
Information Technology

Security Plan
(ITSP)

Guidelines & Instructions


for
Maryland State Agencies
Revision History

Version Number | Date | Author | Description
1.0 | February 2014 | Larry Riley | Initial Document
1.1 | May 2014 | Larry Riley | Document name change from IT System Security Plan to IT Security Plan

May, 2014 ii
Agency IT Security Plan (ITSP) Version 1.1

Guidelines & Instructions


Table of Contents

1 OVERVIEW 1
1.1 PURPOSE 1
1.2 OVERVIEW 1
2 ALIGNING AGENCY ITSP TEMPLATE WITH MD ISP 1
3 AGENCY ITSP INSTRUCTIONS, FORMAT, AND CONTENT 1
4 ITSP SUBMISSION REQUIREMENTS 1
4.1 ITSP SUBMISSION PROCEDURE 1
4.2 DOIT STAFF ASSISTANCE 1
5 GLOSSARY 2
6 APPENDIX A INFORMATION TECHNOLOGY SECURITY PLAN (ITSP) TEMPLATE 6
6.1 INFORMATION TECHNOLOGY SECURITY PLAN (ITSP) OVERVIEW 7
6.2 GENERAL AGENCY INFORMATION 7
6.3 MARYLAND INFORMATION SECURITY POLICY COMPLIANCE 9
6.3.1 Objective 9
6.3.2 Purpose 9
6.3.3 Agency ITSP Requirement 9
6.3.4 ITSP Responsibilities 9
6.3.5 Agency Exemptions 10
7. COMMON CONTROLS COMPLIANCE MATRIX 11
8. APPENDIX B COMPLETE SYSTEM SECURITY INVENTORY OF PII SYSTEMS 113
A. SYSTEM SECURITY INVENTORY SCOPE 113



1 Overview
1.1 Purpose
This document provides guidance, instructions and the required format for an
Agency Information Technology Security Plan (ITSP).
These guidelines and instructions apply to all entities subject to the State of
Maryland (MD) Information Security Policy (ISP), Version 3.1, dated February
2013.
1.2 Overview
Each Agency must produce an Agency Information Technology Security Plan
(ITSP). The ITSP shall contain information about cyber security measures
taken by the Agency for the protection of Agency information technology
systems and data.

2 Aligning Agency ITSP Template with MD ISP


The ITSP provides a template for documenting current cyber security
measures in place as required by MD ISP.

3 Agency ITSP Instructions, Format, and Content

The attached template contains instructions for completing an Agency ITSP
(see Appendix A).
Additionally, the MD ITSP template is posted at:
http://www.doit.maryland.gov/

4 ITSP Submission Requirements

4.1 ITSP Submission Procedure
The Agency ITSP should be sent to Larry Riley at Larry.riley@maryland.gov.

4.2 DoIT Staff Assistance
DoIT staff members are available to answer questions and provide feedback
to Agencies on their respective ITSPs. For information concerning guidelines
and formatting, please contact your Agency's assigned Information System
Security Officer (ISSO) or Representative. If your Agency does not have an
assigned ISSO or Representative, contact Larry Riley for assistance at
Larry.Riley@maryland.gov.



5 Glossary

Common Definitions

Accreditation: The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Adequate Security: Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.

Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Authorizing Official: Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.

Availability: Ensuring timely and reliable access to and use of information.

Common Security Control: Security control that can be applied to one or more agency information systems and has the following properties: (i) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and (ii) the results from the assessment of the control can be used to support the security certification and accreditation processes of an agency information system where that control has been applied.

Compensating Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST SP 800-53, that provide equivalent or comparable protection for an information system.

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Configuration Control: Process for controlling modifications to hardware, firmware, software, and documentation to ensure that the information system is protected against improper modifications before, during, and after system implementation.

High Impact System: An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.

Information Owner: Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information Security Policy: Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Information System Owner: Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.

Information System Security Officer: Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program.

Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Low Impact System: An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low.

Major Application: An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.

Major Information System: An information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.

Management Controls: The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.

Mobile Code: Software programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient.

Moderate Impact System: An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate and no security objective is assigned a FIPS 199 potential impact value of high.

Operational Controls: The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).

Plan of Action and Milestones: A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

Remote Access: Access by users (or information systems) communicating external to an information system security perimeter.

Risk: The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

Risk Assessment: The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses.

Risk Management: The process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.

Safeguards: Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.

Security Category: The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.

Security Control Baseline: The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

Security Requirements: Requirements levied on an information system that are derived from laws, executive orders, directives, policies, instructions, regulations, or organizational (mission) needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

System Security Plan: Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.

Technical Controls: The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

User: Individual or (system) process authorized to access an information system.

Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Vulnerability Assessment: Formal description and evaluation of the vulnerabilities in an information system.



Agency Information Technology
Security Plan (ITSP)

6 Appendix A Information Technology Security Plan (ITSP) Template
This template contains instructions, forms, and placeholder text to help
produce an Agency ITSP. Instructions are typically in italics. Placeholder
text is designated with brackets and blue highlighter (e.g., <sample
placeholder>). All placeholders must be removed prior to ITSP submission.
To aid in formatting, Word Styles have been defined and used throughout
this template. Prior to submission, remove pages 1 to 5 of this guidance
document, so this page becomes page 1 of the Agency ITSP.

Information Technology
Security Plan
(ITSP)
for
<insert Agency System Name>

<insert date of ITSP >

<insert Agency System Name> ITSP
Agency Information Technology
Security Plan (ITSP)

6.1 Information Technology Security Plan (ITSP) Overview

This ITSP contains the following sections describing cyber security measures
taken by the Agency for the protection of Agency information technology
systems and data. All sections are required unless exempted by DoIT and/or a
statement explaining the conditions for being exempt from compliance is
provided.
6.2 General Agency Information

1. System Name (ACRONYM): Provide the full System name and acronym.

2. Chief Information Officer (CIO) Name and Contact Information: Insert the
name of the Chief Information Officer (CIO) who is responsible for the
Information Technology (IT) systems related information submitted with the
ITSP.
Name:
Title:
Telephone Number:
Email address:

3. Agency Information Security Officer or Security Plan Point of Contact Name
and Contact Information: Insert the name of the individual who is the Agency's
point of contact for security-related matters. This individual is responsible
for ensuring the accuracy of the security-related information submitted with
the ITSP.
Name:
Title:
Telephone Number:
Email address:

4. ITSP Approved By: Provide the name, title and contact information of the
Agency Executive Sponsor.
Name:
Title:
Telephone Number:
Email address:

