Table of Contents |
|
|---|---|
|
1. Background |
5. Roles and Responsibilities |
|
2. Goal |
6. Application Description |
| 3. Scope |
7. Acronyms |
4. Objectives |
 |
1. Background
The Information Resources & Management Support Contract (IR&MSC) with NASA HQ requires that the Boeing Team "... implement a comprehensive security program to adequately secure and protect the Government's and Contractor's investment in information technology systems, equipment, software, services, data and information, facilities, and other resources involved in the performance of this contract." [§1.0.1.2]
Sub-task Order 0.6 describes deliverables that the NASA HQ Information Technology (IT) Security Manager (ITSM) has determined to be an integral part of such a program. Sub-task Order 0.6 does not describe how comprehensive IT security should be achieved and maintained - that determination has been left to the Boeing Team.
The IT security posture of NASA HQ is the responsibility of the entire Boeing Team - most everything that Engineering, Operations, Applications and User Services does has a direct impact on IT security. For IT security to work, everyone must understand their role and must meet these additional responsibilities. IT security is therefore a function that must be managed across the Program, and must operate at two levels:
The IT Security Team Lead will launch and direct program-wide activities
The IT Security Team members will provide security deliverables, will conduct security-centric activities, and will assist with program-wide activities
In order to achieve efficiency and effectiveness, the entire Boeing Team must support and follow a plan maintained by the IT Security Team Lead. This Work Breakdown Structure (WBS) represents the foundation of that plan.
2. Goal
The overall goal of the IT Security Function is to continually improve the IT security posture of NASA HQ in the manner deemed most efficient and effective in terms of incident prevention, damage minimization, resource utilization, and law enforcement.
3. Scope
Efforts will focus initially on the tools and processes required for the systematic pursuit of better IT security. These tools and processes will then be directed at NASA HQ systems and services as they are scheduled to migrate behind the firewall - adequate technical security is a prerequisite for migration. It is anticipated that enterprise systems and services will migrate first, followed by Code systems and services. Once all migrating systems and services have been addressed, Boeing will prioritize what remains and will approach Code CI Management for concurrence.
4. Objectives
Pursuit of the following high-level objectives constitutes a comprehensive IT security program for NASA HQ:
- Provide ITSM-requested deliverables.
- Provide and maintain a comprehensive IT security architecture (i.e. master plan).
- Provide and maintain appropriate IT security policies, guidelines and procedures.
- Provide centralized IT security management, oversight, review and reporting.
- Provide IT security incident and virus response capabilities and coordination.
- Provide IT security training and awareness.
- Monitor actual system and network activity (i.e. intrusion detection).
- Monitor reported system and product vulnerabilities (via CERT, newsgroups, etc.).
- Assist NASA HQ in meeting regulatory screening and reporting requirements.
- Assess risk and recommend mitigations (e.g. scanning, auditing, analysis).
- Respond to security-centric Service Requests (SRs) and Problem Reports (PRs).
- Respond to ad hoc requests for analytical or technical security support.
5. Roles and Responsibilities
Boeing Team roles and responsibilities are delineated in the following table using these marks and abbreviations:
SEC = IT Security Group
OPS = Operations
ENG = Engineering
APP = Applications
USR = User Services (other than IT Security Group)
BUS = Business Management
- PRI = Priority of Task:
- C = Critical for implementation of the IT Security Function
H = High
M = Moderate
L = Low
| Shading indicates a deliverable (as opposed to an on-going or recurring activity). |
|---|
[Bracketed paragraph numbers indicate the mapping to Sub-task Order 0.6 for FY'98]
NOTE: Certain high-level reporting (e.g. financial management, personnel utilization) will continue to be handled by the User Services Department Head. [§1.0.4]
| S E C |
O P S |
E N G |
A P P |
U S R |
B U S |
P R I |
TASK DESCRIPTION (Deliverables are shaded) |
|---|---|---|---|---|---|---|---|
| |
|
|
|
|
|
-- | 1. Provide ITSM-requested deliverables. (…others are listed elsewhere in this WBS; these do not fit elsewhere) |
| |
|
|
|
|
|
C | a) Update and maintain the IT Security Web page (http://www.hq.nasa.gov/its) as directed. |
| |
|
|
|
