This document delineates the importance of security planning in protecting information as well as information systems. It also gives a brief overview of the minimum security controls to be considered in the planning process. It is imperative that program managers, system owners, and security personnel understand the security planning process and provide their valuable input in successfully implementing this plan. This document provides a basic template for preparing a system security plan that meets the federal requirement; however, it can easily be applied to various organizational structures.
NIST SP 800-100, in Chapter 8, talks about system security planning, which emphasizes using the standards of FIPS 199 and NIST SP 800-53. One key point that I took from this chapter is that system security planning helps organizations improve the protection of information system resources. The roles and responsibilities of the persons in charge, such as the CIO, Information System Owner, Information Owner, Senior Agency Information Security Officer, and Information System Security Officer, should be clearly identified. Lastly, the security plan should be reviewed and approved by an authorized person.
Hi Numneung!
I noticed the same key point you mentioned. This chapter definitely emphasizes that system security planning helps organizations improve their protection of information assets.
Best,
Natalie Dorely
One key point I learned from NIST 800-100 Chapter 8 is that system security plans are living documents that require regular reviews and plans of action and milestones (POA&M). Therefore, determining roles and responsibilities is crucial to provide accountability, making certain who reviews the plans and follows up on planned security controls. The NIST document requires organizations to prepare procedures related to team members and their responsibilities and to develop a policy on the system security planning process.
This area of study highlights the importance of the System Security Plan (SSP). This document provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements. Furthermore, the system security plan also delineates the responsibilities and expected behavior of all individuals who access the system. The system security plan, as advised, should have the input of managers from different departments, and if need be, there is room for additional information in the basic plan; managers can add sections to the basic format prescribed.
Hi Percy, throughout this entire unit I have focused on the need to set controls and policies on the people and the systems. The article that encompasses all of this is the security plan. A strong foundation of a security plan, ironed out by the CISO and steering committee, will lead to strong overall security.
Hi Percy,
Thanks for stating the importance of the System Security Plan.
Organizations use the System Security Plan to initiate, plan, design, and develop appropriate security measures to protect their information systems and operations, and ways to identify, protect, detect, respond, and recover from an incident. NIST SP 800-53 provides security controls for the applicable security control baseline (low-, moderate-, or high-impact information systems). The security controls contained in the baseline should always be reviewed and tailored according to each firm's security needs and/or the regulatory requirements.
Chapter 8 discusses how to develop a system security plan and the resources needed. It references FIPS 200, minimum security requirements, which then uses the controls laid out in NIST 800-53, and uses NIST 800-18 for the template to organize the overall security plan. All three documents help complete a part of the overall security plan and ensure that you're appropriately managing your risk based upon the classification guidelines in FIPS 199. The chapter also lays out who is responsible for parts of the plan and the appropriate approvals and maintenance of the security plan.
Hello Chris,
Good overall summary of Chapter 8. Yes, this chapter references various NIST and FIPS documents to come up with a sturdy security plan. However, what I found very important was that this chapter clearly states the responsibility of all the staff in an organization, technical as well as managerial, regarding their role in maintaining the security of IT systems. Information security is a very vast topic and can become very complex if roles and responsibilities are not clearly described to staff; hence, this document is a good reference point for gaining knowledge of essential responsibilities.
As I was reading through Chapter 8 of the NIST Information Security Handbook, which covers and details the system security planning process and how this process contributes to the system development life cycle, I noted how the section on System Boundary Analysis and Security Controls related to the previous weeks' discussions. In particular, this section discusses how a FIPS 199 impact analysis of the information systems should be used when categorizing the systems as Major Applications or General Support Systems, as well as when selecting a preliminary control baseline before tailoring according to the various risk assessments performed and the conditions of the organization.
One key takeaway I took from NIST 800-100 Chapter 8 is the requirements and standards needed for the System Security Plan. For example, in security control selection, it is important for an organization to understand the level of impact each risk exposure can have on the organization. This breakdown of levels between low and high gives a clear picture to information system personnel of which vulnerabilities need to be focused on.
