Do small businesses require comprehensive system security plans and implementation of government-mandated policies to the “T” despite limited budgets?
Hi Percy,
Great question, I think it's incredibly important for small businesses to take cyber security seriously. As always, the issue comes down to the amount of time and resources a small business can spare to develop a comprehensive plan. I think just the development of a plan, even if it isn’t perfect, already puts a small business ahead of others. Small businesses still need to comply with government rules, no different than a large business.
What would be the advantages or challenges of implementing risk management practices from the beginning of SDLC to the end of all phases?
I think that time would be a challenge when implementing risk management practices in all phases of the SDLC. For example, after implementing controls and determining the residual risk, the residual risk may not be at an acceptable level, so the risk management cycle would need to be repeated in order to figure out a way to lower the residual risk to an appropriate level. While this is beneficial in the long run, it can be time consuming and costly to the agency.
What are the difficulties or obstacles when an organization develops system security plans?
Hi Numneung,
I think the challenges of developing system security plans are aligning the organization’s business goals with IT applications, using a risk-based orientation to accurately assess business requirements related to IT and IoT/IIoT, adopting and applying appropriate standards-based frameworks, and creating or adjusting your security and compliance architecture.
For an effective incident response plan, how do organizations define appropriate logging and monitoring standards, so that meaningful data is captured which can provide alerts for potential security incidents?
Great question Akshay, I think companies should determine which data or critical parts of the system need to be protected/monitored and what framework they want to use, and then deploy a customized SIEM tool based on their security parameters.
What are the benefits and shortcomings of differing system security planning infrastructures?
Which part should be the most prioritized part of system security planning? Or which part should companies put most money in?
Risk management in IT requires identifying system characteristics. What are the main differences in system characteristics? How does this affect security priorities?
Hi Junjie,
System characterization is the process of identifying information system assets that need to be protected. Information assets are characterized according to their criticality to the organization (using FIPS 199 to determine the system’s appropriate security categorization). This process is so important because the results of this process provide the basis for risk assessment work and other security processes.
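The FIPS 199 categorization step mentioned above, worked through in code. This is an added example, not part of the discussion thread: it applies the FIPS 199 "high water mark" rule (per objective, take the highest impact across all information types the system handles, with LOW as the floor for a system) to a constructed set of information types; the type names and their impact levels are invented for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values. NA (not applicable) is only valid
    for the confidentiality objective of an individual information type."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types):
    """Return the system's security category as {objective: Impact}.

    High water mark: for each objective the system level is the maximum over
    all information types. FIPS 199 does not allow NA at the system level, so
    every objective is at least LOW (the system itself must be protected)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    if any(t.integrity == Impact.NA or t.availability == Impact.NA for t in info_types):
        raise ValueError("NA is only permitted for confidentiality")
    return {
        obj: max(max(getattr(t, obj) for t in info_types), Impact.LOW)
        for obj in OBJECTIVES
    }


def overall_impact(sc):
    """Single impact level used to pick the NIST SP 800-53 baseline."""
    return max(sc.values())


def format_sc(sc):
    return "SC = {" + ", ".join(f"({o}, {sc[o].name})" for o in OBJECTIVES) + "}"


# Constructed sample: one hypothetical customer-facing application
SAMPLE_SYSTEM = [
    InfoType("public web content", Impact.NA, Impact.MODERATE, Impact.LOW),
    InfoType("customer PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("payment transactions", Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_SYSTEM)
    print(format_sc(sc), "-> overall", overall_impact(sc).name)
```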
How often should the system security plan be revised? How should changes be implemented?
Personally, I think the system security plan should be periodically reviewed and revised at least annually if there is no change. However, if there is any new program development, update of systems, or any change of information system owner, the organization should review the system security plan right after that because the changes lead to new risks. The organization should identify assets, evaluate risks based on FIPS 199, define the system owner, and document it in the plan with a revision number and date.
It would be good to have a program that uses AI/Machine Learning that can help to create/maintain a system security plan. The program could interactively propose/suggest options of how to mitigate certain security controls.
AI machines can help machines and systems maintain security plans. And the AI machine itself needs a security plan. AI can help humans reduce some of the computation and observation time. Confusion, polymorphism and certain other characteristics are among the most challenging hacking techniques that make it difficult to detect malicious programs. In addition, security engineers with specific domain knowledge are another important issue in ensuring network security. But by using AI and ML, experts and researchers will do their best to use the best technology to identify and respond to complex cyber attacks with little or no human intervention.
Where should the system security plan be stored? Who should be allowed access to the system security plan?
Hi Sarah,
I think SSPs should have a confidential, or at least a restricted, level of classification. Therefore, access to this document should be granted only to authorized employees so that any exploitation of security controls is prevented. And every company should follow their policies for storing, handling, and distribution of confidential documents. For instance, encryption and creating appropriate access-control lists.
Does the system security plan apply to any type of organization?
Hi Zhen, I think every organization should establish a system security plan because it is a guideline and helps organizations understand their systems, data, system owners, and security controls. Each organization has a different system security plan since it depends on the risks, the nature of the organization's business, what assets they have, and how big the impacts of the risks are when they perform risk management analysis.
I agree with you. I think it is necessary for the management of the organization to understand the system security plan. Only by mastering the requirements of SSP, can managers develop appropriate SSP for the organization and play a role.
Is it possible to apply the Risk Assessment Process every time a new security control is applied?
In my opinion it should depend on how new or different the new security control is. If the security control is drastically different, the risk assessment process should be rethought. Otherwise, it is OK to apply the same risk assessment process every time a new security control is applied.
Who is responsible for the development, maintenance and update of the system security plan?