Operating Unit ITSO
Copyright(c), 1995 - Management Analytics - All Rights Reserved
The operating unit ITSO shall serve as the central point of contact
for the operating unit IT security program with the Departmental IT
Security Manager. The operating unit ITSO shall perform the following
functions:
- 1. Represent the operating unit as a voting member of the
DOC IT Security Coordinating Committee; attend
regularly scheduled meetings to obtain current
information on issues relating to federal or DOC IT
security policies, regulations, and guidelines; share
information with the committee about issues or concerns;
and participate in special subcommittees working to
solve Department-wide issues.
- 2. Ensure that an ITSO and alternate are appointed for
each major subordinate organizational component within
the operating unit, if appropriate. These individuals
will serve as the point of contact for their
organizational component IT security program with the
operating unit ITSO.
- 3. Establish and maintain a list of all IT systems within
the operating unit and provide an up-to-date list to
the DOC IT Security Manager annually.
- 4. Ensure that an ITSSO has been appointed for each IT
system within the operating unit.
- 5. Ensure IT security plans are prepared in the proper
format for all sensitive and classified IT systems
owned and operated by the operating unit. Review and
comment on individual IT security plans, ensuring that
all corrective actions are completed, and submit all
plans to the DOC IT Security Manager. Requirements for
IT security plans are contained in Section 10.2 of this
document and Section 2 of the "DOC IT Security Manual."
- 6. Ensure that risk analysis is completed for all
sensitive or classified IT systems within the operating
unit. Requirements for risk analysis are contained in
Section 10.7 of this document and Section 7 of the "DOC
IT Security Manual."
- 7. Ensure that contingency and disaster recovery plans are
developed for all sensitive or classified IT systems
within the operating unit. Requirements for
contingency and disaster recovery planning are
contained in Section 10.8 of this document and Section
8 of the "DOC IT Security Manual."
- 8. Maintain a tracking system concerning implementation of
the required controls and accreditation status for all
operating unit sensitive and classified IT systems.
- 9. Act as the central point of contact for accreditation
of all sensitive IT systems within the operating unit.
Ensure that all certification requirements have been
met for each system, prior to accreditation.
Certification requirements are contained in Section
10.3 of this document and Section 3 of the "DOC IT
Security Manual." The ITSO will submit an accreditation
status report quarterly to the DOC IT Security Manager.
Accreditation requirements are contained in Section
10.4 of this document and Section 4 of the "DOC IT
Security Manual."
- 10. Conduct, or cause to be conducted, IT security
verification reviews of all operating unit sensitive IT
systems every three years. Requirements for IT
security verification reviews are contained in Section
10.5 of this document and Section 5 of the "DOC IT
Security Manual."
- 11. Ensure that all operating unit personnel are provided
appropriate IT security awareness and training. IT
security awareness and training requirements are
contained in Section 10.17 of this document and Section
17 of the "DOC IT Security Manual."
- 12. Act as the central point of contact for the operating
unit for any type of IT security-related incidents or
violations. Investigate or cause to be investigated
any incidents or violations, maintain records,
ensure reports are submitted to the DOC IT Security
Manager, and disseminate information concerning
potential threats to system owners. Requirements for
incident and violation reporting are contained in
Section 10.5 of this document and Section 5 of the "DOC
IT Security Manual."
- 13. Ensure that the operating unit has a malicious software
policy in place and the required virus detection and
elimination software and procedures are available to
protect against these threats. Malicious software
protection and reporting requirements are contained in
Section 10.6.1 of this document and Section 6.1 of the
"DOC IT Security Manual."
- 14. Ensure that the operating unit has established a policy
against the illegal duplication of copyrighted
software. Ensure that all systems are audited for
illegal software at least annually and inventories of
all software on each individual system are maintained to
verify that only legal copies of software are being
used. Requirements for software copyright protection,
auditing and reporting are contained in Section 10.12.1
of this document and Section 12.1 of the "DOC IT
Security Manual."
- 15. Coordinate with the operating unit Security Office on
security matters of mutual interest.
In the absence of the ITSO, the alternate shall perform all functions
normally assigned to the ITSO for the operating unit IT security
program.