FIPS PUB 191
Functional managers (and higher-level management) are responsible for the development and
implementation of effective security policies that reflect specific XYZ LAN objectives. They are
ultimately responsible for ensuring that information and communications security is, and remains,
a highly visible and critical objective of day-to-day operations. Specifically, functional managers
are responsible for the following:
FM1. Responsible for implementing effective risk management in order to provide a basis for
the formulation of a meaningful policy. Risk management requires identifying the assets to be
protected, assessing the vulnerabilities, analyzing risk of exploitation, and implementing
cost-effective safeguards.
FM2. Responsible for ensuring that each user receive, at a minimum, a copy of the security
policy and site handbook (if any) prior to establishing an account for the user.
FM3. Responsible for implementing a security awareness program for users to ensure knowledge
of the site security policy and expected practices.
FM4. Responsible for ensuring that all personnel within the operating unit are made aware of this
policy and responsible for incorporating it into computer security briefings and training programs.
FM4. Responsible for informing the local administrator and the LAN Management Division of
the change in status of any employee who utilizes the XYZ LAN. This status change includes
an interagency position change, interdivision position change, or a termination from XYZ
employment.
FM5. Responsible for ensuring that users understand the nature of malicious software, how it is
generally spread, and the technical controls to use for protection.
3. Local Area Network (LAN) Management Division
The LAN Management Division (or designated personnel) is expected to enforce (to the extent
possible) local security policies as they relate to technical controls in hardware and software, to
archive critical programs and data, and to control access and protect LAN physical facilities.
Specifically, LAN management is responsible for the following:
NM1. Responsible for rigorously applying available security mechanisms for enforcement of local
security policies.
NM2. Responsible for advising management on the workability of the existing policies and any
technical considerations that might lead to improved practices.