|
|
C | |
| |
|
|
|
|
|
C | |
|
|
|
|
|
|
C | |
| |
|
|
|
|
|
H | (b) Support the NASA IT Security (ITS) Working Group meetings held semi-annually at NASA Centers as directed. [§1.3.2.10] |
| |
|
|
|
|
|
H | (c) Comply with policies and procedures for NASA Headquarters Computer Center (NHCC) physical security. [§1.3.3.1] |
|
|
|
|
|
|
H | (d) Maintain high quality in all presentations and written products. [Metric 4 "Quality of Documentation"] |
| |
|
|
|
|
|
? | (e) Perform other tasks when so directed by the issuance of a competent Sub-task Order or Sub-task Order Amendment.[§1.3.2.1] |
| |
|
|
|
|
|
-- | 2. Provide and maintain a comprehensive IT security architecture (i.e. master plan). |
| |
|
|
|
|
|
C | a)Establish and maintain a NASA HQ-specific IT threat list. |
| |
|
|
|
|
|
C | |
| |
|
|
|
|
|
C | b)Establish and maintain a general-principles-style master architectural plan for NASA HQ IT security. [§1.3.2.8] |
| |
|
|
|
|
|
C | |
| |
|
|
|
|
|
-- | 3.Provide and maintain appropriate IT security policies, guidelines and procedures. |
| |
|
|
|
|
|
M | a)Draft and recommend enhancements for NASA HQ IT security policies as directed. [§1.3] |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | b) Establish and maintain platform- and application-specific IT security guidelines. [§1.3.2.8] |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | (c) Establish and maintain procedures for all IT security-significant events and processes. [§1.3.2.5 and 1.3.2.8] |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
-- | 4. Provide centralized IT security management, oversight, review and reporting. |
| |
|
|
|
|
|
H | a) Review and coordinate priorities with ITSM; provide up-to-date deliverables schedule and status. |
| |
|
|
|
|
|
H | b) Participate in a half-hour daily status meeting with the Contracting Officer's Technical Representative (COTR) and the Functional Monitors (a.k.a. "NASA HQ Daily Tag Up" typically at 8:30 am). [§1.0.5] |
| |
|
|
|
|
|
H | c) Participate in a one-hour weekly status meeting (typically Wednesday at 11:00 am) with the ITSM and Chief, Support Services Branch. |
| |
|
|
|
|
|
H | d) Contribute to the development and presentation of monthly program management reports to the COTR and Functional Monitors (typically the fourth Thursday "In-depth" at 8:30 am). [§1.0.5] |
| |
|
|
|
|
|
H | e) Monitor and report monthly on the status of ITS at NASA HQ (weekly status reports plus monthly deliverables schedule update and virus statistics; reports also help form the ITS Status section of Data Requirement Descriptions (DRD) 3-C). [§1.0.5 and 1.3.2.6] |
| |
|
|
|
|
|
H | f) Draft and submit the NASA HQ Annual ITS Plan (DRD 6-1) in accordance with NASA Handbook (NHB) 2410.9A. [§1.3.2.9] |
| |
|
|
|
|
|
C | g)Define IT "security incident", "security activity", "security vulnerability", "security infraction", "security exception", "security review", "security plan" and "risk assessment" relative to NASA HQ, and post to ITS website. |
| |
|
|
|
|
|
C | h)Establish and maintain a process for IT security incident, activity, vulnerability, infraction and exception reporting. |
| |
|
|
|
|
|
C | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
C | j) Establish IT security review criteria and procedures for hardware systems and include them in the system life cycle and PDR/CDR/DRR/ORR process. [§1.3.2.4] |
| |
|
|
|
|
|
C | k) Establish IT security review criteria and procedures for applications and include them in the application life cycle and PDR/CDR/DRR/ORR process. [§1.3.2.4 and 1.3.4.1] |
| |
|
|
|
|
|
M | l)Update and maintain the Server matrix (formerly UNIX matrix). [§1.3.2.14] |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
L | m)Update the Boeing IR&MSC Security Management Plan (DRD 66) as needed. [§1.1.1] |
| |
|
|
|
|
|
L | n)Ensure the effectiveness and accuracy of the security measures prescribed by the Boeing IR&MSC Security Management Plan (DRD 66). [§1.1.1.1] |
| |
|
|
|
|
|
H | o)Provide centralized account administration. |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | p)Cross-connect projects with overlapping IT security aspects. |
| |
|
|
|
|
|
M | q) Participate in Agency-wide IT security-related working groups. |
| |
|
|
|
|
|
M | r)Implement IT security aspects of new Federal mandates and Chief Information Officer (CIO) Executive Notices as they become applicable. [§1.3] |
| |
|
|
|
|
|
L | s) Verify adherence to policy and procedures through periodic, unannounced compliance checks. [§1.3.2.15] |
| |
|
|
|
|
|
M | t)Maintain this WBS, including updates necessitated by changes in policy, technology and organizational structure. [§1.3.1] |
| |
|
|
|
|
|
-- | 5. Provide IT security incident and virus response capabilities and coordination. |
