I want to talk about CIO, which stands for the Chief Information Officer. The chief information officer supports the company’s goals by guiding the use of information technology. He knows both technology and business processes and has a multi-functional concept. It is often best to closely integrate the organization’s technology deployment strategy and business strategy. Candidate.
Strategic level
The CIO’s responsibilities are to mine corporate information resources, formulate corporate informatization strategies, rationally deploy corporate informatization, and evaluate the enterprise’s value of informatization. Information resource planning is the primary responsibility of the CIO. The first step of informatization is information resource planning instead of product selection.
Executive level
Responsible for the integration of information flow, logistics, and capital flow, complete the selection and implementation of information systems, and collect and research internal and external information to provide a basis for decision-making. What is more important is to take on the supervision of e-commerce management and information engineering.
NIST 800-100 Information Security Handbook Chapter 8 highlights the importance of security planning to protect information and information systems. The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. In addition, it also delineates responsibilities and expected behavior of all individuals who access the system. There should be procedures in place outlining the responsibilities and accountabilities to review the plans, keep them current, and follow up on planned security controls. Roles and responsibilities should be clearly identified for the chief information officer, information system owner, information owner, senior agency information security officer, and information system security officer. The CIO is usually responsible for developing and maintaining an agency-wide information security program. One of the responsibilities of the CIO that I would like to highlight is to manage the identification, implementation, and assessment of common security controls.
Hi Priyanka, I agree with your point of view. The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The CIO is responsible for pointing out the direction of the IT security policy and having the senior staff carry out the plan and actions.
This document describes the importance of security planning in protecting information and information systems. It also provides a brief overview of the minimum safety controls to be considered in the planning process. Program managers, system owners and security personnel must understand the security planning process and provide valuable advice for the successful implementation of the program. Moreover, the identification of roles and responsibilities is essential to provide accountability in order to determine who will review the plan and follow up on the planned security controls. NIST documents require organizations to prepare procedures related to team members and their responsibilities, and to develop policies on the system security planning process.
Regarding system boundary analysis and security controls: before the system security plan can be developed, the information system and the information resident within that system must be categorized based on a FIPS 199 impact analysis. Then a determination can be made as to which systems in the inventory can be logically grouped into GSSs or MAs. This step is critical because before any IT professional tries to establish a system security plan, he or she would have to analyze what the system is, who is using it, how the users are using it, and what the system is for. After these questions, he/she can think about what the potential risks are, where they would come from, and how they would attack the system. This information is important because the IT staff will need it to establish a more complete and effective policy, plan, or procedure.
Hi Tingyen,
I agree with you. This chapter raises an important view that the system safety plan is a live document that requires periodic reviews, modifications, action plans, and mileposts for safety control. There should be appropriate procedures to outline who will review the plan, keep the plan up to date, and follow up on the planned safety controls. For any implementation project, the system safety plan should be an activity in the RACI matrix to ensure adequate allocation of responsibilities.
The eighth chapter shows the roles and responsibilities of project managers, system owners, and security personnel in the organization. The users of information systems and those responsible for defining system requirements should also be familiar with the system security planning process, in which each person has different functions in his position. These people have more rights to control system security. For example, the organization’s strategy should clearly define who is responsible for the approval of the system security plan. The board and management discussed compensation control and safety control.
Hi Haozhe,
I do see the importance of segregating duties between the different positions in an organization. When each job duty is clearly defined, it is easier for individuals to carry out their required duties, and makes everyone accountable and responsible for what falls under their position.
This document focuses on the importance of the system security plan. The system security plan’s purpose is to provide an overview of the security requirements of the system, and describe the controls in place or planned for meeting those requirements.
In the system security plan, it will introduce the different roles’ responsibilities and their expected behavior. For example, the CIO is the agency official responsible for developing and maintaining an agency-wide information security program, and has multiple responsibilities in system security planning. Program managers, system owners, security personnel, and any other people who can access the system need to understand the system security planning process. Also, chapter 8 introduces several security control methods and the maintenance process in the SSP.
