CivicActions maintains security policies for those clients that require it either by contract, regulation or law. Such policy may cover one or more controls within these families:
- Certification, Accreditation, and Security Assessments (CA)
- Planning (PL)
- Program Management (PM)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
Create system security plans, diagrams, rules, privacy impact assessments, and operational procedures that are easy to understand, enforce, implement, and that reduce complexity wherever it can be found.
See the CivicActions Common Control Policy.
For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the CivicActions Common Control Policy.
Using the most current template applicable to the systems and services provided, CivicActions develops a system security plan which includes the hosting platform and encompasses the provided applications.
Once the security plan is created, CivicActions distributes copies of it and communicates subsequent changes to the plan to the System Owner, ISSO, ISSM, AO and other designated members within the CivicActions staff and client services.
The Information Security Officer reviews the SSP at least annually or whenever there is a significant change to the information system.
The Information Security Officer updates the SSP to address changes to the platform and its network of operation or problems identified during plan implementation or security control assessments, and thereafter whenever a significant change occurs.
See PL-2
All CivicActions employees are required to read and sign the CivicActions Security Policy, which includes an Acceptable Use Policy (AKA "Rules of Behavior"), prior to being authorized to access CivicActions systems. This is part of the Security Training onboarding process, which covers Security Awareness and an understanding of security incidents, including how to handle phishing emails.
If CivicActions staff fail to comply with CivicActions security awareness and training requirements, their access to CivicActions information systems may be terminated.
See AT-2, PL-4