Skip to content

Instantly share code, notes, and snippets.

@gregelin

gregelin/django-oc.yaml

Last active July 16, 2021 17:19
Show Gist options
  • Save gregelin/70cc440f9269a59dcfe1167f87aa36c5 to your computer and use it in GitHub Desktop.
Save gregelin/70cc440f9269a59dcfe1167f87aa36c5 to your computer and use it in GitHub Desktop.
Download ZIP
GovReady Controls
Raw
django-oc.yaml
name: Django
schema_version: 3.0.0
documentation_complete: false
satisfies:
- control_key: AC-11
control_name: Session Lock
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: 'The Django web framework has built-in session management that includes
locking and terminating a session after a specific duration of inactivity. The
duration of a session is set by configuring the `SESSION_COOKIE_AGE` in `settings.py`. '
remarks:
- text: ''
- control_key: AC-14
control_name: Permitted Actions Without Identification or Authentication
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: The Django web framework has built-in session management and path routing
that be combined to control which actions that can be performed by the end-user
do or do not require authentication.
remarks:
- text: ''
- control_key: AC-3
control_name: Access Enforcement
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: 'The Django web framework has built-in authentication to enforce logical
access to information and services. '
remarks:
- text: ''
- control_key: AU-3
control_name: Content of Audit Records
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: The Django web framework contains built-in logging tools that can be configured
and programmed by application developers to generate audit records containing
required information.
remarks:
- text: ''
- control_key: AU-8
control_name: Time Stamps
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: The Django web framework uses the Python programming language's time module
for generating and time and date stamps. The Python programming language has
access to the Operating System's clock for time and date information.
remarks:
- text: ''
- control_key: IA-11
control_name: Re-authentication
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: The Django web framework has built-in session management that can be configured
with session locks and timeouts that require re-authentication of users before
continued access is granted. Application developers can extend the built-in
session management to require re-authentication according to organization policies.
remarks:
- text: ''
- control_key: IA-2
control_name: Identification and Authentication (organizational Users)
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: 'The Django web framework has built-in authentication to enforce logical
access to information and services. '
remarks:
- text: ''
- control_key: IA-6
control_name: Authenticator Feedback
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: The Django web framework has built-in authentication processes that obscure
feedback of authentication information during the authentication process. Django
also has a built-in `DEBUG` setting that when set to `False` prevents all error
information from being rendered to the web browser.
remarks:
- text: ''
- control_key: SI-9
control_name: Information Input Restrictions
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: Django provides built-in validators, form validation handling, and auto-escaping
to check to ensure correct data types are added by end users.
remarks:
- text: ''
Raw
govready-controls.md

Controls

CP-2 - GovReady PBC Organizational Security Handbook

The GovReady PBC Organizational Security Handbook is a Markdown Document stored in GitHub outlining how the organization handles a spectrum of security activities from planning to various crisis scenarios.

The GovReady PBC Organizational Security Handbook includes a Contigency Plan that describes critical systems are restored within 1 to 2 days.

a. GovReady-Q Contingency Plan that lists contingency requirements to be able to restore GovReady-Q instance from most recent backup in single day.

Use virtual virtual environments
Containerized deployment
Republish
Repoint domain
Domain hosted at different service provider
Everything is in the database excluding configuration files
Shared passwords among individuals at different locations

b. The Contigency Plan is distributed to the Director of Operations and Chief Technology Officer by publishing the Plan as a Google Doc and/or markdown document in a GitHub repository.

c. GovReady PBC coordinates contigency planning activies with incident handling activities by having the Incident Handling include the Director of Operations and Chief Technology Officer determining if an incident requires activation of the Contigency Plan.

d. GovReady PBC's Director of Operations and Chief Technology Officer review the Contingency Plan quarterly.

e. GovReady PBC's Director of Operations and Chief Technology Officer update the GovReady-Q Contingency Plan when there are changes in the organization, GovReady-Q, general environment of operation, contigency testing results that impact effectiveness of the Contigency Plan.

f. The Director of Operations communicates to the Chief Executive Officer and GovReady-Q developers when changes are made to the Contigency Plan.

CP-2 (1) GovReady PBC

GovReady PBC is a small enough organization that all contigency plan development is done by the same individuals who develop other organization risk management plans.

