Enterprise Infrastructure Solutions
Volume 1—Technical Volume—EIS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
i
Company Proprietary
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Enterprise Infrastructure Solutions (EIS) Risk
Management Framework Plan (RMFP)
Systems in accordance with (IAW) C.1.8.7
November 4, 2016
Prepared by
CenturyLink Government Services, Inc. 4250 North Fairfax Drive
Arlington, VA 22203
REVISION HISTORY
Revision Number | Revision Date | Revision Description | Revised by
TABLE OF CONTENTS
EIS Risk Management Framework Plan (RMFP) Overview ... 1
Purpose ... 2
Related Plans ... 3
Tier 1—Organization: CenturyLink ... 4
Tier 2—Mission/Business Process: CenturyLink Risk Management for EIS ... 6
Tier 3—Information Systems ... 8
Information System RMFP Development Process ... 11
LIST OF FIGURES
Figure 1. Enterprise Security Risk Management Program ... 3
Figure 2. Risk Management Framework Plan Steps ... 9
LIST OF TABLES
Table 1. EIS Products and Services ... 7
EIS RISK MANAGEMENT FRAMEWORK PLAN (RMFP) OVERVIEW
CenturyLink follows industry-leading information security standards and best
practices to ensure the integrity of our services and confidentiality of customer and
company information. Comprehensive security policies and standards guide these
practices which include extensive controls in the areas of personnel, systems, and
facility security. CenturyLink maintains a hierarchy of information security-related
policies and standards, using the National Institute of Standards and Technology (NIST)
Special Publication (SP) 800 series as guidance. Authority for these policies is founded
in the CenturyLink code of conduct (available on the public Internet under our corporate
governance page), and corporate ethics and compliance program, as authorized by the
CenturyLink Board of Directors.
CenturyLink applies these personnel, system, and facility security controls in support
of our telecommunications services, and has also implemented comprehensive Business
Continuity and Disaster Recovery (BC/DR) measures and controls to ensure the
availability of customer and corporate networks.
To ensure that the security architecture stays current with best practices,
CenturyLink takes a lead role in developing standards, working with vendors, and
implementing innovative approaches to improve our products, including security
services.
In support of the General Services Administration (GSA) Networx Universal and
Enterprise contracts, CenturyLink has delivered system security plans and, annually
since 2009, obtained Department of Homeland Security (DHS) Cybersecurity Compliance
Validation (CCV) and Trusted Internet Connections (TIC) Compliance Validation (TCV)
for the Managed Trusted Internet Protocol Service (MTIPS) TIC Networx accreditation.
CenturyLink will continue to maintain the system security plans and accreditations
with DHS and GSA under Enterprise Infrastructure Solutions (EIS).
CenturyLink operates and maintains several government-accredited facilities throughout
the U.S. These facilities are capable of processing and storing information at the top
secret/sensitive compartmented information (TS/SCI) security level. The facilities
support various government contracts, which include the DHS EINSTEIN 3 Accelerated
(E3A) program, and have a long history of commendable security compliance
assessments. This effectively demonstrates CenturyLink’s knowledge and ability to
apply the risk management framework.
Building a foundation on the CenturyLink processes and controls we have previously
used to reduce risk in information systems, we have developed a risk management
framework plan (RMFP) that consolidates our practices, standards, framework, and
processes across the system lifecycle.
PURPOSE
This CenturyLink RMFP addresses EIS requirements for security compliance in
accordance with the risk management framework and NIST SP 800-37 (Guide for
Applying the Risk Management Framework to Federal Information Systems: A Security
Life Cycle Approach, issued February 2010), as defined in Request for Proposal (RFP)
Section C.1.8.7, System Security Requirements. Our plan focuses on the processes
and practices we will use to ensure security compliance for the services provided under
EIS. We will implement our multi-tiered enterprise security program to achieve
compliance, as detailed in the CenturyLink Security Risk Management Program
depicted in Figure 1 below.
There are a number of goals for CenturyLink’s RMFP:
• Document the three-tiered approach for risk management to address risk-related
concerns at each level of the hierarchy:
– The organization level addresses risk from an organizational perspective
with the development of a comprehensive governance structure and
organization-wide risk management strategy
– The mission and business process level defines and prioritizes the core
missions and business processes for the organization and defines the types
of information processed
– The information system level defines the system boundary and ultimately
selects and applies appropriate safeguards and countermeasures
• Define the required six (6) risk management framework steps at the information
system level: Categorize, Select, Implement, Assess, Authorize, Monitor
• Provide a process for creating information system risk management framework
plans on a task order (TO) basis, as demonstrated with the Business Support
Systems (BSS) and MTIPS RMFPs
CenturyLink will maintain and periodically update this plan; revisions to this plan
will be provided at no cost to the government.
RELATED PLANS
The following risk plans will also be developed and provided as indicated in the table
below:
Plan | RFP Reference | Relationship to this Plan
Draft Supply Chain Risk Management Plan | G.6.3 | Documents procedures for handling supply chain and third-party risk within the overall EIS risk framework
Draft BSS Risk Management Framework Plan | G.5.6.2 | Information system-specific risk plan for the BSS
Draft MTIPS Risk Management Framework Plan | C.2.8.4.5.2 | Information system-specific risk plan for MTIPS
Figure 1. Enterprise Security Risk Management Program
Information security-related functions are performed in collaboration with CenturyLink’s
operations organizations, as follows:
Corporate Security/information security (InfoSec): Provides end-to-end
governance and policymaking; maintains comprehensive processes for
measuring InfoSec risk and managing those risks within acceptable levels
through clear policy-setting, assessments, and compliance management.
Business continuity planning: Provides planning efforts, including facilitating
the development, testing, and training of BC/DR plans to ensure that CenturyLink
and our customers are prepared to effectively manage disaster situations.
Risk assessment: Maintains a risk inventory to highlight the risk and potential
exposure status for key infrastructure elements, including extensive monitoring
and analysis of numerous sources for newly published vulnerabilities. Monitors
compliance with CenturyLink policies and standards using key industry and
international standards as guidance. CenturyLink conducts ongoing risk
assessments of individual systems and network elements.
Vulnerability management: CenturyLink has a number of threat intelligence
feeds that provide vulnerability notifications. Threats are evaluated, and threat
information, including vulnerability information, is distributed to appropriate
operations teams through multiple methods.
Strategic security planning with hardware and software suppliers: Reveals
risk dependencies between systems and risk pinch points. Establishes strong
relationships for vulnerability notification and remediation.
Building compliance-based security into CenturyLink networks: Records
and tracks risk remediation activity. Collects and collates data about incidents
affecting information systems, highlighting root causes and business impact with
appropriate follow-up.
Operations/corporate infrastructure and systems sphere: Operational teams
focus on information technology (IT) areas including internal CenturyLink
computing and network components.
Information and Information Systems to Security Categories. The overall system
categorization is derived from the security categories of the information types each
system processes: for each security objective (confidentiality, integrity, and
availability) the system takes the highest impact level of any information type within
its boundary, and the overall category is the highest of the three objectives (the FIPS
199 high-water mark).
The following security categorizations apply to specific EIS information systems
that have an established, identified, and agreed-to information system boundary with
the GSA, and for which GSA personnel have performed the FIPS 199 security
categorization:
System | FIPS 199 Security Category
EIS BSS Gateway | Moderate Impact
EIS MTIPS | High Impact
EIS FedRAMP Services | Moderate Impact
RFP Section C.1.8.7.2 specifies FIPS 199 moderate impact as the minimum security
category, based on the data that will be processed and held within the
CenturyLink-provided EIS services and the resultant solutions and systems. Awarded
TOs may state a more restrictive (higher) impact level.
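The high-water-mark rule described above can be checked mechanically. The following is an added example, not part of the proposal or of CenturyLink's own categorization tooling: it takes a set of information types with provisional per-objective impact levels (the sample information types and their levels are constructed for illustration, not taken from the proposal), applies the FIPS 199 high-water mark per objective and overall, and raises any objective below a contractual floor such as the RFP's moderate minimum. The system names and information types are assumptions used only to show the computation.

```python
"""FIPS 199 security categorization by the high-water-mark rule (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Impact levels in ascending order; the tuple index is the comparison key.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type with its provisional per-objective impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact level {value!r} for {objective}")
        return value


def _max_level(levels: Iterable[str]) -> str:
    """Highest impact level in the iterable (LOW < MODERATE < HIGH)."""
    return max(levels, key=LEVELS.index)


def categorize(info_types: Iterable[InformationType],
               floor: str = "LOW") -> Tuple[Dict[str, str], str]:
    """Return (per-objective category, overall category) for one system boundary.

    Per objective the system inherits the highest impact level of any information
    type it processes; the overall category is the highest of the three objectives.
    `floor` is a contractual minimum (e.g. the RFP's moderate floor): an objective
    that comes out below it is raised to the floor, since the awarded system may not
    be categorized lower than the contract requires.
    """
    types: List[InformationType] = list(info_types)
    if not types:
        raise ValueError("a system boundary must contain at least one information type")
    per_objective = {
        obj: _max_level([t.level(obj) for t in types] + [floor]) for obj in OBJECTIVES
    }
    overall = _max_level(per_objective.values())
    return per_objective, overall


def format_sc(system: str, per_objective: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC system = {(confidentiality, x), ...}."""
    c, i, a = (per_objective[o].lower() for o in OBJECTIVES)
    return (f"SC {system} = {{(confidentiality, {c}), (integrity, {i}), "
            f"(availability, {a})}}")


# Constructed sample information types; the names and levels are assumptions.
BSS_GATEWAY_TYPES = [
    InformationType("Order and billing records", "MODERATE", "MODERATE", "LOW"),
    InformationType("Service inventory", "LOW", "MODERATE", "LOW"),
]
MTIPS_TYPES = [
    InformationType("Agency Internet traffic metadata", "MODERATE", "HIGH", "HIGH"),
    InformationType("Security event logs", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    for name, types in (("BSS Gateway", BSS_GATEWAY_TYPES), ("MTIPS", MTIPS_TYPES)):
        per_obj, overall = categorize(types, floor="MODERATE")
        print(format_sc(name, per_obj), "->", overall)
```

Note the effect of the floor: without it the sample BSS boundary would carry availability at low, which is a legitimate FIPS 199 result for that data but below what the RFP permits; with the moderate floor the availability objective, and therefore the control baseline selected in the next RMF step, is raised to moderate. A TO that states a higher level is passed in as a higher floor.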
TIER 3—INFORMATION SYSTEMS
Information systems that initiate their lifecycles under the EIS program will inherit
policies, processes, and technical control implementations from Tier 1 as appropriate.
Each will comply with Tier 2 security directives; inherit control implementations,
monitoring and tailoring from Tier 2 as appropriate; and address additional cybersecurity
requirements and specific control tailoring directives in accordance with the agency
policy and requirements that are issued within the TO under EIS.
At this tier, all six steps of the risk management framework must be addressed
across the system lifecycle and documented in a system-specific risk plan using the
CenturyLink EIS RMFP process provided in Figure 2 below as applicable per the
agency TO.