5. Plan Date: Provide the date the plan was approved by the Agency Executive
Sponsor.

6.3 Maryland Information Security Policy Compliance

6.3.1 Objective
The objective of security planning is to improve the protection of information
system resources. The protection of a system must be documented in an
Information Technology (IT) Security Plan (ITSP). The Agency ITSP gives each
agency a standard method for documenting its compliance with the MD ISP and
current legislation.
6.3.2 Purpose
The purpose of the Agency ITSP is to provide an overview of the security
requirements of the system and describe the controls in place or planned for
meeting those requirements. The Agency ITSP also delineates
responsibilities and expected behavior of all individuals who access the
system. The ITSP should be viewed as documentation of the structured
process of planning adequate, cost-effective security protection for a system.
It should reflect input from various managers with responsibilities concerning
the system, including information owners, the system owner, and the senior
agency information security officer.
6.3.3 Agency ITSP Requirement
The MD ISP requires each State agency under its jurisdiction to develop and
submit an Agency ITSP that addresses the security procedures included in the
MD ISP.
6.3.4 ITSP Responsibilities

Chief Information Officer - The Chief Information Officer (CIO) is the
agency official responsible for developing and maintaining an agency-wide
information security program.

Information System Owner - The information system owner is the agency
official responsible for the overall procurement, development, integration,
modification, or operation and maintenance of the information system.

Information System Security Officer - The information system security
officer is the agency official assigned responsibility by the authorizing
official, management official, or information system owner for ensuring that
the appropriate operational security posture is maintained for an information
system or program.

Agency ITSP Point of Contact - The agency ITSP point of contact is the
agency official responsible for serving as the CIO's primary liaison to the
agency's information system owners and information system security officers.

Agency ITSP Approving Official - The approving official is a senior
management official or executive with the authority to formally assume
responsibility for operating an information system at an acceptable level of
risk to agency operations, agency assets, or individuals.
6.3.5 Agency Exemptions

Any agency that has no information technology systems, or that is exempt from
compliance with the MD ISP, must still provide a statement indicating that
fact in the appropriate section(s) of the ITSP.


7. Common Controls Compliance Matrix

This matrix is a compiled list of selected common controls identified in the
MD ISP. These common controls consist of management, operational, and
technical controls mandated by State policy to be implemented in all Maryland
IT solutions, networks and systems.
Common Control / Agency Response

Roles and Responsibilities

1. Has your agency initiated measures to assure and demonstrate compliance
with the security requirements outlined in the MD ISP? [For more clarifying
information refer to Section 2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, describe how your agency initiates measures to assure and
demonstrate compliance with the security requirements outlined in the MD ISP.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>

2. Has your agency implemented and is maintaining an IT Security Program in
accordance with the MD ISP? [For more clarifying information refer to
Section 2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, describe how your agency implemented and is maintaining an IT
Security Program in accordance with the MD ISP.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>

3. Has your agency identified a role (position/person/title) that is
responsible for implementing and maintaining the agency security program?
[For more clarifying information refer to Section 2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, identify who in your agency (position/person/title) is responsible
for implementing and maintaining the agency security program.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>

4. Does your agency ensure that security is part of the information planning
and procurement process? [For more clarifying information refer to Section
2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, describe how your agency ensures that security is part of the
information planning and procurement process.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>
5. Does your agency participate in annual information systems data security
self-audits focusing on compliance to the State data security policy? [For
more clarifying information refer to Section 2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, describe how your agency participates in annual information
systems data security self-audits focusing on compliance to the State data
security policy.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>
6. Does your agency determine the feasibility of conducting regular external
and internal vulnerability assessments and penetration testing to verify
security controls are working properly and to identify weaknesses? [For more
clarifying information refer to Section 2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, describe how your agency conducts regular external and internal
vulnerability assessments and penetration testing to verify security controls
are working properly and to identify weaknesses.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>
7. Does your agency implement a risk management process for the life cycle of
each critical IT System? [For more clarifying information refer to Section
2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, describe how your agency implements a risk management process for
the life cycle of each critical IT System.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>
8. Does your agency assure the confidentiality, integrity, availability, and
accountability of all agency information while it is being processed, stored,
and/or transmitted electronically, and the security of the resources
associated with those processing functions? [For more clarifying information
refer to Section 2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, describe how your agency assures the confidentiality, integrity,
availability, and accountability of all agency information while it is being
processed, stored, and/or transmitted electronically, and the security of the
resources associated with those processing functions.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>
9. Does your agency assume the lead role in resolving Agency security and
privacy incidents? [For more clarifying information refer to Section 2.1 of
the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, describe how your agency assumes the lead role in resolving Agency
security and privacy incidents.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>
10. Does your agency abide by the guidelines established in the Maryland
Personal Information Protection Act (PIPA)? [For more clarifying information
refer to Section 2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, describe how your agency abides by the guidelines established in
the Maryland Personal Information Protection Act (PIPA).
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>
11. Does your agency develop, implement and conduct testing of an IT Disaster
Recovery Plan for critical agency IT Systems in accordance with IT Disaster
Recovery Plan Guidelines? [For more clarifying information refer to Section
2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, describe how your agency develops, implements and conducts testing
of an IT Disaster Recovery Plan for critical agency IT Systems in accordance
with IT Disaster Recovery Plan Guidelines.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>
12. Does your agency ensure separation of duties and assign appropriate
system permissions and responsibilities for agency system users? [For more
clarifying information refer to Section 2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt
from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A
documents, describe how your agency ensures separation of duties and assigns
appropriate system permissions and responsibilities for agency system users.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate
here what steps your agency plans to take to become compliant and indicate
when your agency expects to become compliant.
Steps:
<insert steps here>
13. Does your agency abide by the Records Management Guidelines established by the Department of General Services and the Maryland State Archives?
[For more clarifying information refer to Section 2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency abides by the Records Management Guidelines established by the Department of General Services and the Maryland State Archives.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

14. Does your agency identify business owners for any new system that are responsible for:
- Classifying data;
- Approving access and permissions to the data;
- Ensuring methods are in place to prevent and monitor inappropriate access to confidential data; and
- Determining when to retire or purge the data?
[For more clarifying information refer to Section 2.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency identifies business owners for any new system that are responsible for classifying data; approving access and permissions to the data; ensuring methods are in place to prevent and monitor inappropriate access to confidential data; and determining when to retire or purge data.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

15. Does your agency ensure that all State employees and contract personnel are responsible for:
- Being aware of and complying with statewide and internal policies and their responsibilities for protecting IT assets of their agency and the State;
- Using IT resources only for intended purposes as defined by policies, laws and regulations of the State or agency; and
- Being accountable for their actions relating to their use of all IT Systems?
[For more clarifying information refer to Section 2.2 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all State employees and contract personnel understand their responsibility for the use of IT systems and resources as outlined in Section 2.2 of the MD ISP.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Access Management

16. Has your agency ensured that all major information systems assets are accounted for and have a named business owner?
[For more clarifying information refer to Section 3 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all major information systems assets are accounted for and have a named business owner.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

17. Has your agency identified business owners for all major assets and assigned them the responsibility for the maintenance of appropriate controls?
[For more clarifying information refer to Section 3 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency identifies business owners for all major assets and assigns them the responsibility for the maintenance of appropriate controls.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

18. Does your agency have a documented inventory of IT systems?
[For more clarifying information refer to Section 3 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, attach the inventory of IT systems as an appendix to this ITSP.

