Kelly Sharadin says
How well would the ‘Guide for Developing Security Plans for Federal Information Systems’ translate to small businesses? Federal organizations by their nature have the resources to hire security staff and the ability to assign roles as defined in the document. Fortunately, the listed roles have considerable overlap in responsibilities. Nonetheless, are system security plans unfeasible for smaller organizations, or can they be tailored to accommodate the private sector?
Dhaval Patel says
As federal agencies sign more cloud contracts with large vendors and look to move away from on-prem systems, would this guide be applicable to cloud or hybrid environments or would changes have to be made?
Dan Xu says
The guidelines for the development of federal information system security plans will have different effects on different agencies. Are there corresponding policies? How can a perfect solution to the resulting problems be achieved?
Antonio Cozza says
In vulnerability identification regarding the risk management process in NIST SP 800-100, it mentions penetration testing to “identify vulnerabilities that may not have been present in other sources.” For compliance reasons, penetration testing is often required. How frequently should it be required – as results will surely change between different patches? Furthermore, should it be required to be done by an external assessment team in order to mitigate the risk of bias?
Patrick Jurgelewicz says
Hey Antonio, I think penetration tests should often be done by third-party teams to reduce any risks of bias. It is not uncommon for organizations to become complacent or comfortable in their normal ways, which could cause a security team to become blind to an otherwise obvious risk. I believe it is best to get a fresh set of eyes to conduct a penetration test to essentially see how another hacker would see.
Vraj Patel says
How does one identify the most relevant security controls that should be applied to the system, and who would be the most appropriate person to tailor those controls if needed?
Kyuande Johnson says
How often should a System Security Plan be updated?
Vraj Patel says
Hello Kyuande,
The best time to update the System Security Plan is annually. This would be a perfect time to make any necessary changes within the System Security Plan regarding any POC information or any changes within the system itself.
Antonio Cozza says
Hi Kyuande,
I too think that a system security plan should be updated annually, as this provides enough time to have an understanding of the efficacy of the security plan; any longer may delay appropriate adjustments being made which would improve the efficacy of the items in the plan, and any sooner may not be enough time to assess and analyze if the plan is succeeding in fulfilling its security goals and keeping track of the right information.
Patrick Jurgelewicz says
How could different systems possibly impact each other through system interconnections & information sharing, and how often should an organization analyze these connections and ensure they are properly protected?
zijian ou says
What 5 items of contact information should be included in the security plan?
kofi bonsu says
What measures can be used to complement your password security, adding a layer to it to fortify your data storage?
Madalyn Stiverson says
Some common security control additions companies make their employees go through during the sign-on process include MFA and VPNs. You could also include IP validation to ascertain that the network traffic is coming from a legitimate/known location. For the password itself, you can mandate frequent changes and complexity rules. You can also take it a step further by making sure those with sensitive credentials, such as system administrators, need to log in a second time to elevate privilege. This makes it so they’re not checking email and doing everyday work with a system admin account.
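The sign-on controls described in the comment above, modelled as an added example (this code is not part of the original thread and is not from any commenter): source-IP validation against known networks, an MFA requirement at sign-on, and a separate step-up authentication that an administrator must complete before a privileged action, with that elevation expiring after a short window so everyday work never runs with standing admin rights. The network ranges, the action names and the 15-minute window are illustrative assumptions.

```python
"""Login-policy evaluator: IP validation, MFA at sign-on, and step-up
elevation for privileged actions. Added example; all ranges, action
names and the elevation window are assumptions, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed: networks from which sign-on is accepted (office LAN + VPN pool).
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]

# Assumed: actions that require a fresh second authentication.
PRIVILEGED_ACTIONS = {"modify_system", "reset_user_password", "read_audit_log"}

# Assumed: how long a step-up elevation stays valid, in seconds.
ELEVATION_TTL = 15 * 60


@dataclass
class Session:
    user: str
    is_admin: bool
    mfa_verified: bool
    source_ip: str
    # Time of the last successful step-up authentication, or None if never.
    elevated_at: Optional[float] = None


def ip_is_known(source_ip: str) -> bool:
    """True if the client address falls inside one of the known networks.
    Malformed addresses are rejected rather than raising."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_NETWORKS)


def sign_on(user: str, is_admin: bool, mfa_verified: bool, source_ip: str) -> Optional[Session]:
    """Create a session only if the source is known and MFA succeeded.
    Admins sign on like everyone else; no privilege is granted yet."""
    if not ip_is_known(source_ip):
        return None
    if not mfa_verified:
        return None
    return Session(user, is_admin, mfa_verified, source_ip)


def elevate(session: Session, second_factor_ok: bool, now: float) -> bool:
    """Step-up: an admin re-authenticates before gaining privileged access.
    Non-admins can never elevate, regardless of the second factor."""
    if not session.is_admin or not second_factor_ok:
        return False
    session.elevated_at = now
    return True


def authorize(session: Session, action: str, now: float) -> bool:
    """Everyday actions need only a valid session; privileged actions need
    an admin session with an elevation that has not expired."""
    if action not in PRIVILEGED_ACTIONS:
        return True
    if not session.is_admin or session.elevated_at is None:
        return False
    return (now - session.elevated_at) <= ELEVATION_TTL


if __name__ == "__main__":
    # Constructed walk-through: admin reads email, then elevates to change the system.
    s = sign_on("alice", is_admin=True, mfa_verified=True, source_ip="10.20.5.7")
    assert s is not None
    print("read_email without elevation:", authorize(s, "read_email", 1000.0))
    print("modify_system without elevation:", authorize(s, "modify_system", 1000.0))
    elevate(s, second_factor_ok=True, now=1000.0)
    print("modify_system after step-up:", authorize(s, "modify_system", 1000.0))
    print("modify_system after TTL:", authorize(s, "modify_system", 1000.0 + ELEVATION_TTL + 1))
```

The design point is that `sign_on` and `elevate` are separate events with separate proofs: a stolen or idle admin session cannot perform a privileged action unless the second authentication happened recently, and a non-admin session cannot be elevated at all.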
Victoria Zak says
How does a business create an SSP that best fits their organization? Where does the business start to ensure the SSP is efficient and has the proper controls in place?
Lauren Deinhardt says
How applicable is the FedRAMP SSP high baseline template to small and medium-sized businesses?
Madalyn Stiverson says
For a small mom and pop shop that’s just opening, how would you recommend they implement these frameworks in a cost effective yet secure manner? Would you recommend they consult, hire an expert, use other resources…?
Michael Jordan says
When executives and managers of an organization are developing a system security plan, how do they split up the duties for developing the responses to technical threats vs. environmental threats (like earthquakes and floods)? For technical threats, they can probably look internally towards a CIO and other qualified IT employees, but for natural disasters, do they hire contractors or consult their insurance agencies who have specialists in that field?
Madalyn Stiverson says
A lot of people should be involved in creating the disaster recovery plan. This includes legal, risk management, maintenance, IT, HR, and other business critical functions. Everyone has their own role and perspective that will be helpful in creating and refining the DRP. This should also be a continual process, where after creating the plan it is tested, refined, then tested again.
An incident response plan is a little more specialized, and should rely more heavily on IT and legal than the DRP does. But, likely all the same key players would have some role in developing the plan.
Olayinka Lucas says
What is the relevance of a System Security Plan to an IT Auditor? How does it play into the overall audit process as required documentation?
Bernard Antwi says
What should a system security plan include?