Hi Natalie, I like the key point that I took from this article because understanding the level of impact of each risk exposure is important to an organization for identifying and evaluating risks and controls. In this way, it also helps the organization to properly mitigate threats and budget costs.
The establishment of a security plan requires an indicator. NIST 800-100 refers to the minimum security requirements of FIPS 200 in the security plan. In addition, it describes the Major Application (MA) and General Support System (GSS), which are important factors in the preparation of the security plan. Security planning should be considered from these two points. The responsibilities of each position are also mentioned: what they should be responsible for.
Hi Junjie,
Major Applications are systems that perform clearly defined functions for which there are. A General Support System is an interconnected set of information resources under the same direct management control that shares common functionality. They are clearly the most important factors in the preparation of the security plan. Nice finding!
NIST SP 800-100 acts as a guideline for how to prepare a system security plan in accordance with the appropriate federal requirements. What I found to be a key takeaway was the emphasis on defining roles and responsibilities and rules of behavior within the system security plan. As we have seen in other readings, it is important to establish who is responsible for what and also to set clear boundaries as to how employees are expected to use these systems. Documentation is crucial because it is an organization's official plan of action, so it is important that the document is reviewed and updated in accordance with any changes to ensure that the document reflects what is happening within the agency.
Hello,
After reading through your response to Chapter 8 of the NIST Information Security Handbook, it becomes apparent just how critical clearly defining roles and responsibilities for the organization's systems is when creating the system security plan. I also appreciate your mention of continuously updating the information security plan and its components as changes and developments are made within the organization, as things tend to change more often than people expect.
NIST 800-100, from the title, lays out the plans an organization can take to keep their systems secure from various forms of attack. The plan starts with planning, documenting, and accounting for the people and systems in an organization. After all, without knowing who and what you’re working with to protect, you would not be able to move forward. After that, 800-100 begins to emphasize a true delegation of purpose to machines and their human counterparts operating them. This is almost as important as planning because as the organization moves forward and continues to evolve, the presence of operational boundaries is exponentially important so tasks, departments, and functions can be split up efficiently and effectively.
NIST 800-100 is a guideline for a System Security Plan. It is used for the security certification and accreditation process by providing an overview of the security requirements and safeguards of the system.
The SSP describes security controls based on NIST 800-53, FIPS 199, and FIPS 200. It defines the roles and responsibilities of the people involved:
– The chief information officer (CIO)
– Information System Owner
– Information Owner
– Senior Agency Information Security Officer (SAISO)
– Information System Security Officer (ISSO)
The plan is periodically updated and reviewed, with plans of action and milestones (POA&M) for implementing security controls.
Hi Joseph Nguyen,
You listed the relevant persons mentioned in it. These roles play an important part in the construction of the organizational framework. Top managers need to have a strong sense of security to protect the information system from the top down.
Hi Joseph,
Thanks for giving more details about NIST 800-100. By defining the roles of the people involved in security, this document helps with SOD, which tends to avoid the overlapping of roles that would cause security concerns.
NIST 800-100 Chapter 8 shows how to develop a system security plan and how the whole process works. The point I want to point out is the ongoing system security plan maintenance. After the system security plan is set up, the system can keep running. But in order to keep it running well for a long time, ongoing system maintenance according to the security plan is necessary to keep the system away from vulnerabilities. Changes made during plan maintenance are also required to be reviewed, as the changes might revert some good security controls too.
According to the NIST 800-100 Information Security Handbook, an awareness and training program is a critical component of the information security program. Introducing and maintaining a robust and effective information security awareness and training program as part of the overall information security program will help provide the workforce with the information and tools needed to protect a firm's vital information resources. It is important to note that agencies that continually train their workforce in organizational security policy and role-based security responsibilities will have a higher rate of success in protecting information.