Security Architecture - 001
MIS 5214 - Section 001 - David Lanter
January 23, 2020 by David Lanter 18 Comments
Akshay Shendarkar says
January 24, 2020 at 3:19 pm
This document delineates the importance of security planning in protecting information as well as information systems. It also gives a brief overview of the minimum security controls to be considered in the planning process. It is imperative that program managers, system owners and security personnel understand the security planning process and provide their valuable inputs in successfully implementing this plan. This document basically provides a basic template for preparing a system security plan which meets the federal requirement; however, it can easily be applied to various organization structures.
Numneung Koedkietpong says
January 24, 2020 at 8:18 pm
NIST 800-100, in Chapter 8, talks about system security planning, which emphasizes using the standards of FIPS 199 and NIST SP 800-53. One key point that I took from this chapter is that system security planning helps organizations improve the protection of information system resources. Roles and responsibilities of the persons in charge, such as the CIO, Information System Owner, Information Owner, Senior Agency Information Security Officer, and Information System Security Officer, should be clearly identified. Lastly, the security plan should be reviewed and approved by an authorized person.
Natalie Dorely says
January 26, 2020 at 9:50 pm
I noticed the same key point you mentioned. This chapter definitely emphasizes that system security planning helps enable organizations in improving their protection of information assets.
Zeynep Sahin says
January 24, 2020 at 10:56 pm
One key point I learnt from NIST 800-100 chapter 8 is that system security plans are living documents which require regular reviews and plans of action and milestones (POA&M). Therefore, determining roles and responsibilities is crucial to provide accountability, so that it is certain who reviews the plans and follows up on planned security controls. The NIST document requires organizations to prepare procedures related to team members and their responsibilities and to develop policy on the system security planning process.
Percy Jacob Rwandarugali says
January 26, 2020 at 11:45 am
This area of study highlights the importance of the System Security Plan (SSP); this document provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements. Furthermore, the system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan, as advised, should have the input of managers from different departments and, if need be, there is room for additional information in the basic plan and managers can add sections to the basic format prescribed.
Alexander Reichart-Anderson says
January 28, 2020 at 9:36 am
Hi Percy, throughout this entire unit I have focused on the need to set controls and policies on the people and the systems. The article that encompasses all of this is the security plan. A strong foundation of a security plan ironed out by the CISO and steering committee will lead to strong overall security.
Christopher James Lukens says
January 26, 2020 at 1:38 pm
Chapter 8 discusses how to develop a system security plan and the resources needed. It references FIPS 200, minimum security requirements, which then use the controls laid out in NIST 800-53, and uses NIST 800-18 for the template to organize the overall security plan. All three documents help complete a part of the overall security plan and ensure that you're appropriately managing your risk based upon the classification guidelines in FIPS 199. The chapter also lays out who is responsible for parts of the plan and the appropriate approvals and maintenance of the security plan.
January 28, 2020 at 2:18 pm
Good overall summary of chapter 8. Yes, this chapter references various NIST and FIPS documents to come up with a sturdy security plan. However, what I found very important was that this chapter clearly states the responsibility of all the staff in an organization, technical as well as managerial, regarding their role in maintaining the security of IT systems. Information security is a very vast topic and can become very complex if roles and responsibilities are not clearly described to staff; hence this document is a good reference point for gaining knowledge of essential responsibilities.
Imran Jordan Kharabsheh says
January 26, 2020 at 7:14 pm
As I was reading through chapter 8 of the NIST Information Security Handbook, which covers and details the system security planning process and how this process contributes to the system development life cycle, I noted how the section on System Boundary Analysis and Security Controls related to the previous week's discussions. In particular, this section discusses how FIPS 199 impact analyses on the information systems should be used when categorizing the systems between Major Applications and General Support Systems, as well as when selecting a preliminary control baseline before tailoring according to the various risk assessments performed and conditions of the organization.
January 26, 2020 at 8:19 pm
One key takeaway I took from NIST 800-100 Chapter 8 is the requirements and standards needed for the System Security Plan. For example, in security control selection, it is important for an organization to understand the level of impact each risk exposure can have on the organization. This breakdown of levels between low and high gives a clear picture to information system personnel of which vulnerabilities need to be focused on.
January 27, 2020 at 12:49 pm
Hi Natalie, I like the key point that I took from this article because understanding the level of impact of each risk exposure is important to an organization for identifying and evaluating risks and controls. In this way, it helps an organization to properly mitigate threats and cost budgets as well.
Junjie Han says
January 26, 2020 at 10:30 pm
The establishment of a security plan requires an indicator. NIST 800-100 refers to the minimum security requirement FIPS 200 in the security plan. In addition, it describes the major application (MA) and general support system (GSS), which are important factors in the preparation of the security plan. Security planning should be considered from these two points. The responsibilities of each position are also mentioned: what they should be responsible for.
Sarah Puffen says
January 26, 2020 at 10:57 pm
NIST SP 800-100 acts as a guideline for how to prepare a system security plan in accordance with the appropriate federal requirements. What I found to be a key takeaway was the emphasis on defining roles and responsibilities and rules of behavior within the system security plan. As we have seen in other readings, it is important to establish who is responsible for what and to also set clear boundaries as to how employees are expected to use these systems. Documentation is crucial because it is an organization's official plan of action, so it is important that the document is reviewed and updated in accordance with any changes to ensure that the document reflects what is happening within the agency.
January 28, 2020 at 4:24 am
After reading through your response to chapter 8 of the NIST Information Security Handbook, it becomes apparent just how critical the clear defining of roles and responsibilities for the organization's systems is when creating the system security plan. I also appreciate your mentioning of continuously updating the information security plan and its components as changes and developments are made within the organization, as things tend to change more often than people expect.
January 26, 2020 at 11:38 pm
NIST 800-100, from the title, lays out the plans an organization can take to keep their systems secure from various forms of attack. The plan starts with planning, documenting, and accounting for the people and systems in an organization. After all, without knowing who and what you’re working with to protect, you would not be able to move forward. After that, 800-100 begins to emphasize a true delegation of purpose to machines and their human counterparts operating them. This is almost as important as planning because as the organization moves forward and continues to evolve, the presence of operational boundaries is exponentially important so tasks, departments, and functions can be split up efficiently and effectively.
Joseph Nguyen says
January 26, 2020 at 11:46 pm
NIST 800-100 is a guideline for a System Security Plan. It is used for the security certification and accreditation process by providing an overview of the security requirements and safeguards of the system.
The SSP describes security controls based on NIST 800-53, FIPS 199 and FIPS 200. It defines the roles and responsibilities of the people involved:
– The Chief Information Officer (CIO)
– Information System Owner
– Information Owner
– Senior Agency Information Security Officer (SAISO)
– Information System Security Officer (ISSO)
The plan is periodically updated and reviewed, with plans of action and milestones (POA&M) for implementing security controls.
January 28, 2020 at 7:23 pm
Hi Joseph Nguyen,
You listed the relevant persons mentioned in it. These roles play an important role in the construction of the organizational framework. Top managers need to have a strong sense of security to protect the information system from the top down.
Peiran Liu says
January 29, 2020 at 12:25 pm
NIST 800-100 chapter 8 shows how to develop a system security plan and how the whole process works. The point I want to point out is the ongoing system security plan maintenance. After the system security plan is set up, the system can keep running. But in order to keep it running well for a long time, ongoing system maintenance according to the security plan is necessary to keep the system away from vulnerabilities. The changes for the plan maintenance are also required to be reviewed, as the changes might revert some good controls for the security too.