1 Preparing a System Security Plan

2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification

3 What is a System Security Plan (SSP)?
- The SSP is the user’s guide for operating your system.
- The SSP contains specific procedures and processes.
- It has two parts: written instructions and technical information.
  - The written instructions provide all the explanations and steps necessary for a non-technical user to operate the system.
  - The profile lists only the technical information.

4 Pitfalls to avoid
- Failure to submit a cover letter
- Not providing detailed information
- Use of generic phrases, e.g. "If feasible", "When applicable", "If possible", etc.
- Referring users to the profile for additional explanations

5 Pitfalls to avoid
- Failure to submit all required documents
- Completely re-writing a plan instead of only making the suggested changes
- Failure to verify the information in the SSP against the profile

6 Required Documents
- Cover Letter
- SSP
- Profile
- Certification
- Network Security Plans or MOA/MOU for outside connections
- Customer letters
- Approved Variance letters

7 Preparing the Security Plan

8 Cover Page Revision Log

9 Cover Page Requirements
- Facility Name and address
- Cage Code
- Type of Plan
- Protection Level
- Operating Environment
- Outside Connections
- Date and Revision number
- Revision Log: must be completed with each revision.

10 1. Introduction

11 Introduction
- Purpose
  - Identifies the purpose of the document
  - Identifies the purpose of the System
- List of Attachments

12 Introduction
- Scope: identifies the range of operations
  - Protection Level
  - Classification Level
  - Confidentiality, Integrity, Availability
  - Type of system
  - Categories of Information and formal access requirements
  - Operating Environment
  - Alternate Site Processing

13 2. Personnel Management

14 Personnel Responsibilities
- Contractor Management: how is the security policy supported by Management?
- ISSM Responsibilities: may be listed exactly from the NISPOM
- ISSO Responsibilities: may be listed exactly from the NISPOM or may be tailored to what you want this person to do. If using the ISSO Delegation Record, compare duties.

15 Personnel Responsibilities
- Users
  - Privileged Users (other than the ISSM and ISSO): what are these users allowed to do on your system?
  - General Users: what are these users allowed to do on your system?

16 3. Certification and Accreditation

17 Certification and Accreditation
- Certification: explain your certification process
- Accreditation: explain the accreditation process
- Reaccreditation: explain when reaccreditation is required and the process

18 Certification and Accreditation
- Certification of Similar Systems
  - Certification process
  - Define a similar system
- Security Testing
  - Purpose
  - Describe the frequency
- Self Inspections
  - Describe the frequency
  - Explain what will be inspected

19 4. System Identification and Requirements (SIRS)

20 System Identification and Requirements Specification
- Pure Servers (8-503)
  - Provides a non-interactive service (e.g. messaging service)
  - No user access
  - No user code
- This is the beginning of the technical information and procedures for your system.

21 System Identification and Requirements Specification
- Tactical, Embedded, Data Acquisition, and Special Purpose Systems (8-504)
  - No General users
  - No user code
- Mobile Systems (8-308)
  - A system that is used for classified processing outside your facility’s cage code
  - May be at another Contractor or a Government site

22 5. Protection Measures

23 Protection Measures
- Accounts and Logons: Identification and Management
  - Are logons being used?
  - Explain how you create unique user IDs
  - Explain how authenticators (passwords) are created and passed to the user

24 Protection Measures
- Accounts and Logons: Requirements for Passwords
  - Identify password length
  - Password lifetime
  - Password complexity
- Guidelines for User Generated Passwords: explain the requirements users are to follow

25 Protection Measures
- Accounts and Logons: Generic or Group Accounts
  - Are these accounts authorized?
  - Explain the purpose
  - Explain the access procedures

26 Protection Measures
- Session Controls: Logon Banner Requirements
  - Are you using the most current banner?
  - How is the banner displayed?
  - Action to remove the banner

27 Protection Measures
- Session Controls: Successive Logon Attempt Controls
  - Are they controlled?
  - Define the number of unsuccessful logon attempts before the account is locked
  - Explain your procedures for unlocking an account
- System Entry Conditions: explain how a user accesses the system

28 Protection Measures
- Access Controls: explain what technical and physical controls are in place to protect the system
  - BIOS Protection
  - Boot Sequence
  - Seals
  - Removable Hard drive protection

29 Protection Measures
- Audit Requirements
  - Frequency of Audits
  - Audit Configuration and Settings
  - Audit Management: Overflow
  - Manual Logs required to be audited
  - List procedures if a variance is approved

30 Protection Measures
- System Recovery and Assurances: explain how you are going to recover and certify your system in a controlled manner
- Virus and Malicious Code Detection
  - Explain how you will detect malicious code
  - Explain procedures for updating antivirus definition files
- Data Transmission Protection: explain how data is transmitted

31 Protection Measures
- Clearance and Sanitization
  - Clearing: authorized method used
  - Sanitization: authorized method used

32 Protection Measures
- Protection Measure Variances
  - Identify any approved variances
  - Include a copy of the letter in the profile

33 6. Personnel Security

34 Personnel Security
- Personnel Access to IS: identify specific requirements users must meet before accessing the system
- Security Education
  - Initial Training Requirements: explain your training requirements
  - Ongoing IS Security Education Programs: describe your ongoing security education program

35 7. Physical Security

36 Physical Security
- Operating Environment
  - You cannot identify multiple operating environments.
  - Briefly describe your environment

37 8. Maintenance

38 Maintenance
- Facility Maintenance Policy: describe how maintenance will be performed and by whom
  - Cleared Maintenance Personnel
  - Uncleared Maintenance Personnel: explain procedures for using uncleared personnel

39 9. Media Controls

40 Media Controls
- Classified Media: define and provide examples
- Protected Media: define and provide examples
- Unclassified or Lower Classified Media: define and explain its use
- Media Destruction: explain how media is destroyed

Output Procedures

42 Output Procedures
- Hardcopy Output Review
  - Define and provide procedures for review
  - Verify with the hardware list to ensure you have a printer identified
- Media Review and Trusted Downloading: authorized method used
  - DSS Approved procedures
  - Non Approved procedures

Upgrade and Downgrade Procedures

44 Upgrade and Downgrade Procedures
- These procedures are required if operating in a Restricted Area or MPF, when using removable hard drives, or when performing periods processing
- Procedures are specific to each system
- Upgrade/Startup Procedure: compare to your Upgrade Log
- Downgrade/Shutdown Procedure: compare to your Downgrade Log
- Periods Processing Authorized

Markings

46 Marking IS Hardware Components
- List the documents that govern marking
- Classified marking requirements
- Markings for co-located systems

47 Marking Media
- Unclassified Media Markings
- Classified Media Markings
  - Overall classification level
  - Applicable special markings, e.g. NATO
  - Unclassified Title
  - Creation date
  - Derived from
  - Declassify on

Configuration Management Plan and System Configuration

49 Configuration Management Plan and System Configuration
- Configuration Management (CM): the Configuration Management Program ensures that protection features are implemented and maintained on the system. This includes a formal change control process for all security-relevant aspects of the system.
  - Specify who is responsible for authorizing security-relevant changes
  - Explain how changes are documented
  - Explain how the CM process is evaluated and how frequently

50 Configuration Management Plan and System Configuration
- System Configuration
  - Hardware Description: provide a generic description of your hardware, e.g. desktops, laptops, networked, non-networked, etc. List only the equipment that applies to your system
  - Hardware Requirements: identify requirements that must be met prior to processing

51 Configuration Management Plan and System Configuration
- Change Control Procedures for Hardware
  - Addition of Hardware: list procedures to be followed when adding hardware
  - Removal of Hardware: list procedures to be followed when removing hardware
  - Reconfiguration of Hardware: list procedures to be followed when reconfiguring hardware; who is authorized to reconfigure the system?

52 Configuration Management Plan and System Configuration
- Software Description: provide a generic description of the software authorized for use on the system
- Software Requirements
  - Identify limitations on the type of software that can be used
  - Identify protection requirements
  - Explain how software is introduced to the system
  - Address software development
  - Address malicious code

53 Configuration Management Plan and System Configuration
- Change Control Procedures for Software: Addition of Software
  - Identify who authorizes the addition of software
  - Identify what types of software can be added and by whom
  - Explain the documentation requirements for adding software

54 Configuration Management Plan and System Configuration
- Change Control Procedures for Software: Removal of Software
  - Identify who authorizes the removal of the software
  - Identify what types of software can be removed and by whom
  - Explain the documentation requirements for removing software
- Other SSP Changes: who is authorized to make changes to the security plan?

System Specific Risks and Vulnerabilities

56 System Specific Risks and Vulnerabilities
- Risk Assessment: risk assessment is the process of analyzing threats to and vulnerabilities of an IS, and the potential impact resulting from the loss of information or of the capabilities of the system.
- You must identify whether there are any unique local threats

Network Security

58 Network Security
- Network Description: describe your network
  - Unified
  - Interconnected
- Network Management Protections: describe any physical or logical protections for network devices and cabling

59 System Profile

60 Profile
- Contains specific technical information about the system
- Must be compared to the appropriate paragraph in the SSP
- Does not contain routine procedures
- Does contain special procedures
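Slides 4 and 5 warn against generic phrases and against SSP text that disagrees with the profile, and slide 60 says the profile must be compared paragraph by paragraph with the SSP. The script below is an added example (not part of the presentation or any DSS tool) of automating that comparison for a couple of Protection Measures paragraphs; the SSP excerpt, the profile values and the section names are constructed samples.

```python
import re

# Constructed SSP excerpt: the written narrative a reviewer reads.
SSP_TEXT = {
    "Requirements for Passwords":
        "Passwords are at least 14 characters and expire every 90 days. "
        "Complexity is enforced when applicable.",
    "Successive Logon Attempt Controls":
        "Accounts are locked after 3 unsuccessful logon attempts; only "
        "the ISSM or ISSO unlocks an account.",
}

# Constructed profile: the technical settings actually configured.
PROFILE = {
    "Requirements for Passwords": {"min_length": 12, "max_age_days": 90},
    "Successive Logon Attempt Controls": {"lockout_threshold": 3},
}

# Generic phrases the deck warns against (slide 4), plus one more.
VAGUE_PHRASES = ("if feasible", "when applicable", "if possible", "as appropriate")

# How each profile setting is stated in the narrative; group 1 is the number.
PATTERNS = {
    "min_length": r"at least (\d+) characters",
    "max_age_days": r"expire every (\d+) days",
    "lockout_threshold": r"after (\d+) unsuccessful logon attempts",
}


def find_vague_phrases(text):
    """Return the generic phrases found in one SSP paragraph."""
    low = text.lower()
    return [p for p in VAGUE_PHRASES if p in low]


def compare_section(text, settings):
    """Return mismatches between values quoted in the SSP and the profile."""
    issues = []
    for key, value in settings.items():
        m = re.search(PATTERNS[key], text)
        if m is None:
            issues.append(f"{key}: SSP text does not state a value")
        elif int(m.group(1)) != value:
            issues.append(f"{key}: SSP says {m.group(1)}, profile has {value}")
    return issues


def review_plan(ssp=SSP_TEXT, profile=PROFILE):
    """Map each SSP section to its findings; an empty dict means consistent."""
    findings = {}
    for section, text in ssp.items():
        notes = compare_section(text, profile.get(section, {}))
        notes += [f"generic phrase: '{p}'" for p in find_vague_phrases(text)]
        if notes:
            findings[section] = notes
    return findings
```

On the constructed input the password paragraph is flagged twice (the length disagrees with the profile and it uses "when applicable"), while the lockout paragraph passes.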

61 System Certification

62 Certification
- Physical inspection of your system
- Written documentation to DSS that the system meets all NISPOM requirements
- Certification Test Guide
- NISP Tool

63 Summary
- Required Documentation
- Requirements of the SSP
- Requirements of the profile
- Certification

64 Questions