Ma Management Controls are the organizational policies and procedures used by agencies to reasonably ensure that programs achieve their intended results; resources are used consistent with agency mission; programs and resources are protected from waste, fraud, and mismanagement; laws and regulations are followed; and reliable and timely information is obtained, maintained, reported and used for decision making. In the broadest sense, they include the plan of the organization and methods or procedures adopted by management to ensure that its goals are met. Management controls include specific processes for planning, organizing, directing and controlling program operations. Security Program Functions and Management Controls: The purpose of a centralized Information Systems Security Program (ISSP) is to address the appropriate management of IT security within the USDA agency/mission area. Discuss the security management structure within the agency, including an organizational chart, showing the delegation of IT security authority through all layers of management to the Information Systems Security Program Manager (ISSPM) including field organizations. This section should address the current security management philosophy and specific functions of the ISSPM(s). Those duties include, but are not limited to, audits of system patches, personnel clearances, use of unauthorized or illegal software, incident response and reporting, change management procedures, security controls or as defined in DR 3140-1. Each agency will identify the responsible ISSPM and their deputies in writing. The scope of the program in terms of the overall GSS and MA systems managed should be included. In addition, the specific security responsibilities of Field Security Officers should be outlined.
This section should also detail the Management Controls used to ensure that the agency meets its security goals. This includes internal controls used to assure that there is prevention or timely detection of unauthorized acquisition, use or disposition of the agencies’ assets and taking timely and effective action to correct security deficiencies or weaknesses identified by the agency Information Systems Security Program Managers (ISSPM) in their oversight and monitoring responsibilities. Correcting these deficiencies is an integral part of management accountability and must be considered a priority by the agency. Discuss in detail how your agency uses management controls to protect information assets, ensure that systems are certified and accredited, conduct periodic reviews of information security procedures to ensure they work as intended and provide support for the role of the ISSPM in your organization. Security Program: This section should discuss in specific detail the implementation of security policy and program activities. A key element of any successful security program is the evaluation of the sensitivity, confidentiality, integrity and availability of data. System confidentiality provides assurance that the information in an IT system is protected from disclosure to unauthorized persons, processes, or devices. System integrity provides assurance that information in an IT system is protected from unauthorized, unanticipated, or unintentional modification or destruction. System integrity also addresses the quality of an IT system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. System availability provides assurance that information, services, and IT system resources are accessible to authorized users and/or system-related processes on a timely and reliable basis and are protected from denial of service.
An Application requires special attention to security due to the risk and magnitude of the harm resulting from the loss,