Some challenges organizations might face while developing a system security plan is not identifying the proper individuals in scope. When drafting a system security plan, there has to be the proper teams involved to ensure everything is covered. Legal counsel, top level management, and also the people performing the day to day operations have to be involved in creating the plan and upholding it. Unless all parties are identified, it might become a compliance issue and the plan won’t be able to perform it’s intended use.
Hi Priyanka,
For a large enterprise with the project as its main business, when planning an enterprise-level project management information system. I think the hardest part would be the definition of management and business combination is the most difficult part, between the enterprise and the second-level unit, and the subordinate projects.
A system security plan is primarily implemented in organizational IT environments. Based on this, I think that the important groups that facilitate a successful system security plan are the management and IT departments. By creating a system security plan within the company, employees can understand and learn the relevant knowledge and responsibilities of SSP.
Threat identification is the process of identifying threat sources that have the potential to exploit some weakness in the information system.
The three common threat sources are:
1. Natural threats such as earthquakes, floods, tornadoes, hurricanes, etc.
2. Human threats (intentional or unintentional) such as insider threats etc.
3. Environmental threats such as power failure
FIPS, NIST and FISMA are all federal requirements for “federal” agencies. In the private sector, how would you as an IT professional convince the c-suite of a small company with limited budget to model their security policies against a stricter set of requirements? How would you approach “selling” them the idea?
Cybersecurity is a fairly new concept and seems “out of budget” for smaller organizations. However, the most impacted organizations who fall for cyber attacks are these smaller companies. Hackers with ill intent prey on these smaller organization because they are aware of their lack of a security infrastructure. By selling the idea of how much money can be lost from a lack of a plan, it’ll help these companies better understand the quantitative cost($$) of not having a plan.
– Can deal with the changes and development trends of today’s security threats.
– Based on the existing construction conditions, we must fully tap the potential of technology and management and give full play to its role.
– There must be a focus on planning to solve key short-term issues; there must be planning goals and continuous progress towards excellence.
The plan should establish the overall goals suitable for the company’s current and future 2-5 years, implement them into a specific work framework, and carry out specific work plans according to and based on the working framework and safety construction status.
There are so many guidance and framework need to as a reference, What should a team do if they keeps different opinion on which guidance is the best one?
Align your mission and vision to the standard practices you want to implement. It’s imperative to have both teams — the business and the technology group– involved and aligned. Essentially it is the business that drives the technical requirements, not vice versa. I’d recommend a steering committee meeting be held with the key stakeholders from each side and draft a security plan that touches base on the frameworks and standards. Compliance is key so legal should be involved as well to assist with the “required” standard that the business must meet and then layer on the best industry practices.
For different departments, I think the organizations should classify departments by their functions. After classified, different departments can list authorized account, different level of access access, variety access control methods and other SSP plan’s content.
I think that to make things as easy to understand, since the SSP document is so large, to only provide each department with their section, that way it is clear to them what they are responsible for when it comes to authorization and what controls are in their field of accountability.
Upper management such as VP’s should be invited to develop the System Security Plan. SME’s and other employees should be consulted by providing the more intricate details about the system such as the connection method, ports, services used, etc. Ultimately, I think this would be a document for the CISO to review and approve.
It seems like for federal agencies the security plan requirements, roles and responsibilities, scope and controls are mandated. How do agencies move quickly enough to keep their security plan up to date when technologies and bad actors are moving so fast? Is the plan more important than the risk mitigation?
I think SSP is important to FedRAMP because it outlines who (the cloud service provider or the client) is responsible for what security controls. Essentially it assigns accountability. That way if there was a breach of an overlooked or misconfigured security control than there is a clear understanding as to who is at fault.
SSP is the basic file supporting fedramp evaluation. SSP is used by 3pao to develop safety assessment plan (SAP). Therefore, the SSP must provide sufficient details of how each control is implemented so that 3pao can develop a test method for the control.
A SSP is definitely a living document. As the threat landscape changes and more vulnerabilities are detected in systems, changes must be made to prevent future breaches. There should be some kind of change management process in place when conducting changes on systems, especially high criticality systems. There should be a change review board consists of a group of advisors and stakeholders that review change requests, take decision about them and make sure that the change is successful. Then, there should be a change manager that is responsible for the proper execution of the change. This person is responsible for leading the review board, coordinating the change, and finally documenting it.
For companies, it is almost impossible to avoid all risks, so implementing risk management can help companies minimize risks and related impacts. Risk management will lead companies to access risk and classify the information they own, and to understand the different impact level of the information to the company’s operations. Also, it which helps to formulate and implement related risk management plans.
Risk management helps determine acceptable risk and where to invest in protection resources. An organization cannot mitigate all risk. Trying to harden every system for any kind of risk (large or small) can become expensive real fast. Risk management helps determine the critically of all the systems. Doing so will put them on a path to determine where they should spend their money in protection and which systems they can leave less guarded. Risk management also determines the scope (money spent) on disaster recovery should their be a major breach or incident.
What are some of the challenges that organizations face when developing system security plans?
Some challenges organizations might face while developing a system security plan is not identifying the proper individuals in scope. When drafting a system security plan, there has to be the proper teams involved to ensure everything is covered. Legal counsel, top level management, and also the people performing the day to day operations have to be involved in creating the plan and upholding it. Unless all parties are identified, it might become a compliance issue and the plan won’t be able to perform it’s intended use.
Hi Priyanka,
For a large enterprise with the project as its main business, when planning an enterprise-level project management information system. I think the hardest part would be the definition of management and business combination is the most difficult part, between the enterprise and the second-level unit, and the subordinate projects.
