5 FAM 820
INFORMATION TECHNOLOGY ROLES AND RESPONSIBILITIES FOR
SYSTEM OPERATIONS/MANAGEMENT
(CT:IM-215; 08-17-2018)
(Office of Origin: IRM/BMP/GRP/GP)
5 FAM 821 GENERAL
(CT:IM-178; 06-29-2016)
This section defines responsibilities for system
operations and management. See also 5 FAM 120, 12 FAM 620, and 12 FAM 630.
5 FAM 822 CHIEF INFORMATION OFFICER
(CT:IM-185; 02-16-2017)
The CIO:
(1) Is the Department's senior information technology
professional. The CIO reports via the Under Secretary for Management to the
Secretary of State on all matters relating to information resource management;
(2) Ensures availability of information technology
systems and operations, including IT contingency planning, to support the
Department's diplomatic, consular, and management operations;
(3) Ensures that appropriate procedures are in place
for system authorization of national security systems;
(4) Serves as the authorizing official (AO) for
non-Sensitive Compartmented Information (non-SCI) systems in the Department;
and
(5) Is the Department official responsible for
compliance with the Paperwork Reduction Act, 44 U.S.C. 3501 et seq.;
implementation has been delegated to the Bureau of Administration, Office of
Directives Management, A/GIS/DIR (see Delegation of Authority 226, dated
October 13, 1998).
5 FAM 823 CHIEF INFORMATION SECURITY
OFFICER (CISO)
(CT:IM-115; 04-25-2011)
The CISO:
(1) Reports directly to the CIO on all matters
pertaining to IT security;
(2) Develops and maintains the Department's
information security program;
(3) Provides guidance to personnel with
responsibilities for information security and coordinates with information
systems security officers (ISSOs) domestically and abroad; and
(4) Coordinates the design and implementation of
processes and practices that assess and quantify risk.
5 FAM 824 INFORMATION SYSTEMS SECURITY
OFFICER (ISSO)
(CT:IM-151; 07-16-2014)
The ISSO:
(1) Ensures that the systems for which they are
responsible are configured, operated, maintained, and disposed of in accordance
with all relevant IRM and DS security guidelines;
(2) Is responsible for overseeing configuration and
administration of auditing and for ensuring that audit trails are reviewed
periodically and archived in accordance with security guidelines;
(3) Works closely with IMO/ISO/system administrator to
ensure all security related functions and activities are performed;
(4) Plays a leading role in introducing an appropriate
methodology to help identify, evaluate, and minimize risks to all IT systems;
and
(5) Is responsible to the CISO for ensuring that the IT
system is configured and maintained securely throughout its lifecycle in
accordance with the System Security Plan (SSP). See also 12 FAM 620 and 12 FAM 630.
5 FAM 824.1 Domestic Information
Systems Security Officer (DISSO)
(CT:IM-215; 08-17-2018)
The DISSO:
(1) Provides desktop security support and fulfills
in-scope information systems security officer (ISSO) responsibilities as defined in 1 FAM 276.4-3;
and
(2) Performs in-scope ISSO roles and responsibilities
for domestic consolidated bureaus which include:
(a) Establishing enterprise policy, processes and
procedures in compliance with DOS desktop security guidelines;
(b) Administering access control and user accounts, to
include file permissions;
(c) Performing desktop incident handling, to include
incident response and computer incident response team (CIRT) litigation and
remediation requests;
(d) Executing desktop security audits to include random
security scans;
(e) Managing software download request authorizations;
(f) Monitoring data transfer requests to include
authorizing transfers to and from CDs, DVDs and other removable media;
(g) Providing training and education to include
performing security briefings as well as informing users of Department of State
security best practices; and
(h) Maintaining requirements for all
desktops and providing desktop security guidance to all users within bureaus
that have fully consolidated, as defined by the respective master service level
agreement (SLA) for each consolidated bureau and the ISSO appointment memo.
(3) Works closely with out-of-scope ISSOs whose
roles and responsibilities include:
(a) Performing certification and accreditation requirements;
(b) Managing out-of-scope applications and servers;
(c) Performing routine security audits for out-of-scope
server functions; and
(d) Regulating physical security.
5 FAM 825 SYSTEM OWNER
(CT:IM-151; 07-15-2014)
a. Domestically, the system owner is the
bureau-designated senior executive that is responsible for the system. Abroad,
the system owner is the Chargé, deputy chief of mission, consul general, or
principal officer or equivalent, or the bureau-designated senior executive
responsible for the system.
b. Each system owner:
(1) Is responsible and accountable for the business
aspects of managing a system, including funding and representing the interests
of the system throughout its lifecycle;
(2) Ensures adequate confidentiality, integrity, and
availability of data and applications software residing on the system;
(3) Ensures system security plans and contingency
plans are developed and maintained for each system and applications; and
(4) Ensures systems personnel are properly designated
and trained, and appoints the ISSO and the alternate ISSO for a system.
5 FAM 826 INFORMATION MANAGEMENT
OFFICER (IMO)/INFORMATION SYSTEMS OFFICER (ISO)/SYSTEM ADMINISTRATOR
(CT:IM-115; 04-25-2011)
The IMO/ISO/system administrator:
(1) Develops and maintains system security plans and
contingency plans for all IT systems and major applications for which he or she
is responsible;
(2) Participates in risk assessments to periodically
reevaluate sensitivity of the system, risks, and mitigation strategies; and
(3) Installs only hardware and/or software approved by
the IT CCB or local CCB. See 5 FAM 120 for
further information on the roles and responsibilities of personnel managing
systems abroad.
5 FAM 827 USER
(CT:IM-151; 07-16-2014)
The user must:
(1) Adhere to Department guidelines governing the
personal use of information systems;
(2) Not download, install, or use software on any
Department computer without prior approval from the ISSO or the ISSO's delegated
representative;
(3) Use e-mail systems in a professional and courteous
manner with the understanding that misuse of Department e-mail will subject
them to possible disciplinary action (see 12 FAM 642);
(4) Use properly formatted passwords and protect them
from unauthorized disclosure. Unauthorized disclosure is the release of
password information to persons other than senior IT management or security
personnel for purposes of performing an investigation; and
(5) Not use a system or application before receiving
appropriate training.
5 FAM 828 and 829 UNASSIGNED