ANÁLISIS GENERAL - CARACTERISTICAS GENERALES DE LA MUESTRA

Fase 3: Análisis de resultados.

6. CARACTERISTICAS GENERALES DE LA MUESTRA

8.1 ANÁLISIS GENERAL

SECURITY AND IDAM

It is the responsibility of the geospatial system investment owner (both existing and pending), to 6

understand and ensure compliance with information security policy and individual agency 7

practices. Information security considerations must occur prior to the procurement and 8

implementation phases of the System Development Life Cycle (SDLC). Security controls, policy, 9

and processes must be built into the SDLC for information security to be implemented 10

successfully and cost-effectively. Each organization should have a mechanism by which risk and 11

security concerns inform the design and implementation of systems and applications, to avoid 12

creating cost and schedule impacts due to security requirements being added at the operations 13

and maintenance stage of the SDLC. The continuous assessment of risk and the effectiveness of 14

controls are required throughout the entire lifecycle of the IT system.138_{Table 7-1 provides an}

overview ok key security activities that must occur at each phase of the SDLC. 16

Table 7-1. Key Security Activities by SDLC Phase139

SDLC PHASE KEY SECURITY ACTIVITIES FOR THIS PHASE INCLUDE:

Initiation Initial delineation of business requirements in terms of confidentiality, integrity, and availability:

•Determine information categorization and identification of known special handling requirements to transmit, store, or create information such as personally identifiable information

•Determine any privacy requirements

•Early planning and awareness will result in cost and timesaving through proper risk management planning. Security discussions should be performed as a part of (not separately from) the development project to ensure solid understanding among project personnel of business decisions and their implications to the overall development project.

Development/ Acquisition

Conduct the risk assessment and use the results to supplement the baseline security controls:

•Analyze security requirements

•Perform functional and security testing

•Prepare initial documents for system authorization and accreditation

•Design security architecture

Implementation/ Assessment

Integrate the information system into its environment:

•Plan and conduct system certification activities in synchronization with testing of security controls

•Complete system accreditation activities

Operations and Manage the configuration of the system:

138_{Office of Management and Budget,}_{Federal Enterprise Architecture Framework}_{, Version 2, January 29, 2013, available at}

http://www.whitehouse.gov/omb/e-gov/fea

139_{National Institute of Standards and Technology, NIST Special Publication 800-64 Revision 2,}_{Security Considerations in the System}

SDLC PHASE KEY SECURITY ACTIVITIES FOR THIS PHASE INCLUDE:

Maintenance •Institute processes and procedures for assured operations and continuous monitoring of the information system’s security controls

•Perform reauthorization as required

Disposal Build and execute a Disposal/Transition Plan:

•Archive critical information

•Sanitize media

•Dispose of hardware and software

The Performance Guidance (Table 7-2) provides a summation of the key decision points to 1

facilitate the awareness and understanding of the roles and responsibilities of geospatial 2

investment owners for security considerations. 3

Table 7-2. Stakeholder Performance Guide: Security

STAKEHOLDER PERFORMANCE GUIDE CHAPTER 7 – SECURITY

Role Responsibility Approach Benefit

Exe cu tiv e L e ad e rshi p

•Identify appropriate access policy for system data necessary to ensure responsible information sharing according to mission need.

•Ensure risk management function for the

organization is established and applies repeatable, consistent evaluation criterion.

•Embrace the use of reusable, shared services for IdAM and security capabilities within the agency, and ensure Enterprise Architecture provides for adoption of federal shared services, particularly IdAM and security services, as they become available.

•Empower organizational enterprise architect to direct the inclusion of relevant IdAM and security standards in organizational IT acquisition actions by holding systems accountable for EA compliance.

•Understand Policy Requirements:

◦ Mission need for system information security

◦ Business processes that incorporate the system information

◦ Severity of risk of unauthorized disclosure

•Risk management function should be staffed sufficiently and empowered to reconcile interests of stakeholders. Clear risk management criteria formed with input from all relevant stakeholders (security, privacy, CR/CL, mission owners).

•Designate organizational Executive Agents responsible for implementing IdAM and Security EA and policy. Responsible for:

◦ Organization. EAs represent organization at relevant intergovernmental committees, governance bodies, and WGs.

◦ Develop acquisition strategy that requires transition of solutions to repeatable shared services.

•EA functions include:

◦ Organizational process for approval of systems to ensure EA for IdAM and Security (services and standards). If compliance not currently feasible, POA&Ms to be required.