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

19. Does your agency have a documented inventory of IT systems that contain confidential or PII data?
A complete inventory shall include a unique system name, a system owner, a security classification and a description of the physical location of the system. See Appendix B, Complete System Security Inventory of PII Systems.
[For more clarifying information refer to Section 3.0 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, document all IT systems that contain confidential or PII data using the inventory worksheet in Appendix B, Complete System Security Inventory of PII Systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

20. Does your agency document and maintain an inventory of the important assets associated with each information system?
[For more clarifying information refer to Section 3.0 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency documents and maintains an inventory of the important assets associated with each information system.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

21. Does your agency asset inventory include: a unique system name, a system/business owner, a security classification and a description of the physical location of the asset?
[For more clarifying information refer to Section 3.0 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe where the agency asset inventory that includes a unique system name, a system/business owner, a security classification and a description of the physical location of the asset can be found.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

22. Has your agency compiled an inventory of assets and the relative values and importance of these assets?
[For more clarifying information refer to Section 3.0 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe where the agency's compiled inventory of assets and the relative values and importance of these assets can be found.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

23. Based on the relative values and importance of the agency documented inventory of IT systems, has the agency assigned the appropriate levels of protection?
[For more clarifying information refer to Section 3.0 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Compliant - See attached C&A documents)
[ ] Yes (Compliant - Description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency assigns the appropriate levels of protection to each of the agency IT systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Information Classification

24. Does your agency categorize information into the main classifications with regard to disclosure as identified in the MD ISP?
[For more clarifying information refer to Section 3.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information is categorized into the main classifications with regard to disclosure as identified in the MD ISP.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

25. Do your agency's data and record custodians adhere to the Information Classification Policy as identified in the MD ISP?
[For more clarifying information refer to Section 3.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency's data and record custodians adhere to the Information Classification Policy as identified in the MD ISP.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

26. Does your agency educate users that may have access to confidential information for which they are responsible?
[For more clarifying information refer to Section 3.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency educates users that may have access to confidential information for which they are responsible.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

27. Does your agency clearly identify Confidential information (PII, Privileged, or Sensitive) as Confidential?
[For more clarifying information refer to Section 3.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency clearly identifies Confidential information (PII, Privileged, or Sensitive) as Confidential.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Information Marking & Handling

28. Does your agency ensure confidential information is protected with administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure?
[For more clarifying information refer to Section 3.1.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that confidential information is protected with administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

29. If portable devices are approved for use within your agency and contain Confidential information, is encryption used for protection?
[For more clarifying information refer to Section 3.1.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that portable devices that are approved for use within your agency and contain Confidential information use encryption for protection.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

System Security Categorization Policy

30. Has your agency assigned security category levels for all information systems?
[For more clarifying information refer to Section 3.2 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency assigns security category levels for all information systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Security Categorization Applied to Information Systems

31. Has your agency assigned sensitivity levels for the information residing on all information systems?
[For more clarifying information refer to Section 3.3 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency assigns sensitivity levels for the information residing on all information systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Security Control Requirements

32. Has your agency ensured that all information systems (hosted on a State network or a 3rd Party offsite premise) used for receiving, processing, storing and transmitting confidential information are protected in accordance with requirements identified in this section of the MD ISP?
[For more clarifying information refer to Section 3.3 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all information systems (hosted on a State network or a 3rd Party offsite premise) used for receiving, processing, storing and transmitting confidential information are protected in accordance with requirements identified in this section of the MD ISP.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Management Level Controls

33. Has your agency defined a schedule for on-going risk management review and evaluation based on the system categorization level and/or data classification of their systems?
[For more clarifying information refer to Section 5.0 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency defines a schedule for on-going risk management review and evaluation based on the system categorization level and/or data classification of their systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

34. For IT systems that contain Confidential information, does your agency have an ongoing risk management review and evaluation process?
[For more clarifying information refer to Section 5.0 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe your agency's ongoing risk management review and evaluation process.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Security Assessment & Authorization

35. Has the agency certified and accredited all IT systems and sites under their ownership and control, verifying that security controls have been adequately implemented (or are planned to be implemented) to protect confidential information?
[For more clarifying information refer to Section 5.1 of the MD ISP and the IT Security Certification and Accreditation Guidelines.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If Yes, attach a copy of the agency Security Certification and Accreditation documentation to this ITSP as an appendix.

If Yes, is the Authorization to Operate (ATO) updated every three years or upon a significant change and signed by a senior agency official?
[ ] Yes   [ ] No

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

36. For each system that contains PII, has your agency produced an Authorization to Operate (ATO) document that verifies security controls have been adequately implemented (or are planned to be implemented) to protect confidential information?
[For more clarifying information refer to Section 5.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If Yes, attach a copy of the agency Authorization to Operate (ATO) documentation to this ITSP as an appendix.

If Yes, is the Authorization to Operate (ATO) updated every three years or upon a significant change and signed by a senior agency official?
[ ] Yes   [ ] No

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

37. Does your agency conduct annual formal assessments of the IT security controls of information systems that contain PII to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome?
[For more clarifying information refer to Section 5.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If Yes, attach a copy of the agency annual assessments of the IT security controls documentation to this ITSP as an appendix.

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency conducts annual formal assessments of the IT security controls of information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

38. Is Plan of Action & Milestones (POA&M) documentation in place, for agencies with IT systems, that identifies any deficiencies related to the processing of Confidential information?
[For more clarifying information refer to Section 5.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If Yes, attach a copy of the agency Plan of Action & Milestones (POA&M) documentation to this ITSP as an appendix.