CP-2 (3) GovReady PBC

GovReady PBC plans for the resumption of essential missions and business functions within 10 business days of organizational contingency plan activation.

CP-2 (8) GovReady PBC

GovReady PBC maintains a list of critical information system assets supporting essential missions and business functions as a Google Doc and/or markdown document in a GitHub repository.

CP-3 GovReady PBC

GovReady PBC provides contingency training to information system users consistent with assigned roles and responsibilities within 30 days of assuming a congtingency role or responsibility; when required by ifnromation system changes; and a brief review on an annual basis.

CP-3 (1) GovReady-Q Contingency Plan

GovReady-Q Contingency Plan includes example table-top exercises run on an annual basis that include simulated events using development environments as part of contigency training to facilitate effective response by personnel in crisis situations.

CP-6 (1) AWS Availability Zones

AWS Availability Zones are used to provide alternate storage sites for backup information that is separated from the primary storage site to reduce susceptibility to the same threats.

CP-6 (3) GovReady-Q Contingency Plan

The GovReady-Q Contingency Plan identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7 AWS Availability Zones

AWS Availability Zones are used to establish alternate processing site including necessary agreements to permit the transfer and resumption of customer facing for essential missions/business functions within [organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;

CP-7 Slack

Slack is used to establish an alternate processing site for organizational communication within a single day should the primary email services be unavailable for essential business email communication.

CP-7 Google Suite

Google Suite, including email, is used to establish an alternate processing site for organizational communication within a single day should the real-time messaging services be unavailable for essential business email communication.

CP-7 (1) AWS Availability Zones

AWS Availability Zones are used to provide alternate processing sites for backup information that is separated from the primary processing site to reduce susceptibility to the same threats.

CP-7 (2) GovReady-Q Contingency Plan

The GovReady-Q Contingency Plan identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7 (3) GovReady-Q Contingency Plan

The GovReady-Q Contingency Plan includes ensuring agreements have have been made with the alternate processing sites that provide provisions for deploying and launching the processing within the time frames required by the Contigency Plan.

CP-8 AWS Availability Zones

AWS Availability Zones provide redundant telecommunication services to permit the resumption of services immediately should the primary telecommunications capabilities are unavailable.

CP-8 (1) AWS Availability Zones

AWS Availability Zones provide redundant telecommunication services to permit the resumption of services immediately should the primary telecommunications capabilities are unavailable.

CP-8 (2) AWS Availability Zones

AWS Availability Zones provide redundant telecommunication services to permit the resumption of services immediately should the primary telecommunications capabilities are unavailable.

CP-9 Git

Documentation describing critical recovery information maintained Git repositories and

CP-9 Google Suite

Google Suite's G-Drive service is used to store organizational system documentation and provides extensive backup up services to insure disaster recovery.

CP-9 (1) GovReady Operations Team

The GovReady Operations Team tests backup information on a quarterly basis to verify media reliability and information integrity

CP-9 (2) GovReady Operations Team

The GovReady Operations Teams restores a sample of backup information to restore a new version of production ifnromation as part of contigency plan testing.

