
IS3110 Project Part 1
Defense Logistics Information Service Risk Management Plan

1. PURPOSE

This Risk Management Plan is an in-depth look at how the Defense Logistics Information Service (DLIS) can protect its data. The requirements that the Federal Information Security Management Act (FISMA) imposes on government data are the driving cause for this Risk Management Plan.

2. GUIDING PRINCIPLES

The Security, Safety and Risk Management Program supports the DLIS philosophy that government safety and risk management should be shared by all. Participation by management, providers, and staff is essential for an efficient and effective safety and risk management program. The program will be implemented through the coordination of multiple organizational functions and the activities of multiple departments. DLIS supports the establishment of such policies and best practices. We will analyze weaknesses and possible solutions, and constructive feedback will play a large part as well. Individuals are still held accountable for compliance with safety and risk management practices. As such, if evaluation and investigation of an error reveals reckless behavior or willful violation of policy, disciplinary action can be taken.

3. SCOPE AND BOUNDARIES

The DLIS Security and Safety Risk Management Program encompasses many operational departments and services throughout the organization, including the following:
- Buildings and grounds
- DoD/FISMA regulatory compliance
- Disaster preparation and management
- Employee health
- Event/incident/accident reporting and investigation
- Finance/budget
- Human resources
- Information technology
- Legal and contracts
- Safety and security
- Staff education

Further, events and risks will be analyzed based on:
- Requests for confidential data
- Reports and minutes
- Event, incident, or near miss reports
- Monitoring systems based on objective criteria
- Results of failure mode and effects analysis (FMEA) of high-risk processes
- Root-cause analyses of sentinel events

4. COMPLIANCE

All policies will be in compliance with the following. Section 2330a of title 10, United States Code (10 USC 2330a), requires the Secretary of Defense to submit to Congress an annual inventory of contracts for services performed during the prior fiscal year for or on behalf of the Department of Defense (DoD). The inventory must include the number of contractor employees, expressed as full-time equivalents for direct labor, using direct labor hours and associated cost data collected from contractors, except that estimates may be used where such data is not available and cannot reasonably be made available in a timely manner for purposes of the inventory. In an interim response provided to the congressional defense committees on July 18, 2011, the Under Secretary of Defense for Personnel and Readiness (USD(P&R)) stated that the 44 individual Components would develop their respective plans in coordination with his staff and would submit these plans directly to the congressional defense committees by September 30, 2011. To date, the Office of the USD(P&R) has reviewed 41 of the 44 plans, of which 36 have been signed by Directors/Commanders or other senior Component leadership officials. The 36 signed plans received to date were provided to Congress and serve as the basis for the Department's plan at Enclosure I. The remainder of the individual Component plans shall be provided to Congress by December 31, 2013. While some variance exists in the level of detail or specific methodologies provided by the individual Components in their plans, a majority reflect the intent to insert the reporting requirements for direct labor hours and associated costs from contractors into statement of work or performance work statement requirements, consistent with the methodology the Army currently employs. Most of the individual Component plans also request a common DoD reporting system to capture information reported by contractors, similar to the Army's "Contractor Manpower Reporting Application" tool and processes. Additionally, many of the individual Component plans recommend that the Department consider pursuing a standardized contract clause to enforce this requirement at option exercise. A small number of the Components, such as the Department of the Army and the United States Special Operations Command, currently have reporting processes and infrastructure in place to fully comply with 10 USC 2330a and do not require additional DoD support.

5. RESPONSIBILITIES

Each department will be responsible for the general assessment of risks and problems within its own unit. Following this, upper management will request mini risk management plans based on each department's needs. Compliance with the policies listed above is of utmost priority. Employees will be thoroughly trained once risks are identified to ensure that mistakes are not repeated.

6. TIMELINE

Risk management will be broken up into these major tasks:
1. Identify the IT assets of the organization and their value.
2. Identify threats and vulnerabilities to these assets.
3. Identify the likelihood that vulnerabilities will be exploited by a threat.
4. Identify the impact of a risk.
5. Identify risks to manage.
6. Select controls.
7. Implement and test controls.
8. Evaluate controls.
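The tasks in the timeline above map directly onto a risk register: assets are valued, each threat/vulnerability pair is scored for likelihood and impact, risks above a threshold are chosen for treatment, and after controls are implemented and tested the residual score is evaluated against the same threshold. The Python below is an added example to show that flow end to end; it is not part of the DLIS plan or the IS3110 project. The assets, threats, scores and controls are constructed, and the 1-5 scales, the value x likelihood x impact scoring and the threshold of 40 are assumptions chosen for illustration, not DLIS or FISMA values.

```python
"""Qualitative risk register walking the eight risk management tasks.

All data here is constructed for illustration. Scales are 1-5 and
risk score = asset value * likelihood * impact (an assumed scheme).
"""
from dataclasses import dataclass, field

# Task 1: IT assets and their value on a 1-5 scale (constructed).
ASSET_VALUE = {
    "logistics-db": 5,   # hypothetical database of logistics records
    "hr-fileshare": 4,
    "public-web": 3,
}


@dataclass
class Control:
    """A selected control (task 6) and the reduction measured during
    implementation and testing (task 7)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str            # task 2
    vulnerability: str     # task 2
    likelihood: int        # task 3: 1-5 chance the threat exploits the weakness
    impact: int            # task 4: 1-5 consequence if it does
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any controls are applied."""
        return ASSET_VALUE[self.asset] * self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after the tested reductions of each control, floored at 1."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return ASSET_VALUE[self.asset] * lik * imp


def risks_to_manage(register, threshold):
    """Task 5: rank by inherent score and keep those at or above the threshold."""
    chosen = [r for r in register if r.inherent_score() >= threshold]
    return sorted(chosen, key=lambda r: r.inherent_score(), reverse=True)


def evaluate_controls(register, threshold):
    """Task 8: report inherent vs. residual score and whether the residual
    risk is now below the acceptance threshold."""
    return {
        r.rid: {
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "acceptable": r.residual_score() < threshold,
        }
        for r in register
    }


# Constructed register: threats, vulnerabilities, scores and chosen controls.
REGISTER = [
    Risk("R1", "logistics-db", "external attacker", "SQL injection in reporting portal", 4, 5,
         [Control("patch and parameterize queries", likelihood_reduction=2),
          Control("web application firewall", likelihood_reduction=1)]),
    Risk("R2", "public-web", "defacement", "outdated CMS", 3, 2),
    Risk("R3", "hr-fileshare", "insider misuse", "overly broad share permissions", 3, 5,
         [Control("least-privilege share ACLs", likelihood_reduction=1)]),
    Risk("R4", "logistics-db", "hardware failure", "no tested backups", 2, 5,
         [Control("nightly backups with quarterly restore test", impact_reduction=3)]),
]
THRESHOLD = 40  # assumed acceptance threshold on the 1-125 score range

if __name__ == "__main__":
    for r in risks_to_manage(REGISTER, THRESHOLD):
        print(f"{r.rid} {r.asset}: inherent {r.inherent_score()}")
    for rid, res in evaluate_controls(REGISTER, THRESHOLD).items():
        status = "acceptable" if res["acceptable"] else "STILL AT OR ABOVE THRESHOLD"
        print(f"{rid}: inherent {res['inherent']} -> residual {res['residual']} ({status})")
```

Run as written, R1, R3 and R4 are selected for treatment and R2 is accepted as-is. The evaluation step is where the process earns its keep: R3's single control only brings it from 60 to 40, which is not below the threshold, so the register flags it for an additional control or a documented acceptance rather than silently closing it.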
