Percy Jacob Rwandarugali says
Do small businesses require comprehensive system security plans and implementation of government-mandated policies to the “T” despite limited budgets?
Christopher James Lukens says
Hi Percy,
Great question. I think it’s incredibly important for small businesses to take cyber security seriously. As always, the issue comes down to the amount of time and resources a small business can spare to develop a comprehensive plan. I think just the development of a plan, even if it isn’t perfect, already puts a small business ahead of others. Small businesses still need to comply with government rules, no different than a large business.
Zeynep Sahin says
What would be the advantages or challenges of implementing risk management practices from the beginning of the SDLC to the end of all phases?
Sarah Puffen says
I think that time would be a challenge when implementing risk management practices in all phases of the SDLC. For example, after implementing controls and determining the residual risk, the residual risk may not be at an acceptable level, so the risk management cycle would need to be repeated in order to figure out a way to lower the residual risk to an appropriate level. While this is beneficial in the long run, it can be time consuming and costly to the agency.
Numneung Koedkietpong says
What are the difficulties or obstacles when organizations develop system security plans?
Junjie Han says
Hi Numneung,
I think the challenge of developing system security plans is aligning the organization’s business goals with IT applications, using a risk-based orientation to accurately assess business requirements related to IT and IoT/IIoT. Adopt and apply appropriate standards-based frameworks. Create or adjust your security and compliance architecture.
Akshay Shendarkar says
For an effective incident response plan, how do organizations define appropriate logging and monitoring standards, so that meaningful data is captured which can provide alerts for potential security incidents?
Percy Jacob Rwandarugali says
Great question Akshay. I think companies should determine which data or critical parts of the system need to be protected/monitored and what framework they want to use, and then deploy a customized SIEM tool based on their security parameters.
Imran Jordan Kharabsheh says
What are the benefits and shortcomings of differing system security planning infrastructures?
Peiran Liu says
Which part should be the most prioritized part of system security planning? Or which part should companies put the most money in?
Junjie Han says
Risk management in IT requires identifying system characteristics. What are the main differences in system characteristics? How does this affect security priorities?
Zeynep Sahin says
Hi Junjie,
System characterization is the process of identifying information system assets that need to be protected. Information assets are characterized according to their criticality to the organization (using FIPS 199 to determine the system’s appropriate security categorization). This process is so important because the results of this process provide the basis for risk assessment work and other security processes.
Christopher James Lukens says
How often should the system security plan be revised? How should changes be implemented?
Numneung Koedkietpong says
Personally, I think the system security plan should be periodically reviewed and revised at least annually if there is no change. However, if there is any new program development, update of systems or any change of information system owner, the organization should review the system security plan right after that, because the changes lead to new risks. The organization should identify assets, evaluate risks based on FIPS 199, define the system owner, and document them in the plan with a revision number and date.
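A worked example, added here and not written by any poster in this thread, of the two replies above: FIPS 199 high-water-mark categorization of a system from its information types, and an SSP record with owner, revision number and review date that is re-reviewed on any ownership or system change and at least annually. The dataclass fields, the payroll sample and the 365-day rule are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum

class Impact(IntEnum):  # FIPS 199 impact levels, ordered so max() yields the high-water mark
    LOW = 1
    MODERATE = 2
    HIGH = 3

@dataclass
class InfoType:  # one information type the system handles, rated per security objective
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

@dataclass
class SystemSecurityPlan:  # minimal SSP record; the fields are assumed, not from any standard
    system: str
    owner: str
    info_types: list
    revision: int
    last_reviewed: date

def categorize(info_types):
    """FIPS 199 high-water mark per objective; the overall category is the highest of the three."""
    sc = {
        "confidentiality": max(t.confidentiality for t in info_types),
        "integrity": max(t.integrity for t in info_types),
        "availability": max(t.availability for t in info_types),
    }
    sc["overall"] = max(sc.values())
    return sc

def review_due(plan, today, max_age_days=365):
    """Annual review rule: due when the plan has not been reviewed within max_age_days."""
    return (today - plan.last_reviewed).days >= max_age_days

def record_change(plan, reviewed_on, new_owner=None):
    """An owner or system change triggers an immediate review: bump the revision, stamp the date."""
    if new_owner is not None:
        plan.owner = new_owner
    plan.revision += 1
    plan.last_reviewed = reviewed_on

def sample_plan():  # constructed sample: a payroll system with two information types
    return SystemSecurityPlan("payroll", "finance-director", [
        InfoType("employee PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
        InfoType("payroll processing", Impact.LOW, Impact.HIGH, Impact.MODERATE),
    ], revision=3, last_reviewed=date(2019, 1, 15))
```

For the sample, integrity is HIGH because of payroll processing, so the whole system is categorized HIGH even though its confidentiality need is only MODERATE.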
Joseph Nguyen says
It would be good to have a program that uses AI/Machine Learning to help create/maintain a system security plan. The program could interactively propose/suggest options for how to mitigate certain security controls.
Junjie Han says
AI machines can help machines and systems maintain security plans. And the AI machine itself needs a security plan. AI can help humans reduce some of the computation and observation time. Confusion, polymorphism and certain other characteristics are among the most challenging hacking techniques that make it difficult to detect malicious programs. In addition, security engineers with specific domain knowledge are another important issue in ensuring network security. But by using AI and ML, experts and researchers will do their best to use the best technology to identify and respond to complex cyber attacks with little or no human intervention.
Sarah Puffen says
Where should the system security plan be stored? Who should be allowed access to the system security plan?
Zeynep Sahin says
Hi Sarah,
I think SSPs should have a confidential, or at least restricted, level of classification. Therefore, access to this document should be granted only to authorized employees, so that any exploitation of security controls is prevented. And every company should follow its policies for storing, handling, and distributing confidential documents, for instance encryption and creating appropriate access-control lists.
Qiannan Zhen says
Does the system security plan apply to any type of organization?
Numneung Koedkietpong says
Hi Zhen, I think every organization should establish a system security plan because it is a guideline and helps organizations understand their systems, data, system owners, and security controls. Each organization has a different system security plan since it depends on the risks, the nature of the organization’s business, what assets they have, and how big the impacts of the risks are when they perform risk management analysis.
Qiannan Zhen says
I agree with you. I think it is necessary for the management of the organization to understand the system security plan. Only by mastering the requirements of an SSP can managers develop an appropriate SSP for the organization and have it play its role.
Natalie Dorely says
Is it possible to apply the Risk Assessment Process every time a new security control is applied?
Peiran Liu says
In my opinion it should depend on how new or different the new security control is. If the security control is drastically different, the risk assessment process should be rethought. Otherwise, it is OK to apply the same risk assessment process every time a new security control is applied.
Innocent says
Who is responsible for the development, maintenance and update of the system security plan?