The insightful thing I picked from this document stems right from the definition of the system security plan (SSP) and its objective. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements, while the objective is to improve protection of information resources. However, before the SSP is even thought about, all information systems in the inventory should be categorized using FIPS 199 as a first step in the system security planning activity. The document is a great guide for government agencies/companies on how to develop system security plans, policies, periodic reviews, modifications and plans of action and milestones for implementing controls.
Hi Percy,
Great point, you can't begin to protect your systems until you know all the systems and data that you have. Understanding the categorization of the data shouldn't be underplayed because it lays the groundwork for all subsequent mitigation techniques.
This publication of NIST explains how to develop a security plan and indicates which NIST documents should be taken as references to help organizations create their security plans. The key point that I took from this standard is the necessity and importance of documenting all security activities, functions, responsibilities and management authorization. Briefly, a security plan includes security requirements, the controls associated with them and the expected behavior of all the people involved in the plan. As the document indicates, every federal agency and organization has some degree of sensitivity, so they need to be safeguarded as a part of management.
Hi Zeynep, your point nicely summarizes NIST’s SSP guidance. I think the requirement for people’s responsibilities in the SSP is the most important because it controls people’s inappropriate behavior in the organization.
This standard describes how to conduct appropriate security plans aligned with FIPS 200 (Systems Inventory and Federal Information Processing standards) and NIST SP 800-53, which contains required security controls in management, operational, and technical safeguards. There are many responsible persons involved in a security plan; however, one key point that I would like to take from this reading is that senior management or the executive level is the key party responsible for approving and authorizing the operation of an information system. This level has the decision on the acceptable level of risk for operation.
Hi Numneung!
It’s interesting how senior management has the responsibility to approve the operation of an information system! Since they have such a high level of understanding with regard to different controls and systems, it would be expected that they would understand which system is best for the organization.
Best,
Natalie Dorely
This special publication of NIST provides guidelines for developing security plans for the protection of federal information assets. It also references other NIST documents which can be consulted by federal employees to form formidable information security plans which suit the needs of their organization. The key point that I noted is the importance of the FIPS 199 standard. The FIPS 199 standard is to be used mandatorily by all federal agencies in classifying the information systems and data under their responsibility. This is the first step of any information security plan, hence it is vital that senior officials responsible for the categorization of federal information assets have a very deep and comprehensive understanding of this standard. This document also delineates the core responsibilities of senior officials while developing security plans. These guidelines require management to authorize the implementation of any information system after conducting a risk assessment of the system, as well as to accept the associated risks related to its operation in the federal information systems environment.
Hello,
After reading through your post on what you found the most interesting in the NIST SP 800-18r1 document, I went back and read some of the portions that directly reference FIPS 199 and found that your summary was quite well-rounded. Your takeaway was also simplified well, as it made the concepts described in the document easier to comprehend, such as the need for the classification of information systems.
In the initial steps of a security plan being developed, system categorization must first take place according to the FIPS 199 impact analysis. It is then decided which systems should be grouped into major applications or general support systems, followed by which FIPS 199 impact levels must be considered when the system boundaries are drawn and the initial set of security controls is selected. I feel as though, to understand the full plan of system boundary analysis and security controls, it is important for an organization to implement the proper process of identifying each aspect, pushing toward identifying the weaknesses and vulnerabilities within the organization.
I like your point on identifying weaknesses and vulnerabilities. We should have an idea of what types of flaws are common for specific systems and/or security controls. Having a specific process in place when planning or testing can definitely aid in saving time and ultimately money for an organization.
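The categorization step discussed in the two posts above (FIPS 199 first, then the impact level that drives the SP 800-53 baseline) can be made concrete with a small script. This is an added example for the thread, not code from NIST SP 800-18 or from any NIST publication; the information types, their impact ratings and the system name are constructed sample data. It applies the FIPS 199 high water mark per security objective, floors "not applicable" confidentiality to LOW at the system level as FIPS 199 requires, and then takes the FIPS 200 high water mark across objectives to pick the baseline.

```python
"""FIPS 199 security categorization with the high water mark rule.

Added illustration for the discussion thread; not NIST-published code.
The inventory at the bottom is constructed sample data, not a real system.
"""
from dataclasses import dataclass

# Ordering used for the high water mark. "NA" (not applicable) is permitted
# by FIPS 199 only for the confidentiality of an individual information type
# (e.g. public information), never for integrity or availability and never
# at the system level.
IMPACT_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def validate(info: InfoType) -> None:
    """Reject unknown levels and NA outside the confidentiality objective."""
    for obj in OBJECTIVES:
        level = getattr(info, obj).upper()
        if level not in IMPACT_RANK:
            raise ValueError(f"{info.name}: unknown impact level {level!r} for {obj}")
        if level == "NA" and obj != "confidentiality":
            raise ValueError(f"{info.name}: NA is only allowed for confidentiality")


def categorize_system(info_types) -> dict:
    """Return the FIPS 199 security category of a system from its information types.

    For each objective the system inherits the highest impact assigned to any
    information type it stores, processes or transmits. Because a system always
    has system-level functions and data to protect, NA is floored to LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for info in info_types:
        validate(info)
    category = {}
    for obj in OBJECTIVES:
        highest = max((getattr(i, obj).upper() for i in info_types),
                      key=lambda level: IMPACT_RANK[level])
        category[obj] = "LOW" if highest == "NA" else highest
    return category


def overall_impact(category: dict) -> str:
    """FIPS 200 high water mark across objectives; selects the SP 800-53 baseline."""
    return max(category.values(), key=lambda level: IMPACT_RANK[level])


def format_sc(category: dict) -> str:
    """Render the category in FIPS 199 notation: SC = {(objective, impact), ...}."""
    parts = ", ".join(f"({obj}, {level})" for obj, level in category.items())
    return "SC = {" + parts + "}"


# Constructed sample inventory for one hypothetical general support system.
SAMPLE_SYSTEM = [
    InfoType("public web content", "NA", "moderate", "low"),
    InfoType("contract management", "moderate", "moderate", "low"),
    InfoType("personnel records", "moderate", "low", "low"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_SYSTEM)
    print(format_sc(sc))
    print("overall impact / SP 800-53 baseline:", overall_impact(sc))
```

Running it on the sample inventory yields a MODERATE system: public content contributes nothing to confidentiality, but contract management raises both confidentiality and integrity to MODERATE, and that single objective is enough to select the moderate baseline for every control family.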
The guide for developing security plans for federal information systems gives us a whole structure of how to make a perfect plan with meaningful controls for an information system. It also includes the list of personnel who are related to developing and fulfilling the plan. The part I would like to point out is that there is an individual section for information sharing, which is very common when we are talking about information systems. It points out that one of three key documents, an ISA, MOU or MOA, is required if the information is shared with a different organization. When sharing information with different organizations, the detailed organization information should also be provided so that when there is a breach, it can be traced back and the problem can be solved more easily.
Guide for Developing Security Plans for Federal Information Systems provides us with minimum security controls to protect information and information systems. The definitions of the requirements are from FIPS 200 and NIST SP 800-53. It categorizes systems, applications, and responsibilities. It demonstrates the importance of managing the key objectives that the IT department needs to focus on. All federal agencies are required to use the FIPS 199 standard. That’s the bottom line. On the basis of this standard, safety optimization is carried out for each department.
As I was reading through the NIST SP 800-18 Rev 1 publication titled “Guide for Developing Security Plans for Federal Information Systems”, I found myself more drawn towards the Plan Development section of the guide, as it delved a bit deeper into the applied aspects of planning the system security plan, which I felt were touched upon in previous classes. Among the more interesting things I learned in that section is the documentation and study of every interconnection an organization has (especially those with external organizations). Interconnections are what organizations use to transmit information resources across multiple IT systems, some belonging to other organizations. If these systems are not appropriately protected, it could compromise every single system on both sides of the interconnection.
Hi Jordan,
With a properly developed plan, protection will be applied to interconnections, which will protect every single system on both sides of the interconnection. If there were a breach at the other organization, the protection will make sure that the interconnection is cut off if needed.
NIST SP 800-18r1 is a guideline for developing a security plan for an Information System (IS), using FIPS 199 to categorize the impact of all information systems, based on the 17 categories of minimum security requirements in FIPS 200 and the security control baselines in SP 800-53.
The plan helps to define, within the 3 classes of security controls (management, operational, and technical): roles, responsibilities, scope, compensating controls, operational controls (contingency planning, incident response) and system interconnection.
Great Point, Joe. Also, the system security plan may also reference other key security-related documents for information system such as a risk assessment, plan of action and milestones, accreditation decision letter, privacy impact assessment, contingency plan, configuration management plan, security configuration checklist, and system interconnection agreements as appropriate.
NIST SP 800-18r1 is the guide to developing system security plans. I found figure 1 of the document interesting because it shows how interconnected all the different documents are and how they’re used in conjunction to form the security plan. The plan takes inputs from FIPS 199 (security categorization), FIPS 200 (minimum security requirements) and SP 800-53, which contains the controls. It also takes as inputs your plan of action and milestones, risk assessments and ongoing monitoring. I found that a major tenet of building a good security plan is utilizing all of the inputs and using the other documents to properly build a comprehensive plan.
What I found interesting when reading NIST SP 800-18r1 was the connection with our other NIST reading and having an authorizing official to make decisions regarding security controls. Scope guidance provides conditions for specific technologies regarding baseline security controls and how they are applied by the agency. Related considerations include: technology, common security controls, public access information systems, infrastructure, scalability, and, of course, risk.
This document details the definition and purpose of system security planning, which provides organizations with guidance on how to properly protect the organization’s system security and the appropriate actions of individuals within the organization in accordance with the federal system. This document provides a detailed breakdown of the responsibility for each role in the organization. According to this document, the organization can systematically manage the behavior of each member.
Hello Qiannan,
I too found the detailed breakdown of responsibilities related to information security, as mentioned in this document, interesting. Clearly, for developing plans to secure information systems, it is essential that senior management delegate responsibilities to appropriate authorities in the organization, and that those authorities are aware of their responsibilities as well. This document gives a very good description of how some of the basic responsibilities can be divided in the organization.
One key takeaway from the system security plan document is that, for the plans to adequately reflect the protection of the resources, a senior management official must authorize a system to operate. This provides an important quality control because, by authorizing processing in a system, the manager accepts its associated risk, and this authorization should be based on an assessment of management, operational, and technical controls. Thus, management controls are techniques and concerns that are normally addressed by management and focus on the management of the information systems and the management of risk for a system (e.g., risk assessment, planning, system and service acquisition, certification, accreditation, and security assessments). Operational controls address security methods focusing on security control families in NIST SP 800-53, e.g., PS, PE, CP, MA, SI, MP, IR, AT; and the technical controls focus on security controls that the computer system executes. These controls provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data, e.g., Access Control, Audit and Accountability, Identification and Authentication, System and Communications Protection. Also, federal agencies must meet the minimum security requirements defined in FIPS 200 through the use of the security controls in NIST SP 800-53, which contains the management, operational and technical safeguards or countermeasures prescribed for an information system. The system security plan may also reference other key security-related documents for the information system, such as a risk assessment, plan of action and milestones, accreditation decision letter, privacy impact assessment, contingency plan, configuration management plan, security configuration checklist, and system interconnection agreements, as appropriate.