What teams must work together to successfully facilitate a system security plan?
A system security plan is primarily implemented in organizational IT environments. Based on this, I think that the important groups that facilitate a successful system security plan are the management and IT departments. By creating a system security plan within the company, employees can understand and learn the relevant knowledge and responsibilities of SSP.
How does a system security plan look for a larger organization in comparison to a smaller or new company?
What are some differences in a system security plan in a cloud environment versus a local environment?
What are the three common threat sources that typically apply in the threat identification process of risk management?
Threat identification is the process of identifying threat sources that have the potential to exploit some weakness in the information system.
The three common threat sources are:
1. Natural threats such as earthquakes, floods, tornadoes, hurricanes, etc.
2. Human threats (intentional or unintentional) such as insider threats etc.
3. Environmental threats such as power failure
FIPS, NIST and FISMA are all federal requirements for “federal” agencies. In the private sector, how would you as an IT professional convince the c-suite of a small company with limited budget to model their security policies against a stricter set of requirements? How would you approach “selling” them the idea?
Cybersecurity is a fairly new concept and seems “out of budget” for smaller organizations. However, the most impacted organizations who fall for cyber attacks are these smaller companies. Hackers with ill intent prey on these smaller organization because they are aware of their lack of a security infrastructure. By selling the idea of how much money can be lost from a lack of a plan, it’ll help these companies better understand the quantitative cost($$) of not having a plan.
With so many guidelines and recommendations available, how does an organization decide which one is best for them?
– Can deal with the changes and development trends of today’s security threats.
– Based on the existing construction conditions, we must fully tap the potential of technology and management and give full play to its role.
– There must be a focus on planning to solve key short-term issues; there must be planning goals and continuous progress towards excellence.
The plan should establish the overall goals suitable for the company’s current and future 2-5 years, implement them into a specific work framework, and carry out specific work plans according to and based on the working framework and safety construction status.
There are so many guidance and framework need to as a reference, What should a team do if they keeps different opinion on which guidance is the best one?
Align your mission and vision to the standard practices you want to implement. It’s imperative to have both teams — the business and the technology group– involved and aligned. Essentially it is the business that drives the technical requirements, not vice versa. I’d recommend a steering committee meeting be held with the key stakeholders from each side and draft a security plan that touches base on the frameworks and standards. Compliance is key so legal should be involved as well to assist with the “required” standard that the business must meet and then layer on the best industry practices.
How do organizations develop a clear and easy understanding system security plan for different departments?
For different departments, I think the organizations should classify departments by their functions. After classified, different departments can list authorized account, different level of access access, variety access control methods and other SSP plan’s content.
I think that to make things as easy to understand, since the SSP document is so large, to only provide each department with their section, that way it is clear to them what they are responsible for when it comes to authorization and what controls are in their field of accountability.
What individuals are involved in creating a System Security Plan? Who decides what controls get implemented?
What level of management is invited to develop a System Security Plan (SSP)? how are the subject matter experts and low level employees consulted?
Hi Prince,
Upper management such as VP’s should be invited to develop the System Security Plan. SME’s and other employees should be consulted by providing the more intricate details about the system such as the connection method, ports, services used, etc. Ultimately, I think this would be a document for the CISO to review and approve.
It seems like for federal agencies the security plan requirements, roles and responsibilities, scope and controls are mandated. How do agencies move quickly enough to keep their security plan up to date when technologies and bad actors are moving so fast? Is the plan more important than the risk mitigation?
Does FISMA require every federal agency to report on the confidentiality of all its information and information security procedures?
Why the SSP is important to a FedRAMP?
I think SSP is important to FedRAMP because it outlines who (the cloud service provider or the client) is responsible for what security controls. Essentially it assigns accountability. That way if there was a breach of an overlooked or misconfigured security control than there is a clear understanding as to who is at fault.
SSP is the basic file supporting fedramp evaluation. SSP is used by 3pao to develop safety assessment plan (SAP). Therefore, the SSP must provide sufficient details of how each control is implemented so that 3pao can develop a test method for the control.
Is a SSP a living document? If yes, who should should be responsible for making updates and keeping a version history?
A SSP is definitely a living document. As the threat landscape changes and more vulnerabilities are detected in systems, changes must be made to prevent future breaches. There should be some kind of change management process in place when conducting changes on systems, especially high criticality systems. There should be a change review board consists of a group of advisors and stakeholders that review change requests, take decision about them and make sure that the change is successful. Then, there should be a change manager that is responsible for the proper execution of the change. This person is responsible for leading the review board, coordinating the change, and finally documenting it.
What are the principles of enterprise information system security planning?
What are the advantages of implementing risk management practice?
For companies, it is almost impossible to avoid all risks, so implementing risk management can help companies minimize risks and related impacts. Risk management will lead companies to access risk and classify the information they own, and to understand the different impact level of the information to the company’s operations. Also, it which helps to formulate and implement related risk management plans.
Risk management helps determine acceptable risk and where to invest in protection resources. An organization cannot mitigate all risk. Trying to harden every system for any kind of risk (large or small) can become expensive real fast. Risk management helps determine the critically of all the systems. Doing so will put them on a path to determine where they should spend their money in protection and which systems they can leave less guarded. Risk management also determines the scope (money spent) on disaster recovery should their be a major breach or incident.
How do those responsible for developing a security plan guarantee that it will be effective when implemented?
What type of threat (natural, man-made, environmental) constitutes the greatest risk to the organization’s information system? What?