Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.701 ■ Spring 2021 ■ Jose Gomez

My question about System Security Plans to discuss with my classmates

January 20, 2021 by Jose Gomez 34 Comments

Filed Under: 02 - System Security Plan

Comments

  1. Priyanka Ranu says

    January 23, 2021 at 10:54 pm

    What are some of the challenges that organizations face when developing system security plans?

    • Mei X Wang says

      January 25, 2021 at 7:57 pm

      Some challenges organizations might face while developing a system security plan are not identifying the proper individuals in scope. When drafting a system security plan, the proper teams have to be involved to ensure everything is covered. Legal counsel, top-level management, and also the people performing the day-to-day operations have to be involved in creating the plan and upholding it. Unless all parties are identified, it might become a compliance issue and the plan won’t be able to perform its intended use.

    • Zibai Yang says

      January 26, 2021 at 10:31 am

      Hi Priyanka,
      For a large enterprise with projects as its main business, when planning an enterprise-level project management information system, I think the hardest part would be defining the combination of management and business between the enterprise, the second-level unit, and the subordinate projects.

  2. Mei X Wang says

    January 24, 2021 at 10:43 am

    What teams must work together to successfully facilitate a system security plan?

    • Xinyi Zheng says

      January 26, 2021 at 7:30 am

      A system security plan is primarily implemented in organizational IT environments. Based on this, I think that the important groups that facilitate a successful system security plan are the management and IT departments. By creating a system security plan within the company, employees can understand and learn the relevant knowledge and responsibilities of the SSP.

  3. Austin Mecca says

    January 24, 2021 at 4:55 pm

    How does a system security plan look for a larger organization in comparison to a smaller or new company?

  4. Krish Damany says

    January 24, 2021 at 6:27 pm

    What are some differences in a system security plan in a cloud environment versus a local environment?

  5. Anthony Messina says

    January 24, 2021 at 7:59 pm

    What are the three common threat sources that typically apply in the threat identification process of risk management?

    • Priyanka Ranu says

      January 25, 2021 at 10:14 pm

      Threat identification is the process of identifying threat sources that have the potential to exploit some weakness in the information system.

      The three common threat sources are:

      1. Natural threats such as earthquakes, floods, tornadoes, hurricanes, etc.
      2. Human threats (intentional or unintentional) such as insider threats etc.
      3. Environmental threats such as power failure

  6. Vanessa Marin says

    January 24, 2021 at 8:47 pm

    FIPS, NIST and FISMA are all federal requirements for “federal” agencies. In the private sector, how would you as an IT professional convince the c-suite of a small company with limited budget to model their security policies against a stricter set of requirements? How would you approach “selling” them the idea?

    • Mei X Wang says

      January 25, 2021 at 8:01 pm

      Cybersecurity is a fairly new concept and seems “out of budget” for smaller organizations. However, the most impacted organizations who fall for cyber attacks are these smaller companies. Hackers with ill intent prey on these smaller organizations because they are aware of their lack of a security infrastructure. By selling the idea of how much money can be lost from a lack of a plan, it’ll help these companies better understand the quantitative cost ($$) of not having a plan.

  7. Jonathan Castelli says

    January 24, 2021 at 9:11 pm

    With so many guidelines and recommendations available, how does an organization decide which one is best for them?

    • Zibai Yang says

      January 26, 2021 at 9:59 am

      – Can deal with the changes and development trends of today’s security threats.
      – Based on the existing construction conditions, we must fully tap the potential of technology and management and give full play to its role.
      – There must be a focus on planning to solve key short-term issues; there must be planning goals and continuous progress towards excellence.

      The plan should establish the overall goals suitable for the company’s current and future 2-5 years, implement them into a specific work framework, and carry out specific work plans according to and based on the working framework and safety construction status.

  8. Zhen Li says

    January 24, 2021 at 10:19 pm

    There are so many guidance documents and frameworks to use as a reference. What should a team do if they keep holding different opinions on which guidance is the best one?

    • Vanessa Marin says

      January 26, 2021 at 8:17 pm

      Align your mission and vision to the standard practices you want to implement. It’s imperative to have both teams — the business and the technology group — involved and aligned. Essentially it is the business that drives the technical requirements, not vice versa. I’d recommend a steering committee meeting be held with the key stakeholders from each side to draft a security plan that touches base on the frameworks and standards. Compliance is key, so legal should be involved as well to assist with the “required” standard that the business must meet, and then layer on the best industry practices.

  9. Cami Chen says

    January 24, 2021 at 10:50 pm

    How do organizations develop a clear and easy understanding system security plan for different departments?