CP-10 The GovReady Development Team

The GovReady Development Team designs the GovReady-Q information system as containerized, Infrastructure as Code approach with sufficient transaction logging and snapshot backups so that GovReady-Q can be reconstituted to a knwon state after a disruption, compromise or failure.
Raw
govready-pbc-dev-team-oc.yaml
name: GovReady PBC Development Team
schema_version: 3.0.0
documentation_complete: false
satisfies:
- control_key: CP-10
control_name: Information System Recovery and Reconstitution
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: The GovReady Development Team designs the GovReady-Q information system
as containerized, Infrastructure as Code approach with sufficient transaction
logging and snapshot backups so that GovReady-Q can be reconstituted to a known
state after a disruption, compromise or failure.
remarks:
- text: ''
Raw
govready-pbc-ops-handbook-oc.yaml
name: GovReady PBC Security Handbook
schema_version: 3.0.0
documentation_complete: false
satisfies:
- control_key: AT-1
control_name: Security Awareness and Training Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe security awareness training practice describes the management commitment,
purpose, scope, and responsibilities for developing the security awareness training
as well as specific procedures to insure the implementation of the trainings
for employees and consultants. \r\n\r\nPart of the security and awareness training
practice is to have the Director of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: AU-1
control_name: Audit and Accountability Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe audit and accountability contingency practice describes the management
commitment, purpose, scope, and responsibilities for developing audit and accountability
policies as well as specific procedures to insure the implementation of the
\ policies. \r\n\r\nPart of the contingency planning practice is to have the
Director of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: CA-1
control_name: Security Assessment and Authorization Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe audit and accountability contingency practice describes the management
commitment, purpose, scope, and responsibilities for developing security assessment
and authorization policy as well as specific procedures to insure the implementation
of the policy. \r\n\r\nPart of the contingency planning practice is to have
the Director of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: CM-1
control_name: Configuration Management Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe configuration management practice describes the management commitment,
purpose, scope, and responsibilities for developing configuration management
policy as well as specific procedures to insure the implementation of the policy.
\r\n\r\nPart of the configuration management practice is to have the Director
of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: CP-1
control_name: Contingency Planning Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe contingency planning practice describes the management commitment,
purpose, scope, and responsibilities for developing contingency plans as well
as specific procedures to insure the implementation of the contingency planning
policy. \r\n\r\nPart of the contingency planning practice is to have the Director
of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: IA-1
control_name: Identification and Authentication Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe identity and authorization practice describes the management commitment,
purpose, scope, and responsibilities for developing contingency plans as well
as specific procedures to insure the implementation of the identity and authorization
policy. \r\n\r\nPart of the identity and authorization practice is to have the
Director of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: IR-1
control_name: Incident Response Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe incident response practice describes the management commitment,
purpose, scope, and responsibilities for developing incident response as well
as specific procedures to insure the implementation of the incident response
policy. \r\n\r\nPart of the incident response practice is to have the Director
of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: MA-1
control_name: System Maintenance Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe system maintenance practice describes the management commitment,
purpose, scope, and responsibilities for developing system maintenance policy
as well as specific procedures to insure the implementation of the system maintenance
policy. \r\n\r\nPart of the system maintenance practice is to have the Director
of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: MP-1
control_name: Media Protection Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe media protection practice describes the management commitment, purpose,
scope, and responsibilities for developing media protection as well as specific
procedures to insure the implementation of the media protection policy. \r\n\r\nPart
of the media protection practice is to have the Director of Operations and CTO
review the practice quarterly."
remarks:
- text: ''
- control_key: PE-1
control_name: Physical and Environmental Protection Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe physical and environmental protection practice describes the management
commitment, purpose, scope, and responsibilities for developing physical and
environmental protection as well as specific procedures to insure the implementation
of the physical and environmental protection policy. \r\n\r\nPart of the physical
and environmental protection practice is to have the Director of Operations
and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: PL-1
control_name: Security Planning Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe identity and authorization practice describes the management commitment,
purpose, scope, and responsibilities for developing security planning as well
as specific procedures to insure the implementation of the security planning
policy. \r\n\r\nPart of the security planning practice is to have the Director
of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: PM-1
control_name: Information Security Program Plan
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe program management practice describes the management commitment,
purpose, scope, and responsibilities for developing program management as well
as specific procedures to insure the implementation of the program management
policy. \r\n\r\nPart of the program management integrity practice is to have