Hi, Xinyi, I agree with your analysis. This document illustrates the different roles and responsibilities of the parties who are involved in the system security planning process. And this document clearly specifies the job responsibilities of each employee, which makes it easier for them to perform their duties and investigate their responsibilities.
The security plan provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements. FIPS 200 provides 17 minimum security requirements for federal information and information systems. These requirements address the management, operational, and technical aspects of protecting the confidentiality, integrity, and availability of federal information and information systems. Also, an agency must meet the minimum security requirements in FIPS 199 by applying security controls selected in accordance with NIST SP 800-53 and the designated impact levels of the information systems. NIST SP 800-53 has three impact levels during the security categorization process: low-impact, moderate-impact, and high-impact. In addition, once the information system security plan is accredited, it still needs ongoing system security plan maintenance to follow up on the subsequent situation.
The roles and responsibilities were clearly outlined in the NIST 800-100 documentation. The CIO, information system owner, information owner, SAISO, and ISSO each have important roles when creating the security plan of an organization. They are responsible for outlining, documenting, and implementing the compensating and security controls which will allow the company to keep confidentiality, integrity, and availability of the data and systems. They also must make sure they consistently review, update, and maintain the security controls. With their teamwork and efforts towards implementing the guidelines from NIST and the FIPS controls, the organization can plan their security and become compliant with federal guidelines.
Hi Jon,
The idea of having clearly outlined responsibilities gives each unit an edge in making a functional system security plan. When personnel know what is expected of their position, then responsibility and accountability can be imposed on them for those system units they are responsible for.
This chapter lists all the roles and responsibilities of the parties involved in the system security planning process. Some of the roles mentioned in the reading were the Chief Information Officer, who is responsible for such things as developing and maintaining information security policies, procedures, and control techniques to address system security planning. The CIO is also responsible for identifying and developing common security controls for the agency. The information system owner is responsible for the overall procurement, development, integration, modification, and operation and maintenance of the information system. A final role mentioned was the information owner. The information owner establishes the rules for the appropriate use and protection of the subject data/information. This person also is responsible for deciding who has access to the information system and determines what types of privileges or access rights are associated with it. The goal of system security planning is to improve the protection of the information resources.
Hi, Anthony
I noticed the same key point you mentioned. This chapter definitely emphasizes that system security planning helps enable organizations in improving their protection of information assets.
The key point from this reading is ensuring the Ongoing System Security Plan Maintenance is upheld after being accredited/implemented. With technology evolving rapidly, it is very easy for an organization to find themselves with outdated or obsolete system security plans. When changes occur within the organization, from personnel changes, infrastructure, system architecture, system status and scope, they must be updated as soon as possible in the System Security Plan. This proactive approach ensures all bases are covered should an incident occur at any given time.
Each organization needs to come up with a plan to keep these documents updated to reflect all changes and keep up with industry standards for recertification/re-accreditation of the plans as well. The concept of System Security Plans being a living document should always be upheld since threats evolve in nature at the same rate as, and at times even faster than, the measures.
Hi Humbert, I agree with your analysis as well. Ongoing monitoring should be in place so the organization has a process in place to address new risks or mitigate current risks. The system security plan should be a living document that is improved and built upon as the scope of the business environment changes and threats evolve.
From this reading, the point that caught my eye is the role of the information system owner, who is the person or department that is officially responsible for the overall procurement, development, integration, modification, operation, and maintenance of the information system. The information system owner has critical responsibilities related to the system security plan and planning process, including the development of the system security plan in coordination with information owners, the system administrator, the information system security officer (ISSO), the SAISO, and the functional “end users”. They take care of maintaining the system security plan and ensuring that the system is fully deployed and operated according to the agreed/desired information security requirements. The information system owner ensures that the system users and support team receive the appropriate and requisite security training. They also assist in the identification, implementation, and assessment of the common security controls.