If you answered Yes and the information cannot be found in the system C&A documents, describe your agency's Plan of Action & Milestones (POA&M) process that identifies any deficiencies related to the processing of Confidential information.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

39. Is Corrective Action Plan (CAP) documentation in place, for agencies with IT systems, that identifies any deficiencies related to the processing of Confidential information?
[For more clarifying information refer to Section 5.1 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If Yes, attach a copy of the Corrective Action Plan (CAP) documentation to this ITSP as an appendix.

If you answered Yes and the information cannot be found in the system C&A documents, describe your agency Corrective Action Plan (CAP) documentation process within the agency that identifies any deficiencies related to the processing of Confidential information.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Planning

40. Has the agency developed, documented, and established a system security plan, describing the security requirements, current controls and planned controls, for protecting agency information systems and confidential information?
[For more clarifying information refer to Section 5.2 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency develops, documents, and establishes a system security plan, describing the security requirements, current controls and planned controls, for protecting agency information systems and confidential information.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

41. Does the agency ensure that the system security plan is updated to account for significant changes in the security requirements, current controls and planned controls for protecting agency information systems and confidential information?
[For more clarifying information refer to Section 5.2 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that the system security plan is updated to account for significant changes in the security requirements, current controls and planned controls for protecting agency information systems and confidential information.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

42. Has the agency developed, documented, and established a set of rules describing their responsibilities and expected system behavior, as a requirement of the system security plan?
[For more clarifying information refer to Section 5.2 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency develops, documents, and establishes a set of rules describing their responsibilities and expected system behavior, as a requirement of the system security plan.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Service Interface Agreements (SIA)

43. Are agency IT systems with a Service Interface Agreement in place for non-networkMaryland connections permitted only after all approvals are obtained consistent with the MD ISP?
[For more clarifying information refer to Section 5.3 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If Yes, attach a copy of the Service Interface Agreement to this ITSP as an appendix.

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that IT systems with a Service Interface Agreement in place for non-networkMaryland connections are permitted only after all approvals are obtained consistent with the MD ISP.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Note: A compliant SIA shall include:
- Purpose and duration of the connection as stated in the agreement, lease, or contract;
- Points-of-contact and cognizant officials for both the State and untrusted entities;
- Roles and responsibilities of points-of-contact and cognizant officials for both State and untrusted entities;
- Security measures to be implemented by the untrusted agency to protect the State's IT assets against unauthorized use or exploitation of the external network connection;
- Requirements for notifying a specified State official within a specified period of time (4 hours recommended) of a security incident on the network.

Operational Level Controls

44. Does your agency ensure all information system users and managers are knowledgeable of security awareness material before authorizing access to systems?
[For more clarifying information refer to Section 6.0 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all information system users and managers are knowledgeable of security awareness material before authorizing access to systems.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

45. Does your agency identify personnel with information system security roles and responsibilities?
[For more clarifying information refer to Section 6.0 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency identifies personnel with information system security roles and responsibilities.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

46. Does your agency document and monitor individual information system security training activities including basic security awareness training and specific information system security training?
[For more clarifying information refer to Section 6.0 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency documents and monitors individual information system security training activities including basic security awareness training and specific information system security training.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Configuration Management

47. Does the agency ensure that application and operating system hardening procedures are created, maintained and kept up to date?
[For more clarifying information refer to Section 6.1 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that application and operating system hardening procedures are created, maintained and kept up to date.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

48. Does the agency ensure that all default system administrator passwords are changed?
[For more clarifying information refer to Section 6.1 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all default system administrator passwords are changed.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

49. Does the agency ensure that appropriate change management processes are implemented?
[For more clarifying information refer to Section 6.1 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that appropriate change management processes are implemented.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Contingency Planning

50. Does the agency ensure that an IT Disaster Recovery Plan and/or Procedures have been developed and implemented?
[For more clarifying information refer to Section 6.2 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If Yes, attach a copy of the Agency IT Disaster Recovery Plan and/or Procedures to this ITSP as an appendix.

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

51. Does the agency ensure that the IT Disaster Recovery Plan has been tested?
[For more clarifying information refer to Section 6.2 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If Yes, identify here the date of the last test for disaster recovery conducted by your agency.
<insert date of last disaster recovery test>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Incident Response

52. Does the agency ensure that an IT Incident Response Plan and/or Procedures have been developed and implemented?
[For more clarifying information refer to Section 6.3 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, attach a copy of the agency Incident Response Plan and/or Procedures as an appendix to this ITSP.

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

53. Does the agency ensure that all security incidents are reported to DoIT in accordance with the MD ISP?
[For more clarifying information refer to Section 6.3 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all security incidents are reported to DoIT in accordance with the MD ISP.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Maintenance

54. Does the agency identify, approve, control, and routinely monitor the use of information system maintenance tools and remotely executed maintenance and diagnostic activities?
[For more clarifying information refer to Section 6.4 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency identifies, approves, controls, and routinely monitors the use of information system maintenance tools and remotely executed maintenance and diagnostic activities.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

55. Does the agency ensure only authorized personnel perform maintenance on information systems?
[For more clarifying information refer to Section 6.4 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures only authorized personnel perform maintenance on information systems.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

56. Does the agency ensure that system maintenance is scheduled, performed, and documented in accordance with manufacturer or vendor specifications and/or organizational requirements?
[For more clarifying information refer to Section 6.0 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that system maintenance is scheduled, performed, and documented in accordance with manufacturer or vendor specifications and/or organizational requirements.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Media Protection

57. Does the agency ensure that all media that contains confidential information, including removable media (CDs, magnetic tapes, external hard drives, flash/thumb drives, DVDs, copier hard disk drives) and information system input and output (reports, documents, data files, back-up tapes), is clearly labeled Confidential?
[For more clarifying information refer to Section 6.5 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all media that contains confidential information, including removable media (CDs, magnetic tapes, external hard drives, flash/thumb drives, DVDs, copier hard disk drives) and information system input and output (reports, documents, data files, back-up tapes), is clearly labeled Confidential.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

58. Does the agency ensure that media labeled Confidential is physically controlled and securely stored?
[For more clarifying information refer to Section 6.5 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that media labeled Confidential is physically controlled and securely stored.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

59. Does the agency ensure that access to system media containing Confidential information has been restricted to authorized individuals?
[For more clarifying information refer to Section 6.5 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that access to system media containing Confidential information has been restricted to authorized individuals.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

