The Information Assurance Division (IAD) is organized as a sub-division of the Service, Planning and Management (SPM) Division within the Office of the Chief Information Officer (OCIO). Information Assurance was instantiated mid-February, 2011 with the establishment of the Information Technology (IT) Transformation initiative that followed the release of Secretarial Order 3309.
Information Assurance Division's services have been restructured to support the overall IT Transformation objective of defragmenting Information Technology and increasing the ability to deliver reliable, cost-effective, enterprise-wide IT services efficiently.
Functions of the Information Assurance Division include:
- Developing Enterprise IT Security policies, standards, guidelines and procedures
- Ensuring the Confidentiality, Integrity and Availability of DOI Information and Systems
- Oversight of System Assessments & Authorizations across the Department
- Support for the Department's Cyber Security Assessment and Management (CSAM) system allowing for the oversight of A&A packages and Plan of Action and Milestone (POA&M) reporting
- Management of Office of the Secretary (OS) POA&M items in CSAM
- Developing an Enterprise Risk Management Framework
- Establishing an Enterprise Continuous Monitoring Program
- Developing Privacy Act policies, standards, guidelines and procedures
- Identifying relevant IT infrastructure controls for implementation to meet Privacy Act requirements
The Information Assurance Division's revised structure is comprised of the following functional areas:
- Enterprise IT Security Policy and Planning
- Enterprise Assessment and Authorization Oversight
- IT Security Education, Awareness and Training
- IT Security Program Management including Information Technology Security Team (ITST) Coordination
DOI IT security policies are created to set management expectations for securing IT systems and ensuring clear guidelines are defined for system user behavior, and ensuring consistent system performance. They are necessary for compliance with federal mandates, such as the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB) memoranda and circulars, National Institute of Standards and Technology (NIST) guidance, and industry best practices.
Assessment and Authorization Management
Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation.
IT Security Education, Awareness and Training
Awareness training plays an important role in achieving the Department's goals for information security and privacy. Annual information security and privacy awareness training is provided to all DOI employees, and others who have access to DOI information systems. The training objectives are to enhance awareness of the threats to, and vulnerabilities of, information systems; and to encourage the use of good information security practices within the Department.
Information Technology Security Team
The Department established the IT Security Team (ITST) in January 2002. The Team's mission is to help ensure the successful implementation of the Office of Management and Budget (OMB) Circular A-130, Appendix III. The ITST is chaired by the DOI CISO with membership comprised of Bureau CISOs and representatives from the Inspector General's office. The team works on issues relating to information security such as policy, procedures, security technologies and reporting to oversight agencies.