Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023
1. Purpose
Establish the Enterprise Security Planning Policy, for managing risks from inadequate security planning through the establishment of an effective security planning program.
2. Authority
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all District workforce members responsible for application identity and role definition on behalf of the District, and/or any District agency/District/entity who receive enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.
4. Policy
4.1. System Security Plan
The District’s agencies must:
4.1.1. Develop a security plan for the information system that:
- Is consistent with the organization’s enterprise architecture.
- Explicitly defines the authorization boundary for the system.
- Describes the operational context of the information system in terms of missions and business processes.
- Provides the security categorization of the information system including supporting rationale.
- Describes the operational environment for the information system.
- Provides an overview of the security requirements for the system.
- Identifies any relevant overlays, if applicable.
- Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions.
- Is reviewed and approved by the authorizing official or designated representative before planning implementation.
4.1.2. Distribute copies of the security plan and communicates subsequent changes to the plan to the system owner.
4.1.3. Review the security plan for the information system on an annual basis or whenever there is a proposed change to an information system.
4.1.4. Update the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
4.1.5. Protect the security plan from unauthorized disclosure and modification.
4.2. Rules of Behavior
The District’s agencies:
4.2.1. Establish and make readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior concerning information and information system usage.
4.2.2. Signed acknowledgment from users indicating that they have read, understand, and agree to abide by the ROB must be received before they receive access to the information system.
4.2.3. Review and update the rules of behavior annually.
4.2.4. Require individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.
4.3. Rules of Behavior | Social Media And Networking Restrictions
The District’s agencies include in the rules of behavior, explicit restrictions on the use of social media/networking sites, and posting organizational information on public websites.
4.4. Information Security Architecture
The District’s agencies must develop an information security architecture for the information system that:
4.4.1. Describe the overall philosophy, requirements, and approach to be taken concerning protecting the confidentiality, integrity, and availability of organizational information.
4.4.2. Describe how the information security architecture is integrated into and supports the enterprise architecture.
4.4.3. Describe any information security assumptions about, and dependencies on, external services.
4.4.4. Perform an annual review and update of the information security architecture to reflect changes in the enterprise architecture.
4.4.5. Ensure that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
5. Exemptions
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
6. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.