60. Does the agency protect and control Confidential system media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel?
[For more clarifying information refer to Section 6.5 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency protects and controls Confidential system media during transport outside of controlled areas and restricts the activities associated with transport of such media to authorized personnel.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

61. Does the agency deploy a tracking method to ensure Confidential system media reaches its intended destination?
[For more clarifying information refer to Section 6.5 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency deploys a tracking method to ensure Confidential system media reaches its intended destination.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

62. Does the agency ensure that, when no longer required for mission or project completion, media to be used by another person within the agency is overwritten (clear or purge) with software and protected consistent with the classification of the data?
[For more clarifying information refer to Section 6.5 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that, when confidential information is no longer required for mission or project completion, the media to be used by another person within the agency is overwritten (clear or purge) with software and protected consistent with the classification of the data.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

63. Does the agency ensure that electronic storage media for disposal or re-use is appropriately sanitized or destroyed?
[For more clarifying information refer to Section 6.5 of the MD ISP, Options 1 and 2, for applicable media overwriting techniques.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that electronic storage media for disposal or re-use is appropriately sanitized or destroyed.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

64. Does the agency document and retain records on how it sanitizes and destroys electronic media?
[For more clarifying information refer to Section 6.5 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency documents and retains records on how it sanitizes and destroys electronic media.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

65. If the agency outsources media sanitization, does the agency exercise due diligence when entering into a contract with the other party to conduct media sanitization?
[For more clarifying information refer to Section 6.5 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency exercises due diligence when entering into a contract with the other party to conduct media sanitization.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Physical & Personnel Security

66. Does the agency control physical access to processing equipment, media storage areas, media storage devices, supporting infrastructure (communications, power, and environmental) to prevent, detect, and minimize the effects of unauthorized or unintended access to these areas?
[For more clarifying information refer to Section 6.6 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency controls physical access to processing equipment, media storage areas, media storage devices, supporting infrastructure (communications, power, and environmental) to prevent, detect, and minimize the effects of unauthorized or unintended access to these areas.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

67. Does the agency ensure physical access controls are in place for the following:
- Data Centers;
- Areas containing servers and associated media;
- Networking cabinets and wiring closets;
- Power and emergency backup equipment; and
- Operations and control areas?
[For more clarifying information refer to Section 6.6 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that physical access controls are in place for the following:
- Data Centers;
- Areas containing servers and associated media;
- Networking cabinets and wiring closets;
- Power and emergency backup equipment; and
- Operations and control areas.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
68. Does the agency ensure access to data centers and secured areas is limited to those employees, contractors, technicians and vendors who have legitimate business responsibilities in those areas?
[For more clarifying information refer to Section 6.6 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures access to data centers and secured areas is limited to those employees, contractors, technicians and vendors who have legitimate business responsibilities in those areas.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
69. Does the agency ensure that all portable storage media such as hard drives, flash media drives, diskettes, magnetic tapes, laptops, PDA devices, DVDs and CDs are physically secured?
[For more clarifying information refer to Section 6.6 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all portable storage media such as hard drives, flash media drives, diskettes, magnetic tapes, laptops, PDA devices, DVDs and CDs are physically secured.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
70. Does the agency ensure proper employee and/or contractor identification processes are in place?
[For more clarifying information refer to Section 6.6 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures proper employee and/or contractor identification processes are in place.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
71. Does the agency ensure proper environmental and physical controls are established to prevent accidental or unintentional loss of information residing on IT systems?
[For more clarifying information refer to Section 6.6 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that proper environmental and physical controls are established to prevent accidental or unintentional loss of information residing on IT systems.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
72. Does the agency ensure that physical access controls are auditable?
[For more clarifying information refer to Section 6.6 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that physical access controls are auditable.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
73. Does the agency ensure that security clearances are required for personnel as determined by the system sensitivity and data classification designation?
[For more clarifying information refer to Section 6.6 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that security clearances are required for personnel as determined by the system sensitivity and data classification designation.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

74. For agencies that require security clearances for personnel, are appropriate background investigations (e.g., CJIS, State Police) being conducted?
[For more clarifying information refer to Section 6.6 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that appropriate background investigations (e.g., CJIS, State Police) are conducted for personnel who require security clearances.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
75. For agencies that require security clearances for personnel, does the agency maintain personnel clearance information on file?
[For more clarifying information refer to Section 6.6 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how the agency maintains personnel clearance information on file.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
System & Information Integrity

76. Has the agency implemented system and information integrity security controls including flaw remediation, information system monitoring, information input restrictions (such as validating input in all Web applications), and information output handling and retention?
[For more clarifying information refer to Section 6.7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how the agency implements system and information integrity security controls including flaw remediation, information system monitoring, information input restrictions (such as validating input in all Web applications), and information output handling and retention.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

77. Does the agency ensure that IT systems are protected against malicious code (e.g. viruses, worms, Trojan horses, etc.) by implementing (anti-virus, anti-malware) solutions that, to the extent possible, include a capability for automatic updates?
[For more clarifying information refer to Section 6.7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If Yes, identify here the anti-virus solution in place for your agency.
<identify the anti-virus solution in place for your agency>
If you answered Yes and the information cannot be found in the system C&A documents, describe how the agency ensures that IT systems are protected against malicious code (e.g. viruses, worms, Trojan horses, etc.) by implementing (anti-virus, anti-malware) solutions that, to the extent possible, include a capability for automatic updates.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

78. Does the agency employ intrusion detection/prevention tools and techniques to monitor system events, detect attacks, and identify unauthorized use of information systems and/or confidential information?
[For more clarifying information refer to Section 6.7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If Yes, identify here the intrusion detection/prevention tools in place for your agency.
<identify the intrusion detection/prevention tools in place for your agency>
If Yes, identify here the intrusion detection/prevention solution in place for your agency and what unit within your agency is responsible for daily management of the IDP.
<identify intrusion detection/prevention solutions in place in your agency>
If you answered Yes and the information cannot be found in the system C&A documents, describe how the agency utilizes intrusion detection/prevention tools and techniques to monitor system events, detect attacks, and identify unauthorized use of information systems and/or confidential information.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

79. Does the agency restrict information system input to authorized personnel (or processes acting on behalf of such personnel) responsible for receiving, processing, storing, or transmitting confidential information?
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency restricts information system input to authorized personnel (or processes acting on behalf of such personnel) responsible for receiving, processing, storing, or transmitting confidential information.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
80. Does the agency identify, document, and correct information system flaws?
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency identifies, documents, and corrects information system flaws.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
81. Does the agency receive and review information system security alerts/advisories for critical software that they use (e.g. operating systems, applications, etc.) on a regular basis, issue alerts/advisories to appropriate personnel, and take appropriate actions in response?
[For more clarifying information refer to Section 6.7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency receives and reviews information system security alerts/advisories for critical software that they use (e.g. operating systems, applications, etc.) on a regular basis, issues alerts/advisories to appropriate personnel, and takes appropriate actions in response.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

