Lauren Deinhardt says
In this reading, my biggest takeaway was the parallel between the FedRAMP High baseline and the federal information system security plan guidelines provided by NIST SP 800-18 Rev. 1. The importance of FIPS, information classification, determining a POC, etc. is mirrored between the publications. If I were to audit an information system (federal or not), I would use the FedRAMP-provided template in doing so. FedRAMP is a government standard in the information security/cybersecurity discipline which sets a baseline for overall security across the entire industry. In my experience working with compliance at a FedRAMP High organization, I can confirm that FedRAMP compliance is more rigorous than PCI DSS, ISO 27001, and even HIPAA (of course this depends on the scope of the environment given). I highly recommend that any information security stakeholder read this publication.
Michael Jordan says
One key point that I took from the FedRAMP System Security Plan (SSP) High Baseline Template is the importance of executives and upper-level managers being involved in creating a properly functioning SSP. This is important because one of the most valuable inputs while creating an SSP is the proper security categorization of information assets. In my opinion, it is difficult to ensure proper classification and inclusion of all information assets without some of the highest-level employees being involved, since they know the business the best and may have access to resources that lower-level employees do not. Another reason that executives and upper-level managers are so important in creating an SSP is that, more likely than not, several of these individuals (especially IT/IS executives and managers) will be listed as points of contact for the system and may be the primary individuals responsible for maintaining and updating the SSP.
Another key point that I took from this reading is how important it is to always have written policies and procedures. Updates cannot be made and audits cannot be performed to “policies and procedures” that are not explicitly written down and commonly referred to.
Madalyn Stiverson says
The reading showed data flow maps and network diagrams. It showed how data moves through the network in various stages before finally reaching the database. There were multiple stages as the data came from the internet, went to the IDS, through the web server, the application server, and finally the database. At each step the data took, there was a firewall. It also showed that the development, production, and testing networks were all separate.
Having a data flow chart provides a graphical representation of the movement of data. Mapping out the system helps you identify weak points, areas for improvement, or helps you plan system implementation.
Kelly Sharadin says
Hi Madalyn,
A data flow chart is a great resource to share with the type of stakeholders required to participate in system security planning, for the very reasons you have highlighted. For instance, if we identify that the information type our organization uses is spatial data, we would want to visualize how this geospatial data is stored in databases, how that information is pushed out to field workers, and where in that data pipeline the data is vulnerable to compromise. Once we can identify weaknesses, assigning security controls becomes a more manageable task. Thanks for your post!
Kelly
Kelly Sharadin says
My cybersecurity experience so far has primarily been in the field of incident response. I am quite familiar with reading and creating incident response plans, but no plan goes into such granular detail as a FedRAMP System Security Plan. Although somewhat of a living document, a system security plan is more geared towards the initial development of identifying information systems and types, assigning security categorization, and selecting the appropriate controls and their status of implementation (fully or partially implemented, etc.). An SSP can serve as a guide. More importantly, it serves as a compliance and auditing mechanism that verifies a system’s security state, denoted by the questionnaire style throughout the plan template. From an incident responder’s perspective, though, having a readily available document that lists the information system owners is incredibly useful during investigations, especially the Applicable Laws and Regulations section, which outlines the relevant laws that apply to the system for privacy officers.
kofi bonsu says
After reading through this article, I became convinced that the template provides an overview of the security requirements for the information system and explains the measures in place or planned for implementation to afford a level of security appropriate for the information to be transmitted, processed or stored by the system. Information security is fundamentally important to our critical infrastructure, and its effective performance and protection is a key component of our national security program. The article further states that proper management of information technology systems is extremely vital to ensure the confidentiality, integrity and availability of the data transmitted, processed or stored by the information system (the template’s “Enter Information System Abbreviation” placeholder). This is a template explaining a system security plan provided by a Cloud Service Provider (CSP) to a client. It is extremely essential to take into consideration that this document describes the security requirements of both the Cloud Service Provider and the client. Going through this article thoroughly, it became increasingly clear that the CSP is not responsible for all security measures of the system that is hosted in their cloud infrastructure. The template primarily explains where all security controls came from; hence it is clear beyond doubt whose responsibility it is to implement and monitor them. In that regard, should there be a breach, the fault may not fall entirely on the CSP.
Kelly Sharadin says
Hi Kofi,
Thoughtful analysis to call out the shared responsibility aspects that CSPs and their clients have to identify regarding who is responsible for protecting what and enforcing security. When it comes to the cloud, primarily a service provider like AWS, Azure, or GCP, the ownership is on the client to lock down their environment to ensure the proper controls and visibility are configured. To that end, creating a plan and documenting how the client enables security within its environment is a valuable auditing and compliance measure. Thanks!
Kelly
Patrick Jurgelewicz says
My key takeaway from this reading is how important organization and consistency are in the cybersecurity field. This template allows for a variety of different information to be displayed in one uniform format, which is critical in an industry that requires professionals to be up-to-date and on the same page when facing various threats. As mentioned above, this also exemplifies the importance of having written policies and procedures, as this industry requires security to be performed in a proficient and repeatable way. In all, this template is necessary to relay the formalized information of a security plan.
Kelly Sharadin says
Hi Patrick,
Simply put, I agree wholeheartedly. So much confusion happens in cybersecurity when departments within an organization have no consistency and unity in their policies or deployments. Now imagine that inconsistency across the industry as a whole: what a mess. I believe this is where it is our responsibility as a nation to seek cybersecurity best practices and to standardize our approach so any organization, regardless of size, private or public, can understand how to implement a baseline level of security controls, especially following so many businesses’ migration to the cloud. Excellent post.
Kelly
Victoria Zak says
A key point I took away from this reading was the Security Planning Policy. This policy is extremely important to prevent risks by developing effective controls within an organization. It addresses the confidentiality, integrity, and availability of the company. As the reading mentioned, a Security Planning Policy must be in line with the organization’s enterprise architecture. The process consists of identifying assets, exposing loss events, and specifying the measures to be taken in a given situation.
The policy must be reviewed and tested at least once a year.
kofi bonsu says
Hello Victoria,
I am with you 100% in connection with your analysis of security planning policy in an organization. However, avoiding non-compliance by designing information security policies that are enforceable and yet command compliance is a big challenge. Your employees can pose a major threat to your organization’s security if they decide not to comply with your policies.
Kyuande Johnson says
One key takeaway I took from the FedRAMP System Security Plan (SSP) is the importance of the data flow diagram. The data flow diagram is a way of representing a flow of data through a process or a system. It allows you to visualize the interconnected nature of internal systems and external vendor systems so as to ensure data security throughout the process lifecycle. The data flow diagram helps you understand the functioning and the limits of a system, and data flow diagrams can be understood by both technical and nontechnical people because they are very easy to understand.
Dan Xu says
After reading “FedRAMP System Security Plan (SSP) High Baseline Template”, I have a deeper understanding of information type classification. Information types used in information systems are classified according to confidentiality, integrity, and availability sensitivity levels, which can greatly reduce adverse impacts. The security impact levels are based on each of the security objectives mentioned in NIST SP 800-60 and FIPS Pub 199, and the different levels of security are equally important. Loss of confidentiality, integrity, or availability can have a serious or catastrophic adverse impact on organizational operations, organizational assets, or individuals.
Another point I learned from the reading is that the confidentiality, integrity, and availability of data transmitted, processed, or stored by information systems is also critical, and its effective performance and protection is a key component of the national security program.
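The FIPS 199 categorization that the post above refers to is a mechanical procedure, so here it is worked through in code. This is an added example, not text or code from the FedRAMP template, NIST SP 800-60, or any commenter on this page. The three information types, the function names and the impact levels assigned to each type are constructed for illustration; in a real SSP the per-type levels come from SP 800-60 Volume II provisional values adjusted by the organization. What the code shows that the prose does not is the aggregation rule: the system's level for each objective is the high-water mark over all information types, and the overall system level is the high-water mark over the three objectives.

```python
"""FIPS 199 security categorization: per-type impact levels rolled up to a
system-level categorization and an overall impact level (high-water mark).
Added example; the information types below are constructed, not from the page."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    NA = 0        # FIPS 199 permits N/A only for confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One information type with its impact level per security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # Integrity and availability always have a potential impact; N/A is not allowed.
        if Impact.NA in (self.integrity, self.availability):
            raise ValueError(f"{self.name}: integrity/availability cannot be N/A")


def categorize_system(types: list[InfoType]) -> dict[str, Impact]:
    """High-water mark across all information types, objective by objective.

    A system's objective is never below LOW even if every type is N/A for it:
    FIPS 200 defines a low-impact system as one where all three objectives are LOW.
    """
    if not types:
        raise ValueError("a system must carry at least one information type")
    floor = lambda level: max(level, Impact.LOW)
    return {
        "confidentiality": floor(max(t.confidentiality for t in types)),
        "integrity": floor(max(t.integrity for t in types)),
        "availability": floor(max(t.availability for t in types)),
    }


def overall_impact(categorization: dict[str, Impact]) -> Impact:
    """Overall system impact level: the highest of the three objectives."""
    return max(categorization.values())


def fedramp_baseline(level: Impact) -> str:
    """FedRAMP baseline that applies to a system at the given overall level."""
    return {Impact.LOW: "FedRAMP Low",
            Impact.MODERATE: "FedRAMP Moderate",
            Impact.HIGH: "FedRAMP High"}[level]


def format_sc(label: str, categorization: dict[str, Impact]) -> str:
    """Render the categorization in the notation FIPS 199 uses."""
    inner = ", ".join(f"({k}, {v.name})" for k, v in categorization.items())
    return f"SC {label} = {{{inner}}}"


# Constructed sample: three information types for a hypothetical cloud service.
SAMPLE_TYPES = [
    InfoType("Public web content", Impact.NA, Impact.MODERATE, Impact.MODERATE),
    InfoType("Citizen PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("Investigation case files", Impact.HIGH, Impact.HIGH, Impact.MODERATE),
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(format_sc(t.name, {"confidentiality": t.confidentiality,
                                 "integrity": t.integrity,
                                 "availability": t.availability}))
    system = categorize_system(SAMPLE_TYPES)
    print(format_sc("system", system))
    print("Overall:", overall_impact(system).name, "->", fedramp_baseline(overall_impact(system)))
```

Note that a single HIGH integrity rating on one information type is enough to put the whole system into the High baseline; that is the reason executives who know which data the system actually holds need to be in the room when the information types are enumerated.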
Antonio Cozza says
The amount of documented items for a FedRAMP System Security Plan is beyond in-depth, and demonstrates again the importance of categorizing information systems in terms of the security objectives, confidentiality, integrity, and availability as done in FIPS 199. Aside from being a generally all around useful informational document regarding the security of information systems, one of the bigger perks of the system security plan document is that it provides thorough accountability, which can be shown via identifying system owners, information system security officers, points of contact, roles, responsibilities, and privilege details.
Dhaval Patel says
The FedRAMP System Security Plan is a rather detailed document containing all of the security controls for cloud-related systems. It provides a quick way to determine the point of contact and understand their roles and responsibilities. This template provides a great frame of reference for the system architecture, whether it’s for the network diagram or the data flow process. Overall, my takeaway is that this document provides valuable information on security controls, system requirements, and even laws and regulations, and it really shows the importance of cloud security.
Olayinka Lucas says
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP was created by the Joint Authorization Board (JAB) with representatives from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD).
The SSP report is the first report in the required materials for the FedRAMP Security Package. The SSP report is one of the most detailed reports and describes the security controls a CSP has implemented. The plan must show the documents, processes, devices, or any other deployed solutions for each rule.
Bernard Antwi says
What I got from reading the FedRAMP High Baseline is that it accounts for the government’s most sensitive, unclassified data in cloud computing environments, including data whose compromise could involve the loss of life or financial ruin. It develops, documents, and provides the system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.