1. System Transaction Summary (EXAMPLE)

ID        | Name                      | Action  | Asset           | Attributes | Actor                | Avenue   | AC 1 | AC 2 | AC 3 | AC 4 | AC 5 | AC 6 | AP
App-X-001 | User-Manage Account       | Modify  | Employee Record | C, I, P    | Government Employees | Intranet | L    | L    | L    | L    | L    | M    | 3
App-X-002 | User-View Report          | Inquire | Employee Record | C, I, P    | Government Employees | Intranet | L    | L    | L    | L    | L    | M    | 3
App-X-003 | Admin-View Reports        | Inquire | Employee Record | C, I, P    | Government Employees | Intranet | L    | L    | L    | L    | L    | M    | 3
App-X-004 | Admin-Create User Account | Create  | Employee Record | C, I, P    | Government Employees | Intranet | L    | L    | L    | L    | L    | M    | 3
App-X-005 | Admin-Modify User Account | Modify  | Employee Record | C, I, P    | Government Employees | Intranet | L    | L    | L    | L    | L    | M    | 3
Conclusion EXAMPLE:
As indicated in Table 1 in the rightmost column, labeled "AP," the assurance profile level for this system is Level 3.
The system has mission-specific transactions which need to be carried out by Organization users. In addition, there is a moderate level of impact resulting from an authentication failure, which can lead to civil or criminal violations. This impact is primarily due to the consequences of unauthorized access to the system, which can result in unauthorized access to sensitive information. Although only those users who have admin privileges may modify or update this information, there must be a high level of confidence that the individual logging in is indeed the authorized individual.
However, at assurance Level 3 two-factor authentication is technically required, such as a one-time password produced through a cryptographic protocol. The IP checker, which allows a user to access App only if the IP address of his/her workstation matches one of the authorized IP addresses (stored in the database) allocated to that user, provides a mitigating control. It is a compensating control rather than a second authentication factor, so on its own it does not satisfy the Level 3 two-factor requirement.
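As an added example, not code from this template or from the assessed App system, the Python below implements the login flow described in the System Operations paragraph and the two-factor point made in this conclusion: a login id/password check, then the per-user IP allow-list check, then a one-time password. It assumes, beyond what the text states, that passwords are stored as salted PBKDF2 hashes rather than the "encrypted" value the description mentions, that the one-time password is TOTP (RFC 6238) over HMAC-SHA1, and that the users, addresses, passwords and the RFC test secret are constructed sample data.

```python
"""Two-stage App-style login (password, then IP allow list) with an optional
TOTP third step. Added example; all users, addresses, passwords and secrets
are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import os
import struct
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to the deployment


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time compare so a wrong guess does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time / step."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, for_time + k * step, step), code)
               for k in range(-window, window + 1))


@dataclass(frozen=True)
class UserRecord:
    salt: bytes
    password_hash: bytes
    allowed_ips: FrozenSet[ipaddress._BaseAddress]
    totp_secret: Optional[bytes] = None  # None: no second factor enrolled


# Dummy credential so an unknown login id costs the same time as a wrong password.
_DUMMY_SALT, _DUMMY_HASH = hash_password("not-a-real-password")


def authenticate(users: Dict[str, UserRecord], login_id: str, password: str,
                 client_ip: str, otp: Optional[str] = None,
                 now: Optional[float] = None) -> str:
    """Return 'OK', 'BAD_CREDENTIALS', 'IP_NOT_AUTHORIZED' or 'BAD_OTP'.
    Log the specific reason; show the user only a generic failure, or the
    responses reveal which login ids exist."""
    now = time.time() if now is None else now
    user = users.get(login_id)
    if user is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_HASH)  # burn the same time
        return "BAD_CREDENTIALS"
    if not verify_password(password, user.salt, user.password_hash):
        return "BAD_CREDENTIALS"
    # Stage 2: the allow list is a compensating control, not an authentication
    # factor (addresses are shared behind NAT and can be taken over), so it
    # never replaces stage 3 for a user who has a second factor enrolled.
    if ipaddress.ip_address(client_ip) not in user.allowed_ips:
        return "IP_NOT_AUTHORIZED"
    if user.totp_secret is not None:
        if otp is None or not verify_totp(user.totp_secret, otp, now):
            return "BAD_OTP"
    return "OK"


# Constructed sample store. The RFC 4226/6238 test secret is used only so the
# one-time password is reproducible; never reuse a published secret in practice.
DEMO_TOTP_SECRET = b"12345678901234567890"


def build_demo_users() -> Dict[str, UserRecord]:
    salt, digest = hash_password("correct horse battery staple")
    admin_salt, admin_digest = hash_password("admin-passphrase-2005")
    return {
        "jdoe": UserRecord(salt, digest,
                           frozenset({ipaddress.ip_address("10.20.30.40")}),
                           DEMO_TOTP_SECRET),
        "admin1": UserRecord(admin_salt, admin_digest,
                             frozenset({ipaddress.ip_address("10.20.30.41")})),
    }


if __name__ == "__main__":
    users = build_demo_users()
    code = totp(DEMO_TOTP_SECRET, time.time())
    print(authenticate(users, "jdoe", "correct horse battery staple", "10.20.30.40", code))
    print(authenticate(users, "jdoe", "correct horse battery staple", "10.20.30.99", code))
    print(authenticate(users, "jdoe", "wrong", "10.20.30.40", code))
    print(authenticate(users, "admin1", "admin-passphrase-2005", "10.20.30.41"))
```

The checks run in the order the description gives: password, then IP allow list, then the one-time password. The returned reason is meant for the audit log; the user should see a single generic failure message. Note that "admin1" passes with password plus IP only because no second factor is enrolled, which is exactly the gap the conclusion above identifies; enrolling a TOTP secret for that account is what moves the flow from password-plus-IP to two-factor.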
APPENDIX D. AUDIT REPORTS
Audit findings have been identified for the system. Results from the relevant audit Reports are presented in this appendix. The security vulnerabilities identified based on these Reports are documented in a table in section 4 of the report.
[Provide relevant audit Reports here]
Or
Audit findings have not been identified for the system. As such, no audit Reports are presented in this appendix.
ORGANIZATIONAL COMMON CONTROLS SAR
Please refer to the organizational common controls SAR dated [Insert Date] for more information.