The first copy of the System Security Control Baseline prepared by the C&A Analyst is considered a draft until both the ISSO and the System Owner have reviewed it and agree with the controls selected by the C&A analyst.
The process of finalizing the System Security Control Baseline is termed Tailoring of the Security Control Baseline. The end result is the Finalized System Security Control Baseline.
The review of the System Security Control Baseline by the system owner and the ISSO is to identify controls that are Not Applicable (N/A), Common Control, System Specific or Hybrid.
Sample System Security Control Baseline
Not Applicable- Is a control that cannot be tested or implemented because it is irrelevant to that particular system. For example, a publicly accessible website (www.USCIS.com) would not require login credentials (username and password). Therefore IA-5 Authenticator Management and IA-6 Authenticator Feedback will not be implemented or tested.
Common Control/Inherited– Is a control that is provided by another system or department/business unit. For example, PS-1 Personnel Security Policy and Procedures is handled by HR and is not the responsibility of the System Owner in our Smart Portal test case.
Hybrid- Control implementation is owned by two different system owners. For example, for AT-2 Security Awareness Training, HR prepares all IT security training material, while the system owner ensures that all of his/her staff undertake the IT training and, in addition, provides and keeps records showing that the training has been completed by staff members.
System Specific- Is a control that is not hybrid but is maintained by only one System Owner. For example, CM-2 Configuration Settings in our Smart Portal test case.
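As an added example (not part of the course material), the tailoring process described above and the four control categories can be captured in a small Python model: each control carries its designation, N/A controls must carry a rationale, Hybrid controls must name two owners, and the baseline stays a Draft until both the ISSO and the System Owner agree. The data model and field names are assumptions; the control IDs, titles and Smart Portal designations are the ones given on this page.

```python
from dataclasses import dataclass

# Hypothetical data model; the control IDs, titles and Smart Portal designations are the page's.
CATEGORIES = ("Not Applicable", "Common Control", "Hybrid", "System Specific")

@dataclass
class Control:
    control_id: str
    title: str
    category: str
    owners: tuple = ()     # one owner for Common Control / System Specific, two for Hybrid
    rationale: str = ""    # why a control is Not Applicable

@dataclass
class Baseline:
    system: str
    controls: list
    isso_agreed: bool = False
    system_owner_agreed: bool = False

def tailoring_issues(b: Baseline) -> list:
    """Problems the ISSO and System Owner should resolve before agreeing."""
    issues = []
    for c in b.controls:
        if c.category not in CATEGORIES:
            issues.append(f"{c.control_id}: unknown category {c.category!r}")
        elif c.category == "Not Applicable" and not c.rationale:
            issues.append(f"{c.control_id}: Not Applicable requires a rationale")
        elif c.category == "Hybrid" and len(c.owners) != 2:
            issues.append(f"{c.control_id}: Hybrid must name two owners")
        elif c.category in ("Common Control", "System Specific") and len(c.owners) != 1:
            issues.append(f"{c.control_id}: {c.category} must name exactly one owner")
    return issues

def status(b: Baseline) -> str:
    """The analyst's first copy stays a Draft until both reviewers agree and no issues remain."""
    if b.isso_agreed and b.system_owner_agreed and not tailoring_issues(b):
        return "Finalized"
    return "Draft"

# Constructed Smart Portal baseline using the designations given on the page.
SMART_PORTAL = Baseline("Smart Portal", [
    Control("IA-5", "Authenticator Management", "Not Applicable", rationale="public site, no login"),
    Control("IA-6", "Authenticator Feedback", "Not Applicable", rationale="public site, no login"),
    Control("PS-1", "Personnel Security Policy and Procedures", "Common Control", owners=("HR",)),
    Control("AT-2", "Security Awareness Training", "Hybrid", owners=("HR", "System Owner")),
    Control("CM-2", "Configuration Settings", "System Specific", owners=("System Owner",)),
])
```

Running `tailoring_issues(SMART_PORTAL)` returns an empty list, and `status(SMART_PORTAL)` only becomes "Finalized" once both agreement flags are set.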