Information Security Policy, Procedures, and Standards

Policy

• Information Security Policy (pdf) (317.77 KB)
  The Information Security Policy establishes minimum standards for information security requirements and assigns organizational and management responsibility to ensure the implementation of Federal security mandates.

Procedures

• Information Security – Access Control Procedures (pdf) (283.16 KB)
  The purpose of this procedure is to facilitate the implementation of EPA security control requirements for the Access Control family.
• Information Security – Awareness and Training (AT) Procedure (pdf) (235.7 KB)
  The purpose of this procedure is to facilitate the implementation of Environmental Protection Agency (EPA) security control requirements for the Awareness and Training (AT) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations.
• Information Security – Audit and Accountability (AU) Procedures (pdf) (272.86 KB)
  The purpose of this procedure is to facilitate the implementation of Environmental Protection Agency (EPA) security control requirements for the Audit and Accountability (AU) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations".
• Information Security – Assessment, Authorization and Monitoring (CA) Procedure (pdf) (242.48 KB)
  The purpose of this procedure is to facilitate the implementation of Environmental Protection Agency (EPA) security control requirements for the Assessment, Authorization and Monitoring (CA) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations".
• Information Security – Configuration Management (CM) Procedure (pdf) (329.64 KB)
  The purpose of this procedure is to facilitate the implementation of Environmental Protection Agency (EPA) security control requirements for the Configuration Management (CM) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations".
• Information Security – Contingency Planning (CP) Procedure (pdf) (287.84 KB)
  The purpose of this procedure is to facilitate the implementation of Environmental Protection Agency (EPA) security control requirements for the Contingency Planning (CP) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations".
• Information Security – Identification and Authentication (IA) Procedure (pdf) (357.27 KB)
  The purpose of this procedure is to implement security control requirements for the Identification and Authentication (IA) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations".
• Information Security – Incident Response (IR) Procedures (pdf) (249.87 KB)
  The purpose of this procedure is to facilitate the implementation of Environmental Protection Agency (EPA) security control requirements for the Incident Response (IR) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations".
• Information Security – Maintenance (MA) Procedure (pdf) (262.88 KB)
  The purpose of this procedure is to facilitate the implementation of Environmental Protection Agency (EPA) security control requirements for the Maintenance (MA) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations".
• Information Security – Media Protection (MP) Procedure (pdf) (267.99 KB)
  The purpose of this procedure is to facilitate the implementation of the security control requirements for the Media Protection (MP) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations".
• Information Security – Personally Identifiable Information Processing and Transparency (PT) Procedure (pdf) (356.08 KB)
  The purpose of this procedure is to facilitate the implementation of Environmental Protection Agency (EPA) security control requirements for the Personally Identifiable Information (PII) Processing and Transparency (PT) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, "Security and Privacy Controls for Federal Information Systems and Organizations".
• Information Security – Physical and Environmental Protection (PE) Procedure (pdf) (309.16 KB)
  The purpose of this procedure is to facilitate the implementation of the EPA security control requirements for the Physical and Environmental Protection (PE) control family, as identified in NIST SP 800-53, Revision 5.
• Information Security – Planning (PL) Procedure (pdf) (303.01 KB)
  The purpose of this procedure is to facilitate the implementation of the EPA security control requirements for the Planning (PL) control family, as identified in NIST SP 800-53, Revision 5.
• Information Security – Personnel Security (PS) Procedure (pdf) (285.3 KB)
  The purpose of this procedure is to facilitate the implementation of the EPA security control requirements for the Personnel Security (PS) control family, as identified in NIST SP 800-53, Revision 5.
• Information Security – Risk Assessment (RA) Procedure (pdf) (280.59 KB)
  The purpose of this procedure is to facilitate the implementation of the EPA security control requirements for the Risk Assessment (RA) control family, as identified in NIST SP 800-53, Revision 5.
• Information Security – System and Services Acquisition (SA) Procedure (pdf) (356.83 KB)
  The purpose of this procedure is to facilitate the implementation of the EPA security control requirements for the System and Services Acquisition (SA) control family, as identified in NIST SP 800-53, Revision 5.
• Information Security – System and Communications Protection (SC) Procedure (pdf) (371.06 KB)
  The purpose of this procedure is to facilitate the implementation of the EPA security control requirements for the System and Communications Protection (SC) control family, as identified in NIST SP 800-53, Revision 5.
• Information Security – System and Information Integrity (SI) Procedure (pdf) (389.71 KB)
  The purpose of this procedure is to facilitate the implementation of the EPA security control requirements for the System and Information Integrity (SI) control family, as identified in NIST SP 800-53, Revision 5.
• Information Security – Roles and Responsibilities Procedures (pdf) (467.88 KB)
  The purpose of this document is to ensure that the EPA roles are defined with specific responsibilities for each role and for people who have been assigned to the listed roles.
• Spillage of Classified Information onto Unclassified Systems Procedure (pdf) (401.99 KB)
  Implements the security control requirements/outlines actions required when responding to electronic spillage of classified information onto unclassified information systems/devices.
• Information Security – Privacy Procedures (pdf) (611.71 KB)
  Implements the security control requirements for the Privacy Control family, as identified in NIST SP 800-53, Revision 4.
• Information Security – Program Management (PM) Procedure (pdf) (365.92 KB)
  The purpose of this procedure is to facilitate the implementation of the EPA security control requirements for the Program Management (PM) control family, as identified in NIST SP 800-53, Revision 5.
• Information Security – Data Loss Prevention Procedure (pdf) (291.67 KB)
  The purpose of this procedure is to extend and provide specificity to the EPA "Information Security Policy" regarding DLP and digital rights management. The procedure will also serve as the authority for future development of additional operational procedures, standards and guidance that may become necessary to enhance protection of EPA data.
• Information Security – Supply Chain Risk Management (SR) Procedure (pdf) (407.23 KB)
  The purpose of this procedure is to facilitate the implementation of the EPA security control requirements for the Supply Chain Risk Management Family (SR), as identified in NIST SP 800-53, Revision 5.
• Information Security – Detecting Counterfeit Information and Communications Technology Products Procedure (pdf) (477.15 KB)
  The purpose of this procedure is to facilitate the implementation of Environmental Protection Agency (EPA) requirements for detecting counterfeit information and communications technology (ICT) products.

Standards

• Information Security – EPA National Rules of Behavior (pdf) (323.37 KB)
  Establishes the EPA National RoB and standards of behavior to comply with OMB Circular A-130 and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 controls regarding rules of behavior applicable for all users of EPA information and information systems and to safeguard EPA information and information systems from misuse, abuse, loss or unauthorized access.

Guidance

• Information Security – Guidance for Manually Completing the Information Security Awareness Training (pdf) (244.64 KB)
  The purpose of this guidance is to provide an alternative manual process for disseminating Environmental Protection Agency Information Security Awareness Training (ISAT) materials and collecting results from EPA users who elect to complete the ISAT manually.