10.1 Program Requirements
Copyright(c), 1995 - Management Analytics - All Rights Reserved
All DOC organizations will establish, implement and maintain an IT
security program consistent with the Department and government-wide
laws, regulations, policies, procedures and standards. The program must
include as a minimum, adequate and appropriate levels of protection for
all IT resources within the organization, including hardware, software,
physical and environmental facilities that support IT systems,
telecommunications, administrative, personnel and data.
All IT systems will be identified and appropriate controls
implemented in the following categories:
- 1. Management controls;
- 2. Acquisition/development/installation/implementation controls;
- 3. Operational controls;
- 4. IT security awareness and training; and
- 5. Technical controls.
Responsibilities for the DOC IT security program start at the
Department level and flows down through management of all organizations
to the individual users.
- 1. The DOC Office for Information Resources Management is
responsible for security of DOC IT resources. Non-IT
security programs (e.g., theft of computer resources,
physical security, personnel security, safeguarding
classified material and Inspector General requirements)
are stated in section G. below.
- 2. The head of each operating unit is responsible for
adequate protection of the operating unit IT resources.
Staff responsibility for IT security shall be monitored
by the operating unit Senior Official for Information
Resources Management.
- 3. System owners are responsible for providing adequate
and appropriate levels of protection for the IT
resources under their control to prevent unauthorized
disclosure and to ensure effective and accurate processing
and continuity of operations for accomplishment of the
organization's mission.
- 4. Each employee of the Department is responsible for the
adequate protection of IT resources within their
control or possession.
IT security program responsibilities are assigned to the Department
and all operating units in line with the requirements outlined in
section F. below.