CIS608 - RMF Step 4: Assessment

kartiukt18
RMF_Step2.docx

LOW IMPACT CONTROLS 2


RMF: Low Impact Controls

NIST LOW IMPACT CONTROLS

AC-3 Access Enforcement. Access control enables the organization to include in its systems a varied range of security controls that ensure a high level of access management. The University Admin Office has a contract with Ekran System, which enforces authentication and improves the organization's account management through access control policies. The University Admin Office is fully compliant.

AT-2 Security Awareness Training. Awareness training requires the organization to formulate and implement an awareness program that ensures all staff members within the organization are trained on security measures. The University Admin Office partnered with Ekran System to create proper online training materials and to ensure adequate training is in place to minimize risks. Inherited and compliant.

AU-1 Audit and Accountability Policy and Procedures. These policies and procedures enable the organization to establish a trusted and credible accountability system by performing continuous audits to detect the presence of threats. Ekran System provides the University Admin Office with comprehensive user activity monitoring, so that mitigation can be monitored at all points. The organization is fully compliant.

CA-1 Security Assessment and Authorization Policy and Procedures. Security assessment and authorization enables the organization to create a policy for developing and monitoring information security assessments across all of its IT users and assets. The University Admin Office has adopted this principle.

CM-1 Configuration Management Policy and Procedures. Configuration management is a systems engineering process that ensures consistency across all operational environments. The University has a contract with Pivotal Application Service (PAS) to ensure that all of its assets within the system are compliant with audit requirements.

CP-1 Contingency Planning Policy and Procedures. Contingency planning requires the organization to address the established procedures and policies in the CP control family. The University ensures the procedures reflect the applicable federal laws.

IA-2 Identification and Authentication. This security control requires uniquely identifying every user and device accessing the network. Ekran System provides multi-factor authentication (MFA) features that enable identification of each user of a shared account. The University Admin Office is fully compliant.

IR-5 Incident Monitoring. Incident response requires the organization to protect sensitive information. The University Admin Office has a contract with Ekran System, which provides actionable tools to meet this requirement. The University Admin Office meets this requirement fully.

MA-2 Controlled Maintenance. This control requires the organization to perform regular maintenance on, and keep documents and records of, repairs to the information system in compliance with the vendor's specifications. The University Admin Office has a contract with PAS covering all of its activities and equipment, whether remote or on site. Fully compliant.

MP-2 Media Access. Media protection requires the organization to protect and control information system media stored in the university office. The University Admin Office has a contract with PCF for testing its assets and for transporting information on digital and non-digital media. Fully compliant.

PE-6 Monitoring Physical Access. Physical and environmental protection requires the organization to define a physical and environmental protection policy covering scope, management and responsibilities. The University complies fully with federal law.

PL-2 System Security Plan. Planning requires the organization's system security plan (SSP) to be properly planned and implemented in order to manage and secure information. We are fully compliant with the SSP.

PS-7 Third-Party Personnel Security. This control entails implementing procedures and policy for third-party security providers. The University Admin Office partnered with ABC Securities and is compliant with federal law.

RA-3 Risk Assessment. Risk assessment requires the organization to bring together audit results, control testing and both external and internal loss events, compiled by the assessor within defined data and system boundaries. The University Admin Office has a contract with ITL to monitor the system and data and to develop tests for them. We are fully compliant.

SA-4 Acquisition Process. This System and Services Acquisition control enables the organization to ensure that service acquisition processes are secure, in order to protect the network infrastructure against the threat of data loss. The University Admin Office is compliant.

SC-1 System and Communications Protection Policy and Procedures. These policies and procedures enable the organization to establish a policy that ensures the development and maintenance of a system communications protection program. The University fully complies.

SI-1 System and Information Integrity Policy and Procedures. System and information integrity requires the organization to set information security standards that maximize the security and functionality of information across all assets, data and encryption technology. We are compliant with this NIST control.