Hi Prince
Like you, I was surprised at the level of detail and how prescriptive the responsibilities are in the Information Security Handbook. I focused more on the Information Owner and Information System Owner than the Senior Agency Information Security Officer (SAISO) and the ISSO. Particularly, in the rules of behavior and security plan approval process, collaboration between the roles is prescribed in the handbook and not necessarily left to the agency to decide how the roles interact. This prescriptive approach allows standardization and consolidation of security plans across the federal government.
I think one important point from this reading is that there are many different roles upper management is responsible for in security planning. The main positions responsible for security planning are the Chief Information Officer (CIO), Information System Owner, Information Owner, Senior Agency Information Security Officer (SAISO), and the Information System Security Officer (ISSO). The CIO develops and maintains the agency-wide information security program, designates a SAISO to assist in the CIO’s responsibilities for system security planning, and ensures that personnel are trained efficiently for system security plans. The information system owner is in charge of anything dealing with the overall maintenance of the information system, which includes developing a system security plan with the system administrator, ISSO, SAISO, and end users, as well as ensuring those involved have the proper security training. The information owner establishes the rules on how to use the data and how to protect it, and relays information to information system owners. They also determine who has access to the information. The SAISO carries out the CIO’s responsibilities for system security planning and is a bridge between the ISSOs and information system owners. Lastly is the ISSO, who authorizes the appropriate users to make sure that the information system is secure and being maintained. Each of these users has a symbiotic relationship with one another to ensure that the information system of an organization is as secure as can be.
A takeaway from this reading is during the certification and accreditation process, the SSP is analyzed, updated, and accepted. The certification confirms that the controls described in the plan are consistent with FIPS 199 and that vulnerability ID and initial risk determination is identified and documented in the SSP, risk assessment, or equivalent document. The results from the certification are used to reassess risks, develop the POA&Ms and update the SSP therefore providing factual basis for an authorizing official to render an accreditation decision.
Selecting the appropriate security controls is important, and they can mitigate the risk and improve the business operation. Before this action, the organization should have a very effective risk assessment. It will tell the organization what kinds of risk categories are occurring and the risk rating. After defining the rating of impact, the management will start to control the risk from high to low. Usually, the management will put many more resources into mitigating the high-impact risk, and it will follow the security controls, which are defined in NIST SP 800-53, to meet its satisfaction. If the management has had the issue of identifying incorrect risk categories and ratings, it is going in the wrong direction to solve the problem, or it may increase the risk rather than mitigate it. Therefore, I think the effective risk assessment and the appropriate security controls supplement each other.
In the information security plan, the responsibilities of company management and personnel are clearly subdivided. The management should not allow information security to be merely an afterthought, but should take proactive strategic measures. Too many security incidents show that many companies have not improved their information security capabilities while achieving rapid business development. It is not enough to have information security leaders and security committees that can communicate and coordinate both inside and outside the company. Massive amounts of information and data are created, displayed, disseminated, used and exchanged by massive business chain end users. The security of these information and data undoubtedly also needs collaboration of these end users.
I agree with your comment that information security should be a proactive approach. In order to create a successful plan, there must be “buy-in” from the subject matter experts. The SMEs are able to provide the details about how the system processes work and how they relate to one another. Additionally, the technical details provided can help the information security team provide guidance on how to harden the system.
System security plans are living documents that require periodic review, modification, and plans of action and milestones (POA&M) for implementing security controls. POA&Ms are key to both the Authorization process (C&A) and also the Continuous Monitoring process. Either before or during Authorization, an assessment of security controls is needed for a POA&M. The POA&M helps describe the security categorization (High, Medium, Low). It enumerates weaknesses and deficiencies in security controls, evaluates the importance of those weaknesses and deficiencies, describes the scope of each weakness as it relates to components in the environment, and proposes an approach to the mitigation of weaknesses and deficiencies while describing the current progress in mitigating them. The POA&M provides a rigorous and structured approach to tracking and implementing risk-mitigating controls.
As working spaces become more reliant on technology, each organization should create a baseline of security controls to keep their information and information systems safe. In security planning, FIPS 200 provides seventeen minimum security requirements for federal information and information systems. The security requirements create a baseline of controls that should be in place to address the management, operational, and technical aspects of the business based on the CIA triad. Each agency must meet the minimum requirements of FIPS 199 to achieve “adequate security”.