| |
|
|
|
|
|
C | a) Generate and maintain an incident response matrix. §1.3.2.5] |
| |
|
|
|
|
|
C | |
| |
|
|
|
|
|
C | b)Generate and maintain a virus response matrix. [§1.3.2.5] |
| |
|
|
|
|
|
C | |
| |
|
|
|
|
|
M | c) Assist the ITSM in better defining the incident response division-of-labor between Code CI, Code W and the NASA Automated System Incident Response Capability (NASIRC). |
| |
|
|
|
|
|
H | d) Respond to IT security incidents within one business hour of receipt of notification. [Metric 3 "Security Incident Response"] |
| |
|
|
|
|
|
-- | 6. Provide IT security training and awareness. |
| |
|
|
|
|
|
H | a) Assist the ITSM in the development and delivery of IT security training and awareness as directed. [§1.3.2.13] |
| |
|
|
|
|
|
L | b) Develop, implement and maintain an in-house IT security training and awareness program for Boeing IR&MSC personnel. [§1.1.2] |
| |
|
|
|
|
|
L | |
| |
|
|
|
|
|
M | c) Educate users, Customer Support Representatives (CSRs) and Service Center analysts in proper virus response. [§1.3.2.5] |
| |
|
|
|
|
|
L | |
| |
|
|
|
|
|
M | (d) Elevate and maintain IT Security Team proficiency and professionalism. |
| |
|
|
|
|
|
-- | 7. Monitor actual system and network activity (i.e. intrusion detection). |
| |
|
|
|
|
|
M | a) Implement automated IT security activity monitors on supported systems. [§1.3.2.8] |
| |
|
|
|
|
|
M | b) Monitor NASA HQ/Internet activities (e.g., NETMON) in support of the Firewall/Security Architecture Project. [§1.3.2.8] |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | c) Audit system and network activity logs. |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
M | d)Maintain system and network activity logs in support of incident response. |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
-- | 8. Monitor reported system and product vulnerabilities (via CERT, newsgroups, etc.). |
| |
|
|
|
|
|
M | a) Establish a vulnerability monitoring process. |
| |
|
|
|
|
|
M | b)Monitor vulnerability reports regarding supported hardware and software. |
| |
|
|
|
|
|
M | c)Disposition vulnerability reports. |
| |
|
|
|
|
|
M | d) Test and baseline patches. |
| |
|
|
|
|
|
M | e) Implement patches. |
| |
|
|
|
|
|
-- | 9. Assist NASA HQ in meeting regulatory screening and reporting requirements. |
| |
|
|
|
|
|
M | a) Monitor changes in applicable regulations. |
| |
|
|
|
|
|
H | b) Collect and submit for screening the Information on Employees in Sensitive ITS Positions/Assignments for appropriate Boeing IR&MSC personnel (DRD 68). [§1.1.3] |
| |
|
|
|
|
|
H | c)Draft a security plan for each of the following general support systems as defined in revised Appendix III of OMB A-130 and in accordance with DRD 6-2. [§1.3.2.8, 1.3.3 and 1.3.3.2] |
| |
|
|
|
|
|
H | |
|
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | (a) Perform sustaining engineering and maintenance of the existing HISS; and develop and/or acquire, sustain, and maintain enhancements, upgrades, and new capabilities. [§1.3.2.2] |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | d)Draft a security plan for each of the following category "A" applications as defined in revised Appendix III of OMB A-130 and in accordance with DRD 6-3. [§1.3.4] |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
-- | 10. Assess risk and recommend mitigations (e.g. scanning, auditing, analysis). |
| |
|
|
|
|
|
H | a) Implement virus protection products for all at-risk NASA HQ IT platforms. [§1.3.2.5] |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
L | b)Implement desktop access control products for all at-risk NASA HQ IT platforms. |
| |
|
|
|
|
|
L | |
| |
|
|
|
|
|
L | |
| |
|
|
|
|
|
L | |
| |
|
|
|
|
|
H | c) Assess and report quarterly the IT security configuration of network-accessible devices (e.g. SATAN scanning of UNIX machines, routers, NT servers, etc.). [§1.3.2.14] |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
H | |
| |
|
|
|
|
|
M | d) Provide/update sensitivity assessments for all NASA HQ applications for inclusion in DRD 31. [§1.3.2.3] |
| |
|
|
|
|
|
L | e) Provide a IT security review for each of the following category "B" applications. [§1.3.4.1 and 1.3.4.2] |
| |
|
|
|
|
|
L | |
| |
|
|
|
|
|
L | |
| |
|
|
|
|
|
L | |
| |
|
|
|
|
|
L | |
| |
|
|
|
|
|
L | |
| |
|
|
|
|
|
H | f) Provide an IT security review for each new or significantly modified NASA HQ application or hardware system as part of the PDR/CDR/DRR/ORR process. [§1.3.2.4, 1.3.2.8, 1.3.3.2, 1.3.4.1 and 1.3.4.2] |
| |
|
|
|
|
|
H | g) Review all Class 1 SRs through participation in Change Control Board / Service Request Review Team (CCB/SRRT) meetings, and intervene where appropriate. |
| |
|
|
|
|
|
M | h) Certify all non-legacy servers, both production and developmental. [§1.3.3.2] |