◦ Engage organizational acquisitions and procurement functions to ensure contractual commitments and acquisitions are consistent with IdAM and Security EA and implementation plans.

◦ Recommend restriction of funding of noncompliant systems.

•A clear statement of information sharing policy can be vetted through the relevant stakeholders and then digitally implemented within mission systems to efficiently execute the mission.

•Provides consistent feedback that can be incorporated for system design and avoids delays from inability to plan due to ambiguous guidance or interference from dissatisfied stakeholders.

•Assist in complying with Federal policy guidance and drives cost efficiencies through shared, common services.

•Ensures that system planning incorporates appropriate guidance from an early stage to avoid delays or wasted expenditures resulting from noncompliant system architecture.

•Incorporating EA function into organizational approval process provides enforcement mechanism for EA compliance at an early stage, when noncompliance can be more easily mitigated.

STAKEHOLDER PERFORMANCE GUIDE CHAPTER 7 – SECURITY

Role Responsibility Approach Benefit

Program

Manage

•Ensure access policy requirements for the system information are included in system acquisition, tech refresh actions, and system engineering lifecycle.

•Ensure

compliance/evaluation/ approval of the system in accordance with the organizational risk management framework.

•Ensure requirements for relevant IdAM

requirements are included in procurement language.

•Identify access policy rules that have been enumerated for information contained in the system.

•Program Manager actively engages with relevant governance bodies from system planning phase onward (see Table 7-1).

◦ Give EA organization visibility into each phase of system lifecycle.

◦ EA communicates emerging requirements to Program Managers.

•Draft and include approved guidance with system acquisition, tech refresh actions, and system engineering lifecycle documentation.

•Assist in complying with Federal policy guidance and drives cost efficiencies through shared, common services.

•Assists in CPIC reporting requirements and drives early security awareness and compliance resulting in cost savings.

•Assists in CPIC reporting requirements and drives early security awareness and compliance resulting in cost savings. Sol u ti on Arc h itect

•Ensure solution roadmap aligns with FICAM Roadmap.

•Ensure solution meets requirements of organizational risk management framework.

•Implement solution that is compliant with EA model for IdAM and security as well as organizational FICAM implementation plans.

•Implement solution with sufficient interfaces to take advantage of enterprise IdAM and security services.

•Detail functionality for currently available capabilities and provide POA&Ms demonstrating alignment for future capabilities.

•Clear system with risk management function during planning stage. If system is operational, coordinate roadmap to satisfy RM function.

•Solution is described in terms of functional and technical

requirements, which are mapped to service types and components of the relevant EA model.

•Interfaces are defined sufficiently to show interoperability of system with repeatable shared services and standards.

•Ensures flexibility and adaptability of systems to incorporate upcoming capabilities.

•Expedites development by coordinating risk management requirements into system planning and design phase rather than waiting for approval after build is complete.

•Ensures that solutions are engineered or selected to meet all relevant requirements from the planning and design phase.

•Ensures that the solution is designed and sufficiently technically implemented to provide flexibility to interoperate with emerging IdAM and security capabilities without the need for extensive re-engineering.

1 2

8 STANDARDS-BASED

INTEROPERABILITY

8.1 INTRODUCTION

Definition/Description (What) – is an operational requirement needed to achieve the maximum 4

benefit for geospatial systems investment resulting in increased access to and sharing of 5

functional capabilities for applications, services, data, and infrastructure to meet mission/business 6

requirements. 7

Purpose/Function (Why) – to serve as a reference guide to an organization in the preparation of 8

documentation for the procurement and/or development of geospatial systems and services. 9

Organizations and enterprise architectures will benefit from standards-based acquisitions and 10

deployment of industry accepted interoperability solutions and technologies to meet their 11

mission/business functions. 12

Stakeholder Performance Guide (Who & How) – Program Managers responsible for geospatial 13

system and services acquisition and development of procurement language for solicitations and 14

support services. Solution Architects for identifying, understanding and implementing systems 15

and services using industry open standards. 16

In document Análisis Multitemporal de la Variación del Valor del Suelo en Bogotá Durante el Periodo 2013 – 2016, Teniendo en Cuenta los Cambios de Normatividad Urbana en el Plan de Ordenamiento Territorial de la Ciudad (Decretos 190 de 2004, 364 de 2013, 562 de 2014 (página 81-92)