Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Preparing a System Security Plan. 2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification.

Published bySusan Loren Rogers Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Preparing a System Security Plan. 2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification."— Presentation transcript:

1 1 Preparing a System Security Plan

2 2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification

3 3 What is a System Security Plan (SSP)? The SSP is the user’s guide for operating your system. The SSP contains specific procedures and processes. Has two parts: Written instructions and a technical information. The written instruction provides all the explanations and steps necessary for a non-technical user to operate the system. The profile only list the technical information.

4 4 Pitfalls to avoid Failure to submit a cover letter Not providing detailed information Use of generic phrases e.g. If feasible, When applicable, If possible, etc Referring users to the profile for additional explanations

5 5 Pitfalls to avoid Failure to submit all required documents Completely re-writing a plan instead of only making suggested changes Failure to verify information in SSP to the profile

6 6 Required Documents Cover Letter SSP Profile Certification Network Security Plans or MOA/MOU for outside connections Customer letters Approved Variance letters

7 7 Preparing the Security Plan

8 8 Cover Page Revision Log

9 9 Cover Page Requirements Facility Name and address Cage Code Type of Plan Protection Level Operating Environment Outside Connections Date and Revision number Revision Log Must be completed with each revision.

10 10 1. Introduction

11 11 Introduction Purpose Identifies the purpose of the document Identifies the purpose of the System List of Attachments

12 12 Introduction Scope Identifies the range of operations Protection Level Classification Level Confidentiality, Integrity, Availability Type of system Categories of Information and formal access requirements Operating Environment Alternate Site Processing

13 13 2. Personnel Management

14 14 Personnel Responsibilities Contractor Management How is the security policy supported by Management ISSM Responsibilities May be listed exactly from the NISPOM ISSO Responsibilities May be listed exactly from the NISPOM or may be tailored to what you want this person to do. If using the ISSO Delegation Record, compare duties.

15 15 Personnel Responsibilities Users Privileged Users Other than the ISSM and ISSO. What are these users allowed to do on your system. General Users What are these users allowed to do on your system

16 16 3. Certification and Accreditation

17 17 Certification and Accreditation Certification Explain your certification process Accreditation Explain the accreditation process Reaccreditation Explain when reaccreditation is required and the process

18 18 Certification and Accreditation Certification of Similar Systems Certification process Define a similar system Security Testing Purpose Describe the frequency Self Inspections Describe the frequency Explain what will be inspected

19 19 4. System Identification and Requirements (SIRS)

20 20 System Identification and Requirements Specification Pure Servers (8-503 ) Provides non interactive service (e.g. messaging service) No user access No user code This is the beginning of the technical information and procedures for your system.

21 21 System Identification and Requirements Specification Tactical, Embedded, Data Acquisition, and Special Purpose Systems (8-504) No General users No user code Mobile Systems (8-308) A system that is used for classified processing outside your facilities cage code. May be at another Contractor or a Government site

22 22 5. Protection Measures

23 23 Protection Measures Accounts and Logons Identification and Management Are logons being used Explain how you create unique user IDs Explain how authenticators (passwords) are created and passed to the user

24 24 Protection Measures Accounts and Logons Requirements for Passwords Identify password length Password lifetime Password complexity Guidelines for User Generated Passwords Explain the requirements users are to follow

25 25 Protection Measures Accounts and Logons Generic or Group Accounts Are these accounts authorized Explain the purpose Explain the access procedures

26 26 Protection Measures Session Controls Logon Banner Requirements Are you using the most current banner How is the banner displayed Action to remove the banner

27 27 Protection Measures Session Controls Successive Logon Attempt Controls Are they controlled? Define the number of unsuccessful logon attempts before the account is locked Explain your procedures for unlocking an account System Entry Conditions Explain how a user accesses the system

28 28 Protection Measures Access Controls Explain what technical and physical controls are in place to protect the system. BIOS Protection Boot Sequence Seals Removable Hard drive protection

29 29 Protection Measures Audit Requirements Frequency of Audits Audit Configuration and Settings Audit Management Overflow Manual Logs required to be audited List procedures if a variance is approved

30 30 Protection Measures System Recovery and Assurances Explain how you are going to recover and certify your system in a controlled manner Virus and Malicious Code Detection Explain how you will detect malicious code Explain procedures for updating antivirus definition files Data Transmission Protection Explain how data is transmitted

31 31 Protection Measures Clearance and Sanitization Clearing Authorized Method used Sanitization Authorized Method used

32 32 Protection Measures Protection Measure Variances Identify any approved variances Include a copy of the letter in the profile

33 33 6.Personnel Security

34 34 Personnel Security Personnel Access to IS Identify specific requirements users must meet before accessing the system Security Education Initial Training Requirements Explain your training requirements Ongoing IS Security Education Programs Describe your ongoing security education program

35 35 7. Physical Security

36 36 Physical Security Operating Environment You cannot identify multiple operating environments. Briefly describe your environment

37 37 8. Maintenance

38 38 Maintenance Facility Maintenance Policy Describe how maintenance will be performed and by whom Cleared Maintenance Personnel Uncleared Maintenance Personnel Explain procedures for using uncleared personnel

39 39 9. Media Controls

40 40 Media Controls Classified Media Define and provide examples Protected Media Define and provide examples Unclassified or Lower Classified Media Define and explain its use Media Destruction Explain how media is destroyed.