The first step of developing a system security plan is to categorize the information system by FIPS 199 impact analyses based on 3 designated impact levels – low, moderate, and high. From each baseline, the controls can be tailored based on the risk assessed, the local conditions, organization-specific requirements and threat information, the results of cost-benefit analyses, compensating controls at hand, and special circumstances that may occur. Other control-tailoring activities that can be done are “the application of scoping guidance, the specification of compensating controls, and specification of agency-defined parameters”. All tailoring of these security controls must be documented in the system security plan.
I agree with your analysis. FIPS 199’s categorization of impact levels of low, moderate, and high helps organizations with making a baseline of controls to keep information from being put at risk from common threats. This also works in conjunction with the CIA triad to determine how information should be managed and viewed.
The reading summarizes how federal agencies are to build their security plan. The chapter covers roles and responsibilities related to the security plan, behavior rules for agency personnel, the approval process for the security plan, how the security controls are to be selected, security plan approval dates, and the frequency and scope of updates to the plan. I found the rules of behavior interesting in this reading, where every agency needs to have documented rules of behavior. In the rules, the responsibilities, expected use of the system, and behavior of all users are required. The rules need to describe appropriate limits on interconnections and define service provisions and restoration priorities. They also need to outline clear consequences of behavior not consistent with the rules. And the rules need to cover work at home, dial-in access, connection to the Internet, use of copyrighted work, unofficial use of government equipment, assignment and limitations of system privileges and individual accountability, password usage, and searching databases and divulging agency information.
The key takeaway I took from this reading is collaboration. No one role is more important, no one control is better. Without the team effort and mentality the SSP will fail. If one stakeholder is misinformed the SSP will fail. If the wrong person selects the wrong controls, the SSP will fail. It is the weakest link. Security Planning is not just about implementing policies, it is about understanding your threat environment and all the actors in it and how they impact each area of the SSP. Then tap into those resources explicitly. This collaboration drives the planning process to include the right individuals (there is a very long list listed), review the right controls to implement, and choose the right approach for each data type risk.
The effort of collaboration is ongoing even after the SSP has been produced and delivered. Periodic review is required.
Hi, Vanessa. I agree with you that collaboration is important for the company. I think it is usually a team or different departments that complete the SSP. As you said, if the wrong person, who is not familiar with the company environment, implements the control, the SSP will be ineffective. Also, the department manager has a better understanding of his or her operational environment, so the manager can help complete the SSP efficiently.
Hi Vanessa, thank you for your perspective and the valuable response. I couldn’t agree more with you about collaboration being one of the most important activities to get a successful SSP. The SSP is a document and discipline that requires inputs from many different roles and many different departments. All these inputs must be organized in the right way for the SSP to be as per the standard. This is impossible without proper collaboration between these parties and the stakeholders. As collaboration is a soft skill, many organizations may often give it less importance than it needs.
Chapter 8 outlines the process of security planning and its importance for managing the risk of information systems. It goes on to discuss the usage of FIPS 199 to categorize an organization’s information systems based off of impact levels low, moderate, and high. Based off of the security categorization of Federal Information and Information Systems, there are minimum security requirements the system must meet in order to be compliant. The minimum security requirements are composed of seventeen different control families and can be found in FIPS 200. After this, NIST SP 800-53 can be used to determine what controls and safeguards can be implemented to meet the security requirements. The process of security planning is important to complete because the goal is to minimize risk and improve on the overall protection of the information system.
Zibai Yang says
I want to talk about CIO, which stands for the Chief Information Officer. The chief information officer supports the company’s goals by guiding the use of information technology. He knows both technology and business processes and has a multi-functional concept. It is often best to closely integrate the organization’s technology deployment strategy and business strategy. Candidate.