| |
|
|
|
|
|
M | i) Identify risks and recommend mitigations for all dial-up, dedicated and virtual communications links originating or terminating at NASA HQ. [§1.2 and 1.3.2.11] |
| |
|
|
|
|
|
M | |
| |
|
|
|
|
|
L | j) Provide appropriate technical, personnel, administrative, environmental and access safeguards for Boeing IR&MSC systems. [§1.1.1.5] |
| |
|
|
|
|
|
L | k) Ensure that all Boeing IR&MSC information technology resources are adequately protected. [§1.1.1.2] |
| |
|
|
|
|
|
L | l) Provide cost-effective assurance of Boeing IR&MSC system availability, integrity and confidentiality. [§1.1.1.4] |
| |
|
|
|
|
|
L | m) Maintain the continuity of Boeing's automated information support for NASA HQ missions, programs and functions. [§1.1.1.3] |
| |
|
|
|
|
|
L | n) Evaluate and recommend architectural and process initiatives, tools and training to improve the IT security environment of NASA HQ with emphasis on the Tactical Plan. [§1.3.2.8] |
| |
|
|
|
|
|
L | o) Assess emerging technologies and risks, raise awareness of potential IT security threats and issues, suggest additional projects and promote the image of the ITS Program. [§1.3, 1.3.1 and 1.3.2.11] |
| |
|
|
|
|
|
L | p) Monitor the general IT security threat situation, the IT security product market and the usage and effectiveness of IT security products and incident response at NASA HQ; analyze impacts, report trends and recommend process improvements. [§1.3.2.5] |
| |
|
|
|
|
|
L | q) Monitor the in-the-wild virus situation, the virus protection market and the usage and effectiveness of virus protection and virus response at NASA HQ; analyze impacts, report trends and recommend process improvements. [§1.3.2.5] |
| |
|
|
|
|
|
-- | 11. Respond to security-centric Service Requests (SRs) and Problem Reports (PRs). |
| |
|
|
|
|
|
M | a) Meet due dates for PRs, SRs and Action Items. [§1.3.2.7 and Metric 2 "ITSM-defined Task/products"] |
| |
|
|
|
|
|
-- | 12. Respond to ad hoc requests for analytical or technical security support. |
| |
|
|
|
|
|
H | a) Respond to virus incidents. [§1.3.2.5] |
| |
|
|
|
|
|
H | b) Analyze potential security threats as directed. [§1.3.2.11] |
| |
|
|
|
|
|
L | c) Obtain penetration testing by outside firm as directed. [§1.3.2.12] |
| |
|
|
|
|
|
M | d) Respond to NASA HQ ITS problems, issues and questions dealing with NASA HQ IT systems, software and services. [§1.3.2.7] |
** Technical security only; refer to NHCC and MSFC Amdahl Security Plans for all else.
6. Application Descriptions
- ACMS
- Administrative Correspondence Management System.
- AMS
- Acquisition Management System allows the NASA Headquarters and Centers to create, maintain, and generate reports of the acquisition management document information.
- CAPPS
- Consolidated Agency Personnel/Payroll System is a comprehensive, agency-wide automated information system used to collect and summarize personnel and payroll related information generated at the NASA Centers. CAPPS is a redesign and redevelopment of the Personnel Management Information System (PMIS). The purpose of the system is to fulfill internal and external requests for NASA agency-wide personnel statistical data.
- COBRA
- Cost/Obligations Budget Resource Application
- CTDS
- Consolidated Training & Development System provides warehouse consolidation and ad-hoc query capability, for training data.
- ERMP
- Energy Resources Management Program provides a uniform method of reporting the energy consumption, reduction, and costs for all NASA Centers, and for budgeting energy-related funds.
- FAAD
- Federal Assistance Award Data System is used to identify, maintain a master file, and report on all NASA contracts which are currently grants and/or cooperative agreements.
- FPDS
- Federal Procurement Data System collects procurement information to be reported to a central location, GSA, for use by the Congress, the Executive Branch, and the private sector.
- IFMP
- Integrated Financial Management Project is an integrated agency accounting and financial management system that includes financial reporting and internal controls and complies with applicable accounting principles, standards, and requirements, as well as with pertinent policies prescribed by the Office of Management and Budget (OMB).
- IRIS
- Incident Reporting Information System is an automated method for collecting mishap information obtained from the NASA Mishap Report Form 1627 and has been designed to meet the mishap reporting requirements defined in NMI8621.1F dated 12/31/91.
- NPMS
- NASA Procurement Management System.
- NTDS
- NASA Training and Development System aids in the management of training and development information for NASA.
- T&A
- Time & Attendance.
- WCS
- Work Control System.