Office of the Chief Technology Officer

Security Planning Policy


1. Purpose

This policy establishes the Enterprise Security Planning Policy for managing risks from inadequate security planning through the establishment of an effective security planning program.

2. Authority

DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (hereafter called OCTO) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District’s government agencies under the authority of the District’s Mayor. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.

3. Applicability

This policy applies to all the District’s workforce members (including contractors, vendors, consultants, temporary staff, interns, and volunteers) performing official functions on behalf of the District’s Government, and/or any District Government agency/entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from the District of Columbia Office of the Chief Technology Officer (OCTO).

This policy also applies to any providers and third-party entities with access to the District’s information, networks, and applications.

4. Policy

4.1 System Security Plan

The District’s agencies must:

  • Develop a security plan for the information system that:
    1. Is consistent with the organization’s enterprise architecture;
    2. Explicitly defines the authorization boundary for the system;
    3. Describes the operational context of the information system in terms of missions and business processes;
    4. Provides the security categorization of the information system, including supporting rationale;
    5. Describes the operational environment for the information system;
    6. Provides an overview of the security requirements for the system;
    7. Identifies any relevant overlays, if applicable;
    8. Describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplementation decisions; and
    9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
  • Distribute copies of the security plan and communicate subsequent changes to the plan to the system owner;
  • Review the security plan for the information system on an annual basis or whenever there is a proposed change to an information system;
  • Update the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
  • Protect the security plan from unauthorized disclosure and modification.

4.2 Rules of Behavior

The District’s agency:

  1. Establishes and makes readily available to individuals requiring access to the information system the rules of behavior (ROB) that describe their responsibilities and expected behavior with regard to information and information system usage;
  2. Receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the ROB before they receive access to the information system;
  3. Reviews and updates the rules of behavior annually; and
  4. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

4.3 Rules of Behavior | Social Media And Networking Restrictions

The District’s agencies include in the rules of behavior explicit restrictions on the use of social media/networking sites and on posting organizational information on public websites.

4.4 Information Security Architecture

The District’s agencies must:

  • Develop an information security architecture for the information system that:
    1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
    2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
    3. Describes any information security assumptions about, and dependencies on, external services;
  • Review and update the information security architecture annually to reflect changes in the enterprise architecture; and
  • Ensure that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

5. Exemptions

Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”).

6. Definitions

The definitions of the terms used in this document can be found in the Glossary section of the OCTO Policy Website and in appendix 3 below.