Strategic level
The CIO’s responsibilities are to mine corporate information resources, formulate corporate informatization strategies, rationally deploy corporate informatization, and evaluate the enterprise’s value of informatization. Information resource planning is the primary responsibility of the CIO. The first step of informatization is information resource planning instead of product selection.
Executive level
Responsible for the integration of information flow, logistics, and capital flow, complete the selection and implementation of information systems, and collect and research internal and external information to provide a basis for decision-making. What is more important is to take on the supervision of e-commerce management and information engineering.
Priyanka Ranu says
NIST 800 100 Information Security Handbook Chapter 8 highlights the importance of security planning to protect information and information systems. The purpose of the system security plan(SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. In addition, it also delineates responsibilities and expected behavior of all individuals who access the system. There should be procedures in place outlining the responsibilities and accountabilities to review the plans, keeping it current, and follow up on planned security controls. Roles and responsibilities should be clearly identified for the chief information officer, information system owner, information owner, senior agency information security officer, and information system security officer. The CIO is usually responsible for developing and maintaining an agency-wide information security program. One of the responsibilities of the CIO that I would like to highlight is to manage the identification, implementation, and assessment of common security controls.
Ting-Yen Huang says
Hi Priyanka, I agree with your point of view. The purpose of the system security plan(SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The CIO is responsible for point out the direction of the IT security policy and have the senior staff carrying out the plane and action.
Wenyao Ma says
This document describes the importance of security planning in protecting information and information systems. It also provides a brief overview of the minimum safety controls to be considered in the planning process. Program managers, system owners and security personnel must understand the security planning process and provide valuable advice for the successful implementation of the program. Moreover, the identification of roles and responsibilities is essential to provide accountability in order to determine who will review the plan and follow up on the planned security controls. NIST documents require organizations to prepare procedures related to team members and their responsibilities, and to develop policies on the system security planning process.
Ting-Yen Huang says
For the system boundary analysis and security controls, Before the system security plan can be developed, the information system and the information resident within that system must be categorized based on a FIPS 199 impact analysis. Then a determination can be made as to which systems in the inventory can be logically grouped into GSSs or MAs. This step is critical because before any IT professional trying to establish an system security plan, it would have to analyze what is the system and who are using them, how are the user using them, and what is the system for. After these question, then he/she can think about what is the potential risk, and where would they come from, and how would it attack the system. These information is important, because the IT staff will needs these information to establish a more complete and effective policy, place or procedure.
Haozhe Lin says
Hi Tingyen,
I agree with you. This chapter raises an important view that the system safety plan is a live document that requires periodic reviews, modifications, action plans, and mileposts for safety control. There should be appropriate procedures to outline who will review the plan, keep the plan up to date, and follow up the planned safety control. For any implementation project, the system safety plan should be an activity in the RACI matrix to ensure adequate allocation of responsibilities.
Haozhe Lin says
The eighth chapter shows the roles and responsibilities of project managers, system owners, and security personnel in the organization. The users of information systems and those responsible for defining system requirements should also be familiar with the system security planning process, in which each person has different functions in his position. These people have more rights to control system security. For example, the organization’s strategy should clearly define who is responsible for the approval of the system security plan. The board and management discussed compensation control and safety control.
Humbert Amiani says
Hi Haozhe,
I do see the importance of segregating duties between the different positions in an organization. When each job duty is clearly defined, it is easier for individuals to carry out their required duties, and makes everyone accountable and responsible for what falls under their position.
Xinyi Zheng says
This document focus on the importance of system security plan. The system security plan’s purpose is to provide an overview of the security requirements of the system, and describe the controls in place or planned for meeting those requirements.
In the system security plan, it will introduce the different roles’ responsibilities and their expected behavior. For example, the CIO is the agency official responsible for developing and maintaining an agency-wide information security program, and have multiple responsibilities in system security planning. Program managers, system owners, and security personnel and any other people who can access the system need to understand the system security planning process. Also, chapter8 introduce the several security control method and maintenance process in the SSP.