the Director of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: PS-1
control_name: Personnel Security Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe identity and authorization practice describes the management commitment,
purpose, scope, and responsibilities for developing personnel security as well
as specific procedures to insure the implementation of the personnel security
policy. \r\n\r\nPart of the personnel security is to have the Director of Operations
and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: RA-1
control_name: Risk Assessment Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe identity and authorization practice describes the management commitment,
purpose, scope, and responsibilities for developing risk assessment policy as
well as specific procedures to insure the implementation of the risk assessment
policy. \r\n\r\nPart of the risk assessment practice is to have the Director
of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: SA-1
control_name: System and Services Acquisition Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe system and services acquisition practice describes the management
commitment, purpose, scope, and responsibilities for developing system and services
acquisition policy as well as specific procedures to insure the implementation
of the system and services acquisition policy. \r\n\r\nPart of the security
planning practice is to have the Director of Operations and CTO review the practice
quarterly."
remarks:
- text: ''
- control_key: SC-1
control_name: System and Communications Protection Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe system and communication practice describes the management commitment,
purpose, scope, and responsibilities for system and communication plans as well
as specific procedures to insure the implementation of the system and communication
policy. \r\n\r\nPart of the system and communication practice is to have the
Director of Operations and CTO review the practice quarterly."
remarks:
- text: ''
- control_key: SI-1
control_name: System and Information Integrity Policy and Procedures
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "GovReady PBC Practices is a collection of organizational practices that
address policies, procedures, and practices followed by GovReady PBC and includes
contingency planning practices. Public practices are in the repository https://github.com/GovReady/govready-pbc-practices.
Private practices are in the repository https://github.com/GovReady/govready-pbc-private-practices.
\r\n\r\nThe systems and information integrity practice describes the management
commitment, purpose, scope, and responsibilities for developing systems and
information integrity as well as specific procedures to insure the implementation
of the systems and information integrity policy. \r\n\r\nPart of the systems
and information integrity practice is to have the Director of Operations and
CTO review the practice quarterly."
remarks:
- text: ''
Raw
govready-pbc-ops-team-oc.yaml
name: GovReady PBC Operations Team
schema_version: 3.0.0
documentation_complete: false
satisfies:
- control_key: CP-9.1
control_name: Testing for Reliability / Integrity
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: The GovReady Operations Team tests backup information on a quarterly basis
to verify media reliability and information integrity of GovReady PBC software.
remarks:
- text: ''
- control_key: CP-9.2
control_name: Test Restoration Using Sampling
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: The GovReady Operations Teams restores a sample of backup information to
restore a new version of production information as part of contingency plan
testing.
remarks:
- text: ''
Raw
govready-q-contgency-plan-oc.yaml
name: GovReady-Q Contingency Plan
schema_version: 3.0.0
documentation_complete: false
satisfies:
- control_key: CP-2
control_name: Contingency Plan
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: The Director of Operations communicates to the Chief Executive Officer and
GovReady-Q developers when changes are made to the Contingency Plan.
remarks:
- text: ''
- control_key: CP-2
control_name: Contingency Plan
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC's Director of Operations and Chief Technology Officer update
the GovReady-Q Contingency Plan when there are changes in the organization,
GovReady-Q, general environment of operation, contingency testing results that
impact effectiveness of the Contingency Plan.
remarks:
- text: ''
- control_key: CP-2
control_name: Contingency Plan
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC's Director of Operations and Chief Technology Officer review
the Contingency Plan quarterly.
remarks:
- text: ''
- control_key: CP-2
control_name: Contingency Plan
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC coordinates contingency planning activities with incident handling
activities by having the Incident Handling include the Director of Operations
and Chief Technology Officer determining if an incident requires activation
of the Contingency Plan.
remarks:
- text: ''
- control_key: CP-2
control_name: Contingency Plan
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: The Contingency Plan is distributed to the Director of Operations and Chief
Technology Officer by publishing the Plan as a Google Doc and/or markdown document
in a GitHub repository.
remarks:
- text: ''
- control_key: CP-2
control_name: Contingency Plan
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: "The GovReady PBC Organizational Security Handbook includes a Contingency
Plan that describes critical systems are restored within 1 to 2 days and requires
the following is addressed:\r\n\r\n- Use virtual virtual environments\r\n- Use
containerized deployment\r\n- Republish existing content within 2 days\r\n-
Re-pointing domain to new servers in a single day\r\n- Domain hosted at different
service provider\r\n- All content is hosted in the database excluding configuration
files\r\n- Share key administration account credentials among privileged individuals
at different locations so it is possible to return to service"
remarks:
- text: ''
- control_key: CP-3.1
control_name: Simulated Events
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady-Q Contingency Plan includes example table-top exercises run on
an annual basis that include simulated events using development environments
as part of contingency training to facilitate effective response by personnel
in crisis situations.
remarks:
- text: ''
- control_key: CP-6.3
control_name: Accessibility
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: The GovReady-Q Contingency Plan identifies potential accessibility problems
