C5i | Commanding Intelligent Security

Securing Your Organization



Documentation Development

Ensuring government IT systems are secure means a lot of paperwork.

This covers everything from the rules of behavior forms that users must sign to the IT security plans that describe the controls implemented for each major system. To ensure the continuity of government and its IT systems, all of these important security considerations must be documented.

C5i can help with the creation of all security documentation required by OMB A-130, FISMA, and NIST. This includes:

C5i documentation consultants are not only security experts, but they're documentation experts as well. They can help you document all of your IT security policies, procedures, and plans quickly and easily.

IT Security Policies and Procedures

Federal law requires every agency to develop IT security policies - they're the rules that govern all IT activity. Policies are the foundation upon which a successful IT security program is built. But actually writing them can be difficult, and getting the necessary parties to agree to them, even harder.

C5i's security and policy experts work with you to understand your agency needs and IT priorities, your security goals and expectations. And then we help you craft that vision into a security policy that everyone can live with - your end users, your IT staff, and your managers.

C5i consultants are uniquely qualified to help you with your IT security policies and procedures because of the strength of our security and networking expertise. Our engineers, analysts, and documentation experts have developed the most comprehensive set of proven methodologies and intellectual capital used in industry today. C5i can ensure that your IT security policies are as clear as they are comprehensive, and that they reflect the latest IT security topics, such as FISMA, NIST, the Privacy Act, email, wireless, and remote access. Not just for today, but for tomorrow as well.

Security Plans

The security plan is one of the most important pieces of documentation for your IT systems and network. It provides an overview of the security requirements of your system and describes the controls in place to protect it from all identifiable threats. The security plan is a reflection of the structured process of planning adequate, cost-effective security protection for a system. It's an important tool for communicating your IT security goals to your organization, and it's required by FISMA.

C5i consultants are experts in developing IT security plans that will enable you to document your controls, ensuring that all areas of your system are adequately protected. Not only do C5i consultants understand what information needs to be in your security plan, but they know the most effective and efficient way to do it.

Risk Assessments

Are your IT systems and data at risk? Is there a possibility that your network could be attacked, your systems hacked, your customers' data stolen or compromised? How do you even know where to look?

The best way to know where the threats lie is to perform a risk assessment using security experts who understand what the most common IT risks are for your type of business. A risk assessment is a formal, structured comparison of your IT system's controls (including people, processes, hardware, and software) against all potential threats.

C5i consultants not only perform the risk assessment, but they document it in clear, concise, easy-to-understand language. So you can see the actual status of your IT controls and any residual risk that may exist. And then make the most-informed decisions about improving your IT security.

Contingency, Disaster Recovery, and COOP Plans

If a natural disaster or national emergency wiped out your servers or data center, could you continue to operate? If a computer virus shut down your agency's workstations, what effect would that have on your mission? Answering these questions, and making preparations for their possible occurrence, is the focus of the contingency plan, disaster recovery plan, and continuity of operations plan.

C5i's security experts can help you devise a plan to keep your essential functions going during an emergency or any event that disrupts your normal IT operations. They can prepare a business impact analysis to identify your most vital IT assets and functions so you can prioritize your disaster response and prepare a plan of action. C5i consultants can even help you with the implementation of your contingency plans - arranging a backup site, procuring additional equipment, and facilitating agreements. C5i can make sure your agency is ready for anything.


Computer Security Incident Response Team (CSIRT) Plans and Procedures

Many security experts say it's not a matter of if your systems will be attacked, but when. Will your IT team be ready when it happens?

C5i's security experts can help you develop and document a CSIRT plan to coordinate the response to cyber attacks against your agency. We can help you identify the procedures that will be critical to identifying and stopping blatant attacks or annoying schemes, coordinating your defense, and then reporting those incidents to the Federal Computer Incident Response Center (FedCIRC), the CERT Coordination Center, and the proper authorities if necessary.

Security Awareness and Training Programs

Hackers and viruses make the headlines, but it's the people who have day-to-day interaction with systems and data that are really at the heart of your security system. Whether it's an employee with good intentions who accidentally leaves his password written on a sticky note or his laptop unguarded in an airport, or a disgruntled worker who intentionally steals data, human beings have the greatest effect on your IT security. In fact, it has become common practice for security engineers to make "exceptions" to their own security policies in order to allow remote employees, partners, vendors and customers to perform necessary day-to-day tasks.

Which is why security awareness programs are so important. Anyone who works with your systems and data should understand what they should do to protect them. C5i's security experts are some of the best in the business and can help you develop an IT security program that is comprehensive, yet flexible, and that focuses on the issues that are most important to your agency and your mission.

Rules of Behavior for IT Users

Every federal IT system should have rules for the appropriate use and protection of the system and its data that all users should be required to read and acknowledge with a signature. Typically these rules of behavior are presented during the users' initial security awareness training and should also be included as part of the system's security plan. C5i security experts can help you draft comprehensive and complete rules of behavior for your IT systems so personnel clearly understand their roles as users of the system.

SLAs, ISAs, and MOUs

In addition to security plans, risk assessments, and contingency plans, there are several other types of IT security documents that may apply to your systems and agency. These include:

  • Service Level Agreement (SLA) - An agreement or contract for use with a subcontractor who will be providing IT services. IT security standards and levels should be included in all federal IT SLAs and contracts.
  • Interconnection Security Agreement (ISA) - An agreement governing the connection between your IT system and an IT system belonging to another organization or agency. These agreements specify the security measures that each interconnected party will provide to ensure that your IT systems and data are protected at all times.
  • Memorandums of Understanding (MOUs) - NIST standards state that written authorization must be obtained before two IT systems can be interconnected. This authorization should be in the form of an MOU and should be included in each system's security plan. It should include the rules of behavior that must be maintained by the interconnecting systems.

C5i security and documentation experts can help you develop these important agreements and memorandums to ensure that all areas of your IT systems are adequately protected.

Network, System, and User Documentation

One of the most dreaded, but necessary, components of any continuity of operations or IT security plan is documentation. A written record of all systems and data must be developed so that management can make cost-effective business decisions at any point in the system's life-cycle. That documentation should include network, system, and user manuals that accurately and completely document the design, implementation, installation, configuration, and use of the system. This documentation is critical to understanding the security risks to the system and its data.

C5i consultants are computer and network experts and can help you document your systems in clear, concise, easy-to-understand language. So you can have a clear view into the status of your systems in order to make the most-informed decisions about protecting them.