Zhen Li says
Hi, Xinyi, I agree with your analysis, this document illustrate the different roles and responsibilities of the parties who involved in the system security planning process. And this document clearly specifies the job responsibilities of each employee, which makes it easier for them to perform their duties and investigate their responsibilities
Zhen Li says
The security plan provided an overview of the security requirement of the system and describe the controls in place or planned for meeting those requirement. The FIPS 200 provides 17 minimum security requirements for federal information and information system. And these requirements addresses the management, operational, and technical aspects of protecting the confidentiality, integrity, and
availability of federal information and information systems. Also, an agency must meet the minimum security requirements in FIPS 199 by applying security controls selected in accordance with NIST SP 800-53 and the designated impact levels of the information systems. NIST SP 800-53 has three impact level during the security categorization process, there are low-impact, moderate-impact, high-impact. In addition, once the information system security plan is accredited, it’s still need to do the ongoing system security plan maintenance to follow up the subsequent situation.
Jonathan Castelli says
The roles and responsibilities were clearly outlined in the NIST 800-100 documentation. The CIO, Information system owner, information owner, SAISO, and ISSO each have important roles when creating the security plan of an organization. They are responsible for outlining, documenting, and implementing the compensating and security controls which will allow the company to keep confidentiality, integrity and availability of the data and systems. They also must make sure they consistently review, update, and maintain the security controls. With their teamwork and efforts towards implementing the guidelines from NIST and the FIPS controls, the organization can plan their security and becoming compliant with federal guidelines.
Humbert Amiani says
Hi Jon,
The idea of having clearly outlined responsibilities gives each unit an edge in making a functional system security plan. When personnel know what is expected of their position, then responsibility and accountability can be imposed on them for those system units they are responsible for.
Anthony Messina says
This chapter lists all the roles and responsibilities of the parties involved in the system security planning process. One of the roles mentioned in the reading was the Chief Information Officer, who is responsible for such things as developing and maintaining information security policies, procedures, and control techniques to address system security planning. The CIO is also responsible for identifying and developing common security controls for the agency. The information system owner is responsible for the overall procurement, development, integration, modification, and operation and maintenance of the information system. A final role mentioned was the information owner. The information owner establishes the rules for the appropriate use and protection of the subject data/information. This person is also responsible for deciding who has access to the information system and determines what types of privileges or access rights are associated with it. The goal of system security planning is to improve the protection of the information resources.
Wenyao Ma says
Hi, Anthony,
I noticed the same key point you mentioned. This chapter definitely emphasizes that system security planning helps enable organizations in improving their protection of information assets.
Humbert Amiani says
The key point from this reading is ensuring that ongoing system security plan maintenance is upheld after the plan is accredited/implemented. With technology evolving rapidly, it is very easy for an organization to find itself with outdated or obsolete system security plans. When changes occur within the organization, whether in personnel, infrastructure, system architecture, or system status and scope, they must be reflected in the system security plan as soon as possible. This proactive approach ensures all bases are covered should an incident occur at any given time.
Each organization needs to come up with a plan to keep these documents updated to reflect all changes and to keep up with industry standards for recertification/re-accreditation of the plans as well. The concept of the system security plan as a living document should always be upheld, since threats evolve at the same rate as, and at times even faster than, the measures against them.
Mei X Wang says
Hi Humbert, I agree with your analysis as well. Ongoing monitoring should be in place so the organization has a process in place to address new risks or mitigate current risks. The system security plan should be a living document that is improved and built upon as the scope of the business environment changes and threats evolve.
Prince Patel says
From this reading, the point that caught my eye is that the information system owner is the person or department officially responsible for the overall procurement, development, integration, modification, operation, and maintenance of the information system. The information system owner has critical responsibilities related to the system security plan and the planning process, including the development of the system security plan in coordination with information owners, the system administrator, the information system security officer (ISSO), the SAISO, and the functional "end users". They take care of maintaining the system security plan and ensuring that the system is fully deployed and operated according to the agreed/desired information security requirements. The information system owner ensures that the system users and support team receive the appropriate and requisite security training. They also assist in the identification, implementation, and assessment of the common security controls.
