4.6 Conduct Security and Privacy Reviews
Objective
Conduct security and privacy reviews to validate the system (data, applications, interfaces, network) is protected and personally identifiable information (PII) and data are secure.
Task Activities
- (Shared) Develop a Privacy Framework that includes system categorization, data types, handling, storage and sharing methods, and the incident response process
- (Shared) Develop privacy documentation and training material (if needed) to provide guidance to all stakeholders
- (Shared) Implement a privacy training roadmap and integrate it with the overall Training Plan
- (Shared) Roll out privacy regulations to all users
- (Shared) Document and receive a System of Records Notice (SORN), if required
- (Shared) Understand the provider's security environment and assess it against requirements
- (Shared) Develop security documentation and a Security Test Plan, if applicable
- (Shared) Execute security tests according to the test plan, covering both physical and logical security; document and correct issues
- (Shared) Request and receive an Authority to Operate (ATO), if necessary
4.6 Best Practices
- Understand the customer’s ATO process and allow sufficient time to get documentation through review and approval
- Develop and define the Security/Privacy plan before development begins, as part of the Target State Solution Architecture
- Begin security and privacy planning early and include security steps across all migration phases
Stakeholders
Customer
- Program Manager
- Functional Lead
- Functional SME
- Technical Lead/Solution Architect
- Data SME
- Security Lead
- Information Systems Security Officer (ISSO)
- Network SME
- PMO Lead
Provider
- Program Manager
- Functional Lead
- Functional SME
- Technical Lead/Solution Architect
- Security Lead
- Information Systems Security Officer (ISSO)
- Network SME
- PMO Lead
Inputs
- Requirements Traceability Matrix (RTM)
- Requirements Fit-Gap Analysis
- Target State Concept of Operations
- Technical Strategy
- Training Plan
Outputs
- Security Documentation, including Security Test Results and ATO
- Privacy Documentation, including Initial Privacy Assessment, FIPS 199, SORN, Privacy Impact Assessment