Chapter 8

Lab Organization

Abstract

This chapter introduces the Department of Social Media, a fictitious organization used in the chapters that follow for the lab exercises and occasionally to illustrate processes of the RMF.

Keywords

organization

organizational chart

positions

Table of Contents

Information in this Chapter:

• Introduction of the fictitious Department of Social Media (DSM)

• DSM organizational hierarchy and the organizational chart

• DSM key roles in the RMF process

Chapter Overview and Key Learning Points

This chapter introduces a fictitious government organization that is used for the lab exercises in the upcoming chapters. The organization is also used occasionally to illustrate processes and procedures of the RMF.

The Department of Social Media (DSM)

Recently the administration noticed that a great deal of fraudulent activity has occurred on social media sites like Facebook, LinkedIn, and Google+. To combat this criminal and malicious activity, the Department of Social Media (DSM) was created as an organization within the Department of Justice (DOJ). The Department of Social Media is a small but growing and influential organization headquartered just outside Washington, D.C., in Northern Virginia. The DSM is chartered to protect US citizens from criminal activity in cyberspace by monitoring criminal organizations, tracking developing scam techniques, and providing education and training. The organization is staffed by law enforcement agents, analysts, computer scientists, and support staff who focus on the organization’s core mission of protecting US citizens on social media sites. The fledgling agency’s computer and information systems were built from equipment the DOJ was decommissioning and transitioned to the DSM; some new equipment was also purchased to give the agency the resources it needed as it developed. The organization is beginning to develop its own systems and is transitioning from older accreditation techniques to the RMF for the authorization of these new systems. The systems provided by the DOJ were accredited under the older accreditation methodology. Moving to the RMF demonstrates that the new department is dedicated to keeping pace with the changing information technology environment.

Organizational Structure

The DSM is staffed by government employees and contractors. Key positions are illustrated in the organizational chart in Figure 8-1. The head of the agency is Atticus Finch, who serves as chief executive officer (CEO) and director. Other key roles that are important in the coming chapters are Deputy Director Lennie Small; Chief Information Officer (CIO) Clarissa Dalloway; Chief Financial Officer Willie Stark; Human Resources Director Yuri Zhivago; Holden Caulfield, manager of personnel security; and Holly Golightly, head of physical security. Nick Adams is the chief information security officer (CISO) reporting to the CIO and is in charge of the information assurance (IA) branch. Stephen Maturin is in charge of the organization portfolio management branch, a group that tracks and documents organizational information technology spending and development.

Figure 8-1 DSM organizational chart (image not reproduced)

The roles defined by the organizational chart are supplemented by roles that are required by the RMF. The authorizing official (AO) is the director, Atticus Finch. Director Finch has appointed two designated authorizing officials, Deputy Director Lennie Small and CIO Clarissa Dalloway. Common control providers, information system owners, information systems security officers, information security architects, information system security engineers, and security control assessors are defined as the system progresses through the six phases of the RMF. It is understood that the system security control assessors work for the CISO, who was also the certifying agent in the former process and now serves under the new title of organizational security control assessor (SCA).

Risk Executive (Function)

When the organization began its transition plan into the RMF, it was determined that one individual was not sufficient to fill the role of risk executive (function); therefore, the organization decided to create a risk executive board to manage the organization’s risk management process and fulfill the requirements of the risk executive (function). The board is composed of the CISO, the physical security manager, the personnel security manager, the portfolio manager, and representatives from HR and the Office of Budget. A representative from the inspector general’s office serves as a non-voting member who votes only to break a stalemate (tie). The board’s charter mandates that this group develop risk management processes and procedures for all three tiers of organizational risk management and manage risks at tiers 1 and 2. The board also provides risk insight for the AO or the AO’s designated representatives.

The organization has begun a cursory evaluation of the security controls listed in NIST SP 800-53 and determined that the areas of personnel security, physical security, and training are potential candidates to be common control providers. This means that the organizational officials for those areas are responsible for gaining authorization for a group of controls that will be under their purview. The results of the evaluation have been discussed in many of the organization’s senior level meetings but have not progressed much further at this point.
