AMS Lifecycle Phase: Solution Implementation

Description

The updated vulnerability and risk assessment is a continuation of the preliminary vulnerability and risk assessment activities. At this stage, more details are known about the system, therefore a more accurate vulnerability and risk assessment is performed. The idea at this stage is to review the preliminary vulnerability and risk assessment to determine if new threats and vulnerabilities exist and that previously identified vulnerability-threat pairs are still valid.

At this stage, risk mitigation strategies in the ISSP are also put into place. After the risks have been identified, countermeasures or security controls must be applied to mitigate these risks. These countermeasures or security controls are Management, Operational or Technical controls. For example, the countermeasures or security controls may be either adding and or setting the attributes to the firewalls, filtering routers, virus protection, and or other available countermeasures. Other countermeasures or security controls as listed within the FAA are to be considered for the mitigation. For these risks it is essential to have solid policies and procedures to counter these threats. A determination must be made based on the requirements of a given system as to what countermeasures or security controls must be allocated. These countermeasures will be the basis of the Risk Mitigation/Remediation listed in the plan that is to be included in the SCAP.

Tasks

• Refine the security requirements checklist
• Review the POAMS and the information from the Department of Transportation (DOT) Enterprise Security Portal (ESP)
• Gather more detailed information on the system's processing environment
• Review industry sources to identify application and hardware specific vulnerabilities
• Review the previously identified threats to and vulnerabilities in the information system to ensure they are still valid
• Identify any new threats and vulnerabilities that have developed
• Identify the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability would have on the assets
• Identify and analyze the security controls for the information system

Resources

• NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
• NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
• NIST National Vulnerability Database
• Department of Transportation (DOT) Enterprise Security Portal (ESP)
• ATO Information Systems Security Program Implementation Guide (SCAPs)
• ATO Information Systems security Architecture (ISSA). Latest version
• FAA's ISS Handbook