41 41 10. Output Procedures

42 42 Output Procedures Hardcopy Output Review Define and provide procedures for review Verify with hardware list to ensure you have a printer identified Media Review and Trusted Downloading Authorized Method used DSS Approved procedures Non Approved procedures

43 43 11. Upgrade and Downgrade Procedures

44 44 Upgrade and Downgrade Procedures These procedures are required if operating in a Restricted Area, MPF, when using removable hard drives, or when performing periods processing Procedures are specific to each system Upgrade/Startup Procedure Compare to your Upgrade Log Downgrade/Shutdown Procedure Compare to your Downgrade Log Periods Processing Authorized

45 45 12. Markings

46 46 Marking IS Hardware Components List the documents that govern marking Classified marking requirements Markings for co-located systems

47 47 Marking Media Unclassified Media Markings Classified Media Markings Overall classification level Applicable special markings e.g. NATO, Unclassified Title Creation date Derived from Declassify on

48 48 13. Configuration Management Plan and System Configuration

49 49 Configuration Management Plan and System Configuration Configuration Management (CM) The Configuration Management Program ensures that protection features are implemented and maintained on the system. This includes a formal change control process of all security relevant aspects of the system. Specify who is responsible for authorizing security relevant changes Explain how changes are documented Explain how the CM process is evaluated and frequency

50 50 Configuration Management Plan and System Configuration System Configuration Hardware Description Provide a generic description of your hardware e.g. Desktops, laptops, networked, non networked, etc. List only the equipment that applies to your system Hardware Requirements Identify requirements that must be met prior to processing

51 51 Configuration Management Plan and System Configuration Change Control Procedures for Hardware Addition of Hardware List procedures to be followed when adding hardware Removal of Hardware List procedures to be followed when adding software Reconfiguration of Hardware List procedures to be followed when reconfiguring hardware Who is authorized to reconfigure the system

52 52 Configuration Management Plan and System Configuration Software Description Provide a generic description of the software authorized for use on the system Software Requirements Identify limitations on the type of software that can be used Identify protection requirements Explain how software is introduced to the system Address software development Address malicious code

53 53 Configuration Management Plan and System Configuration Change Control Procedures for Software Addition of Software Identify who authorizes the addition of software Identify what types of software can be added and by whom Explain the documentation requirements for adding software

54 54 Configuration Management Plan and System Configuration Change Control Procedures for Software Removal of Software Identify who authorizes the removal of the software Identify what types of software can be removed and by whom Explain the documentation requirements for removing software Other SSP Changes Who is authorized to make changes to the security plan

55 55 14. System Specific Risks and Vulnerabilities

56 56 System Specific Risks and Vulnerabilities Risk Assessment Risk assessment is the process of analyzing threats and vulnerabilities of an IS and potential impact resulting from the loss of information or capabilities of a system. You must identify if there are any unique local threats

57 57 15. Network Security

58 58 Network Security Network Description Describe your network Unified Interconnected Network Management Protections Describe any physical or logical protections for network devices and cabling

59 59 System Profile

60 60 Profile Contains specific technical information about the system Must be compared to appropriate paragraph in the SSP Does not contain routine procedures Does contain special procedures

61 61 System Certification

62 62 Certification Physical inspection of your system Written documentation to DSS that the system meets all NISPOM requirements Certification Test Guide NISP Tool

63 63 Summary Required Documentation Requirements of the SSP Requirements of the profile Certification

64 64 Questions

Download ppt "1 Preparing a System Security Plan. 2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification."

Similar presentations

For Security Professionals

For Security Professionals
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
Software Quality Assurance Plan

Software Quality Assurance Plan
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
ODAA Workshop December 2012 Charles Duchesne, DSS Tiffany Snyder, DSS

ODAA Workshop December 2012 Charles Duchesne, DSS Tiffany Snyder, DSS
What’s the path to a SSP? Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie,

What’s the path to a SSP? Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie,
ISFO – ODAA Defense Security Service Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) Nov 2013 1 Nov 2013.

ISFO – ODAA Defense Security Service Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) Nov Nov 2013.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Auditing Computer Systems

Auditing Computer Systems
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010.

Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
SAE AS9100 Quality Systems - Aerospace Model for Quality Assurance

SAE AS9100 Quality Systems - Aerospace Model for Quality Assurance
Security Controls – What Works

Security Controls – What Works
1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.

1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Information Systems Security Officer

Information Systems Security Officer
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Similar presentations

Ads by Google