
Department Of Health And Human Services

Department of Health and Human Services (HHS)

Security Categorization: Moderate

System Security Plan
Version 1.0

April 23, 2015

Prepared by

Atausch Paolini
CMIS 412

INTRODUCTION

The purpose of the system security plan (SSP) is to provide an overview of federal information system security requirements and describe the controls in place or planned to meet those requirements for the Department of Health and Human Services. Each SSP is developed in accordance with the guidelines contained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide for Developing Security Plans for Information Technology Systems, and applicable risk mitigation guidance and standards. Through
The analysis of risk assessment controls is an important aspect of a system, as they are used as a basis for identifying and selecting appropriate and cost-effective measures.
1.1.1 RA-1: Risk Assessment Policy and Procedures
Implementation Status: In place.
Implementation of Control: The Department of Health and Human Services has implemented risk assessment policies and procedures such as HIPAA, through its regulatory compliance with OMB Circular A-130 and NIST SP 800-37 Rev. 1 standards. It has done so by establishing, disseminating, and periodically reviewing and updating a formal, documented risk assessment policy and procedures that address the purpose, scope, roles, responsibilities, and compliance of the organization. Furthermore, HHS has also followed this control through the development and implementation of policies, “the organizational commitment to information security and the actions required to effectively manage risk and protect the core missions and business functions being carried out by the organization” (DHHS, 2011).
1.1.2 RA-5: Vulnerability Scanning
Implementation Status: In place.
Implementation of Control: In order to meet this risk assessment control, the Department of Health and Human Services uses appropriate vulnerability scanning tools such as those of the Operating Divisions (OPDIVs) which ensure the