In the area of physical security, determine and describe the facilities and other direct-access protection required to achieve an acceptable level of risk and to prevent unauthorized access to these EA components.

In the area of information security, determine how the information created or used by the EA component will be protected and authenticated.

In the area of personnel security, determine how access control will be provided for system administrators, database administrators, webmasters, security personnel, and end users.

In the area of operational security, determine and document (via a SOP) the procedures for handling end-user agreements, login and access control, incident response (e.g., virus attacks, denial-of-service attacks, and hackers), password issuance and control, and employee termination.

For testing and accreditation, determine and describe the method that will be used to test and certify that the delivered EA component(s) meet the risk-adjusted goals in the areas of physical, information, personnel, and operational security.

For data privacy, determine the sensitivity and classification of the information on the delivered EA component(s). Determine the issues related to data privacy and describe how they will be handled (e.g., access to employees' personal information).

For records management, determine the issues related to records management and describe how they will be handled. Determine whether information exchange and records management issues exist with other IT resources and describe how they will be handled.
Category: Security and Privacy