    • Xinyi Zheng says

      January 26, 2021 at 7:37 am

      For different departments, I think the organizations should classify departments by their functions. After classification, different departments can list authorized accounts, different levels of access, various access control methods, and other content of the SSP.

    • Austin Mecca says

      January 26, 2021 at 10:35 am

      I think that to make things as easy to understand as possible, since the SSP document is so large, each department should only be provided with its own section; that way it is clear to them what they are responsible for when it comes to authorization and what controls are in their field of accountability.

  10. Kyuande Johnson says

    January 24, 2021 at 10:55 pm

    What individuals are involved in creating a System Security Plan? Who decides what controls get implemented?

  11. Prince Patel says

    January 24, 2021 at 11:06 pm

    What level of management is invited to develop a System Security Plan (SSP)? How are the subject matter experts and low-level employees consulted?

    • Anthony Wong says

      January 26, 2021 at 12:27 pm

      Hi Prince,

      Upper management such as VPs should be invited to develop the System Security Plan. SMEs and other employees should be consulted to provide the more intricate details about the system, such as the connection method, ports, services used, etc. Ultimately, I think this would be a document for the CISO to review and approve.

  12. Heather Ergler says

    January 24, 2021 at 11:17 pm

    It seems like for federal agencies the security plan requirements, roles and responsibilities, scope and controls are mandated. How do agencies move quickly enough to keep their security plan up to date when technologies and bad actors are moving so fast? Is the plan more important than the risk mitigation?

  13. Junhan Hao says

    January 24, 2021 at 11:20 pm

    Does FISMA require every federal agency to report on the confidentiality of all its information and information security procedures?

  14. Xinyi Zheng says

    January 25, 2021 at 9:26 am

    Why is the SSP important to FedRAMP?

    • Anthony Messina says

      January 26, 2021 at 9:36 am

      I think the SSP is important to FedRAMP because it outlines who (the cloud service provider or the client) is responsible for what security controls. Essentially it assigns accountability. That way, if there was a breach of an overlooked or misconfigured security control, then there is a clear understanding as to who is at fault.

    • Haozhe Lin says

      January 27, 2021 at 6:46 pm

      The SSP is the basic file supporting FedRAMP evaluation. The SSP is used by the 3PAO to develop the safety assessment plan (SAP). Therefore, the SSP must provide sufficient details of how each control is implemented so that the 3PAO can develop a test method for the control.

  15. Anthony Wong says

    January 25, 2021 at 6:07 pm

    Is an SSP a living document? If yes, who should be responsible for making updates and keeping a version history?

    • Anthony Messina says

      January 26, 2021 at 10:00 am

      An SSP is definitely a living document. As the threat landscape changes and more vulnerabilities are detected in systems, changes must be made to prevent future breaches. There should be some kind of change management process in place when conducting changes on systems, especially high-criticality systems. There should be a change review board consisting of a group of advisors and stakeholders that review change requests, make decisions about them, and make sure that the change is successful. Then, there should be a change manager who is responsible for the proper execution of the change. This person is responsible for leading the review board, coordinating the change, and finally documenting it.

  16. Zibai Yang says

    January 25, 2021 at 9:15 pm

    What are the principles of enterprise information system security planning?

  17. Wenyao Ma says

    January 26, 2021 at 2:33 am

    What are the advantages of implementing risk management practice?

    • Xinyi Zheng says

      January 26, 2021 at 7:55 am

      For companies, it is almost impossible to avoid all risks, so implementing risk management can help companies minimize risks and related impacts. Risk management will lead companies to assess risk and classify the information they own, and to understand the different impact levels of the information on the company’s operations. It also helps to formulate and implement related risk management plans.

    • Anthony Messina says

      January 26, 2021 at 9:45 am

      Risk management helps determine acceptable risk and where to invest in protection resources. An organization cannot mitigate all risk. Trying to harden every system for any kind of risk (large or small) can become expensive really fast. Risk management helps determine the criticality of all the systems. Doing so will put them on a path to determine where they should spend their money on protection and which systems they can leave less guarded. Risk management also determines the scope (money spent) on disaster recovery should there be a major breach or incident.

  18. Humbert Amiani says

    January 26, 2021 at 10:29 pm

    How do those responsible for developing a security plan guarantee that it will be effective when implemented?

  19. Haozhe Lin says

    January 27, 2021 at 6:06 pm

    What type of threat (natural, man-made, environmental) constitutes the greatest risk to the organization’s information system? What?