Heather Ergler says
Hi Prince,
Like you, I was surprised at the level of detail and how prescriptive the responsibilities are in the Information Security Handbook. I focused more on the Information Owner and Information System Owner than on the Senior Agency Information Security Officer (SAISO) and the ISSO. In particular, in the rules of behavior and the security plan approval process, collaboration between the roles is prescribed in the handbook and not necessarily left to the agency to decide how the roles interact. This prescriptive approach allows standardization and consolidation of security plans across the federal government.
Krish Damany says
I think one important point from this reading is that there are many different roles upper management is responsible for in security planning. The main positions responsible for security planning are the Chief Information Officer (CIO), Information System Owner, Information Owner, Senior Agency Information Security Officer (SAISO), and the Information System Security Officer (ISSO). The CIO develops and maintains the agency-wide information security program, designates a SAISO to assist in the CIO's responsibilities for system security planning, and ensures that personnel are trained efficiently for system security plans. The information system owner is in charge of anything dealing with the overall maintenance of the information system, which includes developing a system security plan with the system administrator, ISSO, SAISO, and end users, as well as ensuring those involved have the proper security training. The information owner establishes the rules on how to use the data and how to protect it, and relays that information to information system owners. They also determine who has access to the information. The SAISO carries out the CIO's responsibilities for system security planning and is a bridge between the ISSOs and information system owners. Lastly, there is the ISSO, who authorizes the appropriate users to make sure that the information system is secure and being maintained. Each of these roles has a symbiotic relationship with the others to ensure that the information system of an organization is as secure as can be.
Austin Mecca says
A takeaway from this reading is that during the certification and accreditation process, the SSP is analyzed, updated, and accepted. The certification confirms that the controls described in the plan are consistent with FIPS 199 and that vulnerability identification and the initial risk determination are documented in the SSP, risk assessment, or equivalent document. The results from the certification are used to reassess risks, develop the POA&Ms, and update the SSP, thereby providing a factual basis for an authorizing official to render an accreditation decision.
Cami Chen says
Selecting the appropriate security controls is important, as they can mitigate risk and improve business operations. Before this action, the organization should have a very effective risk assessment. It will tell the organization which risk categories are occurring and their risk ratings. After defining the rating of impact, management will start to control the risks from high to low. Usually, management will put many more resources into mitigating the high-impact risks, and it will follow the security controls defined in NIST SP 800-53 to meet its satisfaction. If management has identified the wrong risk categories and ratings, it will go in the wrong direction in solving the problem, and it may increase the risk rather than mitigate it. Therefore, I think an effective risk assessment and the appropriate security controls supplement each other.
Junhan Hao says
In the information security plan, the responsibilities of company management and personnel are clearly subdivided. Management should not allow information security to be merely an afterthought, but should take proactive strategic measures. Too many security incidents show that many companies have not improved their information security capabilities while achieving rapid business development. It is not enough to have information security leaders and security committees that can communicate and coordinate both inside and outside the company. Massive amounts of information and data are created, displayed, disseminated, used, and exchanged by the many end users along the business chain. The security of this information and data undoubtedly also needs the collaboration of these end users.
Anthony Wong says
Hi Junhan,
I agree with your comment that information security should be a proactive approach. In order to create a successful plan, there must be "buy-in" from the subject matter experts. The SMEs are able to provide the details about how the system processes work and how they relate to one another. Additionally, the technical details provided can help the information security team provide guidance on how to harden the system.
Kyuande Johnson says
System security plans are living documents that require periodic review, modification, and plans of action and milestones (POA&M) for implementing security controls. POA&Ms are key to both the authorization process (C&A) and the continuous monitoring process. Either before or during authorization, an assessment of security controls is needed for a POA&M. The POA&M helps describe the security categorization (High, Medium, Low). It enumerates weaknesses and deficiencies in security controls, evaluates the importance of those weaknesses and deficiencies, describes the scope of each weakness as it relates to components in the environment, and proposes an approach to the mitigation of the weaknesses and deficiencies while describing the current progress in mitigating them. The POA&M provides a rigorous and structured approach to tracking and implementing risk-mitigating controls.
Mei X Wang says
As working spaces become more reliant on technology, each organization should create a baseline of security controls to keep its information and information systems safe. In security planning, FIPS 200 provides seventeen minimum security requirements for federal information and information systems. The security requirements create a baseline of controls that should be in place to address the management, operational, and technical aspects of the business based on the CIA triad. Each agency must meet the minimum requirements of FIPS 199 to achieve "adequate security".
The first step of developing a system security plan is to categorize the information system by FIPS 199 impact analysis based on 3 designated impact levels: low, moderate, and high. From each baseline, the controls can be tailored based on the risk assessed, the local conditions, organization-specific requirements and threat information, the results of cost-benefit analyses, compensating controls at hand, and special circumstances that may occur. Other control-tailoring activities that can be done are "the application of scoping guidance, the specification of compensating controls, and specification of agency-defined parameters". All tailoring of these security controls must be documented in the system security plan.
Krish Damany says
I agree with your analysis. FIPS 199’s categorization of impact levels of low, moderate, and high helps organizations with making a baseline of controls to keep information from being put at risk from common threats. This also works in conjunction with the CIA triad to determine how information should be managed and viewed.
Heather Ergler says
The reading summarizes how federal agencies are to build their security plan. The chapter covers roles and responsibilities related to the security plan, behavior rules for agency personnel, the approval process for the security plan, how the security controls are to be selected, security plan approval dates, and the frequency and scope of updates to the plan. I found the rules of behavior interesting in this reading, where every agency needs to have documented rules of behavior. In the rules, the responsibilities, expected use of the system, and behavior of all users are required. The rules need to describe appropriate limits on interconnections and define service provisions and restoration priorities. They also need to outline clear consequences of behavior not consistent with the rules. And the rules need to cover work at home, dial-in access, connection to the Internet, use of copyrighted work, unofficial use of government equipment, assignment and limitations of system privileges and individual accountability, password usage, and searching databases and divulging agency information.
Vanessa Marin says
The key takeaway I took from this reading is collaboration. No one role is more important, no one control is better. Without the team effort and mentality the SSP will fail. If one stakeholder is misinformed, the SSP will fail. If the wrong person selects the wrong controls, the SSP will fail. It is the weakest link. Security planning is not just about implementing policies; it is about understanding your threat environment and all the actors in it and how they impact each area of the SSP. Then tap into those resources explicitly. This collaboration drives the planning process to include the right individuals (there is a very long list), review the right controls to implement, and choose the right approach for each data type's risk.
The effort of collaboration is ongoing even after the SSP has been produced and delivered. Periodic review is required.
Cami Chen says
Hi, Vanessa. I agree with you that collaboration is important for the company. I think that usually it is a team or different departments that complete the SSP. As you said, if the wrong person, who is not familiar with the company environment, implements the control, the SSP will be ineffective. Also, the department manager has a better understanding of his or her operational environment, so the manager can help complete the SSP efficiently.
Prince Patel says
Hi Vanessa, thank you for your perspective and the valuable response. I couldn't agree more with you about collaboration being one of the most important activities to get a successful SSP. The SSP is a document and discipline that requires inputs from many different roles and many different departments. All these inputs must be organized in the right way for the SSP to be as per the standard. This is impossible without proper collaboration between these parties and the stakeholders. As collaboration is a soft skill, many organizations may often give it less importance than it needs.
Anthony Wong says
Chapter 8 outlines the process of security planning and its importance for managing the risk of information systems. It goes on to discuss the usage of FIPS 199 to categorize an organization's information systems based on the impact levels low, moderate, and high. Based on the security categorization of federal information and information systems, there are minimum security requirements the system must meet in order to be compliant. The minimum security requirements are composed of seventeen different control families and can be found in FIPS 200. After this, NIST SP 800-53 can be used to determine what controls and safeguards can be implemented to meet the security requirements. The process of security planning is important to complete because the goal is to minimize risk and improve the overall protection of the information system.