82. Does the agency ensure that systems are managed to protect system output during the entire system lifecycle in accordance with applicable federal laws, Executive Orders, directives, data retention policies, regulations, standards, and operational requirements?
[For more clarifying information refer to Section 6.7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that systems are managed to protect system output during the entire system lifecycle in accordance with applicable federal laws, Executive Orders, directives, data retention policies, regulations, standards, and operational requirements.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Technical Level Controls

83. Does the agency manage user accounts, including activation, deactivation, changes and audits?
[For more clarifying information refer to Section 7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency manages user accounts, including activation, deactivation, changes and audits.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

84. Does the agency ensure that systems enforce assigned authorizations that control system access and the flow of information within the system and between interconnected systems?
[For more clarifying information refer to Section 7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that systems enforce assigned authorizations that control system access and the flow of information within the system and between interconnected systems.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

85. Does the agency ensure that only authorized individuals (employees or agency contractors) have access to confidential information and that such access is strictly controlled, audited, and that it supports the concepts of least possible privilege and need to know?
[For more clarifying information refer to Section 7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that only authorized individuals (employees or agency contractors) have access to confidential information and that such access is strictly controlled, audited, and that it supports the concepts of least possible privilege and need to know.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

86. Does the agency identify, document and approve specific user actions that can be performed without identification or authentication?
[For more clarifying information refer to Section 7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency identifies, documents and approves specific user actions that can be performed without identification or authentication.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

87. Does the agency ensure that the systems enforce separation of duties through assigned access authorizations?
[For more clarifying information refer to Section 7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that the systems enforce separation of duties through assigned access authorizations.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

88. Does the agency ensure that systems enforce the most restrictive access capabilities required for specified tasks?
[For more clarifying information refer to Section 7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that systems enforce the most restrictive access capabilities required for specified tasks.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

89. Does the agency ensure that systems enforce a limit of (4) consecutive unsuccessful access attempts during a (15) minute time period by automatically locking that account for a minimum of (10) minutes?
[For more clarifying information refer to Section 7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that systems enforce a limit of (4) consecutive unsuccessful access attempts during a (15) minute time period by automatically locking that account for a minimum of (10) minutes.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

90. Does the agency ensure that systems display the approved warning before granting system access?
[For more clarifying information refer to Section 7 of the MD ISP.]
Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)
If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>
If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that systems display the approved warning before granting system access.
< insert description here >
If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

91. Does the agency ensure that unauthorized users are denied access by ensuring that user sessions time out or initiate a re-authentication process after (30) minutes of inactivity?
[For more clarifying information refer to Section 7 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that unauthorized users are denied access by ensuring that user sessions time out or initiate a re-authentication process after (30) minutes of inactivity.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

92. Does the agency authorize, document, and monitor all remote access capabilities used on its IT systems?
[For more clarifying information refer to Section 7 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency authorizes, documents, and monitors all remote access capabilities used on its IT systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

93. Does the agency ensure that Virtual Private Network (VPN) or equivalent technology is used when remotely accessing information systems?
[For more clarifying information refer to Section 7 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that Virtual Private Network (VPN) or equivalent technology is used when remotely accessing information systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

94. Does the agency ensure that all remote access connections that utilize a shared infrastructure, such as the Internet, utilize some form of encryption for transmission of data and authentication information?
[For more clarifying information refer to Section 7 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all remote access connections that utilize a shared infrastructure, such as the Internet, utilize some form of encryption for transmission of data and authentication information.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

95. Has the agency developed formal procedures for authorized individuals to access its information systems from external systems, such as access allowed from an alternate work site (if required)?
[For more clarifying information refer to Section 7 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that formal procedures for authorized individuals to access its information systems from external systems, such as access allowed from an alternate work site (if required), have been developed.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

96. Do the agency's remote access procedures address the authorizations allowed to receive, transmit, store, and/or process confidential information?
[For more clarifying information refer to Section 7 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that remote access procedures address the authorizations allowed to receive, transmit, store, and/or process confidential information.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

97. Has the agency established terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
1) access the information system from the external information systems; and
2) process, store, and/or transmit agency-controlled information using the external information systems?
[For more clarifying information refer to Section 7 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: 1) access the information system from the external information systems; and 2) process, store, and/or transmit agency-controlled information using the external information systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

98. Does the agency ensure that Virtual Private Network (VPN) or equivalent technology is used when remotely accessing information systems?
[For more clarifying information refer to Section 7 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that Virtual Private Network (VPN) or equivalent technology is used when remotely accessing information systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

99. Does the agency ensure that devices which are not the property of, or under the control of, an Agency (including any portable devices) are not directly attached to the Agency networks?
[For more clarifying information refer to Section 7 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that devices which are not the property of, or under the control of, an Agency (including any portable devices) are not directly attached to the Agency networks.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

100. Does the agency authorize, document, and monitor all wireless access to its information systems?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency authorizes, documents, and monitors all wireless access to its information systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

101. Does the agency ensure that only wireless systems that meet the criteria of the MD ISP or have been granted an exclusive waiver by the Agency CIO (or similar delegated Agency authority) are approved for connectivity to agency networks?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that only wireless systems that meet the criteria of the MD ISP or have been granted an exclusive waiver by the Agency CIO (or similar delegated Agency authority) are approved for connectivity to agency networks.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

102. Has the agency established a process for documenting all wireless access points?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe your agency's process for documenting all wireless access points.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

103. Does the agency ensure proper security mechanisms are in place to prevent the theft, alteration, or misuse of access points?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that proper security mechanisms are in place to prevent the theft, alteration, or misuse of access points.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

104. Does the agency restrict hardware implementation to utilize Wi-Fi certified devices that are configured to use the latest security features available?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency restricts hardware implementation to utilize Wi-Fi certified devices that are configured to use the latest security features available.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

105. Does the agency ensure that default administrator credentials have been changed?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that default administrator credentials have been changed.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

106. Does the agency ensure that default SNMP strings, if used, have been changed, or otherwise disable SNMP?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that default SNMP strings, if used, have been changed, or that SNMP is otherwise disabled.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