to the alternate storage site in the event of an area-wide disruption or disaster
and outlines explicit mitigation actions.
remarks:
- text: ''
Raw
govready-q-oc.yaml
name: GovReady PBC
schema_version: 3.0.0
documentation_complete: false
satisfies:
- control_key: CP-2.1
control_name: Coordinate with Related Plans
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC is a small enough organization that all contingency plan development
is done by the same individuals who develop other organization risk management
plans.
remarks:
- text: ''
- control_key: CP-2.3
control_name: Resume Essential Missions / Business Functions
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC plans for the resumption of essential missions and business
functions within 10 business days of organizational contingency plan activation.
remarks:
- text: ''
- control_key: CP-2.8
control_name: Identify Critical Assets
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC maintains a list of critical information system assets supporting
essential missions and business functions as a Google Doc and/or markdown document
in a GitHub repository.
remarks:
- text: ''
- control_key: CP-3
control_name: Contingency Training
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC provides contingency training to information system users consistent
with assigned roles and responsibilities within 30 days of assuming a contingency
role or responsibility; when required by information system changes; and a brief
review on an annual basis.
remarks:
- text: ''
- control_key: PS-3
control_name: Personnel Screening
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC has a formal screening process for employees and contractors
that have access to customer proprietary information and commit privileges to
GovReady PBC software. GovReady PBC leverages the background checks that are
performed by government agencies on individuals as part of its screen process.
remarks:
- text: ''
- control_key: PS-4
control_name: Personnel Termination
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC, upon termination of individual employment and contract consulting
services, notifies the Director of Operations, CEO, managers, and effected customers
within 2 weeks.
remarks:
- text: ''
- control_key: PS-4
control_name: Personnel Termination
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC, upon termination of individual employment and contract consulting
services, reviews information the individual had access to in information systems
and retains relevant organizational information.
remarks:
- text: ''
- control_key: PS-4
control_name: Personnel Termination
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC, upon termination of individual employment and contract consulting
services, revokes all authenticators/credentials associated with the individual.
remarks:
- text: ''
- control_key: PS-4
control_name: Personnel Termination
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC, upon termination of individual employment and contract consulting
services, conducts exist interviews that include a discussion of any issues
the individual saw with organization conduct and cyber security.
remarks:
- text: ''
- control_key: PS-4
control_name: Personnel Termination
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC, upon termination of individual employment and contract consulting
services, retrieves all security-related organizational information system-related
property. The Director of Operations is responsible for this task.
remarks:
- text: ''
- control_key: PS-4
control_name: Personnel Termination
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC, upon termination of individual employment and contract consulting
services, disables appropriate system information access within 14 days.
remarks:
- text: ''
- control_key: PS-5
control_name: Personnel Transfer
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC, upon role reassignment of employees and contract consultants,
instructs the Director of Operations to modify access authorization as required
by the reassignment.
remarks:
- text: ''
- control_key: PS-5
control_name: Personnel Transfer
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC, upon termination of individual employment and contract consulting
services, rev
remarks:
- text: ''
- control_key: PS-5
control_name: Personnel Transfer
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC, upon role reassignment of employees and contract consultants,
initiates reassignment actions within 14 day or otherwise specified time period
following the reassignment.
remarks:
- text: ''
- control_key: PS-5
control_name: Personnel Transfer
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC, upon role reassignment of employees and contract consultants,
reviews and confirms individuals need for access to information systems and
customer/vendor facilities. (GovReady PBC is a virtual organization and does
not have facilities.)
remarks:
- text: ''
- control_key: PS-6
control_name: Access Agreements
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC's Director of Operations reviews and updates employee an consultant
access agreements on a quarterly basis.
remarks:
- text: ''
- control_key: PS-6
control_name: Access Agreements
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: 'GovReady PBC maintains an access agreement for each employee that tracks
the organizational systems to which an individual access. '
remarks:
- text: ''
- control_key: PS-6
control_name: Access Agreements
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC has the Director of Operations ensure that employees and consultants
sign access agreements prior to being granted access to organizational information
systems and re-sign such access agreements to maintain access when the access
agreements substantially change.
remarks:
- text: ''
- control_key: PS-8
control_name: Personnel Sanctions
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC describes a formal sanction process in its employee manual
and consulting contracts describing what happens when individuals fail to comply
with information security policies and procedures.
remarks:
- text: ''
- control_key: PS-8
control_name: Personnel Sanctions
standard_key: NIST_SP-800-53_rev4
covered_by: []
security_control_type: Hybrid | Inherited | ...
narrative:
- text: GovReady PBC notifies the Director of Operations and CEO within 14 days
when a formal employee sanctions process is initiated, identifying the individual
sanctioned and the reason for the sanction.
remarks:
- text: ''
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment