Since it is difficult/impossible to predict the probability of any security incident, what are some of the alternatives that can be used to get a more accurate estimation while performing the classical Risk Analysis?
What are the risks when the system security planning is reviewed and approved by unauthorized person?
The risk is that the person who is unauthorized may also be unqualified to review an SSP. This could lead to gaps in the plan or even gaps towards compliance and open the company up to breaches and fines. The SSP needs to be reviewed by qualified security professionals who know how to use the framework.
How can an organization balance regulatory compliance and business needs?
Hi, Zeynep Sahin
The organization should choose the right IT security framework for security control deployment. This depends on the organization's positioning of its business.
Who should have access to the system security plan and where should it be stored?
What are the relationships between FIPS 199, FIPS 200, SP 800-53, in terms of developing a system security plan?
FIPS Publication 199 is for Security Categorization of Federal Information and Information Systems. FIPS Publication 200 points out a risk-based process for selecting the security controls to meet the minimum security requirements. NIST SP 800-53 provides three security control baselines, low, moderate, and high, that are associated with the three FIPS 199 impact levels; as the impact level increases, so do the minimum assurance requirements.
Among the seventeen security-related areas that are covered in the minimum security requirements of the federal information systems security program, which area do you feel holds the most significance and covers the most prominent risks faced by federal agencies?
What would happen if organizations added biometrics as a form of security control and there was a breach of employees' confidential information in which that personal information was obtained?
When some organizations are unable to meet minimum security requirements (e.g. when they want to implement IT programs such as membership, but their financial situation does not allow them to meet the minimum security requirements), what can they do? Or just take the risks?
Which information systems, positions, and policies/standards are most risky, important, and/or vulnerable as we move into the 2020s?
I think at the heart of this question it's about staying current with standards and not falling behind on best practices. At the current time, using the NIST standards is a great option, but once implemented you need to review and make sure there are no changes and that you're still current. The most risky thing to do is to implement a framework and then never look at it again and assume you're not vulnerable.
Why is it important to revisit security categorizations as a business matures?
As the business evolves and matures, it needs to make sure its categorizations of data are right; otherwise it won't be using the necessary controls to prevent an incident. Another reason is to make sure the company stays in compliance and doesn't receive any fines.
Is SSP specific to NIST only or also available in other frameworks?
There are also kinds of system security plans for different frameworks, but the SSP we are doing is specific to NIST only, as it contains lots of references to the NIST file.
Who is responsible for implementing, monitoring and enforcing the security rules and policies that are established and authorized by the management of an organization?
How often should the policy be updated for a small company to balance between cost and effectiveness?
Hi Sarah,
I think policies can be reviewed between every 1 to 2 years; however, fast-paced businesses, like PCI DSS merchants, may need to review policies once or at most twice a year.