ITSSO
Copyright (c) 1995 - Management Analytics - All Rights Reserved
The ITSSO for each classified or sensitive system shall perform the
following functions:
- 1. Advise the IT system owner on matters pertaining to IT
systems security.
- 2. Develop, implement and manage the execution of the IT
system security program.
- 3. Prepare, or cause to be prepared an IT system security
plan in the proper format for the IT system.
Requirements for IT security plans are contained in
Chapter 10.2 of this document and Section 2 of the "DOC
IT Security Manual."
- 4. Conduct, or cause to be conducted, a risk analysis on
the system when there are major changes to the system
or every three years, whichever is less. Requirements
for risk analysis are contained in Chapter 10.7 of this
document and Section 7 of the "DOC IT Security Manual."
- 5. Ensure that contingency and disaster recovery plans are
developed, maintained in an up-to-date condition and
tested at least annually. Requirements for contingency
and disaster recovery plans are contained in Chapter
10.8 of this document and Section 8 of the "DOC IT
Security Manual."
- 6. Establish and maintain liaison with any remote
facilities or users served by the IT system, the
operating unit ITSO, or if appropriate, the subordinate
organization ITSO.
- 7. Monitor changes in hardware, software,
telecommunications, facilities and user requirements to
ensure that security is not compromised or degraded.
- 8. Exercise system responsibility or direct activities for
password management and control.
- 9. Arrange for IT security awareness training for the
system staff and monitor the user training programs to
ensure that personnel receive security orientation
before being allowed access to sensitive IT resources.
- 10. Ensure that positions requiring access to classified
information or resources are identified and that
incumbents of these positions receive an appropriate
level of security clearance before access is granted.
- 11. Investigate or cause to be investigated known or
suspected security incidents or violations and prepare
reports of findings as required in Chapter 10.6 of this
document and Section 6 of the "DOC IT Security Manual."
Verbal and written reports will be made to the
operating unit ITSO through the subordinate ITSO, if
appropriate. Incidents involving a physical security
violation, such as theft or violations of the personnel
security, classified information or industrial security
programs will be referred to the operating unit Office
of Security for investigation.
- 12. Ensure that the organization abides by the DOC and
operating unit malicious software policies and has the
required virus detection and elimination software and
procedures available to protect against these threats.
Malicious software protection and reporting
requirements are contained in Chapter 10.6.1 of this
document and Section 6.1 of the "DOC IT Security
Manual."
- 13. Audit all the systems within the organization for
illegal software at least annually and maintain
inventories of all software on each individual system
to verify that only legal copies of software are being
used. Requirements for software copyright protection,
auditing and reporting are contained in Section 10.12.1
of this document and Section 12.1 of the "DOC IT
Security Manual."
- 14. Review IT related procurement specifications for
hardware, software or services to ensure that they
include adequate security requirements and/or
specifications which are commensurate with the
sensitivity of the system.
- 15. Conduct, or cause to be conducted, all activities
required for the certification of the system, including
preparing the certification and accreditation packages
for final approval every three years or when major
changes occur to the system, whichever is less.
- 16. Coordinate with the operating unit Security Office or
local Security Office on security matters of mutual
interest.