107. Has the agency ensured that the wireless system default Service Set Identifier (SSID) has been changed?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that the wireless system default Service Set Identifier (SSID) has been changed.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

108. Has the agency deployed secure access point management protocols and disabled telnet on all wireless systems?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency deploys secure access point management protocols and disables telnet on all wireless systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

109. Has the agency strategically placed and configured access points to minimize Service Set Identifier (SSID) broadcast exposure beyond the physical perimeter of the building?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency strategically places and configures access points to minimize Service Set Identifier (SSID) broadcast exposure beyond the physical perimeter of the building.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

110. Does the agency require wireless users to provide unique authentication over encrypted channels if accessing internal LAN services?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures wireless users provide unique authentication over encrypted channels if accessing internal LAN services.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

111. Does the agency require wireless users to utilize encrypted data transmission if accessing internal LAN services?
[For more clarifying information refer to Section 7 and Appendix D of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures wireless users utilize encrypted data transmission if accessing internal LAN services.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Audit & Accountability Control Requirements

112. Does the agency ensure that information systems generate audit records for all security-relevant events, including all security and system administrator accesses?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems generate audit records for all security-relevant events, including all security and system administrator accesses.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

113. Does the agency ensure that security-relevant events enable the detection of unauthorized access to confidential information?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that security-relevant events enable the detection of unauthorized access to confidential information.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

114. Does the agency ensure that system and/or security administrator processes include all authentication processes to access the system, for both operating system and application-level events?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that system and/or security administrator processes include all authentication processes to access the system, for both operating system and application-level events.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

115. Does the agency ensure that audit logs are enabled for tracking activities taking place on the system?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures audit logs are enabled for tracking activities taking place on the system.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

116. Does the agency ensure that application and system auditing is enabled to the extent necessary to capture access, modification, deletion and movement of critical/confidential information by each unique user?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that application and system auditing is enabled to the extent necessary to capture access, modification, deletion and movement of critical/confidential information by each unique user.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

117. Does the agency ensure that the auditing requirement also applies to data tables or databases embedded in or residing outside of an application?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
[ ] N/A (Agency is exempt from compliance with MD ISP)
[ ] Yes (Information can be found in C&A documents)
[ ] Yes (Compliant description is provided below)
[ ] No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that the auditing requirement also applies to data tables or databases embedded in or residing outside of an application.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

118. Does the agency ensure that information systems are configured to alert appropriate agency officials in the event of an audit processing failure and take the additional actions (i.e. shut down information system, overwrite oldest audit records or stop generating audit records)?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems are configured to alert appropriate agency officials in the event of an audit processing failure and take the additional actions (i.e. shut down information system, overwrite oldest audit records or stop generating audit records).
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

119. Does the agency ensure that information systems are configured to allocate sufficient audit record storage capacity to record all necessary auditable items?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems are configured to allocate sufficient audit record storage capacity to record all necessary auditable items.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

120. Does the agency ensure that information systems produce audit records that contain sufficient information to, at a minimum, establish:
1) what type of event occurred,
2) when (date and time) the event occurred,
3) where the event occurred,
4) the source of the event,
5) the identity of the targeted resource,
6) the outcome (success or failure) of the event,
7) the identity of any user/subject associated with the event.
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems produce audit records that contain sufficient information as required by MD ISP.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

121. Has the agency developed procedures to routinely (for example daily or weekly) review audit records for indications of unusual activities, suspicious activities or suspected violations, and report findings to appropriate officials for prompt resolution?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe your agency procedures to routinely (for example daily or weekly) review audit records for indications of unusual activities, suspicious activities or suspected violations, and report findings to appropriate officials for prompt resolution.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

122. Does the agency ensure that information systems provide the capability to automatically process audit records for events of interest based on selectable event criteria and also provide report generation capabilities?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems provide the capability to automatically process audit records for events of interest based on selectable event criteria and also provide report generation capabilities.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

123. Does the agency ensure that audit information is archived for the [lesser of 3 years or until the Office of Legislative Audits completes the audit of the entity] to enable the re-creation of computer related accesses to both the operating system and to the application wherever confidential information is stored?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that audit information is archived for the [lesser of 3 years or until the Office of Legislative Audits completes the audit of the entity] to enable the re-creation of computer related accesses to both the operating system and to the application wherever confidential information is stored.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

124. Does the agency ensure that information systems protect audit information and audit tools from unauthorized access, modification, and deletion?
[For more clarifying information refer to Section 7.1 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems protect audit information and audit tools from unauthorized access, modification, and deletion.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Identification & Authorization Control Requirements
125. Does the agency ensure information systems are configured to uniquely identify users, devices, and processes via the assignment of unique user accounts and validate users (or processes acting on behalf of users) using standard authentication methods such as passwords, tokens, smart cards, or biometrics?
[For more clarifying information refer to Section 7.2 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems are configured to uniquely identify users, devices, and processes via the assignment of unique user accounts and validate users (or processes acting on behalf of users) using standard authentication methods such as passwords, tokens, smart cards, or biometrics.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
126. Does the agency manage user accounts assigned within its information systems?
[For more clarifying information refer to Section 7.2 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency manages user accounts assigned within its information systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

127. Does the agency ensure effective user account management practices include:
1) obtaining authorization from appropriate officials to issue user accounts to intended individuals;
2) disabling user accounts, when no longer needed (immediately upon user exit from employment, 60 days for inactive accounts);
3) not re-issuing inactive or terminated user accounts; and
4) developing and implementing standard operating procedures for validating system users who request reinstatement of user account privileges suspended or revoked by information systems?
[For more clarifying information refer to Section 7.2 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that effective user account management practices are in compliance with MD ISP.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

128. Does the agency ensure that information systems obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals?
[For more clarifying information refer to Section 7.2 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

129. Does the agency ensure that whenever information systems are employing cryptographic modules, these modules are compliant with NIST guidance, including FIPS PUB140-2?
[For more clarifying information refer to Section 7.2 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that whenever information systems are employing cryptographic modules, these modules are compliant with NIST guidance, including FIPS PUB140-2.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

System & Communications Control Requirements
130. Does the agency ensure information systems separate front end interfaces from back end processing and data storage?
[For more clarifying information refer to Section 7.3 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems separate front end interfaces from back end processing and data storage.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

131. Does the agency ensure information systems prevent unauthorized and unintended information transfer via shared system resources?
[For more clarifying information refer to Section 7.3 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems prevent unauthorized and unintended information transfer via shared system resources.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

