You and your team are:
- Acting as the CSP (Cloud Service Provider)
- Seeking PA (Preliminary Authorization) for your information system
- Responsible for:
- Developing and documenting the system security architecture for your information system
- Developing a System Security Plan (SSP) for your information system
- Presenting your SSP to an internal senior management review team
To do so,
- Determine the name and purpose of an information system your firm will develop and host in the cloud as a Software as a Service (SaaS) Cloud Service Offering (CSO) to support one or more client federal governmental agencies. Using the FedRAMP® (High, Moderate, Low, LI-SaaS) Baseline System Security Plan (SSP) template:
- Document the name of your system’s cloud service offering (CSO) on the cover of your SSP, in Table 3.1 of Section 3 of your SSP, and in the page header that will display on each page of your SSP
- Document the purpose of your cloud-based information system in Section 2 of your SSP
- Use Table 4, Table 5, and/or Table 6 in NIST SP 800-60 Volume 1 to assist you in identifying the information types your system will contain. Refer to FIPS 199 and use NIST SP 800-60 Volume 2 to determine the security categorization of the information types contained within your information system. Document the FIPS 199 categorizations in the SSP’s Table K.1 in Appendix K, and your CSO’s overall FIPS 199 security categorization in Table 3.1 of Section 3 of your SSP.
- Draft a logical network diagram of the information systems with security architecture needed to provide information assurance while developing, testing, and providing information system services to government clients of your information services. Use your logical network diagram to document your information system’s security architecture in your SSP’s Section 8.1 Illustrated Architecture. Describe important security elements illustrated in your diagram in SSP Section 8.2 Narrative.
- Be sure to include in your logical network architecture diagram illustrations of:
- Boundaries superposed to enable visualization of the data flows interconnecting systems
- Data flows depicting the different types of system users and the paths data takes between each user type and the system: across the Internet, in and out of the system boundary, and through the logical model of the system.
- You may use https://app.diagrams.net, Visio, CSET (Cyber Security Evaluation Tool), or another drawing tool to draw the logical network diagram of the information system infrastructure
- Use appropriate network symbols and annotation in your architectural diagram. Include:
- Information System Servers: e.g. Web Server(s), Application Server(s), Database Server(s), File Server(s), …
- Security zones (i.e. security domain areas) based on security categorizations
- Appropriately placed switches, routers, firewalls, Intrusion Detection System(s) and/or Intrusion Protection Systems.
- Be sure to label each type of firewall, IDS, and IPS located throughout your diagram
- Identify the system’s boundaries and the locations of interconnection(s) to and through the Internet to/from users and other information systems accessed across the Internet
- Identify where and how various user groups, including clients and remote staff, access your organization’s various IT systems via the Internet, and illustrate the data flow and protocols used (e.g. HTTPS, VPN, etc.) between each user group and the information system
- Strongly consider having 3 parallel cloud-based system environments to support your system: Development System, Test System, and Production System
- Document your system and its security architecture and controls in the System Security Plan, following the instructions available in the FedRAMP System Security Plan template to complete the following:
- Cover Page; Section 1; Section 2; Section 3’s Table 3.1: CSP Name, CSO Name, Service Model, Digital Identity Level Determination, FIPS Pub 199 Level, Deployment Model, and General System Description; Section 7 including Table 7.1; Section 8, 8.1, 8.2 and Table 8.1; Section 9 – in Table 9.1 only provide information for the following columns: Service Name, Transport Protocol, Purpose, and Used By; Section 11 – Tailor the roles (columns) in Table 11.1 to match those identified in your logical data flow diagram
- Appendix A using either the High, Moderate, or Low template for appropriate baseline based on your system’s FIPS 199 categorization. Complete only the controls of one of the four technical control families. Annotate which control family you have chosen to complete on the cover of the Appendix A document.
- Appendix E – Digital Identity Worksheet
- Appendix H – Information System Contingency Plan: Only provide a GANTT Chart illustrating the tasks, dependencies and durations of scheduled tasks in person-hours for completing the Information System Contingency Plan.
- Appendix K’s Table K.1 – FIPS 199 Categorization
- Create and deliver in class a PowerPoint presentation that introduces the name and purpose of your cloud-based information system, your system’s users and how it is used, and the security architecture of the system.
Deliverables: Hand in your assignment individually via Canvas. Each member of the team should submit identical copies of the following documents in PDF format, with your names on the files and in the documents, via your individual Canvas accounts:
- PowerPoint presentation that supports a 15-minute presentation delivered by your team in class that introduces the name and purpose of your cloud-based information system, your system’s users and how it is used, and the security architecture of the system.
- System Security Plan (with completed sections and attachments as detailed above)
- Logical system security architecture diagram(s), including the system’s logical network diagram with boundaries, interconnections and data flows to/from users and other/supporting systems, and security architecture components
- 360 Degree Review – On a single page, list the members of your team including yourself and briefly describe each team member’s contribution to developing and delivering the deliverables
- Each team not presenting will interview/question the SSP presentation team to help identify and clarify possible weaknesses in the information system’s security architecture being presented.