132. Does the agency ensure information systems are configured to monitor and control communications at the external boundaries of the information systems and at key internal boundaries within the systems?
[For more clarifying information refer to Section 7.3 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems are configured to monitor and control communications at the external boundaries of the information systems and at key internal boundaries within the systems.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

133. Does the agency ensure that information systems protect the confidentiality of confidential information during electronic transmission?
[For more clarifying information refer to Section 7.3 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that information systems protect the confidentiality of confidential information during electronic transmission.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

134. Does the agency encrypt all media containing confidential information during transmission?
[For more clarifying information refer to Section 7.3 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that all media containing confidential information is encrypted during transmission.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

135. Does the agency ensure that when cryptography (encryption) is employed within information systems, the system must perform all cryptographic operations using Federal Information Processing Standard (FIPS) PUB140-2 validated cryptographic modules with approved modes of operation?
[For more clarifying information refer to Section 7.3 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that when cryptography (encryption) is employed within information systems, the system must perform all cryptographic operations using Federal Information Processing Standard (FIPS) PUB140-2 validated cryptographic modules with approved modes of operation.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

136. When the agency uses Public Key Infrastructure (PKI), does the agency establish and manage cryptographic keys using automated mechanisms with supporting procedures or manual procedures?
[For more clarifying information refer to Section 7.3 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency establishes and manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

137. Does the agency ensure that whenever there is a network connection (external to the system), the information system terminates the network connection at the end of a session or after no more than (15) minutes of inactivity?
[For more clarifying information refer to Section 7.3 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that whenever there is a network connection (external to the system), the information system terminates the network connection at the end of a session or after no more than (15) minutes of inactivity.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Virtualization Technologies
138. Does the agency ensure that the virtual environment is as secure as a non-virtualized environment and in compliance with all relevant state and/or agency policies?
[For more clarifying information refer to Section 8 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that the virtual environment is as secure as a non-virtualized environment and in compliance with all relevant state and/or agency policies.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

139. Does the agency ensure that security recommendations described in Sections 4 & 5 of NIST SP 800-125 Guide to Security for Full Virtualization Technologies are adopted as the standard for securing virtualization solutions?
[For more clarifying information refer to Section 8 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe how your agency ensures that security recommendations described in Sections 4 & 5 of NIST SP 800-125 Guide to Security for Full Virtualization Technologies are adopted as the standard for securing virtualization solutions.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

Cloud Computing Technologies
140. If the agency has or plans on using a cloud-based solution for processing, transmitting or storing confidential information, has the agency implemented security controls to ensure that compliance and auditing requirements are met as stated in the ISP policy in addition to any Federal regulations that may apply?
[For more clarifying information refer to Section 9 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe what security controls your agency has implemented to ensure that compliance and auditing requirements are met as stated in the ISP policy in addition to any Federal regulations that may apply.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
Mobile Devices
141. Has the agency taken necessary steps to keep data secure and protect their mobile computing devices as outlined in MD ISP?
[For more clarifying information refer to Section 10 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe the necessary steps your agency has taken to keep data secure and protect their mobile computing devices as outlined in MD ISP.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>

142. Has the agency taken steps to educate the users of their responsibility for protecting and securing mobile devices as outlined in the MD ISP?
[For more clarifying information refer to Section 10 of the MD ISP.]

Check one:
N/A (Agency is exempt from compliance with MD ISP)
Yes (Information can be found in C&A documents)
Yes (Compliant description is provided below)
No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe the steps your agency has taken to educate the users of their responsibility for protecting and securing mobile devices as outlined in the MD ISP.
<insert description here>

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
Electronic Communications Policy

143. Has the agency taken steps to educate the users of their responsibility and acceptable use of electronic communications and electronic communications systems as outlined in the MD ISP?
[For more clarifying information refer to Section 11 of the MD ISP.]

Check one:
    N/A (Agency is exempt from compliance with MD ISP)
    Yes (Information can be found in C&A documents)
    Yes (Compliant description is provided below)
    No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe the steps your agency has taken to educate the users of their responsibility and acceptable use of electronic communications and electronic communications systems as outlined in the MD ISP.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>
Social Media Policy

144. Has the agency taken steps to educate the users of their responsibility and acceptable use of social media and social media sites as outlined in the MD ISP?
[For more clarifying information refer to Section 12 of the MD ISP.]

Check one:
    N/A (Agency is exempt from compliance with MD ISP)
    Yes (Information can be found in C&A documents)
    Yes (Compliant description is provided below)
    No (Steps to become compliant are provided below)

If N/A, please provide a statement explaining conditions for being exempt from compliance with the MD ISP.
<insert statement here>

If you answered Yes and the information cannot be found in the system C&A documents, describe the steps your agency has taken to educate the users of their responsibility and acceptable use of social media and social media sites as outlined in the MD ISP.
< insert description here >

If No, your agency is not compliant with this section of the MD ISP. Indicate here what steps your agency plans to take to become compliant and indicate when your agency expects to become compliant.
Steps:
<insert steps here>


8. Appendix B Complete System Security Inventory of PII Systems

a. System Security Inventory Scope
The system security inventory documents all automated information systems associated with the agency that contain PII.
Examples of assets associated with automated information systems that contain PII include:

Information assets: databases and data files, system documentation, user manuals, training material, operational or support procedures, disaster recovery plans, archived information;
Software assets: application software, system software, development tools and utilities;
Physical assets: computer equipment (processors, monitors, laptops, portable devices, tablets, smartphones, modems), communication equipment (routers, PBXs, fax machines, answering machines), magnetic media (tapes and disks), other technical equipment (uninterruptible power supplies, air conditioning units), furniture, accommodation; and
Services: computing and communications services, general utilities, e.g. heating, lighting, power, air-conditioning.
A complete inventory shall include a unique system name, a system owner, a security classification and a description of the physical location of the asset. See the MD ISP for all system security inventory requirements.

Number | Unique Name of information system containing PII | System Business Owner (Name and Title) | Security Classification (Public, Confidential) | Description of the Service the System Supports | Date of Most Recent System Authorization (ex. C&A, IV&V, Authorization to Operate, etc.) | Location of System (Include externally hosted systems as well as assets containing system backups)

1. | | | | | |
2. | | | | | |
Vulnerability Assessment
Vulnerability
User
Technical Controls
System Security Plan
Security Requirements
Security Control Baseline

Security Category
Safeguards
Risk Management
Risk Assessment
Risk
Remote Maintenance
Remote Access
Plan of Action and Milestones
